Trusted Operating Systems (Pfleeger Ch. 7)

Security vs. assurance vs. trust
  Security is binary, absolute, intrinsic
  Assurance is performance relative to expectations
  Trust is receiver-centric, based on history, relative, graded

Certification vs. accreditation
  Enforcement of security policy
  Sufficiency of controls
  Evaluation: in the assumed environment vs. as deployed

Policies
  Military: Multilevel Compartmented Systems (MLS)
    Sensitivity: TS/S/C/R/U = rank or level (hierarchical)
    Compartments: need-to-know categories, set-based (non-hierarchical)
    Labels: objects carry a classification, subjects carry a clearance
    Dominance: L1 >= L2 (L1 dominates L2) iff R1 >= R2 and C1 contains C2
    A subject S with label L1 may read an object O with label L2 only if L1 >= L2
  Commercial
    Clark-Wilson
    Separation of duty
    Chinese Wall (conflict of interest)

Models
  MLS lattice model
    A lattice is a partially ordered set (poset) S with partial order <= (reflexive, antisymmetric, transitive) such that for any s1, s2 in S there exist
      a least upper bound (LUB) u: s1 <= u and s2 <= u, and for every u' with s1 <= u' and s2 <= u', u <= u'
      a greatest lower bound (GLB) l: l <= s1 and l <= s2, and for every l' with l' <= s1 and l' <= s2, l' <= l
  BLP (Bell-LaPadula)
  Biba
  Theoretical limitations
    Graham-Denning
    Harrison-Ruzzo-Ullman
    Take-Grant
  RBAC

Design
  Design elements
    Least privilege
    Economy of mechanism
    Open design
    Complete mediation
    Permission-based
    Separation of privilege
    Least common mechanism
  OS features
    User authentication
    Memory protection
    File and device I/O access control
    Object allocation and access control
    Sharing enforcement
    Fairness
    IPC/synchronization
    OS protection (esp. protection of the OS's own protection data)
  Trusted OS features
    User I&A
    DAC
    MAC
    Object reuse protection
    Complete mediation
    Audit / audit reduction
    Trusted path
    IDS
  Kernelized design
    Reference monitor: tamperproof, always invoked, small enough to be trusted
    TCB consists of: H/W, files, protected memory, IPC
    TCB monitors: process activation, execution domain switching, memory protection, I/O operations
  Separation/isolation
  Virtualization
  Layered design

Assurance
  Flaws
  Assurance methods
  Evaluation
    TCSEC (Orange Book), Green Book
    British evaluation
    European ITSEC
    Canadian criteria
    Common Criteria
  Non-assurance

Case studies
  Unix
  PR/SM
  VAX
  TMach
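The dominance relation and lattice definition in the MLS section above are easy to get wrong in practice (treating compartments as ordered, or forgetting that LUB unions them). The following is an added worked example, not code from Pfleeger or the lecture: it models labels as (rank, compartment set), implements dominance, LUB and GLB, and then applies the label lattice to the BLP confidentiality rules (read down / write up) and the dual Biba integrity rules (read up / write down). The five rank names and the compartment names used as sample input are assumptions chosen to match the outline.

```python
"""MLS labels: dominance, lattice LUB/GLB, and BLP / Biba checks (worked example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical sensitivity ranks, lowest to highest (assumption: the five levels
# named in the outline, Unclassified .. Top Secret).
RANKS = {"U": 0, "R": 1, "C": 2, "S": 3, "TS": 4}
RANK_NAMES = {v: k for k, v in RANKS.items()}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical rank plus a set of need-to-know compartments."""
    rank: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """L1 >= L2 iff R1 >= R2 and C1 is a superset of C2 (compartments are set-ordered)."""
        return (RANKS[self.rank] >= RANKS[other.rank]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: highest rank, union of compartments.
    This is the smallest label that dominates both a and b."""
    return Label(RANK_NAMES[max(RANKS[a.rank], RANKS[b.rank])],
                 a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: lowest rank, intersection of compartments.
    This is the largest label dominated by both a and b."""
    return Label(RANK_NAMES[min(RANKS[a.rank], RANKS[b.rank])],
                 a.compartments & b.compartments)


def is_lub(u: Label, a: Label, b: Label, candidates: list[Label]) -> bool:
    """Check the LUB definition directly: u is an upper bound of a and b, and every
    other upper bound among the candidates dominates u."""
    if not (u.dominates(a) and u.dominates(b)):
        return False
    return all(c.dominates(u) for c in candidates if c.dominates(a) and c.dominates(b))


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: subject clearance must dominate object classification."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: object classification must dominate subject clearance."""
    return obj.dominates(subject)


# Biba (integrity): the dual of BLP, with labels read as integrity levels.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """No read down: the object's integrity must dominate the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """No write up: the subject's integrity must dominate the object's."""
    return subject.dominates(obj)


if __name__ == "__main__":
    # Constructed sample labels; compartment names are illustrative.
    analyst = Label("S", frozenset({"NUC"}))
    report = Label("C", frozenset())
    crypto_doc = Label("C", frozenset({"CRYPTO"}))
    print("analyst can read report:", blp_can_read(analyst, report))          # True
    print("analyst can read crypto_doc:", blp_can_read(analyst, crypto_doc))  # False: lacks CRYPTO
    print("analyst can write report:", blp_can_write(analyst, report))        # False: write down
    print("LUB:", lub(analyst, crypto_doc))  # S / {NUC, CRYPTO}
    print("GLB:", glb(analyst, crypto_doc))  # C / {}
```

The `is_lub` helper exists to make the lattice definition checkable: given a finite set of candidate labels, it verifies that the value computed by `lub` is not merely an upper bound but the least one, which is the property the MLS lattice model relies on when combining labels (for example when two inputs flow into one output).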