Computer Security in 2012

Background and Disclaimer: I worked on developing a secure computer platform, Keykos, from around 1970 to 1995. It provided a sound foundation upon which to provide a software platform highly resistant to the sort of malware that we commonly hear of now. It was a good foundation and ran for several years in a production environment, but lacked much of the superstructure that is expected of today’s personal computers. In particular it lacked a user interface to allow consultation with the user about security policies that only the user can define. My comments now are, of course, in light of that experience.

Today our personal computers, from lap-tops to PDAs and smart-phones, are founded on an architecture developed by a group and for a group of people who all trusted each other. Early in the days of Microsoft Bill Gates said the security was of no concern for the personal computer. In time he changed his mind very publicly. The unsound architecture has been patched but not changed.

There is indeed today an inner sanctum in your computer, the kernel and a few other trusted programs, that are guarded at great effort but not well for without their correct function your computer will not even boot. Your bank credentials however are not in that sanctum and even that sanctum is often breached.

Perhaps the most glaring attribute of today’s systems is the size of the TCB. In effect all of the software on today’s computers is in the TCB. There is a portion of the system designed to protect itself, but that portion is so large and complex that bugs and vulnerabilities which allow subversion are regularly found.

Even the security policy which the kernel is designed to provide leaves the user’s world outside the kernel at risk to applications.


A capability foundation requires a small foundation that limits itself to the security policy that a capability to some thing is necessary and sufficient to access that thing. The above is not quite complete but nearly so. That simplicity accounts for the small TCB of capability systems. One of the later Keykos kernels was 125 KB plus about that much more code outside the kernel that most applications relied on. It is reasonable to aspire to and even expect that much code to be correct, especially when the specification of its task is simple.

There is a tradition of describing simplistic patterns of capability usage and then pointing out problems that they do not address. The implication is that the capability paradigm is at fault. In my experience all of those patterns can be replaced by other capability patterns which solve the problem. The problems of confinement and revocation come to mind.

To Be Done

A great deal of software remains to be designed to involve the user in these security issues. Prior even to that is to design or discover the notions that the user must have to live in this new cyber world. Most people know that there are places and times where one does not wander in some cities. Apple, Microsoft and Google would have you believe that they can provide a walled garden in which you will find a safe part of cyberspace; they will keep the bad guys out and you should not worry. Their notion of safe includes observing you to see what sorts of ads to show you.

There is scuttlebutt that Apple recently removed an application that ostensibly reveals the ‘entitlements’ the other apps on the user’s system. This suggests to me that Apple presumes an entirely naïve user—a user ignorant of the laws of cyberspace. I think that I do not want to live in a world where someone else establishes secret laws about who has my data. See this too.

The current players in the space of cyberspace portals appear intent on limiting their customers to a benign utopia, reminiscent of AOL. We can do better than that, we can provide a pocket window into cyberspace where we can at once do banking safely and play games written by the Russians, and we can conceal our purchases and web browsing from Madison avenue. We might have to pay a pittance for these privileges.

Another cloud on the horizon is the complexity of hardware. There are two sorts of complexity: complex external specifications, and complex implementations. Intel’s authoritative description of the external behavior of their modern CPUs which Window’s and Apple’s lap-tops use now runs to 4000 pages. Their graphics hardware requires another 2500 pages. A fair part of this behavior is not relevant to TCB design but it is not easy to delimit that part. The graphics hardware of other companies is reportedly more complex and not documented.

The ARM CPU architecture in most pads and smart-phones is very substantially simpler in both specifications and implementations. Some platforms lack graphics hardware. It is plausible that graphics hardware could be included in a hardware platform so as not to be in the TCB but that is not a simple task.

My conclusion is that the TCB can be shrunk by two or three orders of magnitude with concomitant improvement in vulnerability rates while simultaneously affording new security patterns not currently supported. We thus break out of the walled garden plan once again. It is a lot of work.

To be addressed

This is vague but it indicates to me that Apple must involve the customer in issues of entitlement.