Figure 9 — Vulnerability Elimination by Construction

Each vulnerability class that plagues conventional architectures is eliminated not by a software mitigation but by the absence of the hardware mechanism that enables it, combined with dual-gate TSB validation that enforces capability security on every access. The guarantee therefore rests on the two gates themselves (mLoad on every read, mSave on every write) being correct, not on any code running above them.

Vulnerability → Eliminated by Construction

| Vulnerability Class | Conventional Cause | What's Absent | Dual-Gate Protection | Status |
|---|---|---|---|---|
| Buffer Overflow (stack smash, heap spray, format string attacks) | Flat memory with unchecked pointer arithmetic and raw array indexing | ✗ No raw pointers; ✗ No pointer arithmetic; ✗ No unchecked indexing | mLoad: bounds check on every read access; GT enforces valid range | GONE |
| ROP / Code Reuse (return-oriented programming, JOP, gadget chains) | Writable return addresses on a software stack; branch to any address in flat memory | ✗ No branch unit; ✗ No writable return address; ✗ No flat code memory | CALL requires E perm GT; LAMBDA requires X perm GT; RETURN from HW stack only | GONE |
| Code Injection (shellcode, W^X bypass, JIT spray) | Memory that is both writable and executable; inject bytes, then jump to them | ✗ No self-modifying code; ✗ No W+X memory; ✗ No raw JMP/CALL | mLoad: X perm = code, W perm = data (disjoint); domain purity enforced | GONE |
| Privilege Escalation (root exploit, ring-0, kernel escape) | Hierarchical privilege rings; a single bit flip in the mode register grants all access | ✗ No privilege rings; ✗ No supervisor mode; ✗ No kernel/user split | Every access requires GT; no global "root" exists; TPERM can only attenuate | GONE |
| Use-After-Free (dangling pointer deref, double free) | Manual memory management; freed pointer remains valid, reallocated memory accessible | ✗ No raw pointers; ✗ No manual free(); ✗ No pointer aliasing | mLoad: version check; freed → version bumped; stale GT → FAULT | GONE |
| Confused Deputy (CSRF, ambient authority, TOCTOU races) | Access based on caller identity (ACL); service uses its own ambient authority on behalf of the caller | ✗ No ambient authority; ✗ No ACLs; ✗ No identity-based access | Capability = authority; B-bit: explicit delegation; mSave: B=1 required | GONE |
| Spectre / Meltdown (side-channel leakage, transient execution) | Speculative execution past security checks; cache timing reveals speculatively read data | ✗ No speculative execution; ✗ No cache hierarchy; ✗ No branch prediction | mLoad validates before any data reaches registers; no transient window | GONE |
| DMA Attack (FireWire/Thunderbolt, direct memory access) | Device bus has direct access to physical memory, bypassing CPU security checks | ✗ No ungated bus; ✗ No DMA engine; ✗ No bypass path | I/O Mediator is the sole path; all device I/O gated by mLoad/mSave validation | GONE |

The Elimination Principle

Conventional security adds mitigations on top of a vulnerable architecture (ASLR, DEP, CFI, shadow stacks). The CTMM/Church Machine removes the hardware mechanism that enables each vulnerability class entirely.

Dual-Gate Coverage Map

mLoad prevents:
✓ Buffer overflow (bounds check)
✓ Code injection (X vs. W perm disjoint)
✓ Use-after-free (version mismatch)
✓ ROP (E/X perm required for code entry)
✓ Privilege escalation (no ambient authority)
✓ Spectre (validates before data is visible)
✓ DMA attack (sole gated path)

mSave prevents:
✓ Confused deputy (B-bit = explicit delegation)
✓ Capability leakage (B=0 default, can't save)
✓ Foreign injection (F-bit detects remote)
✓ Stale persistence (version match on save)
✓ Seal forgery (seal recomputed on commit)
✓ GC evasion (G-bit reset on every save)
✓ Unbounded write (target bounds check)

8 vulnerability classes → 0 attack surface

Conventional vs. CTMM/Church Machine: conventional mitigates (patch, hope, repeat); CTMM eliminates (absent hardware = zero surface).
Legend: vulnerability class (eliminated); mLoad (read gate) protection; mSave (write gate) protection; eliminated by construction.
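The following C program is an added illustration of the checks the table attributes to the two gates; it is not code from the figure's source or from the CTMM/Church Machine itself. It models a capability as (object, version, bounds window, permissions, B-bit) and an object table whose version is bumped on every free, then walks one scenario per row the model can cover: out-of-bounds read, use-after-free through reallocation, an attempt to create W+X memory, storing a B=0 capability, and an attempt to widen permissions with TPERM. Field names, bit layouts, fault codes, the object-table shape and the scenario functions are all assumptions made for this example; GT, TSB, the F-bit and G-bit, sealing and the I/O Mediator are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of the two gates. Field layout, names and fault codes are
 * assumptions made for this example, not the CTMM/Church Machine's real encoding. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum { OK = 0, F_BOUNDS, F_STALE, F_PERM, F_WX, F_DELEGATE };
#define NOBJ  4
#define OBJSZ 64
/* Object table: each object carries a version that is bumped on every free. */
static struct { uint32_t version; uint8_t perms; bool live; uint8_t mem[OBJSZ]; } objtab[NOBJ];

typedef struct {
    uint32_t obj, version;  /* object index and the version it was minted against */
    uint32_t base, len;     /* window into the object; no arithmetic can leave it */
    uint8_t  perms;         /* always a subset of the object's permissions */
    bool     b;             /* B-bit: capability may be delegated (stored via mSave) */
} cap_t;

/* Allocate: W and X are disjoint by construction, so there is no W+X memory. */
static int obj_alloc(uint32_t i, uint8_t perms) {
    if (i >= NOBJ || ((perms & PERM_W) && (perms & PERM_X))) return F_WX;
    objtab[i].version++;                   /* fresh version on (re)allocation */
    objtab[i].perms = perms; objtab[i].live = true;
    memset(objtab[i].mem, 0, OBJSZ);
    return OK;
}
/* Free bumps the version, so every outstanding capability to the object goes stale. */
static void obj_free(uint32_t i) { objtab[i].live = false; objtab[i].version++; }
/* Mint a capability; it can never carry more than the object's own permissions. */
static int cap_mint(cap_t *c, uint32_t obj, uint32_t base, uint32_t len, uint8_t perms, bool b) {
    if (obj >= NOBJ || !objtab[obj].live) return F_STALE;
    if (base > OBJSZ || len > OBJSZ - base) return F_BOUNDS;
    if (perms & ~objtab[obj].perms) return F_PERM;
    *c = (cap_t){ obj, objtab[obj].version, base, len, perms, b };
    return OK;
}
/* TPERM can only attenuate: asking for a bit the capability lacks is a fault. */
static int tperm(cap_t *c, uint8_t new_perms) {
    if (new_perms & ~c->perms) return F_PERM;
    c->perms = new_perms;
    return OK;
}
/* Checks shared by both gates: version, then bounds (overflow-safe), then permission. */
static int gate(const cap_t *c, uint32_t off, uint32_t n, uint8_t need) {
    if (c->obj >= NOBJ || c->version != objtab[c->obj].version) return F_STALE;
    if (off > c->len || n > c->len - off) return F_BOUNDS;
    return (c->perms & need) == need ? OK : F_PERM;
}
/* mLoad (read gate): bytes are copied out only after every check has passed. */
static int mload(const cap_t *c, uint32_t off, uint32_t n, uint8_t *out) {
    int f = gate(c, off, n, PERM_R);
    if (f == OK) memcpy(out, objtab[c->obj].mem + c->base + off, n);
    return f;
}
/* mSave (write gate) for plain data. */
static int msave(const cap_t *c, uint32_t off, uint32_t n, const uint8_t *in) {
    int f = gate(c, off, n, PERM_W);
    if (f == OK) memcpy(objtab[c->obj].mem + c->base + off, in, n);
    return f;
}
/* mSave of a capability value additionally requires that value's B-bit. */
static int msave_cap(const cap_t *target, uint32_t off, const cap_t *val) {
    return val->b ? msave(target, off, sizeof *val, (const uint8_t *)val) : F_DELEGATE;
}

/* One scenario per table row the model covers; each returns the fault the gate raises. */
static int scenario_overflow(void) {      /* read 16 bytes at offset 8 of a 16-byte window */
    cap_t c; uint8_t buf[16];
    obj_alloc(0, PERM_R | PERM_W); cap_mint(&c, 0, 0, 16, PERM_R | PERM_W, false);
    return mload(&c, 8, 16, buf);
}
static int scenario_uaf(void) {           /* free, reallocate, then use the old capability */
    cap_t c; uint8_t buf[1];
    obj_alloc(1, PERM_R | PERM_W); cap_mint(&c, 1, 0, 16, PERM_R, false);
    obj_free(1); obj_alloc(1, PERM_R | PERM_W);
    return mload(&c, 0, 1, buf);
}
static int scenario_wx(void) { return obj_alloc(2, PERM_W | PERM_X); }
static int scenario_delegate(void) {      /* store a B=0 capability into shared memory */
    cap_t tgt, secret;
    obj_alloc(2, PERM_R | PERM_W); obj_alloc(3, PERM_R);
    cap_mint(&tgt, 2, 0, OBJSZ, PERM_R | PERM_W, true);
    cap_mint(&secret, 3, 0, OBJSZ, PERM_R, false);
    return msave_cap(&tgt, 0, &secret);
}
static int scenario_escalate(void) {      /* try to add W to a read-only capability */
    cap_t c;
    obj_alloc(0, PERM_R | PERM_W); cap_mint(&c, 0, 0, OBJSZ, PERM_R, false);
    return tperm(&c, PERM_R | PERM_W);
}

int main(void) {
    printf("overflow=%d uaf=%d wx=%d delegate=%d escalate=%d\n", scenario_overflow(),
           scenario_uaf(), scenario_wx(), scenario_delegate(), scenario_escalate());
    return 0;
}
```

The ordering inside `gate` matters: the version is compared before bounds or permissions are consulted, so a stale capability faults before its window is ever interpreted, and no byte is copied until all three checks pass. That is the software analogue of the table's "validates before any data reaches registers".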