Mercurial > docs > diploma
comparison thesis/tex/4-MasqmailsFuture.tex @ 188:afb72fb64962
worked on discussion on architecture
| author | meillo@marmaro.de |
|---|---|
| date | Mon, 29 Dec 2008 21:43:52 +0100 |
| parents | 7f4d97584a6f |
| children | 79803ad327ca |
comparison
equal
deleted
inserted
replaced
| 187:7f4d97584a6f | 188:afb72fb64962 |
|---|---|
| 243 | 243 |
| 244 | 244 |
| 245 \subsubsection*{Discussion on architecture} | 245 \subsubsection*{Discussion on architecture} |
| 246 | 246 |
| 247 %fixme: why is there a need for a new arch?? | 247 %fixme: why is there a need for a new arch?? |
| 248 | 248 Adding authentication and encryption support is limited to a narrow region in the code. Such features are addable to the current code base without much problem. In contrast do support for new protocols or mail processing interfaces to external programs require a lot of effort. Changes in many parts of the source code are required. It is no good idea to implement large retro-fitted features in a software that is critical in security and reliability, like \masqmail. Worse if these features need changes in the program's structure, like adding mail scanning interfaces would do. |
| 249 | 249 |
| 250 A program's architecture is probably the most influencing design decision, and has the greatest impact on the program's future capabilities. %fixme: search quote ... check if good | 250 If such features are needed, it is best do redesign the program's structure and rebuild it. A program's structure is primary its architecture. Which is probably the most influencing design decision, and has the greatest impact on the program's future capabilities. The architecture defines what the program can do, how it can be used. If the architecture does not fit the requirements, develpement reached a dead end \dots\ further work will make everything worse. The only good solution is to change the architecture, which, sadley but most likely, means a redesign from scratch. |
| 251 | 251 |
| 252 \masqmail's current artitecture is monolitic like \sendmail's and \exim's. But more than the other two, is it one block of interweaved code. \sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. \exim\ has a highly structured code with many internal interfaces, like the one for supported authentication ``modules''. \masqmail\ has none of them; it is what \sendmail\ was in the beginning: a single large block. | 252 \masqmail's current artitecture is monolitic like \sendmail's and \exim's. But more than the other two, is it one block of interweaved code. \sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. \exim\ has a highly structured code with many internal interfaces, a good example is the one for authentication ``modules''. %fixme: add ref |
| 253 \masqmail\ has none of them; it is what \sendmail\ was in the beginning: a single large block. | |
| 253 | 254 |
| 254 Figure \ref{fig:masqmail-arch} is an attempt to depict \masqmail's internal structure. | 255 Figure \ref{fig:masqmail-arch} is an attempt to depict \masqmail's internal structure. |
| 255 | 256 |
| 256 \begin{figure} | 257 \begin{figure} |
| 257 \begin{center} | 258 \begin{center} |
| 258 \input{input/masqmail-arch.tex} | 259 \input{input/masqmail-arch.tex} |
| 259 \end{center} | 260 \end{center} |
| 260 \caption{Internal architecture of \masqmail} | 261 \caption{Internal structure of \masqmail} |
| 261 \label{fig:masqmail-arch} | 262 \label{fig:masqmail-arch} |
| 262 \end{figure} | 263 \end{figure} |
| 263 | 264 |
| 264 \sendmail\ improved its old architecture, for example by adding the milter interface. \exim\ was designed and is carefully maintained with a modular-like code structure in mind. \qmail\ started from scratch with a ``security-first'' approach, \postfix\ improved on it, and \name{sendmail X}/\name{MeTA1} tries to adopt the best of \qmail\ and \postfix, to completely replace the old \sendmail\ architecture. \person{Hafiz} \cite{hafiz05}. describes this evolution of \mta\ architecture very well. | 265 \sendmail\ improved its old architecture, for example by adding the milter interface. \exim\ was designed and is carefully maintained with a modular-like code structure in mind. \qmail\ started from scratch with a ``security-first'' approach, \postfix\ improved on it, and \name{sendmail X}/\name{MeTA1} tries to adopt the best of \qmail\ and \postfix, to completely replace the old \sendmail\ architecture. \person{Hafiz} \cite{hafiz05}. describes this evolution of \mta\ architecture very well. |
| 265 | 266 |
| 266 Every one of the popular \MTA{}s is more modular, or became more modular over time, than \masqmail\ is. Modern requirements like spam protection and future requirements like the use of new mail transport protocols demand modular designs for keeping the software simple. Simplicity is a key property for security. | 267 Every one of the popular \MTA{}s is more modular, or became more modular over time, than \masqmail\ is. Modern requirements like spam protection and future requirements like---probably---the use of new mail transport protocols demand modular designs for keeping the software simple. Simplicity is a key property for security. ``[T]he essence of security engenieering is to build systems that are as simple as possible.''\cite[page 45]{graff03} |
| 267 | 268 |
| 268 \person{Hafiz} agrees: | 269 \person{Hafiz} agrees: ``The goal of making software secure can be better achieved by making the design simple and easier to understand and verify.''\cite[page 64]{hafiz05} He identifies the security of \qmail\ to come from it's \name{compartmentalization}, which goes hand in hand with modularity: |
| 269 \begin{quote} | 270 \begin{quote} |
| 270 The goal of making software secure can be better achieved by making the design simple and easier to understand and verify. \cite[page64]{hafiz05} | 271 A perfect example is the contrast between the feature envy early \sendmail\ architecture implemented as one process and the simple, modular architecture of \qmail. The security of \qmail\ comes from its compartmentalized simple processes that perform one task only and are therefore testable for security. \cite[page 64]{hafiz05} |
| 271 \end{quote} | 272 \end{quote} |
| 272 He identifies the security of \qmail\ to come from it's \name{compartmentalization}, which goes hand in hand with modularity: | 273 As well does \person{Dent}: ``The modular architecture of Postfix forms the basis for much of its security.''\cite[page 7]{dent04} Modularity is also needed to satisfy modern \MTA\ requirements, in providing a clear interface to add functionality without increasing the overall complexity much. |
| 273 \begin{quote} | 274 |
| 274 A perfect example is the contrast between the feature envy early \sendmail\ architecture implemented as one process and the simple, modular architecture of \qmail. The security of \qmail\ comes from its compartmentalized simple processes that perform one task only and are therefor testable for security. \cite[page 64]{hafiz05} | 275 Security comes from good design, as \person{Graff} and \person{van Wyk} explain: |
| 275 \end{quote} | |
| 276 As well does \person{Dent}: ``The modular architecture of Postfix forms the basis for much of its security.''\cite[page 7]{dent04} | |
| 277 | |
| 278 Modularity is needed for supporting modern \MTA\ requirements, providing a clear interface to add further functionality without increasing the overall complexity much. Modularity is also an enabler for security. Security comes from good design, as \person{Graff} and \person{van Wyk} explain: | |
| 279 \begin{quote} | 276 \begin{quote} |
| 280 Good design is the sword and shield of the security-conscious developer. Sound design defends your application from subversion or misuse, protecting your network and the information on it from internal and external attacks alike. It also provides a safe foundation for future extensions and maintainance of the software. | 277 Good design is the sword and shield of the security-conscious developer. Sound design defends your application from subversion or misuse, protecting your network and the information on it from internal and external attacks alike. It also provides a safe foundation for future extensions and maintainance of the software. |
| 281 % | 278 % |
| 282 %Bad design makes life easier for attackers and harder for the good guys, especially if it contributes to a false sends of security while obscuring pertinent failings. | 279 %Bad design makes life easier for attackers and harder for the good guys, especially if it contributes to a false sends of security while obscuring pertinent failings. |
| 283 \cite[page 55]{graff03} | 280 \cite[page 55]{graff03} |
| 284 \end{quote} | 281 \end{quote} |
| 285 | 282 |
| 286 \person{Hafiz} adds: ``The major idea is that security cannot be retrofitted into an architecture.''\cite[page 64]{hafiz05} | 283 |
| 287 | 284 All this leads to a rewrite of \masqmail, using a modern, modular architecture, \emph{if} further features need to be added, ones that require changes in \masqmail's structure. As well is a rewrite needed, if \masqmail\ should become a modern \MTA, with good quality properties. |
| 288 All this leads to one logical step: The rewrite of \masqmail\ using a modern, modular architecture, to get a modern \MTA\ satisfying nowadays needs. | 285 |
| 289 | 286 But redesigning and rewriting a software from scratch is hard. It takes time to design a new architecture, which must prove it is secure and reliable. And much time and work is needed to implement the design, test it, fix bugs, and so on. Thus the gain of a new design must overweight the effort needed to spend. |
| 290 | 287 |
| 291 | 288 \person{Wheeler}'s program \name{sloccount} calculates following estimations for \masqmail's code base as of version 0.2.21 (excluding library code): |
| 292 << what would be needed (effort) >> | 289 {\small |
| 293 | 290 \begin{verbatim} |
| 294 The next section is a design | 291 Total Physical Source Lines of Code (SLOC) = 9,041 |
| 295 | 292 Development Effort Estimate, Person-Years (Person-Months) = 2.02 (24.22) |
| 296 | 293 (Basic COCOMO model, Person-Months = 2.4 * (KSLOC**1.05)) |
| 297 | 294 Schedule Estimate, Years (Months) = 0.70 (8.39) |
| 295 (Basic COCOMO model, Months = 2.5 * (person-months**0.38)) | |
| 296 Estimated Average Number of Developers (Effort/Schedule) = 2.89 | |
| 297 Total Estimated Cost to Develop = $ 272,690 | |
| 298 (average salary = $56,286/year, overhead = 2.40). | |
| 299 SLOCCount, Copyright (C) 2001-2004 David A. Wheeler | |
| 300 \end{verbatim} | |
| 301 } | |
| 302 The development cost is not relevant for a \freesw\ project of volunteer developers, but the time needed is. About 24 man-months are estimated. The current code base was written almost completely by Oliver \person{Kurth} within four years, in his spare time. This means he needed around twice as much time. | |
| 303 | |
| 304 Given the asumptions that an equal amount of code is to be produced, a third of existing code can be reused plus concepts and experience, and development speed is like \person{Kurth}'s. Then it would take about two years to have a redesigned new \masqmail\ with the same features. Less time could be needed if a simpler architecture allows faster develpement, better testing, and less bugs. | |
| 305 | |
| 306 The further section describes a new modern design for \masqmail. A plan to rewrite \masqmail\ from scratch. | |
| 307 | |
| 308 | |
| 309 | |
| 310 %\person{Hafiz} adds: ``The major idea is that security cannot be retrofitted into an architecture.''\cite[page 64]{hafiz05} | |
| 298 | 311 |
| 299 | 312 |
| 300 | 313 |
| 301 | 314 |
| 302 \section{A design from scratch} | 315 \section{A design from scratch} |