Small codebase as a prerequisite for security

Sean Lynch seanl@literati.org
Wed Feb 10 14:00:28 PST 2016


I laughed out loud when I read on the Invisible Things Labs' Blog that Xen
is "only" a "few hundreds of thousands of lines of code."[1] Sure, this is
small compared to most modern monolithic desktop OSes, but it's not
particularly small compared to a stripped-down Linux kernel build, and it's
absolutely gigantic compared to a modern microkernel. The Nova
Microhypervisor and seL4 are each about 9000 SLOC.

But when I shared this disbelief with a couple of friends who at least have
a passing understanding of computer security, each of them just shrugged.
And of course both Nova and seL4 have had a lot of trouble gaining any kind
of foothold in the market.

Am I completely off base in thinking that it should be self-evident that
one should start building any secure system by minimizing the size of their
trusted computing base? Or is the issue that applications are still the
source of most vulnerabilities, so it's premature to try to make the kernel
super secure? Or that there are too many ways to violate isolation in a
microkernel by compromising shared server processes?

I ask because I am wondering if I should "learn to stop worrying and love
the bomb" and (re-)embrace Xen and/or Linux, or if I should continue
pursuing some approach along the lines of seL4/Nova/Genode for building
secure systems?

[1]
http://theinvisiblethings.blogspot.com/2012/09/how-is-qubes-os-different-from.html