trust, 242
trusted process, 245
trusted product, 245
trusted software, 245
trusted computing base, 245
trusted system, 245
security policy, 245
military security policy, 246
sensitivity level, 246
object, 246
need-to-know rule, 246
compartment, 246
classification, 248
clearance, 248
dominance, 248
subject, 248
hierarchical security, 248
nonhierarchical security, 248
Clark-Wilson policy, 250
well-formed transaction, 250
constrained data item, 250
transformation procedure, 250
access triple, 250
separation of duty, 250
Chinese wall policy, 251
lattice model, 253
Bell-La Padula model, 254
simple security property, 255
*-property, 255
write-down, 256
Biba model, 257
simple integrity policy, 257
integrity *-property, 257
Graham-Denning model, 257
Harrison-Ruzzo-Ullman model, 259
command, 259
condition, 259
primitive operation, 259
protection system, 260
take-grant system, 261
least privilege, 265
economy of mechanism, 265
open design, 265
complete mediation, 265
permission-based access, 266
separation of privilege, 266
least common mechanism, 266
ease of use, 266
user authentication, 266
memory protection, 266
object access control, 266
enforced sharing, 267
fair service, 267
interprocess communication, 267
synchronization, 267
protected control data, 267
user identification and authentication, 269
mandatory access control, 269
discretionary access control, 269
object reuse, 270
magnetic remanence, 270
trusted path, 270
audit, 272
accountability, 272
audit log reduction, 272
intrusion detection, 273
kernel, 274
nucleus, 274
core, 274
security kernel, 274
reference monitor, 275
reference monitor properties:
tamperproof, 275
unbypassable, 275
analyzable, 275
trusted computing base (TCB), 275
process activation, 276
execution domain switching, 276
memory protection, 276
physical separation, 279
temporal separation, 279
cryptographic separation, 279
logical separation, 279
virtualization, 280
virtual machine, 280
virtual memory, 281
layering, 283
hierarchically structured operating system, 285
assurance, 287
flaw exploitation, 288
user interface processing flaw, 288
access ambiguity flaw, 288
incomplete mediation flaw, 288
generality flaw, 289
time-of-check to time-of-use flaw, 289
testing, 290
penetration testing, 291
tiger team analysis, 291
ethical hacking, 291
formal verification, 292
proof of correctness, 292
theorem prover, 292
validation, 295
requirements checking, 295
design and code review, 295
module and system testing, 295
open source, 295
evaluation, 296
Orange Book (TCSEC), 297
D, C1, C2, B1, B2, B3, A1 rating, 297
German Green Book, 300
functionality class, 301
assurance level, 301
British evaluation criteria, 301
claims language, 301
action phrase, 301
target phrase, 301
CLEF, 302
comparable evaluation, 303
transferable evaluation, 303
ITSEC, 303
effectiveness, 303
target of evaluation, 303
security-enforcing function, 303
mechanism, 303
strength of mechanism, 303
target evaluation level, 303
suitability of functionality, 303
binding of functionality, 304
vulnerabilities, 304
Combined Federal Criteria, 304
protection profile, 305
security target, 306
Common Criteria, 307
extensibility, 309
granularity, 309
speed, 309
thoroughness, 309
objectivity, 309
portability, 309
emphatic assertion, 311