Why should someone believe that a platform with capabilities starting at the bottom can be secure?

Here are some facts that are not immediately obvious but which can be verified at a cost much smaller than that of building the system.

The plan is to present the detailed kernel architecture to penetration specialists, together with a tentative architecture above the kernel sufficient for some critical application, to show that the total attack surface is vastly smaller than that of commercial systems, even in the presence of other applications with a large attack surface.

SELinux is reputed to be difficult to configure and utilize, but I have no direct information to support this. We must, however, address the usability of the resulting system. This is perhaps a later phase, but an early tentative description of a system that hosts many applications, with various degrees of security, on the same platform can be contemplated.

Most aficionados would call the Keykos kernel a ‘micro-kernel’, and many would point out that micro-kernels have been tried and have ‘failed’. Mac OS X has certainly not failed, and its kernel is built on Mach, which began as a micro-kernel. OS X has a somewhat undeserved reputation for being secure, but I suspect that the Windows enthusiasts are largely right that the professional malware folk have not yet crowded each other out on the Windows machines and thus don’t much bother with the Mac. There are a few security advantages that I am aware of on the Mac.

Apple has added many things to the Mach kernel, and it is no longer small. Worse, it has published no document that would allow an application builder to reason about the Mach architecture in order to design a secure application. Critical to this would be defining a category of things that their version of Mach doesn’t do. For instance, is the only way for me to obtain a port for someone who already holds that port to send it to me over another port? Such assurances are the key to building a secure app on a platform. OS X is treated as if its only purpose were to host a Unix. Apple discourages application designers from delving into the Mach level. This means that the encouraged application level has all of the architectural security problems of Unix, and so of Linux.
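The assurance asked for above (that the only way to acquire a port, or capability, is for a holder to send it over a connection you already share) is exactly what lets a designer bound the attack surface in the way the plan above describes. The following is an added toy model, not code from KeyKOS, Mach or this page: the kernel, its `grant` and `reachable` routines and the sample objects (a mail client, a signer, a private key, a shell) are all constructed for the illustration. It generalizes the one invariant into a reachability computation over the whole capability graph, which is the check a reviewer of such an architecture would actually run.

```python
"""Toy capability graph: an added illustration, not code from KeyKOS or Mach.

Models the one invariant a designer needs from a capability kernel: an
object obtains a capability (a reference to another object) only by
receiving it from a holder that already has both that capability and a
capability to the receiver.  There is no name lookup or 'open by path'.
All names and routines here are constructed for the example.
"""
from collections import deque


class Obj:
    """A kernel object: a process, a device, a key.  caps = what it holds."""

    def __init__(self, name):
        self.name = name
        self.caps = set()

    def __repr__(self):
        return self.name


class ToyKernel:
    def __init__(self):
        self.objects = {}

    def create(self, name, holds=()):
        """Create an object; only the kernel seeds initial capabilities."""
        obj = Obj(name)
        obj.caps.update(self.objects[h] for h in holds)
        self.objects[name] = obj
        return obj

    def grant(self, sender, receiver, target):
        """The sole acquisition path: sender passes a capability it holds
        to a receiver it also holds a capability to.  Anything else is
        refused; that refusal is the 'thing the kernel does not do'."""
        if target not in sender.caps:
            raise PermissionError(f"{sender} does not hold {target}")
        if receiver not in sender.caps:
            raise PermissionError(f"{sender} cannot reach {receiver}")
        receiver.caps.add(target)


def reachable(start):
    """Worst case: every object a (possibly compromised) start object
    could ever influence, following held capabilities transitively."""
    seen, queue = set(), deque([start])
    while queue:
        obj = queue.popleft()
        for cap in obj.caps:
            if cap not in seen:
                seen.add(cap)
                queue.append(cap)
    return {o.name for o in seen}


def build_scenario():
    """Constructed sample: a large-attack-surface mail client and a small
    critical signing application sharing one platform."""
    k = ToyKernel()
    k.create("network")
    k.create("display")
    k.create("private_key")
    k.create("mail_client", holds=["network", "display"])  # large attack surface
    k.create("signer", holds=["private_key"])              # critical, tiny
    k.create("shell", holds=["mail_client", "signer", "display"])
    return k


if __name__ == "__main__":
    k = build_scenario()
    o = k.objects
    print("mail_client can reach:", sorted(reachable(o["mail_client"])))
    # The mail client cannot name, open or fabricate the key; no such call exists.
    try:
        k.grant(o["mail_client"], o["mail_client"], o["private_key"])
    except PermissionError as e:
        print("refused:", e)
    # Only a holder of both ends can connect them, and then only with what it holds.
    k.grant(o["shell"], o["mail_client"], o["signer"])
    print("after the shell grants signer:", sorted(reachable(o["mail_client"])))
```

Before the shell connects them, a fully compromised mail client reaches only the network and the display; the key is simply not in its world, however large the client's own code is. After the grant, `reachable` reports the key as well, because it is an upper bound: the signer still mediates every use of the key, but the designer now has to review the signer's interface, which is the whole point of computing the bound before deciding what to hand out.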

Other micro-kernel projects have also presumed that the exclusive goal was to host Linux apps. They may not fail, but they will fail to provide the designer the means to produce a secure app: the vulnerabilities of the result will include those of both system levels, the micro-kernel and the Linux hosted on it.