Minimizing the TCB

Systems have grown enourmously in complexity. General purpose system software, libraries and software components have enabled the rapid development of systems known today. Extensible and modular code allows new functionality to be quickly and easily added to existing programs.

However, such facilities can have detrimental effects on security because they tend to increase the size of the Trusted Computing Base (TCB) for an application. First, the security of a system if often inversely proportional to it's size and complexity. General purpose code will contain functionality that is not necessary for every application, so the inclusion of such code will unecessarily increase an application TCB. Second, a lot of code is extensible and thus can behave in unpredictable ways. For example, browser plugin's have provided an easy avenue for attacker to insert trojan horses and "spyware" into victim's systems.

These problems can be addressed by first trying to identify the "True TCB" for an application. We start by identifying the actual security related operations of an application, and then identify all data and code that is needed to fulfill the operation. We then protect this operation by isolating it from the main operating system by using a Virtual Machine Monitor (VMM). The isolated portion will contain the security operation running on a small, minimal operating system so that the security component will only have to trust a small amount of code.