It should be pointed out that asAs a consequence of the above Orange Book definition, the boundaries of the TCB depend closely upon the specifics of how the security policy is fleshed out. In the network server example above, even though, say, a [[Web server]] that serves a [[multi-user]] application is not part of the operating system's TCB, it has the responsibility of performing [[access control]] so that the users cannot usurp the identity and privileges of each other. In this sense, it definitely is part of the TCB of the larger computer system that comprises the UNIX server, the user's browsers and the Web application; in other words, breaching into the Web server through e.g. a [[buffer overflow]] may not be regarded as a compromise of the operating system proper, but it certainly constitutes a damaging [[exploit (computer security)|exploit]] on the Web application.
This fundamental relativity of the boundary of the TCB is exemplified by the concept of the 'target of evaluation' ('TOE') in the [[Common Criteria]] security process: in the course of a Common Criteria security evaluation, one of the first decisions that must be made is the boundary of the audit in terms of the list of system components that will come under scrutiny.
