Dancing With Giants: Wimpy Kernels For On-Demand Isolated I/O

To be trustworthy, security-sensitive applications must be formally verified and hence small and simple; i.e., wimpy. Thus, they cannot include a variety of basic services available only in large and untrustworthy commodity systems; i.e., in giants. Hence, wimps must securely compose with giants to survive on commodity systems; i.e., rely on giants' services but only after efficiently verifying their results. This paper presents a security architecture based on a wimpy kernel that provides on-demand isolated I/O channels for wimp applications, without bloating the underlying trusted computing base. The size and complexity of the wimpy kernel are minimized by safely outsourcing I/O subsystem functions to an untrusted commodity operating system and exporting driver and I/O subsystem code to wimp applications. Using the USB subsystem as a case study, this paper illustrates the dramatic reduction of wimpy-kernel size and complexity; e.g., over 99% of the USB code base is removed. Performance measurements indicate that the wimpy kernel architecture exhibits the desired execution efficiency.