Reprint of a paper presented at the 8th ACM Symposium on Operating System Principles, Pacific Grove, California, 14-16 December 1981. (ACM Operating Systems Review Vol. 15 No. 5 pp. 12-21)

Design and Verification of Secure Systems

John Rushby
Computer Science Laboratory
SRI International
Menlo Park CA 94025 USA

Abstract

This paper reviews some of the difficulties that arise in the verification of kernelized secure systems and suggests new techniques for their resolution.

It is proposed that secure systems should be conceived as distributed systems in which security is achieved partly through the physical separation of their individual components and partly through the mediation of trusted functions performed within some of those components. The purpose of a security kernel is simply to allow such a 'distributed' system to actually run within a single processor; policy enforcement is not the concern of a security kernel.

This approach decouples verification of components which perform trusted functions from verification of the security kernel. This latter task may be accomplished by a new verification technique called 'proof of separability' which explicitly addresses the security relevant aspects of interrupt handling and other issues ignored by present methods.

This work was performed while the author was with the Computing Laboratory, University of Newcastle upon Tyne, England, and was sponsored by (what was then) the Royal Signals Radar Establishment.

Introduction

A formally verified security kernel is widely considered to offer the most promising basis for the construction of truly secure computer systems, at least in the short term. A number of kernelized systems have been constructed [12,19,25] and various models of security have been formulated to serve as the basis for their verification [6,9,28].

Despite the enthusiasm for this approach, there remain certain difficulties and problems in its application (see, for example [1]). I shall expand on these later, but briefly they include the difficulty of verifying the 'trusted processes' that seem necessary in most applications, concern about the extent to which current techniques verify the implementation of the kernel (as opposed to its specification), and doubts about whether present security models really capture the essential characteristics of a security kernel with sufficient accuracy to provide a sound technical basis for their verification. Also, current approaches to kernel design and verification developed out of concern for the problem of providing multilevel secure operation on general-purpose multi-user systems - whereas many of the present-day applications which require some form of guaranteed security are special-purpose, single-function systems [5,11,13,24,33] whose security requirements are somewhat different to those enshrined in the multilevel models. Attempts to support these applications on a conventional kernel have led to systems of considerable complexity whose verification presents difficulties that are quite at variance with the evident simplicity of the task which the system is intended to perform [2].

The purpose of this paper is to present a new approach (or, rather, a re-working of some old approaches [3,26,27]) to the design and verification of secure systems and to argue that the problems of conventional kernelized systems are thereby avoided or overcome.

The presentation is divided into four sections. In the first, I shall argue that the problems with conventional systems have their roots in the use of a security kernel which attempts to impose a single security policy over the whole system. The second section will propose that distributed systems avoid many of these difficulties and provide a more appropriate conceptual base for the design of secure systems. In such a system, the subjects of the security policy are assigned to private and physically isolated single-user machines and are able to communicate with each other and to access shared resources only through the mediation of specialised (and verified) 'trusted components' that reside in similarly isolated and dedicated machines. The overall security of such a distributed system rests partly on the physical separation of its components and partly on the critical functions performed by the trusted components. The concrete nature of the services provided by these components, and the limited interaction between them, enables their security properties to be specified and verified comparatively easily, and by existing techniques.

Next, in section 3, I shall argue that a conceptually distributed system can be supported on a single processor, while retaining its security properties, if a type of security kernel which I call a 'separation kernel' is used to simulate the distributed environment. There is absolutely no interaction between the properties required of a kernel of this type and the security properties required of the system components which it supports.

Finally, in Section 4, I shall outline a precise specification of the role of a separation kernel and sketch an appropriate method of verification which I call 'proof of separability' and which is developed formally in a companion paper to this [31]. The mathematical model which underlies this method of verification explicitly addresses the interpretive character of a security kernel and provides a sound formal basis for verifying the security relevant aspects of interrupt handling and other issues concerning the flow of control which are ignored by present methods.

1 The Problem of Trusted Processes

The primary motivation for the use of a security kernel is the desire to isolate and localise all 'security critical' software in one place - the kernel. Then, if the kernel can be proven 'secure' in some appropriate sense, all non-kernel software becomes irrelevant to the security of the system. Security kernels differ in the extent to which they are cognizant of the overall security policy of the system. Some kernels (for example, that of UCLA Secure Unix [25]) have the character of a sophisticated protection mechanism and guarantee that no object supported by the kernel may be accessed in any way unless its recorded 'protection data' explicitly permits that type of access. The task of setting up the protection data so that it enforces some overall security policy is delegated to a 'policy manager' outside the kernel. The limitation of this approach is that it is concerned only to protect the physical representations of information, rather than information itself. Thus it does not control the 'leakage' of information through covert signalling paths [15,17], nor is the notion of such 'information flow' expressible in the model [28,32] which underlies the verification of these kernels.

In military applications, all unauthorized flow of information, whether due to direct access or indirect leakage, is unacceptable and, in consequence, security kernels intended for these applications must not only enforce the security policy of the system on all non-kernel software, but must also adhere to it themselves, in order that their own internal variables may not become a channel for insecure information flow [17,20]. This implies that the kernel must enforce and obey a single, system-wide security policy. But once this approach is adopted, it is soon discovered that certain system functions cannot be accommodated within its discipline. A line-printer spooler provides a simple example of such a function: if the spooler and its spool files are at the highest security classification, then users of more lowly classification cannot inspect their own spool files - even for the innocent purpose of discovering the progress of their jobs. For this reason, it is usual for spool files to be classified at the level of their owners while the spooler continues to run at the highest level so that it may read spool files of all classifications. But then the spooler cannot delete spool files after their contents have been printed - for such action conflicts with the (kernel enforced) *-property [6] of multilevel security. In order to provide an acceptable user interface, while avoiding the proliferation of used spool files, it seems necessary that the spooler should become a 'trusted process' and be allowed to violate the *-property.

In real systems there are many functions which require the privileges of trusted processes in order to evade or override the security controls normally enforced by the kernel. In KSOS, for example, the trusted processes contain

"support software to aid the day-to-day operation of the system (e.g., secure spoolers for line printer output, dump/restore programs, portions of the interface to a packet switched communications network etc.)." [7, page 365]

Once trusted processes are admitted to the system, however, the kernel is no longer the sole arbiter of security; it is necessary to be sure that the special privileges granted to trusted processes are not abused by those processes and may not be usurped by other, untrusted, processes. In order to guarantee security, therefore, we must verify the whole of the 'trusted computing base' - that is, the combination of kernel and trusted processes. The difficulty is that existing formal models do not provide a basis for the verification of this combination: we do not know what it is that we have to prove! Landwehr, for example, observes:

"... in the final version of their model, Bell and LaPadula did include trusted processes. What is not included in their exposition is a technique for establishing when a process may be trusted." [16, page 46]

In the absence of any precise formulation of the role of trusted processes within a model of secure system behaviour, and in the absence of any formal understanding of how properties proved of trusted processes combine with those proved of a security kernel in order to establish the security of the complete system, there is no real justification for speaking of the 'verification' of the security of such systems at all.

The existence of trusted processes within kernelized systems and the attendant difficulties of verifying the security of those systems should not be attributed to deficiencies in the design of individual kernels, however. Rather:

"to a large extent they [trusted processes] represent a mismatch between the idealizations of the multilevel security policy and the practical needs of a real user environment." [7, page 365]

The true roots of the difficulties caused by trusted processes are not to be found in those processes themselves, nor in the functions which they perform, but in the conception that a security kernel should act as a centralized agent for the enforcement of a uniform system-wide security policy. Even within a system which is intended to enforce a single security policy at its external interface, the rules and restrictions that govern the behaviour of its own components cannot simply be that overall policy in microcosm, but must be particular to the function of each component and to its individual role within the larger system. The properties required of a secure line-printer spooler, for example, depend as much on the fact that it is a line-printer spooler as on the security policy that is to be enforced. We should seek a system structure that allows each component to make its own contribution to the security of the overall system and that treats all contributions equally - as befits the 'weakest link' nature of security. We should not elevate the security requirements particular to one class of components to a special status and impose them system-wide at whatever inconvenience to components with different requirements. The truth of this proposition becomes self-evident when we consider some of the specialised applications of secure systems. The ACCAT Guard provides a good example [33].

The Guard is basically a facility for the exchange of messages between a highly classified system and a more lowly one. Messages from the LOW system to the HIGH one are allowed through the Guard without hindrance, but messages from HIGH to LOW must be displayed to a human 'Security Watch Officer' who has to decide whether they may be declassified to the level of the LOW system and then allowed through. Notice that the Guard supports information flow between the LOW and HIGH systems in both directions and has to enforce different security requirements on each. It is plainly inappropriate, therefore, to base its construction on a security kernel that enforces the requirements for just one direction of transfer - yet this is exactly what has been done. The Guard is based on the KSOS kernel which enforces a multilevel security policy that permits information flow in only the LOW to HIGH direction. Consequently, the HIGH to LOW transfers have to be accomplished by trusted processes whose purpose is to get round the fundamental security principle of the KSOS kernel. It is not clear how the use of this kernel has contributed to the overall security or verifiability of the Guard and it is certainly no surprise to learn that:

"Verification of the trusted processes to be used in the Guard has consumed far more resources than originally planned." [16, page 46]

2 Security and Distributed Systems

The combination of a security kernel and trusted processes is hard to understand and even harder to verify because it does not represent a separation of concerns but a confusion of the same: neither member of the combination is independent of the properties of the other. If we are to gain a clearer understanding of the nature of secure systems, and a more compelling basis for their verification, then we should attempt to separate the properties required of a security kernel from the issues that give rise to trusted processes.

A very simple and natural - in fact obvious - model for a computer system where security does not rely upon a central mechanism (such as a security kernel) is a functionally distributed system: one whose various functions are provided by specialised individual subsystems which are physically separated from each other and provided with only limited channels for communication with one another. Once such a system structure is adopted, a lot of security problems just vanish and others are considerably simplified.

Consider, for example, the problem of providing a multilevel secure service to a number of users in which files are to be the only medium of information flow between users of different security classifications. We can imagine an idealized system in which each user is given his own private, physically isolated, single-user machine and a dedicated communication line to a common, shared file-server. The only component of this system that needs to be trusted is the file-server. Provided that single component adheres to and enforces the multilevel security policy, the security of the rest of the system follows from the physical separation of its components and the absence of direct communications paths between users of different classifications.

Now consider the file-server in more detail. It is a system dedicated to a single purpose: it supports no user programming and needs no operating system since it runs just one program - the file-server program. In order to guarantee the security of the whole system, all we need to do is to verify that single program with respect to an appropriate specification of its security requirements. It turns out that the role of a multilevel secure file-server matches the security model developed at SRI [9] (which is more than can be said of a security kernel - a point I shall return to later) and this model therefore provides both a specification for the security requirements of the file-server and the justification for its verification by the method of 'information flow analysis' [8,20,21].

We can add further shared resources to the system in just the same way as the file-server. A central printing facility, for example, can be provided by a self-contained printer-server connected to each single-user machine (and probably the file-server also) by additional, dedicated communication lines. The printer-server must obviously satisfy some security requirements. It must, for example, print the correct security classification of each job on its header page and must not print parts of one job within another, nor feed inputs from one user back to another, and so on. Furthermore, the printer-server may need to co-operate with the file-server and may require services from the file-server that are different from those provided to ordinary users (for example, the ability to delete spool files of all security classifications). Whatever the full set of requirements for a secure printer-server are, they must be, at least in part, specific to its particular function; we cannot expect the security requirements of so specialised a task to be completely expressed by, or even to be totally consistent with, some general set of properties such as the ss- and *-properties of multilevel security [6] - even though enforcement of multilevel security is the overall goal.

We are, however, in a much better position to tackle the important problem of deciding just what are the requirements for a secure printing service when all responsibility for this service is completely isolated and exposed within a self-contained component, than when it is divided, uneasily and obscurely, between a trusted process and a security kernel.

A real system will contain more security-critical functions than just file and printer-servers. There must, for example, be some additional mechanism to authenticate the identities of users as they log in to the single-user machines and to inform the file and printer-servers of the security classifications associated with each user. I contend that the security properties required of these and other critical services can best be studied if they, too, are isolated as separate, specialised components within a distributed system. The task of the system designer is then to identify and formulate the security properties that must be required of each component individually so that, in combination, they enforce the security policy required of the system overall.

Of course, sceptics will point out that this is a formidable task: the components of the system interact and cannot be studied independently of each other. The printer-server, for example, requires special services of the file-server and both of these components depend upon information provided by the authentication mechanism. But the difficulties that appear formidable here are no less so in a conventional, kernelized system: the same functions and the same interactions must be present there also - and will be no less significant, merely less visible. Furthermore, the interactions in a distributed system are between its critical components. These components have concrete tasks to perform and their interactions can also be specified concretely: we can state precisely what the special services are that the printer-server requires of the file-server and we can satisfy ourselves that the ramifications of these special services are fully understood. This is quite different to granting the line printer spooler of a kernelized system a dispensation to flout the *-property.

Although I have been using a general-purpose multi-user system as a familiar example to introduce the idea, political and economic considerations generally dictate that secure general-purpose systems should emulate some existing system - and this hampers the adoption of a radically different implementation technique. Special-purpose, single-function systems are not so constrained - and are more able and more likely, therefore, to take advantage of a 'distributed' approach to security. A design for a type of 'secure network front end' (SNFE) will serve as an illustration.

A SNFE is a device that is interposed between host machines and a network in order to provide end-to-end encryption around the network. Some of the general design issues for such a device are discussed by Auerbach [4] and a particular design is described by Barnes [5]. Basically, the issues are as follows. As well as a cryptographic device (a 'crypto') the SNFE must certainly contain components for handling the protocols, message buffering and so on required at its interfaces with the communications lines to the host on one side and the network on the other. We can call the component on the host side the 'red' component and that on the network side the 'black' component. (This terminology stems from cryptological usages.) Packets of cleartext data from the host are received by the red component and passed to the crypto from where they travel, in encrypted form, to the black component for transmission over the network. In order to allow for red-black co-operation (essentially, the exchange of packet headers), a second, unencrypted channel (the 'cleartext bypass') must also connect the red and black components.

The security requirement of the system is that user data from the host must not reach the network in cleartext form. It is therefore necessary to be sure that the red component does not use the cleartext bypass to send user data directly to the black component. The software in the red component is considered too large and complex to allow its verification and so a 'censor' is inserted into the bypass to perform rigid procedural checks on the traffic passing through - to check that it has the appearance of legitimate protocol exchanges, rather than raw cleartext. A fairly simple censor can reduce the bandwidth available for illicit communication over the bypass to an acceptable level.

Observe that the crucial issue here is not whether red and black can communicate, but what channels are available for that communication: the channels via the censor and the crypto are allowed, but there must be no others. It is not clear how this requirement could be expressed in terms of the models that underlie current conceptions of a security kernel but it is easily formulated and understood in the context of a distributed system design: the four components of the system are housed in separate, isolated boxes and connected by just the communications lines shown in the diagram. The only software which performs a security critical task in this design is that of the censor (the crypto is a trusted physical device); security is otherwise achieved by the physical distribution of the components and the physically limited communications provided between them.

[Figure: block diagram of the SNFE showing the Red and Black components, the Crypto and the Bypass]

3 Re-introducing the Security Kernel

So far I have argued that distributed systems offer a natural basis for the design of computer systems that must satisfy certain security requirements. Recent hardware developments make it feasible, for certain applications, to implement such designs directly - that is, as physically distributed systems composed of independent processors connected by external communications lines.

More commonly, however, and especially when the number of components in the distributed design is large relative to the overall scale of the system, it will be more cost-effective to implement the entire system on a single processor. In this case, the security characteristics of the distributed system must be provided by logical rather than physical mechanisms and this can be accomplished by re-introducing the concept of a security kernel, but in a different guise to that seen previously.

The overall security of a distributed system rests partly on the physical separation of its components and partly on the critical functions performed by some of those components. The role which I propose for a security kernel is simply that it should re-create, within a single shared machine, an environment which supports the various components of the system, and provides the communications channels between them, in such a way that individual components of the system cannot distinguish this shared environment from a physically distributed one. If this can be achieved, then surely the shared implementation retains all the security properties of a truly distributed system. Observe that such a kernel knows nothing of the security policy enforced by the system - that responsibility remains embedded in the critical components. And notice, too, that those critical components require no special privileges of the kernel; we have completely decoupled the properties required of the security kernel from those concerned with the larger questions of the system's overall purpose and policy.

In an ideal, physically distributed implementation, each component of the system runs on its own private and physically isolated machine. The task of a security kernel, therefore, is to provide an isolated 'virtual machine' (VM) for each component and to handle communications between these virtual machines. A kernel of this form is obviously very similar to a 'virtual machine monitor' (VMM): that is, a system which provides each of its users with a separate, simulated copy of its hardware base (VM/370 is, perhaps, the best known example of such a system). It is widely recognised that VMMs provide a suitable basis for the construction of secure systems and at least two systems have been constructed along these lines [12,26]. However, the type of kernel which I am proposing differs from a VMM in that there is no requirement for it to provide VMs which are exact copies of the base hardware (or even for all the VMs to be alike) - but there is a requirement for it to provide communications channels between some of its VMs. In order to avoid confusion with established terminology, I shall call this new type of security kernel a 'separation kernel' and I shall speak of the VMs which it supports as 'regimes.'

The next step is to deduce a precise statement of the security properties required of a separation kernel and to develop a technique for verifying these properties. Before doing so, however, it seems best to assist the reader's intuition and to provide some motivation by outlining the design of a particular separation kernel.

An Example

The separation kernel concerned is an operational one known as the 'Secure User Environment' (SUE). It runs on a PDP-11/34 and was designed and constructed by T4 Division of the Royal Signals and Radar Establishment at Malvern, England, in order to support applications similar to the SNFE described earlier. One of the chief design aims of the SUE was that it should be minimally small and very simple [5]. (The SDC Communications Kernel [11] is a similar system, though rather more complex.)

Because the SUE is only required to provide a fixed (and small) number of regimes, each of which executes a fixed (and small) program, there is no need for it to support paging or virtual memory management as found in the kernels of general-purpose systems such as KVM/370 [12]. Instead, a much simpler memory resident system is possible in which each regime is permanently allocated to a fixed partition of real memory while the SUE itself occupies another fixed partition. The SUE manipulates the memory management features of the PDP-11/34 in order to arrange for its own protection and the mutual isolation of its regimes.

In order to further reduce its size and simplify its design, the SUE performs no scheduling functions. Regimes are given control on a round-robin basis and execute until they suspend voluntarily (via a SWAP call to the SUE). Because the whole system is dedicated to a single function, 'denial of service' is not a security problem (although it is clearly a reliability issue).

Input/output via Direct Memory Access (DMA) poses a security threat on most machines (including PDP-11s) since it uses absolute addresses and thereby evades the protection of the memory management hardware. For this reason, conventional kernels must handle or mediate all I/O operations and this is a source of significant complexity in their design. The SUE adopts a far more ruthless approach: DMA is permanently excluded from the system. (The efficiency problems this might seem to cause are overcome by the use of special-purpose hardware [18].) With DMA excluded from the system, almost all responsibility for I/O can be removed from the SUE since the memory management of a PDP-11 allows device registers to be protected just like ordinary memory locations. Each device supported by the system is permanently and exclusively allocated to a fixed regime and its device registers are located in the address space of that regime. Responsibility for each device then rests with the regime which controls its device registers. The only responsibility of the SUE with respect to I/O activity is to field interrupts (since the hardware vectors these through kernel address space) and pass them on to the appropriate regime for handling. Return from interrupts similarly requires minor assistance from the SUE.

Apart from the provision of the communications channels that are required between certain regimes, this description has summarised just about the whole of the SUE. Readers will appreciate that, in comparison with a conventional security kernel, the SUE is indeed small and simple. (It occupies about 5K words, including all stack and data space.) What we seek now is a verification technique that exploits this simplicity in order to provide perspicuous and compelling evidence of the SUE's security.

4 Verification

The task of a separation kernel is to create an environment which is indistinguishable from that provided by a physically distributed system: it must appear as if each regime is a separate, isolated machine and that information can only flow from one machine to another along known external communications lines. One of the properties we must prove of a separation kernel, therefore, is that there are no channels for information flow between regimes other than those explicitly provided. In the case of the SNFE described earlier, for example, there must be no direct channels between the red and black regimes - although the channels via the crypto and the censor are quite legitimate. By allowing certain channels and demanding the absence of all others, we create a rather difficult verification problem. It would be much easier to demand the absence of all channels - that would correspond to a policy of isolation and seems a more reasonable candidate for verification. Analogy with a physically distributed system suggests how the original problem can be simplified in this way: if we cut the communication channels that are allowed, then, provided there are no illicit channels present, the components of the system will become completely isolated from one another. It now remains to discover how to 'cut' communication lines that are not physical wires but properties of the kernel software.

The solution to this problem is easily seen once we consider how communication is actually accomplished in software - by the use of shared objects. If regimes A and B have a communication channel between them, then there must, at bottom, be some shared object, say X, which the sender can write and the receiver can read. If we now replace all of A's references to X by references to a new object, X1, and all of B's references to X by references to another new object, X2, then this is equivalent to 'cutting' the communication channel represented by X, with X1 and X2 taking the parts of the two 'ends' produced by the cut. If, following this 'cutting' of the 'X channel,' we are able to demonstrate that the A and B regimes have become isolated, then it follows that this was the only channel between them.

This is an indirect argument and may appear specious to some: we prove a property (isolation) of one system (that with its 'wires cut') and infer another property (absence of illicit channels) of a different system. However, if the differences between the two systems are of the very limited, controlled form that I have described (involving only the 'aliasing' of certain names), so that the consequences of the differences between them may be understood completely, then, surely, the technique is sound. (For more extended discussion, and an example of the application of the technique, see [30].)

We now need a method for proving that a separation kernel (with its 'wires cut') enforces isolation on its regimes: we must prove the total absence of any information flow from one regime to another. The technique which has been used to verify secure information flow in kernels constructed by the Mitre Corporation [20] and in KSOS [7,10], and which seems to be widely accepted, is known as 'information flow analysis' (IFA) [21] - sometimes also called 'security flow analysis.' It might be thought that this will also provide a satisfactory technique for verifying a separation kernel. But this is not so.

One reason for this is that IFA cannot verify some of the machine-level manipulations that must be performed by a separation kernel - the SWAP operation provides a simple example.

Consider a separation kernel supporting just two regimes, identified as RED and BLACK. When the RED regime is executing, it may relinquish the CPU by performing a SWAP operation. The effects of this operation must include the saving of the current contents of the general registers in a RED save area, and their reloading with values from a BLACK save area. Verification by IFA requires that operations invoked by RED may only access RED values - but it is evident that the SWAP operation must access both RED and BLACK values. It follows that IFA cannot verify the security of a SWAP operation, even though it is manifestly secure (see [30] for more extended discussion and some worked examples). The cause of this failure is that IFA is a syntactic technique: it is concerned only with the security classifications ('colours') of variables, not their values. This deficiency can be overcome by applying IFA to a high-level specification of the kernel (in which, for example, each regime is provided with its own set of general registers) rather than to the kernel implementation itself. The security of the implementation can then be established by showing it to be a correct implementation of the secure high-level specifications [23]. In conventional practice, however, this second stage is not performed. For KSOS, for example, only 'illustrative' proofs of the implementation were provided [7].

Because the KSOS kernel contains, among other things, a mechanism to support a multilevel secure file system, verification of the security of its high-level specifications is a significant task. It would be vastly more difficult and hugely expensive to verify the correctness of its implementation as well. Using a separation kernel, however, issues such as the verification of a multilevel file-server are factored out and handled separately from the verification of the kernel. Almost the entire activity of a separation kernel is concerned with the detailed management of features of the base hardware. In order to apply IFA, we must abstract away from these details and provide a high-level specification - whose verification would amount to little more than exhibiting a tautology. Almost the whole burden of verifying the security of the real kernel would then fall to the 'correctness' stage. While this procedure may be sound, it is very indirect and fails to provide one of the principal benefits we should desire of a kernel verification technique: a sharpened understanding of the issues that determine a kernel's 'security.'

A more conclusive argument against IFA as a verification technique for separation kernels is that it is incomplete: it does not address matters concerning the flow of control - in particular, the handling of interrupts. Recall that the SUE kernel does very little except field interrupts and allow one regime to swap control to another - and IFA provides no basis for the verification of these important and tricky matters. Questions relating to control flow cannot even be formulated within the mathematical model [9] that justifies IFA as a verification technique. In fact, it is doubtful whether that model really provides a sound basis for the verification of any sort of security kernel - but then it was not formulated for that purpose. Feiertag's model was intended to provide a basis for verifying the 'Secure Object Manager' (SOM) of PSOS [22] - for which purpose it is eminently suitable. The model formulates a specification of multilevel security for a system which consumes inputs that are tagged with their security classifications and produces similarly tagged outputs. 'Ordinary' programs, such as the SOM or a file-server, are sound interpretations of this model. But a kernel is different. A kernel is essentially an abstract interpreter - it behaves like a hardware extension and executes instructions on behalf of its regimes. The identity of the regime on whose behalf it is operating at any time is not indicated by a tag affixed to the instruction by some external agent, but is determined by the kernel's own state.

To provide a sound basis for the verification of a kernel, we really need a model that captures its essential characteristics more completely and realistically. Robinson, one of those responsible for the verification of KSOS, has observed:

"Despite current successes in proving that a given piece of kernel software provides security, it cannot be proven with existing techniques that there is no way to circumvent that piece of software. The answer may be to add some explicit notion of interpretation to the state machine model. This extended model would make it possible to address such concerns as parallelism, language semantics, and interrupt handling." [29]

A model with some of these characteristics is described in a companion paper to this [31] and is used to justify a new method for verifying kernels which enforce the policy of isolation. An informal explanation of this method is given in the next section.

Proof of Separability

The purpose of a separation kernel is to simulate a distributed environment. To the software in each regime, the environment provided by a separation kernel should be indistinguishable from that of an isolated machine dedicated to its private use. We can call this imaginary, private machine the 'abstract' machine for that regime, while the single, shared system that is actually available is called the 'concrete' machine. What we desire, for security, is that each regime's view of the concrete machine should exactly coincide with its own abstract machine. A similar requirement expresses the 'correctness' criterion for implementations of abstract data types. This latter criterion may be formulated precisely in terms of an 'abstraction function' [14]: that is, a function which maps from concrete to abstract states. The interesting feature of a separation kernel is that it is required to support several different abstractions simultaneously (a separate one for each regime) and it seems natural, therefore, to formulate the properties required of it in terms of multiple abstraction functions.

Take the simple case of a system supporting just two regimes - RED and BLACK. The abstraction function REDABS will map the states of the concrete machine into those of RED's abstract machine, while BLACKABS does likewise for BLACK. Now suppose the concrete machine performs some operation, COP, on behalf of the RED regime. We must require that the effects of this operation, as perceived by the RED regime, are just as if some operation REDOP had been performed by the RED abstract machine. Thus, if execution of COP takes the concrete machine from an initial state x to a final state y, we demand that REDABS(y) is exactly the same state of the RED abstract machine as that which results from applying the abstract operation REDOP to the abstract state REDABS(x). In other words, we require the following diagram to commute:

[Figure: commutative diagram with COP along the bottom, REDABS on both vertical arrows and REDOP along the top]

This condition ensures that the regime which is currently 'active' on the concrete machine cannot distinguish its actual environment from that of its abstract machine. But it is also crucial that the execution of a concrete operation on behalf of the active regime should not affect the state of the machine perceived by currently 'inactive' regimes. For isolation between RED and BLACK, therefore, we require that the concrete state transition from x to y caused by executing COP on behalf of RED should cause no corresponding change in the states of inactive regimes. That is, we require that BLACKABS(x) = BLACKABS(y), or in diagrammatic form:

[Figure: commutative diagram relating COP and the two BLACKABS arrows]

Because I/O devices can directly observe and change aspects of the concrete machine's internal state (by reading and writing its device registers, for example), and can also influence its instruction sequencing mechanism (by raising interrupts), the activity of these devices is relevant to security. Consequently, we must impose conditions on their behaviour. Expressed informally (and only from the RED regime's point of view), these conditions are:

a) If REDABS(x) = REDABS(y) and activity by a RED I/O device changes the state of the concrete machine from x to x', and the same activity will also change it from y to y', then REDABS(x') = REDABS(y') (i.e., state changes in the RED regime caused by RED I/O activity must depend only on the activity itself and the previous state of the RED regime).

b) If activity by a non-RED I/O device changes the state of the concrete machine from x to y, then REDABS(x) = REDABS(y) (i.e., non-RED I/O devices cannot change the state of the RED regime).

c) If REDABS(x) = REDABS(y), then any outputs produced by RED I/O devices must be the same in both cases.

d) If REDABS(x) = REDABS(y), then the next operation executed on behalf of the RED regime must also be the same in both cases.

Conditions a) and b) above are the analogues, for I/O devices, of the conditions imposed on CPU operations by the commutative diagrams given earlier. All six conditions (the four above and the two expressed in the commutative diagrams) constitute the basis for a kernel verification technique which I call 'proof of separability.' A more precise statement of the six conditions may be found in the Appendix to this paper. A formal derivation of the six conditions, which attempts to demonstrate that they are exactly the right conditions, is given in [31], while the relationship between this method and verification by IFA is examined in [30], which also contains a small example of the application of the method. Description of a more realistic series of example applications is currently in preparation.

'Proof of Separability' seems to be technically superior to other methods for security kernel verification since it is based on a more realistic model and can address all the important issues, including those relating to interrupts, quite naturally. Also, it corresponds to a straightforward intuition about what security 'is' and encourages

are invisible to all other regimes).
capableofcompletedescriptionintermsoftheobjectsknowntothatregime(and thekerneldesignertoexaminehissystemfromtheviewpointofeachindividual regimeinordertoensurethattheresultsofeveryactioninvokedbyaregimeare Conclusion IhaveproposedanapproachtothedesignandvericationofsecuresystemswhichI suggestisparticularlyappropriatetosmallspecial-purposeapplications.iadvocate 16

17 achievedpartlybythephysicalseparationoftheindividualcomponentsandpartly thatsecuresystemsshouldbeconceivedasdistributedsystemsinwhichsecurityis bythetrustedfunctionsperformedbysomeofthosecomponents.thetaskof specifyingandverifyingthepropertiesrequiredofthetrustedcomponentsinorder toachieveoverallsecurityshouldbetackledatthislevelofabstractionandonthe assumptionthatcomponentsarephysicallyisolatedfromoneanother.thepurpose ofasecuritykernelissimplytoallowsucha`distributed'systemtoactuallyrun withinasingleprocessor:itsroleistoprovideeachcomponentofthesystemwith anenvironmentwhichisindistinguishablefromthatwhichwouldbeprovidedbya canbehandledbyseparatevirtualmachinescanbetracedbacktoanderson[3]. of`levelsofkernels'[26,27]whiletheideathatthemanagementofsharedresources securitykernel.thereissomesimilaritybetweentheseproposalsandpopek'snotion trulyandphysicallydistributedsystem.policyenforcementisnottheconcernofa vericationofthecomponentswhichperformtrustedfunctionsfromtheverication ofthesecuritykernel.thislattertaskmaybeaccomplishedbyanewverication techniquewhichicall`proofofseparability.' Thisapproachachievesaseparationofconcernsbycompletelydecouplingthe securityisbasedonsimplermechanismsandwhosevericationiscorrespondingly simpler,morecompleteandmorecompellingthanisthecaseatpresent. Applicationofthesetechniquesshouldassistthedevelopmentofsystemswhose Separability.'Thestatementisexpressedintermsofaparticularformalmodelfor AThisappendixgivesamoreprecisestatementofthesixconditionsfor`Proofof Appendix fortheparticularchoiceofconditionsdeningproofofseparabilitymaybefound in[31]. 
completedescription,togetherwithargumentsforitssuitabilityandjustication computersystems.spacepermitsonlyatersedescriptionofthemodelhere;amore onthosestates.thesysteminteractswithitsenvironmentbyconsumingelements ofasetiofinputsandproducingelementsofasetoofoutputs.ateachtimestep, thesystememitsanoutputandchangesstate.theoutputemitteddependsupon ThemodelcomprisesanitesetSofstatesandasetOPSS!Sofoperations thesystem'sstateandthisactionismodelledbythefunctionoutput:s!o. selectionmechanismismodelledbythefunctionnextop:s!ops.thus,if andthesecondbytheselectionandexecutionofanoperation.theeectofreceiving aninputismodelledbythefunctioninput:si!s,whiletheoperation Statechangesoccurintwostages:therstiscausedbythereceiptofaninput, thecurrentstateofthesystemissandthecurrentvalueoftheinputavailablefrom theenvironmentisi,thesystemwillemittheoutputoutput(s)andmovetothe 17

18 of`colours.'exactlyoneuseris`active'atanytime:heistheuseruponwhose consumptionoftheinputi. statenextop(s)(s),wheres=input(s;i)istheintermediatestateresultingfrom dependsuponthestateofthesystemattheinstantwhenanoperationisselected behalfinstructionsarecurrentlybeingexecuted.theidentityoftheactiveuser Asharedsystemsupportsanumberof`users'whoareidentiedwithasetC usedtopickoutcomponentsofaparticularcolour.thus,whenc2c,i2i,and ponentswhichare`private'toeachuser.theprojectionfunctionextractis forexecution.itisdeterminedbythefunctioncolour:s!c. o2o,extract(c;i)andextract(c;o)denotethec-colouredcomponentsof Theinputsandoutputsofasharedsystemarecomposedofindividualcom- theinputiandtheoutputorespectively. usermustbecompletelyconsistentwiththatwhichcouldbeprovidedbyanonsharedsystemdedicatedtohisexclusiveuse.thisisachievedifeachuserc2c Forasharedsystemtobesecure,theinput/outputbehaviourperceivedbyeach canproduceasetscofc-coloured`abstractstates'andasetopscsc!scof c-coloured`abstractoperations,'togetherwith`abstractionfunctions' and ABOPc:OPS!OPSc c:s!sc whichsatisfy,8c2c;8s;s02s;8op2ops;8i;i02i: 1)COLOUR(s)=cc(op(s))=ABOPc(op)(c(s)), 2)COLOUR(s)6=cc(op(s))=c(s), 5)c(s)=c(s0) 4)EXTRACT(c;i)=EXTRACT(c;i0)c(INPUT(s;i))=c(INPUT(s;i0)), 3)c(s)=c(s0)c(INPUT(s;i))=c(INPUT(s0;i)), 6)COLOUR(s)=COLOUR(s0)=c^c(s)=c(s0) NEXTOP(s)=NEXTOP(s0). EXTRACT(c;OUTPUT(s))=EXTRACT(c;OUTPUT(s0)), Conditions1)and2)correspondtothetwocommutativediagramsinthetext,while conditions3)to6)correspondtothoselabelleda)tod)inthetext. ThesearetheformalstatementsofthesixconditionsforProofofSeparability. 18
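The six conditions of the Appendix can be checked exhaustively on a small finite model. The following is an added example, not code from the paper: the two-regime toy kernel, its operations (work, yield_), the state-space size N and the three deliberately faulty variants are all constructed assumptions chosen so that each fault breaks exactly one condition.

```python
from itertools import product

RED, BLACK = "RED", "BLACK"
COLOURS = (RED, BLACK)
IDX = {RED: 0, BLACK: 1}
N = 8  # size of each regime's private state space (constructed value)

# Concrete state s = (red_private, black_private, active_colour).
S = [(r, b, a) for r in range(N) for b in range(N) for a in COLOURS]
# Input i = (red_component, black_component): device activity per regime.
I = list(product((0, 1), repeat=2))

def extract(c, io): return io[IDX[c]]            # EXTRACT(c, i) / EXTRACT(c, o)
def phi(c, s): return s[IDX[c]]                  # abstraction function for c
def colour(s): return s[2]                       # COLOUR : S -> C
def output(s): return (s[0] % 2, s[1] % 2)       # OUTPUT : S -> O
def other(c): return BLACK if c == RED else RED

def _set(s, c, value, active=None):
    """Copy of s with regime c's private part replaced (mod N)."""
    priv = [s[0], s[1]]
    priv[IDX[c]] = value % N
    return (priv[0], priv[1], active or s[2])

# Concrete operations (members of OPS): each acts for the active regime.
def work(s):
    c = colour(s)
    return _set(s, c, 3 * phi(c, s) + 1)

def yield_(s):  # advance the active regime, then hand control to the other
    c = colour(s)
    return _set(s, c, phi(c, s) + 1, active=other(c))

def leaky_work(s):  # FAULTY: also flips a bit in the inactive regime
    c = colour(s)
    t = work(s)
    return _set(t, other(c), phi(other(c), t) ^ (phi(c, s) & 1))

# ABOP^c: what each concrete op looks like on c's abstract machine.
_abstract = {work: lambda x: (3 * x + 1) % N,
             yield_: lambda x: (x + 1) % N,
             leaky_work: lambda x: (3 * x + 1) % N}
ABOP = {c: dict(_abstract) for c in COLOURS}

def input_(s, i):        # each device touches only its own regime
    return ((s[0] + i[0]) % N, (s[1] + i[1]) % N, s[2])

def leaky_input(s, i):   # FAULTY: BLACK's device also disturbs RED's state
    return ((s[0] + i[0] + i[1]) % N, (s[1] + i[1]) % N, s[2])

def nextop(s):           # selection depends only on the active regime
    return work if phi(colour(s), s) % 2 == 0 else yield_

def leaky_nextop(s):     # FAULTY: scheduling depends on both regimes
    return work if (s[0] + s[1]) % 2 == 0 else yield_

def check_separability(ops, abop, input_fn, nextop_fn, output_fn=output):
    """Return the sorted condition numbers (1-6) violated by the model."""
    failed = set()
    for c in COLOURS:
        for s in S:
            for op in ops:
                t = op(s)
                if colour(s) == c:
                    if phi(c, t) != abop[c][op](phi(c, s)):
                        failed.add(1)
                elif phi(c, t) != phi(c, s):
                    failed.add(2)
            for i, i2 in product(I, I):
                if (extract(c, i) == extract(c, i2) and
                        phi(c, input_fn(s, i)) != phi(c, input_fn(s, i2))):
                    failed.add(4)
        for s, s2 in product(S, S):
            if phi(c, s) != phi(c, s2):
                continue  # conditions 3, 5, 6 only constrain equal views
            if any(phi(c, input_fn(s, i)) != phi(c, input_fn(s2, i)) for i in I):
                failed.add(3)
            if extract(c, output_fn(s)) != extract(c, output_fn(s2)):
                failed.add(5)
            if colour(s) == colour(s2) == c and nextop_fn(s) is not nextop_fn(s2):
                failed.add(6)
    return sorted(failed)

if __name__ == "__main__":
    print("sound kernel   :", check_separability([work, yield_], ABOP, input_, nextop))
    print("leaky operation:", check_separability([work, yield_, leaky_work], ABOP, input_, nextop))
    print("leaky device   :", check_separability([work, yield_], ABOP, leaky_input, nextop))
    print("leaky scheduler:", check_separability([work, yield_], ABOP, input_, leaky_nextop))
```

The leaky scheduler is the case information flow analysis cannot express: no operation writes across regimes, yet control flow depends on the other regime's state, and condition 6 catches it.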

References

[1] S. R. Ames Jr. Security kernels: A solution or a problem? In Proceedings of the Symposium on Security and Privacy, pages 141–150, Oakland, CA, April 1981. IEEE Computer Society.

[2] S. R. Ames Jr. and J. G. Keeton-Williams. Demonstrating security for trusted applications on a security kernel base. In Proceedings of the Symposium on Security and Privacy, pages 145–156, Oakland, CA, April 1980. IEEE Computer Society.

[3] J. P. Anderson. Systems architecture for security and protection. In C. R. Renninger, editor, Approaches to Privacy and Security in Computer Systems, pages 49–50. NBS Special Publication 404, GPO SD Catalog No. C13.10:404, Washington, D.C., 1974.

[4] K. Auerbach. Secure personal computing (technical correspondence). Communications of the ACM, 23(1):36–37, January 1980.

[5] D. H. Barnes. Computer security in the RSRE PPSN. In Networks '80, pages 605–620. Online Conferences, June 1980.

[6] D. E. Bell and L. J. LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR, Mitre Corporation, Bedford, MA, March 1976.

[7] T. A. Berson and G. L. Barksdale Jr. KSOS - development methodology for a secure operating system. In National Computer Conference, volume 48, pages –371. AFIPS Conference Proceedings, 1979.

[8] D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504–513, July.

[9] R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57–65, November 1977.

[10] Ford. KSOS verification plan. Technical Report WDL-TR-7809, Ford Aerospace and Communications Corporation, Palo Alto, CA, March 1978.

[11] D. L. Golber. The SDC communications kernel, August 1981. Presented at DoD Computer Security Industry Seminar.

[12] B. D. Gold et al. A security retrofit of VM/370. In National Computer Conference, volume 48, pages 335–344. AFIPS Conference Proceedings, 1979.

[13] A. Hathaway. LSI guard system specification (type A). Technical Report Draft, MITRE Corporation, Bedford, MA, July 1980.

[14] C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica, 1:271–281, 1972.

[15] B. W. Lampson. A note on the confinement problem. Communications of the ACM, 16(10):613–615, October 1973.

[16] C. E. Landwehr. Assertions for verification of multilevel secure military message systems. ACM Software Engineering Notes, 5(3):46–47, July 1980.

[17] S. B. Lipner. A comment on the confinement problem. In Fifth ACM Symposium on Operating System Principles, pages 192–196. ACM, 1975.

[18] A. F. Martin and J. K. Parks. Intelligent X25 level 2 line units for packet switching. In Networks '80, pages 371–384. Online Conferences, 1980.

[19] E. J. McCauley and P. J. Drongowski. KSOS - the design of a secure operating system. In National Computer Conference, volume 48, pages 345–353. AFIPS Conference Proceedings, 1979.

[20] J. K. Millen. Security kernel validation in practice. Communications of the ACM, 19(5):243–250, May 1976.

[21] J. K. Millen. Operating system security verification. Technical Report M79-223, MITRE Corporation, Bedford, MA, September 1979.

[22] P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N. Levitt, and L. Robinson. A provably secure operating system: The system, its applications, and proofs. Technical report, SRI International, May 1980. Second Edition, Report CSL-

[23] P. G. Neumann et al. Software development and proofs of multi-level security. In Proc. 2nd International Conference on Software Engineering, pages 421–428, San Francisco, CA, 1976.

[24] M. A. Padlipsky, K. J. Biba, and R. B. Neely. KSOS - computer network applications. In National Computer Conference, volume 48, pages 373–381.

[25] G. J. Popek et al. UCLA secure UNIX. In National Computer Conference, volume 48, pages 355–364. AFIPS Conference Proceedings,

[26] G. J. Popek and C. S. Kline. A verifiable protection system. In Proc. International Conference on Reliable Software, pages 294–304, Los Angeles, CA,


More information

Information for members about the Lifetime Allowance charge

Information for members about the Lifetime Allowance charge Information for members about the Lifetime Allowance charge Introduction The value of your pension benefits that exceed the Lifetime Allowance (LTA) are subject to a LTA charge at the time benefits are

More information

Regency TAFE, SA. An evaluation of the effects of PermaFrost treatment on a Fujitsu Heat Pump. July 2008. Prepared by

Regency TAFE, SA. An evaluation of the effects of PermaFrost treatment on a Fujitsu Heat Pump. July 2008. Prepared by Regency TAFE, SA An evaluation of the effects of PermaFrost treatment on a Fujitsu Heat Pump July 2008 Prepared by Andrew Pang Andrew Pang & Associates Pty Ltd Phone: 0438 188 180 Facsimile: 9331 0898

More information

How to Use SimClam CMS 1500 Practice Software

How to Use SimClam CMS 1500 Practice Software Note: these instructions are for the version of SimClaim that appears in Green s Understanding Health Insurance, 12 th edition, and Clack/Renfroe, Medical Billing 101, 2 nd Edition CONTENTS How to Access

More information

Appendix A Business Impact Assessment

Appendix A Business Impact Assessment Stopping cash payments at Forde House and Forde Road offices Business Impact Assessment December 2015 1 Appendix A Business Impact Assessment Business Impact Assessment Proposal: To stop taking cash payments

More information

Details and the software-download are available at: www.telebanking-mbs.at.

Details and the software-download are available at: www.telebanking-mbs.at. Details and the software-download are available at: www.telebanking-mbs.at. Please note the hard- and software-requirements. It is required to run the installation as administrator. 2013 telebanking Helpdesk

More information

KeyEscrowinMutuallyMistrustingDomains?

KeyEscrowinMutuallyMistrustingDomains? KeyEscrowinMutuallyMistrustingDomains? Abstract.Inthispaperwepresentakeyescrowsystemwhichmeets L.Chen,D.GollmannandC.J.Mitchell possiblerequirementsforinternationalkeyescrow,wheredierentdomainsmaynottrusteachother.inthissystemmultiplethirdparties,

More information

Security in Electronic Payment Systems

Security in Electronic Payment Systems Security in Electronic Payment Systems Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich e-mail: {camenisch, stadler}@inf.ethz.ch

More information

Office for Oregon Health Policy and Research. Health Insurance Coverage in Oregon 2011 Oregon Health Insurance Survey Statewide Results

Office for Oregon Health Policy and Research. Health Insurance Coverage in Oregon 2011 Oregon Health Insurance Survey Statewide Results Office for Oregon Health Policy and Research Health Insurance Coverage in Oregon 2011 Oregon Health Insurance Survey Statewide Results September 2011 Table of Contents Executive Summary... ii 2011 Health

More information

Policy impediments to expanding access to online courses

Policy impediments to expanding access to online courses Title: Date: Policyimpedimentstoexpandingaccesstoonlinecourses June2009 Question:WhatarethepolicyimpedimentstoexpandingaccessforK 12 studentstoonlinecoursesincalifornia? Response: Toansweryourquestion,weconductedaliteraturesearch

More information

HILARY S WHOLESALE LIMITED HILARY S FOOD HYGIENE AND FOOD SAFETY QUALITY CONTROL STATEMENT

HILARY S WHOLESALE LIMITED HILARY S FOOD HYGIENE AND FOOD SAFETY QUALITY CONTROL STATEMENT HILARY S WHOLESALE LIMITED HILARY S FOOD HYGIENE AND FOOD SAFETY QUALITY CONTROL STATEMENT This is the Food Hygiene and Food Safety Statement of Hilary s Wholesale Limited. Under the Food Hygiene (England)

More information

HSG Engineering Tech Bulletin

HSG Engineering Tech Bulletin Specifications subject to change OCT 2013; Rev. 1.3 HSG Engineering Tech Bulletin Recommended RS-485 Wiring for NetAXS-4/NetAXS-123 Loops Overview This document provides the recommended RS-485 wiring for

More information

Scheme Requirements. www.cscs.uk.com

Scheme Requirements. www.cscs.uk.com www.cscs.uk.com 13th revision - Dec 2014 Contents 1.0 Governance 2.0 Purpose of the Scheme 3.0 Scheme Aims 4.0 Scope 5.0 Occupations Covered 6.0 Types of Card Available 7.0 Health and Safety 8.0 Red Cards

More information

The MILS Component Integration Approach To Secure Information Sharing

The MILS Component Integration Approach To Secure Information Sharing The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar

More information

timeout StoR!msg0 RtoS?ack0

timeout StoR!msg0 RtoS?ack0 c1997kluweracademicpublishers,boston.manufacturedinthenetherlands. FormalMethodsinSystemDesign,,?{??(1997) SymbolicVericationofCommunication ProtocolswithInniteStateSpacesusingQDDs queues.itiswell-knownthatmostinterestingvericationproblems,suchasdeadlockdetection,

More information

Appendix 2-7: Temporary Modifications in Regulation Schedules in Water Year 2011

Appendix 2-7: Temporary Modifications in Regulation Schedules in Water Year 2011 2012 South Florida Environmental Report Appendix 2-7 Appendix 2-7: Temporary Modifications in Regulation Schedules in Water Year 2011 Chandra Pathak 1 A. Temporary Regulation Modifications Due to Construction

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

CONSTRUCTION SKILLS REGISTER HANDBOOK

CONSTRUCTION SKILLS REGISTER HANDBOOK CONSTRUCTION SKILLS REGISTER HANDBOOK CONTENTS INTRODUCTION Benefits of CSR 1 Supporters of CSR 1 How to apply for a CSR Card 1 Occupations available 1 Card Types 2-4 FURTHER INFORMATION CSR Plant Operator

More information

Policy 40 Trust Funds

Policy 40 Trust Funds Policy 40 Trust Funds Owner: ILF Scotland Subject: Trust Funds Version: 1.0 Last Amended: 1 July 2015 Date Reviewed: Next Review: 1 May 2016 Introduction 1.1 This policy applies to all existing users.

More information

c360 SharePoint Integration User Guide Microsoft Dynamics CRM 4.0 compatible c360 Solutions, Inc.

c360 SharePoint Integration User Guide Microsoft Dynamics CRM 4.0 compatible c360 Solutions, Inc. c360 SharePoint Integration User Guide Microsoft Dynamics CRM 4.0 compatible c360 Solutions, Inc. Products@c360.com www.c360.com c360 Solutions All Rights Reserved Contents c360 SharePoint Integration...

More information

New Energy-Efficiency Home and Vehicle Tax Credits. Energy Efficiency Can Lower Your Federal Tax Bill as Well as Your Energy Bills

New Energy-Efficiency Home and Vehicle Tax Credits. Energy Efficiency Can Lower Your Federal Tax Bill as Well as Your Energy Bills New Energy-Efficiency Home and Vehicle Tax Credits Energy Efficiency Can Lower Your Federal Tax Bill as Well as Your Energy Bills 1. Introduction to Tax Credits 2. Tax Credit Examples 3. Hybrid Vehicle

More information

Institutional Investor Group Exchange Form

Institutional Investor Group Exchange Form Institutional Investor Group Exchange Form Please print clearly in capital letters and black ink. This form is to be used to request the exchange of shares between funds in identically registered accounts

More information

Big Ideas Math. Log Race

Big Ideas Math. Log Race Eponential and Logarithmic Functions Big Ideas Math Log Race u Materials: 6-sided die Game board chips Game cards Paper Pencil u Directions: Students pla in teams of plaers. Plaers take turns rolling the

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

STRATEGIC PLANNING SYSTEM. User Manual for Submission of Priorities, Objectives, and Strategies

STRATEGIC PLANNING SYSTEM. User Manual for Submission of Priorities, Objectives, and Strategies STRATEGIC PLANNING SYSTEM User Manual for Submission of Priorities, Objectives, and Strategies Presented by the Office of Institutional Effectiveness April 2014 Overview The strategic planning effort is

More information

link2 token, claim link4 token

link2 token, claim link4 token IF:AnIntermediateRepresentationforSDL Krimma,LaurentMounieraandJosephSifakisa MariusBozgaa,Jean-ClaudeFernandezb,LucianGhirvua,SusanneGrafa,Jean-Pierre anditsapplications averimag,centreequation,2avenuedevignate,f-38610gieres,

More information

How To Allow and Block Emails using White or Black List

How To Allow and Block Emails using White or Black List How To Allow and Block Emails using White or Black List Applicable Version: 10.00 onwards Overview Cyberoam s Anti Spam detects Spam mails by checking IP addresses, Domain, Email addresses or RBL (Real-time

More information

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper Tetsu Iwata Department of Computer and Information Sciences, Ibaraki University 4 12 1 Nakanarusawa, Hitachi, Ibaraki 316-8511,

More information

How to Hire Student Assistants HR 9.0

How to Hire Student Assistants HR 9.0 How to Hire Student Assistants HR 9.0 IRT Service Desk January 4, 2012 916.278.7337 AIRC 2005 www.csus.edu/irt/servicedesk Overview In this document you will learn how to perform initial and concurrent

More information

Appendix: Posters from Forum. Lawrence-Allen Revitalization Community Forum April 28, 2011 Page 33

Appendix: Posters from Forum. Lawrence-Allen Revitalization Community Forum April 28, 2011 Page 33 Appendix: Posters from Forum Lawrence-Allen Revitalization Community Forum April 28, 2011 Page 33 Lawrence-Allen Revitalization Community Forum April 28, 2011 Page 34 STATION 1: LAWRENCE-ALLEN REVITALIZATION

More information

Document Administration

Document Administration Contents Vendor Document Workflow Managing the Lifecycle of a Document Collaborating, Editing, and Executing a Document Key Takeaway Points Appendix: Process 2 Introduction As a Document Administrator

More information

Application for Health Coverage & Help Paying Costs

Application for Health Coverage & Help Paying Costs Application for Health Coverage & Help Paying Costs Use this application to see what coverage you qualify for You may qualify for a free or low cost program even if you earn as much as 94,000 a year (for

More information

Software security, by the numbers. October 20, 2015

Software security, by the numbers. October 20, 2015 Software security, by the numbers October 20, 2015 Why are we here? 2 Chris Wysopal, CTO & Co-Founder 15+ years focused solely on application security One of the original security researchers from mid

More information

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME-05-2012-01 Rev. A

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME-05-2012-01 Rev. A WiNG 5.X How To Policy Based Routing Cache Redirection Part No. TME-05-2012-01 Rev. A MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark

More information