human experiences can be addressed by different applications, allowing users to interact with each in a manner most conducive to that particular context. An alternative view makes use of a single architecture, perhaps encompassing a number of platforms, to present an extremely complete and often fine-grained representation of a particular context. Such systems are often comprised of many subsystems that present detailed interactions between one or more users and a single, often large-scale data model context. Among these subsystems may be components that have real-time constraints on the processes that they contain. An excellent example of this model is found in the avionics systems used to control aircraft.

Avionics systems on modern commercial jet airliners are capable of flying the plane from takeoff to landing in a purely hands-off mode. In most instances, they are not used this way but rather they provide the capability to pilots of fully monitoring all aircraft systems and of effecting control through a highly intuitive user interface. Moreover, these systems allow the integration of ancillary systems such as those for monitoring weather conditions that might affect aircraft operations. On military combat aircraft, such ancillary systems might also include weapons systems monitoring and control along with integration into wide-ranging threat assessment and targeting systems. Such complex environments are typically designed from the aspect of the applications that the platform must support within a single context. Major computer system components such as operating system support, database systems, graphic display and motor control are relegated to embedded components of larger scale dedicated systems. Therefore, we might think of an avionics system as a dedicated system that compartmentalizes along the application axis; a system dedicated to a single problem. In the next chapter, we will suggest a dedicated system that compartmentalizes along the user axis; specifically, a dedicated system providing an enhanced single user capability.

Historically, the deployment of secure cores involved the development and installation of all software on the computer platform during its manufacturing process. This had the characteristic that such software could be installed in read-only memory, making it essentially immutable. This is a very attractive characteristic from a security, and hence trust, viewpoint. Of course, a very unattractive aspect of this characteristic is that the software on a secure core is immutable and this is often, if not always, problematic with software in general. If software is determined to have errors in it, then it is useful to be able to fix it. Fixing software generally involves either removing the errant software and replacing it with good software, or altering the current software in place with a software patch, a concept perhaps borrowed from repairing an automobile tire that has a hole in it. If both the hardware platform as well as its contained software is immutable, then fixing becomes difficult if not impossible. It is a bit like fixing a wagon wheel on a covered wagon.

A solution to this general deficiency arose through the concept of introducing a virtual machine into secure cores. A virtual machine is essentially a pseudo-computer that exists purely within a software implementation. Thus, one can write software to run on a real computer platform that will then support the operation of a pseudo-computer within it. This provides a level of indirection in the software operation process that allows one to add new software onto a secure core.

First, the software that implements the virtual machine is installed on the secure core during the manufacturing process. This software is rather generically referred to as a virtual machine interpreter. Then, new software that is desired on the secure core platform is written as generic data to the secure core. Now this data can be input into the virtual machine interpreter et voila, new software has been loaded onto the secure core. As long as the appropriate protocols are followed, such software can be securely loaded onto a secure core even after it has been issued to a bearer of a wider system that encompasses the secure core; a personal electronic device.

Book available at Midori Press (regular)
Book available at Midori Press (signed)
Book available at Amazon (regular)