[nickpsecurity]

I replied with a pile of high assurance browser designs last time you said that. Such work could be turned into a production system. It's what Google did, actually, by turning OP Web Browser into Chromium. Weakened its security to make Chrome lightening fast. Yet, Chromium work was way harder to build than just getting one of these prototypes into better shape. They managed that, someone could manage other goal.

Besides, you can always isolate that part onto an untrusted board with KVM switch built in like I used to do. Push-button easy.

[tptacek]

The reason I cite browsers here is that browsers are very hard to get right (content-controlled full-featured programming languages along with renderers for every mainstream file type). I think they serve as a pretty good illustration of why the high-assurance software approach fails for consumer computing.

I'll take high-assurance consumer software seriously when it produces a browser that is competitive with IE on Twitter, Facebook, and Google Mail.

I don't think solutions that involve KVM switches are meaningful in the real world. Journalists aren't going to KVM switch from their browser to their word processor. I'm not interested in litigating this point; I am un-convinceable on it. I'm not much more receptive to systems that devolve to the software equivalent of KVM switches.

[nickpsecurity]

"browsers are very hard to get right (content-controlled full-featured programming languages along with renderers for every mainstream file type). I think they serve as a pretty good illustration of why the high-assurance software approach fails for consumer computing."

This is true. They may not be able to be represented directly in a way that spots every failure model. However, what's been done repeatedly in high-assurance is isolation and information flow mechanisms that can contain problems of arbitrary programs. Several did this for browsing while others did whole VM's. You've been satisifed with low assurance software isolating or mitigating problems in such apps. Why not high assurance doing same thing given it's worked before for other apps?

Side note, Burroughs 1961 machine had hardware checks to enforce pointer bounds, mark code/data separate in memory w/ cpu checks per instruction, protect stack, and interface check function calls. Everything but interface check had almost no performance overhead in various implementations. Various ways to do interface checks at different cost-benefit. Holding off on that one. Yet, even the others should severely constrain what attackers can do given almost every injection starts with pointer or stack manipulation followed by data being executed. All three are blocked by Burroughs architecture. That's huge security benefit with almost no performance hit that can be automated by compilers. CHERI went further than that with a port of FreeBSD and C lib on theirs.

"when it produces a browser that is competitive with IE on Twitter, Facebook, and Google Mail."

I know many use Webkit and Javascript engines. Microsoft's Xax was used with PDF readers and such. Whether it handles the stuff competitively is still a good benchmark which I have little data on. What would you say competitive means here? All the features work, page loads reasonably fast, and web apps run reasonably fast? Would that do for future measurements or anything else in mind? I'll try to see if I can get anyone in the projects to run them.

"I don't think solutions that involve KVM switches are meaningful in the real world."

The money that's made selling them, including companies that specialize in it, argues otherwise. The question is where they're meaningful and to whom for what price.

"Journalists aren't going to KVM switch from their browser to their word processor. "

That's a semi-strawman. There's a ton of companies and individuals that go through extra trouble for the sake of security. A flip of a switch and drag-and-drop transfer icon is way less trouble. So, the market is bigger than you suggest. Let's say it's a journalist anyway as I get what use-case you're describing. My concept was an All-in-One desktop PC with Trusted and Untrusted functionality with the physical computers, separation, switches, etc built-in. Almost all of it is hidden except for CMW-style windows representing different security levels and physical button/switch for changing. Leads to...

" I'm not much more receptive to systems that devolve to the software equivalent of KVM switches."

...basically a QubesOS or browser-VM-like solution with hardware-enforced separation that otherwise doesn't look any different from these. Tenix already did an ugly version of this to high-assurance. A more usable one is possible. Anyway, you saying you don't believe a journalist or layperson concerned about privacy/security would ever use a QubesOS-like solution to separate low and high risk, work and play, secret and public, or something similar? I think a number would. Only difference is mine would be implemented different inside. Even could have a software switch if absolutely necessary.