== Mastering complexity through application-specific trusted computing bases
> Because software complexity correlates with the likelihood of bugs, having security-sensitive functionality depending on high-complexity software is risky. The term trusted computing base (TCB) was coined to describe the amount of code that must not be compromised to uphold security. In addition to the code of the sensitive application, the TCB comprises each system component that has direct or indirect control over the execution of the application (affecting availability and integrity) or that can access the processed information (affecting confidentiality and integrity). On monolithic OSes, the TCB complexity can be regarded as a global system property because it is dominated by the complexity of the kernel and the privileged processes, which are essentially the same for each concurrently executed application. On Genode, the amount of security-critical code can largely differ for each application depending on the position of the application within Genode's process tree and the used services. To illustrate the difference, an email-signing application executed on Linux has to rely on a TCB complexity of millions of lines of code (LOC). Most of the code, however, does not provide functionality required to perform the actual cryptographic function of the signing application. Still, the credentials of the user are exposed to an overly complex TCB including the network stack, device drivers, and file systems. In contrast, Genode allows the cryptographic function to be executed with a specific TCB that consists only of components that are needed to perform the signing function. For the signing application, the TCB would contain the microkernel (20 KLOC), the Genode OS framework (10 KLOC), a minimally-complex GUI (2 KLOC), and the signing application (15 KLOC). These components stack up to a complexity of less than 50,000 LOC.
> Genode tailors the trusted computing base for each application individually. The figure on the right illustrates the TCB of the yellow-marked process. Naturally, it contains the hierarchy of parents and those processes that provide services used by the application (the left component at the third level).
> How is Genode better/easier for the common user than Qubes-OS?
Qubes-OS is a tool for letting you run your digital life in a series of boxes which are separate from each other. So, if one gets infected, the others aren't. It is similar to the trend of using Virtual Machines to separate areas of concern to try to limit the damage of a rogue process.
Genode takes a different approach entirely. Instead of dividing your computer into a few boxes, each of which is subject to any rogue process, it gives each and every process NO access to anything else, except for those things explicitly provided.
The analogy I like to use is that of a wallet.
The Windows, MacOS, Unix, Linux, etc. approach is to hand over the user's wallet to any program that is running, and hope the program doesn't misuse it. Anything in the wallet (your system) is at risk.
The Qubes-OS approach is to do the above, but to have the ability to have more than one wallet, to divide up the risk a tiny bit.
The Genode approach is much like how a human uses a wallet: you decide what resources are required, and ONLY those resources are at risk.
The ease of use is that it is effectively impossible to limit the resources a process can access in other systems, whereas in Genode, it is almost drag and drop.
There are systems that work on mainframes, but the only realistic (in my opinion) option coming down the pike for the rest of us is from http://genode.org
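To make the per-application TCB rule from the quoted Genode passage concrete, here is an added example (not Genode's own code) that models a process tree and computes an application's TCB as the transitive closure over its parent chain and the providers of the services it uses. The tree, the component names and the KLOC sizes are constructed for illustration, reusing the four figures quoted above for the signing application.

```python
# Added example, not Genode code: a component's TCB is itself, its chain of
# parents (they control its execution), and every provider of a service it
# uses (it can see the data), applied recursively. Tree and sizes are
# constructed; only the four signing-app figures come from the quoted text.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    name: str
    kloc: int                              # size in thousands of lines of code
    parent: Optional[str] = None           # parent in the process tree
    uses: list[str] = field(default_factory=list)  # service providers used


# Constructed process tree: every component descends from the kernel through
# the framework's init; the signing app only needs the minimal GUI.
SYSTEM = {c.name: c for c in [
    Component("kernel", 20),
    Component("genode_base", 10, parent="kernel"),
    Component("nic_driver", 30, parent="genode_base"),
    Component("tcp_ip_stack", 80, parent="genode_base", uses=["nic_driver"]),
    Component("file_system", 40, parent="genode_base"),
    Component("minimal_gui", 2, parent="genode_base"),
    Component("signing_app", 15, parent="genode_base", uses=["minimal_gui"]),
    Component("mail_client", 120, parent="genode_base",
              uses=["tcp_ip_stack", "file_system", "signing_app"]),
]}


def tcb(app: str, system: dict[str, Component]) -> set[str]:
    """Names of all components in app's TCB (parents + used services, recursively)."""
    seen: set[str] = set()
    todo = [app]
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        comp = system[name]
        if comp.parent is not None:
            todo.append(comp.parent)
        todo.extend(comp.uses)
    return seen


def tcb_kloc(app: str, system: dict[str, Component]) -> int:
    """Total size of app's TCB in KLOC."""
    return sum(system[n].kloc for n in tcb(app, system))


def monolithic_kloc(system: dict[str, Component]) -> int:
    """Simplified monolithic model: every component sits in every app's TCB."""
    return sum(c.kloc for c in system.values())


if __name__ == "__main__":
    for app in ("signing_app", "mail_client"):
        print(app, sorted(tcb(app, SYSTEM)), tcb_kloc(app, SYSTEM), "KLOC")
    print("monolithic:", monolithic_kloc(SYSTEM), "KLOC")
```

The signing app's TCB comes out at the quoted 47 KLOC and never touches the network stack, drivers or file system, while the mail client that uses them pulls them all in.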