Secure system design should be guided by two principles: (1) system security should not impede third-party developers, who are often the main source of innovation, and (2) systems that secure third-party extensions also improve security by reducing the amount of specially-privileged first-party code.
Unfortunately, very few systems today adhere to these principles. This is not merely a result of poor system building. It is hard to design highly extensible systems that are both secure and useful. Moreover, the research community often fails to evaluate novel designs under real-world usage by actual practitioners. As a result, many promising research approaches remain difficult to adopt in practice.
I'll describe Tock, an operating system for microcontrollers we designed with these principles in mind. I'll discuss how we continuously evaluate Tock by engaging with practitioners, and how lessons from practitioners have fed back into the system's design.