Arithmetic Logic Unit - ALU - Performs computation

Bus Interface Unit - BIU - I/O to CPU

Uses an Evaluation Assurance Level - EAL Control Unit - Coordinates other CPU components
EAL1 - Functionally Tested CPU Components Floating Point Unit - FPU
EAL2 - Structurally Tested Memory Management Unit - MMU
EAL3 - Methodically tested and checked Pre-Fetch Unit
Common Criteria
EAL4 - Methodically designed, tested and reviewed Protection Test Unit
EAL5 - Semi-formally designed and tested
EAL6 - Semi-formally verified design and tested
EAL7 - Formally verified design and tested
Operating (or Run)
Problem (or Application)
CPU States
Supervisory - Privileged Instruction
Evaluates on Functionality and Assurance Wait
Functionality rating F1 - F10 ITSEC
Assurance rating E0 - E6

Multiprogramming - can load more than one program in memory at one time
Multitasking - can handle requests from several different processes loaded
OS Terms into memory at the same time
Trusted Computer Systems Evaluation Criteria - TCSEC
Multithreading - can run multiple threads simultaneously
A1 - Verified Design
A - Verified Protection Multiprocessing - has more than one CPU
B1 - Labeled Security - Objects are classified
B2 - Structured Protection
B - Mandatory Protection
TCSEC
B3 - Secure Domains Orange Security
C1 - Discretionary Security
Book Architecture 1973 - First formal confidentiality model

C2 - Controlled Access - reasonable

and Design State-machine model
C - Discretionary Protection Mike Smith Simple security property - no read up
commercial apps
26/04/10 - Rev.28 Bell-LaPadula * property - no write down
Evaluated but fail
D - Minimal Security Strong star property - subject's = object's clearance for RW
Discretionary property and trusted subject

1977 - First integrity lattice based model

Simple integrity property - no read down
Biba
Covert channels * integrity property - no write up
Race conditions
1987 - commercial, e.g. banking
Emanations Unconstrained Data Item - UDI
Maintenance hooks Issues Constrained Data Item - CDI
Clarke-Wilson
Reveal as little as possible Integrity Verification Procedures - IVPs
Access
Limit access - need to know Transformation Procedures - TPs
Control
Disable unused services and accounts Countermeasures Models Object access rights to subjects
Use strong authentication Access Matrix

Rights a subject can transfer to/from another subject or object

Take Grant create, revoke, take, grant
Information Flow Model
Trusted Computer Base - TCB - the total combination of protection mechanisms within a
computer system, including hardware, firmware and software to enforce security policy. Noninterference Model

Access Control - ability to permit or deny the use of an object by a subject Brewer and Nash Model - dynamically changing access controls

Reference Monitor - system component that enforces access controls on an object Terms Graham-Denning Model - How subjects and objects should be created and deleted - access rights
Mediate all accesses Confidentiality - Bell-LaPadula, Access Matrix and Take-Grant
Be protected from modification Security Kernel - hardware, firmware and software that Integrity - Biba and Clarke-Wilson
Be verified as correct implement the reference monitor concept
1. Prevent unauthorized modifications
2. Prevent authorized users from improper modifications
Three goals of integrity
3. Maintain internal and external consistency - well-formed transaction