This (Computer Security) is a solved problem, kids. One of the lessons learned in the Viet Nam conflict was the need for a computer system that could safely handle multiple levels of classified data. The solution was Multilevel security; included in that was the Bell-LaPadula model. Several actually secure OSs emerged over the decades since, including KeyKOS, CapROS and Eros.
I'm hoping that someday I can make Genode, the latest capability based operating system, my daily driver, so I never have to worry about virus scanners again.
Computer security is a solved problem for systems with a fully-specified set of capabilities, usage patterns, and legal operations. You follow the Principle of Least Privilege, build in defense in depth, use capabilities, and never expose anything that the user doesn't have a reason to access.
The problem is that the constraints this imposes on the system usually do not line up with the constraints that the market will pay for. It's very common for customers to change their mind; decide they need to hack around access protections; add new users with new roles that are some hybrid of current access; ask for new features; not think through who should have access to new features; want to enable serendipity where untrusted users discover new use-cases and new markets for their product; and so on. It's also very common for them to ignore security as a differentiator when making their purchase decision, figuring that if there's a breach, somebody else will pay for it, or they'll be long gone from the company and unable to be blamed for it. So the market ends up bypassing the secure solutions that exist and choosing to buy insecure systems that can offer the features they want right now.
When security is absolutely critical, like in military or certain financial applications, it's pretty easy to achieve. There are companies like Galois that specialize in "high assurance systems". But they are expensive for their feature set, and so the general public would rather buy from cheaper and more insecure options.
Eventually we're going to have to collectively decide that the operating system is the correct place to enforce capabilities, as is done in mainframe OSs.
Memory holing any mention of this solution isn't productive in the long run.
Yes, the operating system is the correct place to enforce capabilities.
The problem with this is that no mainstream OS does this correctly, which means that correctly doing security requires writing a new OS and getting all the userspace programs ported over to it (which is a non-trivial port, because the programming model for capabilities is pretty significantly different from mainstream OSes). It's very hard to convince users to ditch their entire computing ecosystem for a new one unless all of their devices get pwned and they can't access their computing ecosystem anyway.
I'm convinced the way this will be done is to take a capabilities-based OS, and tack on an emulation layer to allow Windows or Linux binaries to run, and only let them see the things that the user has decided they need to see, by emulating the dialog boxes to the app, and then transparently enforcing those choices. Thus a copy of a Windows text editor could run, and ONLY get access to the file the user chooses, without having to re-write anything.
The crux of the issue is command line programs... I'm not sure how to deal with those, but I suspect it'll be an outer job control language.
You're right about Bell-LaPadula, but note that model isn't used as much as the Biba model, the basis of Windows UAP. Even "solved" problems tend to evolve or get superseded over time; nothing seems to stay solved for long!
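The two models named in this thread (Bell-LaPadula in the opening comment, Biba in the reply above) are both lattice-based mandatory access control, and they differ only in the direction of the read and write rules. The following is an added example, not code from any commenter, that implements both sets of rules over one label type so the mirror-image relationship is visible; the level names and compartment strings are constructed for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access checks.

Added example: a label is a (level, compartments) pair ordered by
dominance; BLP forbids read-up/write-down, Biba forbids read-down/write-up.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Constructed ordering; reused as an integrity scale for the Biba checks.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset  # e.g. frozenset({"CRYPTO"}); empty = no compartments

    def dominates(self, other: "Label") -> bool:
        # Lattice partial order: higher-or-equal level AND superset of compartments.
        return self.level >= other.level and self.compartments >= other.compartments


# --- Bell-LaPadula: protects confidentiality -------------------------------
def blp_can_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): subject must dominate object.
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): object must dominate subject, so a SECRET
    # process cannot leak what it has read into an UNCLASSIFIED file.
    return obj.dominates(subject)


# --- Biba: protects integrity (the dual of BLP) -----------------------------
def biba_can_read(subject: Label, obj: Label) -> bool:
    # Simple integrity property ("no read down"): object must dominate subject,
    # so a high-integrity process does not consume low-integrity input.
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    # *-integrity property ("no write up"): subject must dominate object, so a
    # low-integrity process cannot modify high-integrity data.
    return subject.dominates(obj)


def decide(model: str, op: str, subject: Label, obj: Label) -> bool:
    """Dispatch to the right rule; unknown model/op names are rejected."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
    }
    return rules[(model, op)](subject, obj)


if __name__ == "__main__":
    secret_crypto = Label(Level.SECRET, frozenset({"CRYPTO"}))
    unclassified = Label(Level.UNCLASSIFIED, frozenset())
    for model in ("blp", "biba"):
        for op in ("read", "write"):
            print(model, op, "SECRET/CRYPTO ->", "UNCLASSIFIED:",
                  decide(model, op, secret_crypto, unclassified))
```

Note that a subject at SECRET with compartment CRYPTO is not comparable to an object at SECRET with compartment NUCLEAR, so both models deny both reading and writing between them; that is the compartment ("need to know") half of multilevel security, not just the level half.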
Windows UAP is a horrible thing. It would be far better to just replace the system dialog boxes like file open, save, etc. with power boxes that then give file capabilities to applications.
It would be minimal work to refactor applications, and provide almost perfect security with no UX change.
This is how macOS apps work by default these days. Each sandboxed app can R/W to a private "container" directory only, and to access anything else you present an "open" dialog that gives you back a special URL object with the requested capabilities for that resource. This is pretty fascinating: https://www.mothersruin.com/software/Archaeology/reverse/boo...
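The "power box" idea from the two comments above (the trusted open/save dialog hands the application a capability rather than a path, so the app can touch only what the user picked) can be shown with ordinary file descriptors. The example below is added here and is not code from any commenter or from macOS; the `FileCap` class, `powerbox_open` and `text_editor` names are assumptions made for the illustration, and the sample file contents are constructed. In a real capability OS the app would have no ambient `open` at all; here the point is the shape of the interface: a handle plus a rights set, with attenuation and no path.

```python
"""Powerbox pattern: trusted shell opens the file, app receives a capability.

Added example. The capability exposes a descriptor plus a rights set and
no path, so holding it does not let the app name any other file.
"""
import os
import tempfile


class FileCap:
    """Capability to one already-open file with a fixed set of rights."""

    def __init__(self, fd: int, rights):
        self._fd = fd
        self._rights = frozenset(rights)  # subset of {"read", "write"}

    def read(self) -> bytes:
        if "read" not in self._rights:
            raise PermissionError("capability lacks read right")
        os.lseek(self._fd, 0, os.SEEK_SET)
        chunks = []
        while True:
            chunk = os.read(self._fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)

    def write(self, data: bytes) -> None:
        if "write" not in self._rights:
            raise PermissionError("capability lacks write right")
        os.lseek(self._fd, 0, os.SEEK_SET)
        os.ftruncate(self._fd, 0)
        os.write(self._fd, data)

    def attenuate(self, rights) -> "FileCap":
        """Derive a weaker capability to hand onward; rights can only shrink."""
        rights = frozenset(rights)
        if not rights <= self._rights:
            raise PermissionError("cannot add rights to a capability")
        return FileCap(os.dup(self._fd), rights)

    def close(self) -> None:
        os.close(self._fd)


def powerbox_open(path: str, rights) -> FileCap:
    """Trusted side: stands in for the system open/save dialog. It alone
    resolves the user's choice to a path and opens it with matching flags."""
    rights = frozenset(rights)
    flags = os.O_RDWR if "write" in rights else os.O_RDONLY
    return FileCap(os.open(path, flags), rights)


def text_editor(cap: FileCap) -> str:
    """Untrusted app: given a capability, uppercases the file's contents.
    It never sees a filename, so it has nothing to pass to open()."""
    text = cap.read().decode()
    cap.write(text.upper().encode())
    return text


def run_demo() -> dict:
    """Exercise the pattern on a constructed temp file; returns observations."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"hello")  # constructed sample content
        path = f.name
    try:
        full = powerbox_open(path, {"read", "write"})
        before = text_editor(full)
        after = full.read().decode()

        # A read-only derivative cannot write, even though the file is RW.
        ro = full.attenuate({"read"})
        try:
            ro.write(b"x")
            readonly_write_denied = False
        except PermissionError:
            readonly_write_denied = True

        # A holder cannot grow a capability back to more rights than it has.
        try:
            ro.attenuate({"read", "write"})
            escalation_denied = False
        except PermissionError:
            escalation_denied = True

        ro.close()
        full.close()
        return {"before": before, "after": after,
                "readonly_write_denied": readonly_write_denied,
                "escalation_denied": escalation_denied}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(run_demo())
```

The refactoring cost the comment mentions is visible here: the editor's only change is that it takes a `FileCap` where it used to take a path, which is why the UX does not change while the app's reach shrinks to exactly the files the user picked.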
Hmm? As the joke goes, the only secure computer is the one which is turned off. But I guess, that's not even true nowadays (taking security keys from cooled memory modules).