Credibility

Why should someone believe that a platform with capabilities starting at the bottom can be secure?

Here are some facts, that are not immediately obvious, but which can be verified at a cost much smaller than that of building the system.

The kernel specifications are clear and largely unambiguous. This is in part due to our learning to document from the example of the “IBM/370 System Principles of Operation” from which several highly interoperable systems were successfully built. It was also in part due to access to Doug Engelbart’s ‘Augment’ system where the documentation was produced. We did not quite achieve the quality of the 370 manual but that was the style and it is not a large effort to enhance the definition as necessary for the plan described below.
Much the same can be said of the next layer of objects upon which most applications will rely.
It will be clear, without reading the code, that such a kernel can implement such specs which is to say that whether the currently implemented kernels meet the specs is not entirely germane to the ultimate argument.
That such a manner of assembling programs into a system is plausible can be seen from the many system components that were implemented and documented for the 370.

The plan is to present the detailed architecture to specialists in penetration, together with some tentative architecture above the kernel sufficient for some critical application to show that the total attack surface is vastly smaller than commercial systems, even in the presence of other applications with a large attack surface.

SELinix is reputed to be difficult to configure and utilize but I have no direct information to support this. We must, however, address usability of the resulting system. This is perhaps a later phase but perhaps an early tentative description of a system that includes many applications, perhaps with various degrees of security, on the same platform can be contemplated.

Most aficionados would call the Keykos kernel a ‘micro-kernel’ and many would point out that micro-kernels have been tried and ‘failed’. The Mac OS X has certainly not failed and that is built on Mach which evolved from a micro-kernel. OS X has a somewhat undeserved reputation for being secure but I suspect that the Windows enthusiasts are largely right that the professional malware folk have not crowed each other out on the Windows machines and thus don’t much bother with the Mac. There are a few security advantages that I am aware of on the Mac.

Apple has added many things to the Mach kernel and it is no longer small. Worse it has published no document that would allow an application builder to reason about the Mach architecture to design a secure application. Critical to this would be defining a category of things that their version of Mach does’t do. For instance is the only way for me to get a port for someone with that port to send it to me via another port. Such assurances are the key to building a secure app on a platform. OS X is treated as if the its only purpose was to support a Linux. Apple discourages application designers delving into the Mach level. This means that the encouraged application level has all of the architectural security problems of Linux, (and Unix).

Other micro kernel projects have also presumed that the exclusive goal was host Linux apps. They may not fail but they will fail to provide the designer the means to produce a secure app. The vulnerabilities will include those of the two system levels.