First see Chip Morningstar’s recent comments and my detailed notes thereon.
Chip’s thrust will happen somehow if we survive long enough and now is the time to start. I want to push for a quick fix with early payoff for many critical problems. It is also a necessary part of Chip’s larger project.
Like Chip I will be blunt. Current OS architecture is badly wrong. Fixing all the Unix or Linux or OpenBSD bugs will not solve the problems. The same goes for Windows and Mac OS X. iOS and Android have moved 10% in the direction that I propose but as best I can tell they have done this by adding code to a base already far too complex. Current OS’s all assume that we supply global textual names for everything and much later decide how to say that some programs can’t access everything. These insights go back to 1965 and Dennis & van Horn’s PDP-1 system. I wish I could give a short snappy proof for these claims but today I can’t.
I do, however, make some bald claims:
The new kernel entirely upsets affordances of conventional kernels. The next 256 KB of code fills in function that civilizes capability discipline while itself being confined by that discipline. A third layer is composed of hacks to fool legacy code with virtual environments sufficient to get their jobs done. Capability savvy code does not use or rely on this third layer. This third layer is not in the security “reliance set”. The third layer gets some credibility from the success of virtual machines which are known to actually provide useful environments. Here is some Keykos experience with such a layer. More recent virtual machines provide a tad of sharing without sacrificing security. Our safe sharing goes far beyond. There are many details to be filled in and I will miss some.
These claims are indeed bald but can be vetted at a minuscule cost compared to the issues that the press suggests. Regarding formal proofs.
In short we swap out the kernel and replace it with a much smaller capability kernel and a level of capability savvy logic, maintaining the hardware and applications.
My claims are based on experience with Keykos. There are several similar technologies that might also serve.
Apple provides an impressive document on iPhone security. Apple’s considerations are nearly disjoint and complementary to these.
Keykos was designed for different purposes than what drives us here. Those original advantages survive, such as metering access to data, confinement, and quite a few more.
much about OS X.
There is much hype here, but also considerable value, I think.
Succinct description of why caps are good