Date Added: Jan 2011
The authors argue that the conventional privilege separation of a processor has inherent limitations in protecting software with higher security requirements, and hence, a new system of protection should be devised to overcome these limitations. To enable the new protection, an operating system needs to be restructured into two layers: the security kernel which implements the new protection system, and the management kernel which manages resources. The security kernel protects the applications even when the management kernel is compromised. The security kernel should be made very thin and simple, thus making it suitable for small devices like handsets and smart sensors & actuators.