Trusted Computing Base TCB

 September 8, 2022 at 9:48 pm

Blog posts

What’s a Trusted Compute Base?

Early Documents


  • G. H. Nibaldi, 30 November 1979 PDF

A Trusted Computing Base (TCB) is the totality of access control mechanisms for an operating system.

A TCB is a hardware and softwere access control mechunism that establishes v protection environment to control the sharing of information in computer systems. A TCB is an implementation of a reference monitor, as defined in [Anderson 72), that controls when and how data is accessed.

Proof that the TCB will indeed enforce the relevant protection policy can only be provided through a fonrial, methodological approach to TCB design and verification... Because the TCB consists of all the security-related mechanisms, proof of its validity implies the remainder of the system will perform correctly with resWpct to the policy.

Reference Monitor

a TCB is an implementation cf a reference monitor.

  • complete mediation of access
  • self-protecting
  • verifiable

Minimizing the complexity of TCB software is a major factor in raising the confidence level that can be assigned to the protection mechanisms it provides.

...two general design goals to follow after identifying all security relevant operations for inclusion in the TCB are (a) to exclude from the TCB software any operations not strictly security-related so that one can focus attention on those that are, and (b) to make as full use as possible of protection features available in the hardware.


  • DoD 5200.28 STD, l5 Aug 83 PDF

The heart of a trusted computer system is the Trusted Computing Base (TCB) which contains all of the elements of the system responsible for supporting the security policy and supporting the isolation of objects (code and data) on which the protection is based.

... In the interest of understandable and maintainable protection, a TCB should be as simple as possible consistent with the functions it has to perform. Thus, the TCB includes hardware, firmware, and software critical to protection and must be designed and implemented such that system elements excluded from it need not be trusted to maintain protection.

Trusted Computing Base (TCB) - The totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy.

Now the concept of TCB is applicable not only in OS but also embedded systems, and focuses on a security-critical portion of the system, including hardware and software.

Some system (Class A1) still requires a formal design specification and verification of TCB to ensure high degrees of assurance.

Authentication in Distributed Systems: Theory and Practice

Another important concept is the ‘trusted computing base’ or TCB [9], a small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security

Some weaknesses of the TCB model

S&P 1997 Paper

Authentication in Distributed Systems: Theory and Practice,

ACM Transactions on Computer Systems, 1992

It’s not quite true that components outside the TCB can fail without affecting security. Rather, the system should be ‘fail-secure’: if an untrusted component fails, the system may deny access it should have granted, but it won’t grant access it should have denied.

An Efficient TCB for a Generic Content Distribution System

2012 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discover PDF

The trusted computing base (TCB) [1] for a system is a small amount of hardware and/or software that need to be trusted in order to realize the desired assurances. More specifically, the assurances are guaranteed even if all elements outside the TCB misbehave.

The lower the complexity of the elements in the TCB, the lower is the ability to hide malicious/accidental functionality in the TCB components. Consequently, in the design of any security solution it is necessary to lower the complexity of components in the TCB to the extent feasible.

More Recent Study

TCB Minimizing Model of Computation (TMMC)

Bushra, Naila.  Mississippi State University ProQuest Dissertations Publishing,  2019. 27664004. Paper

Reducing TCB Complexity for Security-Sensitive Applications: Three Case Studies

EuroSys, 2006 PDF

The security requirements fall into four main categories: confidentiality, integrity, recoverability, and availability. For clarity, we present the definition of these terms.

  • Confidentiality: Only authorized users (entities, principals, etc.) can access information (data, programs, etc.).
  • Integrity: Either information is current, correct, and complete, or it is possible to detect that these properties do not hold.
  • Recoverability: Information that has been damaged can be recovered eventually.
  • Availability: Data is available when and where an authorized user needs it.

Justifications of Reducing TCB

Relationships between selected software measures and latent bug-density: Guidelines for improving quality


It seems that nearly all code size/complexity measurements contributes to bug density, except Method Hiding Factor and Polymorphism Factor.

This work just focuses on C++ programs. What about using a different language, e.g., Rust?

Choice of Language also Matters

Rust in the Android platform

Rust modernizes a range of other language aspects, which results in improved correctness of code:

Other Related Work

Œuf: Minimizing the Coq Extraction TCB

Reducing TCB complexity for security-sensitive applications: Three case studies