What makes the TCB trusted

The person who administers the system must be careful to add only software that can be fully trusted to the TCB. Consider trusting software if, for example: The system administrator must determine how much trust can be given to a particular program. This determination should take into account the value of the information resources on the system when deciding how much trust is required before a program is installed with privilege.

The tcbck command audits the security state of the Trusted Computing Base. The security of the operating system is jeopardized when the TCB files are not properly protected or when configuration files have unsafe values. The tcbck database file includes a description of all TCB files, configuration files, and trusted commands.

You should run the tcbck command to check the installation of trusted files at system initialization, and again any time you suspect the integrity of the system may have been compromised. This is done by issuing the following command: When the tcbck command is used with the tree parameter, all files on the system are checked for correct installation; this can take a long time.

If the tcbck command discovers any files that are potential threats to system security, you can alter the suspected file to remove the offending attributes. In addition, the following checks are performed on all other files in the file system: Only attributes whose values cannot or should not be deduced from the current state of the file need be specified on the command line.

These can be found and added with the following command: The description of this program can be removed with the following command: The tcbck command provides a way to define and maintain a secure software configuration.

The tcbck command also ensures that all files maintained by its database are installed correctly and have not been modified. The program attribute lists an associated program that can check additional status. This attribute allows for more thorough and flexible checking than other attributes provide. You can use these checking programs to check the integrity and consistency of a file's contents and its relationship with other files.
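As an added illustration of the database-driven check described above (example code written here, not the AIX tcbck implementation): a small attribute database is built from files in a known-good state, and later compared against the live file system. The record format, the numeric owner and group fields, and the Python callable standing in for the program attribute are assumptions.

```python
import hashlib
import os
import stat

# Constructed tcbck-style checker: each database entry records the expected
# owner, group, mode and checksum of one trusted file, plus an optional extra
# checking program (modelled here as a callable returning True when satisfied).

def file_checksum(path):
    """SHA-256 of the file contents (assumed hash; the page names none)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def current_attributes(path):
    """Deduce owner, group, mode and checksum from the file's current state."""
    st = os.stat(path)
    return {
        "owner": st.st_uid,               # numeric ids, an assumption here
        "group": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
        "checksum": file_checksum(path),
    }

def add_entry(db, path, **explicit):
    """Only attributes that cannot or should not be deduced (e.g. the checking
    program) are given explicitly; the rest are read from the file as it is
    now, so entries must be added from a known-good state."""
    entry = current_attributes(path)
    entry.update(explicit)
    db[path] = entry
    return entry

def check_entry(path, entry):
    """Return the names of the attributes that differ from the database."""
    if not os.path.exists(path):
        return ["missing"]
    actual = current_attributes(path)
    findings = [k for k in ("owner", "group", "mode", "checksum")
                if k in entry and actual[k] != entry[k]]
    program = entry.get("program")
    if program is not None and not program(path):
        findings.append("program")
    return findings

def check_all(db):
    """Map each path to its findings; an empty result means the files are intact."""
    result = {}
    for path, entry in db.items():
        findings = check_entry(path, entry)
        if findings:
            result[path] = findings
    return result
```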

Checking programs need not be bound to a particular file. The program should have the following aspects: Installing or updating a program consists of importing files into the system, usually creating new directories for the program, and occasionally reconfiguring the system itself. From a security standpoint, the program may need to add user accounts, define new audit events, and assign privileges to one of the program files. However, there are two problems:

To provide for secure program installation and update, two strategies are employed. More generally, the reasoning behind a computer system's security depends on a proper understanding of its capabilities and limitations.

This means that because a computer with a TCB can do anything that a Von Neumann architecture computer can, there will likely be things that users do, intentionally or unintentionally, that make the system less secure. Thus, the mechanisms in the TCB should take the human security factor into consideration.

By: Justin Stoltzfus, Contributor, Reviewer. By: Satish Balakrishnan.

An ideal TCB is small and simple while still providing the necessary security guarantees for the system. In a good security architecture there must be a strong reason for including any component in the TCB, since each added component becomes an added single point of failure.

Some relevant questions to ask when designing a system that aims to be more secure include: do the security properties this component provides outweigh the risks posed by adding it? Perhaps counterintuitively, the more components a system can treat as untrusted (that is, outside the TCB), the less attack surface its TCB has.

This runtime encryption removes the host machine from the TCB for the application: a malicious or compromised host can no longer impact the confidentiality or integrity of the application or its data. The host can now be referred to as untrusted because its behavior is no longer critical to the security of the application. Ideally, each component that remains in the TCB should demonstrate, through cryptographic measurement or formal verification, that it is behaving as expected.

When designing a more secure system, the TCB should be kept as small as possible to reduce the attack surface. As the sum of all the protection mechanisms within a computer system, the Trusted Computing Base is responsible for enforcing the security policy and must continuously monitor all of these activities to ensure that the system functions correctly and adheres to every aspect of that policy.

To accomplish this, the trusted computing base acts according to an abstract machine model known as the reference monitor. The reference monitor works at the boundary between the trusted and untrusted domains of a system. Its function is to validate access to objects (files, data, processes, etc.). As the barrier between objects and subjects, the reference monitor maintains three characteristics to ensure its own stability: Responsible for running the processes required to enforce functionality and to resist attacks, the security kernel is a tangible part, central to every computer system.

For their own protection and integrity, all enforcement and control mechanisms are themselves located inside the security perimeter. As an example, the trusted computing base of a health-care facility would typically have security mechanisms enforcing access control and user authentication over its clinical information database.


