System Security Capabilities
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- The Trusted Computing Base and the reference monitor
- Memory protection: isolation, rings, DEP, and ASLR
- Hardware crypto and trust: TPM, HSM, secure boot, and TEE
- Exam-pattern recognition
Hardware crypto and trust capabilities compared
| Capability | What it is | Scope | Primary purpose | Key fact |
|---|---|---|---|---|
| TPM (Trusted Platform Module) | Secure cryptoprocessor fixed to a platform (TCG spec; 2.0 current) | One machine | Platform integrity measurement, attestation, key binding | Keys are non-exportable; boot measurements stored in PCRs |
| HSM (Hardware Security Module) | Dedicated, often network-attached crypto module | Many systems | High-volume key generation, storage, signing | Validated to FIPS 140-3 (four security levels) |
| Secure cryptoprocessor (general) | Tamper-resistant chip running crypto inside its boundary | Component | Keep keys/operations off the main CPU and out of memory | TPM and HSM are both specific kinds of secure cryptoprocessor |
| TEE / enclave | Hardware-isolated execution region in the CPU | Process / code region | Protect code+data even from a privileged OS | Shrinks the TCB to the enclave plus the CPU |
| Memory protection (rings, isolation, DEP, ASLR) | CPU+OS features isolating process memory | Whole OS | Stop one process corrupting another or the kernel | Assumes the kernel itself is trustworthy |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.