We investigate a new point in the design space of red/green systems [19,
30], which provide the user with a highly-protected, yet also highly-constrained trusted (“green”) environment for performing security-sensitive transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive or “red”) applications. Through the design and implementation of the Lockdown architecture, we evaluate whether partitioning, rather than virtualizing, resources and devices can lead to better security or performance for red/-green systems. We also design a simple external interface to allow the user to securely learn which environment is active and easily switch between them. We find that partitioning offers a new tradeoff between security, performance, and usability. On the one hand, partitioning can improve the security of the “green” environment and the performance of the “red” environment (as compared with a virtualized solution). On the other hand, with current systems, partitioning makes switching between environments quite slow (13-31 seconds), which may prove intolerable to users.
An important consideration when you’re building an application is the usability of the security features that you’ll be employing. Security experts frequently lament that security has been bolted onto applications as an afterthought, however the security community has committed the exact same sin in reverse, placing usability considerations in second place behind security, if they were considered at all. As a result, we spent the 1990s building and deploying security that wasn’t really needed, and now that we’re experiencing widespread phishing attacks with viruses and worms running rampant and the security is actually needed, we’re finding that no-one can use it.