Published in: International security protocols workshop

Security Limitations of Virtualization and How to Overcome Them

Abstract

To be useful, security primitives must be available on commodity computers with demonstrable assurance and be understandable by ordinary users with minimum effort. Trusted computing bases comprising a hypervisor, which implements the reference monitor, and virtual machines whose layered operating system services are formally verified, will continue to fail these criteria for client-side commodity computers. We argue that demonstrable high assurance will continue to elude commodity computers, and that complex policies which require management of multiple subjects, object types, and permissions will continue to be misunderstood and misused by most users. We also argue that high-assurance, usable commodity computers require only two security primitives: partitions for isolated code execution, and trustworthy communication between partitions and between users and partitions. Usability requirements for isolated partitions are modest: users need to know when to use a small trusted system partition and when to switch to a larger untrusted one; developers need to isolate and assure only a few security-sensitive code modules within an application; and security professionals need to maintain only the trusted partition and a few isolated modules in the untrusted one. Trustworthy communication, which requires partitions and users to decide whether to accept input from or provide output to others, is more challenging because it requires trust, not merely secure (i.e., confidential and authentic) communication channels.