Roadmap 2019
Guido Witmond
guido at witmond.nl
Mon Dec 24 13:14:52 CET 2018
Hi Norman and the whole Genode team,
First, I recognize the feeling that you are enthusiastic about your work
and nobody seems to care. And how devastating that can feel.
I know that feeling from my attempt at designing and promoting my
authentication protocol that (I believe) could decimate most phishing
and identity theft attacks. I got so disappointed at the lack of
response that I disabled web statistics so I didn't have to see how
few visitors my site got. Now I've more or less given up on it.
Yet every time I see a news article about phishing or stolen (and
abused) passwords I'm reminded that I came up with something that could
have (helped to) prevent it.
Second, it's hard to create a new platform from scratch. As a rule of
thumb, for any new invention it takes roughly 15 years from invention to
market-readiness. So far, Genode Labs succeeded where others gave up.
Thanks for not giving up.
Third, it's very hard to bring innovation into the IT-world. The IT
community is very conservative.
Sandboxing to contain viruses is something that HP-Labs did 15 years ago
for Windows XP [1]. Regrettably HP didn't succeed in selling it widely.
Just last week, Microsoft has added a sandbox to Win10 in an attempt to
contain malware.
An example of the conservatism: I explained some ideas of Genode
(micro-kernel, sandboxing, separation, pola) to a 30-year-old manager of a
software development company that advertised itself for writing secure
software. He found the ideas interesting but did not want to spend time
to research it. Not even reading on the topic. He said it was "academic
stuff that eventually shows up in Linux". I couldn't convince him that
it might be a good idea to be ahead of the curve. He was risk averse, as
are most IT-people. Genode needs to find people willing to take a risk
and reap the reward.
Every time I read about crypto malware holding a user or company hostage
for ransom I'm reminded that had they used Genode it could have (helped
to) prevent it.
I believe there is a huge market out there. The difficulty is getting
there. I hope my answers to this mail give some ideas how to proceed.
Now about your goals and questions:
> 1) Widening the audience of Sculpt OS
> Consequently, we should improve its ease of use.
For me a 1000 times this.
To me, the learning curve of Genode is steep. The learning curve of
(changing) Sculpt is steep too. Although I know most of the concepts of
the platform, I find it still hard to develop in. Lately I went deep
into changing the configuration of Virtualbox in Sculpt. What should be
a few hours took me more than a week. And the result was still hacky :-(
Although there are many examples, I'd like to see them listed from
simple to complex, each explaining a concept of Genode, building on top
of the previous ones. It could grow into a Genode for Dummies.
Other wish: please describe how I can enable all kinds of debugging
modes. For example, when I make an XML syntax error in an init.config,
the app doesn't start but the log remains quiet.
Other example, at one point I added printf-logging to init-components to
trace the routing decisions so I could check that my config was correct.
It would be great if there was a config option for that.
> 2) Fostering the community spirit around our project
I think you have a nice (but small) community already, with your team
ready to answer any question quickly. Just keep doing that.
You've seen my recent write-up on adding a raw partition to virtualbox
in Sculpt. I thought of making it a blog so others can learn from it
too. (I'm not sure if that example makes a nice showcase of the ease of
Sculpt :-).
> 3) Marketing of Genode-based products
I like the idea of cross-promotion between Genode and some companies
that use it. Put some showcases on your site. Perhaps with a small
testimonial from each company why they chose Genode.
Given the impossibility of convincing (conservative) people why Genode
is better than their current system, don't focus on technical details.
Instead focus on concrete benefits for (end) users:
- safe by design;
- protects privacy;
- little errors do not become catastrophes;
- robust against malware;
- no need for regular updates;
- updates don't break existing functionality;
- easy to use, also for non-computer users (see my dream system below).
> * What are your ambitions for 2019?
I still have my wish for running Genode on my server, running a
webserver for static and dynamic content. I ran a static web site on
Genode a few years ago. It lasted a week until it crashed due to a
resource leak, (memory, VFS-file descriptors). I could not debug it, so
the box runs Linux again.
I'd like to run a (small) dynamic web site on it. I.e. start with a blog
and comments section and private messaging. For parsing I use a
composable parser generator such as the Hammer library [2] from the
Langsec [3] community. I think Langsec and Genode complement each other
nicely.
I know some hackers (professional pentesters) interested in the idea of
a site that's very hard to hack, even if there are errors in my
implementation. I'm curious about their findings.
My goal is to get Genode on a server with some VMs for things not yet
ported. And get some hackers to pentest it.
> * Which areas of Genode would you like to see improved?
> How would you possibly contribute to these improvements?
Documentation. (I'll tell you my struggles, you improve the docs).
> * If you imagine a Genode-based system one year in the future,
> how would it look like?
My long term dream is Genode on a Desktop.
It has a desktop UI interface, double clicking opens an application in a
sandbox. The application has only access to its dependencies and
resources like fonts, etc.
However, the application does not have access to the user's files,
email, etc., not even network access. If the user wants to open a file,
the sandbox detects the application opening a file-browser and an
attempt to read /home/<user> and opens a Powerbox. The powerbox is a
trusted part of the OS that lets the user select one or more files. Only
these are the files that the application can read. (The powerbox is
described in HP-Labs paper [1] and other capability security papers on
the net).
The user of this system is a non-technical user, say a clerk at city
hall dealing with building permits. Their need is to approve or reject
building plans. As they get data from the outside, it must be considered
hostile. With current Linux, Mac and Windows systems, this clerk needs
to make a decision whether to open a certain email or not. After all, it
could be crypto-malware. So without opening the email, the clerk must
make a value judgement on its contents. That's a mission impossible.
Especially for a clerk without IT programming skills.
Genode can help here. Every parser (email, zip-files, photos, fonts,
audio, video, etc) runs in a separate sandbox, all the user's resources
(files, emails, photos, address books, etc) are protected by powerboxes,
so if an email contains malware, it can't sneakily encrypt anything. In
fact, if the malware misbehaves, it probably triggers a powerbox for a
file-open dialog that the clerk did not request. The clerk forwards the
mail to the IT-department for analysis.
>
> * Do you have further ideas that would help making Genode relevant
> at a larger scale than today?
Since you ask about my Santa list :-)
Make it easy (both in documentation and code support) to port existing
Linux or Windows software to Genode. It could be a preconfigured Noux
instance that provides just enough to start the application. It needs
/usr, a bit of /etc, a private var and a powerbox to /home/<user>. It
needs a NIC environment with a configurable ingress and egress firewall.
Make it easy for an end-user to create separate instances of these sandboxes for a
single application, so the user can create separate mail-readers for
private mail, office mail, etc.
It should be easy to port and effortless to upgrade. Upgrades should be
built automatically by a build server so a small number of people can
manage a large set of programs. I'm thinking of user applications such as
libreoffice, gimp, photo, video, audio, bookkeeping. Software that
doesn't need linux kernel access, drivers or distribution packaging
specific things.
I love to run a mail-stack consisting of server programs such as
postfix, dovecot, spamassassin, DNS-servers, DNSSEC signers, etc on Genode.
Best wishes for the holidays,
Guido.
1: http://www.hpl.hp.com/techreports/2004/HPL-2004-221.html
2: https://github.com/UpstandingHackers/hammer
3: http://langsec.org/
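The powerbox pattern sketched in the "dream system" above, as an added model that is not part of the original mail or of Genode: a sandboxed app holds no ambient authority over /home/<user>, only the trusted powerbox can mint per-file read capabilities after the user picks files, and a dialog the user never asked for is the signal that code is misbehaving. The file store, the app names and the `clerk` choice function are constructed for the example.

```python
# Constructed in-memory stand-in for /home/<user>; no real data.
HOME_FILES = {"/home/user/permit-1234.pdf": b"%PDF-1.4 building plan",
              "/home/user/payroll.xlsx": b"PK\x03\x04 payroll"}

class FileCap:  # read authority over exactly one file; only a Powerbox mints these
    def __init__(self, path, store):
        self.path, self._store = path, store
    def read(self):
        return self._store[self.path]

class Powerbox:  # trusted OS part that holds the real authority over the files
    def __init__(self, store, ask_user):
        self._store, self._ask_user = store, ask_user
        self.unrequested = []  # apps that opened a dialog the user never asked for
    def open_dialog(self, app, user_initiated):
        if not user_initiated:  # the tell-tale sign of misbehaving code
            self.unrequested.append(app)
        chosen = self._ask_user(sorted(self._store), user_initiated)
        return [FileCap(p, self._store) for p in chosen if p in self._store]

class SandboxedApp:  # no ambient authority: reads only through caps it was handed
    def __init__(self, name, powerbox):
        self.name, self._pb, self._caps = name, powerbox, {}
    def request_file(self, user_initiated=True):
        for cap in self._pb.open_dialog(self.name, user_initiated):
            self._caps[cap.path] = cap
    def read(self, path):
        if path not in self._caps:
            raise PermissionError(f"{self.name} holds no capability for {path}")
        return self._caps[path].read()

def clerk(paths, user_initiated):
    # Constructed user: picks the permit when they opened the dialog, cancels otherwise.
    return ["/home/user/permit-1234.pdf"] if user_initiated else []

def can_read(app, path):
    try:
        return bool(app.read(path))
    except PermissionError:
        return False

def session():
    pb = Powerbox(HOME_FILES, clerk)
    viewer = SandboxedApp("pdf-viewer", pb)
    viewer.request_file(user_initiated=True)       # clerk clicked "open"
    attachment = SandboxedApp("mail-attachment", pb)
    attachment.request_file(user_initiated=False)  # code tried to grab files itself
    return {"viewer_permit": can_read(viewer, "/home/user/permit-1234.pdf"),
            "viewer_payroll": can_read(viewer, "/home/user/payroll.xlsx"),
            "attachment_any": any(can_read(attachment, p) for p in HOME_FILES),
            "flagged": list(pb.unrequested)}
```

The `flagged` list is the audit trail the clerk would forward to the IT department: the attachment opened a file dialog nobody requested and still got nothing.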