Nexus: An Operating System for Trustworthy Computing
An increasing number of machines are equipped with hardware that can be used to support trustworthy computing. Trustworthy computing enables applications to make strong assurances about their behavior. Existing operating systems do not provide the right execution environment for trustworthy computing, and so are unable to fully exploit this emerging opportunity.
The Nexus is a new operating system for trustworthy computing. Its microkernel architecture greatly reduces the size of the trusted computing base (TCB) by moving functionality out of the kernel. For instance, device drivers and system services such as capabilities and networking run safely at user level. Secondary storage is not part of the TCB: application data is protected from the implementation of devices such as disks, which are treated as untrusted. Nexus functionality is decomposed into small components: applications interact only with the system functionality that they actually need, and so their construction intrinsically embodies the principle of least privilege.
We are developing new abstractions for trustworthy computing and incorporating these into the Nexus. Active attestation is a more general form of attestation that can attest to application-specific, run-time properties of a program, rather than only to its initial code image. Active attestation supports rich access control policies for local and remote services. Secure memory regions abstract away untrusted storage, providing applications with integrity and confidentiality for data that leaves the TCB. Secure memory regions enable a wide range of trustworthy computing services and applications, such as implementing linear, or limited-number-of-use, capabilities.
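To make concrete what a secure memory region has to provide for a linear capability to be sound, here is an added illustration in Python; it is not Nexus code and does not reproduce the Nexus API. Everything in it is an assumption made for the example: a trusted-side `SecureRegion` that keeps its keys and a freshness counter inside the TCB, an `UntrustedDisk` that stands in for secondary storage, and HMAC-SHA256 used both as a counter-mode keystream (in place of a real AEAD such as AES-GCM) and as the integrity tag. The point it demonstrates is that integrity and confidentiality alone are not enough for a limited-use capability: without a freshness counter held off the disk, an attacker who controls storage can replay an older, unused copy of the capability state, so the example binds a version number into the tag and rejects stale blobs.

```python
"""Toy secure-memory region over untrusted storage, backing a linear capability.

Added example, not Nexus code. Assumptions: keys and the freshness counter
live inside the TCB (in a real system, e.g. in kernel memory or TPM NVRAM),
the disk is fully untrusted, and HMAC-SHA256 stands in for a real AEAD.
"""
import hashlib
import hmac
import json
import secrets


class IntegrityError(Exception):
    pass


class UntrustedDisk:
    """Untrusted secondary storage (outside the TCB): anything written here
    may later come back altered or stale."""

    def __init__(self):
        self.blobs = {}

    def write(self, name, blob):
        self.blobs[name] = blob

    def read(self, name):
        return self.blobs[name]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a stand-in keystream (assumption;
    a real system would use an AEAD such as AES-GCM)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


class SecureRegion:
    """Trusted side of a secure memory region. Keys and the freshness counter
    stay inside the TCB; only ciphertext, nonce, version and tag go to disk."""

    def __init__(self, disk, name):
        self.disk = disk
        self.name = name
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.version = 0  # monotonic; must never be stored only on the disk

    def _header(self, version, nonce):
        # Region name, version and nonce are all bound under the tag.
        return self.name.encode() + b"|" + version.to_bytes(8, "big") + b"|" + nonce

    def store(self, data):
        self.version += 1
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(data, _keystream(self.enc_key, nonce, len(data))))
        tag = hmac.new(self.mac_key, self._header(self.version, nonce) + ct, hashlib.sha256).digest()
        self.disk.write(self.name, {"version": self.version, "nonce": nonce, "ct": ct, "tag": tag})

    def load(self):
        blob = self.disk.read(self.name)
        expected = hmac.new(self.mac_key, self._header(blob["version"], blob["nonce"]) + blob["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise IntegrityError("tag mismatch: region contents were altered")
        if blob["version"] != self.version:
            raise IntegrityError("stale blob: rollback to an older version detected")
        ks = _keystream(self.enc_key, blob["nonce"], len(blob["ct"]))
        return bytes(c ^ k for c, k in zip(blob["ct"], ks))


class LinearCapability:
    """A limited-number-of-use capability whose remaining count is kept in a
    SecureRegion instead of in plain, replayable storage."""

    def __init__(self, region, uses):
        self.region = region
        self.region.store(json.dumps({"uses_left": uses}).encode())

    def invoke(self):
        state = json.loads(self.region.load())
        if state["uses_left"] <= 0:
            raise PermissionError("capability exhausted")
        state["uses_left"] -= 1
        self.region.store(json.dumps(state).encode())
        return state["uses_left"]


def demo():
    """Use a two-shot capability, then mount two disk-level attacks on it."""
    disk = UntrustedDisk()
    cap = LinearCapability(SecureRegion(disk, "cap"), uses=2)
    snapshot = dict(disk.blobs["cap"])  # attacker copies the fresh, unused blob
    results = {"plaintext_on_disk": b"uses_left" in disk.blobs["cap"]["ct"]}
    results["uses"] = [cap.invoke(), cap.invoke()]
    try:
        cap.invoke()
        results["third"] = "allowed"
    except PermissionError:
        results["third"] = "exhausted"
    # Tamper attack: flip one ciphertext byte hoping to change the count.
    tampered = dict(disk.blobs["cap"])
    tampered["ct"] = bytes([tampered["ct"][0] ^ 0x01]) + tampered["ct"][1:]
    disk.blobs["cap"] = tampered
    try:
        cap.invoke()
        results["tamper"] = "accepted"
    except IntegrityError:
        results["tamper"] = "detected"
    # Rollback attack: restore the genuine two-use blob and try to reuse it.
    disk.blobs["cap"] = snapshot
    try:
        cap.invoke()
        results["rollback"] = "revived"
    except IntegrityError:
        results["rollback"] = "detected"
    return results


if __name__ == "__main__":
    print(demo())
```

The tampered blob fails the tag check; the replayed blob passes the tag check (it is a genuine old write) and is caught only by the version comparison against the counter held in the TCB. That counter is the piece that cannot be delegated to the disk, which is why a linear capability is a good test of whether a storage abstraction really keeps secondary storage out of the TCB.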
The Nexus enables interesting new applications. Applications we have built on top of the Nexus include:
- Media player application that enables rights-holders to define flexible, maintainable access control policies where protected media can be played by any media player that matches a set of properties.
- Spam-free e-mail system that defeats spam by enabling e-mail senders to attest that a message was typed in by a human, which clearly distinguishes such messages from those generated automatically.
- Attested MACEDON application, where access to the peer-to-peer overlay is restricted to nodes that are running acceptable versions of the software.