Users often need to perform functions through direct interaction with the TSF. A trusted path provides confidence that a user is communicating directly with the TSF whenever it is invoked. A user's response via the trusted path guarantees that untrusted applications cannot intercept or modify the user's response. Similarly, trusted channels are one approach for secure communication between the TSF and remote IT products.
Figure 1.2 of this part of the CC illustrates the relationships between the various types of communication that may occur within a TOE or network of TOEs (i.e. Internal TOE transfers, Inter-TSF transfers, and Import/Export Outside of TSF Control) and the various forms of trusted paths and channels.
Absence of a trusted path may allow breaches of accountability or access control in environments where untrusted applications are used. These applications can intercept user-private information, such as passwords, and use it to impersonate other users. As a consequence, responsibility for any system actions cannot be reliably assigned to an accountable entity. Also, these applications could output erroneous information on an unsuspecting user's display, resulting in subsequent user actions that may be erroneous and may lead to a security breach.
Figure M.1 shows the decomposition of this class into its constituent components.
Figure M.1 - Trusted path/channels class decomposition