I'd worked on the previous system, KSOS, mentioned in the article. I wrote the file system and all of the drivers, while at an aerospace company. We'd used formal specifications in SPECIAL. Nobody could prove anything about SPECIAL yet, but I wrote a compiler-like syntax and type checker, so it was at least type valid. It was a good language for writing down invariants. I used it to describe file system consistency and recovery. Another group started work on PSOS, but never got past the design stage. I managed to avoid getting sucked into that, because it looked like a death march.
SRI, which was a think tank, just did abstract designs. It was extreme waterfall. One group wrote a spec, and a contractor implemented it. This did not work too well. They did have Boyer and Moore, and those two made real progress on proof systems. I used their prover for another project, and talked to them a lot. But they were not closely associated with PSOS. Specifications in SPECIAL, which is quantifier-oriented were not compatible with Boyer-Moore theory, which uses constructive mathematics and recursive functions.
The big problem in that era was that the hardware wasn't ready for secure operating systems. KSOS was for the 16-bit PDP-11 line, and it took a cram job to make it fit. The Modula I compiler wasn't very space-efficient. Optimizations had to come out to make it fit, and the result was too slow.
Microprocessors weren't quite ready yet. Neither Intel nor Motorola had a decent MMU. The suitable target machines were all minicomputers, which were on the way out. PSOS never got far enough to pick an implementation target.
Capability-based systems work, but they create a new problem - ticket management. You have lots of tickets which let some piece of software do something, and now you have to track and manage them. It's like physical key control. It's the same reason that Windows access control lists are little used. You also still have the delegation problem - A can't do X, but A can talk to B, which can do X. Most modern attacks involve that approach.
Most of the early secure OS work was funded by NSA. NSA had an internal division in those Cold War days - the important stuff was at Fort Meade, and the less-important stuff was some distance away at FANX, an annex out by Friendship (now BWI) Airport. FANX had personnel ("HR" today), training (including the cryptographic school), safe and lock testing and evaluation, networking, and computer security. Being exiled to FANX was bad for careers. This set back the computer security work.
There was also industry pushback. The operating system testing criteria were borrowed from the safe and lock people. Something submitted for testing got two tries. First try, the evaluators told the vendor what was wrong. Second try was pass/fail with no feedback. That's how locks for vaults were evaluated. Computer vendors (there was not much of a separate OS industry yet) hated this. They eventually got a testing system where "certified labs" did the testing, and a vendor could have as many tries as they were willing to pay for.
Some good secure OSs came out of that, and passed testing. But they were obscure, and for obscure hardware - Prime, Honeywell, etc. If you dig, you can find the approved products list from the 1980s.
What really killed all that was the growth of the computer industry. In the 1960s and 1970s, the government was the biggest purchaser of computers and electronics. As the industry grew, the government became a minor purchaser with a slow update cycle, and could not get design-level attention from major vendors. There was much grumbling about this from military people, especially the USAF, as they were sidelined during the 1980s.
1. In "If A1 was the answer, what was the question," thr author pointed out that features and assurance levels were mandated together. Buyers often didn't need specific features which made it more costly and slow to develop for nothing. The festures the market demanded weren't present. So, TCSEC-certified, high security was unmarketable.
2. In a similar vein, Lipner's "Ethics of Perfectiom" talked about how it took two to three quarters to make a significant change to the VAX Security Kernel. The market was wanting major features every quarter. They couldn't afford to lag behind all the competition in velocity.
3. Another person mentioned changes in DOD (other government?) purchasing policy to order COTS products from many vendors. Those vendors were also sometimes paying campaign contributions or hiring ex-Pentagon people to be favored. Their products weren't TCSEC A1. So, corruption and supplier diversity both forced government agencies to use insecure products which made secure products less competitive.
4. Similarly, the NSA started pushing lower-assurance like CC EAL4 and later Commercial Solutions for Classified. They were also selling GOTS gear guaranteed to get their approval. In these ways, they caused a surge of low-assurance competition with high-assurance vendors.
5. They promoted, required expensive certs for, and basically killed the Seperation Kernel Protection Profile. Spending millions on something that ultinately didn't matter to them doesn't inspire more EAL6+ certifications.
So, those are the examples I remember.
On the contrary, the whole selling point of capability-based systems is that they're the solution to preventing these sorts of confused-deputy attacks.
Part of it is inertia, but part of it is ignorance. Enthusiasts spend tons of money and effort building another GPU enabled terminal or safe programming languages - and maybe that's fine, but I wonder what we could've accomplished if people were simply aware what a well-designed capability OS could be like, because this is literally the only OS paradigm in existence (that I know of) that's even worth any serious effort.
OP is arguably the first paper that introduces ocaps. Some of the issues are discussed in "Capability Myths Demolished" https://papers.agoric.com/assets/pdf/papers/capability-myths...
Wasn’t that the reason why Microsoft went allout against Java? Write once, run anywhere. JVM was a “trojan horse” and theoretically could have dominated the world.
If a binary has the capability to withdraw money from my account, I don't want that capability given to just any binary.
The paper adds little to TCSEC/"Orange Book"/FOLDOC publications. Yet the poster doesn't deserve all the negative karma.
On a consumer CPU/GPU/NPU, software just isn't going to be enough to fix legacy design defects. Have a great day. =3
The IBM System/38 did this around the same time, along with its successor - the AS/400. When the AS/400 switched to POWER (or PowerPC AS), they started using standard RAM, but are still able to have a tag bit for each 16byte(?) pointer using ECC, but the instructions to do that aren't privileged. The AS/400 or "i" as it's now called is still around.
I don't think the authors had that in mind when they wrote this, but to look back at and imagine a future where such things had taken hold is truly scary.
"The road to hell is paved with good intentions."
In a capability system, you pass resource capabilitys to subsystems. You can not use resource handles that were not passed to you just like a function can not access variables that were not passed to it (except for explicit global variables.
In ambient authority systems, as a common example, you can just blindly convert what are effectively strings into resource handles (the metaphorical equivalent of casting integers to raw pointers). Your access is mediated by a orthogonal system that tells you which resource handles/pointers you are allowed to use. That is like having a program that runtime checks every pointer access is allowed instead of just preventing you from manufacturing pointers.
You coordinate across subsystems by naming certain resources in the global ambient space in a coordinated fashion (effectively a global variable which is basically just a named memory location in the common memory space). That way the subsystem knows the global you put their parameters/resources in.
While you can still program like that, everybody now knows it is a terrible way to live. Parameter passing and local variables with explicit global variables is almost always the way to go. That same lesson should be learned for operating systems.
Idk, just guessing
Rebuild everything from scratch, with AI agents. Then make them prove what they wrote.
