Proc. of the Fourth European Dependable Computing Conference, Toulouse,
France, October 2002
Keywords: Secure Systems, Fault-Tolerant Systems and Components,
Architectures for Dependable Systems, Distributed Fault-Tolerance, Byzantine
Faults, Security Kernel, Real-Time, COTS
We discuss essentially three things in this paper. (1) The TTCB is a
simple component providing a small set of basic secure services.
It aims at enabling a new style of protocols to achieve intrusion tolerance,
protocols that for the most part execute in insecure, arbitrary-failure environments
and resort to the TTCB only in crucial parts of their operation. (2) In addition,
the TTCB is a synchronous device supplying functions that may be an enabler
of a new generation of timed secure protocols, until now known to be fragile
due to attacks on timing assumptions. (3) Finally, we present a design
methodology that establishes our hybrid failure assumptions in a well-founded
manner. It helps us to achieve a robust design despite using exclusively
COTS components, with the advantage of allowing the security kernel to
be easily deployed on widely used platforms.