You still have processes, they just are software isolated rather than hardware isolated. You write everything in a language that can guarantee no unsafe behavior then no hardware checks are needed or any task switching and most of the safety checks are done at compile time:
Microsoft and Oracle have removed CAS and JAAS from CLR/JVM respectively as they have failed to provided the software isolated model that was expected from them.
"The lowest-level x86 interrupt dispatch code is written in assembly language and C. Once this code has done its job, it invokes the kernel, which runtime system and garbage collector are written in Sing# (an extended version of Spec#, itself an extension of C#) and runs in unprotected mode. The hardware abstraction layer is written in C++ and runs in protected mode."
The point is that drivers and apps are managed code and can be software isolated, obviously some of the kernel is unsafe.
CAS was fined grain runtime model that added significant overhead and was never close to being verified, software isolation was coarse grained just like a hardware process and had much less overhead with the goal of verification, more here:
Software isolation can still be exploited thanks to logical bugs, this was the whole issue with security exploits in Java applets.
Hence why there is really no alternative to multi-processes for security critical code.
You refer to Singularity, yet after Singularity, Microsoft Research was went down the path of exploriing other alternatives.
If the security model was so great, they would have doubled down on it.
Instead, after so many interactions, the main researchers have come out with Azure Sphere, which uses C (!) with a custom Linux kernel, and all the security layers are enforced via hardware.
Hardware isolation can be exploited due to bugs too and have been quite a bit lately so the alternative doesn't solve that problem.
Conflating Java applet security with software isolated processes as implemented in Singularity is not doing a service to the research work done there. Much of the SIP design was in response to the lessons learned in Java and .Net.
The problem with SIP is everything to be isolated must be written in a managed language. That means everyone has to get on board with a managed runtime most likely GC'd. At one point MS thought they could get everyone on board to .Net but at some point they realized that wasn't going to happen and decided its better to go with the status quo of C/C++ development.
Maybe we will see a resurgence of SIP with Rust or Webassembly. The idea of verifiably safe code where all safety checks are done ahead of time by the compiler has many advantages that can't be ignored forever.
Indeed. The existence of Rust as a safe language without a GC shows that a system that can only run safe code can be as efficient as systems that expose raw hardware.
In 90s and 00s they did this with languages similar to Java because low level safe languages weren’t yet invented. If this idea ever resurfaces it will be done with languages similar to rust and will be competitive with and likely more efficient than unsafe systems. This will potentially be a nice convergence with power-efficient RISCV chips that don’t include an MMU or a supervisor mode.
I am more interested in papers proving that SIPs aren't able to be exploited via logic errors attacks, like it happened in Java Applets due to logic errors on the serialisation library.
SIPs don't do nothing for "We have learned that multiprocessing is the only safe path to program stability, ease of scaling across clusters and less security exploits."
Which was my whole point since the beggining.
Yeah SIPs are nice, hardly any different from other managed OSes since the 60's, with Burroughs being the first one.
Many of those actually were used in production, while Singularity never left the crib, it died on version 2.0 with nothing more than a CLI interface.
Then everyone moved into other projects, hardly any security assessement was done to the whole stack, so how can you assert SIP capabilities to withstand a black hat attack?
SIP are not new, those previous systems you mentioned are a form of them, many shared hardware address space across all processes and relied on the programming language being safe for isolation but they where built in a time when running untrusted code was not really thought about, it was more about not crashing the whole system by accident.
SIP are a form of multiprocess designed for safety and stability reducing exploits and potentially scaling across clusters. Singularity and Midori heavily relied on message passing for IPC which would have allowed cluster scale out.
These where research projects there was plenty the security work available some of it I linked. Much of the work revolved around verifiability of the code to guarantee no cross process breakout without hardware checks.
How do you assert hardware checks can withstand a black hat attack? They obviously haven't been lately.
By doing what Azure Sphere project has done, paying bounties to researches to actually exploit systems in production, not just theory.
JAAS and CAS were also secure until black hats started to look into them, and since they are beyond repair, have now been thrown away, replaced by OS containers and multiprocesses.
Because Singularity is hardly any different from something like SavaJe OS, in what concerns use of type safe programming language as security boundary.
It was abandoned in 2006 and SIP were never validated in production under real attacks.
Even Midori had more real use, having powered Asian Bing subnet for a while.
To worship it in 2021 is just theory without pratical results.
I have concerns about hardware as a security boundary as well, more so lately, as should you I hope and it's much more difficult to patch hardware.
Again Midori used SIP's so it was validated in production, right?
Projecting worship on to me is not productive, no need to be childish about this. All the points you bring up for software isolation exist with hardware isolation, formal verification could help both and there is a lot of work in that area.
I think software needs to become safe by default, the endless buffer overflows need to stop. If you then take the stance user land software must be written in a safe language then the need for hardware isolation might not need to exist in it's current form and thats very interesting to me, thats all.
