Domain 3 of 8 · Chapter 4 of 10

System Security Capabilities

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The Trusted Computing Base and the reference monitor
  • Memory protection: isolation, rings, DEP, and ASLR
  • Hardware crypto and trust: TPM, HSM, secure boot, and TEE
  • Exam-pattern recognition

Hardware crypto and trust capabilities compared

CapabilityWhat it isScopePrimary purposeKey fact
TPM (Trusted Platform Module)Secure cryptoprocessor fixed to a platform (TCG spec; 2.0 current)One machinePlatform integrity measurement, attestation, key bindingKeys are non-exportable; boot measurements stored in PCRs
HSM (Hardware Security Module)Dedicated, often network-attached crypto moduleMany systemsHigh-volume key generation, storage, signingValidated to FIPS 140-3 (four security levels)
Secure cryptoprocessor (general)Tamper-resistant chip running crypto inside its boundaryComponentKeep keys/operations off the main CPU and out of memoryTPM and HSM are both specific kinds of secure cryptoprocessor
TEE / enclaveHardware-isolated execution region in the CPUProcess / code regionProtect code+data even from a privileged OSShrinks the TCB to the enclave plus the CPU
Memory protection (rings, isolation, DEP, ASLR)CPU+OS features isolating process memoryWhole OSStop one process corrupting another or the kernelAssumes the kernel itself is trustworthy

Decision tree

Protect code even from acompromised OS?YesNoTEE / enclaveshrinks TCB to enclave + CPUKey ops high-volume or sharedacross many systems?YesNoHSM (FIPS 140-3 validated)central, scalable key store / signingTPMper-machine trust, attestationBoot trust: enforce or record?Block unsignedProve what ranSecure bootMeasured bootPCRs + attestation

Cheat sheet

  • The TCB is everything the system trusts unconditionally, so keep it small
  • The reference monitor must be always-invoked, tamperproof, and verifiable: all three
  • The security kernel is the implementation; the reference monitor is the concept
  • Process isolation gives each process its own virtual address space
  • Protection rings put the kernel in Ring 0 and user code in Ring 3
  • DEP/NX stops code from executing in data regions
  • ASLR randomizes load addresses so attackers cannot predict where to jump
  • DEP and ASLR are complementary, not substitutes
  • Memory protection assumes a trustworthy kernel and falls once Ring 0 is compromised
  • A secure cryptoprocessor keeps keys inside a tamper-resistant boundary
  • A TPM binds trust to one platform: keys, boot measurements, and attestation
  • TPM sealing requires a specific platform state; binding only requires the TPM
  • An HSM is the high-volume, shared, high-assurance key store
  • FIPS 140-3 defines four increasing security levels for crypto modules
  • Secure boot enforces by refusing unsigned code; measured boot records what ran
  • A hardware root of trust is trusted unconditionally because its misbehavior cannot be detected
  • A TEE isolates code from a compromised OS by shrinking the TCB
  • Code placed in a TEE becomes part of the TCB and must stay small and verified
  • Capabilities enforce a policy; a security model decides it
  • Encryption is the capability for confidentiality on media or infrastructure you don't control

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Trusted Computing Base: NIST Computer Security Resource Center glossary Whitepaper
  2. Reference Monitor: NIST Computer Security Resource Center glossary (SP 800-53 Rev. 5) Whitepaper
  3. Trusted Platform Module Technology Overview
  4. FIPS 140-3, Security Requirements for Cryptographic Modules Whitepaper