David Lie

U of Toronto

Reducing the Trusted Computing Base

As computing becomes more of an integral part of our society, the computing
systems we have designed have grown in size and complexity.  While this has
led to improved performance and utility, this complexity has not improved
the reliability and security, rather it has had a detrimental effect on
these aspects.  Today, faster more pervasive and tightly networked systems
have led to more serious consequences for security flaws, such as
distributed denial of service attacks and identity theft.

We attempt to address this problem by reducing the size of the trusted
computing base (TCB) in systems through a system we call containers.
Containers are virtualized hardware images implemented by a low-level
virtual machine monitor (VMM).  Rather than include a full operating system
with multiple applications, each container contains a minimal operating
system and a single application, which will be completely isolated from
other container except via explicit communication channels.  These smaller
systems result in simpler models which will be more amenable to formal
verification and analysis.