> . For example, a kernel like SeL4, which could directly run sandboxed applications, like banking apps. Apps run in this way could prove they are running in a sandbox. ... Then also allow the kernel to run linux as a process, and run whatever you like there, however you want.

This won't work. It's turtles all the way down and it will just end up back where we are now.

More software will demand installation in the sandboxed enclave. Outside the enclave the owner of the device would be able to exert control over the software. The software makers don't want the device owners exerting control of the software (for 'security', or anti-copyright infringement, or preventing advertising avoidance). The end user is the adversary as much as the scammer, if not more.

The problem at the root of this is the "right" some (entitled) developers / companies believe they have to control how end users run "their" software on devices that belongs to the end users. If a developer wants that kind of control of the "experience" the software should run on a computer they own, simply using the end user's device as "dumb terminal".

Those economics aren't as good, though. They'd have to pay for all their compute / storage / bandwidth, versus just using the end user's. So much cheaper to treat other people's devices like they're your own.

It's the same "privatize gains, socialize losses" story that's at the root of so many problems.

▲

josephg 8 hours ago | parent [-]

Good point. I didn't think of that.

It may still be an improvement over the situation now though. At least something like this would let you run arbitrary software on the device. That software just wouldn't have "root", since whatever you run would be running in a separate container from the OS and banking apps and things.

It would also allow 3rd party app stores, since a 3rd party app store app could be a sandboxed application itself, and then it could in turn pass privileges to any applications it launches.

▲

EvanAnderson 8 hours ago | parent [-]

It's what we have now.

I can run an emulator in the browser my phone and run whatever software I want. The software inside that emulator doesn't get access to cool physical hardware features. It runs at a performance loss. It doesn't have direct network access. Second class software.

▲

josephg 7 hours ago | parent [-]

Its not what we have now, for the reasons you list. Web software runs slowly and doesn't have access to the hardware.

SeL4 and similar sandboxing mechanisms run programs at full, native speed. In a scheme like I'm proposing, all software would be sandboxed using the same mechanism, including banking apps and 3rd party software. Everything can run fast and take full advantage of the hardware and all exposed APIs. Apps just can't mess with one another. So random programs can't mess with the banking app.

Some people in this thread have proposed using separate devices for secure computing (eg banking) and "hacking". That's probably the right thing in practice. But you could - at least technically - build a device that let you do both on top of SeL4. Just have different sandboxed contexts for each type of software. (And the root kernel would have to be trusted).

▲

EvanAnderson 6 hours ago | parent [-]

I'm not familiar with SeL4 other than in the abstract sense that I know it's a verified kernel.

I interpreted your statement "Then also allow the kernel to run linux as a process, and run whatever you like there, however you want." as the Linux process being analogous to a VM. Invoking an emulator wasn't really the right analogy. Sorry about that.

For me it comes down to this:

As long as the root-of-trust in the device is controlled by the device owner the copyright cartels, control-freak developers, companies who profit end users viewing ads, and interests who would create "security" by removing user freedom (to get out of fraud liability) won't be satisfied.

Likewise, if that root-of-trust in the device isn't controlled by the device owner then they're not really the device owner.

	▲	josephg 5 hours ago \| parent [-]
		Yes; I think that's the real impasse here. As I say, I think there is a middle ground where the device owners keep the keys, but programmers can run whatever software they want within sandboxes - including linux. And sandboxes aren't just "an app". They could also nest, and contain 3rd party app stores and whatever wild stuff people want to make. But a design like this might please nobody. Apple doesn't want 3rd party app stores. Or really hackers to do anything they don't approve of. And hackers want actual root.