As well as an infrastructure of components and processes, a computer system also requires a security architecture defining its capacity to resist attacks and attempts at infiltration and providing its capability to detect and respond to threats and changing conditions.
With susceptibility to attack being as critical a factor to system stability as the potential failure of its component parts, this security architecture has to be based on a foundation of elements that are assured as being reliable.
In our relationships with institutions and other people, trust may be defined as that quality which assures us that when an individual or organization says that they’ll do something, they can be counted on to actually do it. In critical or sensitive situations, their success or failure in doing what they’ve promised can make or break a relationship or transaction.
An analogous situation exists with computing and security. The parts of a computer system or network which we depend upon to maintain its stability and resistance to attack or infiltration can spell the difference between a catastrophic data breach and the continuation of normal operations, if they fail to live up to our trust in them.
The Trusted Computing Base (TCB)
For a computer system, the trusted computing base or TCB comprises the set of all hardware, software, and firmware components that are critical to establishing and maintaining its security. Typically, the TCB consists of an operating system with all its in-built security controls, individual system hardware, network hardware and software, defined security procedures and protocols, and the actual physical location of the system itself.
In designing a trusted computing base for security architecture, there are usually provisions made for access control, user authentication support, giving privileges and authorization to specific applications or processes, protection against malware and other forms of system infiltration, and the backing up of data. Some form of testing or validation to verify the qualities of the Trusted Computing Base is typically assumed to have taken place before it can be put into use.
Maintaining the confidentiality and integrity of data on a system is a prime responsibility of the TCB. The trusted computing base is also charged with enforcing the system’s security policy, and is the only component of a system that operates at such a high level of trust. This means that if any part of the TCB is subverted or contains flaws, the overall security policy of a system may be compromised.
The trusted computing base is also responsible for monitoring several functions, which include:
- Input/Output operations: I/O operations are monitored because these involve transactions between components at the outermost fringes of a system (which may be less protected and are therefore not as trusted) and inner aspects of the system which are more highly secured.
- Execution domain switching: A computer system may be considered as consisting of inter-connected domains or “rings of protection”. Applications active in one domain typically need to call upon services or applications in other domains, and this activity needs to be monitored to regulate access to more sensitive information or services.
- Memory protection: The trusted computing base needs to monitor calls and references to the system memory, to verify the integrity and confidentiality of data in storage.
- Process activation: Potentially sensitive data may be put at risk when file access lists, registers, and process status information are invoked within a multi-tasking and multi-programming environment. So these activities have to be monitored and regulated.
The Reference Monitor
As the sum of all the protection mechanisms within a computer system, the Trusted Computing Base is responsible for enforcing security policy and has to continuously monitor all of these activities to ensure that the system functions correctly and adheres to all aspects of that policy. To accomplish this, the trusted computing base acts according to an abstract machine model known as the reference monitor.
The reference monitor works at the boundary between trusted and untrusted domains of a system. Its function is to validate access to objects (files, data, processes, etc.) by authorized subjects (persons, applications, processes, etc.). As the barrier between objects and subjects, the reference monitor maintains three characteristics to ensure its own stability:
- It controls all access, and cannot be bypassed.
- It can’t be altered and is protected from all types of modification.
- It can (and should) be tested and verified for its own validity.
The Security Kernel
Responsible for running the processes required to enforce functionality and to resist attacks, the security kernel is a tangible part, central to every computer system. The security kernel effectively does the “hard police work” at the security perimeter – the boundary between trusted and untrusted domains. For their own protection and integrity, all enforcement and control mechanisms are themselves located inside the security perimeter.
A Trusted Computing Base In Action
As an example, the trusted computing base of a health-care facility would typically have security mechanisms enforcing access control and user authentication over its clinical information database. Here, statistical security mechanisms would ensure that any records used in auditing or research would not hold enough residual information for individual patients to be identified. Communications security protocols would typically govern access to data in transit across the network, and availability controls like backups would ensure that records are protected in the event of theft or a natural disaster.
Share this Post