Perspective from 2011

Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’
Office of the National Counterintelligence Executive

There is a hint of desperation in recent news about computer security. An almost universal implicit assumption is that computer platform architectures are immutable givens from on high. Never mentioned is the notion that platform architecture might be improved. If any attention is paid to the platform it is in the form of “What can we add to the platform to make it safe?”. Most of the rest of the dialog is how to make laws and do diplomacy to solve the problem. We suggest here that the vast majority of these problems have technical solutions; they are proactive to prevent damage, rather than reactive attempts to find and punish the perpetrators.

I propose two theses:

The second is closely related to Tony Hoare’s “The unavoidable price of reliability is simplicity.”. Reliability and security are not the same, but they support each other. When capabilities are at the lowest levels of platform architecture and other software on which the application relies, then carefully architected applications may be made vastly more secure than any implementation of those applications on today’s commercial platforms.

Capabilities are not conventional but they are simple. They do not directly reflect common kernel level security notions, but they solve the real problems and many others unaddressed by the lowest levels of conventional platforms. Capability notions can be seen in the parameter logic in many of today’s computer languages. In particular capability platforms can host critical applications so as to reduce the set of software that they are vulnerable to, to only those software elements that the application actually needs, and to reduce even those exposures. In current platforms, each of the abstraction layers is so complex as to provide a large attack surface each of which a sophisticated virus can penetrate to the lowest level and subvert the entire system and any application thereon making all applications vulnerable to all software on the platform.

Compatible environments can be built in the capability world that run applications designed for conventional systems, but the degree of extra security they gain depends in complex ways on the application implementation. Several unmodified complex Unix applications ran on the Luna version of Keykos. The 370 Keykos ran unmodified CMS applications as fast as in their native environment.

Capability platforms, such as Keykos, do not aspire to make the whole platform secure, but to provide very secure niches within which sensitive applications can run securely as they were designed.