It's sad that they did the research[1] and solved computer security about 40 years ago[2], and then proceeded to lose that hard won knowledge over time.
People will think you are exaggerating, you aren’t. They will also think I’m exaggerating that you aren’t, I’m not. Learning about capability-based microkernels and realizing this has been a solved problem for years, and is actually one of the rare easy freebie problems in computing, is a highly sobering experience!
Only thing I disagree on is that we lost that knowledge, we did not, there isn’t much to capabilities, they actually simplify OS design IMO.
Capabilities-based OSes aren't magic. Their robustness still depends on underlying assumptions, which may or may not hold. See eg relevant disclaimers in seL4 whitepaper(s).
And hardware glitches are a thing (edit: and supply chain attacks).
But I do agree that verified correct software can offer very strong guarantees that go well beyond those of commonly deployed software. We could have been in a much better place today.
their robustness lives in hardware capabilities. amd64 and intel x86_64 have quite good features but people dont use them well. For example you can have your microkernel be at the hypervisor level and thoroughly isolate devices etc through IOMMU and have almost no attack surface to get access deep enough to make significant changes to the security posture.
still not immune to be hacked ofc. I think the last step would be making it common place again to build these things custom. that way they'd have to have more specific information available as threat actors to exploit you. It'd be harder to have generic methods affecting millions of systems.
regardless there are no silverbullets, and tradecraft/opsec will always be a thing.
most compromises are because people hand out keys unwittingly rather than 0days and crazy sploits. (they do happen though, but its more expensive than fishing and just loggin on under some dudes credentials)
But what does that mean? Can I browse a webpage, open a doc, if those are listed as specific usage? And if not, what's the purpose of this and why are people talking about it with such import?
most people dont do a lot on their machines. they have specific tasks they want to do. The idea is to isolate by default and crack open gaps by policy. You can still do 'anything' but you wouldnt want to enable 'anything' to be possible in the policy..
building such an OS for many years now..Qubes gets close enough but its super heavy, trying to support existing apps. I make my own so its super light weight, but no one will use it but me because their toolz arent supported (nothing is :D).
there are some BSD spinoffs like 5BSD which might end up with a good capability model but even there things like capsicum have their limits and IOMMU based isolation is still a dream. (because entire OS kernel is in one privilege level, accessible as root user, so DMA capable devices kill a lot of those securities).
(my os puts every subsystem, service, device driver, app etc. in their own hardware VM, likely there will be IPC bugs or hypercall bugs still tho in that case)
Nowadays with AI its getting more to a point where people can actually build these systems for themselves. Maybe that is a bigger threat to these big corporate tech companies than some security things. It will allow nations and companies to detach from their Tech...
Only thing I disagree on is that we lost that knowledge, we did not, there isn’t much to capabilities, they actually simplify OS design IMO.