►
From YouTube: Towards Secure Computing: Navigating the Attack Surface
Description
Combine risk lowering strategies to get a *multiplicative* reduction in overall risk.
Mark S. Miller at UC Santa Cruz, April 2019
https://www.youtube.com/watch?v=wW9-KuezPp8&list=PLzDw4TTug5O0ywHrOz4VevVTYr6Kj_KtW is a quick 15 min talk on the central theme of this talk.
Our civilization today rests on infrastructure that is not only insecure, but insecurable.We cannot eliminate risk, but we can be vastly safer. Qualitative arguments have been made for various security architectures, but without any overall framework for comparing them as alternatives or as complements. We present a visualization of the attack surface as a way to reason about aggregate risk, and show how the composition of several techniques --- blockchains, object-capability languages, patterns, protocols, user interfaces, and smart contracts --- can produce a multiplicative decrease in risk without loss of functionality.
A
B
A
B
Okay,
so,
as
Cormac
said,
I'm
going
to
be
speaking
about
how
we
can
make
our
computers
more
secure,
I
consider
the
current
status
of
computer
security
to
be
a
disaster
and
a
disaster.
That's
not
addressable
within
the
paradigms
that
we're
currently
running
on
within
the
infrastructure
there
are
civilization
now
rests
on.
In
order
to
be
able
to
use
computers
for
issues
that
actually
matter,
we
need
something
better,
and
what
is
it
that
actually
matters
is
cooperation?
B
Cooperation
comes
at
a
price
and
safety,
and
what
we
need
to
do
is
to
lift
the
trade-off
curve.
We
need
to
figure
out
how
we
can
change
the
infrastructure
and
change
the
patterns
and
ways
of
thinking
with
which
you
use
the
infrastructure,
so
that
we
can
achieve
much
more
cooperation
for
the
same
level
of
risk
and
much
less
risk
for
the
same
level
of
cooperation.
If
we
can
lower
the
cost
of
cooperation,
we
can
arrive
at
a
much
more
cooperative
world,
so.
A
A
B
So
I'm
good
I'm,
the
I'm,
very
much
influenced
by
the
history
of
institutions
and
and
frameworks
for
interacting
in
human
society.
In
the
way
human
society
has
become
more
cooperative
over
time
in
Steven,
Pinker's,
better
angels
of
our
nature.
Enlightenment
now
documented
this
incredible
incredible
decrease
in
the
amount
of
violent
interactions
between
people
and
in
the
absence
of
violent
interaction.
You
have
a
system,
that's
dominated
by
mutually
voluntary
interaction.
An
assistant
and
and
mutually
voluntary
interaction
is
one
that's
generally
engaged
in
when
all
sides
anticipate
benefit
and
we've
seen
over
the
same
period
of
time.
B
Raising
of
people
out
of
poverty,
while
the
overall
populations
been
zooming
up
the
poverty
people
living
in
extreme
poverty
in
absolute
numbers,
not
just
as
a
proportion
has
been
plummeting
tremendously
so
so
I've
been
inspired
by
all
that.
I
won't
claim
that
that
all
of
the
richness
of
that
is
going
to
show
up
in
the
mechanisms.
I
present
them
that
talk,
but
the
thing
to
notice
about
those
institutions
is
that
the
market
fabric
is
largely
a
fabric
of
contracts
and
the
fabric
of
contracts
are
themselves.
The
meaning
of
a
contract,
ultimately
is
the
behavior.
B
It
provokes
in
an
enforcement
mechanism
and
for
all
legal
contracts
mean
by
a
legal
contract.
Is
that
the
info
behavior
that
it
invokes,
is
won
by
a
legal
system?
Our
legal
systems
are
expensive,
they
are
there,
they
they're,
backed
by
lawyers.
They.
The
rules
are
not
not
something
that
anybody
other
than
lawyers
can
understand
and
most
of
all
its
jurisdiction
based
and
markets.
Now,
especially
computer
mediated
markets,
just
don't
even
notice
jurisdictional
boundaries
they're
worldwide,
so
jurisdictional
based
law
based
on
expensive
experts
and
rules.
B
So
a
lot
of
this
evolution
of
cooperation
in
human
society
is
people
experimenting
like
with
democracy,
with
new
forms
of
governance.
Suddenly
we
have
a
tool
kit,
with
blockchain
based
smart
contracting,
for
people
to
try
out
new
forms
of
governance.
Things
like
few
Turkey,
which
is
governance
based
on
a
particular
feedback
loop
through
prediction
markets,
as
we
should
expect,
as
in
Baia
in
biology
most
mutations
of
fatal
fatal.
As
people
proceed
with
these
experiments,
we
should
expect
a
lot
of
failed
experiments,
because
people
are
complicated
and
governance
systems
putting
together.
B
People
are
complicated,
but
some
of
these
experiments
will
succeed
brilliantly
and
change
the
world.
So
that's
really
sort
of
my
long-term
sense
of
why
we're
doing
this
is
to
really
continue
to
accelerate
our
greater
ability
to
cooperate
with
each
other
and
to
do
so
by
lowering
the
risk
of
cooperation
so
about
that
risk.
In
order
to
take
steps
to
lower
risk.
B
We
need
some
framework
in
which
we
can
understand
how
different
techniques
for
lowering
risk
risk
might
interact
and
compose
together.
So
I'm
going
to
present
a
visualization
of
our
risk
as
an
attack,
surface
and
I'm
going
to
use
it
to
talk
about
expected
risk
expected
risk
is
just
the
flip
side
of
expected
value.
It's
the
integral
of
the
likelihood
of
an
exploitable
vulnerability
times
for
each
vulnerability.
The
amount
of
damage
that
vulnerability
might
cause,
if
exploited
so
the
so
the
area
of
the
surface
taken
together
is
a
good
first
measure
of
aggregate
risk.
B
I
should
I
should
just
say
by
that.
There's
many
second-order
terms,
there's
many
other
things
that
are
not
captured
in
this,
but
it's
good
to
have
a
first
approximation
that
gives
us
a
first
framework,
a
first
approximation
for
thinking
about
risk.
So
the
problem
with
likelihood
and
damage
is
they're
difficult
to
reason
about.
A
A
B
A
B
B
When
operating
systems
started
and
they
didn't
have
any
protection,
they
were
just
a
way
to
timeshare
the
underlying
machine.
So
all
the
participants,
all
the
the
users
of
the
operating
system,
had
access
to
all
of
the
resources,
so
everyone
could
mess
with
everything.
The
the
attack
surface
was
complete.
B
The
operating
systems
early
on
very
early
land
discovered
the
concept
of
separate
accounts
and
then
giving
access
to
resources
to
different
accounts
where
Allen
can
mess
with
Allen's
stuff
barb
can
mess
with
barb
stuff
Doug
can
mess
with
Doug
stuff
and
Barb
can
give
Allen
permission
to
mess
with
some
of
her
stuff.
Now,
there's
a
component
on
this
diagram
that
we'll
be
returning
to
again
and
again
as
we
proceed,
which
is
the
TCB
for
an
operating
system.
A
B
The
reason
I
just
said
TCB
is
because
every
time
I
introduce
the
word
trust
into
a
conversation.
People
get
confused,
so
I'll
just
make
a
side
comment
in
computer
security
discussions
anytime
somebody
says
trust
substitute
is
vulnerable
to
when
a
trusts
be
maybe
really
a
is
vulnerable
to
be.
Maybe
because
B
holds
a
gun
stays
it's
not
very
informative
to
talk
about
that
gun,
holding
situation
as
a
trusts,
B.
B
B
B
In
a
classic
operating
system,
where
Doug
is
running
installed,
applications
all
of
Doug's
applications
run
as
Doug,
and
therefore
every
application
can
destroy
can
do
anything.
The
Doug
can
do,
meaning
it
can
destroy
all
the
resources
that
Doug
is.
The
Doug
himself
has
the
ability
to
manipulate
so
at
this
level,
under
a
classic
operating
system.
The
attack
surface
was
also
complete.
B
B
Likewise,
when
I
visit
Facebook
Facebook,
you
know
all
of
my
stuff
at
Facebook
is
vulnerable
to
any
bug
on
my
Facebook
page
or
any
injection
on
my
Facebook
page,
but
my
my
resources
that
I
maintain
at
other
web
sites
or
not
so,
there's
this
division,
both
among
websites
and
among
apps,
that
that
is
a
next
level
down
of
hollowing
out
the
attack
surface.
So
we
have
made
progress
so
having
gotten
this
far,
what
more
can
we
do
to
reduce
our
risk?
B
B
Object
capability
systems,
first
of
all,
address
very
naturally
this
problem
of
too
much
authority,
and
it
does
it
in
a
compositional
form
which
we'll
come
back
to,
but
but
let's
let
me
first
of
all,
just
define
what
I
mean
by
object
capabilities,
a
good
place
to
start.
The
explanation
is
by
imagining
a
programming
list,
something
you
just
take
an
example
of
a
programming.
Language.
Java
is
a
perfectly
fine
example
where
the
language
itself
is
memory
safe
and
the
objects
are
truly
encapsulated
and
the
API
surface
of
the
objects
is
tamper
proof.
B
B
In
Java
these
object
references
are
already
a
form
of
permission.
It's
already
the
case
that
among
Java
objects,
if
Bob
does
not
already
have
a
reference
to
Carol
Bob
simply
cannot
access.
Carol
Bob
cannot
do
anything
to
provoke
the
activity
that
would
be
provoked
by
carrot
by
invoking
Carol's
methods.
B
However,
when
Alice
invokes
Bob
she's
doing
two
things
coupled
together
that
you
know
the
the
something
that
in
conventional
security
terminology
would
be
considered.
Two
things
to
an
object
program
is
just
one
action.
The
message
send
or
the
method
invocation
from
a
security
perspective.
Alice
is
both
exercising
her
right
to
invoke
Bob's,
behavior
and
Alice
is
authorizing
Bob
to
access
Carol
and
the
authorization
crucially
comes
only
in
the
context
of
a
request.
B
So
when
Bob
receives
the
permission
to
access,
Carol
Bob
understands
why
he's
given
that
permission
and
can
use
different
permissions
in
ways
that
respect
their
different
purposes?
So
so
that's
a
lot
of
that's
already
true
with
languages
like
Java,
but
they're
not
object
capability
languages.
The
main
differentiator
is
that,
in
an
object
capability,
language
only
object,
references
carry
causality,
an
object
cannot
cause
effects
on
the
world
outside
of
itself
other
than
by
invoking
references
that
are
holds.
B
It's
not
given
any
powerful
references
by
default
and
therefore
only
explicitly
provided
references
as
they
propagate
through
the
system
are.
Are
the
ability
are
the
things
that
that
provide
the
ability
for
one
object
to
cause
effects
elsewhere?
So,
with
this
restriction,
the
reference
graph
of
the
programming
language
literature
becomes
the
access
graph
of
the
access
control,
literature,
yeah.
B
So,
in
Java
by
the
rules
of
Java,
the
square
root
function
in
my
math
library
has
permission
to
delete
all
of
my
files.
Without
anybody
having
given
it
an
object,
the
square
root
function
is
already
able
to
simply
import
Java
dot,
IO
dot
file
and
by
that
magic
import.
It
is
then
able
to
to
do
anything
that
I
can
do
so.
B
There
is
a
job
is
actually
a
nice
example,
because
there's
an
object
capability
variant
of
Java
called
Joey,
then
by
Adrian
meddler
at
Berkeley,
that
which,
which
is
done
only
by
static
verification
imposed
in
front
of
Java.
So
any
any
Java
program
that
passes
the
Joey
verifier
is
a
Joey
program.
Joey
programs
cannot
obtain
permission
by
using
import
yeah.
A
B
I'll,
just
I'll,
just
I
mean
I
wasn't
planning
to
get
into
it
separately,
but
but
now
is
a
perfectly
good
time
to
mention
it
object.
References
are
unforgeable
and
the
unforgeable
'ti
does
not
depend
on
lack
of
knowledge,
and
this
is
actually
one
of
the
things
actually
very
nice
about
the
papers
about
Joey
is
they
said,
let's
assume,
there's
no
confidentiality.
Let's
assume
that
no
object
can
hold
any
secrets
from
any
other
object,
including
the
memory,
including,
let's
say,
Bob,
knowing
the
memory
location
of
Carol.
B
It's
still
the
case,
just
in
Java,
even
without
Joey
Bob,
not
knowing
the
memory
I
know
it
Bob.
Knowing
the
memory
address
of
Carol
does
not
give
Bob
any
ability
to
act
on
Carol
the
Java
object.
References
are
unforgeable
in
general
object
capabilities
by
definition,
so
not
in
general.
By
definition,
object
capabilities
are
unforgeable.
The
distributed
form
of
object,
capabilities
over
networks,
because
networks
between
mutually
suspicious
machines
over
open
networks
can
only
rely
on
cryptography
object.
B
B
So,
with
object
capabilities,
we
have
a
very
important
graph
connectivity
property.
We
call
only
connectivity
begets
connectivity
if
you
have
two
almost
isolated
subgraph.
Sorry,
if
you
have
two
isolated
sub-graphs,
they
must
remain
forever
isolated,
because
no
object
is
ever
in
a
position
to
introduce
them
and
that's
the
reason
why
why
normal
garbage
collection
is
transparent
is
because,
if
it's
not,
if
it's
not
otherwise
reachable,
it
can
be
thrown
away
without
any
visible
effect.
B
The
more
interesting
thing
from
a
security
perspective
is
that
two
sub
graphs,
which
are
almost
unreachable
from
each
other,
can
only
interact
or
become
further
connected,
according
to
the
behavior
of
an
object
that
had
that
the
objects
that
have
a
foot
in
both
sub
graphs
and
therefore
those
are
the
crucial
places
in
the
topology
to
place
the
objects
that
express
security
policy
and
returning
to
the
thing
about
any
of
Bob's
applications
can
delete
any
of
his
files
object.
Capabilities.
Give
us
a
very
natural
expression,
of
least
Authority,
which
is
the
starting
point.
B
Is
that
it
the
interface
to
an
object?
The
methods
of
an
object
are
the
means
by
which
other
objects
give
it
permission
and
the
objects.
Interface
generally
doesn't
ask
for
permission
that
is
unrelated
to
the
legitimate
job
is
supposed
to
do,
and
then
so
that's
already
a
huge
improvement
over
status
quo
and
then,
starting
from
there,
you
can
engage
in
security
patterns
to
reduce
Authority.
Yet
further.
B
So
having
presented
object,
capabilities
in
programming
language
terms,
I
wanted
to
emphasize
that
object.
Capabilities
are
a
general
logic
that
is
not
in
any
way
specific
to
programming
languages,
just
like
digital
logic
doesn't
care
whether
the
underlying
substrate
is
transistors
or
realize
the
the
logic
of
object,
capabilities
and
object
capability
security
patterns
doesn't
care
what
the
nature
of
the
substrate
our
object.
Capabilities
have
actually
been
implemented
across
this
entire
range
of
substrates
to.
B
B
So
so,
at
this
point,
I'm
going
to
be
talking
about
that
historical
system,
which
is
we
built
a
capability
oriented
user
interface,
a
capability
oriented
desktop
for
the
user
to
run
and
the
the
under
this
desktop.
The
various
caplets
under
the
desktop
would
receive
permissions
to
various
resources.
According
to
the
user
interface
actions
of
the
user,
these
weren't
new
user
interface
actions-
this
was
simply
new,
meaning
attributed
to
existing
familiar
user
interface
actions.
B
So
a
drag-and-drop
or
a
file
open,
dialog
box
would
give
the
receiving
agent
the
permission
to
operate
on
the
thing
that
the
user
selected
for
them
to
receive.
So
those
user
interface
actions.
Basically
saying
this
thing
should
operate
on.
That
thing
is
basically
the
user
in
the
role
of
message,
passing
sending
a
message
to
one
caplet,
with
arguments
being
other
things
that
they're
designating
and
as
with
message
passing
at
the
object
level.
B
However,
because
of
the
deeply
compositional
nature
of
object
capabilities,
it
doesn't
stop
at
this
scale.
We
we
can
continue
hollowing
out
the
attack
surface.
So,
let's
focus
in
on
the
cap.
Male
caplet,
the
cap.
Male
caplet,
is
not
giving
you
access
to
some
spreadsheet
file,
but
it
is
given
various
other
things,
including
very
dangerously.
A
PGP
key
ring.
B
B
B
As
a
module,
all
authority
given
to
that
module
must
come
in
initially
through
its
exports
imports,
so
the
exports
and
imports
of
the
module
are
the
is
the
wiring
of
how
the
how
the
objects
in
the
module
initially
come
to
be
connected
to
other
things,
so
we
have
the
further
division
of
authority.
So
what
have
we
done
here
with
this
repeating
pattern?.
B
By
by
hollowing
out
the
attack
surface
recursively
by
doing
it
at
at
every
level
of
composition,
we're
getting
a
multiplicative
benefit
and
there
is
a
fractal
that
I
think
is
a
good
analogy:
the
Menger
sponge,
but
any
fractal
where
you
remove
more
surface
area
at
every
scale.
Just
do
it
recursively.
If
at
each
scale
you
remove
half
of
the
surface,
then
as
you
do
it
recursively
the
remaining
aggregate
surface
measuring
your
aggregate
risk
is
1/2
times
1/2
times
1/2
approaching
0
in
the
limit.
A
B
Okay,
so
when
you
say
opened
up
an
opportunity
for
threat,
there
are
certainly
remaining
threats
that
are
not
obvious
from
the
diagrams
that
you're
seeing
that's.
Why
I
emphasize
first
order,
but
but
I'm
curious
when
you
say,
opened
up
effects
that
phrase
I
so
open
up
threats.
That
phrase
indicates
that
there
are
threats
that
weren't
there
before
you
did
this
okay.
B
So
that
is
correct
and
it's
very
important
and
one
of
the
and
that's
why
this
is
a
first
approximation
and
this
first
approximation.
One
way
to
think
about
the
the
main
thing
that
it's
not
saying
in
this
visualization
is.
This
is
mostly
about
sort
of
initial
eyes
and
an
initial
wiring
time
Authority,
and
it
the
graph
created
by
that
initial
handing
out
of
authority
is
then
dynamically
becomes
a
less
sparse
graph,
as
Alice
passes
to
Bob
a
reference
to
Carol,
so
that
parameter
passing
is
used
to
set
up
the
initial
situation.
B
B
B
A
B
I
would
say
that
the
security
properties
that
follow
from
Wright's
amplification
are
not
reflected
anything
you're.
Seeing
in
this
talk-
and
yes,
I
would
say
that
Wright's
amplification
is
a
second-order
effect
and
I.
If
I
understand
correctly,
the
kinds
of
separation
of
duty
violations
that
you're
concerned
with
will
correspond
to
Wright's
amplification.
A
B
B
What
Alice
does
is
she
creates
a
attenuating
forwarder,
something
that
acts
like
Carol
that
forwards
messages
to
Carol,
for
which
Alice
maintains
the
ability
to
control
the
forwarder,
so
something
that
simply
forwards
all
messages
and
tell
Carol
until
Alice
tells
it
to
stop
would
be
a
simple
revocation
device
that
is
attenuating
only
in
the
temporal
dimension,
and
you
can
have
also
and
and
part
of
the
wonderful
logic
of
object
capability
patterns.
Is
these
different
ways
of
attenuating
Authority?
B
So,
thank
you.
So
speaking
of
optimistic
laws
that
I'm
telling
you
the
the
big
one
that
went
by
when
I
showed
this
slide
is
that
the
fractals,
as
you
keep
hollowing
out,
removing,
let's
say,
half
the
surface
at
every
scale.
You
approach
zero
aggregate,
surface
area
which
would
imply
that
we
have
a
way
to
approach
zero
risk
and
we
do
not,
and
it's
and-
and
we
do
not
for
reasons
that-
are
that
that,
for
the
reasons
you
guys
have
raised
but
which
are
not
in
my
talk,
but
also
for
the
reasons
I'm
about
to
present.
B
So
in
order
to
see
to
what
degree
we
got
the
fractal
reduction
of
area
and
in
what
ways
we
do
not,
let's
quickly
go
over
the
same
process
again,
but
without
zooming.
Let's
stay
at
the
outer
scale,
so
we
first
did
the
area
reduction
strategy
of
simple
principle,
of
least
Authority
and
with
that's
what
that
did.
Is
it
contracted
the
each
box
in
the
horizontal
dimension.
B
Then
we
did
that
recursively
at
every
finer
scales,
and
we
did
that
everywhere.
We
can
so
that
resulted
in
this
reduction
of
density,
but
notice
that
there
are
some
boxes
on
this
diagram
that
are
undiminished
and
the
box
that
I
want
to
call
your
attention
to
are
at
each
level
the
TCB
of
that
level.
This
prints
of
least
Authority
does
not
reduce
the
TCB
risk.
B
The
TCB
still
has
to
cover
the
entire
width
of
the
box
that
it's
managing,
because
there
still
needs
to
be
a
mechanism
that
further
subdivides
authority
among
the
things
within
the
box.
So
if
we
can't
minimize
the
width
of
the
TCB,
what
we
can
do
is
reduce
its
height
and
we
can
do
that
at
every
level
by
by
doing
the
security
practices
that
we
all
know,
we
should
be
doing,
which
is
minimizing
our
TCB,
making
them
as
small
and
reviewable
as
possible
and
when
we
can
to
formally
verify
them.
B
So
this
goes
back
to
now
I'm
sort
of
going
back
to
the
earlier
thing
where
the
vertical
dimension
is
now
starting
to
approximate
probability
are
mixing
a
probability
agents,
but
the
reduction
of
height
were
trying
to
minimize
the
the
likelihood
that
there
is
a
vulnerability
by
by
minimizing
and
verifying
when
possible,
RT
C
B's,
and
this
notion
also
helps
us
direct
our
effort.
The
the
level
of
engineering
you
need
to
do
on
at
ECB
is
very,
very
expensive.
B
However,
there's
still
some
boxes
that
remain
undiminished
and
these
are
the
ones
with
in
which
we're
running
legacy
software.
Let's
say
that
we
convinced
Allen
and
Doug
to
run
cap
desk,
but
barb
is
still
running
her
conventional
system
and
all
of
her
conventional
application
programs.
So
her
internal
attack
surf
is
still
complete.
B
Doug
is
running
cap
desk
for
most
of
the
stuff,
but
there
is
a
particular
program
legacy
program
that
he's
running
that
he
arranges
to
run
within
that
manages
to
to
confine
it
so,
but
so
basically,
Doug
has
a
virtual
machine
that
has
all
the
old
stuff,
but
it
gives
all
of
the
the
resources
that
needs
to
be
managed
by
the
old
stuff
to
that
virtual
machine
and
then
at
a
yet
lower
level.
You
have
libraries
written
in
C
and
the
problem
is
that
we're
sitting
on
top
of
a
multi
trillion
dollar
software
industry.
B
If,
if
a
security
solution
says
well
to
start
out,
you
have
to
throw
away
all
your
old
software
and
start
over
from
scratch.
That's
a
way
to
achieve
security.
That
will
never
happen.
You
have
to
accommodate
legacy,
but
each
legacy
box
it
can
be
contained,
but
by
virtue
of
its
legacy
inside
the
the
legacy
box,
it
has
whatever
leakage
of
authority.
It
has
there's
new,
can't
assume
any
further
reduction.
B
What
we
can
do
is
divide
up
those
legacy
boxes
into
separate
boxes,
so,
instead
of
doug
having
one
desktop
running
under
a
virtual
machine
for
all
of
his
legacy
programs,
he
creates
a
separate
virtual
machine
for
each
of
his
legacy
programs
and
he
gives
each
of
those
virtual
machines
just
the
resources
that
that
program
needs
to
have,
and
this
issue
comes
up
at
the
operating
system
level.
It
comes
up
with
a
particular
application
management
system.
B
We
did
at
HP
called
Polaris
and
it
comes
up
even
at
the
level
of
C
libraries
that
are
FF
eyes
for
Java.
If
you
have
the
right
support
for
confining
c-code.
So
there's
this
very
wonderful
paper
on
using
the
Chery
capability
hardware
to
be
able
to
confine
fo
files
for
Java
that
are
written
in
C,
so
that
the
so
that,
even
though
they're
in
the
same
address
space,
the
integrity
of
the
Java
is
not
threatened
so
and
once
again,
cherry
is,
is
within
each
C.
B
A
B
What
I'm,
showing
what
I'm
trying
to
show
here
is,
is
not
that
there
is
white
space,
but
rather
that
the
height
is
minimized.
If
I
was
the
white
space
doesn't
have
any
semantic,
meaning
here
what
what
what
I
should
have
done
if
I'd
thought
about
the
the
misleading
this
of
the
white
spaces,
just
contract
that
row
to
the
height
of
view
of
the
red
row
and
and
notice
that
I
haven't
contracted
the
height
to
zero.
B
Even
when
you
have
a
verified
kernel
like
SEL
for
the
problem
with
formal
verification
is
that
in
just
the
same
way
we
started
with
the
problem
that
we
did
not
sure
what
our
program
means,
after
formal
verification
we're
now
facing
the
problem
of
wetters,
our
specification
and
the
specifications
for
these
systems
are
already
more
complicated
than
programs
that
I
can't
understand.
So
we
can
do
a
lot
to
reduce
the
risk,
but
we
can't
eliminate
it.
B
So
the
thing
I
want
to
emphasize
is
that
these
different
techniques
compose
together
well,
this
is
why
I
started
off
with
the
the
fractal
shape.
Is
that
every
every
technique
for
reducing
the
aggregate
area,
if
it's
orthogonal
to
the
other
techniques
they
composed
together,
to
give
you
a
multiplicative
benefit.
B
B
Historically,
old
work
on
software
security
started
with
a
bad
assumption.
It
started
by
saying,
given
uncorrupted
Hardware,
given
that
the
hardware
that
I
you
know
walk
home
from
the
store
with
is,
does
not
already
have
trapdoors
in
it,
and
the
only
reason
for
that
assumption
in
software
security
is
without
the
assumption.
None
of
software
security
does
us
any
good.
B
B
B
B
You
know
it's
it's
I'm,
you
know
with
doing
computer
security
for
a
long
time,
you
have
to
acquire
a
bit
of
paranoia,
so
I
I've
got
to
say
we
need
to
to
entertain
the
possibility
that
it
wasn't
accidental,
but
on
the
on
that
one
specifically
I
actually
think
with
very
high
probability.
It
was
accidental.
B
However,
one
of
the
things
that
we
know
from
software
companies
is
that
occasionally
the
government
issues
a
National
Security
Letter,
forcing
software
companies
to
corrupt
their
software
in
ways
that
serve
the
national
security
apparatus
and
also
force
the
software
company.
Not
to
reveal
that,
given
what
we
know
about
software
companies
to
me,
it
is
inconceivable
that
hardware
companies
that
Intel
has
not
received
National
Security
Letter,
forcing
it
to
put
in
trapdoors
and
not
talk
about
it.
A
B
Today,
we're
not
all
using
you
know
we're
not
using
time
sharing
interacting
with
each
other
through
time.
Sharing
a
single
machine,
primarily
we're
primarily
interacting
over
distributed
systems
and
distributed
systems,
introduces
another
fear
of
corruption,
which
is
this
is
what
I
call
the
cyberpunk
reference
assumption
and
sort
of
the
the
the
assumption
behind
a
lot
of
the
cryptography
work
that
the
cypherpunks
were
doing
in
the
late
90s
and
early
2000s,
which
is
over
here.
B
Alice
and
Bob,
are
interacting
with
each
other
by
virtue
of
Alice's
computer,
interacting
with
Bob's
computer
Alice
has
physical
access
to
her
computer
and
Bob?
Has
physical
access
to
his
computer
and
Alice
knows
that
at
least
she
hasn't
corrupted
her
own
Hardware?
At
least
she
hasn't
done
it
on
purpose.
So
she
has
some
level
of
trust
in
her
in
her
hardware,
but
she
doesn't
trust
Bob's
hardware
and
subject
and
symetrically
for
bob
so
classically
the
way
you
dealt
with
mutually
suspicious
machines.
B
Is
you
just
put
functionality
into
cryptographic
protocols
where
the
cryptographic
protocol
embodied
a
logic
of
interaction
such
that
Alice
and
Bob
can
successfully
realize
the
benefits
of
a
cooperative
opportunity
if
they
both
cooperate?
But
they're
each
protected
from
each
other's
misbehavior.
Well,
this
notion
of
a
cooperative
arrangement
where
we
can
have
a
structured
form
of
interaction,
we're
trying
to
arrange
that
if
it
goes
well,
we
get
benefit
but
we're
protected
from
each
other's
misbehavior.
B
Going
back
to
human
institutions
in
history,
contracts
are
a
rather
wonderful
notion
of
how
human
beings
create
custom
frameworks
of
interaction
that
they
then
bind
themselves
to
in
which
they
they
negotiated
them.
They
negotiated
their
nature
so
that
the
their
interaction
within
the
contract
would
create
benefits
of
cooperation
if
things
went
well,
but
also
protecting
them
from
each
other.
The
problem
is
that
the
expressiveness
that
we
want
from
contracts
is
well
beyond
what
we
can
engineer
into
it
into
point-to-point
cryptographic
protocols.
B
B
So
the
an
historical
way
to
address
that
is
by
introducing
a
mutually
trusted
third
party
to
act
as
contract
tests
to
run.
As
you
know,
if
Alice
and
Bob
find
that
they
can
mutually
trust
Carol
to
run
their
contract,
then
they
can
turn
the
contract
over
to
Carol
and
succeed
at
cooperating
through
that
contract.
B
A
great
example
would
be
a
great
analogy:
is
a
board
manager
for
a
board
game,
Alice
and
Bob
want
to
play
a
game
of
chess
Alice
runs
a
board
manager
for
chess,
ensuring
that
Alice
and
Bob
can
only
make
legal
moves
and
now,
but
Alice
and
Bob
can
rendezvous
at
mutually
trusted
Carol
and
play
a
game
of
chess.
Knowing
that
it'll
only
proceed
according
to
the
rules.
B
In
order
to
do
that,
in
order
for
that
arrangement
to
be
viable,
there
has
to
be
not
just
mutual
credibility
but
mutual
expected
credibility.
It
has
to
be
the
case
that,
for
a
set
of
interacting
parties,
there's
some
third
party
that
is
mutually
credible
to
all
of
them,
and
in
order
to
find
that
third
party,
it
has
to
be
the
case
that
there
are
already
some
third
parties
which
are
ones
that
they
mutually
expect.
B
B
So
at
the
level
of
the
replicated
computation,
they're
all
producing
exactly
the
same
computation,
it
should
proceed.
Terminus
tically
along
among
all,
well
behaved
replicators
replicas
in
exactly
that
way,
and
then
the
blockchain
does
this
massive
multi
way
cross
checking
to
ensure
that
they
all
agree
and
it's
by
virtue
of
that
diversity
of
the
underlying
platforms
and
then
the
massive
cross
checking
of
the
outcomes
of
that
deterministic
replication
that
we've
built
something
that
that's
a
computer
that
we
can
trust
to
act
to
execute
our
program.
B
According
to
the
semantics
of
the
instruction
set
that
the
underlying
machine
claims
to
have
the
underlying
machine.
In
this
case,
being
the
virtual
machine
in
the
thought
in
the
mutual
thought-bubble
of
all
the
validating
machines
and
now
Alice
and
Bob
can
take
a
look,
can
can
regard
that
virtual
machine
produced
by
the
blockchain
as
a
whole
as
a
trusted
enough
third
party
once
again
there's
some
red
in
there,
because
we
never
reduce
our
risk
to
zero.
B
But
it
can
be
credible
enough
that
for
a
wide
range
of
contracts,
with
real
value
at
stake,
that
will
often
be
good
and
with
regard
to
this
mutual
expectation
of
mutual
credibility,
the
global
nature
of
block
trains
like
aetherium,
give
us
global,
mutually
expected.
Credibility
gives
us
a
coordination
rendezvous
point
without
having
to
engage
in
complex
worldwide
negotiation
about
who
we
mutually
trust.
B
That
I'll
explain
is
the
answer
to
that
question.
The
contracts
have
many
many
terms
in
them
which
are
fundamentally
not
automatable
when
a
contract
says
something
like
good
faith
or
best
efforts.
All
of
these
terms
are
evoking
judgments
that
are
necessarily
human
judgments
about
other
humans,
so
a
hybrid
contract
is
in
general,
one
that
has
two
components
and
they're
both
negotiated
together.
B
There
is
the
program
code
that
is,
that
is
the
automated
portion
of
the
contract
and
then
there's
a
prose
text
written
in
a
natural
language
that
is
for
the
purpose
of
of
being
interpreted
by
humans
when
the
contract
is
under
dispute
in
order
to
resolve
the
dispute,
and
actually
so
I
won't
go
further
into
that,
but
but
right
so
it
is
very.
It
is
very
important.
It's
been,
it's
been
largely
neglected
in
I've,
been
talking
about
split
contracts.
B
We
have
to
go
through
a
world
in
which
we
know
how
to
automate
a
little
bit,
and
we
still
need
to
resort
to
prose
text
for
a
lot.
But
the
prose
text
does
not
have
to
be
a
legal
contract
interpreted
by
a
legal
jurisdiction.
It
can
be
just
a
judgment
by
a
set
of
auditors
that
were
pre
agreed
upon
when
the
original
contract
was
was
set
in
motion.
Yeah.
B
Yep
and
the
this
problem
that,
under
a
current
architecture,
whenever
we
link
in
a
library,
we
just
give
it
all
of
the
authority
of
the
program
we
linked
it
in
to
is
insanity,
but
it
is
what
is
practice
pervasively,
what
I'm
in
what
myself
and
others
at
a
goreck
as
well
as
collaborators
at
several
other
companies?
Salesforce
people
on
the
node
security
team
are
doing
a
safe
module
system
for
JavaScript
based
on
SES,
which
is
our
object
capability
subset
of
JavaScript
and
at
this
point,
I'm
getting
ahead
of
myself.
Yes,.
B
Blockchain
is
no
kind
of
ultimate
answer
to
a
credible
computer,
there's
a
trade-off
space
and
one
way
one
first
approximation.
You
know
a
first
order.
Consideration
of
the
trade-off
space
is
to
think
about
different
systems
that
require
K
out
of
an
agreement,
a
blockchain
like
Bitcoin
or
theory,
and
rosy
cash
used
Nakamoto
consensus,
which
just
requires
a
simple
majority,
classic
Byzantine
fault.
Tolerance
requires
two
thirds.
B
You
know,
obviously
there's
a
meaningful
thing
on
unanimity
and,
very
importantly,
at
the
lower
left
corner,
there's
a
solo
machine
which
is
just
the
one
out
of
one
agreement.
It's
just
a
program
running
on
a
single
machine
and
all
of
these
points
have
different
attributes
with
regard
to
a
set
of
trade-offs,
but
before
I
show
the
the
what
the
trade-off
space
looks
like
just
another
another
note
of
caution,
not
the
scale,
don't
take
the
copy,
the
specific
shades
of
color
that
I've
used
or
the
specific
placement
of
different
systems
on
the
slide
too
seriously.
B
So
the
main
thing
that
that
massive
multi
way
replication
gives
us
is
integrity
as
the
the
idea
that
the
underlying
machine
actually
proceeds
according
to
the
semantics
of
its
instructions,
that
there
are
programs
execute
according
to
what
the
program
says,
doesn't
mean
they're
correct.
The
program
might
still
be
buggy,
but
the
underlying
machine
is
correct.
B
So,
as
we
go
as
n
becomes
larger,
our
integrity
goes
up
quite
extremely
on
the
lower
left
is
the
way
we
do.
Almost
all
of
our
computation
today,
which
is
on
solar
machines
that
are
should
not
be
considered
credible,
and
especially
your
solar
machine
is
not
something
I
should
regard
as
credible
confidentiality.
The
issue
you're
raising
goes
as
almost
the
inverse
of
integrity,
except
that
the
you
fall
off
the
cliff
very
quickly.
B
Aetherium
is
great
for
integrity.
It
has
no
confidentiality.
Everything
that
happens
on
aetherium
is
completely
transparent
forever,
but
the
the
other
agents,
interacting
with
aetherium,
are
interacting
from
solo
machines
off
to
the
side
that
have
the
cryptographic
secrets
that,
in
turn,
interact
with
the
theory.
I
also
want
to
call
attention
here
in
general,
there's
another
caution
on
this
trade-off.
Space
is
the
trade-off.
Space
is
mostly
just
showing
what
follows
from
the
different
choices
of
K
and
n,
but
those
are
not
the
only
knobs
at
our
disposal.
B
Z
cache,
while
achieving
the
integrity
that
comes
from
being
a
Bitcoin
like
blockchain,
also
achieves
an
astonishing
amount
of
confidentiality.
By
virtue
of
zero
knowledge
proof,
all
the
validators
are
blindly
validating
that
the
Z
cache
computation
is
proceeding
correctly
without
being
able
to
see
it,
but
doing
that
for
general-purpose
computation
is
still
not
practical,
but
it
will
probably
be
a
while
before
it's
practical.
B
Yes,
Starks
is
getting
beyond
that,
but
if
you
read
about
I
mean
so
once
again
going
to
the
you
never
reduce
risk
to
zero
the
Z
cache
ritual
as
they
call
it
is
such
a
massive
multi
way.
Mutual
Assurance
such
that
if
one
of
the
participants
in
the
ritual
was
good,
even
if
all
of
the
other
ones
were
in
a
mutual
conspiracy
to
corrupt
it.
One
genuinely
good
one
would
be
adequate
to
initialize
Z
cache
to
a
secure
state.
B
B
So
with
availability,
the
block
chains
by
virtue
of
their
pervasive
replication,
are
reachable
from
anywhere.
Many
machines
will
stay
up,
no
matter
what
I
mean,
not
any
one
machine
will
stay
up,
no
matter
what,
but
many
of
the
machines
of
the
system
as
a
whole
will
be
up
at
any
one
moment.
So
those
systems
are
highly
available.
B
As
soon
as
you
get
even
a
little
bit
of
distribution,
you
suddenly
fall
off
a
cliff
on
performance.
The
sewing
machines
will
continue
to
be
important.
So
what
I'm,
trying
to
emphasize
with
this
trade
off
space
is
lots
of
different
points
in
this
trade
off
space
will
continue
to
exist,
because
people
will
have
many
different
trade-offs
with
regard
to
where
they
want
to
be
on
this
trade
off
space.
B
B
So
what
we're
doing
is
using
now
the
highlighted
elements
on
the
right
assess
is
secure,
ACMA
script,
it's
an
object
capability,
subset
of
JavaScript
that
was
enabled
by
enabling
mechanisms
I
originally
got
into
Atma
script
5
and
have
since
I've,
been
on
the
Atma
script
committee
since
about
2007,
and
now
we're
collaborating
with
a
bunch
of
other
parties,
the
ones
that
I
mentioned
before-
to
also
bring
more
of
these
security
mechanisms
directly
into
the
JavaScript
standard,
so
that
they
can
be
supported
more
directly.
But
right
now,
javascript
is
already
the
case.
B
We
can
run
SES
securely
on
the
on
something
that
conforms
to
the
existing
JavaScript
standard
doctor
says,
is
a
distributed
resilient,
secure,
Eknath
script,
where
there's
where
the
atmos
script
computation
is
made
persistent
and
distributed
via
the
new
cap.
Dp
protocol,
the
capability
transfer
protocol
and
the
agora
blockchain
is
an
is
the
the
first
blockchain
we're
building
we're
building
it
as
a
cosmos
zone.
B
So
cosmos
is
what
is
one
of
the
new
blockchain
startups
and
they're
building
a
very,
very
interesting
system
to
help
people
create
new
block
chains
that
have
some
custom
logic
that
are
able
to
participate
in
an
ecosystem
of
their
other
block
chains,
as
well
as
other
things.
So
they
have
very
similar
goals
that
we
do
with
regard
to
the
inter
operation.
B
So
over
here
we
have
the
range,
so
each
individual
square
over
here
is
a
physical
machine,
but
each
Tower
over
here
is
what
we
regard
as
a
machine
which
is
made
out
of
agreement
among
the
physical
machines
in
the
tower.
On
top
of
that,
we
place
the
level
of
abstraction.
We
call
the
that
level
where
you,
where
each
VAT
is
a
event.
B
Loop
is
a
container
holding
an
event
loop
that,
as
you
may
be
familiar
with
from
JavaScript
processes,
one
event
at
a
time
to
completion
before
it
accepts
the
next
event
and
these
vats
communicate
with
each
other,
so
that
the
object
layer
that
we
build
on
top
of
the
VAT
layer.
Every
object
is
in
some
vas,
so
the
vats
are
a
disjoint
partitioning
of
the
object.
Graph
objects
within
the
same
VAT
can
invoke
each
other
directly,
as
you
would
expect
in
a
normal
object.
B
Language,
but
objects
can
also
send
asynchronous
messages
to
objects
and
other
vets
and
cryptographically
down.
Through
these
layers,
we
ensure
that
the
distributed
communication
base
the
same
capability
safety
rules
as
the
local
implementations
modulo,
this
distinction
between
unforgeable
'ti
and
unguessable
'ti
and
then
finally,
we
build
on
all
of
that.
Our
a
smart
contract
framework
are
our
abstractions
for
electronic,
for
transferable
electronic
rights.
B
And
in
order
to
build
each
level
out
of
the
layer
below
you
engineer
various
protocols,
so
that
DP
turns
out
to
be
very
much
aligned
with
the
IBC
inter
blockchain
protocol
from
cosmos.
So
a
gorrik
and
cosmos
are
collaborating
on
reconciling
the
differences
between
IBC
and
VAT
DP.
Not
only
are
they
very
much
attacking,
essentially
the
same
problem,
they
actually
arrived
at
very
similar
solutions.
B
On
top
of
that,
we
have
our
capability
transport
protocol,
which
is
very
much
like
what
we
had
between
o
between
only
single
machines
and
the
old
pre
blockchain
days,
but
now
lifted
to
run
on
top
of
chains
and
other
agreement
mechanisms
as
well,
and
then
ERT
P
is
the
electronic
rights
transfer
protocol.
So
what's
going
on
here
is
that
in
order
we
always
could
have
built
smart
contracts
without
the
blockchain,
but
the
contracts
need
to
run
somewhere
and
contracts
are
sort
of
the
hot
spot
where
you
need
mutual
credibility.
B
B
But
it's
important
to
remember
that
block
chains
by
themselves
are
not
a
panacea.
This
is
often
missed
by
people
in
the
block
chain.
Space
which
is
a
block
chain,
now
gives
us
the
equivalent
of
reliable
Hardware
hardware
that
we
can
treat
that
we
can
treat
as
trustworthy
back
in
the
history
of
computer
security
before
before
block
chain.
B
All
of
software
security
was
making
the
assumption
that
they
had
that
hardware
anyway,
even
though
they
didn't
so
now
that
we've
given
them,
what
they've
already
assumed
everything
that
they
then
built
on,
that
assumption
is
now
relevant,
so
just
saying
block
chain
without
on
top
of
it,
building
the
kind
of
software
security
architecture
that
the
history
of
software
security
has
taught
us
are
good.
Architectures
won't
solve
the
problem.
A
This
to
be
a
positive
contribution
is
if
it
grows
within
the
current
system
of
human
institutions
and
current
non-profit
based
institutional
lessons
about
countable
range
14
cooperation,
and
it
needs
to
avert
not
because
they
suck
there's
a
separate
world
isolated
from
you,
but
as
a
world.
That's
continuously
so
another
very
important
claim
of
hybrid
contracts.
The
contract
which
throws
action
is
that
that
some
of
the
arrangements
that
are
very
interested.
A
Execution
coupled
with
its
but
sometimes
a
separate
legal
contract
which,
where
the
where
the
two
are
composed
together,
where
they
can
solve
problem
by
having
one
foot
with
legal
system
in
one
foot
in
cyberspace
that
you
can't
solve
well
just
in
one
system
by
itself.
So
altogether.
I
think
that
the
the
adoption
problem,
that
watching
others
but
having
is
largely.
A
Due
to
follow
the
ideology
of
we
needed
pure
separated
world,
rather
than
even
if
we
have
sort
of
a
pure
uncorrupted
technology,
what
extreme
of
what
we
don't!
We
need
the
entire
continuum
of
compromise
between
that
in
the
real
world
hook
it
up
in
a
rich
way
to
the
real
world
of
human
institutions
in
the
overcomers.
A
A
A
A
A
Starts
off
by
saying,
let's
assume
a
link
over
channels,
let's,
let's,
let's
assume
away
the
hard
problem
and
now,
let's
solve
easy
problem-
and
you
know
like
like
with
you
know,
software
security
as
a
whole
in
insecure
Homburg.
Maybe
if
we
saw
the
easy
problem,
we
can
come
back
to
the
hard
problem
later
and
find
that
you
can
do
something
that
makes
the
solution
an
easy
problem
relevant,
but
right
now
on
covert
channels
inside
shadows
huge.
A
There
are
some
special
cases
we
can
solve
very
well
with
confidentiality
and
we
have
a
challenge
page
on
the
web.
That
shows
the
use
of
SES
security
strip
to
address
one
of
those
special
cases
for
comfort
of
confidentiality,
precisely
which
is
a
lot
of
our
libraries.
Are
the
library
not
so
much
our
applications
to
hold
many
of
our
libraries
for
libraries
that
do
a
transformation
or
job
parsers
and
generators
and
pattern
recognizers
and
just
a
tremendous
amount
of
our
software
as
one
that
doesn't
need
to
cause
any
effects
on
the
outside
world.
A
A
He
can
still
signal
on
covert
inside
channels
to
other
software
that
can
measure
relation.
So
we
can
still
emit
one
so
I
channels,
but
it
cannot
perceive
such
channels.
There
are
challenges
we
have
a
hugely
a
breach
of
side
channel,
but
even
being
able
to
estimate
milliseconds
is
enough
easily.
You
leave
the
data
inside
sugar
and
then
we
challenge
anybody
to
write
software.
We
did
within
the
SDR
sandbox,
but
everything's
in
one
address.
So
it's
all
the
meltdown
inspector
assumptions
are
violated.
A
Everything
is
in
one
address
space,
but
the
the
challenge
code
that
you
run
is
run
without
any
ability
to
integration.
We
actually
didn't
have
some
responsible
disclosures
of
some
bugs
to
defend
against
that
were
very
interesting.
Those
are
bugs.
Are
our
friend
bugs
in
the
concept
we
fix
those.
So
that's
that's
an
important
special
case.
There
is
a
recent
paper
by
the
SEO
formulas
that
I
frankly
haven't
read.
Despite
that,
I
would
recommend
that
qualification
read
everything
bsl-4.
That's
right,
but
it's
one
that
they
call
time
protection
where
they
create
basically
separate
worlds.
A
That
understand
reasonable
assumptions,
have
no
side
channels
between
me
and
they
do
it
not
by
sharing
a
single
SEO
file
for
a
kernel
money,
but
basically
by
using
SEO
for
as
a
virtual
machine
monitor
to
create
multiple
SEO
forests
instantiation.
So
each
subsystem
is
running
full
SEO
for
as
only
those
large
brain
foods
that
can
take
a
leak
to
each
other,
but
finally
call
attention
to
the
two
parts
of
greenery.
A
A
lot
of
computation
is
run
when
small
machines,
or
it
works,
and
these
small-scale
replicated
forms
within
a
single
organization
and
a
single
possible,
not
so
much
the
same
machines
and
if
they
were
running
provably
secure.
So
the
fact
that
they're
running
within
the
physical
box
of
a
house
gives
you
a
somewhat
defensible
initial
boundary
for
side
channels.
Given
that
you
take
all
the
software
measures
around
that
that
people
almost
and
then
having
to
jelly
I'll,
just
mention
C
cache
again
and
then
skip.
A
You're,
sorry
so
I'll
bet
they've,
always
kind
of
been
a
little
bit
horrified
by
the
concept
of
smart
contracts
and
they're,
like
oh
you'll,
be
living
in
your
apartment.
You
know
your
apartment
at
least,
will
be
controlled
by
smart
contract
and
then
what?
If
there's
a
bug
in
your
apartment?
You
know
so.
A
A
A
It's
a
long
question.
It
was
very
interrupted
with
other
parts
of
the
questions
with
regard
to
the
department.
Access
to
wave
deals
that
you
want
to
capability
system
is
is
what
I
mentioned
that
they
were
melted
with
the
attenuating
Pole.
Is
you
don't
give
out?
The
object
itself
represents
permanent
irrevocable
permission
to
provoke
the
entirety
of
the
through
the
objects
API.
If
you
want
to
give
something
less
than
you,
don't
try
to
build
some
access
control
mechanism
into
the
object
itself.
A
Rather,
you
create
other
objects
in
front
of
that
object
where
the
other
objects
can
impose
some
attenuation,
one
of
the
messages
that
they
forward
throats
forward
through
only
a
subset
of
transforms
of
messages
in
some
way.
A
great
example
that
shows
how
important
this
notion
of
attenuation
is
is
an
MMU
is
essentially
presenting
as
virtual
memory,
a
very
important
attenuation
and
physically
so
remapping
things
that
also
comes
up
a
lot
where
you're
not
just
allowing
the
substantive
accesses
through
you're
doing
it
by
remapping
names.
A
A
So
with
Linux
containers
is
what
it
gives
me
is
a
system
with
the
semantics
of
Linux,
which
is
already
hopelessly
insecure.
But
what
a
virtual
machine
gives
me
is
a
semantics
of
a
modern
instruction
set
which,
if
it's
a
principle,
not
an
instruction
set
good
system,
these
remote
distinctions
and
appropriate
mapping
of
the
in
the
new
weather,
a
purely
virtual
peripera
virtual.
A
Those
are
underlying
primitives
that
are
extremely
good
for
building
secure
operating
systems.
So
you
didn't
know
I
assume
you
don't
know
this
for
sure,
but
I
assume
you
can
write
SEO
for
under
a
virtual
machine
that
formulates
the
hardware
than
SEO
for
is
assuming,
but
you
can't
run
SEO
for
on
top
of
the
Linux
people,
so
by
building
a
Linux
container
you're
starting
off
in
a
situation
which
already
lost
in
any
building
situation,
which
you
virtual
world.
A
Let
me
caution
everybody
that
testy
linux
describes
what
it's
doing
using
the
tongue
capabilities.
They
are
not
capabilities;
they
do
not
even
resemble
capabilities.
There
are
about
as
far
from
capabilities
as
a
concept
as
you
can
get,
and
yes,
beyond
that,
I
am
NOT
a
fan
of
it.
So
if
you
want
to
start
with
UNIX
and
build
something
that
has
some
good
security
properties,
I
am
a
fan
of
capsicum
capsicum
is
a
modified
FreeBSD
kernel.
There's
a
project
to
put
those
nations.
A
That
UNIX
domain
sockets
the
file
descriptors
per,
gets
domain,
sockets,
essentially
already
obeyed
capabilities,
so
a
program
can
throw
itself
into
capability
mode,
in
which
case
it's
running
in
a
is
this
essential
with
everything
that's
not
capability
like
turned
off
and
then
with
the
set
of
services
as
alternatives
capability
based
alternatives
to
the
things
that
were
turned
off,
where
the
alternatives
present
the
service
in
a
capability
to
bring
it
together
and
once
again
any
security
prescription
that
says,
throw
away
your
multi
trillion-dollar
legacy
and
start
over
from
scratch.
It's
just
a
prescription.
A
A
So
that
capability
expectation
is
built
in
there
right
now
today,
you're
targeting
around
yeah,
but
unfortunately
the
capability
of
handling
capability,
nature
and
Mach
isn't
he's
nowhere
exposed
or
made
use
of.
So
it's
kind
of
it's
got.
They
paid
all
the
cost
about
a
capability
system
underneath
achieving
the
benefit.
A
There's
there's
another
case
where
they
achieve
some
of
them
and
it's
also
a
surprisingly
pervasive
every
Qualcomm
chip.
That's
the
main
processor
check
of
the
sulfur,
so
figure
all
your
cell
phones
are
built
with
a
essentially
with
two
CPUs
one
running
your
your
your
mobile
operating
systems.
You
want
actually
doing
the
phone
cell
phone
software
itself.
A
A
It
is
not
a
capability
system,
but
its
capability
influenced
SEL
for
is
the
genuine
capability
system
and
is
a
phony
verified
high
performance
microphone.
So
one
can
imagine
a
future
in
which
are
all
conscious
are
upgraded
to
no
an
SEO,
in
which
case
our
the
cell
phone
system.
We
can't
run
software
one
tremendously
better
system
to
run
software
and
then
the
roller
message
for
any
other
questions.
Okay,.