Which of the following statements pertaining to the trusted computing base (TCB) is false?
A. Its enforcement of security policy is independent of parameters supplied by system administrators.
B. It is defined in the Orange Book.
C. It includes hardware, firmware and software.
D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity.
Explanation:
The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within it and the
correct input by system administrative personnel of parameters related to security policy. For example, if Jane
only has a “CONFIDENTIAL” clearance, a system administrator could foil the correct operation of a TCB by
providing input to the system that gave her a “SECRET” clearance. “It is defined in the Orange Book” is an
incorrect choice. The TCB is defined in the Orange Book (TCSEC or Trusted Computer System Evaluation
Criteria). “It includes hardware, firmware and software” is incorrect. The TCB does include the combination of
all hardware, firmware and software responsible for enforcing the security policy. “A higher TCB rating will
require that details of their testing procedures and documentation be reviewed with more granularity” is
incorrect. As the level of trust increases (D through A), the level of scrutiny required during evaluation increases
as well.
CBK, pp. 323 – 324, 329 – 330; AIO3, pp. 269 – 272.