What is a trusted computing base?
A trusted computing base (TCB) is everything in a computing system that provides a secure environment for operations. This includes its hardware, firmware, software, operating system, physical locations, built-in security controls, and prescribed security and safety procedures.
The components of the TCB are the only components in the computing system that operate at a very high level of trust. But "trusted" does not necessarily mean "secure." It simply means that the components in the TCB are critical to the system's security.
That's why the TCB is charged with enforcing system-wide information security policies. It is also responsible for maintaining the confidentiality and integrity of the system's data. If the TCB is flawed or if its security is hampered in any way, the overall system's security and security policies can be compromised.
Trusted computing base explained
A TCB consists of multiple components. All these components work together to secure the computing system in expected and desired ways. As a result, if any one trusted component is compromised, the entire system may be compromised and fail to behave as expected.
Before the TCB is used, systems administrators usually test it or validate its qualities. By installing the TCB, system admins or IT managers can define user access to the trusted communication path. Doing this ensures secure communication between the TCB and its users. To enable the TCB's features, it's important to first install the operating system.
The TCB achieves system security by means of:
- provisioning methods like controlling access
- giving privileges only to specific applications or processes
- enforcing authorization to access specific resources
- enforcing user authentication
- taking regular data backups
- installing antivirus and antimalware software
The various components that constitute the TCB should work well together to maintain the system's security. Moreover, these components should only be part of the TCB if they are specifically designed to be part of the mechanisms governing the TCB's security, capabilities and performance. These mechanisms should take into account the human security factor in order to ensure that user weaknesses, mistakes or malicious behaviors don't affect the TCB's security posture.
Characteristics or guiding principles of a trusted computing base
An effective TCB has the following characteristics:
- Tamperproof. No external part of the computing system should be able to modify or tamper with the TCB's code or state. This will ensure that the TCB's integrity is maintained.
- Not bypassable. There should be no way to bypass the TCB to breach the system's security.
- Verifiable. Admins should be able to verify the TCB's correctness to ensure that its features and subsystems are secure.
- Simple. A simple TCB is easier to verify and maintain than a complex trusted computing implementation.
What does a trusted computing base monitor?
Among its several functions, the TCB is responsible for monitoring a variety of system activities, including:
Input/output operations. Because I/O operations involve transactions between components that may be less secure and components that are more secure, they may end up compromising system security. The TCB monitors such transactions to prevent security lapses.
Memory. The TCB also monitors any calls or references to the system memory. This action verifies the integrity and confidentiality of any data that may be temporarily stored in memory.
Process activation. In a multitasking and multi-programming environment, the TCB monitors activities where file access lists, registers and process status information are invoked. Such actions may lead to the compromise or loss of sensitive data, so they must be monitored by the TCB.
Switching of the execution domain. The TCB monitors systems with interconnected domains or rings of protection, where applications in one domain call upon applications or services in other domains. The goal is to regulate access to sensitive information or services, and prevent tampering, compromise or loss.
Working of trusted computer base. To enforce security policy, the TCB monitors the functioning of all system activities and aims to ensure that the system adheres to the policy. To this end, it acts according to the reference monitor which is an abstract machine model. The TCB also has a security kernel architecture to secure the system and resist attacks.
Reference monitor. The TCB acts as the reference monitor that works at the boundary between the trusted and untrusted domains of a computing system. It functions as a barrier between those domains and validates access to objects by authorized subjects.
The reference monitor has three distinct characteristics:
- It cannot be bypassed and it controls all access.
- It is protected from all types of modification so that it remains unaltered.
- It is tested and verified to maintain its validity.
Security kernel. The security kernel also provides a boundary between trusted and untrusted domains. It runs the necessary processes to enforce security functions and resist attacks. These enforcement and control mechanisms are themselves located inside the security perimeter.
Trusted computing base vs. trusted platform module
The TCB is not the same as a trusted platform module (TPM). A TPM usually refers to a specific chip or specification, while TCB is a security architecture term that refers to all components in a computing system that are critical for establishing and maintaining its overall security.
The components included in the TCB can vary from one system to another. But in general, every system with security properties has a TCB.
Learn the pros and cons of the Trusted Computing Platform and how and when to enable hardware-based TPM security on servers. Also, see how the Confidential Computing Consortium tapped the Linux Foundation, IT vendors to encrypt data in use.