No disagreement here. I saw a wonderful discussion recently by a researcher at Mentor Graphics about 2 things: VLSI design hacking and low level interconnect hacking. Things we call "hardware" and just assume are designed securely.

They are not. The hardware designers at the chip and board level know little or nothing about security techniques. They don't work with systems people who build with their hardware to limit undefined or covert behaviors.

Systems people in turn make unreasonable and often wrong assumptions about what is hard about hardware. Assumptions about what it won't do, in particular.

We need to treat hardware like we treat software. Full of bugs, easily compromised. There are approaches to reliability and security that we know, that are tractable. But to apply them we need to drop the fictional idea that hardware is hard... It's soft.

The principle of least privilege is one of those. The end to end argument should be applied to bus protocols like CAN, for the same reason.

On Oct 4, 2017 at 12:38 PM, <Dave Taht> wrote:

well, I still think the system is rotten to its (cpu) cores and much
better hardware support for security is needed to start from in order
to have better software. Multics pioneered a few things in that
department as I recall, but research mostly died in the 90s...

Blatant Plug: The mill cpu folk are giving a talk about how they do
secure interprocess communication tonight in san jose, ca. I'm going.
While I expect to be cheered up by the design (the underlying
architecture supports memory protections down to the byte, not page,
level, and may be largely immune to ROP) - I expect to be depressed by
how far away they still remain from building the darn thing.

https://millcomputing.com/event/inter-process-communication-talk-on-october-4-2017/