Today our personal computers, from lap-tops to PDAs and smart-phones, are founded on an architecture developed by a group and for a group of people who all trusted each other. Early in the days of Microsoft, Bill Gates said that security was of no concern for the personal computer. In time he changed his mind very publicly. The unsound architecture has been patched but not changed.
There is indeed today an inner sanctum in your computer, the kernel and a few other trusted programs, which is guarded at great effort, but not well, for without its correct function your computer will not even boot. Your bank credentials, however, are not in that sanctum, and even that sanctum is often breached.
Perhaps the most glaring attribute of today’s systems is the size of the trusted computing base (TCB). In effect all of the software on today’s computers is in the TCB. There is a portion of the system designed to protect itself, but that portion is so large and complex that bugs and vulnerabilities which allow subversion are regularly found.
Even the security policy which the kernel is designed to provide leaves the user’s world outside the kernel at risk from applications.
There is a tradition of describing simplistic patterns of capability usage and then pointing out problems that they do not address. The implication is that the capability paradigm is at fault. In my experience all of those patterns can be replaced by other capability patterns which solve the problem. The problems of confinement and revocation come to mind.
There is scuttlebutt that Apple recently removed an application that ostensibly reveals the ‘entitlements’ of the other apps on the user’s system. This suggests to me that Apple presumes an entirely naïve user, a user ignorant of the laws of cyberspace. I think that I do not want to live in a world where someone else establishes secret laws about who has my data. See this too.
The current players in the space of cyberspace portals appear intent on limiting their customers to a benign utopia, reminiscent of AOL. We can do better than that; we can provide a pocket window into cyberspace where we can at once do banking safely and play games written by the Russians, and we can conceal our purchases and web browsing from Madison Avenue. We might have to pay a pittance for these privileges.
Another cloud on the horizon is the complexity of hardware. There are two sorts of complexity: complex external specifications, and complex implementations. Intel’s authoritative description of the external behavior of their modern CPUs, which Windows and Apple lap-tops use, now runs to 4000 pages. Their graphics hardware requires another 2500 pages. A fair part of this behavior is not relevant to TCB design, but it is not easy to delimit that part. The graphics hardware of other companies is reportedly more complex and not documented.
The ARM CPU architecture in most pads and smart-phones is very substantially simpler in both specifications and implementations. Some platforms lack graphics hardware. It is plausible that graphics hardware could be included in a hardware platform so as not to be in the TCB but that is not a simple task.
My conclusion is that the TCB can be shrunk by two or three orders of magnitude with concomitant improvement in vulnerability rates while simultaneously affording new security patterns not currently supported. We thus break out of the walled garden plan once again. It is a lot of work.