secure, 230
lattice model, 239
trust, 231
Bell-La Padula model, 241
trusted process, 231
simple security property, 242
trusted software, 231
*-property, 242
trusted system, 231
write-down, 242
security policy, 232
Biba model, 243
military security policy, 232
simple integrity policy, 243
sensitivity level, 232
integrity *-property, 243
object, 232
Graham-Denning model, 244
need-to-know rule, 232
Harrison-Ruzzo-Ullman model, 245
compartment, 232
take-grant system, 248
classification, 234
least privilege, 252
clearance, 234
economy of mechanism, 252
dominance, 234
open design, 252
subject, 234
complete mediation, 252
hierarchical security, 235
permission-based access, 252
nonhierarchical security, 235
separation of privilege, 252
Clark-Wilson policy, 236
least common mechanism, 252
well-formed transaction, 237
ease of use, 253
constrained data item, 237
user authentication, 253
transformation procedure, 237
memory protection, 254
access triple, 237
object access control, 254
separation of duty, 237
enforced sharing, 254
Chinese wall policy, 237
fair service, 254
interprocess communication, 254
formal verification, 278
synchronization, 254
proof of correctness, 278
protected control data, 254
theorem prover, 278
user identification and authentication, 256
validation, 281
requirements checking, 281
mandatory access control, 256
design and code review, 281
discretionary access control, 256
module and system testing, 281
object reuse, 256
open source, 281
magnetic remanence, 257
evaluation, 282
trusted path, 257
Orange Book (TCSEC), 283
audit, 257
D, C1, C2, B1, B2, B3, A1 rating, 283
audit log reduction, 258
German Green Book, 286
accountability, 258
functionality class, 287
intrusion detection, 259
assurance level, 287
kernel, 259
British evaluation criteria, 287
nucleus, 259
claims language, 287
core, 259
action phrase, 287
security kernel, 260
target phrase, 288
reference monitor, 260
CLEF, 289
tamperproofness, 261
comparable evaluation, 289
unbypassability, 261
transferable evaluation, 289
analyzability, 261
ITSEC, 289
trusted computing base (TCB), 261
effectiveness, 289
process activation, 262
target of evaluation, 289
execution domain switching, 263
security-enforcing function, 289
memory protection, 263
mechanism, 290
physical separation, 265
strength of mechanism, 290
temporal separation, 265
target evaluation level, 290
cryptographic separation, 266
suitability of functionality, 290
logical separation, 266
binding of functionality, 290
virtualization, 266
vulnerabilities, 290
virtual machine, 266
Combined Federal Criteria, 291
virtual memory, 267
protection profile, 291
layering, 269
security target, 291
hierarchically structured operating system, 271
Common Criteria, 292
extensibility, 294
assurance, 273
granularity, 294
flaw exploitation, 274
objectivity, 295
I/O processing flaw, 274
portability, 295
access ambiguity flaw, 274
emphatic assertion, 297
incomplete mediation flaw, 275
Unix, 298
generality flaw, 274
PR/SM, 299
time-of-check to time-of-use flaw, 275
logical partition manager, 300
testing, 276
domain, 300
test coverage, 276
VAX Security Kernel, 301
penetration testing, 276