guido at witmond.nl
Mon Dec 24 13:14:52 CET 2018
Hi Norman and the whole Genode team,
First, I recognize the feeling that you are enthusiastic about your work
and nobody seems to care. And how devastating that can feel.
I know that feeling from my attempt at designing and promoting my
authentication protocol that (I believe) could decimate most phishing
and identity theft attacks. I got so disappointed at the lack of
response that I disabled web statistics so I didn't have to see how
little visitors my site got. Now I've more or less given up on it.
Yet every time I see a news article about phishing or stolen (and
abused) passwords I'm reminded that I came up with something that could
have (helped to) prevent it.
Second, it's hard to create a new platform from scratch. As a rule of
thumb, for any new invention it takes roughly 15 years from invention to
market-readyness. So far, Genode Labs succeeded where others gave up.
Thanks for not giving up.
Third, it's very hard to bring innovation into the IT-world. The IT
community is very conservative.
Sandboxing to contain viruses is something that HP-Labs did 15 years ago
for Windows XP . Regrettably HP didn't succeed in selling it widely.
Just last week, Microsoft has added a sandbox to Win10 in an attempt to
An example of the conservatism: I explained some ideas of Genode
(micro-kernel, sandboxing, separation, pola) to a 30yo manager of a
software development company that advertised itself for writing secure
software. He found the ideas interesting but did not want to spend time
to research it. Not even reading on the topic. He said it was "academic
stuff that eventually shows up in Linux". I couldn't convince him that
it might be a good idea to be ahead of the curve. He was risk averse, as
are most IT-people. Genode needs to find people willing to take a risk
and reap the reward.
Every time I read about crypto malware holding a user or company hostage
for ransom I'm reminded that had they used Genode it could have (helped
to) prevent it.
I believe there is a huge market out there. The difficulty is getting
there. I hope my answers to this mail give some ideas how to proceed.
Now about your goals and questions:
> 1) Widening the audience of Sculpt OS
> Consequently, we should improve its ease of use.
For me a 1000 times this.
To me, the learning curve of Genode is steep. The learning curve of
(changing) Sculpt is steep too. Although I know most of the concepts of
the platform, I find it still hard to develop in. Lately I went deep
into changing the configuration of Virtualbox in Sculpt. What should be
a few hours took me more than a week. And the result was still hacky :-(
Although there are many examples, I'd like to see them listed from
simple to complex, each explaining a concept of Genode, builing on top
of the previous ones. It could grow into a Genode for Dummies.
Other wish: please describe how I can enable all kinds of debugging
modes. For example, when I make a XML syntax error in an init.config,
the app doesn't start but the log remains quiet.
Other example, at one point I added printf-logging to init-components to
trace the routing decisions so I could check that my config was correct.
It would be great if there was a config option for that.
> 2) Fostering the community spirit around our project
I think you have a nice (but small) community already, with your team
ready to answer any question quicky. Just keep doing that.
You've seen my recent write-up on adding a raw partition to virtualbox
in Sculpt. I thought of making it a blog so others can learn from it
too. (I'm not sure if that example makes a nice showcase of the ease of
> 3) Marketing of Genode-based products
I like the idea of cross-promotion between Genode and some companies
that use it. Put some showcases on your site. Perhaps with a small
testimonial from each company why they chose Genode.
Given the impossibility of convincing (conservative) people why Genode
is better than their current system, don't focus on technical details.
Instead focus on concrete benefits for (end) users:
- safe by design;
- protects privacy;
- little errors do not become catastrophes;
- robust against malware;
- no need for regular updates;
- updates don't break existing functionality;
- easy to use, also for non-computer users (see my dream system below).
> * What are your ambitions for 2019?
I still have my wish for running Genode on my server, running a
webserver for static and dynamic content. I ran a static web site on
Genode a few years ago. It lasted a week until it crashed due to a
resource leak, (memory, VFS-file descriptors). I could not debug it, so
the box runs Linux again.
I'd like to run a (small) dynamic web site on it. I.e. start with a blog
and comments section and private messaging. For parsing I use the a
composable parser generator such as the Hammer library  from the
Langsec  community. I think Langsec and Genode complement each other
I know some hackers (professional pentesters) interested in the idea of
a site that's very hard to hack, even if there are errors in my
implementation. I'm curious to their findings.
My goal is to get Genode on a server with some VMs for things not yet
ported. And get some hackers to pentest it.
> * Which areas of Genode would you like to see improved?
> How would you possibly contribute to these improvements?
Documentation. (I'll tell you my struggles, you improve the docs).
> * If you imagine a Genode-based system one year in the future,
> how would it look like?
My long term dream is Genode on a Desktop.
It has a desktop UI interface, double clicking opens an application in a
sandbox. The application has only access to its dependencies and
resources like fonts, etc.
However, the application does not have access to the user's files,
email, etc., not even network access. It the user wants to open a file,
the sandbox detects the application opening a file-browser and an
attempt to read /home/<user> and opens a Powerbox. The powerbox is a
trusted part of the OS that lets the user select one or more files. Only
these are the files that the application can read. (The powerbox is
described in HP-Labs paper  and other capability security papers on
The user of this system is a non-technical user, say a clerk at city
hall dealing with building permits. Their need is to approve or reject
building plans. As they get data from the outside, it must be considered
hostile. With current Linux, Mac and Windows systems, this clerk needs
to make a decision whether to open a certain email or not. After all, it
could be crypto-malware. So without opening the email, the clerk must
make a value judgement on its contents. That's a mission impossible.
Especially for a clerk without IT programming skills.
Genode can help here. Every parser (email, zip-files, photos, fonts,
audio, video, etc) run in separated sandboxes, all the user's resources
(files, emails, photos, address books, etc) are protected by powerboxes,
so if an email contains malware, it can't sneakily encrypt anything. In
fact, if the malware misbehaves, it probably triggers a powerbox for a
file-open dialog that the clerk did not request. The clerk forwards the
mail to the IT-department for analysis.
> * Do you have further ideas that would help making Genode relevant
> at a larger scale than today?
Since you ask about my Santa list :-)
Make it easy (both in documenting) and code support to port exisiting
Linux or Windows software to Genode. It could be a preconfigured Noux
instance that provides just enough to start the application. It needs
/usr, a bit of /etc, a private var and a powerbox to /home/<user>. It
needs a NIC environment with a configurable ingress and egress firewall.
Make it easy for an end-user to create separate of these sandboxes for a
single application, so the user can create separate mail-readers for
private mail, office mail, etc.
It should be easy to port and effortless to upgrade. Upgrades should be
build automatically by a build server so a small number of people can
manage a large set of programs. I'm thinking user application such as
libreoffice, gimp, photo, video, audio, bookkeeping. Software that
doesn't need linux kernel access, drivers or distribution packaging
I love to run a mail-stack consisting of server programs such as
postfix, dovecot, spamassissin, DNS-servers, DNSSEC signers, etc on Genode.
Best wishes for the holidays,
More information about the users