Editing Trusted computing base (section)

===A prerequisite to security===
Systems that don't have a trusted computing base as part of their design do not provide security of their own: they are only secure insofar as security is provided to them by external means (e.g. a computer sitting in a locked room without a network connection may be considered secure depending on the policy, regardless of the software it runs). This is because, as [[David J. Farber]] et al. put it,<ref>W. Arbaugh, D. Farber and J. Smith, [http://citeseer.ist.psu.edu/article/arbaugh97secure.html A Secure and Reliable Bootstrap Architecture], 1997, also known as the “aegis papers”.</ref> ''<nowiki>[i]n</nowiki> a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers''. As far as computer security is concerned, reasoning about the security properties of a computer system requires being able to make sound assumptions about what it can, and more importantly, cannot do; however, barring any reason to believe otherwise, a computer is able to do everything that a general [[Von Neumann architecture|Von Neumann machine]] can. This obviously includes operations that would be deemed contrary to all but the simplest security policies, such as divulging an [[email]] or [[password]] that should be kept secret; however, barring special provisions in the architecture of the system, there is no denying that the computer ''could be programmed'' to perform these undesirable tasks.

These special provisions that aim at preventing certain kinds of actions from being executed, in essence, constitute the trusted computing base. For this reason, the [[Trusted Computer System Evaluation Criteria|Orange Book]] (still a reference on the design of secure operating systems {{As of|2007|lc=on}}) characterizes the various security assurance levels that it defines mainly in terms of the structure and security features of the TCB.