Small Trusted Primitives for Dependable Systems
Secure, fault-tolerant distributed systems are difficult to build, to validate, and to operate. Conservative design for such systems dictates that their security and fault tolerance depend on a very small number of assumptions taken on faith; such assumptions are typically called the "Trusted Computing Base" (TCB) of a system. However, a rich trade-off exists between larger TCBs and more secure, more fault-tolerant, or more efficient systems. In the authors' recent work, they have explored this trade-off by defining "small," generic trusted primitives - for example, an attested, monotonically sequenced FIFO buffer of a few hundred machine words guaranteed to hold appended words until eviction - and showing how such primitives can improve the performance, fault tolerance, and security of systems using them.
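As an added illustration, not the authors' code, the following Python model sketches the attested, monotonically sequenced FIFO named above: a bounded append-only buffer whose entries carry sequence numbers and a keyed attestation, so that a party relying on it can detect a forged or forked history, while evicted words still verify. The HMAC key and the "genesis" link are constructed placeholders standing in for whatever attestation key a real trusted primitive would hold.

```python
import hmac
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    seq: int      # monotonically increasing position; never reused, even after eviction
    value: bytes  # the appended machine word (modelled here as bytes)
    prev: bytes   # digest of the previous entry's tag, chaining the history
    tag: bytes    # HMAC over (seq, prev, value) under the primitive's private key


class AttestedFifo:
    """Model of the small trusted primitive: a bounded, append-only, attested FIFO.
    Only the primitive holds the key, so only it can mint tags, and it issues at most
    one value per sequence number, so a user of it cannot present two histories."""
    def __init__(self, key: bytes, capacity: int = 256):
        self._key, self._capacity = key, capacity
        self._entries = deque()
        self._next_seq = 0
        self._prev = hashlib.sha256(b"genesis").digest()  # constructed genesis link

    def _tag(self, seq: int, prev: bytes, value: bytes) -> bytes:
        return hmac.new(self._key, seq.to_bytes(8, "big") + prev + value, hashlib.sha256).digest()

    def append(self, value: bytes) -> Attestation:
        att = Attestation(self._next_seq, value, self._prev, self._tag(self._next_seq, self._prev, value))
        self._entries.append(att)
        if len(self._entries) > self._capacity:
            self._entries.popleft()  # eviction drops the oldest word; its seq stays spent
        self._next_seq += 1
        self._prev = hashlib.sha256(att.tag).digest()
        return att

    def lookup(self, seq: int) -> "Attestation | None":
        """Return the held entry at seq, or None once it has been evicted."""
        return next((a for a in self._entries if a.seq == seq), None)

    def verify(self, att: Attestation) -> bool:
        """Reject any attestation whose contents do not match its tag."""
        return hmac.compare_digest(att.tag, self._tag(att.seq, att.prev, att.value))

    def verify_chain(self, atts) -> bool:
        """Accept only a contiguous, correctly linked run of genuine attestations."""
        return all(self.verify(a) for a in atts) and all(
            b.seq == a.seq + 1 and b.prev == hashlib.sha256(a.tag).digest()
            for a, b in zip(atts, atts[1:]))
```

A relying party that keeps the attestations it has seen can thus reject a peer that later presents a different value for an already-spent sequence number, which is the equivocation the primitive is meant to rule out.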