 
This paper proposes an alternative structure for secure embedded systems. The structure comprises three layers. At the bottom is a Domain Separation Mechanism which is responsible for maintaining isolated "domains" (also known as "processes" or "virtual machines") and for providing controlled channels for their intercommunication. The other resources of the system (for example, devices and the more abstract entities, such as file systems, built upon them) are each controlled by independent resource managers which comprise the second layer of the system. The applications code provides the third layer. Components in both the resource management and applications layers are protected from each other by the domain separation mechanism. The Trusted Computing Base is composed of the domain separation mechanism and a reference validation mechanism associated with each resource.
The benefit of this approach is that it leads to a separation of concerns: each component of the embedded system performs a single, well-defined activity and can be understood (and verified) in relative isolation from all other components. Implementation and language issues are also discussed.
@inproceedings{Rushby84:TCB,
	AUTHOR = {John Rushby},
	BOOKTITLE = {Proceedings 7th DoD/NBS Computer Security Initiative
		Conference},
	TITLE = {A Trusted Computing Base for Embedded Systems},
	ADDRESS = {Gaithersburg, MD},
	PAGES = {294--311},
	YEAR = 1984,
	MONTH = sep
}