Not to be confused with Trusted Computing.

The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. By contrast, parts of a computer system that lie outside the TCB must not be able to misbehave in a way that would leak any more privileges than are granted to them in accordance with the system's security policy.

The careful design and implementation of a system's trusted computing base is paramount to its overall security. Modern operating systems strive to reduce the size of the TCB so that an exhaustive examination of its code base (by means of manual or computer-assisted software audit or program verification) becomes feasible.

Definition and characterization

The term goes back to John Rushby, who defined it as the combination of operating system kernel and trusted processes. The latter refers to processes which are allowed to violate the system's access-control rules. In the classic paper "Authentication in Distributed Systems: Theory and Practice", Lampson et al. define the TCB of a computer system as simply

    a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security.

Both definitions, while clear and convenient, are neither theoretically exact nor intended to be, as e.g. a network server process under a UNIX-like operating system might fall victim to a security breach and compromise an important part of the system's security, yet is not part of the operating system's TCB. The Orange Book, another classic computer security literature reference, therefore provides a more formal definition of the TCB of a computer system, as

    the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy.

In other words, the trusted computing base (TCB) is a combination of hardware, software, and controls that work together to form a trusted base for enforcing a security policy.

The Orange Book further explains that

    [t]he ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy.

In other words, a given piece of hardware or software is a part of the TCB if and only if it has been designed to be a part of the mechanism that provides its security to the computer system. In operating systems, this typically consists of the kernel (or microkernel) and a select set of system utilities (for example, setuid programs and daemons in UNIX systems). In programming languages designed with built-in security features, such as Java and E, the TCB is formed of the language runtime and standard library.

Properties

Predicated upon the security policy

As a consequence of the above Orange Book definition, the boundaries of the TCB depend closely upon the specifics of how the security policy is fleshed out. In the network server example above, even though, say, a Web server that serves a multi-user application is not part of the operating system's TCB, it has the responsibility of performing access control so that the users cannot usurp the identity and privileges of each other. In this sense, it definitely is part of the TCB of the larger computer system that comprises the UNIX server, the users' browsers and the Web application; in other words, breaching into the Web server through e.g. a buffer overflow may not be regarded as a compromise of the operating system proper, but it certainly constitutes a damaging exploit on the Web application.

This fundamental relativity of the boundary of the TCB is exemplified by the concept of the 'target of evaluation' ('TOE') in the Common Criteria security process: in the course of a Common Criteria security evaluation, one of the first decisions that must be made is the boundary of the audit in terms of the list of system components that will come under scrutiny.

A prerequisite to security

Systems that don't have a trusted computing base as part of their design do not provide security of their own: they are only secure insofar as security is provided to them by external means (e.g. a computer sitting in a locked room without a network connection may be considered secure depending on the policy, regardless of the software it runs). This is because, as David J. Farber et al. put it, "[i]n a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers". As far as computer security is concerned, reasoning about the security properties of a computer system requires being able to make sound assumptions about what it can, and more importantly, cannot do; however, barring any reason to believe otherwise, a computer is able to do everything that a general Von Neumann machine can. This obviously includes operations that would be deemed contrary to all but the simplest security policies, such as divulging an email or password that should be kept secret; however, barring special provisions in the architecture of the system, there is no denying that the computer could be programmed to perform these undesirable tasks.

These special provisions that aim at preventing certain kinds of actions from being executed, in essence, constitute the trusted computing base. For this reason, the Orange Book (still a reference on the design of secure operating systems as of 2007) characterizes the various security assurance levels that it defines mainly in terms of the structure and security features of the TCB.

Software parts of the TCB need to protect themselves

As outlined by the aforementioned Orange Book, software portions of the trusted computing base need to protect themselves against tampering to be of any effect. This is due to the von Neumann architecture implemented by virtually all modern computers: since machine code can be processed as just another kind of data, it can be read and overwritten by any program. This can be prevented by special memory management provisions that subsequently have to be treated as part of the TCB. Specifically, the trusted computing base must at least prevent its own software from being written to.

In many modern CPUs, the protection of the memory that hosts the TCB is achieved by adding in a specialized piece of hardware called the memory management unit (MMU), which is programmable by the operating system to allow and deny a running program's access to specific ranges of the system memory. Of course, the operating system is also able to disallow such programming to the other programs. This technique is called supervisor mode; compared to more crude approaches (such as storing the TCB in ROM, or equivalently, using the Harvard architecture), it has the advantage of allowing security-critical software to be upgraded in the field, although allowing secure upgrades of the trusted computing base poses bootstrap problems of its own.

Trusted vs. trustworthy

As stated above, trust in the trusted computing base is required to make any progress in ascertaining the security of the computer system. In other words, the trusted computing base is "trusted" first and foremost in the sense that it has to be trusted, and not necessarily that it is trustworthy. Real-world operating systems routinely have security-critical bugs discovered in them, which attests to the practical limits of such trust.

The alternative is formal software verification, which uses mathematical proof techniques to show the absence of bugs. Researchers at NICTA and its spinout Open Kernel Labs have recently performed such a formal verification of seL4, a member of the L4 microkernel family, proving functional correctness of the C implementation of the kernel. This makes seL4 the first operating-system kernel which closes the gap between trust and trustworthiness, assuming the mathematical proof is free from error.

TCB size

Due to the aforementioned need to apply costly techniques such as formal verification or manual review, the size of the TCB has immediate consequences on the economics of the TCB assurance process, and on the trustworthiness of the resulting product (in terms of the mathematical expectation of the number of bugs not found during the verification or review). In order to reduce costs and security risks, the TCB should therefore be kept as small as possible. This is a key argument in the debate preferring microkernels to monolithic kernels.

Examples

AIX materializes the trusted computing base as an optional component in its install-time package management system.

See also

Black box
Orange Book
Trust anchor
Hardware security

References

1. Rushby, John (1981). "Design and Verification of Secure Systems". 8th ACM Symposium on Operating System Principles. Pacific Grove, California, US. pp. 12–21.
2. Lampson, B.; Abadi, M.; Burrows, M.; Wobber, E. (1992). "Authentication in Distributed Systems: Theory and Practice". ACM Transactions on Computer Systems. p. 6.
3. Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (1985). Glossary, entry "Trusted Computing Base (TCB)".
4. Miller, M.; Morningstar, C.; Frantz, B. "Capability-based Financial Instruments (An Ode to the Granovetter diagram)", in the paragraph "Subjective Aggregation".
5. Arbaugh, W.; Farber, D.; Smith, J. (1997). "A Secure and Reliable Bootstrap Architecture", also known as the "aegis papers".
6. Arbaugh, W.; Farber, D.; Smith, J. "A Secure and Reliable Bootstrap Architecture", op. cit.
7. Schneier, Bruce (2001). "The security patch treadmill".
8. Klein, Gerwin; Elphinstone, Kevin; Heiser, Gernot; Andronick, June; Cock, David; Derrin, Philip; Elkaduwe, Dhammika; Engelhardt, Kai; Kolanski, Rafal; Norrish, Michael; Sewell, Thomas; Tuch, Harvey; Winwood, Simon (October 2009). "seL4: Formal verification of an OS kernel" (PDF). 22nd ACM Symposium on Operating System Principles. Big Sky, Montana, US. pp. 207–220.
9. Tanenbaum, Andrew S. (12 May 2006). "Tanenbaum-Torvalds debate, part II".
10. AIX 4.3 Elements of Security (August 2000), chapter 6.