In the field of computing, there is a tension between systems that provide a high degree of security on the one hand, and systems that provide a large number of functional features and a high degree of extensibility on the other hand. Security in the field of computing depends on the ability to understand and predict the behavior of a computer system (that is, the behavior of both the software and the hardware) with a high degree of certainty—i.e., the ability to ensure that the system will not, through inadvertent misuse or deliberate attack, behave in some manner other than that for which it was designed. For example, a computer system that is designed to protect copyrighted material from copying is only trustworthy to the extent that we can be assured the system will actually do what it was designed to do. Large, open architectures, however, tend to be unwieldy and complex, which makes it difficult to analyze their behavior, since there are a large number of variables that can affect that behavior. At the present time, it seems unlikely that a large, complex program such as a full-service operating system or word processor could have its behavior verified to a high degree of certainty. It is possible to write a small program whose behavior can be tested and verified under a wide variety of conditions and classes of attack, but such a program would only be able to perform a limited set of functions. Thus, a tension exists between providing a large amount of functionality and providing a high degree of security.
One solution that has been proposed is to run two systems side by side—one large system that has a high degree of functionality, and another small system that has a high degree of security. Thus, a full-service operating system such as WINDOWS XP could be run alongside a small, high-assurance operating system. Whenever an event occurred in the full-service operating system that needed to be performed in a tightly controlled manner with a high degree of trust, the task could be passed to the high-assurance operating system.
Operating systems provide environments in which other programs can execute. However, the mere fact that two operating systems can exist side by side does not address the problem of how a given application can make use of both environments. It would be desirable for an application to use the full-featured environment to perform most functions (i.e., those not requiring a high degree of security), and to use the high-assurance environment to perform functions that do require a high degree of security. Moreover, it is desirable to use these two environments in a way that provides an integrated user experience.
In view of the foregoing, there is a need for a system that overcomes the drawbacks of the prior art.