February 2, 2010
1. TCB (Trusted Computing Base)
(a) Is trust a good thing? Why or why not?
(b) What is a trusted computing base?
(c) What can we do to reduce the size of the TCB?
(d) What components are included in the (physical analog of the) TCB for the following security goals:
i. Preventing break-ins to your apartment
ii. Locking up your bike
iii. Preventing people from riding BART for free
iv. Making sure no explosives are present on an airplane
v. Preventing all the money from being stolen from a bank vault
(a) It’s great to trust a friend, but it’s bad to have to trust a component in a system that has security goals.
It means that the component can violate your security goals if it fails. This is the difference between
and something that is
(b) It is the set of hardware and software on which we depend for correct enforcement of policy. If
part of the TCB is incorrect, the system’s security properties can no longer be guaranteed to be true.
(Paraphrased from Pfleeger.)
(c) Privilege separation can help reduce the size of the TCB. You will end up with more components, but
not all of them can violate your security goals if they break.
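An added example (not part of the worksheet) of what (c) means in code: the large, bug-prone parser runs in a forked worker that never holds the log file, so only the few lines of policy in enforce_and_log() are in the TCB for the goal "only allow-listed users' short entries reach audit.log". The policy, the "user:text" message format and all function names are constructed for this illustration.

```python
import json
import os
import tempfile

ALLOWED_USERS = {"alice", "bob"}   # constructed policy: who may write
MAX_LEN = 32                       # constructed policy: max entry length

def untrusted_parse(raw: str) -> dict:
    """Large, bug-prone component, NOT in the TCB: expects 'user:text',
    crashes on anything else and does no policy checking at all."""
    user, text = raw.split(":", 1)         # ValueError if ':' is missing
    return {"user": user.strip(), "text": text.strip()}

def parse_in_worker(raw: str) -> dict:
    """Run the parser in a forked child; only a JSON dict ever comes back."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                           # child: no log handle exists yet
        os.close(r)
        try:
            out = json.dumps(untrusted_parse(raw))
        except Exception as exc:           # a parser crash stays in the worker
            out = json.dumps({"error": repr(exc)})
        os.write(w, out.encode())
        os._exit(0)
    os.close(w)
    data = b""
    while chunk := os.read(r, 4096):
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return json.loads(data) if data else {"error": "worker died"}

def enforce_and_log(parsed: dict, log_dir: str) -> bool:
    """The whole TCB: a few lines of policy that trust nothing upstream."""
    user, text = parsed.get("user"), parsed.get("text")
    if "error" in parsed or user not in ALLOWED_USERS:
        return False
    if not isinstance(text, str) or not 0 < len(text) <= MAX_LEN:
        return False
    with open(os.path.join(log_dir, "audit.log"), "a") as f:
        f.write(f"{user}: {text}\n")
    return True

def handle(raw: str, log_dir: str) -> bool:
    return enforce_and_log(parse_in_worker(raw), log_dir)
def new_log_dir() -> str: return tempfile.mkdtemp()   # fresh dir for the log
def read_log(log_dir: str) -> list:
    path = os.path.join(log_dir, "audit.log")
    return open(path).read().splitlines() if os.path.exists(path) else []
```

A crash or a bad field from the parser is contained in the worker and rejected by the enforcer; the parser's size no longer matters for the security goal.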
(d) (This list is not necessarily complete.)
i. the lock, the door, the walls, the windows, the roof, the floor, you, anyone who has a key
ii. the bike frame, the bike lock, the post you lock it to, the ground
iii. the ticket machines, the tickets, the turnstiles, the entrances, the employees
iv. the TSA employees, the security gates, the “one-way” exit gates, the fences surrounding the runway area (but NOT the airline employees, restaurant employees, others?)
v. the vault, the owner + the manager (together, but not separately, assuming one has the code and
the other has the key)
2. Security Principles
The following are the security principles we discussed in lecture:
A. Security is economics
B. Least privilege
CS 161, Spring 2010, Discussion 2