Robustly secure computer systems

Abstract

For over 30 years, system software has been bound by compatibility with legacy applications. The system software base, whether proprietary or open source, is dominated by the programming language C and the POSIX operating system specification. Even when commercial operating systems stray from this model, they don't go very far.Unfortunately, the POSIX/C base was constructed in a more benign environment than today and before many security issues were widely understood. Rather than fix these issues, compatibility has been deemed more important than security, and so this base has been kept intact with all its flaws. As a result, programmers routinely create software with security holes---even in the most security critical software---and today's systems are easily attacked.We propose a new paradigm of system discontinuity which emphasizes security over compatibility by removing those constructs in our system software which lead to security holes in applications. Of course, removing parts of the interface will break applications, and hence the discontinuity. To deal with this situation, we advocate the use of virtual machines to enable multiple operating systems to run concurrently. Thus high security OSs can be used for the most security sensitive applications. Compatibility is maintained for less security sensitive applications using legacy operating systems. Over time, legacy applications can migrate to a more secure OS, thus raising the security of all applications.