Essentially a trusted system is any system featuring a Trusted Computing Base (TCB), which is defined as:
The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to enforce correctly a unified security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance level) related to the security policy.
- NCSC-TG-004 (Teal Green Book)

This TCB is the foundation of the system; all other security depends on the security policy it is enforcing. In systems like Next-Generation Secure Computing Base (NGSCB, fka Palladium) the protection mechanisms start with the Fritz chip. This chip uses encryption technologies to determine what hardware and software can be considered "trusted." All hardware and software components of the TCB are trusted, but not all trusted components are part of the TCB. This ensures a high level of assurance to the TCB, while still allowing the user a great degree of flexibility.

Here is where things get a little trickier, and where the authors are clearly ignorant. Components of the TCB MUST undergo considerable formal validation and verification. Trusted components beyond the scope of the TCB merely require formal validation. All other components require no inspection of any kind. That's right, no inspection whatsoever! They could contain viruses, or other malware... heck, they could even simply be malware. This is the beauty of trusted systems.

Picture 3 levels... the first level is the TCB. At this level no changes can be made without the express permission of (in this case) the Fritz chip. (This represents a giant leap forward from traditional trusted systems that are evaluated with very specific components.)
The second level is trusted non-TCB components, including but not limited to Digital Rights Management (DRM) and additional hardware components. Components at this level have a greater degree of assurance since the TCB can still monitor them for unauthorized manipulation, preventing boot sector viruses, NIC modifications, infected components, and perhaps even remote users from initiating actions limited to local users only, regardless of the level of compromise the system may find itself in.
The third level is where untrusted components exist.

A hierarchical system of dominance must be overt for this system to work. For example, when playing trusted DRM-controlled media the system will launch its trusted media player as a trusted subject (assuming the user is trusted); however, if the media is untrusted DRM, the TCB will need to provide a closed compartment for the trusted media player to operate in as a trusted subject. This allows the DRM controls to be authenticated by the Fritz chip, yet protects the system from potentially damaging code within the media. Finally, untrusted, non-DRM media is played by either the trusted media player running as an untrusted subject or an untrusted media player of the user's choice. This gives even greater assurance against malware and doesn't needlessly tap the Fritz chip's capabilities.

Many users will complain that this technology removes the control they can exert over their system. This is true; however, let us not forget SUN Microsystems' slogan: "The Network is the Computer." Security issues transcend the individual system, so it only makes sense that security solutions must as well. Stop for a moment and think... why is it ok that other people with insecure computers can be compromised and force you the taxpayer (investigation costs for DDoS attacks, etc.) and you the customer (compromised-account investigations) to eat those costs? You can't have complete control over your car (safety and emissions standards), because you need to share the roads with the rest of us and can't just impose intolerable risks on us, so why should your computer be any different?

Now, of course, you can retain control over your system by rejecting this technology, but in time service providers and vendors, and perhaps even ISPs, will start only allowing specific trusted applications to access their services. This allows them to dramatically reduce their risks, and since the technology is beneficial to most corporations (reduced security budget) and users (reduced worry), it will be more and more tolerable to utilize DRM-based access.

I for one embrace the idea.

cheers,

catch
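The three-tier admission policy the post sketches (TCB components verified against exact measurements, trusted non-TCB components needing only a root endorsement, untrusted components loaded without inspection), as an added toy model that is not NGSCB code or code from the post; the root key, component images and manifest are constructed stand-ins for what a Fritz-style chip would hold:

```python
import hashlib
import hmac

# Added toy model of the three tiers described in the post; not NGSCB code.
TCB, TRUSTED, UNTRUSTED = "tcb", "trusted", "untrusted"

# Constructed stand-in for the root secret a Fritz-style chip would hold.
ROOT_KEY = b"constructed-root-key-not-real"


def measure(blob: bytes) -> str:
    """Measurement of a component image: its SHA-256 digest."""
    return hashlib.sha256(blob).hexdigest()


def endorse(blob: bytes) -> str:
    """Root endorsement of a component (an HMAC stands in for a signature)."""
    return hmac.new(ROOT_KEY, measure(blob).encode(), "sha256").hexdigest()


def admit(name, blob, claimed_tier, tcb_manifest, endorsement=None):
    """Return (loaded, effective_tier) for a component asking for claimed_tier.

    TCB: the measurement must match the manifest exactly (validated and
         verified); any change is refused, nothing runs at that tier.
    TRUSTED: a valid root endorsement suffices (validated only); without one
         the component still loads, but demoted to the untrusted tier.
    UNTRUSTED: admitted unconditionally and never gains trust.
    """
    if claimed_tier == TCB:
        expected = tcb_manifest.get(name, "")
        if expected and hmac.compare_digest(measure(blob), expected):
            return True, TCB
        return False, None
    if claimed_tier == TRUSTED:
        ok = endorsement is not None and hmac.compare_digest(endorsement, endorse(blob))
        return True, (TRUSTED if ok else UNTRUSTED)
    return True, UNTRUSTED


# Constructed component images and the TCB manifest built from the good boot image.
BOOT_SECTOR = b"boot-sector-v1"
MEDIA_PLAYER = b"media-player-v1"
MANIFEST = {"boot": measure(BOOT_SECTOR)}

if __name__ == "__main__":
    print(admit("boot", BOOT_SECTOR, TCB, MANIFEST))              # (True, 'tcb')
    print(admit("boot", BOOT_SECTOR + b"X", TCB, MANIFEST))       # (False, None): tampered
    print(admit("player", MEDIA_PLAYER, TRUSTED, MANIFEST, endorse(MEDIA_PLAYER)))
    print(admit("player", MEDIA_PLAYER, TRUSTED, MANIFEST, None))  # demoted to untrusted
```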