Trusted computing base: Difference between revisions

These special provisions that aim at preventing certain kinds of actions from being executed, in essence, constitute the trusted computing base. For this reason, the [[Trusted Computer System Evaluation Criteria|Orange Book]] (still a reference on the design of secure operating systems {{As of|2007|lc=on}}) characterizes the various security assurance levels that it defines mainly in terms of the structure and security features of the TCB.
 
===Software parts of the TCB need to protect themselves===
As outlined by the aforementioned Orange Book, software portions of the trusted computing base need to protect themselves against tampering to be of any effect. This is due to the [[von Neumann architecture]] implemented by virtually all modern computers: since [[machine code]] can be processed as just another kind of data, it can be read and overwritten by any program barring special [[memory management]] provisions that subsequently have to be treated as part of the TCB. Specifically, the trusted computing base must at least prevent its own software from being written to.
 
In many modern [[CPU]]s, the protection of the memory that hosts the TCB is achieved by adding a specialized piece of hardware called the [[memory management unit]] (MMU), which is programmable by the operating system to allow and deny access to specific ranges of the system memory for the programs being run. The operating system is, of course, also able to deny other programs the ability to reprogram the MMU. This technique is called [[supervisor mode]]; compared to cruder approaches (such as storing the TCB in [[Read-only memory|ROM]], or equivalently, using the [[Harvard architecture]]), it has the advantage of allowing the security-critical software to be upgraded in the field, although allowing secure upgrades of the trusted computing base poses bootstrap problems of its own.<ref>[http://citeseer.ist.psu.edu/article/arbaugh97secure.html A Secure and Reliable Bootstrap Architecture], ''op. cit.''</ref>
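The following is an added illustration, not text or code from the article or from any real operating system: a deliberately small C model of the MMU-based protection described above. It assumes a constructed page table of eight 4 KiB pages with made-up per-page flags (present, writable, executable, supervisor-only), a CPU privilege mode, and a `set_pte` routine that only succeeds in supervisor mode, modelling the operating system keeping MMU programming to itself. The TCB code page is marked non-writable even for supervisor mode, which is the "must at least prevent its own software from being written to" property; the page that holds the page table is supervisor-only so that user programs cannot reprogram the MMU by writing to it directly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an MMU permission check (illustration only). */
enum mode { USER_MODE = 0, SUPERVISOR_MODE = 1 };
enum access { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_EXEC = 4 };

#define PAGE_SHIFT 12          /* assumed 4 KiB pages */
#define NUM_PAGES 8            /* assumed tiny address space */

struct pte {
    bool present;
    bool writable;
    bool executable;
    bool supervisor_only;      /* page reachable only in supervisor mode */
};

/* Assumed layout: page 0 = TCB code, page 1 = page table itself,
   page 2 = user program code, page 3 = user data, pages 4-7 unmapped. */
#define TCB_CODE_PAGE   0
#define PAGE_TABLE_PAGE 1
#define USER_CODE_PAGE  2
#define USER_DATA_PAGE  3

static struct pte page_table[NUM_PAGES];

void init_page_table(void)
{
    for (uint32_t i = 0; i < NUM_PAGES; i++)
        page_table[i] = (struct pte){ false, false, false, false };
    /* TCB code: executable but never writable, even by the kernel. */
    page_table[TCB_CODE_PAGE]   = (struct pte){ true, false, true,  true  };
    /* Page table: kernel-writable data, invisible to user mode. */
    page_table[PAGE_TABLE_PAGE] = (struct pte){ true, true,  false, true  };
    /* User code: executable, not writable (no self-modifying code). */
    page_table[USER_CODE_PAGE]  = (struct pte){ true, false, true,  false };
    /* User data: writable, not executable. */
    page_table[USER_DATA_PAGE]  = (struct pte){ true, true,  false, false };
}

/* Returns true when the access is permitted under the current mode. */
bool mmu_check(enum mode m, uint32_t addr, enum access a)
{
    uint32_t pn = addr >> PAGE_SHIFT;
    if (pn >= NUM_PAGES) return false;             /* outside address space */
    const struct pte *p = &page_table[pn];
    if (!p->present) return false;                 /* unmapped page */
    if (p->supervisor_only && m != SUPERVISOR_MODE) return false;
    if ((a & ACCESS_WRITE) && !p->writable) return false;
    if ((a & ACCESS_EXEC) && !p->executable) return false;
    return true;
}

/* Reprogramming the MMU is itself a privileged operation: only supervisor
   mode may change an entry. This is what keeps the MMU inside the TCB. */
bool set_pte(enum mode m, uint32_t pn, struct pte entry)
{
    if (m != SUPERVISOR_MODE || pn >= NUM_PAGES) return false;
    page_table[pn] = entry;
    return true;
}

int main(void)
{
    init_page_table();
    uint32_t tcb  = TCB_CODE_PAGE   << PAGE_SHIFT;
    uint32_t pt   = PAGE_TABLE_PAGE << PAGE_SHIFT;
    uint32_t data = USER_DATA_PAGE  << PAGE_SHIFT;

    printf("user write to TCB code:        %s\n",
           mmu_check(USER_MODE, tcb, ACCESS_WRITE) ? "allowed" : "denied");
    printf("kernel write to TCB code:      %s\n",
           mmu_check(SUPERVISOR_MODE, tcb, ACCESS_WRITE) ? "allowed" : "denied");
    printf("kernel execute of TCB code:    %s\n",
           mmu_check(SUPERVISOR_MODE, tcb, ACCESS_EXEC) ? "allowed" : "denied");
    printf("user write to page table page: %s\n",
           mmu_check(USER_MODE, pt, ACCESS_WRITE) ? "allowed" : "denied");
    printf("user write to own data:        %s\n",
           mmu_check(USER_MODE, data, ACCESS_WRITE) ? "allowed" : "denied");
    printf("user reprogramming the MMU:    %s\n",
           set_pte(USER_MODE, TCB_CODE_PAGE,
                   (struct pte){ true, true, true, false }) ? "allowed" : "denied");
    return 0;
}
```

The point of the model is the layering: user programs cannot write the TCB's code, cannot touch the page that describes the mapping, and cannot call the privileged `set_pte` path, so the only way to change the protection is through the operating system, which is precisely why the MMU and the code that programs it have to be counted as part of the TCB.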
 
===Trusted vs. trustworthy===