Sciweavers

SIGOPSE
2004
ACM

Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors

14 years 4 months ago
Reducing TCB size by using untrusted components: small kernels versus virtual-machine monitors
Secure systems are best built on top of a small trusted operating system: The smaller the operating system, the easier it can be assured or verified for correctness. In this paper, we oppose the view that virtual-machine monitors (VMMs) are the smallest systems that provide secure isolation because they have been specifically designed to provide little more than this property. The problem with this assertion is that VMMs typically do not support interprocess communication, complicating the use of untrusted components inside a secure systems. We propose extending traditional VMMs with features for secure message passing and memory sharing to enable the use of untrusted components in secure systems. We argue that moving system components out of the TCB into the untrusted part of the system and communicating with them using IPC reduces the overall size of the TCB. We argue that many secure applications can make use of untrusted components through trusted wrappers without risking securi...
Michael Hohmuth, Michael Peter, Hermann Härti
Added 30 Jun 2010
Updated 30 Jun 2010
Type Conference
Year 2004
Where SIGOPSE
Authors Michael Hohmuth, Michael Peter, Hermann Härtig, Jonathan S. Shapiro
Comments (0)