Computer Security, The Very Idea

I am unfamiliar with the details of ActiveX controls, but text arrives from a strange computer and is interpreted by the user’s computer as instructions to be obeyed in a context where such instructions can damage any of the user’s data. (Today, 2014, Microsoft provides extensive warnings about ActiveX and notes that now each activation requires explicit user permission.) Fred McLain provides some details on the mechanism and the partial protections provided by some browsers. The same pattern has marred several other attempts to make imported material more convenient to the recipient.

I find it strange that this pattern has been repeated so many times, even after the publicity of previous failures. Perhaps there is a feeling that obeying commands from external sources is so powerful an idea that we must wish away the fatal consequences. There is little evident attempt, except for Java, W7, Safe-Tcl (too) and E, to gain the benefits of executing unexamined code safely. We will say more about Java later.

In order to give a simple existence proof that at least some of these problems can be solved, let me put two ideas together in ways that are not obvious to everyone.

Separate Machine

If I need badly enough to run your program, then I can buy a new computer with the correct software installed, call your site, fetch your code and run it. The worst that can happen to me is that I will have to reinstall all of the software on the new computer. I lose none of my secrets and little of my work, for they do not reside on that computer. The new computer must not be networked, and if there is an infrared link on the back I must tape it over. I must hope that there is not an “air port” as in recent Macs, over which a virus can jump to a nearby gullible machine. If it has Bluetooth or WiFi I may need a Faraday cage.

Virtual Machines

There are several implementations of the virtual machine idea. A program provides the illusion of several machines through simulation. A simulated machine can run an entire OS just like a real machine. Technical tricks make this much more efficient than might first be thought. This supports the same strategy as the separate machine. See this for more details on one such system.

We thus have a constructive existence proof that you can, within one machine, keep secrets from other programs in the same machine.

These examples may seem trivial, but they may overcome the frame of mind that I sense in some people that the problem is so hard that we can’t even think about it, or that if we did then the human interface would be incomprehensible to the user. I claim that the two-computer solution is easy for the user to understand, and that a metaphorical two machines on one real machine would be very nearly as easy, and cheaper as well as more convenient. A graphical depiction of the two machines and any connections they might have completes the metaphor.