
Recently I've been learning the concept of trusted computing base, and I've seen 2 types of TCB:

  • Kernel-based TCB
  • Micro-kernel TCB

From my understanding, the main difference is that in the former we have many OS-oriented processes, like the file system or the virtual memory management system, running in the kernel (therefore at the most trusted level, with the highest permissions), and in the latter we move as much as possible to run in user space (usually with lesser permissions).

What is the rationale behind making a smaller kernel? Isn't it more secure to run, for example, device drivers in the kernel?
    sel

1 Answer


Code running in kernel mode always has full permissions to do anything, including crashing the kernel or corrupting its internal data structures. User-mode drivers restrict those capabilities so that communication with the microkernel is forced to go over a well-specified interface. For example, if a storage device driver had a bug such that a pointer it uses as the destination for a copy buffer is sometimes used uninitialized, then in a macrokernel there's a chance that the uninitialized pointer points into the kernel's own memory, and the driver might overwrite a kernel data structure, like the process table, likely leading to a total system crash (kernel panic). In a microkernel, since the driver can't write directly to kernel memory, such errors would at most crash the device driver itself, and the kernel can restart the device driver process.

In general, the thinking is that microkernels have a better security architecture than macrokernels; however, it comes at a performance penalty. Modern micro- and macrokernels employ a number of tricks to minimize their weaknesses.

    Lie Ryan
1/2 Off-topic: And driver restrictions are so high that no one figured out yet how to actually make W10 sound work properly. – Overmind Jul 04 '17 at 10:07
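A constructed model of the failure mode described in the answer, added here as an example and not part of the original question or answer: the same driver copy with a wrong destination offset (standing in for the uninitialized pointer) overwrites the adjacent process table when the driver writes straight into kernel memory, but is refused when it has to go through a bounds-checked request interface. The struct layout, the offsets and the `kernel_handle_copy` request function are assumptions of this model, not any real kernel's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: driver I/O buffer and kernel process table adjacent in
 * one address space, as in a monolithic kernel. Not any real kernel's layout. */
#define BUF_LEN 16
#define PROC_ENTRIES 4
struct kernel_state {
    uint8_t  io_buffer[BUF_LEN];          /* legitimate copy destination */
    uint32_t process_table[PROC_ENTRIES]; /* unrelated kernel data next to it */
};

/* Macrokernel path: the driver writes wherever its pointer points; a wrong
 * destination offset (the answer's uninitialized pointer) is never checked. */
static void driver_copy_direct(struct kernel_state *k, size_t dst_off,
                               const uint8_t *src, size_t n) {
    memcpy((uint8_t *)k + dst_off, src, n);
}

/* Microkernel path (hypothetical request interface): the driver cannot touch
 * kernel memory, so the kernel checks the request against the buffer the
 * driver owns. Returns 0, or -1 to refuse: only the driver's request fails. */
static int kernel_handle_copy(struct kernel_state *k, size_t dst_off,
                              const uint8_t *src, size_t n) {
    if (dst_off > BUF_LEN || n > BUF_LEN - dst_off)
        return -1;
    memcpy(k->io_buffer + dst_off, src, n);
    return 0;
}

/* Issue the same buggy request (destination = start of the process table) on
 * either design; report whether the process table survived. */
static bool process_table_intact_after(bool use_microkernel) {
    struct kernel_state k;
    uint8_t payload[8];
    size_t bad_off = offsetof(struct kernel_state, process_table);
    memset(&k, 0, sizeof k); memset(payload, 0xAA, sizeof payload);
    for (int i = 0; i < PROC_ENTRIES; i++)
        k.process_table[i] = 0x1000u + (uint32_t)i; /* constructed PIDs */
    if (use_microkernel)
        (void)kernel_handle_copy(&k, bad_off, payload, sizeof payload);
    else
        driver_copy_direct(&k, bad_off, payload, sizeof payload);
    for (int i = 0; i < PROC_ENTRIES; i++)
        if (k.process_table[i] != 0x1000u + (uint32_t)i)
            return false;
    return true;
}
```

`process_table_intact_after(false)` returns false (the direct write clobbers two process table entries), while `process_table_intact_after(true)` returns true because the request is rejected before any copy happens.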