| Term | Page |
|---|---|
| secure | 230 |
| trust | 231 |
| trusted process | 231 |
| trusted software | 231 |
| trusted system | 231 |
| security policy | 232 |
| military security policy | 232 |
| sensitivity level | 232 |
| object | 232 |
| need-to-know rule | 232 |
| compartment | 232 |
| classification | 234 |
| clearance | 234 |
| dominance | 234 |
| subject | 234 |
| hierarchical security | 235 |
| nonhierarchical security | 235 |
| Clark-Wilson policy | 236 |
| well-formed transaction | 237 |
| constrained data item | 237 |
| transformation procedure | 237 |
| access triple | 237 |
| separation of duty | 237 |
| Chinese wall policy | 237 |
| lattice model | 239 |
| Bell-La Padula model | 241 |
| simple security property | 242 |
| \*-property | 242 |
| write-down | 242 |
| Biba model | 243 |
| simple integrity policy | 243 |
| integrity \*-property | 243 |
| Graham-Denning model | 244 |
| Harrison-Ruzzo-Ullman model | 245 |
| take-grant system | 248 |
| least privilege | 252 |
| economy of mechanism | 252 |
| open design | 252 |
| complete mediation | 252 |
| permission-based access | 252 |
| separation of privilege | 252 |
| least common mechanism | 252 |
| ease of use | 253 |
| user authentication | 253 |
| memory protection | 254 |
| object access control | 254 |
| enforced sharing | 254 |
| fair service | 254 |
| interprocess communication | 254 |
| synchronization | 254 |
| protected control data | 254 |
| user identification and authentication | 256 |
| mandatory access control | 256 |
| discretionary access control | 256 |
| object reuse | 256 |
| magnetic remanence | 257 |
| trusted path | 257 |
| audit | 257 |
| audit log reduction | 258 |
| accountability | 258 |
| intrusion detection | 259 |
| kernel | 259 |
| nucleus | 259 |
| core | 259 |
| security kernel | 260 |
| reference monitor | 260 |
| tamperproofness | 261 |
| unbypassability | 261 |
| analyzability | 261 |
| trusted computing base (TCB) | 261 |
| process activation | 262 |
| execution domain switching | 263 |
| memory protection | 263 |
| physical separation | 265 |
| temporal separation | 265 |
| cryptographic separation | 266 |
| logical separation | 266 |
| virtualization | 266 |
| virtual machine | 266 |
| virtual memory | 267 |
| layering | 269 |
| hierarchically structured operating system | 271 |
| assurance | 273 |
| flaw exploitation | 274 |
| I/O processing flaw | 274 |
| access ambiguity flaw | 274 |
| incomplete mediation flaw | 275 |
| generality flaw | 274 |
| time-of-check to time-of-use flaw | 275 |
| testing | 276 |
| test coverage | 276 |
| penetration testing | 276 |
| formal verification | 278 |
| proof of correctness | 278 |
| theorem prover | 278 |
| validation | 281 |
| requirements checking | 281 |
| design and code review | 281 |
| module and system testing | 281 |
| open source | 281 |
| evaluation | 282 |
| Orange Book (TCSEC) | 283 |
| D, C1, C2, B1, B2, B3, A1 rating | 283 |
| German Green Book | 286 |
| functionality class | 287 |
| assurance level | 287 |
| British evaluation criteria | 287 |
| claims language | 287 |
| action phrase | 287 |
| target phrase | 288 |
| CLEF | 289 |
| comparable evaluation | 289 |
| transferable evaluation | 289 |
| ITSEC | 289 |
| effectiveness | 289 |
| target of evaluation | 289 |
| security-enforcing function | 289 |
| mechanism | 290 |
| strength of mechanism | 290 |
| target evaluation level | 290 |
| suitability of functionality | 290 |
| binding of functionality | 290 |
| vulnerabilities | 290 |
| Combined Federal Criteria | 291 |
| protection profile | 291 |
| security target | 291 |
| Common Criteria | 292 |
| extensibility | 294 |
| granularity | 294 |
| objectivity | 295 |
| portability | 295 |
| emphatic assertion | 297 |
| Unix | 298 |
| PR/SM | 299 |
| logical partition manager | 300 |
| domain | 300 |
| VAX Security Kernel | 301 |
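The lattice-model terms in the list (dominance, need-to-know, the Bell-La Padula simple security property and *-property, the Biba duals, complete mediation and audit) fit together in a few dozen lines. The following is an added illustration written for this page, not code from the book; the level names, compartment names and the `ReferenceMonitor` class are constructed for the example.

```python
"""Lattice-based mandatory access control: Bell-La Padula and Biba checks.

Added illustration of the lattice-model terms listed above; not code from
the book. Level names and compartment names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()


class Lattice:
    """Levels are totally ordered; compartments form a powerset. Together they
    give the partial order 'dominates' that both BLP and Biba are built on."""

    def __init__(self, levels: Sequence[str]):
        # position in the sequence is the rank: levels[0] is the lowest
        self.rank: Dict[str, int] = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        """a >= b iff a's level is at least b's and a's compartments include all
        of b's (need-to-know). Labels with disjoint compartments are incomparable."""
        return (self.rank[a.level] >= self.rank[b.level]
                and a.compartments >= b.compartments)

    # Bell-La Padula: the lattice orders sensitivity (confidentiality) levels.
    def blp_read(self, subject: Label, obj: Label) -> bool:
        """Simple security property (no read-up): clearance dominates classification."""
        return self.dominates(subject, obj)

    def blp_write(self, subject: Label, obj: Label) -> bool:
        """*-property (no write-down): the object's classification dominates the clearance."""
        return self.dominates(obj, subject)

    # Biba: the lattice orders integrity levels; the rules are the duals of BLP's.
    def biba_read(self, subject: Label, obj: Label) -> bool:
        """Simple integrity property (no read-down): object integrity dominates the subject's."""
        return self.dominates(obj, subject)

    def biba_write(self, subject: Label, obj: Label) -> bool:
        """Integrity *-property (no write-up): subject integrity dominates the object's."""
        return self.dominates(subject, obj)


AuditEntry = Tuple[str, str, Label, Label, bool]


class ReferenceMonitor:
    """Every access passes through `mediate` (complete mediation) and every
    decision, granted or denied, is appended to the audit log (accountability)."""

    def __init__(self, lattice: Lattice, model: str):
        rules: Dict[str, Dict[str, Callable[[Label, Label], bool]]] = {
            "blp": {"read": lattice.blp_read, "write": lattice.blp_write},
            "biba": {"read": lattice.biba_read, "write": lattice.biba_write},
        }
        self.model = model
        self.rules = rules[model]
        self.audit: List[AuditEntry] = []

    def mediate(self, op: str, subject: Label, obj: Label) -> bool:
        # an operation with no rule is denied rather than guessed at
        allowed = op in self.rules and self.rules[op](subject, obj)
        self.audit.append((self.model, op, subject, obj, allowed))
        return allowed


def demo() -> Dict[str, bool]:
    """Run the classic cases through both models and return the decisions."""
    conf = Lattice(["unclassified", "confidential", "secret", "top secret"])
    user = Label("secret", frozenset({"crypto"}))
    low = Label("confidential")
    high = Label("top secret", frozenset({"crypto"}))
    other = Label("secret", frozenset({"nuclear"}))   # incomparable with `user`
    blp = ReferenceMonitor(conf, "blp")

    integ = Lattice(["untrusted", "user", "system"])
    proc, binary, download = Label("user"), Label("system"), Label("untrusted")
    biba = ReferenceMonitor(integ, "biba")

    return {
        "blp_read_down": blp.mediate("read", user, low),              # True
        "blp_read_up": blp.mediate("read", user, high),               # False
        "blp_write_up": blp.mediate("write", user, high),             # True
        "blp_write_down": blp.mediate("write", user, low),            # False
        "blp_read_incomparable": blp.mediate("read", user, other),    # False
        "blp_write_incomparable": blp.mediate("write", user, other),  # False
        "biba_read_up": biba.mediate("read", proc, binary),           # True
        "biba_read_down": biba.mediate("read", proc, download),       # False
        "biba_write_down": biba.mediate("write", proc, download),     # True
        "biba_write_up": biba.mediate("write", proc, binary),         # False
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {'allow' if decision else 'deny'}")
```

The incomparable case is the one worth noticing: two labels at the same level but with different compartments dominate each other in neither direction, so under BLP the subject can neither read nor write the object, which is exactly the need-to-know rule operating inside the lattice. Note also that the two models use separate lattices; a real system that enforces both must carry a confidentiality label and an integrity label on every subject and object.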