Trusted VS Untrusted
When we run a program, we usually do so in an environment. It could be a Linux OS, a virtual machine or a Docker container. Securing that environment is as critical as securing our code.
Easier said than done though! All the programs that run alongside ours, like the various standard libraries, other software and even the OS kernel, can extend the attack surface. They could interact with our program and tamper with it.
Cue one of the major principles in computer security... We must always try to reduce the attack surface and, consequently, keep the computing base minimal!
Applying this principle is at the core of Confidential Computing, which defines an environment that is highly isolated but can, under certain conditions, communicate with the outside world.
The Trusted Computing Base or TCB level defines this minimal environment. Remember this acronym because we'll be using it a lot!
What is a Trusted Computing Base (TCB)?
The TCB refers to the system components where the security of that system is established and maintained.
When we talk about a "trusted" computing base, we don't necessarily mean that the system is secure, but that these components are critical for the system’s security. They are the root of trust, because the system assumes they are secure enough to be trusted.
We must, after all, start trusting somewhere. This is actually what defines a TCB and why it must be as minimal as possible.
To better understand what a TCB is, let's take an example: a web application is hosted on a private instance. This is a common architecture for an instance hosted by a cloud provider.
The web app's TCB level is defined in this order:
- First, we need to trust the code of the application itself.
- Then the operating system, because it does all the necessary low-level operations.
- The hypervisor, which runs the guest operating system and manages memory across the different guests.
- And, finally, the hardware which runs all these components.
Each of these layers presents a considerable attack surface, and when we add a layer to the TCB, we must keep in mind that its security has to be tested. That is easier said than done, as each layer contains several vulnerable entry points that we are not aware of, which makes it harder to secure.