Download Reducing the Trusted Computing Base David Lie University of Toronto

Reducing the Trusted Computing Base
David Lie
Department of Electrical and Computer Engineering
University of Toronto
1
TCB’s are Complex
•
Trusted Computing Base: The components of a system that an
application must trust to function correctly
Application
(Application Dependent)
Application
Libraries
Other Applications
(10K’s of LOC)
(Millions of LOC)
Operating System & Hardware
(Millions of LOC)
•
Total Exposure for an application is in the millions to 10’s of
millions of LOC at least!
David Lie
Usenix Security 2005 WIPS
2
Isolate Application in a Separate VMM
•
One approach is to isolate the application in a separate VMM [Terra]
– VMM is added to the TCB, but TCB is still reduced because
unrelated applications are removed
Application
(Application Dependent)
Application
Libraries
Other Applications
(10K’s of LOC)
(Millions of LOC)
Operating
Operating
System
System &Operating
HardwareSystem
(Millions of LOC)
(Millions of LOC)
(Millions of LOC)
Virtual Machine Monitor
(10K’s LOC)
David Lie
Usenix Security 2005 WIPS
3
Reducing the TCB
•
However, the isolated application still has a TCB of millions of
LOC:
– Can we do better?
Security
Critical
Component
Application
App
(Application Dependent)
Minimal OS
(~10K LOC)
Application
Libraries
Other Applications
(10K’s of LOC)
(Millions of LOC)
Operating System
Operating Operating
System System
(Millions of LOC)
(Millions of LOC)
(Millions of LOC)
Virtual Machine Monitor
(10K’s LOC)
David Lie
Usenix Security 2005 WIPS
4
Total TCB Reduction
•
Millions of LOC → 10K’s LOC ~ 100x reduction
– OS is customizable for each component, only has
functionality the component needs
•
Small TCB can be made more secure:
– Easier for code audit
– Many tools (static and dynamic) scale exponentially with the
size of code
– Less effort/cost to harden smaller code base
– Can be protected by implementing in safer language
David Lie
Usenix Security 2005 WIPS
5