Reprint of a paper presented at the 8th ACM Symposium on Operating System Principles, Pacific Grove, California, 14-16 December 1981. (ACM Operating Systems Review Vol. 15 No. 5 pp. 12-21)

Design and Verification of Secure Systems

John Rushby
Computer Science Laboratory
SRI International
Menlo Park CA 94025 USA

Abstract

This paper reviews some of the difficulties that arise in the verification of kernelized secure systems and suggests new techniques for their resolution.

It is proposed that secure systems should be conceived as distributed systems in which security is achieved partly through the physical separation of their individual components and partly through the mediation of trusted functions performed within some of those components. The purpose of a security kernel is simply to allow such a `distributed' system to actually run within a single processor; policy enforcement is not the concern of a security kernel.

This approach decouples verification of components which perform trusted functions from verification of the security kernel. This latter task may be accomplished by a new verification technique called `proof of separability' which explicitly addresses the security relevant aspects of interrupt handling and other issues ignored by present methods.

This work was performed while the author was with the Computing Laboratory, University of Newcastle upon Tyne, England, and was sponsored by (what was then) the Royal Signals Radar Establishment.

Introduction

A formally verified security kernel is widely considered to offer the most promising basis for the construction of truly secure computer systems, at least in the short term. A number of kernelized systems have been constructed [12, 19, 25] and various models of security have been formulated to serve as the basis for their verification [6, 9, 28].

Despite the enthusiasm for this approach, there remain certain difficulties and problems in its application (see, for example [1]). I shall expand on these later, but briefly they include the difficulty of verifying the `trusted processes' that seem necessary in most applications, concern about the extent to which current techniques verify the implementation of the kernel (as opposed to its specification), and doubts about whether present security models really capture the essential characteristics of a security kernel with sufficient accuracy to provide a sound technical basis for their verification. Also, current approaches to kernel design and verification developed out of concern for the problem of providing multilevel secure operation on general-purpose multi-user systems - whereas many of the present-day applications which require some form of guaranteed security are special-purpose, single-function systems [5, 11, 13, 24, 33] whose security requirements are somewhat different to those enshrined in the multilevel models. Attempts to support these applications on a conventional kernel have led to systems of considerable complexity whose verification presents difficulties that are quite at variance with the evident simplicity of the task which the system is intended to perform [2].

The purpose of this paper is to present a new approach (or, rather, a re-working of some old approaches [3, 26, 27]) to the design and verification of secure systems and to argue that the problems of conventional kernelized systems are thereby avoided or overcome.

The presentation is divided into four sections. In the first, I shall argue that the problems with conventional systems have their roots in the use of a security kernel which attempts to impose a single security policy over the whole system. The second section will propose that distributed systems avoid many of these difficulties and provide a more appropriate conceptual base for the design of secure systems. In such a system, the subjects of the security policy are assigned to private and physically isolated single-user machines and are able to communicate with each other and to access shared resources only through the mediation of specialised (and verified) `trusted components' that reside in similarly isolated and dedicated machines. The overall security of such a distributed system rests partly on the physical separation of its components and partly on the critical functions performed by the trusted components. The concrete nature of the services provided by these components, and the limited interaction between them, enables their security properties to be specified and verified comparatively easily, and by existing techniques.

Next, in section 3, I shall argue that a conceptually distributed system can be supported on a single processor, while retaining its security properties, if a type of security kernel which I call a `separation kernel' is used to simulate the distributed environment. There is absolutely no interaction between the properties required of a kernel of this type and the security properties required of the system components which it supports.

Finally, in Section 4, I shall outline a precise specification of the role of a separation kernel and sketch an appropriate method of verification which I call `proof of separability' and which is developed formally in a companion paper to this [31]. The mathematical model which underlies this method of verification explicitly addresses the interpretive character of a security kernel and provides a sound formal basis for verifying the security relevant aspects of interrupt handling and other issues concerning the flow of control which are ignored by present methods.

1 The Problem of Trusted Processes

The primary motivation for the use of a security kernel is the desire to isolate and localise all `security critical' software in one place - the kernel. Then, if the kernel can be proven `secure' in some appropriate sense, all non-kernel software becomes irrelevant to the security of the system. Security kernels differ in the extent to which they are cognizant of the overall security policy of the system. Some kernels (for example, that of UCLA Secure UNIX [25]) have the character of a sophisticated protection mechanism and guarantee that no object supported by the kernel may be accessed in any way unless its recorded `protection data' explicitly permits that type of access. The task of setting up the protection data so that it enforces some overall security policy is delegated to a `policy manager' outside the kernel. The limitation of this approach is that it is concerned only to protect the physical representations of information, rather than information itself. Thus it does not control the `leakage' of information through covert signalling paths [15, 17], nor is the notion of such `information flow' expressible in the model [28, 32] which underlies the verification of these kernels.

In military applications, all unauthorized flow of information, whether due to direct access or indirect leakage, is unacceptable and, in consequence, security kernels intended for these applications must not only enforce the security policy of the system on all non-kernel software, but must also adhere to it themselves, in order that their own internal variables may not become a channel for insecure information flow [17, 20]. This implies that the kernel must enforce and obey a single, system-wide security policy. But once this approach is adopted, it is soon discovered that certain system functions cannot be accommodated within its discipline. A line-printer spooler provides a simple example of such a function: if the spooler and its spool files are at the highest security classification, then users of more lowly

classification cannot inspect their own spool files - even for the innocent purpose of discovering the progress of their jobs. For this reason, it is usual for spool files to be classified at the level of their owners while the spooler continues to run at the highest level so that it may read spool files of all classifications. But then the spooler cannot delete spool files after their contents have been printed - for such action conflicts with the (kernel enforced) *-property [6] of multilevel security. In order to provide an acceptable user interface, while avoiding the proliferation of used spool files, it seems necessary that the spooler should become a `trusted process' and be allowed to violate the *-property.

In real systems there are many functions which require the privileges of trusted processes in order to evade or override the security controls normally enforced by the kernel. In KSOS, for example, the trusted processes contain

"support software to aid the day-to-day operation of the system (e.g., secure spoolers for line printer output, dump/restore programs, portions of the interface to a packet switched communications network etc.)." [7, page 365]

Once trusted processes are admitted to the system, however, the kernel is no longer the sole arbiter of security; it is necessary to be sure that the special privileges granted to trusted processes are not abused by those processes and may not be usurped by other, untrusted, processes. In order to guarantee security, therefore, we must verify the whole of the `trusted computing base' - that is, the combination of kernel and trusted processes. The difficulty is that existing formal models do not provide a basis for the verification of this combination: we do not know what it is that we have to prove! Landwehr, for example, observes:

"... in the final version of their model, Bell and LaPadula did include trusted processes. What is not included in their exposition is a technique for establishing when a process may be trusted." [16, page 46]

In the absence of any precise formulation of the role of trusted processes within a model of secure system behaviour, and in the absence of any formal understanding of how properties proved of trusted processes combine with those proved of a security kernel in order to establish the security of the complete system, there is no real justification for speaking of the `verification' of the security of such systems at all.

The existence of trusted processes within kernelized systems and the attendant difficulties of verifying the security of those systems should not be attributed to deficiencies in the design of individual kernels, however. Rather:

"to a large extent they [trusted processes] represent a mismatch between the idealizations of the multilevel security policy and the practical needs of a real user environment." [7, page 365]

The true roots of the difficulties caused by trusted processes are not to be found in those processes themselves, nor in the functions which they perform, but in the conception that a security kernel should act as a centralized agent for the enforcement of a uniform system-wide security policy. Even within a system which is intended to enforce a single security policy at its external interface, the rules and restrictions that govern the behaviour of its own components cannot simply be that overall policy in microcosm, but must be particular to the function of each component and to its individual role within the larger system. The properties required of a secure line-printer spooler, for example, depend as much on the fact that it is a line-printer spooler as on the security policy that is to be enforced. We should seek a system structure that allows each component to make its own contribution to the security of the overall system and that treats all contributions equally - as befits the `weakest link' nature of security. We should not elevate the security requirements particular to one class of components to a special status and impose them system-wide at whatever inconvenience to components with different requirements. The truth of this proposition becomes self-evident when we consider some of the specialised applications of secure systems. The ACCAT Guard provides a good example [33].

The Guard is basically a facility for the exchange of messages between a highly classified system and a more lowly one. Messages from the LOW system to the HIGH one are allowed through the Guard without hindrance, but messages from HIGH to LOW must be displayed to a human `Security Watch Officer' who has to decide whether they may be declassified to the level of the LOW system and then allowed through. Notice that the Guard supports information flow between the LOW and HIGH systems in both directions and has to enforce different security requirements on each. It is plainly inappropriate, therefore, to base its construction on a security kernel that enforces the requirements for just one direction of transfer - yet this is exactly what has been done. The Guard is based on the KSOS kernel which enforces a multilevel security policy that permits information flow in only the LOW to HIGH direction. Consequently, the HIGH to LOW transfers have to be accomplished by trusted processes whose purpose is to get round the fundamental security principle of the KSOS kernel. It is not clear how the use of this kernel has contributed to the overall security or verifiability of the Guard and it is certainly no surprise to learn that:

"Verification of the trusted processes to be used in the Guard has consumed far more resources than originally planned." [16, page 46]

2 Security and Distributed Systems

The combination of a security kernel and trusted processes is hard to understand and even harder to verify because it does not represent a separation of concerns but a confusion of the same: neither member of the combination is independent of the properties of the other. If we are to gain a clearer understanding of the nature of secure systems, and a more compelling basis for their verification, then we should attempt to separate the properties required of a security kernel from the issues that give rise to trusted processes.

A very simple and natural - in fact obvious - model for a computer system where security does not rely upon a central mechanism (such as a security kernel) is a functionally distributed system: one whose various functions are provided by specialised individual subsystems which are physically separated from each other and provided with only limited channels for communication with one another. Once such a system structure is adopted, a lot of security problems just vanish and others are considerably simplified.

Consider, for example, the problem of providing a multilevel secure service to a number of users in which files are to be the only medium of information flow between users of different security classifications. We can imagine an idealized system in which each user is given his own private, physically isolated, single-user machine and a dedicated communication line to a common, shared file-server. The only component of this system that needs to be trusted is the file-server. Provided that single component adheres to and enforces the multilevel security policy, the security of the rest of the system follows from the physical separation of its components and the absence of direct communications paths between users of different classifications.

Now consider the file-server in more detail. It is a system dedicated to a single purpose: it supports no user programming and needs no operating system since it runs just one program - the file-server program. In order to guarantee the security of the whole system, all we need to do is to verify that single program with respect to an appropriate specification of its security requirements. It turns out that the role of a multilevel secure file-server matches the security model developed at SRI [9] (which is more than can be said of a security kernel - a point I shall return to later) and this model therefore provides both a specification for the security requirements of the file-server and the justification for its verification by the method of `information flow analysis' [8, 20, 21].

We can add further shared resources to the system in just the same way as the file-server. A central printing facility, for example, can be provided by a self-contained printer-server connected to each single-user machine (and probably the file-server also) by additional, dedicated communication lines. The printer-server must obviously satisfy some security requirements. It must, for example, print the correct security classification of each job on its header page and must not print

parts of one job within another, nor feed inputs from one user back to another, and so on. Furthermore, the printer-server may need to co-operate with the file-server and may require services from the file-server that are different from those provided to ordinary users (for example, the ability to delete spool files of all security classifications). Whatever the full set of requirements for a secure printer-server are, they must be, at least in part, specific to its particular function; we cannot expect the security requirements of so specialised a task to be completely expressed by, or even to be totally consistent with, some general set of properties such as the ss- and *-properties of multilevel security [6] - even though enforcement of multilevel security is the overall goal.

We are, however, in a much better position to tackle the important problem of deciding just what are the requirements for a secure printing service when all responsibility for this service is completely isolated and exposed within a self-contained component, than when it is divided, uneasily and obscurely, between a trusted process and a security kernel.

A real system will contain more security-critical functions than just file and printer-servers. There must, for example, be some additional mechanism to authenticate the identities of users as they login to the single-user machines and to inform the file and printer-servers of the security classifications associated with each user. I contend that the security properties required of these and other critical services can best be studied if they, too, are isolated as separate, specialised components within a distributed system. The task of the system designer is then to identify and formulate the security properties that must be required of each component individually so that, in combination, they enforce the security policy required of the system overall.

Of course, sceptics will point out that this is a formidable task: the components of the system interact and cannot be studied independently of each other. The printer-server, for example, requires special services of the file-server and both of these components depend upon information provided by the authentication mechanism. But the difficulties that appear formidable here are no less so in a conventional, kernelized system: the same functions and the same interactions must be present there also - and will be no less significant, merely less visible. Furthermore, the interactions in a distributed system are between its critical components. These components have concrete tasks to perform and their interactions can also be specified concretely: we can state precisely what the special services are that the printer-server requires of the file-server and we can satisfy ourselves that the ramifications of these special services are fully understood. This is quite different to granting the line printer spooler of a kernelized system a dispensation to flout the *-property.

Although I have been using a general-purpose multi-user system as a familiar example to introduce the idea, political and economic considerations generally dictate

that secure general-purpose systems should emulate some existing system - and this hampers the adoption of a radically different implementation technique. Special-purpose, single-function systems are not so constrained - and are more able and more likely, therefore, to take advantage of a `distributed' approach to security. A design for a type of `secure network front end' (SNFE) will serve as an illustration.

A SNFE is a device that is interposed between host machines and a network in order to provide end-to-end encryption around the network. Some of the general design issues for such a device are discussed by Auerbach [4] and a particular design is described by Barnes [5]. Basically, the issues are as follows. As well as a cryptographic device (a `crypto') the SNFE must certainly contain components for handling the protocols, message buffering and so on required at its interfaces with the communications lines to the host on one side and the network on the other. We can call the component on the host side the `red' component and that on the network side the `black' component. (This terminology stems from cryptological usages.) Packets of cleartext data from the host are received by the red component and passed to the crypto from where they travel, in encrypted form, to the black component for transmission over the network. In order to allow for red-black co-operation (essentially, the exchange of packet headers), a second, unencrypted channel (the `cleartext bypass') must also connect the red and black components.

The security requirement of the system is that user data from the host must not reach the network in cleartext form. It is therefore necessary to be sure that the red component does not use the cleartext bypass to send user data directly to the black component. The software in the red component is considered too large and complex to allow its verification and so a `censor' is inserted into the bypass to perform rigid procedural checks on the traffic passing through - to check that it has the appearance of legitimate protocol exchanges, rather than raw cleartext. A fairly simple censor can reduce the bandwidth available for illicit communication over the bypass to an acceptable level.

Observe that the crucial issue here is not whether red and black can communicate, but what channels are available for that communication: the channels via the censor and the crypto are allowed, but there must be no others. It is not clear how this requirement could be expressed in terms of the models that underlie current conceptions of a security kernel but it is easily formulated and understood in the context of a distributed system design: the four components of the system are housed in separate, isolated boxes and connected by just the communications lines shown in the diagram. The only software which performs a security critical task in this design is that of the censor (the crypto is a trusted physical device); security is otherwise achieved by the physical distribution of the components and the physically limited communications provided between them.

[Diagram: the Red, Black, Crypto and Bypass components]

3 Re-introducing the Security Kernel

So far I have argued that distributed systems offer a natural basis for the design of computer systems that must satisfy certain security requirements. Recent hardware developments make it feasible, for certain applications, to implement such designs directly - that is, as physically distributed systems composed of independent processors connected by external communications lines.

More commonly, however, and especially when the number of components in the distributed design is large relative to the overall scale of the system, it will be more cost-effective to implement the entire system on a single processor. In this case, the security characteristics of the distributed system must be provided by logical rather than physical mechanisms and this can be accomplished by re-introducing the concept of a security kernel, but in a different guise to that seen previously.

The overall security of a distributed system rests partly on the physical separation of its components and partly on the critical functions performed by some of those components. The role which I propose for a security kernel is simply that it should re-create, within a single shared machine, an environment which supports the various components of the system, and provides the communications channels between them, in such a way that individual components of the system cannot distinguish this shared environment from a physically distributed one. If this can be achieved, then surely the shared implementation retains all the security properties of a truly distributed system. Observe that such a kernel knows nothing of the security policy enforced by the system - that responsibility remains embedded in the

critical components. And notice, too, that those critical components require no special privileges of the kernel; we have completely decoupled the properties required of the security kernel from those concerned with the larger questions of the system's overall purpose and policy.

In an ideal, physically distributed implementation, each component of the system runs on its own private and physically isolated machine. The task of a security kernel, therefore, is to provide an isolated `virtual machine' (VM) for each component and to handle communications between these virtual machines. A kernel of this form is obviously very similar to a `virtual machine monitor' (VMM): that is, a system which provides each of its users with a separate, simulated copy of its hardware base (VM/370 is, perhaps, the best known example of such a system). It is widely recognised that VMMs provide a suitable basis for the construction of secure systems and at least two systems have been constructed along these lines [12, 26]. However, the type of kernel which I am proposing differs from a VMM in that there is no requirement for it to provide VMs which are exact copies of the base hardware (or even for all the VMs to be alike) - but there is a requirement for it to provide communications channels between some of its VMs. In order to avoid confusion with established terminology, I shall call this new type of security kernel a `separation kernel' and I shall speak of the VMs which it supports as `regimes.'

The next step is to deduce a precise statement of the security properties required of a separation kernel and to develop a technique for verifying these properties. Before doing so, however, it seems best to assist the reader's intuition and to provide some motivation by outlining the design of a particular separation kernel.

An Example

The separation kernel concerned is an operational one known as the `Secure User Environment' (SUE). It runs on a PDP-11/34 and was designed and constructed by T4 Division of the Royal Signals and Radar Establishment at Malvern, England, in order to support applications similar to the SNFE described earlier. One of the chief design aims of the SUE was that it should be minimally small and very simple [5]. (The SDC Communications Kernel [11] is a similar system, though rather more complex.)

Because the SUE is only required to provide a fixed (and small) number of regimes, each of which executes a fixed (and small) program, there is no need for it to support paging or virtual memory management as found in the kernels of general-purpose systems such as KVM/370 [12]. Instead, a much simpler memory resident system is possible in which each regime is permanently allocated to a fixed partition of real memory while the SUE itself occupies another fixed partition. The SUE manipulates the memory management features of the PDP-11/34 in order to arrange for its own protection and the mutual isolation of its regimes.

In order to further reduce its size and simplify its design, the SUE performs no scheduling functions. Regimes are given control on a round-robin basis and execute until they suspend voluntarily (via a SWAP call to the SUE). Because the whole system is dedicated to a single function, `denial of service' is not a security problem (although it is clearly a reliability issue).

Input/output via Direct Memory Access (DMA) poses a security threat on most machines (including PDP-11s) since it uses absolute addresses and thereby evades the protection of the memory management hardware. For this reason, conventional kernels must handle or mediate all I/O operations and this is a source of significant complexity in their design. The SUE adopts a far more ruthless approach: DMA is permanently excluded from the system. (The efficiency problems this might seem to cause are overcome by the use of special-purpose hardware [18].) With DMA excluded from the system, almost all responsibility for I/O can be removed from the SUE since the memory management of a PDP-11 allows device registers to be protected just like ordinary memory locations. Each device supported by the system is permanently and exclusively allocated to a fixed regime and its device registers are located in the address space of that regime. Responsibility for each device then rests with the regime which controls its device registers. The only responsibility of the SUE with respect to I/O activity is to field interrupts (since the hardware vectors these through kernel address space) and pass them on to the appropriate regime for handling. Return from interrupts similarly requires minor assistance from the SUE.

Apart from the provision of the communications channels that are required between certain regimes, this description has summarised just about the whole of the SUE. Readers will appreciate that, in comparison with a conventional security kernel, the SUE is indeed small and simple. (It occupies about 5K words, including all stack and data space.) What we seek now is a verification technique that exploits this simplicity in order to provide perspicuous and compelling evidence of the SUE's security.

4 Verification

The task of a separation kernel is to create an environment which is indistinguishable from that provided by a physically distributed system: it must appear as if each regime is a separate, isolated machine and that information can only flow from one machine to another along known external communications lines. One of the properties we must prove of a separation kernel, therefore, is that there are no channels for information flow between regimes other than those explicitly provided. In the case of the SNFE described earlier, for example, there must be no direct channels between the red and black regimes - although the channels via the crypto and the censor are quite legitimate. By allowing certain channels and demanding the absence of all others, we create a rather difficult verification problem. It would be much easier to

demand the absence of all channels - that would correspond to a policy of isolation and seems a more reasonable candidate for verification. Analogy with a physically distributed system suggests how the original problem can be simplified in this way: if we cut the communication channels that are allowed, then, provided there are no illicit channels present, the components of the system will become completely isolated from one another. It now remains to discover how to `cut' communication lines that are not physical wires but properties of the kernel software.

The solution to this problem is easily seen once we consider how communication is actually accomplished in software - by the use of shared objects. If regimes A and B have a communication channel between them, then there must, at bottom, be some shared object, say X, which the sender can write and the receiver can read. If we now replace all of A's references to X by references to a new object, X1, and all of B's references to X by references to another new object, X2, then this is equivalent to `cutting' the communication channel represented by X, with X1 and X2 taking the parts of the two `ends' produced by the cut. If, following this `cutting' of the `X channel,' we are able to demonstrate that the A and B regimes have become isolated, then it follows that this was the only channel between them.

This is an indirect argument and may appear specious to some: we prove a property (isolation) of one system (that with its `wires cut') and infer another property (absence of illicit channels) of a different system. However, if the differences between the two systems are of the very limited, controlled form that I have described (involving only the `aliasing' of certain names), so that the consequences of the differences between them may be understood completely, then, surely, the technique is sound. (For more extended discussion, and an example of the application of the technique, see [30].)

We now need a method for proving that a separation kernel (with its `wires cut') enforces isolation on its regimes: we must prove the total absence of any information flow from one regime to another. The technique which has been used to verify secure information flow in kernels constructed by the Mitre Corporation [20] and in KSOS [7, 10], and which seems to be widely accepted, is known as `Information Flow Analysis' (IFA) [21] - sometimes also called `security flow analysis.' It might be thought that this will also provide a satisfactory technique for verifying a separation kernel. But this is not so.

One reason for this is that IFA cannot verify some of the machine-level manipulations that must be performed by a separation kernel - the SWAP operation provides a simple example.

Consider a separation kernel supporting just two regimes, identified as RED and BLACK. When the RED regime is executing, it may relinquish the CPU by performing a SWAP operation. The effects of this operation must include the saving of the current contents of the general registers in a RED save area, and their reloading with values from a BLACK save area. Verification by IFA requires that

operations invoked by RED may only access RED values - but it is evident that the SWAP operation must access both RED and BLACK values. It follows that IFA cannot verify the security of a SWAP operation, even though it is manifestly secure (see [30] for more extended discussion and some worked examples). The cause of this failure is that IFA is a syntactic technique: it is concerned only with the security classifications (`colours') of variables, not their values. This deficiency can be overcome by applying IFA to a high-level specification of the kernel (in which, for example, each regime is provided with its own set of general registers) rather than to the kernel implementation itself. The security of the implementation can then be established by showing it to be a correct implementation of the secure high-level specifications [23]. In conventional practice, however, this second stage is not performed. For KSOS, for example, only `illustrative' proofs of the implementation were provided [7].

Because the KSOS kernel contains, among other things, a mechanism to support a multilevel secure file system, verification of the security of its high-level specifications is a significant task. It would be vastly more difficult and hugely expensive to verify the correctness of its implementation as well. Using a separation kernel, however, issues such as the verification of a multilevel file-server are factored out and handled separately from the verification of the kernel. Almost the entire activity of a separation kernel is concerned with the detailed management of features of the base hardware. In order to apply IFA, we must abstract away from these details and provide a high-level specification - whose verification would amount to little more than exhibiting a tautology. Almost the whole burden of verifying the security of the real kernel would then fall to the `correctness' stage. While this procedure may be sound, it is very indirect and fails to provide one of the principal benefits we should desire of a kernel verification technique: a sharpened understanding of the issues that determine a kernel's `security.'

A more conclusive argument against IFA as a verification technique for separation kernels is that it is incomplete: it does not address matters concerning the flow of control - in particular, the handling of interrupts. Recall that the SUE kernel does very little except field interrupts and allow one regime to swap control to another - and IFA provides no basis for the verification of these important and tricky matters. Questions relating to control flow cannot even be formulated within the mathematical model [9] that justifies IFA as a verification technique. In fact, it is doubtful whether that model really provides a sound basis for the verification of any sort of security kernel - but then it was not formulated for that purpose. Feiertag's model was intended to provide a basis for verifying the `Secure Object Manager' (SOM) of PSOS [22] - for which purpose it is eminently suitable. The model formulates a specification of multilevel security for a system which consumes inputs that are tagged with their security classifications and produces similarly tagged outputs. `Ordinary' programs, such as the SOM or a file-server, are sound

interpretations of this model. But a kernel is different. A kernel is essentially an abstract interpreter - it behaves like a hardware extension and executes instructions on behalf of its regimes. The identity of the regime on whose behalf it is operating at any time is not indicated by a tag affixed to the instruction by some external agent, but is determined by the kernel's own state.

To provide a sound basis for the verification of a kernel, we really need a model that captures its essential characteristics more completely and realistically. Robinson, one of those responsible for the verification of KSOS, has observed:

"Despite current successes in proving that a given piece of kernel software provides security, it cannot be proven with existing techniques that there is no way to circumvent that piece of software. The answer may be to add some explicit notion of interpretation to the state machine model. This extended model would make it possible to address such concerns as parallelism, language semantics, and interrupt handling." [29]

A model with some of these characteristics is described in a companion paper to this [31] and is used to justify a new method for verifying kernels which enforce the policy of isolation. An informal explanation of this method is given in the next section.

Proof of Separability

The purpose of a separation kernel is to simulate a distributed environment. To the software in each regime, the environment provided by a separation kernel should be indistinguishable from that of an isolated machine dedicated to its private use. We can call this imaginary, private machine the `abstract' machine for that regime, while the single, shared system that is actually available is called the `concrete' machine. What we desire, for security, is that each regime's view of the concrete machine should exactly coincide with its own abstract machine. A similar requirement expresses the `correctness' criterion for implementations of abstract data types. This latter criterion may be formulated precisely in terms of an `abstraction function' [14]: that is, a function which maps from concrete to abstract states. The interesting feature of a separation kernel is that it is required to support several different abstractions simultaneously (a separate one for each regime) and it seems natural, therefore, to formulate the properties required of it in terms of multiple abstraction functions.

Take the simple case of a system supporting just two regimes - RED and BLACK. The abstraction function REDABS will map the states of the concrete machine into those of RED's abstract machine, while BLACKABS does likewise for BLACK. Now suppose the concrete machine performs some operation, COP, on behalf of the RED regime. We must require that the effects of this operation, as

15 machinefromaninitialstatextoanalstatey,wedemandthatredabs(y) formedbytheredabstractmachine.thus,ifexecutionofcoptakestheconcrete isexactlythesamestateoftheredabstractmachineasthatwhichresultsfrom perceivedbytheredregime,arejustasifsomeoperationredophadbeenper- otherwords,werequirethefollowingdiagramtocommute: applyingtheabstractoperationredoptotheabstractstateredabs(x).in 6 REDOP -6 REDABS REDABS Thisconditionensuresthattheregimewhichiscurrently`active'ontheconcrete COP - machinecannotdistinguishitsactualenvironmentfromthatofitsabstractmachine. Butitisalsocrucialthattheexecutionofaconcreteoperationonbehalfoftheactive regimeshouldnotaectthestateofthemachineperceivedbycurrently`inactive' regimes.forisolationbetweenredandblack,therefore,werequirethatthe concretestatetransitionfromxtoycausedbyexecutingcoponbehalfofred shouldcausenocorrespondingchangeinthestatesofinactiveregimes.thatis,we requirethatblackabs(x)=blackabs(y),orindiagrammaticform: I BLACKABS BLACKABS BecauseI/Odevicescandirectlyobserveandchangeaspectsoftheconcretemachine'sinternalstate(byreadingandwritingitsdeviceregisters,forexample),and canalsoinuenceitsinstructionsequencingmechanism(byraisinginterrupts),the COP - 15

16 ditionsontheirbehaviour.expressedinformally(andonlyfromtheredregime's activityofthesedevicesisrelevanttosecurity.consequently,wemustimposecon- pointofview),theseconditionsare: a)ifredabs(x)=redabs(y)andactivitybyaredi/odevicechanges thestateoftheconcretemachinefromxtox0,andthesameactivitywill alsochangeitfromytoy0,thenredabs(x0)=redabs(y0)(i.e.,state b)ifactivitybyanon-redi/odevicechangesthestateoftheconcretemachine changesintheredregimecausedbyredi/oactivitymustdependonlyon theactivityitselfandthepreviousstateoftheredregime). c)ifredabs(x)=redabs(y),thenanyoutputsproducedbyredi/o fromxtoy,thenredabs(x)=redabs(y)(i.e.,non-redi/odevices cannotchangethestateoftheredregime). d)ifredabs(x)=redabs(y),thenthenextoperationexecutedonbehalf oftheredregimemustalsobethesameinbothcases. devicesmustbethesameinbothcases. Conditionsa)andb)abovearetheanalogues,forI/Odevices,oftheconditions arability.'amoreprecisestatementofthesixconditionsmaybefoundinthe constitutethebasisforakernelvericationtechniquewhichicall`proofofsep- imposedoncpuoperationsbythecommutativediagramsgivenearlier.allsix Appendixtothispaper.Aformalderivationofthesixconditions,whichattempts conditions(thefouraboveandthetwoexpressedinthecommutativediagrams) relationshipbetweenthismethodandvericationbyifaisexaminedin[30],which todemonstratethattheyareexactlytherightconditions,isgivenin[31],whilethe morerealisticseriesofexampleapplicationsiscurrentlyinpreparation. securitykernelvericationsinceitisbasedonamorerealisticmodelandcanaddress alsocontainsasmallexampleoftheapplicationofthemethod.descriptionofa alltheimportantissues,includingthoserelatingtointerrupts,quitenaturally.also, itcorrespondstoastraightforwardintuitionaboutwhatsecurity`is'andencourages `ProofofSeparability'seemstobetechnicallysuperiortoothermethodsfor areinvisibletoallotherregimes). 
capableofcompletedescriptionintermsoftheobjectsknowntothatregime(and thekerneldesignertoexaminehissystemfromtheviewpointofeachindividual regimeinordertoensurethattheresultsofeveryactioninvokedbyaregimeare Conclusion IhaveproposedanapproachtothedesignandvericationofsecuresystemswhichI suggestisparticularlyappropriatetosmallspecial-purposeapplications.iadvocate 16

17 achievedpartlybythephysicalseparationoftheindividualcomponentsandpartly thatsecuresystemsshouldbeconceivedasdistributedsystemsinwhichsecurityis bythetrustedfunctionsperformedbysomeofthosecomponents.thetaskof specifyingandverifyingthepropertiesrequiredofthetrustedcomponentsinorder toachieveoverallsecurityshouldbetackledatthislevelofabstractionandonthe assumptionthatcomponentsarephysicallyisolatedfromoneanother.thepurpose ofasecuritykernelissimplytoallowsucha`distributed'systemtoactuallyrun withinasingleprocessor:itsroleistoprovideeachcomponentofthesystemwith anenvironmentwhichisindistinguishablefromthatwhichwouldbeprovidedbya canbehandledbyseparatevirtualmachinescanbetracedbacktoanderson[3]. of`levelsofkernels'[26,27]whiletheideathatthemanagementofsharedresources securitykernel.thereissomesimilaritybetweentheseproposalsandpopek'snotion trulyandphysicallydistributedsystem.policyenforcementisnottheconcernofa vericationofthecomponentswhichperformtrustedfunctionsfromtheverication ofthesecuritykernel.thislattertaskmaybeaccomplishedbyanewverication techniquewhichicall`proofofseparability.' Thisapproachachievesaseparationofconcernsbycompletelydecouplingthe securityisbasedonsimplermechanismsandwhosevericationiscorrespondingly simpler,morecompleteandmorecompellingthanisthecaseatpresent. Applicationofthesetechniquesshouldassistthedevelopmentofsystemswhose Separability.'Thestatementisexpressedintermsofaparticularformalmodelfor AThisappendixgivesamoreprecisestatementofthesixconditionsfor`Proofof Appendix fortheparticularchoiceofconditionsdeningproofofseparabilitymaybefound in[31]. 
completedescription,togetherwithargumentsforitssuitabilityandjustication computersystems.spacepermitsonlyatersedescriptionofthemodelhere;amore onthosestates.thesysteminteractswithitsenvironmentbyconsumingelements ofasetiofinputsandproducingelementsofasetoofoutputs.ateachtimestep, thesystememitsanoutputandchangesstate.theoutputemitteddependsupon ThemodelcomprisesanitesetSofstatesandasetOPSS!Sofoperations thesystem'sstateandthisactionismodelledbythefunctionoutput:s!o. selectionmechanismismodelledbythefunctionnextop:s!ops.thus,if andthesecondbytheselectionandexecutionofanoperation.theeectofreceiving aninputismodelledbythefunctioninput:si!s,whiletheoperation Statechangesoccurintwostages:therstiscausedbythereceiptofaninput, thecurrentstateofthesystemissandthecurrentvalueoftheinputavailablefrom theenvironmentisi,thesystemwillemittheoutputoutput(s)andmovetothe 17

18 of`colours.'exactlyoneuseris`active'atanytime:heistheuseruponwhose consumptionoftheinputi. statenextop(s)(s),wheres=input(s;i)istheintermediatestateresultingfrom dependsuponthestateofthesystemattheinstantwhenanoperationisselected behalfinstructionsarecurrentlybeingexecuted.theidentityoftheactiveuser Asharedsystemsupportsanumberof`users'whoareidentiedwithasetC usedtopickoutcomponentsofaparticularcolour.thus,whenc2c,i2i,and ponentswhichare`private'toeachuser.theprojectionfunctionextractis forexecution.itisdeterminedbythefunctioncolour:s!c. o2o,extract(c;i)andextract(c;o)denotethec-colouredcomponentsof Theinputsandoutputsofasharedsystemarecomposedofindividualcom- theinputiandtheoutputorespectively. usermustbecompletelyconsistentwiththatwhichcouldbeprovidedbyanonsharedsystemdedicatedtohisexclusiveuse.thisisachievedifeachuserc2c Forasharedsystemtobesecure,theinput/outputbehaviourperceivedbyeach canproduceasetscofc-coloured`abstractstates'andasetopscsc!scof c-coloured`abstractoperations,'togetherwith`abstractionfunctions' and ABOPc:OPS!OPSc c:s!sc whichsatisfy,8c2c;8s;s02s;8op2ops;8i;i02i: 1)COLOUR(s)=cc(op(s))=ABOPc(op)(c(s)), 2)COLOUR(s)6=cc(op(s))=c(s), 5)c(s)=c(s0) 4)EXTRACT(c;i)=EXTRACT(c;i0)c(INPUT(s;i))=c(INPUT(s;i0)), 3)c(s)=c(s0)c(INPUT(s;i))=c(INPUT(s0;i)), 6)COLOUR(s)=COLOUR(s0)=c^c(s)=c(s0) NEXTOP(s)=NEXTOP(s0). EXTRACT(c;OUTPUT(s))=EXTRACT(c;OUTPUT(s0)), Conditions1)and2)correspondtothetwocommutativediagramsinthetext,while conditions3)to6)correspondtothoselabelleda)tod)inthetext. ThesearetheformalstatementsofthesixconditionsforProofofSeparability. 18
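
Because the model in the Appendix is finite, the six conditions can be checked by brute force on a small machine. The following Python example is added here and is not code from the paper: the two one-bit registers, the operations inc, swap and leak, the two NEXTOP variants, and the name phi for the abstraction function are all assumptions chosen for illustration. It checks a well-behaved kernel, one with an operation that writes into the inactive regime, and one whose scheduling decision depends on the inactive regime's state.

```python
"""Exhaustive check of the six Proof of Separability conditions on a toy machine."""
from itertools import product

RED, BLACK = "RED", "BLACK"
COLOURS = (RED, BLACK)
IDX = {RED: 1, BLACK: 2}  # position of each regime's register in a state tuple

# Concrete state: (active colour, RED register, BLACK register), registers are 1 bit.
STATES = [(a, r, b) for a in COLOURS for r in (0, 1) for b in (0, 1)]
# Input: (RED component, BLACK component); None means no input for that regime.
INPUTS = list(product((None, 0, 1), repeat=2))


def other(c):
    return BLACK if c == RED else RED


def with_reg(s, c, v):
    t = list(s)
    t[IDX[c]] = v
    return tuple(t)


# Concrete operations (elements of OPS), each a function S -> S.
def inc(s):   # flip the active regime's own register
    return with_reg(s, s[0], 1 - s[IDX[s[0]]])


def swap(s):  # hand the processor to the other regime
    return (other(s[0]), s[1], s[2])


def leak(s):  # deliberately bad: copy the active register into the inactive regime
    return with_reg(s, other(s[0]), s[IDX[s[0]]])


def colour(s):            # COLOUR: S -> C
    return s[0]


def phi(c, s):            # abstraction function: regime c sees only its register
    return s[IDX[c]]


def extract(c, io):       # EXTRACT: c-coloured component of an input or output
    return io[IDX[c] - 1]


def output(s):            # OUTPUT: S -> O
    return (s[1], s[2])


def inp(s, i):            # INPUT: S x I -> S, each component loads its own register
    for c in COLOURS:
        if extract(c, i) is not None:
            s = with_reg(s, c, extract(c, i))
    return s


def abop(c, op):          # ABOP: abstract counterpart of op on c's one-bit state
    return (lambda a: 1 - a) if op is inc else (lambda a: a)


def nextop_ok(s):         # depends only on the active regime's own register
    return inc if phi(colour(s), s) == 0 else swap


def nextop_bad(s):        # scheduling depends on the inactive regime's register
    return swap if phi(other(colour(s)), s) == 1 else inc


def violations(ops, nextop):
    """Return the sorted condition numbers (1-6) violated by this machine."""
    bad = set()
    for c in COLOURS:
        for s in STATES:
            for op in ops:
                if colour(s) == c and phi(c, op(s)) != abop(c, op)(phi(c, s)):
                    bad.add(1)
                if colour(s) != c and phi(c, op(s)) != phi(c, s):
                    bad.add(2)
            for i, i2 in product(INPUTS, repeat=2):
                if (extract(c, i) == extract(c, i2)
                        and phi(c, inp(s, i)) != phi(c, inp(s, i2))):
                    bad.add(4)
            for s2 in STATES:
                if phi(c, s) != phi(c, s2):
                    continue
                if any(phi(c, inp(s, i)) != phi(c, inp(s2, i)) for i in INPUTS):
                    bad.add(3)
                if extract(c, output(s)) != extract(c, output(s2)):
                    bad.add(5)
                if colour(s) == colour(s2) == c and nextop(s) is not nextop(s2):
                    bad.add(6)
    return sorted(bad)


if __name__ == "__main__":
    print("separable kernel :", violations([inc, swap], nextop_ok))
    print("leaky operation  :", violations([inc, swap, leak], nextop_ok))
    print("leaky scheduling :", violations([inc, swap], nextop_bad))
```

The scheduling variant passes conditions 1) to 5) and fails only 6), which is the control-flow case that the text argues IFA cannot express.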

References

[1] S. R. Ames Jr. Security kernels: A solution or a problem? In Proceedings of the Symposium on Security and Privacy, pages 141-150, Oakland, CA, April 1981. IEEE Computer Society.

[2] S. R. Ames Jr. and J. G. Keeton-Williams. Demonstrating security for trusted applications on a security kernel base. In Proceedings of the Symposium on Security and Privacy, pages 145-156, Oakland, CA, April 1980. IEEE Computer Society.

[3] J. P. Anderson. Systems architecture for security and protection. In C. R. Renninger, editor, Approaches to Privacy and Security in Computer Systems, pages 49-50. NBS Special Publication 404, GPO SD Catalog No. C13.10:404, Washington, D.C., 1974.

[4] K. Auerbach. Secure personal computing (technical correspondence). Communications of the ACM, 23(1):36-37, January 1980.

[5] D. H. Barnes. Computer security in the RSRE PPSN. In Networks '80, pages 605-620. Online Conferences, June 1980.

[6] D. E. Bell and L. J. La Padula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR , Mitre Corporation, Bedford, MA, March 1976.

[7] T. A. Berson and G. L. Barksdale Jr. KSOS - development methodology for a secure operating system. In National Computer Conference, volume 48, pages -371. AFIPS Conference Proceedings, 1979.

[8] D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Communications of the ACM, 20(7):504-513, July

[9] R. J. Feiertag, K. N. Levitt, and L. Robinson. Proving multilevel security of a system design. In Sixth ACM Symposium on Operating System Principles, pages 57-65, November 1977.

[10] Ford. KSOS verification plan. Technical Report WDL-TR-7809, Ford Aerospace and Communications Corporation, Palo Alto, CA, March 1978.

[11] D. L. Golber. The SDC communications kernel, August 1981. Presented at DoD Computer Security Industry Seminar.

[12] B. D. Gold et al. A security retrofit of VM/370. In National Computer Conference, volume 48, pages 335-344. AFIPS Conference Proceedings, 1979.

[13] A. Hathaway. LSI guard system specification (type A). Technical Report Draft, MITRE Corporation, Bedford, MA, July 1980.

[14] C. A. R. Hoare. Proof of correctness of data representations. Acta Informatica, 1:271-281, 1972.

[15] B. W. Lampson. A note on the confinement problem. Communications of the ACM, 16(10):613-615, October 1973.

[16] C. E. Landwehr. Assertions for verification of multilevel secure military message systems. ACM Software Engineering Notes, 5(3):46-47, July 1980.

[17] S. B. Lipner. A comment on the confinement problem. In Fifth ACM Symposium on Operating System Principles, pages 192-196. ACM, 1975.

[18] A. F. Martin and J. K. Parks. Intelligent X25 level 2 line units for packet switching. In Networks '80, pages 371-384. Online Conferences, 1980.

[19] E. J. McCauley and P. J. Drongowski. KSOS - the design of a secure operating system. In National Computer Conference, volume 48, pages 345-353. AFIPS Conference Proceedings, 1979.

[20] J. K. Millen. Security kernel validation in practice. Communications of the ACM, 19(5):243-250, May 1976.

[21] J. K. Millen. Operating system security verification. Technical Report M79-223, MITRE Corporation, Bedford, MA, September 1979.

[22] P. G. Neumann, R. S. Boyer, R. J. Feiertag, K. N. Levitt, and L. Robinson. A provably secure operating system: The system, its applications, and proofs. Technical report, SRI International, May 1980. Second Edition, Report CSL-

[23] P. G. Neumann et al. Software development and proofs of multi-level security. In Proc. 2nd International Conference on Software Engineering, pages 421-428, San Francisco, CA, 1976.

[24] M. A. Padlipsky, K. J. Biba, and R. B. Neely. KSOS - computer network applications. In National Computer Conference, volume 48, pages 373-381.

[25] G. J. Popek et al. UCLA secure UNIX. In National Computer Conference, volume 48, pages 355-364. AFIPS Conference Proceedings,

[26] G. J. Popek and C. S. Kline. A verifiable protection system. In Proc. International Conference on Reliable Software, pages 294-304, Los Angeles, CA,


More information

CERTIFICATION OF COMPLIANCE

CERTIFICATION OF COMPLIANCE Item: 85023001, Artemis Plant Watercolors 25 ml - carmine red CEO. Item: 85023002, Artemis Plant Watercolors 25 ml - vermilion CEO. Item: 85023003, Artemis Plant Watercolors 25 ml - kamala orange CEO.

More information

Key coding for Fiat / Alfa / Lancia / Iveco

Key coding for Fiat / Alfa / Lancia / Iveco Key coding for Fiat / Alfa / Lancia / Iveco This is PRELIMINARY WORKING DRAFT for SECONS Ltd. internal use and FiCOM users. Please excuse the typos and errors. Table of Contens Transponder types...1 Body

More information

Motion Graphs. It is said that a picture is worth a thousand words. The same can be said for a graph.

Motion Graphs. It is said that a picture is worth a thousand words. The same can be said for a graph. Motion Graphs It is said that a picture is worth a thousand words. The same can be said for a graph. Once you learn to read the graphs of the motion of objects, you can tell at a glance if the object in

More information

Facility Online Manager

Facility Online Manager Facility Online Manager Instruction for users FOM TM is an online accounting and instrument management software. This software can be used as a simple online scheduler for small research group, or as a

More information

How to Become a Pharmacist/Pharmacy Technician. Job Description

How to Become a Pharmacist/Pharmacy Technician. Job Description HowtoBecomeaPharmacist/PharmacyTechnician JobDescription PharmacyTechniciansworkalongsidePharmacistsandhavemanydifferent responsibilitiesintheirjobsetting.jobrequirementsincludemeasuringand labelingmedications,countingpills,workingwithpatientrecordsandtakinginsurance

More information

R&S FT5066 Trusted Filter Radio control information filter red/black separation

R&S FT5066 Trusted Filter Radio control information filter red/black separation Secure Communications Data Sheet 02.00 R&S FT5066 Trusted Filter Radio control information filter red/black separation to STANAG R&S FT5066 Trusted Filter At a glance The R&S FT5066 trusted filter is developed

More information

REPROGRAPHICS/QUICK COPIES

REPROGRAPHICS/QUICK COPIES Solar Financials University Hall 360 Phone: (818) 677-6685 Mail Code: 8337 REPROGRAPHICS/QUICK COPIES REPROGRAPHICS ENVELOPES STATIONERY BUSINESS CARDS REPROGRAPHICS: 1. Select the blue Reprographics hyperlink

More information

ACADEMIC AFFAIRS COUNCIL ******************************************************************************

ACADEMIC AFFAIRS COUNCIL ****************************************************************************** ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4.C.1 DATE: January 20, 2011 ****************************************************************************** SUBJECT: New Site Request NSU, BS Marketing, Online Northern

More information

Softstart. Upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools...2. 3. PCB information...2. 4. Step by step...

Softstart. Upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools...2. 3. PCB information...2. 4. Step by step... Softstart Upgrade to Torque control PST30 300 PSTB370 1050 1SFC132040M0201 RevA Dec-06 Contents 1. ESD Warning...2 2. Tools...2 3. PCB information...2 4. Step by step...3 5. Configuration of the LV board...7

More information

amymalanga sampleportfolio

amymalanga sampleportfolio amymalanga sampleportfolio am amymalanga 989 430.8188 amymalanga@gmail.com 1265 Downing Street #506 80218 Education Metropolitan State College of Denver January 2008-May 2010 BFA in Communication Design

More information

universal data model resource book v2

universal data model resource book v2 universal data model resource book v2 Online manuals are a fun way to have information An additional benefit of having the ability to keep and access user manuals on your pc is the fact keep these things

More information

Enterphone Solo. User/Installation Manual Part No. 421-2001

Enterphone Solo. User/Installation Manual Part No. 421-2001 Enterphone Solo User/Installation Manual Viscount Communication and Control Systems Inc. 4585 Tillicum Street, Burnaby, B.C., Canada V5J 5K9 Phone: (604) 327-9446 Toll Free: 1-800-476-3774 Fax: (604) 327-3859

More information

The Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org

The Risks that Pen Tests don t Find. OWASP 13 April 2012. The OWASP Foundation http://www.owasp.org The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services gaskell@infosecservices.com 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify

More information

10DBMC International Conference On Durability of Building Materials and Components LYON [France] 17 20 April 2005

10DBMC International Conference On Durability of Building Materials and Components LYON [France] 17 20 April 2005 10DBMC International Conference On Durability of Building Materials and Components Wall Cladding System Durability Lessons Learned from the Premature Deterioration of Wood-Framed Construction Clad with

More information

535T Window Automation System

535T Window Automation System 535T Window Automation System Installation Guide NOTE: This product is intended for installation by a professional installer only! Any attempt to install this product by any person other than a trained

More information

Combined Proxy Re-Encryption

Combined Proxy Re-Encryption Combined Proxy Re-Encryption Orange Labs, Applied Crypto Group, Université de Caen Basse-Normandie, GREYC, Sébastien Canard et Julien Devigne Journées C2 2012, Dinard Proxy Re-Encryption ( PRE ) Second

More information

ONLINE APPLICATION INSTRUCTIONS

ONLINE APPLICATION INSTRUCTIONS ONLINE APPLICATION INSTRUCTIONS Welcome to the Air Force Aid Society s Education Grant Portal, home to the online application for the General Henry H. Arnold AFAS Education Grant Program. The following

More information

To the Instructor... vii. Lesson Planning and Answers to Review Questions. Introduction to Health Information Management

To the Instructor... vii. Lesson Planning and Answers to Review Questions. Introduction to Health Information Management Contents To the Instructor... vii Lesson Planning and Answers to Review Questions PART 1 Introduction to Health Information Management CHAPTER 1 Health Care Delivery Systems...3 CHAPTER 2 The Health Information

More information

3704-0147 Lithichrome Stone Paint- LT Blue Gallon 3704-0001 Lithichrome Stone Paint- Blue 2 oz 3704-0055 Lithichrome Stone Paint- Blue 6 oz 3704-0082

3704-0147 Lithichrome Stone Paint- LT Blue Gallon 3704-0001 Lithichrome Stone Paint- Blue 2 oz 3704-0055 Lithichrome Stone Paint- Blue 6 oz 3704-0082 Lithichrome Colors Item Number Item Description 120-COL Lithichrome Stone Paint - Any Size or Color 3704-0011 Lithichrome Stone Paint- LT Blue 2 oz 3704-0066 Lithichrome Stone Paint- LT Blue 6 oz 3704-0093

More information

The Construction Industry s Leading Certification Card Scheme

The Construction Industry s Leading Certification Card Scheme The Construction Industry s Leading Certification Card Scheme How SmartCards work SmartCards can be read using an enabled smartphone, tablet device or Card reader connected to a laptop or PC Android Smartphones

More information

STANDARD OPERATING INSTRUCTION. Worksite Safety Traffic Management Procedure

STANDARD OPERATING INSTRUCTION. Worksite Safety Traffic Management Procedure STANDARD OPERATING INSTRUCTION Worksite Safety Traffic Management Procedure November 2012 Title System Reference Number Approved By Worksite Safety Traffic Management People and Wellbeing SOI-GVW-329 Manager

More information

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik Common Criteria Protection Profile Cryptographic Modules, Security Level Enhanced BSI-CC-PP-0045 Endorsed by the Foreword This Protection Profile - Cryptographic Modules, Security Level Enhanced - is issued

More information

Point-of-Sale (POS) Malware: Tactics and Strategies for Protecting Customer Payment Information

Point-of-Sale (POS) Malware: Tactics and Strategies for Protecting Customer Payment Information Point-of-Sale (POS) Malware: Tactics and Strategies for Protecting Customer Payment Information Bit9 and Carbon Black Jeffrey J. Guy 20 Feb 14 jjguy@bit9.com @jjguy 2014 Bit9. All Rights Reserved Introduction

More information

WIRING HARNESS FOR AS635P4. BLUE PLUG RED, BLUE, BLACK, WHITE - Plug in dual stage sensor harness

WIRING HARNESS FOR AS635P4. BLUE PLUG RED, BLUE, BLACK, WHITE - Plug in dual stage sensor harness WIRING HARNESS FOR AS635P4 ANTENNA NOT USED 5 PIN WHITE PLUG 2 PIN WHITE PLUG GREEN - PARKING BRAKE INPUT (-) BLUE - NOT USED 3 PIN BLUE PLUG RED, BLUE, BLACK, WHITE - Plug in dual stage sensor harness

More information

Softstart. Changing of Printed Circuit Board, Display, Keypad and upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools...

Softstart. Changing of Printed Circuit Board, Display, Keypad and upgrade to Torque control PSTB370 1050. Contents. 1. ESD Warning...2. 2. Tools... Softstart Changing of Printed Circuit Board, Display, Keypad and upgrade to Torque control PST30 300 PSTB370 1050 1SFC132009M0201 Rev A Dec-06 Contents 1. ESD Warning...2 2. Tools...2 3. PCB information...2

More information

DESTINY 1/19/96 # 800-6006A

DESTINY 1/19/96 # 800-6006A DESTINY TABLE OF CONTENTS KEYPAD AND PHONE DIGIT QUICK REFERENCE NOTE: KEYPAD AND PHONE DIGIT QUICK REFERENCE POWER STATUS HOME AWAY MONITOR DESTINY INTRODUCTION CONTROL PANEL DETECTION DEVICES SWITCHES

More information

Watchdog International Ltd

Watchdog International Ltd Watchdog International Ltd Child On-line Protection in the Pacific Islands Industry Involvement September 2014 September 2014 Filtering 1 Presentation Overview Introduction The Industry Industry COP Initiatives

More information

New Employment Forms - Appendix A

New Employment Forms - Appendix A New Employment Forms - Appendix A The following new forms are available for use. They can be used electronically for easy emailing or printed for fax. Your Recruiting Specialist will forward these forms

More information

Security Issues and Solutions in Peer-topeer Systems for Real-time Communications

Security Issues and Solutions in Peer-topeer Systems for Real-time Communications Security Issues and Solutions in Peer-topeer Systems for Real-time Communications draft-schulzrinne-p2prg-rtc-security-00 Henning Schulzrinne Enrico Marocco Emil Ivov March 2009 (IETF 74) IETF - P2PRG

More information

An Analysis of the NRC's Assessment of the Doctoral Programs in Public Affairs

An Analysis of the NRC's Assessment of the Doctoral Programs in Public Affairs An Analysis of the NRC's Assessment of the Doctoral Programs in Public Affairs Göktuğ Morçöl & Sehee Han Pennsylvania State University Prepared for the NASPAA Annual Conference November 2014, Albuquerque,

More information

ACADEMIC AFFAIRS COUNCIL ******************************************************************************

ACADEMIC AFFAIRS COUNCIL ****************************************************************************** ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4.D.1 DATE: April 16, 2009 ****************************************************************************** SUBJECT: Intent to Plan BHSU AS in Human Services Black Hills

More information

Family Connection by Naviance

Family Connection by Naviance Family Connection by Naviance 1 Family Connection We are pleased to introduce Family Connection from Naviance, a web based service designed especially for students and parents. Family Connection is a comprehensive

More information