Transparent mistrust: OS support for cryptography-in-the-large

This position paper advocates the development of new mechanisms to support cooperative computing requiring less than complete trust. Traditional OS security mechanisms have assumed a monolithic or hierarchical model for controlling and arbitrating access to local resources. Operating systems authenticate users as they log in and enforce controlled access to files, devices and memory. Distributed systems change the picture somewhat, with less-trusted clients obtaining some resources from centralized servers, but typically retain some notion of central authority within a framework of global trust and control. Boundaries of trust are going to become increasingly important to future workstation operating systems. Cryptographic algorithms and protocols can protect these boundaries, but the interfaces to them need some attention first. Our experiences, which are admittedly within the research environment, lead us to believe that cryptographic protection can be quite practical across a variety of layers of the system; importantly, no one layer emerges as a decisive winner as to where this protection best belongs. (The application layer, however, does appear to be the clear loser.)