I write this in late 2015. I wrote a similar note in 2011.
My friends and I, with the help of some investors, cobbled Keykos together in the 80’s to solve a class of security problems we saw then. Unfortunately, few others saw those problems. We heard over and over that when and if security became important, some module for Linux, Windows or Mac would be delivered to solve all those problems.
I want to describe Keykos today from a somewhat different perspective: same system, different perspective. There are other systems that may provide some or all of these advantages, such as seL4, Capros, and possibly Hurd or early Mach. Cheri and Capsicum are also promising. You might notice that all of these systems are founded on capabilities. I plan to write on some of the differences between them and Keykos.
I think that I know how to build a system that includes gigabytes of code but where ‘mission critical code’ therein need rely on much less than a megabyte of code for its security and integrity. Furthermore, a savvy user will be able to understand why this is so and need not take on faith that there is nothing to worry about. The system that I imagine will not try to remove from the user all security considerations. If the user consults with two companies that compete, the user will be involved in drawing the line between the two corresponding computer worlds. I find Apple’s ‘Spotlight Search’ (a search engine for my Mac) truly useful. So does any virus on my machine intent on exfiltrating secrets.
The system that I imagine today would provide hooks that many, perhaps most, users today would have little use for. I am not designing a system for everyone, yet. I am designing a system where selected highly sensitive computer activities are safe.
Hardware is a necessary and critical piece of this story. I have not seen descriptions, let alone authoritative descriptions, of what today’s hardware does. I suspect that, for many applications, drastically simpler hardware will largely overcome this impediment.