The Trusted Installer

We explore here design issues for a trusted installer for an operating system such as Keykos.

The trusted installer is a TCB service that installs new code in a capability system such as Keykos. It accepts a pile of bits — a package — that aspires to be obeyed as code in the system. The system user or operator, user here, presumably has some incentive to install this package and delivers the package to the installer. The user trusts the installer and perhaps the producer of the package does as well.

There are several standard contracts, one of which may be mutually agreeable to the user and the producer of the package. The installer is aware of some of these contracts and a particular contract is identified by a code within the package. For each of these standard contracts, the installer includes a copy of the contract in English and also a body of code written by someone who understands that contract and is capability savvy. If the user agrees then this code installs the software so that the terms of the contract are enforced by capability discipline. Some of the contract clauses may favor the package producer, especially if the hardware is to some degree tamper resistant. A permanent record of the installation is made and an ability to undo the installation is produced and registered thus: A new object which is the landlord’s agent to the installation is created and returned to the caller of the installer. This is the landlord’s key (a capability). Normally the landlord is an agent totally loyal to the user. Companies who buy computers for their employees may have other plans. The installer keeps a list of these keys which have not been evicted. Orders (methods) on the landlord’s key are to:

Note that this does not give the landlord (user) access to the innards. Normally the code within the package returns some capabilities to the user. These are normally the capabilities by which the user enjoys the benefits of the installation.

An apartment has been created.

The time and space control features described above need to be factored out so that they may be used more generally than for installers.


We explore a few possible contracts now. They each grant the tenant code keys to:
Discrete Insider
Such a package will result in an object with no access outside the computer. Note that the user does not get access to the innards of this object so there is a degree of propriety for the producer assuming that the user does not subvert the system. Such an application is unable to send data out of the computer. This is suitable for an address list keeper.
Ambassador
This is someone else’s agent. He is presumed to be in constant contact with someone outside the computer. He might thus produce useful weather forecasts, but don’t tell him you secrets. Such a package will result in an object with extra access to the Internet but outside the company’s firewall or NAT box.
Personal emissary
Your bank (like Bank of America) may want to provide code that runs in your machine, communicates securely with the bank’s computer, and talks to you or your personal financial assistant (an object that from another source) about bank things. You may as well trust this code to do crypto right and give it authority to build TCP circuits on the internet and encrypt them.
Any of these contracts may have riders which are options for extra capabilities. For instance you may want in insider app that is able to send a command to your mail program to initiate new mail to a specific mail address.

The window capability is vague at this point. It might include receiving text pasted into the window, or the window might allow text copy from the window.