Program logic bugs vs input/environmental errors

H. S. Teoh via Digitalmars-d digitalmars-d at puremagic.com
Sat Nov 1 07:56:16 PDT 2014


On Sat, Nov 01, 2014 at 10:52:31AM +0000, Kagamin via Digitalmars-d wrote:
> On Friday, 31 October 2014 at 21:06:49 UTC, H. S. Teoh via Digitalmars-d
> wrote:
> >This does not mean that process isolation is a "silver bullet" -- I
> >never said any such thing.
> 
> But made it sound that way:
>
> >The only failsafe solution is to have multiple redundant processes,
> >so when one process becomes inconsistent, you fall back to another
> >process, a *decoupled* process that is known to be good.
> 
> If you think a hacker rooted the server, how do you know other
> perfectly isolated processes are good? Not to mention you suggested to
> build a system from *communicating* processes, which doesn't sound
> like perfect isolation at all.

You're confusing the issue. Process-level isolation is for detecting
per-process faults. If you want to handle server-level faults, you need
external monitoring per server, so that when it detects a possible
exploit on one server, it shuts down the server and fails over to
another server known to be OK.

And I said decoupled, not isolated. Decoupled means they can still
communicate with each other, but with a known protocol that insulates
them from each other's faults. E.g. you don't send binary executable
code over the communication lines and the receiving process blindly runs
it, but you send data in a predefined format that is verified by the
receiving party before acting on it. I'm pretty sure this is obvious.


> >You don't shutdown the *entire* network unless all redundant
> >components have failed.
> 
> If you have a hacker in your network, the network is compromised and
> is in an unknown state, why do you want the network to continue
> operation? You contradict yourself.

The only contradiction here is introduced by you. If one or two servers
on your network have been compromised, does that mean the *entire*
network is compromised? No it doesn't. It just means those one or two
servers have been compromised. So you have monitoring tools set up to
detect problems within the network and isolate the compromised servers.
If you are no longer sure the entire network is in a good state, e.g. if
your monitoring tools can't detect certain large-scale problems, then
sure, go ahead and shut down the entire network. It depends on what
granularity you're operating at. A properly-designed reliable system
needs to have multiple levels of monitoring and failover. You have
process-level decoupling, server-level, network-level, etc. You can't
just rely on a single level of granularity and expect it to solve
everything.


T

-- 
Leather is waterproof.  Ever see a cow with an umbrella?
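The decoupling described in the reply above (the receiver verifies data in a predefined format before acting on it, and a peer that keeps sending bad messages is failed over to a known-good standby) as an added Python example; this is not code from the original post. The length-prefixed JSON wire format, the operation table and the fault threshold are constructed for illustration.

```python
import json
import struct
from collections import defaultdict

# Constructed wire format: 4-byte big-endian length prefix, then a UTF-8
# JSON object {"op": str, "args": {...}}. Nothing in a frame is ever executed;
# it is only parsed and checked against the table of allowed operations.
MAX_FRAME = 64 * 1024
ALLOWED_OPS = {"ping": set(), "store": {"key", "value"}}  # op -> required args


class ProtocolError(ValueError):
    pass


def decode_frame(buf: bytes) -> dict:
    """Parse and verify one frame; raise ProtocolError on anything unexpected."""
    if len(buf) < 4:
        raise ProtocolError("short header")
    (n,) = struct.unpack("!I", buf[:4])
    if n > MAX_FRAME or len(buf) != 4 + n:
        raise ProtocolError("bad length")
    try:
        msg = json.loads(buf[4:].decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as e:
        raise ProtocolError(f"malformed body: {e}")
    if not isinstance(msg, dict) or not isinstance(msg.get("op"), str):
        raise ProtocolError("missing op")
    required = ALLOWED_OPS.get(msg["op"])
    if required is None:
        raise ProtocolError(f"unknown op {msg['op']!r}")
    args = msg.get("args", {})
    if not isinstance(args, dict) or set(args) != required:
        raise ProtocolError("bad args")
    if not all(isinstance(v, str) for v in args.values()):
        raise ProtocolError("non-string arg")
    return msg


def encode_frame(msg: dict) -> bytes:
    body = json.dumps(msg).encode("utf-8")
    return struct.pack("!I", len(body)) + body


class Supervisor:
    """Count protocol faults per peer; after `limit` faults the peer is
    declared bad and its traffic is directed to the configured standby."""

    def __init__(self, standby: dict, limit: int = 3):
        self.standby, self.limit = standby, limit  # peer -> standby peer
        self.faults, self.bad = defaultdict(int), set()

    def active(self, peer: str) -> str:
        return self.standby.get(peer, peer) if peer in self.bad else peer

    def receive(self, peer: str, frame: bytes):
        try:
            return decode_frame(frame)  # only verified messages are acted on
        except ProtocolError:
            self.faults[peer] += 1
            if self.faults[peer] >= self.limit:
                self.bad.add(peer)
            return None
```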

