Background
The current EXECUTE command causes the command system to loan SIK & SOK keys to a program that may not warrant trust by the user. The program may then control the command system.
A similar hazard with recent notoriety is where a bad program sends magic characters to the terminal so as to capture the loyalty of the terminal. When the user returns to the command system, the terminal issues commands not intended by the user.
The CCK-SIK-SOK set needs to be weakened so as to prevent unprintable characters from going to the terminal, with no way of bypassing that prevention.
Another problem is to get back into communication with the command system when the suspect program fails to return to the command system.
I claim that these several functions should not be put into separate modules because a program that is not trusted to return your keys should not be trusted not to misuse them and vice-versa.
Some assertion such as the following may be true of almost all terminals and may be sufficient to avoid the "duped terminal" attack.
If a terminal is "reset" at the beginning of a session and receives only "standard characters" from the computer, then the terminal will send only those characters directly resulting from and corresponding to keyboard keystrokes. By "standard characters" we mean space, CR, LF, and the 94 printable ASCII characters.
If SOK4 were to refuse to send anything other than a specifically enabled set, the problem would be solved. The CCK4 key must be relativized to the branch somehow also.
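
The refusal rule just described, as an added example that is not part of the original note: a write is rejected whole unless every byte is in the enabled set, which starts out as the standard characters defined above. The filtered_out type and its functions are hypothetical stand-ins for a weakened output key, not the SOK4 interface.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a weakened output key: an enabled set of byte
   values plus a buffer standing in for the terminal line. */
typedef struct {
    unsigned char allow[32];  /* bit c set => byte value c may be sent */
    unsigned char sink[256];  /* constructed stand-in for the terminal */
    size_t sent;
} filtered_out;

static void enable_byte(filtered_out *f, unsigned c) {
    f->allow[c >> 3] |= (unsigned char)(1u << (c & 7));
}

/* Enable exactly the "standard characters": space, CR, LF, 0x21..0x7E. */
void filtered_out_init(filtered_out *f) {
    memset(f, 0, sizeof *f);
    enable_byte(f, ' '); enable_byte(f, '\r'); enable_byte(f, '\n');
    for (unsigned c = 0x21; c <= 0x7E; c++) enable_byte(f, c);
}

/* Index of the first byte outside the enabled set, or -1 if none. */
long first_refused(const filtered_out *f, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!(f->allow[p[i] >> 3] & (1u << (p[i] & 7)))) return (long)i;
    return -1;
}

/* All-or-nothing: if any byte is refused, nothing reaches the terminal. */
int filtered_write(filtered_out *f, const void *buf, size_t n) {
    if (first_refused(f, buf, n) >= 0 || n > sizeof f->sink - f->sent)
        return -1;
    memcpy(f->sink + f->sent, buf, n);
    f->sent += n;
    return 0;
}

int main(void) {
    /* Constructed sample: printable text followed by an ESC byte. */
    const unsigned char bad[] = { 'o', 'k', 0x1B, 'X' };
    filtered_out f;
    filtered_out_init(&f);
    printf("plain: %d\n", filtered_write(&f, "ls -l\r\n", 7));
    printf("with ESC: %d (refused at %ld)\n",
           filtered_write(&f, bad, sizeof bad), first_refused(&f, bad, sizeof bad));
    return 0;
}
```

Rejecting the whole write, rather than dropping the offending byte, means the untrusted program cannot learn which bytes were dropped and reshape its output around the filter.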