Size: px
Start display at page:

Download ""

Transcription

1 Reprintofapaperpresentedatthe8thACMSymposiumonOperatingSystem Principles,PacicGrove,California,14{16December1981.(ACMOperating DesignandVericationofSecureSystems SystemsReviewVol.15No.5pp.12-21) ComputerScienceLaboratory MenloParkCA94025USA SRIInternational JohnRushby kernelizedsecuresystemsandsuggestsnewtechniquesfortheirresolution. Thispaperreviewssomeofthedicultiesthatariseinthevericationof Itisproposedthatsecuresystemsshouldbeconceivedasdistributedsystems Abstract individualcomponentsandpartlythroughthemediationoftrustedfunctions inwhichsecurityisachievedpartlythroughthephysicalseparationoftheir performedwithinsomeofthosecomponents.thepurposeofasecuritykernel issimplytoallowsucha`distributed'systemtoactuallyrunwithinasingle processor;policyenforcementisnottheconcernofasecuritykernel. issuesignoredbypresentmethods. explicitlyaddressesthesecurityrelevantaspectsofinterrupthandlingandother functionsfromvericationofthesecuritykernel.thislattertaskmaybe accomplishedbyanewvericationtechniquecalled`proofofseparability'which Thisapproachdecouplesvericationofcomponentswhichperformtrusted NewcastleuponTyne,England,andwassponsoredby(whatwasthen)theRoyalSignalsRadar Establishment. ThisworkwasperformedwhiletheauthorwaswiththeComputingLaboratory,Universityof 1

2 Introduction term.anumberofkernelizedsystemshavebeenconstructed[12,19,25]andvarious Aformallyveriedsecuritykerneliswidelyconsideredtooerthemostpromising basisfortheconstructionoftrulysecurecomputersystems,atleastintheshort modelsofsecurityhavebeenformulatedtoserveasthebasisfortheirverication[6, problemsinitsapplication(see,forexample[1]).ishallexpandontheselater,but 9,28]. essaryinmostapplications,concernabouttheextenttowhichcurrenttechniques brieytheyincludethedicultyofverifyingthe`trustedprocesses'thatseemnec- Despitetheenthusiasmforthisapproach,thereremaincertaindicultiesand aboutwhetherpresentsecuritymodelsreallycapturetheessentialcharacteristicsof verifytheimplementationofthekernel(asopposedtoitsspecication),anddoubts asecuritykernelwithsucientaccuracytoprovideasoundtechnicalbasisfortheir verication.also,currentapproachestokerneldesignandvericationdeveloped outofconcernfortheproblemofprovidingmultilevelsecureoperationongeneralpurposemulti-usersystems whereasmanyofthepresent-dayapplicationswhich conventionalkernelhaveledtosystemsofconsiderablecomplexitywhosevericationpresentsdicultiesthatarequiteatvariancewiththeevidentsimplicityofthe taskwhichthesystemisintendedtoperform[2]. ofsomeoldapproaches[3,26,27])tothedesignandvericationofsecuresystemsand toarguethattheproblemsofconventionalkernelizedsystemsaretherebyavoided orovercome. Thepurposeofthispaperistopresentanewapproach(or,rather,are-working enshrinedinthemultilevelmodels.attemptstosupporttheseapplicationsona tems[5,11,13,24,33]whosesecurityrequirementsaresomewhatdierenttothose requiresomeformofguaranteedsecurityarespecial-purpose,single-functionsys- problemswithconventionalsystemshavetheirrootsintheuseofasecuritykernel whichattemptstoimposeasinglesecuritypolicyoverthewholesystem.thesecond sectionwillproposethatdistributedsystemsavoidmanyofthesedicultiesand Thepresentationisdividedintofoursections.Intherst,Ishallarguethatthe provideamoreappropriateconceptualbaseforthedesignofsecuresystems.insuch isolatedsingle-usermachinesandareabletocommunicatewitheachotherand asystem,thesubjectsofthesecuritypolicyareassignedtoprivateandphysically ofitscomponentsandpartlyonthecriticalfunctionsperformedbythetrusted `trustedcomponents'thatresideinsimilarlyisolatedanddedicatedmachines.the toaccesssharedresourcesonlythroughthemediationofspecialised(andveried) overallsecurityofsuchadistributedsystemrestspartlyonthephysicalseparation components.theconcretenatureoftheservicesprovidedbythesecomponents, andthelimitedinteractionbetweenthem,enablestheirsecuritypropertiestobe speciedandveriedcomparativelyeasily,andbyexistingtechniques. 2

3 environment.thereisabsolutelynointeractionbetweenthepropertiesrequiredof securitykernelwhichicalla`separationkernel'isusedtosimulatethedistributed supportedonasingleprocessor,whileretainingitssecurityproperties,ifatypeof Next,insection3,Ishallarguethataconceptuallydistributedsystemcanbe akernelofthistypeandthesecuritypropertiesrequiredofthesystemcomponents whichitsupports. arationkernelandsketchanappropriatemethodofvericationwhichicall`proof ofseparability'andwhichisdevelopedformallyinacompanionpapertothis[31]. Themathematicalmodelwhichunderliesthismethodofvericationexplicitlyaddressestheinterpretivecharacterofasecuritykernelandprovidesasoundformal concerningtheowofcontrolwhichareignoredbypresentmethods. basisforverifyingthesecurityrelevantaspectsofinterrupthandlingandotherissues 1Theprimarymotivationfortheuseofasecuritykernelisthedesiretoisolateand localiseall`securitycritical'softwareinoneplace thekernel.then,ifthekernel TheProblemofTrustedProcesses Finally,inSection4,Ishalloutlineaprecisespecicationoftheroleofasep- canbeproven`secure'insomeappropriatesense,allnon-kernelsoftwarebecomes (forexample,thatofuclasecureunix[25])havethecharacterofasophisticated irrelevanttothesecurityofthesystem.securitykernelsdierintheextentto protectionmechanismandguaranteethatnoobjectsupportedbythekernelmaybe accessedinanywayunlessitsrecorded`protectiondata'explicitlypermitsthattype whichtheyarecognizantoftheoverallsecuritypolicyofthesystem.somekernels ofaccess.thetaskofsettinguptheprotectiondatasothatitenforcessomeoverall securitypolicyisdelegatedtoa`policymanager'outsidethekernel.thelimitation ofthisapproachisthatitisconcernedonlytoprotectthephysicalrepresentations ofinformation,ratherthaninformationitself.thusitdoesnotcontrolthe`leakage' `informationow'expressibleinthemodel[28,32]whichunderliestheverication ofinformationthroughcovertsignallingpaths[15,17],noristhenotionofsuch ofthesekernels. directaccessorindirectleakage,isunacceptableand,inconsequence,securitykernelsintendedfortheseapplicationsmustnotonlyenforcethesecuritypolicyof Inmilitaryapplications,allunauthorizedowofinformation,whetherdueto thesystemonallnon-kernelsoftware,butmustalsoadheretoitthemselves,in formationow[17,20].thisimpliesthatthekernelmustenforceandobeyasingle, eredthatcertainsystemfunctionscannotbeaccommodatedwithinitsdiscipline. orderthattheirowninternalvariablesmaynotbecomeachannelforinsecurein- system-widesecuritypolicy.butoncethisapproachisadopted,itissoondiscov- anditsspoollesareatthehighestsecurityclassication,thenusersofmorelowly Aline-printerspoolerprovidesasimpleexampleofsuchafunction:ifthespooler 3

4 classicationcannotinspecttheirownspoolles evenfortheinnocentpurposeof discoveringtheprogressoftheirjobs.forthisreason,itisusualforspoollesto beclassiedattheleveloftheirownerswhilethespoolercontinuestorunatthe highestlevelsothatitmayreadspoollesofallclassications.butthenthespooler ictswiththe(kernelenforced)*-property[6]ofmultilevelsecurity.inorderto cannotdeletespoollesaftertheircontentshavebeenprinted forsuchactionconallowedtoviolatethe*-property. provideanacceptableuserinterface,whileavoidingtheproliferationofusedspool les,itseemsnecessarythatthespoolershouldbecomea`trustedprocess'andbe thekernel.inksos,forexample,thetrustedprocessescontain processesinordertoevadeoroverridethesecuritycontrolsnormallyenforcedby Inrealsystemstherearemanyfunctionswhichrequiretheprivilegesoftrusted oftheinterfacetoapacketswitchedcommunicationsnetworketc.)."[7, securespoolersforlineprinteroutput,dump/restoreprograms,portions \supportsoftwaretoaidtheday-to-dayoperationofthesystem(e.g., longerthesolearbiterofsecurity;itisnecessarytobesurethatthespecialprivileges Oncetrustedprocessesareadmittedtothesystem,however,thekernelisno page365] grantedtotrustedprocessesarenotabusedbythoseprocessesandmaynotbe usurpedbyother,untrusted,processes.inordertoguaranteesecurity,therefore, wemustverifythewholeofthe`trustedcomputingbase' thatis,thecombination provideabasisforthevericationofthiscombination:wedonotknowwhatitis ofkernelandtrustedprocesses.thedicultyisthatexistingformalmodelsdonot thatwehavetoprove!landwehr,forexample,observes: \:::inthenalversionoftheirmodel,bellandlapaduladidinclude Intheabsenceofanypreciseformulationoftheroleoftrustedprocesseswithina forestablishingwhenaprocessmaybetrusted."[16,page46] trustedprocesses.whatisnotincludedintheirexpositionisatechnique howpropertiesprovedoftrustedprocessescombinewiththoseprovedofasecurity justicationforspeakingofthe`verication'ofthesecurityofsuchsystemsatall. kernelinordertoestablishthesecurityofthecompletesystem,thereisnoreal modelofsecuresystembehaviour,andintheabsenceofanyformalunderstandingof dicultiesofverifyingthesecurityofthosesystemsshouldnotbeattributedto decienciesinthedesignofindividualkernels,however.rather: Theexistenceoftrustedprocesseswithinkernelizedsystemsandtheattendant \toalargeextentthey[trustedprocesses]representamismatchbetween theidealizationsofthemultilevelsecuritypolicyandthepracticalneeds ofarealuserenvironment."[7,page365] 4

5 inthoseprocessesthemselves,norinthefunctionswhichtheyperform,butinthe conceptionthatasecuritykernelshouldactasacentralizedagentfortheenforcementofauniformsystem-widesecuritypolicy.evenwithinasystemwhichis Thetruerootsofthedicultiescausedbytrustedprocessesarenottobefound restrictionsthatgovernthebehaviourofitsowncomponentscannotsimplybethat intendedtoenforceasinglesecuritypolicyatitsexternalinterface,therulesand nentandtoitsindividualrolewithinthelargersystem.thepropertiesrequired ofasecureline-printerspooler,forexample,dependasmuchonthefactthatitis aline-printerspoolerasonthesecuritypolicythatistobeenforced.weshould overallpolicyinmicrocosm,butmustbeparticulartothefunctionofeachcompo- seekasystemstructurethatallowseachcomponenttomakeitsowncontribution tothesecurityoftheoverallsystemandthattreatsallcontributionsequally as betsthe`weakestlink'natureofsecurity.weshouldnotelevatethesecurityrequirementsparticulartooneclassofcomponentstoaspecialstatusandimpose example[33]. themsystem-wideatwhateverinconveniencetocomponentswithdierentrequirements.thetruthofthispropositionbecomesself-evidentwhenweconsidersomeof thespecialisedapplicationsofsecuresystems.theaccatguardprovidesagood classiedsystemandamorelowlyone.messagesfromthelowsystemtothe HIGHoneareallowedthroughtheGuardwithouthindrance,butmessagesfrom HIGHtoLOWmustbedisplayedtoahuman`SecurityWatchOcer'whohas TheGuardisbasicallyafacilityfortheexchangeofmessagesbetweenahighly todecidewhethertheymaybedeclassiedtothelevelofthelowsystemand thenallowedthrough.noticethattheguardsupportsinformationowbetween thelowandhighsystemsinbothdirectionsandhastoenforcedierentsecurity onasecuritykernelthatenforcestherequirementsforjustonedirectionoftransfer requirementsoneach.itisplainlyinappropriate,therefore,tobaseitsconstruction whichenforcesamultilevelsecuritypolicythatpermitsinformationowinonlythe yetthisisexactlywhathasbeendone.theguardisbasedontheksoskernel contributedtotheoverallsecurityorveriabilityoftheguardanditiscertainlyno securityprincipleoftheksoskernel.itisnotclearhowtheuseofthiskernelhas accomplishedbytrustedprocesseswhosepurposeistogetroundthefundamental LOWtoHIGHdirection.Consequently,theHIGHtoLOWtransfershavetobe surprisetolearnthat: sumedfarmoreresourcesthanoriginallyplanned."[16,page46] \VericationofthetrustedprocessestobeusedintheGuardhascon- 5

6 andevenhardertoverifybecauseitdoesnotrepresentaseparationofconcernsbut 2Thecombinationofasecuritykernelandtrustedprocessesishardtounderstand SecurityandDistributedSystems attempttoseparatethepropertiesrequiredofasecuritykernelfromtheissuesthat securesystems,andamorecompellingbasisfortheirverication,thenweshould propertiesoftheother.ifwearetogainaclearerunderstandingofthenatureof aconfusionofthesame:neithermemberofthecombinationisindependentofthe giverisetotrustedprocesses. securitydoesnotrelyuponacentralmechanism(suchasasecuritykernel)isafunctionallydistributedsystem:onewhosevariousfunctionsareprovidedbyspecialised Averysimpleandnatural infactobvious modelforacomputersystemwhere individualsubsystemswhicharephysicallyseparatedfromeachotherandprovided withonlylimitedchannelsforcommunicationwithoneanother.oncesuchasystem structureisadopted,alotofsecurityproblemsjustvanishandothersareconsiderablysimplied. usersofdierentsecurityclassications.wecanimagineanidealizedsystemin numberofusersinwhichlesaretobetheonlymediumofinformationowbetween whicheachuserisgivenhisownprivate,physicallyisolated,single-usermachine Consider,forexample,theproblemofprovidingamultilevelsecureservicetoa andadedicatedcommunicationlinetoacommon,sharedle-server.theonly componentofthissystemthatneedstobetrustedisthele-server.providedthat singlecomponentadherestoandenforcesthemultilevelsecuritypolicy,thesecurity oftherestofthesystemfollowsfromthephysicalseparationofitscomponentsand theabsenceofdirectcommunicationspathsbetweenusersofdierentclassications. purpose:itsupportsnouserprogrammingandneedsnooperatingsystemsinceit runsjustoneprogram thele-serverprogram.inordertoguaranteethesecurity ofthewholesystem,allweneedtodoistoverifythatsingleprogramwithrespectto Nowconsiderthele-serverinmoredetail.Itisasystemdedicatedtoasingle amultilevelsecurele-servermatchesthesecuritymodeldevelopedatsri[9](which ismorethancanbesaidofasecuritykernel apointishallreturntolater)and anappropriatespecicationofitssecurityrequirements.itturnsoutthattheroleof thismodelthereforeprovidesbothaspecicationforthesecurityrequirementsof thele-serverandthejusticationforitsvericationbythemethodof`information owanalysis'[8,20,21]. thele-server.acentralprintingfacility,forexample,canbeprovidedbyaselfcontainedprinter-serverconnectedtoeachsingle-usermachine(andprobablythe Wecanaddfurthersharedresourcestothesysteminjustthesamewayas le-serveralso)byadditional,dedicatedcommunicationlines.theprinter-server correctsecurityclassicationofeachjobonitsheaderpageandmustnotprint mustobviouslysatisfysomesecurityrequirements.itmust,forexample,printthe 6

7 partsofonejobwithinanother,norfeedinputsfromoneuserbacktoanother, andsoon.furthermore,theprinter-servermayneedtoco-operatewiththeleserverandmayrequireservicesfromthele-serverthataredierentfromthose providedtoordinaryusers(forexample,theabilitytodeletespoollesofallsecurity eventobetotallyconsistentwith,somegeneralsetofpropertiessuchasthessand*-propertiesofmultilevelsecurity[6] eventhoughenforcementofmultilevel decidingjustwhataretherequirementsforasecureprintingservicewhenallresponsibilityforthisserviceiscompletelyisolatedandexposedwithinaself-contained component,thanwhenitisdivided,uneasilyandobscurely,betweenatrustedpro- Weare,however,inamuchbetterpositiontotackletheimportantproblemof classications).whateverthefullsetofrequirementsforasecureprinter-serverare, theymustbe,atleastinpart,specictoitsparticularfunction;wecannotexpect thesecurityrequirementsofsospecialisedatasktobecompletelyexpressedby,or securityistheoverallgoal. cessandasecuritykernel. printer-servers.theremust,forexample,besomeadditionalmechanismtoauthenticatetheidentitiesofusersastheylogintothesingle-usermachinesandtoinform theleandprinter-serversofthesecurityclassicationsassociatedwitheachuser. Arealsystemwillcontainmoresecurity-criticalfunctionsthanjustleand canbestbestudiedifthey,too,areisolatedasseparate,specialisedcomponents andformulatethesecuritypropertiesthatmustberequiredofeachcomponent withinadistributedsystem.thetaskofthesystemdesigneristhentoidentify Icontendthatthesecuritypropertiesrequiredoftheseandothercriticalservices individuallysothat,incombination,theyenforcethesecuritypolicyrequiredofthe systemoverall. ofthesysteminteractandcannotbestudiedindependentlyofeachother.the printer-server,forexample,requiresspecialservicesofthele-serverandbothof thesecomponentsdependuponinformationprovidedbytheauthenticationmech- Ofcourse,scepticswillpointoutthatthisisaformidabletask:thecomponents anism.butthedicultiesthatappearformidableherearenolesssoinacon- ventional,kernelizedsystem:thesamefunctionsandthesameinteractionsmust bepresenttherealso andwillbenolesssignicant,merelylessvisible.furthermore,theinteractionsinadistributedsystemarebetweenitscriticalcomponents. Thesecomponentshaveconcretetaskstoperformandtheirinteractionscanalso bespeciedconcretely:wecanstatepreciselywhatthespecialservicesarethat theprinter-serverrequiresofthele-serverandwecansatisfyourselvesthatthe ramicationsofthesespecialservicesarefullyunderstood.thisisquitedierentto grantingthelineprinterspoolerofakernelizedsystemadispensationtooutthe *-property. ampletointroducetheidea,politicalandeconomicconsiderationsgenerallydictate AlthoughIhavebeenusingageneral-purposemulti-usersystemasafamiliarex- 7

8 thatsecuregeneral-purposesystemsshouldemulatesomeexistingsystem andthis hamperstheadoptionofaradicallydierentimplementationtechnique.specialpurpose,single-functionsystemsarenotsoconstrained andaremoreableand morelikely,therefore,totakeadvantageofa`distributed'approachtosecurity.a designforatypeof`securenetworkfrontend'(snfe)willserveasanillustration. designissuesforsuchadevicearediscussedbyauerbach[4]andaparticulardesignisdescribedbybarnes[5].basically,theissuesareasfollows.aswellasa ASNFEisadevicethatisinterposedbetweenhostmachinesandanetworkin ordertoprovideend-to-endencryptionaroundthenetwork.someofthegeneral cryptographicdevice(a`crypto')thesnfemustcertainlycontaincomponentsfor thecommunicationslinestothehostononesideandthenetworkontheother. Wecancallthecomponentonthehostsidethe`red'componentandthatonthe handlingtheprotocols,messagebueringandsoonrequiredatitsinterfaceswith networksidethe`black'component.(thisterminologystemsfromcryptological nentandpassedtothecryptofromwheretheytravel,inencryptedform,tothe blackcomponentfortransmissionoverthenetwork.inordertoallowforred-black usages.)packetsofcleartextdatafromthehostarereceivedbytheredcompo- co-operation(essentially,theexchangeofpacketheaders),asecond,unencrypted channel(the`cleartextbypass')mustalsoconnecttheredandblackcomponents. notreachthenetworkincleartextform.itisthereforenecessarytobesurethat theredcomponentdoesnotusethecleartextbypasstosenduserdatadirectlyto theblackcomponent.thesoftwareintheredcomponentisconsideredtoolarge Thesecurityrequirementofthesystemisthatuserdatafromthehostmust andcomplextoallowitsvericationandsoa`censor'isinsertedintothebypassto performrigidproceduralchecksonthetracpassingthrough tocheckthatithas theappearanceoflegitimateprotocolexchanges,ratherthanrawcleartext.afairly bypasstoanacceptablelevel. simplecensorcanreducethebandwidthavailableforillicitcommunicationoverthe nicate,butwhatchannelsareavailableforthatcommunication:thechannelsvia thecensorandthecryptoareallowed,buttheremustbenoothers.itisnotclear howthisrequirementcouldbeexpressedintermsofthemodelsthatunderlycurrentconceptionsofasecuritykernelbutitiseasilyformulatedandunderstoodin showninthediagram.theonlysoftwarewhichperformsasecuritycriticaltaskin housedinseparate,isolatedboxesandconnectedbyjustthecommunicationslines thisdesignisthatofthecensor(thecryptoisatrustedphysicaldevice);securityis otherwiseachievedbythephysicaldistributionofthecomponentsandthephysically limitedcommunicationsprovidedbetweenthem. Observethatthecrucialissuehereisnotwhetherredandblackcancommu- thecontextofadistributedsystemdesign:thefourcomponentsofthesystemare 8

9 - Bypass - Red Black? Crypto 3computersystemsthatmustsatisfycertainsecurityrequirements.Recenthardware SofarIhavearguedthatdistributedsystemsoeranaturalbasisforthedesignof Re-introducingtheSecurityKernel directly thatis,asphysicallydistributedsystemscomposedofindependentprocessorsconnectedbyexternalcommunicationslines. developmentsmakeitfeasible,forcertainapplications,toimplementsuchdesigns thesecuritycharacteristicsofthedistributedsystemmustbeprovidedbylogical distributeddesignislargerelativetotheoverallscaleofthesystem,itwillbemore cost-eectivetoimplementtheentiresystemonasingleprocessor.inthiscase, Morecommonly,however,andespeciallywhenthenumberofcomponentsinthe ratherthanphysicalmechanismsandthiscanbeaccomplishedbyre-introducing thosecomponents.therolewhichiproposeforasecuritykernelissimplythatit rationofitscomponentsandpartlyonthecriticalfunctionsperformedbysomeof theconceptofasecuritykernel,butinadierentguisetothatseenpreviously. shouldre-create,withinasinglesharedmachine,anenvironmentwhichsupports Theoverallsecurityofadistributedsystemrestspartlyonthephysicalsepa- thevariouscomponentsofthesystem,andprovidesthecommunicationschannels betweenthem,insuchawaythatindividualcomponentsofthesystemcannotdistinguishthissharedenvironmentfromaphysicallydistributedone.ifthiscanbcuritypolicyenforcedbythesystem thatresponsibilityremainsembeddedinthe ofatrulydistributedsystem.observethatsuchakernelknowsnothingofthese- achieved,thensurelythesharedimplementationretainsallthesecurityproperties 9

10 criticalcomponents.andnotice,too,thatthosecriticalcomponentsrequirenospecialprivilegesofthekernel;wehavecompletelydecoupledthepropertiesrequired overallpurposeandpolicy. temrunsonitsownprivateandphysicallyisolatedmachine.thetaskofasecurity kernel,therefore,istoprovideanisolated`virtualmachine'(vm)foreachcomponentandtohandlecommunicationsbetweenthesevirtualmachines.akernel Inanideal,physicallydistributedimplementation,eachcomponentofthesys- ofthesecuritykernelfromthoseconcernedwiththelargerquestionsofthesystem's ofthisformisobviouslyverysimilartoa`virtualmachinemonitor'(vmm):that widelyrecognisedthatvmmsprovideasuitablebasisfortheconstructionofsecure hardwarebase(vm/370is,perhaps,thebestknownexampleofsuchasystem).itis is,asystemwhichprovideseachofitsuserswithaseparate,simulatedcopyofits systemsandatleasttwosystemshavebeenconstructedalongtheselines[12,26]. However,thetypeofkernelwhichIamproposingdiersfromaVMMinthatthere isnorequirementforittoprovidevmswhichareexactcopiesofthebasehardware kernel'andishallspeakofthevmswhichitsupportsas`regimes.' establishedterminology,ishallcallthisnewtypeofsecuritykernela`separation (orevenforallthevmstobealike) butthereisarequirementforittoprovide communicationschannelsbetweensomeofitsvms.inordertoavoidconfusionwith ofaseparationkernelandtodevelopatechniqueforverifyingtheseproperties. Beforedoingso,however,itseemsbesttoassistthereader'sintuitionandtoprovide somemotivationbyoutliningthedesignofaparticularseparationkernel. Thenextstepistodeduceaprecisestatementofthesecuritypropertiesrequired Theseparationkernelconcernedisanoperationaloneknownasthe`SecureUser AnExample T4DivisionoftheRoyalSignalsandRadarEstablishmentatMalvern,England,in Environment'(SUE).ItrunsonaPDP-11/34andwasdesignedandconstructedby ordertosupportapplicationssimilartothesnfedescribedearlier.oneofthechief designaimsofthesuewasthatitshouldbeminimallysmallandverysimple[5]. (TheSDCCommunicationsKernel[11]isasimilarsystem,thoughrathermore ittosupportpagingorvirtualmemorymanagementasfoundinthekernelsof complex.) regimes,eachofwhichexecutesaxed(andsmall)program,thereisnoneedfor general-purposesystemssuchaskvm/370[12].instead,amuchsimplermemoryresidentsystemispossibleinwhicheachregimeispermanentlyallocatedtoaxed partitionofrealmemorywhilethesueitselfoccupiesanotherxedpartition.the SUEmanipulatesthememorymanagementfeaturesofthePDP-11/34inorderto arrangeforitsownprotectionandthemutualisolationofitsregimes. BecausetheSUEisonlyrequiredtoprovideaxed(andsmall)numberof 10

11 schedulingfunctions.regimesaregivencontrolonaround-robinbasisandexecute untiltheysuspendvoluntarily(viaaswapcalltothesue).becausethewhole systemisdedicatedtoasinglefunction,`denialofservice'isnotasecurityproblem Inordertofurtherreduceitssizeandsimplifyitsdesign,theSUEperformsno (althoughitisclearlyareliabilityissue). machines(includingpdp-11s)sinceitusesabsoluteaddressesandtherebyevades theprotectionofthememorymanagementhardware.forthisreason,conventional kernelsmusthandleormediatealli/ooperationsandthisisasourceofsignicant Input/outputviaDirectMemoryAccess(DMA)posesasecuritythreatonmost excludedfromthesystem,almostallresponsibilityfori/ocanberemovedfrom complexityintheirdesign.thesueadoptsafarmoreruthlessapproach:dmais thesuesincethememorymanagementofapdp-11allowsdeviceregisterstobe permanentlyexcludedfromthesystem.(theeciencyproblemsthismightseem protectedjustlikeordinarymemorylocations.eachdevicesupportedbythesystem tocauseareovercomebytheuseofspecial-purposehardware[18].)withdma locatedintheaddressspaceofthatregime.responsibilityforeachdevicethenrests ispermanentlyandexclusivelyallocatedtoaxedregimeanditsdeviceregistersare withtheregimewhichcontrolsitsdeviceregisters.theonlyresponsibilityofthe SUEwithrespecttoI/Oactivityistoeldinterrupts(sincethehardwarevectors handling.returnfrominterruptssimilarlyrequiresminorassistancefromthesue. thesethroughkerneladdressspace)andpassthemontotheappropriateregimefor tweencertainregimes,thisdescriptionhassummariedjustaboutthewholeofthe SUE.Readerswillappreciatethat,incomparisonwithaconventionalsecuritykernel,theSUEisindeedsmallandsimple.(Itoccupiesabout5Kwords,includingall Apartfromtheprovisionofthecommunicationschannelsthatarerequiredbe- stackanddataspace.)whatweseeknowisavericationtechniquethatexploits thissimplicityinordertoprovideperspicuousandcompellingevidenceofthesue's security. 4Thetaskofaseparationkernelistocreateanenvironmentwhichisindistinguish- ablefromthatprovidedbyaphysicallydistributedsystem:itmustappearasifeach Verication regimeisaseparate,isolatedmachineandthatinformationcanonlyowfromone machinetoanotheralongknownexternalcommunicationslines.oneofthepropertieswemustproveofaseparationkernel,therefore,isthattherearenochannelsfor informationowbetweenregimesotherthanthoseexplicitlyprovided.inthecaseof thesnfedescribedearlier,forexample,theremustbenodirectchannelsbetween theredandblackregimes althoughthechannelsviathecryptoandthecensorare quitelegitimate.byallowingcertainchannelsanddemandingtheabsenceofall others,wecreatearatherdicultvericationproblem.itwouldbemucheasierto 11

12 demandtheabsenceofallchannels thatwouldcorrespondtoapolicyofisolation andseemsamorereasonablecandidateforverication.analogywithaphysically distributedsystemsuggestshowtheoriginalproblemcanbesimpliedinthisway: ifwecutthecommunicationchannelsthatareallowed,then,providedthereareno illicitchannelspresent,thecomponentsofthesystemwillbecomecompletelyisolated arenotphysicalwiresbutpropertiesofthekernelsoftware. fromoneanother.itnowremainstodiscoverhowto`cut'communicationlinesthat isactuallyaccomplishedinsoftware bytheuseofsharedobjects.ifregimesaand somesharedobject,sayx,whichthesendercanwriteandthereceivercanread.if Bhaveacommunicationchannelbetweenthem,thentheremust,atbottom,be Thesolutiontothisproblemiseasilyseenonceweconsiderhowcommunication to`cutting'thecommunicationchannelrepresentedbyx,withx1andx2taking B'sreferencestoXbyreferencestoanothernewobject,X2,thenthisisequivalent thepartsofthetwo`ends'producedbythecut.if,followingthis`cutting'ofthe wenowreplaceallofa'sreferencestoxbyreferencestoanewobject,x1,andallof isolated,thenitfollowsthatthiswastheonlychannelbetweenthem. erty(isolation)ofonesystem(thatwithits`wirescut')andinferanotherproperty `Xchannel,'weareabletodemonstratethattheAandBregimeshavebecome (absenceofillicitchannels)ofadierentsystem.however,ifthedierencesbetweenthetwosystemsareoftheverylimited,controlledformthatihavedescribed Thisisanindirectargumentandmayappearspecioustosome:weproveapropferencesbetweenthemmaybeunderstoodcompletely,then,surely,thetechnique issound.(formoreextendeddiscussion,andanexampleoftheapplicationofthe (involvingonlythe`aliasing'ofcertainnames),sothattheconsequencesofthedif- technique,see[30].) enforcesisolationonitsregimes:wemustprovethetotalabsenceofanyinformation owfromoneregimetoanother.thetechniquewhichhasbeenusedtoverify secureinformationowinkernelsconstructedbythemitrecorporation[20]and Wenowneedamethodforprovingthataseparationkernel(withits`wirescut') inksos[7,10],andwhichseemstobewidelyaccepted,isknownas`information kernel.butthisisnotso. owanalysis'(ifa)[21] sometimesalsocalled`securityowanalysis.'itmightbe thoughtthatthiswillalsoprovideasatisfactorytechniqueforverifyingaseparation nipulationsthatmustbeperformedbyaseparationkernel theswapoperation providesasimpleexample. OnereasonforthisisthatIFAcannotverifysomeofthemachine-levelma- savingofthecurrentcontentsofthegeneralregistersinaredsavearea,andtheir andblack.whentheredregimeisexecuting,itmayrelinquishthecpu byperformingaswapoperation.theeectsofthisoperationmustincludethe Consideraseparationkernelsupportingjusttworegimes,identiedasRED reloadingwithvaluesfromablacksavearea.vericationbyifarequiresthat 12

13 operationsinvokedbyredmayonlyaccessredvalues butitisevidentthat theswapoperationmustaccessbothredandblackvalues.itfollowsthat IFAcannotverifythesecurityofaSWAPoperation,eventhoughitismanifestly causeofthisfailureisthatifaisasyntactictechnique:itisconcernedonlywith thesecurityclassications(`colours')ofvariables,nottheirvalues.thisdeciency secure(see[30]formoreextendeddiscussionandsomeworkedexamples).the forexample,eachregimeisprovidedwithitsownsetofgeneralregisters)rather canbeovercomebyapplyingifatoahigh-levelspecicationofthekernel(inwhich, thantothekernelimplementationitself.thesecurityoftheimplementationcan levelspecications[23].inconventionalpractice,however,thissecondstageisnot thenbeestablishedbyshowingittobeacorrectimplementationofthesecurehigh- performed.forksos,forexample,only`illustrative'proofsoftheimplementation wereprovided[7]. toverifythecorrectnessofitsimplementationaswell.usingaseparationkernel, tionsisasignicanttask.itwouldbevastlymoredicultandhugelyexpensive amultilevelsecurelesystem,vericationofthesecurityofitshigh-levelspecica- BecausetheKSOSkernelcontains,amongotherthings,amechanismtosupport however,issuessuchasthevericationofamultilevelle-serverarefactoredoutand handledseparatelyfromthevericationofthekernel.almosttheentireactivityof aseparationkernelisconcernedwiththedetailedmanagementoffeaturesofthe basehardware.inordertoapplyifa,wemustabstractawayfromthesedetailsand provideahigh-levelspecication whosevericationwouldamounttolittlemore thanexhibitingatautology.almostthewholeburdenofverifyingthesecurityof therealkernelwouldthenfalltothe`correctness'stage.whilethisproceduremay besound,itisveryindirectandfailstoprovideoneoftheprincipalbenetswe issuesthatdetermineakernel's`security.' shoulddesireofakernelvericationtechnique:asharpenedunderstandingofthe owofcontrol inparticular,thehandlingofinterrupts.recallthatthesuekerneldoesverylittleexcepteldinterruptsandallowoneregimetoswapcontrol AmoreconclusiveargumentagainstIFAasavericationtechniqueforseparationkernelsisthatitisincomplete:itdoesnotaddressmattersconcerningthe toanother andifaprovidesnobasisforthevericationoftheseimportantand isdoubtfulwhetherthatmodelreallyprovidesasoundbasisforthevericationof themathematicalmodel[9]thatjustiesifaasavericationtechnique.infact,it trickymatters.questionsrelatingtocontrolowcannotevenbeformulatedwithin modelformulatesaspecicationofmultilevelsecurityforasystemwhichconsumes Manager'(SOM)ofPSOS[22] forwhichpurposeitiseminentlysuitable.the anysortofsecuritykernel butthenitwasnotformulatedforthatpurpose. inputsthataretaggedwiththeirsecurityclassicationsandproducessimilarly Feiertag'smodelwasintendedtoprovideabasisforverifyingthe`SecureObject taggedoutputs.`ordinary'programs,suchasthesomorale-server,aresound 13

14 atanytimeisnotindicatedbyatagaxedtotheinstructionbysomeexternal interpretationsofthismodel.butakernelisdierent.akernelisessentiallyan agent,butisdeterminedbythekernel'sownstate. onbehalfofitsregimes.theidentityoftheregimeonwhosebehalfitisoperating abstractinterpreter itbehaveslikeahardwareextensionandexecutesinstructions thatcapturesitsessentialcharacteristicsmorecompletelyandrealistically.robinson,oneofthoseresponsibleforthevericationofksos,hasobserved: Toprovideasoundbasisforthevericationofakernel,wereallyneedamodel \Despitecurrentsuccessesinprovingthatagivenpieceofkernelsoftware providessecurity,itcannotbeprovenwithexistingtechniquesthatthere isnowaytocircumventthatpieceofsoftware.theanswermaybeto addsomeexplicitnotionofinterpretationtothestatemachinemodel. Thisextendedmodelwouldmakeitpossibletoaddresssuchconcernsas tothis[31]andisusedtojustifyanewmethodforverifyingkernelswhichenforce Amodelwithsomeofthesecharacteristicsisdescribedinacompanionpaper parallelism,languagesemantics,andinterrupthandling."[29] section. ProofofSeparability thepolicyofisolation.aninformalexplanationofthismethodisgiveninthenext Thepurposeofaseparationkernelistosimulateadistributedenvironment.Tothe beindistinguishablefromthatofanisolatedmachinededicatedtoitsprivateuse. whilethesingle,sharedsystemthatisactuallyavailableiscalledthe`concrete' softwareineachregime,theenvironmentprovidedbyaseparationkernelshould machineshouldexactlycoincidewithitsownabstractmachine.asimilarrequirementexpressesthe`correctness'criterionforimplementationsofabstractdatatypestion'[14]:thatis,afunctionwhichmapsfromconcretetoabstractstates.the dierentabstractionssimultaneously(aseparateoneforeachregime)anditseems natural,therefore,toformulatethepropertiesrequiredofitintermsofmultiple abstractionfunctions. Wecancallthisimaginary,privatemachinethe`abstract'machineforthatregime, machine.whatwedesire,forsecurity,isthateachregime'sviewoftheconcrete Thislattercriterionmaybeformulatedpreciselyintermsofan`abstractionfunc- interestingfeatureofaseparationkernelisthatitisrequiredtosupportseveral BLACK.Nowsupposetheconcretemachineperformssomeoperation,COP,on BLACK.TheabstractionfunctionREDABSwillmapthestatesoftheconcrete machineintothoseofred'sabstractmachine,whileblackabsdoeslikewisefor Takethesimplecaseofasystemsupportingjusttworegimes REDand behalfoftheredregime.wemustrequirethattheeectsofthisoperation,as 14

15 machinefromaninitialstatextoanalstatey,wedemandthatredabs(y) formedbytheredabstractmachine.thus,ifexecutionofcoptakestheconcrete isexactlythesamestateoftheredabstractmachineasthatwhichresultsfrom perceivedbytheredregime,arejustasifsomeoperationredophadbeenper- otherwords,werequirethefollowingdiagramtocommute: applyingtheabstractoperationredoptotheabstractstateredabs(x).in 6 REDOP -6 REDABS REDABS Thisconditionensuresthattheregimewhichiscurrently`active'ontheconcrete COP - machinecannotdistinguishitsactualenvironmentfromthatofitsabstractmachine. Butitisalsocrucialthattheexecutionofaconcreteoperationonbehalfoftheactive regimeshouldnotaectthestateofthemachineperceivedbycurrently`inactive' regimes.forisolationbetweenredandblack,therefore,werequirethatthe concretestatetransitionfromxtoycausedbyexecutingcoponbehalfofred shouldcausenocorrespondingchangeinthestatesofinactiveregimes.thatis,we requirethatblackabs(x)=blackabs(y),orindiagrammaticform: I BLACKABS BLACKABS BecauseI/Odevicescandirectlyobserveandchangeaspectsoftheconcretemachine'sinternalstate(byreadingandwritingitsdeviceregisters,forexample),and canalsoinuenceitsinstructionsequencingmechanism(byraisinginterrupts),the COP - 15

16 ditionsontheirbehaviour.expressedinformally(andonlyfromtheredregime's activityofthesedevicesisrelevanttosecurity.consequently,wemustimposecon- pointofview),theseconditionsare: a)ifredabs(x)=redabs(y)andactivitybyaredi/odevicechanges thestateoftheconcretemachinefromxtox0,andthesameactivitywill alsochangeitfromytoy0,thenredabs(x0)=redabs(y0)(i.e.,state b)ifactivitybyanon-redi/odevicechangesthestateoftheconcretemachine changesintheredregimecausedbyredi/oactivitymustdependonlyon theactivityitselfandthepreviousstateoftheredregime). c)ifredabs(x)=redabs(y),thenanyoutputsproducedbyredi/o fromxtoy,thenredabs(x)=redabs(y)(i.e.,non-redi/odevices cannotchangethestateoftheredregime). d)ifredabs(x)=redabs(y),thenthenextoperationexecutedonbehalf oftheredregimemustalsobethesameinbothcases. devicesmustbethesameinbothcases. Conditionsa)andb)abovearetheanalogues,forI/Odevices,oftheconditions arability.'amoreprecisestatementofthesixconditionsmaybefoundinthe constitutethebasisforakernelvericationtechniquewhichicall`proofofsep- imposedoncpuoperationsbythecommutativediagramsgivenearlier.allsix Appendixtothispaper.Aformalderivationofthesixconditions,whichattempts conditions(thefouraboveandthetwoexpressedinthecommutativediagrams) relationshipbetweenthismethodandvericationbyifaisexaminedin[30],which todemonstratethattheyareexactlytherightconditions,isgivenin[31],whilethe morerealisticseriesofexampleapplicationsiscurrentlyinpreparation. securitykernelvericationsinceitisbasedonamorerealisticmodelandcanaddress alsocontainsasmallexampleoftheapplicationofthemethod.descriptionofa alltheimportantissues,includingthoserelatingtointerrupts,quitenaturally.also, itcorrespondstoastraightforwardintuitionaboutwhatsecurity`is'andencourages `ProofofSeparability'seemstobetechnicallysuperiortoothermethodsfor areinvisibletoallotherregimes). capableofcompletedescriptionintermsoftheobjectsknowntothatregime(and thekerneldesignertoexaminehissystemfromtheviewpointofeachindividual regimeinordertoensurethattheresultsofeveryactioninvokedbyaregimeare Conclusion IhaveproposedanapproachtothedesignandvericationofsecuresystemswhichI suggestisparticularlyappropriatetosmallspecial-purposeapplications.iadvocate 16

17 achievedpartlybythephysicalseparationoftheindividualcomponentsandpartly thatsecuresystemsshouldbeconceivedasdistributedsystemsinwhichsecurityis bythetrustedfunctionsperformedbysomeofthosecomponents.thetaskof specifyingandverifyingthepropertiesrequiredofthetrustedcomponentsinorder toachieveoverallsecurityshouldbetackledatthislevelofabstractionandonthe assumptionthatcomponentsarephysicallyisolatedfromoneanother.thepurpose ofasecuritykernelissimplytoallowsucha`distributed'systemtoactuallyrun withinasingleprocessor:itsroleistoprovideeachcomponentofthesystemwith anenvironmentwhichisindistinguishablefromthatwhichwouldbeprovidedbya canbehandledbyseparatevirtualmachinescanbetracedbacktoanderson[3]. of`levelsofkernels'[26,27]whiletheideathatthemanagementofsharedresources securitykernel.thereissomesimilaritybetweentheseproposalsandpopek'snotion trulyandphysicallydistributedsystem.policyenforcementisnottheconcernofa vericationofthecomponentswhichperformtrustedfunctionsfromtheverication ofthesecuritykernel.thislattertaskmaybeaccomplishedbyanewverication techniquewhichicall`proofofseparability.' Thisapproachachievesaseparationofconcernsbycompletelydecouplingthe securityisbasedonsimplermechanismsandwhosevericationiscorrespondingly simpler,morecompleteandmorecompellingthanisthecaseatpresent. Applicationofthesetechniquesshouldassistthedevelopmentofsystemswhose Separability.'Thestatementisexpressedintermsofaparticularformalmodelfor AThisappendixgivesamoreprecisestatementofthesixconditionsfor`Proofof Appendix fortheparticularchoiceofconditionsdeningproofofseparabilitymaybefound in[31]. completedescription,togetherwithargumentsforitssuitabilityandjustication computersystems.spacepermitsonlyatersedescriptionofthemodelhere;amore onthosestates.thesysteminteractswithitsenvironmentbyconsumingelements ofasetiofinputsandproducingelementsofasetoofoutputs.ateachtimestep, thesystememitsanoutputandchangesstate.theoutputemitteddependsupon ThemodelcomprisesanitesetSofstatesandasetOPSS!Sofoperations thesystem'sstateandthisactionismodelledbythefunctionoutput:s!o. selectionmechanismismodelledbythefunctionnextop:s!ops.thus,if andthesecondbytheselectionandexecutionofanoperation.theeectofreceiving aninputismodelledbythefunctioninput:si!s,whiletheoperation Statechangesoccurintwostages:therstiscausedbythereceiptofaninput, thecurrentstateofthesystemissandthecurrentvalueoftheinputavailablefrom theenvironmentisi,thesystemwillemittheoutputoutput(s)andmovetothe 17

18 of`colours.'exactlyoneuseris`active'atanytime:heistheuseruponwhose consumptionoftheinputi. statenextop(s)(s),wheres=input(s;i)istheintermediatestateresultingfrom dependsuponthestateofthesystemattheinstantwhenanoperationisselected behalfinstructionsarecurrentlybeingexecuted.theidentityoftheactiveuser Asharedsystemsupportsanumberof`users'whoareidentiedwithasetC usedtopickoutcomponentsofaparticularcolour.thus,whenc2c,i2i,and ponentswhichare`private'toeachuser.theprojectionfunctionextractis forexecution.itisdeterminedbythefunctioncolour:s!c. o2o,extract(c;i)andextract(c;o)denotethec-colouredcomponentsof Theinputsandoutputsofasharedsystemarecomposedofindividualcom- theinputiandtheoutputorespectively. usermustbecompletelyconsistentwiththatwhichcouldbeprovidedbyanonsharedsystemdedicatedtohisexclusiveuse.thisisachievedifeachuserc2c Forasharedsystemtobesecure,theinput/outputbehaviourperceivedbyeach canproduceasetscofc-coloured`abstractstates'andasetopscsc!scof c-coloured`abstractoperations,'togetherwith`abstractionfunctions' and ABOPc:OPS!OPSc c:s!sc whichsatisfy,8c2c;8s;s02s;8op2ops;8i;i02i: 1)COLOUR(s)=cc(op(s))=ABOPc(op)(c(s)), 2)COLOUR(s)6=cc(op(s))=c(s), 5)c(s)=c(s0) 4)EXTRACT(c;i)=EXTRACT(c;i0)c(INPUT(s;i))=c(INPUT(s;i0)), 3)c(s)=c(s0)c(INPUT(s;i))=c(INPUT(s0;i)), 6)COLOUR(s)=COLOUR(s0)=c^c(s)=c(s0) NEXTOP(s)=NEXTOP(s0). EXTRACT(c;OUTPUT(s))=EXTRACT(c;OUTPUT(s0)), Conditions1)and2)correspondtothetwocommutativediagramsinthetext,while conditions3)to6)correspondtothoselabelleda)tod)inthetext. ThesearetheformalstatementsofthesixconditionsforProofofSeparability. 18

19 References [1]S.R.AmesJr.Securitykernels:Asolutionoraproblem?InProceedingsof [2]S.R.AmesJr.andJ.G.Keeton-Williams.Demonstratingsecurityfortrusted thesymposiumonsecurityandprivacy,pages141{150,oakland,ca,april 1981.IEEEComputerSociety. applicationsonasecuritykernelbase.inproceedingsofthesymposiumonsecurityandprivacy,pages145{156,oakland,ca,april1980.ieeecomputer Society. Renninger,editor,ApproachestoPrivacyandSecurityinComputerSystems, [3]J.P.Anderson.Systemsarchitectureforsecurityandprotection.InC.R. [4]K.Auerbach.Securepersonalcomputing(technicalcorrespondence).CommunicationsoftheACM,23(1):36{37,January1980. Washington,D.C.,1974. pages49{50.nbsspecialpublication404,gposdcatalogno.c13.10:404, [5]D.H.Barnes.ComputersecurityintheRSREPPSN.InNetworks'80,pages [6]D.E.BellandL.J.LaPadula.Securecomputersystem:Uniedexpositionand Multicsinterpretation.TechnicalReportESD-TR ,MitreCorporation, 605{620.OnlineConferences,June1980. [7]T.A.BersonandG.L.BarksdaleJr.KSOS developmentmethodologyfora secureoperatingsystem.innationalcomputerconference,volume48,pages Bedford,MA,March1976. [8]D.E.DenningandP.J.Denning.Certicationofprogramsforsecureinformationow.CommunicationsoftheACM,20(7):504{513,July {371.AFIPSConferenceProceedings,1979. [9]R.J.Feiertag,K.N.Levitt,andL.Robinson.Provingmultilevelsecurityof [10]Ford. pages57{65,november1977. asystemdesign.insixthacmsymposiumonoperatingsystemprinciples, [11]D.L.Golber.TheSDCcommunicationskernel,August1981.Presentedat AerospaceandCommunicationsCorporation,PaloAlto,CA,March1978. KSOSvericationplan. TechnicalReportWDL-TR-7809,Ford [12]B.D.Goldetal.AsecurityretrotofVM/370.InNationalComputerConference,volume48,pages335{344.AFIPSConferenceProceedings,1979. DoDComputerSecurityIndustrySeminar.

20 [13]A.Hathaway.LSIguardsystemspecication(typeA).TechnicalReportDraft, [14]C.A.R.Hoare.Proofofcorrectnessofdatarepresentations.ActaInformatica, 1:271{281,1972. MITRECorporation,Bedford,MA,July1980. [15]B.W.Lampson.Anoteontheconnementproblem.Communicationsofthe [16]C.E.Landwehr.Assertionsforvericationofmultilevelsecuremilitarymessage ACM,16(10):613{615,October1973. [17]S.B.Lipner.Acommentontheconnementproblem.InFifthACMSymposiumonOperatingSystemPrinciples,pages192{196.ACM,1975. systems.acmsoftwareengineeringnotes,5(3):46{47,july1980. [18]A.F.MartinandJ.K.Parks.IntelligentX25level2lineunitsforpacketswitching.InNetworks'80,pages371{384.OnlineConferences,1980. [19]E.J.McCauleyandP.J.Drongowski.KSOS thedesignofasecureoperating [20]J.K.Millen.Securitykernelvalidationinpractice.Communicationsofthe system.innationalcomputerconference,volume48,pages345{353.afips ACM,19(5):243{250,May1976. ConferenceProceedings,1979. [21]J.K.Millen.Operatingsystemsecurityverication.TechnicalReportM79-223, [22]P.G.Neumann,R.S.Boyer,R.J.Feiertag,K.N.Levitt,andL.Robinson. Aprovablysecureoperatingsystem:Thesystem,itsapplications,andproofs. MITRECorporation,Bedford,MA,September1979. [23]P.G.Neumannetal.Softwaredevelopmentandproofsofmulti-levelsecurity Technicalreport,SRIInternational,May1980.SecondEdition,ReportCSL- [24]M.A.Padlipsky,K.J.Biba,andR.B.Neely.KSOS computernetwork InProc.2ndInternationalConferenceonSoftwareEngineering,pages421{428, applications.innationalcomputerconference,volume48,pages373{381. SanFrancisco,CA,1976. [25]G.J.Popeketal.UCLAsecureUNIX.InNationalComputerConference, [26]G.J.PopekandC.S.Kline.Averiableprotectionsystem.InProc.InternationalConferenceonReliableSoftware,pages294{304,LosAngeles,CA, volume48,pages355{364.afipsconferenceproceedings,

FromDependableComputingforCriticalApplications{5,Champaign,IL,September1995,pp.139{157;Volume10of theseriesindependablecomputingandfaulttolerantsystemspublishedbyieeecomputersocietypress. ByzantineAgreementwithAuthentication:Observationsand

More information

AmyP.Felty1,DouglasJ.Howe1,andFrankA.Stomp2 ProtocolVericationinNuprl? 2Dept.ofComp.Sci.,UCDavis,Davis,CA95616,USA.stomp@cs.ucdavis.edu 1BellLabs,MurrayHill,NJ07974,USA.ffelty,howeg@bell-labs.com whileretainingexistingadvantagesofthesystem,anddescribesapplicationoftheprovertoverifyingthescicachecoherenceprotocol.the

More information

CGS2 2003 2004 2005 2006 2007 2008 2009 2010 X X X X X

CGS2 2003 2004 2005 2006 2007 2008 2009 2010 X X X X X CGS2 Blue, GCS, time Black, GCS, time Red, GCS, time CGS2 Blue, GCS, time Black, GCS, time Red, GCS, time CGS1 Blue, GCS, time Black, GCS, time Red, GCS, time CGS2 (Discontinued) Blue, GCS, time Black,

More information

Private Developer Ground Lease. Example (Denver) C-1

Private Developer Ground Lease. Example (Denver) C-1 Appendix C Private Developer Ground Lease Example (Denver) C-1 C-2 C-3 C-4 C-5 C-6 C-7 C-8 C-9 C-10 C-11 C-12 C-13 C-14 C-15 C-16 C-17 C-18 C-19 C-20 C-21 C-22 C-23 C-24 C-25 C-26 C-27 C-28 C-29 C-30 C-31

More information

Draft&Model&Regulatory&Framework&for&Virtual&Currency!

Draft&Model&Regulatory&Framework&for&Virtual&Currency! February9,2015 ConferenceofStateBankSupervisors 112920thStreetNW,9 th Floor Washington,D.C.20036 164TownsendStreet#11 SanFrancisco,CA94107 Attn:EmergingPaymentsTaskForce Re: Draft&Model&Regulatory&Framework&for&Virtual&Currency

More information

Cartella colori PANTONE

Cartella colori PANTONE Process Yellow Pantone : 100 Pantone : 101 Pantone : 102 Pantone Yellow Pantone : 103 Pantone : 104 Pantone : 105 Pantone : 106 Pantone : 107 Pantone : 108 Pantone : 109 Pantone : 110 Pantone : 111 Pantone

More information

Touch n Go Sdn Bhd. Policy Standard Name. Applicable. Effective Date

Touch n Go Sdn Bhd. Policy Standard Name. Applicable. Effective Date 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 Appendix Rapidpass Product Appendix Rapidpass Product

More information

RTR for Quotes/Application Users Guide

RTR for Quotes/Application Users Guide RTR for Quotes/Application Users Guide Welcome to Real Time Rating! The following tutorial provides step-by-step instructions on how to utilize our web based rating system for quoting and new business

More information

Age at the Beginning of Placement (years old) Attention Homes, Inc. 20 4 200 185 144 15.32 Cathedral Home for Children. RTC Placements.

Age at the Beginning of Placement (years old) Attention Homes, Inc. 20 4 200 185 144 15.32 Cathedral Home for Children. RTC Placements. APPENDIX C COPs Providers Figure C.1 Residential Treatment Providers (July 1, 2004), with Average Length of Stay and Average Age of Children at the Beginning of Placement, FY '99 '04 Residential Treatment

More information

PANTONE Solid to Process

PANTONE Solid to Process PANTONE Solid to Process PANTONE C:0 M:0 Y:100 K:0 Proc. Yellow PC PANTONE C:0 M:0 Y:51 K:0 100 PC PANTONE C:0 M:2 Y:69 K:0 106 PC PANTONE C:0 M:100 Y:0 K:0 Proc. Magen. PC PANTONE C:0 M:0 Y:79 K:0 101

More information

Pantone Matching System Color Chart PMS Colors Used For Printing

Pantone Matching System Color Chart PMS Colors Used For Printing Pantone Matching System Color Chart PMS Colors Used For Printing Use this guide to assist your color selection and specification process. This chart is a reference guide only. Pantone colors on computer

More information

PANTONE Uncoated RGB

PANTONE Uncoated RGB PANTONE R:100 G:90 B:9 Yellow U PANTONE R:76 G:32 B:72 Purple U PANTONE R:99 G:90 B:13 Process Yellow U PANTONE R:100 G:86 B:9 Yellow 012 U PANTONE R:49 G:29 B:67 Violet U PANTONE R:86 G:29 B:49 Process

More information

Pantone Matching System Color Chart PMS Colors Used For Printing

Pantone Matching System Color Chart PMS Colors Used For Printing Pantone Matching System Color Chart PMS Colors Used For Printing Use this guide to assist your color selection and specification process. This chart is a reference guide only. Pantone colors on computer

More information

HSG Engineering Tech Bulletin

HSG Engineering Tech Bulletin Specifications subject to change OCT 2013; Rev. 1.3 HSG Engineering Tech Bulletin Recommended RS-485 Wiring for NetAXS-4/NetAXS-123 Loops Overview This document provides the recommended RS-485 wiring for

More information

Appendix B. NAICS Codes, Titles, and Descriptions

Appendix B. NAICS Codes, Titles, and Descriptions Appendix B. NAICS Codes, Titles, and Descriptions PART 1. 2002 NAICS 5418 ADVERTISING AND RELATED SERVICES 54181 ADVERTISING AGENCIES 541810 ADVERTISING AGENCIES 54182 PUBLIC RELATIONS AGENCIES 541820

More information

Training and Recertification Requirements For Massachusetts ABE Required Assessments

Training and Recertification Requirements For Massachusetts ABE Required Assessments Training and Recertification Requirements For Massachusetts ABE Required Assessments Following are the basic requirements for Massachusetts ABE practitioners to administer and/or score required learning

More information

PMS 105 PMS 106 PMS 107 PMS 108 PMS 109 PMS 110 PMS 111 PMS 112 PMS 113 PMS 114 PMS 115 PMS 116 PMS 117 PMS 118

PMS 105 PMS 106 PMS 107 PMS 108 PMS 109 PMS 110 PMS 111 PMS 112 PMS 113 PMS 114 PMS 115 PMS 116 PMS 117 PMS 118 Pantone Matching System Color Chart PMS Colors Used For Printing Use this guide to assist your color selection and specification process. This chart is a reference guide only. Pantone colors on computer

More information

Introduc)on* X.509*Cer)ficates* X.509* By:$Holz,$Braun,$Kammenhuber,$and$Carle$ Presented$by:$William$Garrard$

Introduc)on* X.509*Cer)ficates* X.509* By:$Holz,$Braun,$Kammenhuber,$and$Carle$ Presented$by:$William$Garrard$ Introduc)on* By:$Holz,$Braun,$Kammenhuber,$and$Carle$ Presented$by:$William$Garrard$! How$secure$is$our$online$communication?$! Transport$Layer$Security$(TLS)/Secure$Sockets$Layer$ (SSL)$infrastructure$!

More information

68HC12 and HCS12 Instruction Set

68HC12 and HCS12 Instruction Set A 68HC12 and HCS12 Instruction Set Used with permission of Motorola, Inc. A-1 A-2 68HC12 and HCS12 Instruction Set Appendix A Appendix A 68HC12 and HCS12 Instruction Set A-3 CPU12 REFERENCE GUIDE A-4 68HC12

More information

Building Block 8: Sight Words

Building Block 8: Sight Words Building Block 8: Sight Words As your child starts to recognize words on sight, she'll become a more fluent reader. These cards are a colorful way to bulk up your kid's word bank. Table of Contents Early

More information

PANTONE Chart Builder 2.5.2 File: MPC2000_2500_3000 Page: 1 of 14

PANTONE Chart Builder 2.5.2 File: MPC2000_2500_3000 Page: 1 of 14 PANTONE Chart Builder 2.5.2 File: MPC2000_2500_3000 Page: 1 of 14 PANTONE Yellow CS C:2 M:9 Y:98 K:0 PANTONE Purple CS C:32 M:74 Y:0 K:0 PANTONE Pro. Yel. CS C:3 M:4 Y:100 K:0 PANTONE Hex. Yel. CS C:0

More information

Setup of Electronic Payment File Setup

Setup of Electronic Payment File Setup Electronic Payment File (EPF) Setup and Use The Electronic Payment Lock Box File (EPF) process now supports the use of multiple bank accounts in one file. Lockboxes are a way for tenants to mail in payments

More information

Editing Message Catalog for Change of Program Emails

Editing Message Catalog for Change of Program Emails SA - Registration In order to edit the information sent to the prospective students in the email communication the message catalog for each of the seven communications need to be updated. Each faculty

More information

Photo 1: This photograph shows drywall, joint compound, cove base mastic, carpet adhesive, and ceiling tile in store front No. 1.

Photo 1: This photograph shows drywall, joint compound, cove base mastic, carpet adhesive, and ceiling tile in store front No. 1. APPENDIX B PHOTOLOG Photo 1: This photograph shows drywall, joint compound, cove base mastic, carpet adhesive, and ceiling tile in store front No. 1. Photo 2: This photograph shows layered floor tile and

More information

TABLE OF CONTENTS UNIT 1: ETHICS AND CONDUCT...7 UNIT 4: COMMUNITY SERYIC8S..."..84 UNIT 5: STANDARDS OF PRACTICE...98 UNIT 2: INTERPRETER SKILLS...

TABLE OF CONTENTS UNIT 1: ETHICS AND CONDUCT...7 UNIT 4: COMMUNITY SERYIC8S.....84 UNIT 5: STANDARDS OF PRACTICE...98 UNIT 2: INTERPRETER SKILLS... TABLE OF CONTENTS UNIT 1: ETHICS AND CONDUCT...7 UNIT 2: INTERPRETER SKILLS......37 UNIT 3: CULTURE AND MEDIATION......65 UNIT 4: COMMUNITY SERYIC8S......"..84 UNIT 5: STANDARDS OF PRACTICE...98 APPENDIX:

More information

G RAND S PORT VIN List

G RAND S PORT VIN List 0001 1G1YY2259T5600001 coupe Z51 red 0501 1G1YY2257T5600501 coupe Z51 black 0002 1G1YY2250T5600002 coupe base black 0502 1G1YY2259T5600502 coupe Z51 red 0003 1G1YY3255T5600003 convert F45 red 0503 1G1YY2250T5600503

More information

Jefferson-Shelby Youth Football 2008 Schedule

Jefferson-Shelby Youth Football 2008 Schedule Wk 1 MON 9-1 LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY LABOR DAY Wk 1 TU 9-2 @ VH WHT @ HLA PHM @ HLA OM RED @ OM

More information

Networkfleet 3500 Product Line Installation Guide

Networkfleet 3500 Product Line Installation Guide Networkfleet 3500 Product Line Installation Guide Light/Medium Duty (L3500) Heavy Duty (H3500) Universal (U3500) www.networkcar.com/fleet Customer Care: (866) 227-7323 customercare@networkcar.com Table

More information

Appendix E: Marker Guidelines and Signs

Appendix E: Marker Guidelines and Signs Appendix E: Marker Guidelines and Signs Because of a project to systemetize all logos for the National Trails System, the logo design for the Anza Trail has changed from that shown in the final Comprehensive

More information

File Exchange Guide to downloading files

File Exchange Guide to downloading files File Exchange Guide to downloading files Last updated: November 2013 Supported by Resuscitation Council (UK) and Intensive Care National Audit & Research Centre (ICNARC) Contents 1. Introduction to File

More information

Online Appendix: Who Supports an Anti-Corruption Party? Theory with Evidence from India. August 22, 2015

Online Appendix: Who Supports an Anti-Corruption Party? Theory with Evidence from India. August 22, 2015 Online Appendix: Who Supports an Anti-Corruption Party? Theory with Evidence from India August 22, 2015 Table 1: Descriptive statistics of AAP/Cicero surveys (37,764 complete observations). Mean Std. Dev.

More information

Formal Foundations for Security Architecture

Formal Foundations for Security Architecture Formal Foundations for Security Architecture Ron van der Meyden (University of New South Wales Sydney, Australia) May 5, 2010 Overview Some recent Australian events MILS Security Towards a formal theory

More information

PANTONE ColorVANTAGE Process Simulations of PANTONE solid colors Page: 1 of 14

PANTONE ColorVANTAGE Process Simulations of PANTONE solid colors Page: 1 of 14 PANTONE ColorVANTAGE Process Simulations of PANTONE solid colors Page: 1 of 14 PANTONE Yellow CS R:245 G:222 B:0 PANTONE Purple CS R:158 G:56 B:181 PANTONE Pro. Yel. CS R:242 G:227 B:0 PANTONE Hex. Yel.

More information

ACADEMIC AFFAIRS COUNCIL ******************************************************************************

ACADEMIC AFFAIRS COUNCIL ****************************************************************************** ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4.C.2 DATE: April 24, 2008 ****************************************************************************** SUBJECT: New Site Request: DSU AS in Business Management,

More information

E2E Project Management Process Governance (Electric Capital)

E2E Project Management Process Governance (Electric Capital) Attachment AG-1-8-10 Page 1 of 10 E2E Project Management Process Governance (Electric Capital) Report No. 1332 Final Distribution Final Report Audit Team: Report Grading: Number of Findings: Date of issue

More information

COP25- F&A Rate, Period and Exclusions Popup

COP25- F&A Rate, Period and Exclusions Popup COP25- F&A Rate, Period and Exclusions Popup Summary...1 Purpose...2 Screen Group...2 Account/CC Selection...3 F&A Rate, Periods and Exclusions Popup:...4 Report Generation...9 Page Access...9 Summary

More information

The MILS Component Integration Approach To Secure Information Sharing

The MILS Component Integration Approach To Secure Information Sharing The MILS Component Integration Approach To Secure Information Sharing Carolyn Boettcher, Raytheon, El Segundo CA Rance DeLong, LynuxWorks, San Jose CA John Rushby, SRI International, Menlo Park CA Wilmar

More information

PMS 105 PMS 106 PMS 107 PMS 108 PMS 109 PMS 110 PMS 111 PMS 112 PMS 113 PMS 114 PMS 115 PMS 116 PMS 117 PMS 118

PMS 105 PMS 106 PMS 107 PMS 108 PMS 109 PMS 110 PMS 111 PMS 112 PMS 113 PMS 114 PMS 115 PMS 116 PMS 117 PMS 118 GW Pin & Patch Use this guide to assist your color selection and specification process. This chart is intended as a reference guide only. PANTONE Computer Video simulations displayed may not exactly match

More information

CONSTRUCTION SKILLS REGISTER HANDBOOK

CONSTRUCTION SKILLS REGISTER HANDBOOK CONSTRUCTION SKILLS REGISTER HANDBOOK CONTENTS INTRODUCTION Benefits of CSR 1 Supporters of CSR 1 How to apply for a CSR Card 1 Occupations available 1 Card Types 2-4 FURTHER INFORMATION CSR Plant Operator

More information

Wiring 3-Way Switches

Wiring 3-Way Switches Wiring 3-Way Switches (and 4-Way too) Information from numerous websites View of a 3- way switch. Brass traveler screw Note the different colored screws. Hot black screw The top one is brass and the

More information

Worldspan Go! Specials

Worldspan Go! Specials Worldspan Go! Specials Overview Introduction This document contains an overview of the Go! Specials tool available to users on Worldspan Go! Res. Need Help? Click on the link below to submit a question

More information

Convention on the Conservation of Migratory Species of Wild Animals

Convention on the Conservation of Migratory Species of Wild Animals Convention on the Conservation of Migratory Species of Wild Animals ORIGINAL: ENGLISH Distr. GENERAL CMS/ScC11/Doc.2.1 28 August 2002 ELEVENTH MEETING OF THE CMS SCIENTIFIC COUNCIL Bonn, 14-17 September

More information

How to move a SQL database from one server to another

How to move a SQL database from one server to another How to move a SQL database from one server to another Guide is applicable to these products: * Lucid CoPS, Lucid Rapid, LASS 8-11, LASS 11-15, LADS Plus and Lucid Ability (v6.0x-n) * Lucid Exact v1.xx-n

More information

PLOT 21: Cell phone measurement setup.

PLOT 21: Cell phone measurement setup. PLOT 21: Cell phone measurement setup. Red Trace - Bioprotector product not present, maximum hold measurement Black Trace - Both Large Bioprotector and Cell Phone Bioprotector products present. Observation:

More information

Duke*University* B.S.E.E.*1989,*Electrical*engineering*

Duke*University* B.S.E.E.*1989,*Electrical*engineering* ElizabethL.Hillman UniversityofCaliforniaHastingsCollegeoftheLaw mobile:510387>4385 200McAllisterStreet office:415565>4682 SanFrancisco,CA94102 email:hillman123@gmail.com AcademicPositions UniversityofCaliforniaHastingsCollegeoftheLaw

More information

Scheme Requirements. www.cscs.uk.com

Scheme Requirements. www.cscs.uk.com www.cscs.uk.com 13th revision - Dec 2014 Contents 1.0 Governance 2.0 Purpose of the Scheme 3.0 Scheme Aims 4.0 Scope 5.0 Occupations Covered 6.0 Types of Card Available 7.0 Health and Safety 8.0 Red Cards

More information

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box Penetration Testing Penetration Testing Types Black Box oless productive, more difficult White Box oopen, team supported, typically internal osource available Gray Box (Grey Box) omixture of the two Methods

More information

Simple Embroidery Business Plan Template

Simple Embroidery Business Plan Template This template is set up to make it easier for you to create your business plan. I created this in Microsoft Word and saved it as a.pdf so that it was readily available. If you would like to download the

More information

7. In the boxed unlabeled field, enter the last 4 digits of your Social Security number.

7. In the boxed unlabeled field, enter the last 4 digits of your Social Security number. CREATE YOUR MYVIEW LOGIN To access myview while ensuring security, you will be given an encrypted access key token. You will use this token the first time you log into myview. Once you have successfully

More information

Four Year Plan of Courses Fall 2014 to Summer 2018 Teacher Education Division

Four Year Plan of Courses Fall 2014 to Summer 2018 Teacher Education Division Four Year Plan of Courses Fall 2014 to Summer 2018 Teacher Education Division Fall, 2014 EDU 2005 EDU 2010 (Ford) online EDU 2020 (Branning/Newell) EDU 2040 (Bugg) online (Dickson) online EDU 3010 (Wegmann)

More information

Yasko Methylation Pathway Content and diagrams may not be reproduced without express permission from NRI

Yasko Methylation Pathway Content and diagrams may not be reproduced without express permission from NRI . This first diagram shows the pathways and Methylene 0 . This first diagram shows the pathways and Methylene MR 0 . This first diagram shows the pathways and Methylene MR B B 0 Nucleotides 4. This first

More information

Installation & Troubleshooting (for units manufactured after May 1, 2012)

Installation & Troubleshooting (for units manufactured after May 1, 2012) Installation & Troubleshooting (for units manufactured after May 1, 2012) Step 1: Connect the Bishop s Control Panel (BCP) to the green and white Phoenix relays located on the lower right hand corner of

More information

The Oracle Hacker's Handbook. Hacking and Defending Oracle

The Oracle Hacker's Handbook. Hacking and Defending Oracle Brochure More information from http://www.researchandmarkets.com/reports/2251170/ The Oracle Hacker's Handbook. Hacking and Defending Oracle Description: Knowledge is power, and the power can be yours

More information

A. Look at the Resource Sheet and Gantt Entry View Sheet to see what and where resources are over allocated.

A. Look at the Resource Sheet and Gantt Entry View Sheet to see what and where resources are over allocated. Microsoft Project Pro Steps to completing Project Pro Assignments PART B. (These instructions include all you need to know about adjusting your project in Microsoft Project Pro 2013 and may include instructions

More information

Appendix 3: CMT Programme Board Highlight Report - Template and Guidance notes

Appendix 3: CMT Programme Board Highlight Report - Template and Guidance notes Appendix 3: CMT Board Highlight Report - Template and Guidance notes What is it? This is an exception report that provides a quick means of assessing a programme s status. It allows CMT programme board

More information

Tabla de conversión Pantone a NCS (Natural Color System)

Tabla de conversión Pantone a NCS (Natural Color System) Tabla de conversión Pantone a NCS (Natural Color System) PANTONE NCS (más parecido) PANTONE NCS (más parecido) Pantone Yellow C NCS 0580-Y Pantone 3985C NCS 3060-G80Y Pantone Yellow U NCS 0580-Y Pantone

More information

Features. Dual View The Dual View function provides support for two displays.

Features. Dual View The Dual View function provides support for two displays. Dual monitor computing made easy Dual View KVMPTM Switches ATEN s advanced Dual View KVMPTM Switches allow access to computers from a single keyboard and mouse with dual displays. They provide support

More information

This activity will show you how to draw graphs of algebraic functions in Excel.

This activity will show you how to draw graphs of algebraic functions in Excel. This activity will show you how to draw graphs of algebraic functions in Excel. Open a new Excel workbook. This is Excel in Office 2007. You may not have used this version before but it is very much the

More information

Optimization of combined heating and cooling in Supermarkets

Optimization of combined heating and cooling in Supermarkets Optimization of combined heating and cooling in Supermarkets Funder-Kristensen T. 1 ; Fösel G. 2 and Bjerg P. 3 1 Ph.d. Head of Public & Industry Affairs, Danfoss, Nordborg, 6430, Denmark. 2 Dipl.-Ing.

More information

PANTONE color bridge CMYK PC Page: 1 of 14

PANTONE color bridge CMYK PC Page: 1 of 14 PANTONE color bridge CMYK PC Page: 1 of 14 PANTONE Pro. Yel. PC C:0 M:0 Y:100 K:0 PANTONE 100 PC C:0 M:0 Y:58 K:0 PANTONE 106 PC C:0 M:1 Y:70 K:0 PANTONE 113 PC C:0 M:4 Y:71 K:0 PANTONE 120 PC C:0 M:6

More information

Munsell Soil Color. Munsell Gradient No. Code

Munsell Soil Color. Munsell Gradient No. Code Munsell Gradient No. Munsell Soil Color Code Munsell Soil Color Description 10.0 10R 2.5/1 Reddish Black 10.0 10R 2.5/2 Very Dusky Red 10.0 10R 3/1 Dark Reddish 10.0 10R 3/2 Dusky Red 10.0 10R 3/3 Dusky

More information

Wireless radio cell. Fixed Network

Wireless radio cell. Fixed Network DataManagementforMobileComputing ComputerScienceDepartment, EvaggeliaPitoura http://www.cs.uoi.gr/~pitoura UniversityofIoannina, Ioannina,Greece SummerSchool,Jyvaskyla,August1998 & Introduction -mobileornomadiccomputing

More information

Charge and Discharge of a Capacitor

Charge and Discharge of a Capacitor Charge and Discharge of a Capacitor INTRODUCTION Capacitors 1 are devices that can store electric charge and energy. Capacitors have several uses, such as filters in DC power supplies and as energy storage

More information

Business Procedures: Send Secure Emails Created: 02-25-2014 Updated: 04-15-2014

Business Procedures: Send Secure Emails Created: 02-25-2014 Updated: 04-15-2014 Business Procedures: Send Secure Emails Created: 02-25-2014 Updated: 04-15-2014 Page 1 of 10 Overview From time to time it is necessary to be able to share confidential information with school districts

More information

APR-PRT3 Printer Module: C-Bus Programming Instructions

APR-PRT3 Printer Module: C-Bus Programming Instructions APR-PRT3 Printer Module: C-Bus Programming Instructions We hope this product performs to your complete satisfaction. Should you have any questions or comments, please visit www.paradox.com and send us

More information

March 8, 2010. Oak Park School District RFP for Pupil Transportation Services

March 8, 2010. Oak Park School District RFP for Pupil Transportation Services 40950 WOODWARD AVENUE, SUITE 350 BLOOMFIELD HILLS, MI 48304-5129 PHONE: (248) 258-2850 FAX: (248) 258-2851 March 8, 2010 Via Electronic Mail Pupil Transportation Services Proposers Direct Dial No.: (248)

More information

A new approach for dynamic optimization of water flooding problems

A new approach for dynamic optimization of water flooding problems A new approach for dynamic optimization of water flooding problems Rolf J. Lorentzen Aina M. Berg Geir Nævdal Erlend H. Vefring IRIS International Research Institute of Stavanger (formerly Rogaland Research)

More information

Fiscal Year 2013-14 LAUSD Debt Report and Debt Management Policy Changes

Fiscal Year 2013-14 LAUSD Debt Report and Debt Management Policy Changes Fiscal Year 2013-14 LAUSD Debt Report and Debt Management Policy Changes Presentation to the Budget, Facilities and Audit Committee Office of the Chief Financial Officer May 7, 2015 District s Debt Policy

More information

SW2A Module User Guide

SW2A Module User Guide 2 27C256 files in a 27C512 Create a file containing the 2 files using the SW2A.exe software and write it in a 27C512, then mount the EPROM in a socket without inserting the #1 pin that must be only connected

More information

Leveraging SANS and NIST to Evaluate New Security Tools

Leveraging SANS and NIST to Evaluate New Security Tools Leveraging SANS and NIST to Evaluate New Security Tools Agenda About TaaSera A Problem to Solve Overview of NIST Cybersecurity Framework Overview of SANS CSC-20 Call to Action Conclusion Q&A Company Founded

More information

Monthly Project Report

Monthly Project Report Purpose of this document To identify the requirements for monthly reporting on all projects that will enable appropriate control and management of projects at different levels within its governance structure.

More information

Software Upgrade for HKATS Participant Briefing Session. Sept 2012

Software Upgrade for HKATS Participant Briefing Session. Sept 2012 Software Upgrade for HKATS Participant Briefing Session Sept 2012 Agenda 1 2 Overview of Software Upgrade Dynamic Price Banding 3 Data Compression in Central Gateway 4 5 CLICK Trade Software Key Stages

More information

Suggested Electric Fan Wiring Diagrams

Suggested Electric Fan Wiring Diagrams Suggested Electric Fan Wiring Diagrams These diagrams show the use of relays, ON/OFF sensors, ON/OFF switches and ON/OFF fan controllers. Nothing here should be confused with the latest generation of VARIABLE

More information

Inland Marine Expo Exhibitor Rules and Regulations

Inland Marine Expo Exhibitor Rules and Regulations InlandMarineExpoExhibitorRulesandRegulations Onbehalfof,Iagreetoabidebyallrulesandregulations outlinedinthebelowagreement.iunderstandthattheexhibitorservicemanualanddirectemail updateswillbeprovidedtoexhibitorscontainingtheinformationnecessarytoparticipateatinland

More information

Create Expense Report: pcard Use to create an Expense Report for pcard purchases

Create Expense Report: pcard Use to create an Expense Report for pcard purchases Access the Create Expense Report task Note: All Red Asterisks (*) need to be completed. 1. Under Create Expense Report, enter and review details in the Expense Report Information section: a. Expense Report

More information

Key coding for Fiat / Alfa / Lancia / Iveco

Key coding for Fiat / Alfa / Lancia / Iveco Key coding for Fiat / Alfa / Lancia / Iveco This is PRELIMINARY WORKING DRAFT for SECONS Ltd. internal use and FiCOM users. Please excuse the typos and errors. Table of Contens Transponder types...1 Body

More information

CERTIFICATION OF COMPLIANCE

CERTIFICATION OF COMPLIANCE Item: 85023001, Artemis Plant Watercolors 25 ml - carmine red CEO. Item: 85023002, Artemis Plant Watercolors 25 ml - vermilion CEO. Item: 85023003, Artemis Plant Watercolors 25 ml - kamala orange CEO.

More information

Factoring Trinomials using Algebra Tiles Student Activity

Factoring Trinomials using Algebra Tiles Student Activity Factoring Trinomials using Algebra Tiles Student Activity Materials: Algebra Tiles (student set) Worksheet: Factoring Trinomials using Algebra Tiles Algebra Tiles: Each algebra tile kits should contain

More information

Chapter 4. Reserving Resources on StatusBoard 2.0. Objectives

Chapter 4. Reserving Resources on StatusBoard 2.0. Objectives Chapter 4 Reserving Resources on StatusBoard 2.0 Objectives Using Quick Schedule to reserve a resource right away and how to cancel the reservation when it s no longer needed. Using Calendar Schedule to

More information

Check List. Telehealth Credentialing and Privileging Sec. 482.22. Conditions of Participation Medical Staff

Check List. Telehealth Credentialing and Privileging Sec. 482.22. Conditions of Participation Medical Staff Check List Telehealth Credentialing and Privileging Sec. 482.22. Conditions of Participation Medical Staff The Centers for Medicare and Medicaid Services (CMS) final rule on credentialing and privileging

More information

Remember to leave your answers as unreduced fractions.

Remember to leave your answers as unreduced fractions. Probability Worksheet 2 NAME: Remember to leave your answers as unreduced fractions. We will work with the example of picking poker cards out of a deck. A poker deck contains four suits: diamonds, hearts,

More information

Motion Graphs. It is said that a picture is worth a thousand words. The same can be said for a graph.

Motion Graphs. It is said that a picture is worth a thousand words. The same can be said for a graph. Motion Graphs It is said that a picture is worth a thousand words. The same can be said for a graph. Once you learn to read the graphs of the motion of objects, you can tell at a glance if the object in

More information

R&S FT5066 Trusted Filter Radio control information filter red/black separation

R&S FT5066 Trusted Filter Radio control information filter red/black separation Secure Communications Data Sheet 02.00 R&S FT5066 Trusted Filter Radio control information filter red/black separation to STANAG R&S FT5066 Trusted Filter At a glance The R&S FT5066 trusted filter is developed

More information

How to Become a Pharmacist/Pharmacy Technician. Job Description

How to Become a Pharmacist/Pharmacy Technician. Job Description HowtoBecomeaPharmacist/PharmacyTechnician JobDescription PharmacyTechniciansworkalongsidePharmacistsandhavemanydifferent responsibilitiesintheirjobsetting.jobrequirementsincludemeasuringand labelingmedications,countingpills,workingwithpatientrecordsandtakinginsurance

More information

DESIGN LED 60 TRI STRIP - DMX CHANNEL TRAITS

DESIGN LED 60 TRI STRIP - DMX CHANNEL TRAITS DESIGN LED 60 TRI STRIP - DMX CHANNEL TRAITS DMX Operation Notes: The fixture will function in DMX mode whenever the unit is receiving a DMX signal. Please note that this will override all manual settings.

More information

Softstart. Upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools...2. 3. PCB information...2. 4. Step by step...

Softstart. Upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools...2. 3. PCB information...2. 4. Step by step... Softstart Upgrade to Torque control PST30 300 PSTB370 1050 1SFC132040M0201 RevA Dec-06 Contents 1. ESD Warning...2 2. Tools...2 3. PCB information...2 4. Step by step...3 5. Configuration of the LV board...7

More information

amymalanga sampleportfolio

amymalanga sampleportfolio amymalanga sampleportfolio am amymalanga 989 430.8188 amymalanga@gmail.com 1265 Downing Street #506 80218 Education Metropolitan State College of Denver January 2008-May 2010 BFA in Communication Design

More information

REPROGRAPHICS/QUICK COPIES

REPROGRAPHICS/QUICK COPIES Solar Financials University Hall 360 Phone: (818) 677-6685 Mail Code: 8337 REPROGRAPHICS/QUICK COPIES REPROGRAPHICS ENVELOPES STATIONERY BUSINESS CARDS REPROGRAPHICS: 1. Select the blue Reprographics hyperlink

More information

universal data model resource book v2

universal data model resource book v2 universal data model resource book v2 Online manuals are a fun way to have information An additional benefit of having the ability to keep and access user manuals on your pc is the fact keep these things

More information

Enterphone Solo. User/Installation Manual Part No. 421-2001

Enterphone Solo. User/Installation Manual Part No. 421-2001 Enterphone Solo User/Installation Manual Viscount Communication and Control Systems Inc. 4585 Tillicum Street, Burnaby, B.C., Canada V5J 5K9 Phone: (604) 327-9446 Toll Free: 1-800-476-3774 Fax: (604) 327-3859

More information

ACADEMIC AFFAIRS COUNCIL ******************************************************************************

ACADEMIC AFFAIRS COUNCIL ****************************************************************************** ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4.C.1 DATE: January 20, 2011 ****************************************************************************** SUBJECT: New Site Request NSU, BS Marketing, Online Northern

More information

Facility Online Manager

Facility Online Manager Facility Online Manager Instruction for users FOM TM is an online accounting and instrument management software. This software can be used as a simple online scheduler for small research group, or as a

More information

The Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org

The Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services gaskell@infosecservices.com 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify

More information

10DBMC International Conference On Durability of Building Materials and Components LYON [France] 17 20 April 2005

10DBMC International Conference On Durability of Building Materials and Components LYON [France] 17 20 April 2005 10DBMC International Conference On Durability of Building Materials and Components Wall Cladding System Durability Lessons Learned from the Premature Deterioration of Wood-Framed Construction Clad with

More information

535T Window Automation System

535T Window Automation System 535T Window Automation System Installation Guide NOTE: This product is intended for installation by a professional installer only! Any attempt to install this product by any person other than a trained

More information

Combined Proxy Re-Encryption

Combined Proxy Re-Encryption Combined Proxy Re-Encryption Orange Labs, Applied Crypto Group, Université de Caen Basse-Normandie, GREYC, Sébastien Canard et Julien Devigne Journées C2 2012, Dinard Proxy Re-Encryption ( PRE ) Second

More information

ONLINE APPLICATION INSTRUCTIONS

ONLINE APPLICATION INSTRUCTIONS ONLINE APPLICATION INSTRUCTIONS Welcome to the Air Force Aid Society s Education Grant Portal, home to the online application for the General Henry H. Arnold AFAS Education Grant Program. The following

More information