A Trusted Computing Base for Embedded Systems

John Rushby

Proceedings 7th DoD/NBS Computer Security Conference, Gaithersburg, Maryland, September 24-26 1984 (pp. 294-311)


The structure of many secure systems has been based on the idea of a security kernel--an operating system nucleus that performs all trusted functions. The difficulty with this approach is that the security kernel tends to be rather large, complex, and unstructured.

This paper proposes an alternative structure for secure embedded systems. The structure comprises three layers. At the bottom is a Domain Separation Mechanism which is responsible for maintaining isolated "domains" (also known as "processes" or "virtual machines") and for providing controlled channels for their intercommunication. The other resources of the system (for example, devices and the more abstract entities, such as file systems, built upon them) are each controlled by independent resource managers which comprise the second layer of the system. The applications code provides the third layer. Components in both the resource management and applications layers are protected from each other by the domain separation mechanism. The Trusted Computing Base is composed of the domain separation mechanism and a reference validation mechanism associated with each resource.

The benefit of this approach is that it leads to a separation of concerns: each component of the embedded system performs a single, well-defined activity and can be understood (and verified) in relative isolation from all other components. Implementation and language issues are also discussed.

PDF only

BibTeX Entry

	AUTHOR = {John Rushby},
	BOOKTITLE = {Proceedings 7th DoD/NBS Computer Security Initiative
	TITLE = {A Trusted Computing Base for Embedded Systems},
	ADDRESS = {Gaithersburg, MD},
	PAGES = {294--311},
	YEAR = 1984,
	MONTH = sep

Having trouble reading our papers?
Return to John Rushby's bibliography page
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page