Trusted computing base

Trusted computing base

The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs occurring inside the TCB might jeopardize the security properties of the entire system. By contrast, parts of a computer system outside the TCB supposedly cannot misbehave in a way that would leak any more privileges than was granted to them in the first place in accordance to the security policy.

The careful design and implementation of a system's trusted computing base is paramount to its overall security. Modern operating systems strive to reduce the size of the TCB so that an exhaustive examination of its code base (by means of manual or computer-assisted software audit or program verification) becomes feasible.

Definition and characterization

In the classic paper "Authentication in Distributed Systems: Theory and Practice" [B. Lampson, M. Abadi, M. Burrows and E. Wobber, [ Authentication in Distributed Systems: Theory and Practice] , ACM Transactions on Computer Systems 1992, on page 6.] Lampson et al define the trusted computing base of a computer system as simply: "a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security."

This pedagogical definition, while clear and convenient to get hold of the concept, is neither theoretically exact not intended to be, as e.g. a network server process under a UNIX-like operating system might fall victim to a security breach and compromise an important part of the system's security, yet is not part of the operating system's TCB. The Orange Book, another classic computer security literature reference, therefore provides [ [ Department of Defense trusted computer system evaluation criteria] , DoD 5200.28-STD, 1985. In the glossary under entry Trusted Computing Base (TCB).] a more formal definition of the TCB of a computer system, as

: "the totality of protection mechanisms within it, including hardware, firmware, and software, the combination of which is responsible for enforcing a computer security policy."

The Orange Book further explains that

: " [t] he ability of a trusted computing base to enforce correctly a unified security policy depends on the correctness of the mechanisms within the trusted computing base, the protection of those mechanisms to ensure their correctness, and the correct input of parameters related to the security policy."

In other words, a given piece of hardware or software is a part of the TCB if and only if it has been designed to be a part of the mechanism that provides its security to the computer system. In operating systems, this typically consists of the kernel (or microkernel) and a select set of system utilities (for example, setuid programs and daemons in UNIX systems). In programming languages that have security features designed in such as Java and E, the TCB is formed of the language runtime and standard library [M. Miller, C. Morningstar and B. Frantz, [ Capability-based Financial Instruments (An Ode to the Granovetter diagram)] , in paragraph "Subjective Aggregation".] .

Properties of the TCB

Predicated upon the security policy: “TCB is in the eye of the consultant”

It should be pointed out that as a consequence of the above Orange Book definition, the boundaries of the TCB depend closely upon the specifics of how the security policy is fleshed out. In the network server example above, even though, say, a Web server that serves a multi-user application is not part of the operating system's TCB, it has the responsibility of performing access control so that the users cannot usurp the identity and privileges of each other. In this sense, it definitely is part of the TCB of the larger computer system that comprises the UNIX server, the user's browsers and the Web application; in other words, breaching into the Web server through e.g. a buffer overflow may not be regarded as a compromise of the operating system proper, but it certainly constitutes a damaging exploit on the Web application.

This fundamental relativity of the boundary of the TCB is exemplifed by the concept of the target of evaluation (TOE) in the Common Criteria security process: in the course of a Common Criteria security evaluation, one of the first decisions that must be made is the boundary of the audit in terms of the list of system components that will come under scrutiny.

A prerequisite to security

Systems that don't have a trusted computing base as part of their design do not provide security of their own: they are only secure insofar as security is provided to them by external means (e.g. a computer sitting in a locked room without a network connection may be considered secure depending on the policy, regardless of the software it runs). This is because, as David J. Farber et al. put it [ W. Arbaugh, D. Farber and J. Smith, [ A Secure and Reliable Bootstrap Architecture] , 1997, also known as the “aegis papers”.] , " [i] n a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers". As far as computer security is concerned, reasoning about the security properties of a computer system requires being able to make sound assumptions about what it can, and more importantly, cannot do; however, barring any reason to believe otherwise, a computer is able to do everything that a general Von Neumann machine can. This obviously includes operations that would be deemed contrary to all but the simplest security policies, such as divulging an email or password that should be kept secret; however, barring special provisions in the architecture of the system, there is no denying that the computer "could be programmed" to perform these undesirable tasks.

These special provisions that aim at preventing certain kinds of actions from being executed, in essence, constitute the trusted computing base. For this reason, the Orange Book (still a reference on the design of secure operating systems design as of 2007) characterizes the various security assurance levels that it defines mainly in terms of the structure and security features of the TCB.

Software parts of the TCB need to protect themselves

As outlined by the aforementioned Orange Book, software portions of the trusted computing base need to protect themselves against tampering to be of any effect. This is due to the von Neumann architecture implemented by virtually all modern computers: since machine code can be processed as just another kind of data, it can be read and overwritten by any program barring special memory management provisions that subsequently have to be treated as part of the TCB. Specifically, the trusted computing base must at least prevent its own software from being written to.

In many modern CPUs, the protection of the memory that hosts the TCB is achieved by adding in a specialized piece of hardware called the memory management unit (MMU), which is programmable by the operating system to allow and deny access to specific ranges of the system memory to the programs being run. Of course, the operating system is also able to disallow such programming to the other programs. This technique is called supervisor mode; compared to more crude approaches (such as storing the TCB in ROM, or equivalently, using the Harvard architecture), it has the advantage of allowing the security-critical software to be upgraded in the field, although allowing secure upgrades of the trusted computing base poses bootstrap problems of its own [ [ A Secure and Reliable Bootstrap Architecture] , "op. cit."] .

Trusted vs. trustworthy

As stated above, trust in the trusted computing base is required to make any progress in ascertaining the security of the computer system. In other words, the trusted computing base is “trusted” first and foremost in the sense that it "has" to be trusted, and not necessarily that it is trustworthy. Real-world operating systems routinely have security-critical bugs discovered in them, which attests of the practical limits of such trust [Bruce Schneier, [ The security patch treadmill] (2001)] .

The Coyotos project intends to bring the techniques of formal software verification into the craft of operating systems design, with the aim of providing a general-purpose really secure TCB. Similarly, researchers at NICTA and its spinout [ Open Kernel Labs] are working on the formal verification of a new version of the L4 microkernel, with a completely verified kernel due to be delivered by mid-2008.cite journal
last = Heiser
first = Gernot
authorlink = Gernot Heiser
coauthors = Elphinstone, Kevin; Kuz, Ihor; Klein, Gerwin, Petters, Stefan M.
month = July
year = 2007
title = Towards Trustworthy Computing Systems: Taking Microkernels to the Next Level
journal = Operating Systems Review
volume = 41
issue = 3
pages = 3–11
doi = 10.1145/1278901.1278904
url =
] Meanwhile, careful, mostly manual code reviews of the TCB codebase and the patch treadmill process are the best one can do to minimize the gap between trust and trustworthiness.

TCB size

Due to the aforementioned need to apply costly techniques such as formal verification or manual review, the size of the TCB has immediate consequences on the economics of the TCB assurance process, and the trustworthiness of the resulting product (in terms of the mathematical expectation of the number of bugs not found during the verification or review). In order to reduce costs and security risks, the TCB should therefore be kept as small as possible. This is a key argument in the debate opposing microkernel proponents and monolithic kernel aficionados [Andrew S. Tanenbaum, [ Tanenbaum-Torvalds debate, part II] (may 12, 2006)] . The aforementioned Coyotos kernel will be of the microkernel kind for this reason, despite the possible performance issues that this choice entails.


AIX materializes the trusted computing base as an optional component in its install-time package management system [ [ AIX 4.3 Elements of Security] , August 2000, chapter 6.] .

See also

* Orange Book


External links

* [ AIX TCB overview article]

* [ Trustifier TCB overview]

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Trusted Computing — (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning. With Trusted Computing the computer will consistently behave in specific ways, and… …   Wikipedia

  • Trusted Computing — (TC) ist eine Technologie, die von der Trusted Computing Group entwickelt und beworben wird. Der Ausdruck ist dem Fachausdruck Trusted System entlehnt, hat jedoch eine eigene Bedeutung. Trusted Computing bedeutet, dass der Betreiber eines PC… …   Deutsch Wikipedia

  • Trusted Computing Platform Alliance — Trusted Computing Group Pour les articles homonymes, voir TCG. Le Trusted Computing Group (TCG, nommé jusqu en 2003 TCPA pour Trusted Computing Platform Alliance) est un consortium d entreprises d informatique (Compaq, HP, IBM, Intel, Microsoft,… …   Wikipédia en Français

  • Trusted computing — Dieser Artikel oder Abschnitt bedarf einer Überarbeitung. Näheres ist auf der Diskussionsseite angegeben. Hilf mit, ihn zu verbessern, und entferne anschließend diese Markierung. Trusted Computing (TC) ist eine Technologie, die von der Trusted… …   Deutsch Wikipedia

  • Trusted Computing Group — Pour les articles homonymes, voir TCG. Le Trusted Computing Group (TCG, nommé jusqu en 2003 TCPA pour Trusted Computing Platform Alliance) est un consortium d entreprises d informatique (Compaq, HP, IBM, Intel, Microsoft, AMD, etc.) visant à… …   Wikipédia en Français

  • Trusted Computing Group — Infobox Company company name = Trusted Computing Group company company type = Consortium location city = Beaverton, Oregon [ [ us/ Trusted Computing Group: Contact Us ] ] location country = USA… …   Wikipedia

  • Trusted Computing — Informatique de confiance L’informatique de confiance est un projet de grandes sociétés d informatique, incluant plusieurs technologies, suscitant de très vifs débats notamment sur la préservation des libertés individuelles et de la vie privée de …   Wikipédia en Français

  • Комплекс средств защиты (КСЗ) Trusted computing base — 12. Комплекс средств защиты Совокупность программных и технических средств, создаваемая и поддерживаемая для обеспечения защиты средств вычислительной техники или автоматизированных систем от несанкционированного доступа к информации Источник:… …   Словарь-справочник терминов нормативно-технической документации

  • Next-Generation Secure Computing Base — The Next Generation Secure Computing Base (NGSCB), formerly known as Palladium, is a software architecture designed by Microsoft which is expected to implement parts of the controversial Trusted Computing concept on future versions of the… …   Wikipedia

  • Next Generation Secure Computing Base — Dieser Artikel oder Abschnitt bedarf einer Überarbeitung. Näheres ist auf der Veraltet (Januar 2004) angegeben. Hilf mit, ihn zu verbessern, und entferne anschließend diese Markierung. Die Next Generation Secure Computing Base (NGSCB) ist eine… …   Deutsch Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”