I don't see a contradiction (although I'm not an American). I have no problems with people smoking, snorting, injecting, or otherwise consuming any drugs that they want. I do object if they blow smoke in public areas or leave needles (especially used ones) lying around in public places.

I would be in favour of banning smoking anything in public places (including places of work) and permitting people to take any drugs that they want in their own home. There are some difficult areas (for example, should people with children be allowed to smoke whatever they like at home around their children?) but the general rule of thumb should be that you can do whatever you want to your own body and mind, just don't do it to anyone else.

Not really. Whuffle is more sensible as a currency concept - it's fungible. There's no difference in how you can use Whuffle based on who gave it to you. There are some interesting economics papers based on the idea that anyone can create a mint and the value of its currency would be tracked based on the reputation of the person.

It's difficult to rate-limit login attempts from a botnet. The attack pattern I see on my server is one IP making three login attempts, then another IP making three login attempts, and so on. I do rate limit (via temporary IP blocking) attempts from one IP, but it doesn't help much. Of course, they're all doing password-based login attempts and I disable password-based SSH logins for all Internet-connected machines...

Yup. Compiling for the Burroughs architecture was easier than many segment-based systems, because they allowed segment descriptors to be placed in main memory, with the CPU responsible for tracking the value type by updating a tag. We adapt this slightly so that we only require one tag bit per 256 bits of main memory (the paper describes the implementation of this in some detail, but I'm happy to answer questions) to be able to safely store capabilities in main memory. Our design also allows normal C data structures to work as expected. You can mix C code compiled for MIPS and C code compiled for CHERI in the same binary (though you only get coarse-grained protection in the MIPS code).

The Burroughs architecture had very little impact on the computer architecture community, but was enormously influential in the design of VMs for high-level languages. One of our goals is to pull out the aspects of such VMs that are required for memory protection and put them back in the hardware, so a buggy VM has a far more limited security impact. My student's work on JNI dramatically reduced the amount of C code in the trusted computing base for the JVM implementation that he used.

The flippant answer is all that your paranoia deserves. The work was undertaken by SRI and The University of Cambridge. The funding was provided by DARPA, but that's the extent of their involvement (other than creating a program with the goal of being able to redesign any aspect of computing with security in mind).

The code is no more or less meriting an independent audit than any other open source code. Less, actually, because we don't anticipate anyone actually using our open source reference implementation in production, we hope that CPU vendors will take the ISA extensions and apply them to their own chips, but we expect that (if they do) they'll do independent reimplementations. At the ISA levels, we have PVS / SAL proofs that we'll be publishing soon that the ISA does provide the desired security properties and you're welcome to audit those too.

Systemd definitely solves a problem that exists. Unfortunately, it solves it in the same way that a nuclear warhead solves the problem of rat infestation.

My Windows NT 4.0 disk had a PowerPC installer on it. I never found a CHRP machine to run it on though. I tried it on a PowerPC Mac once, but couldn't get it to boot. Windows 2000 only shipped for IA32.

The most obvious example is the byte-swapping load instructions. There are some other examples if you can find the papers by the VirtualPC authors, which explain them in detail. It's been quite a few years since I paid attention to anything PowerPC related.

You might want to go back and read some press releases from the AIM alliance at that time. Or even look at the ISA: there are a lot of things in there that only make sense if you want to emulate m68k or x86. They were positioning PowerPC as a migration path from m68k and i386 systems and being able to emulate both at a reasonable speed was part of this strategy.

Spoken like someone who has no idea about the market at the time. The PowerPC was introduced in 1992, announced in 1991. At the time, Intel's flagship x86 part was the 486 but they were trying to kill the x86 line. They'd released the i860 (RISC, not x86-compatible) in 1989 and tech magazines were saying it would kill x86. Windows NT was originally written for the i860 and only later ported to x86, so even Windows looked like it might not be tied to x86 in the long term.

1992 saw the launch of the Alpha and MIPS R4K, and 1993 saw the SPARCv9 ISA. It didn't look like a 32-bit architecture that was hacked onto a legacy 16-bit ISA had much of a long-term future. IBM and Motorola were two of the biggest players in CPU manufacturing and they teamed up to produce something that would provide a migration path for m68k and i386 software. The PowerPC architecture was based on IBM's POWER architecture but extended to make it easy to emulate m68k and i386 at reasonable speeds. Microsoft was signed up to port Windows NT and it looked like you'd be able to run Windows and MacOS (the two most popular desktop operating systems) and possibly some of the other less-popular ones (most of which were m68k-based) on the same hardware. IBM and Motorola were both going to produce chips, so there was guaranteed to be competition, which would bring down prices, and they were soliciting other companies to produce implementations of the architecture. Within a few years, PowerPC would be faster and cheaper than x86 and would run more software. At least, that was the theory. It sounded quite plausible, but history didn't quite work out like that.

Those numbers don't tell the whole story. iBooks doesn't exist to make a profit selling books, it exists to make the iPad seem like a plausible platform for reading books. Similarly, Amazon gets a significant benefit from locking people into the Kindle ecosystem. The $180M in cash that Apple gets is nice, but it's nothing compared to having a load of people who have bought books that will only work on an Apple device.

PowerPC was pushed by the AIM alliance: Apple, IBM, Motorola. The latter two developed and produced chips. Apple had some input. The goal was an ISA that made it easy to emulate both m68k and i386.

Yup, it's on GitHub in two repositories, one for LLVM and one for clang. We've been pushing the fixes for MIPS IV upstream, but there are some changes to the mid-level optimisers to make them aware that not all pointers are integers and some extensions to the platform-independent code generators for the same.

We've upstreamed all of the FreeBSD changes required for the base processor (BERI) and the development boards, so FreeBSD 10 will run out of the box on CHERI (it just won't expose any of the capability features). The CHERI-enabled version of FreeBSD is also on GitHub.

The code for the processor is just in a tarball at the moment. We're going to move it to some sensible public revision control system once we've worked out how much of our internal svn history wants to be included in the public release.

Yes, we're looking forward to the seL4 release. Somewhat cautiously, as there's no mention of a license (if it's GPL'd, we probably won't put any effort into it). In CHERI, we have store-capability and load-capability permissions on both capabilities and pages. To implement the seL4 model (where capabilities are stored in special pages), we'd only need to use the TLB-grandularity protections, but it would be more interesting to provide fine-grained capability storage, which would reduce a bit of the difficulty in programming for seL4.

We're also interested in the impact on the proofs in seL4. For example, seL4 currently assumes that the TLB is correct as an axiom (read the errata sheet for any production CPU to see how valid that is). With CHERI, we have some proofs extending down into the ISA and into the implementation and it would be interesting to see how these could be coupled to have a proven-secure systems. The folks at UT Austin and Centaur are (independently of us, but we talk to them periodically) working hard on proving that properties of higher-level HDLs are mapped correctly to gate layouts, so in a few years it may be possible to have a microkernel with security properties proven correct right down to the gate level.

Ilya Bakulin is currently working on porting FreeBSD to run atop L4 and is interested in extending this port to run on seL4. That would also be an interesting approach when combined with CHERI, allowing a full FreeBSD to run with some critical services moved out and into a tiny TCB.

We haven't specifically looked at key storage, but we are looking at potential ways of extending the approach to heterogeneous multicore systems, so that access to main memory could be delegated to accelerators (at varying levels of coupling) via capabilities and capabilities could be used to mediate access to accelerators. In this scheme, it would be possible to provide an encryption coprocessor that would store keys internally and perform encryption and decryption operations on blocks of memory delegated to it from userspace.

This is part of a more general problem, which is that most accelerator designs currently follow the model of a device, which requires kernel mediation to use and don't really support virtualisation well. The design you want is a resource that's cheap to access from userspace and easy to multiplex. Once you have that, it's easy to have useful crypto coprocessors (i.e. ones that cause a speedup for everything, rather than a slowdown for anything smaller than a few tens of KBs).