How we built an Ethereum operating system that is upgradeable, secure and easy to use
For users, Aragon Core is the easiest way to create unstoppable organizations. The UI abstracts away technical details, and lets the user focus on what matters.
When using Aragon Core, users don't usually notice that:
They are interacting with many distinct apps, created by different developers
The Dapp always tries to find a way how a user can perform the desired action, even if they don't have permission to directly do so
The smart contracts and frontend of Aragon Core and its apps are fully upgradeable
That can sound simple, but it isn't. There are many technical challenges to overcome. Like creating an app platform with full sandboxing. Traversing the access control list so users can perform actions they don't have direct permission over. Having decentralized and censorship-resistant upgradeability.
From a technical perspective, Aragon Core is an operating system for human organizations.
A computer operating system manages which processes have access to the computer's resources. They do that by:
Implementing a kernel, which has drivers that let the software control the hardware
Implementing a permission system, to manage which processes can access each resource
Implementing a self-upgrade system, for bugs and enhancements
The general concept goes as follows: You wouldn't want a Tetris app to own full control over your RAM. That would enable tampering with other apps or stealing precious information.
Similarly, you wouldn't want a CryptoKitties app to have full control over the funds of your DAO.
The role of the OS is to impose a rule system to not let that happen.
How Aragon Core is an OS
The kernel is a very simple smart contract. It keeps track of an Access Control List app, which it uses for permission management of the entire DAO.
The kernel also knows where to find its installed apps and handles upgradeability of the apps, by keeping references to the actual code that the apps execute.
In conventional operating systems, you usually have normal users, and admins. We thought about how to translate that into an OS for humans, and discovered it wasn't enough.
What we came up with was a much richer permissions systems.
Thanks to aragonOS, any resource or functionality can be assigned a role. Only entities that have permission to call that role can access that resource. Those permissions are all set in the Access Control List.
With aragonOS, permissions are as follows:
Entity E can call Function F (Param P...) on App A, only if Z satisfies Rules R, and Permission Manager PM can revoke or reassign that permission.
Simplified this would be:
An entity can call a function on an app, and its manager can revoke or reassign that permission. This enables for virtually infinite combinations and functionality permissions-wise.
In a conventional OS, when you want to perform an action but you don't have permission to do so, you will need to use another user with elevated permissions. On *nix based systems like Linux and MacOS you would use sudo. Or in a Windows environment, an account with Administrator privileges.
In our case, it's not that simple. Since permissions are so abundant, there may be multiple paths to escalate permissions. For example, a token holder may have permission to create a voting, and the voting app may have permission to withdraw funds.
In that case, Aragon Core will display this to the user as they attempt to withdraw funds. Users can present their intent for performing an action by trying to execute it. They don't have to think about what the process for executing that action may be. By traversing the Access Control List, Aragon Core automatically comes up with the path needed for executing the action.
Permission management is key for allowing security at the smart contract level. That'd be the equal of kernel, filesystem and process security in a conventional OS.
Yet Aragon Core being all about the user facing frontend, security is also required in the UI environment. This is similar to how many operating systems enforce app sandboxing. An app shouldn't be able to access or tamper with another app that's running.
Sandboxing is very challenging to implement in the frontend. Our solution is a combination of sandboxed iframes, cross-origin messaging and platform APIs.
All apps run inside sandboxed iframes, and only communicate with Aragon Core using aragon.js. Aragon Core provides APIs for accessing smart contracts, displaying notifications and signing transactions. While signing transactions, a panel opens up in Aragon Core, not inside the app. Apps cannot prompt users to sign transactions directly, and they cannot interact with the contracts of other apps. Thus all transactions are securely handled by Aragon Core, reducing the attack surface.
Aren't iframes and third party apps a bad user experience? Thanks to Aragon UI, all Aragon apps can look and behave the same. That's amazing for user experience. Operating systems have leveraged this for decades. Confusing and incoherent user experiences lead to more errors and less comfort.
We have been inspired by Apple and how they built their ecosystems, both in desktop and mobile. While I have been a Linux user and lover since I was 12, I recognize that regarding UX, Apple knows what it does.
The easiest way to create Dapps
Aragon Core is a complete platform for Dapp development.