Hermann Härtig
TU Dresden
Trusted computing bases (TCBs), i.e. the set of components that have to be trusted for a specific (security) objective, have grown large. Their software parts in particular consist of tens of millions of lines of code when based on modern commodity operating systems. We report on an ongoing effort to reduce the software parts of TCBs. Key insights are that TCBs should be considered application-specific, that they can and should be built from isolated components, and that legacy code can be reused by splitting it into critical and uncritical parts. The talk discusses security objectives, design principles, and isolation alternatives (HLL vs. VM vs. microkernels), and studies in detail VPFS, a file system implemented following these principles. We present concrete examples with TCB sizes orders of magnitude smaller than when run on commodity operating systems. We will also mention caveats and practical limitations.
10/94 ~ present Professor for Operating Systems, Institute for System Architecture, Computer Science Department, Dresden University of Technology.
4/94 ~ 7/94 Substitute Professor, Computer Science, University of Hildesheim
9/93 ~ 3/94 Sabbatical at International Computer Science Institute in Berkeley
3/84 ~ 9/94 PI of BirliX Research Project (high security operating system), GMD (German National Research Center for Computer Science)
4/79 ~ 2/84 Research assistant at University of Karlsruhe
Contact: Prof. 민상렬 (880-7047)