From: Jake H. <jh...@po...> - 2005-04-29 00:38:22
I've made a few notes on potential ways we could tighten up the Syllable security model at the kernel level beyond the typical x86 OS. This is based partially on the architecture of OpenVMS and partially on the Microsoft/Intel "trusted computing" initiative.

First, every UNIX OS as well as Windows uses only two of the four "rings" of protection on x86. The kernel and all modules run in Ring 0 and all user programs run in Ring 3. Ring 0 can bypass all protections. What's interesting about the special hardware support that is being added for "Palladium" (what Intel calls "LaGrande Technology", or LT) is that they've essentially had to add a new "Ring -1" that is more privileged than the layer at which the normal operating system runs, in order to be able to assure the privacy and security that Windows itself is apparently not able to provide. This is stupid: if we have Rings 1 and 2, as well as (in recent x86 chips) efficient ways to switch between rings (e.g. SYSENTER/SYSEXIT on Intel, SYSCALL/SYSRET on AMD), then we could theoretically put as little as possible in Ring 0 and have the majority of kernel threads running in Ring 1, Ring 2, or Ring 3.

So why use Rings 1 and 2 at all? Why not have the "microkernel" portion in ring 0 and put everything else in ring 3? Well, from a performance standpoint, it may be possible to set up the shared portion of the virtual memory space ("kernel space") so that particular areas are available to all code running at ring 1, while other data structures would require ring 0. OTOH, it's quite possible that rings 1 and 2 are essentially useless unless you are writing some old-style segmented memory or 16/32-bit OS. Perhaps that explains why the only OS I could find which uses more than 2 rings was OS/2, which uses ring 2 for user code segments with privileges to access I/O ports directly.

FWIW, here are the names of the four different privilege modes used by VMS. I still need to learn what the two inner levels are used for, but at least the names give a hint as to the level of "need to know" privileges that each layer of a more-secure OS might have:

0 - kernel
1 - executive
2 - supervisor
3 - user

I have a couple of notes here on the requirements needed for a Syllable user to be able to "fully control any storage or disclosure" of whatever personal info they want to protect:

- user data in the pagefile would be encrypted (using a randomly generated key stored in RAM only)
- secure browsing mode:
  - no caching of pages/images to disk
  - URL history tracking in memory only
  - no cookies saved, or optional encrypted cookie file
- support for encrypting any file saved to disk, configured at the file or folder level (see NTFS).
- no unauthorized screen grabs or keystroke/mouse loggers.
- built-in secure delete (see GNU shred).
- "magic key sequence" always pops up the OS-provided task manager or login screen (e.g. Windows CTRL-ALT-DEL) and can't be trapped by malicious programs to create a fake login screen.

Jake
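As an added illustration of the ring discussion above (not Syllable, VMS or OS/2 code), the following constructed model shows how the x86 segment-level privilege check decides whether code at one ring may load a data segment belonging to another, which is what makes rings 1 and 2 usable as intermediate kernel layers; the selector and descriptor structs and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the x86 data-segment privilege check (added example).
 * A segment selector carries a Requested Privilege Level (RPL) in bits 0-1;
 * the segment descriptor carries a Descriptor Privilege Level (DPL).
 * Ring numbers run 0 (most privileged) to 3 (least privileged). */
typedef struct { uint16_t raw; } selector_t;      /* assumed type */
typedef struct { unsigned dpl; } descriptor_t;    /* assumed type, DPL only */

/* Build a GDT selector (TI = 0) from a table index and an RPL. */
selector_t make_selector(unsigned index, unsigned rpl) {
    selector_t s = { (uint16_t)((index << 3) | (rpl & 3)) };
    return s;
}

static inline unsigned sel_rpl(selector_t s)   { return s.raw & 3; }
static inline unsigned sel_index(selector_t s) { return s.raw >> 3; }

/* Data-segment load rule (e.g. MOV DS, sel): allowed only if
 * max(CPL, RPL) <= DPL. Using the numerically larger (less privileged)
 * of CPL and RPL is what lets ring-0 code stamp a user-supplied selector
 * with RPL 3 (ARPL) so that it cannot be tricked into touching a
 * ring-0-only segment on user code's behalf. */
bool can_load_data_segment(unsigned cpl, selector_t sel, descriptor_t d) {
    unsigned rpl = sel_rpl(sel);
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= d.dpl;
}

/* Rings 1 and 2 as intermediate layers: a ring-1 "executive" thread may
 * reach segments with DPL 1, 2 or 3 but not the ring-0 microkernel's. */
int main(void) {
    descriptor_t kernel_seg = { 0 }, exec_seg = { 1 }, user_seg = { 3 };
    printf("ring1 -> DPL0: %d\n", can_load_data_segment(1, make_selector(1, 1), kernel_seg));
    printf("ring1 -> DPL1: %d\n", can_load_data_segment(1, make_selector(2, 1), exec_seg));
    printf("ring3 -> DPL3: %d\n", can_load_data_segment(3, make_selector(3, 3), user_seg));
    printf("ring0 w/ RPL3 -> DPL0: %d\n", can_load_data_segment(0, make_selector(1, 3), kernel_seg));
    return 0;
}
```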