As vaporware goes, Ted Nelson's Xanadu, the Dynabook, and general purpose secure operating systems are hard to beat. Each was announced more than 25
years ago, and none have actually been delivered. The highest practically achievable assurance rating for commodity operating systems under current
standards, EAL4, might be characterized politely as "does not meet expectations." We must (and can) do better.
The EROS operating system is an attempt to construct a usefully secure system from the ground up. The design goal of the system might be stated as:
"Given that only a very small number of programs can be made reliable and trustworthy, design a system that is robust. In particular, assume that
actively hostile programs will be executed (through malice, enticement,
ignorance, or error), and construct a system that is robust in the face of this assumption."
Following the failures of the Mach microkernel and the i432 microprocessor, capability-based operating systems were abandoned in the mid-1980's for
performance reasons. EROS, a software-implemented capability system that runs on commodity hardware, outperforms current commodity operating systems
on microbenchmarks, and is presently the fastest protected microkernel in existence. It is based on a formally specified information flow model, and
the correctness of its core security features has been formally verified.
EROS's predecessor, the KeyKOS system, has been running production applications since 1982, with a measured MTBF in the field exceeding 15
years.
This talk will provide an overview of the EROS system. The talk opens with a "reality check" challenging commonly held assumptions about how to achieve
security. It identifies a set of feasible security objectives, and describes a system architecture that directly supports these objectives. Along the
way, we will discuss the pros and cons of capabilities as a protection
primitive and the security implications of composing systems from
authenticatable, secure components.
Updated 11 November 2002