The Way Forward

There is much work to be done before a capability platform can serve modern needs on modern hardware. But there is much recent experience that shows the way, and software with liberal licenses to begin from. Keykos and Capros are the two candidates that I have in mind. Neither has been adapted to modern graphics, although the Keykos Luna version ran the X11 graphics system using the early bit-per-pixel graphics of that hardware.

I suspect that some potential supporters will want to better understand the quality of security that can be expected of such a system. Keykos and perhaps Capros are already well enough documented to provide attackers enough information to design attacks. We have concrete information on the size of the code that presents an attack surface; indeed, we have the code. Capros runs on available hardware, and Keykos with graphics runs on somewhat obsolete hardware. For the simplest applications, about ½ MB of code needs to be correct to provide security. I suspect this is several orders of magnitude smaller than conventional commercial platforms.

A collaborative effort between someone with detailed knowledge of some browser's structure and someone versed in capability design patterns could produce a design for a hardened browser that would securely support perhaps a wide class of browser-based applications. This design effort could also provide an estimate of the security that such a project could provide, and in what circumstances.

I do not want to quote numbers, but a small capability-savvy team with frequent access to browser-savvy experts could produce a viable estimate in a few months. This could support an architecturally based security review, which would likely provide architectural design feedback as the security properties and requirements came into better focus. Making a running system around the resulting plans would take somewhat more effort.

Two somewhat different application areas can be addressed: the personal computer or workstation, and the server. Most of the work is common to both, but servers typically lack display requirements. Even servers must be administered, and a bullet-proof server may not supply adequate security without a secure workstation from which to administer it, as well as secure clients to access the server.

Similar to the server are the infrastructure control computers (or ‘industrial control systems’), with the same need for administration.