the competence is defined once and for all. The performance of the secure core is established through the use of applications, which are means of instructing the computer. Applications need to retain states of their operations, and therefore require memory that can be written more than once. Actually, this memory can be used for storing the applications themselves, which can subsequently be modified at will, providing means to actually vary the performance of the secure core, still within the limits of the competence of the machine. If a threat is discovered that affects an application, it can be addressed by changing this application. However, if a threat is discovered that affects the competence of the machine, that is a defect in the operating system, that threat may deny any usefulness to the secure core, and this can lead to a full series of secure cores needing to be replaced.

While the read-only memory static properties are a problem when there are defects in the operating system, it is, on a contrary, a benefit when there are none, as the fact that the operating system cannot be modified increases the trust in the secure core. For that reason, plus the economic reality that read-only memory was far cheaper than forms of memories that can be modified, it is only around year 2000 that new forms of secure core rewritable memories could be at the same time sufficiently trusted to carry an operating system and inexpensive enough to satisfy the needs of volume production. When that happened, an important change had occurred, because suddenly not only the performance of a secure core, but also its competence, could be changed, albeit, of course, within the limit of the physical capabilities of the electronics involved: if the secure core doesn’t have a fingerprint sensor, no change in the operating system will provide one.

The performance of a computer is effected through applications. Applications are sets of instructions to the operating system that affect the sensori-motor part of the secure core. For example, an application may decide to activate the fingerprint sensor. For this, it will simply instruct the operating system to do so. How the operating system does it, the application doesn’t know. It just trusts the operating system to do what it’s told. (Similarly, when we decide to move our finger, the actual operations leading to our finger actually moving are not part of our conscious experience: in computer parlance, our application has ordered the finger to move, our operating system has performed the moving.) This separation of functions is a necessary feature of complex systems, as we cannot imagine each application having to spell out again and again all the elementary operations, which easily number in the million, that lead to any action. By issuing higher orders, tremendous gains are made in the capability of the machine to effect its work. But now, this creates the very situation that we wanted to illustrate here.

Let’s say that we want an application to change its behavior, let’s say by only activating the fingerprint sensor at the explicit request of the user instead of doing it systematically at each use of the secure core We can effectuate this change in the application without modifying any other part of the secure core. The application still instructs the operating system to activate the fingerprint sensor; simply, it now waits for an order to do so instead of doing it all the time. However, let’s now consider that we need to change the operating system itself because we discovered that its handling of the fingerprint sensor activation is faulty. To take an illustrative example, let’s consider that the problem comes from the fact that the fingerprint sensor draws so much electricity that another sensor, say an antenna, needs to be shut down first. To solve that problem, the operating system, which knows about power consumption, needs to shut down the antenna each time the fingerprint sensor is required, and conversely, needs to shut down the fingerprint sensor each time the antenna is in use. However, when that happens, it obviously affects both the fingerprint sensor operation and the antenna operation. For example, the current antenna application cannot trust the operating system to allow it to operate continuously anymore.

Book available at Midori Press (regular)
Book available at Midori Press (signed)
Book available at Amazon (regular)