GLOSSARY OF COMPUTER SECURITY ACRONYMS
AIS Automated Information System
COMPUSEC Computer Security
COMSEC Communications Security
CSTVRP Computer Security Technical Vulnerability Reporting Program
DAA Designated Approving Authority
DAC Discretionary Access Control
DES Data Encryption Standard
DPL Degausser Products List
DTLS Descriptive Top-Level Specification
EPL Evaluated Products List
ETL Endorsed Tools List
FTLS Formal Top-Level Specification
MAC Mandatory Access Control
NCSC National Computer Security Center
NTISSC National Telecommunications and Information Systems Security Committee
OPSEC Operations Security
SAISS Subcommittee on Automated Information Systems Security of NTISSC
SSO System Security Officer
STS Subcommittee on Telecommunications Security of NTISSC
TCB Trusted Computing Base
TCSEC DoD Trusted Computer System Evaluation Criteria
GLOSSARY OF COMPUTER SECURITY TERMS
*-property (or star property)
A Bell-La Padula security model rule allowing a subject write access to an
object only if the security level of the object dominates the security level
of the subject. Also called confinement property.
-A-
acceptance inspection
The final inspection to determine whether or not a facility or
inspection is held immediately after facility and software testing and is the
basis for commissioning or accepting the information system.
access
A specific type of interaction between a subject and an object that
access control
The process of limiting access to the resources of a system only to
authorized programs, processes, or other systems (in a network). Synonymous
access control mechanism
Hardware or software features, operating procedures, management
unauthorized access and to permit authorized access in an automated system.
access level
The hierarchical portion of the security level used to identify the
access level, in conjunction with the nonhierarchical categories, forms the
label.
access list
A list of users, programs, and/or processes and the specifications
of access categories to which each is assigned.
access period
A segment of time, generally expressed on a daily or weekly basis,
access port
A logical or physical identifier that a computer uses to distinguish
access type
The nature of an access right to a particular device, program, or
file (e.g., read, write, execute, append, modify, delete, or create).
accountability
The property that enables activities on a system to be traced to
individuals who may then be held responsible for their actions.
accreditation
A formal declaration by the DAA that the AIS is approved to operate
in a particular security mode using a prescribed set of safeguards.
Accreditation is the official management authorization for operation of an AIS
and is based on the certification process as well as other management
considerations. The accreditation statement affixes security responsibility
accreditation authority
Synonymous with Designated Approving Authority.
add-on security
The retrofitting of protection mechanisms, implemented by hardware
or software.
administrative security
The management constraints and supplemental controls established to
assurance
A measure of confidence that the security features and architecture
of an AIS accurately mediate and enforce the security policy.
attack
The act of trying to bypass security controls on a system. An
attack may be active, resulting in the alteration of data; or passive,
not necessarily mean that it will succeed. The degree of success depends on
the vulnerability of the system or activity and the effectiveness of existing
countermeasures.
audit trail
A chronological record of system activities that is sufficient to
enable the reconstruction, reviewing, and examination of the sequence of
environments and activities surrounding or leading to an operation, a
authenticate
(1) To verify the identity of a user, device, or other entity in a
computer system, often as a prerequisite to allowing access to resources in a
(2) To verify the integrity of data that have been stored,
transmitted, or otherwise exposed to possible unauthorized modification.
authenticator
The means used to confirm the identity or to verify the eligibility
of a station, originator, or individual.
authorization
The granting of access rights to a user, program, or process.
automated data processing security
Synonymous with automated information systems security.
automated information system (AIS)
An assembly of computer hardware, software and/or firmware
configured to collect, create, communicate, compute, disseminate, process,
automated information system security
Measures and controls that protect an AIS against denial of service
and unauthorized (accidental or intentional) disclosure, modification, or
operational procedures, accountability procedures, and access controls at the
central computer facility, remote computer, and terminal facilities;
management constraints; physical structures and devices; and personnel and
communication controls needed to provide an acceptable level of risk for the
AIS and for the data and information contained in the AIS. It includes the
totality of security safeguards needed to provide an acceptable protection
level for an AIS and for data handled by an AIS.
automated security monitoring
The use of automated procedures to ensure that security controls are
not circumvented.
availability of data
The state when data are in the place needed by the user, at the time
the user needs them, and in the form needed by the user.
-B-
back door
Synonymous with trap door.
backup plan
Synonymous with contingency plan.
Bell-La Padula model
A formal state transition model of computer security policy that
in a computer system are divided into abstract sets of subjects and objects.
The notion of a secure state is defined, and it is proven that each state
transition preserves security by moving from secure state to secure state,
thereby inductively proving that the system is secure. A system state is
objects are in accordance with a specific security policy. In order to
is made as to whether the subject is authorized for the specific access mode.
See star property (*-property) and simple security property.
benign environment
A nonhostile environment that may be protected from external hostile
elements by physical, personnel, and procedural security countermeasures.
between-the-lines entry
Unauthorized access obtained by tapping the temporarily inactive
terminal of a legitimate user. See piggyback.
beyond A1
A level of trust defined by the DoD Trusted Computer System
Evaluation Criteria (TCSEC) that is beyond the state-of-the-art technology
available at the time the criteria were developed. It includes all the
A1-level features plus additional ones not required at the A1 level.
browsing
The act of searching through storage to locate or acquire
information without necessarily knowing of the existence or the format of the
information being sought.
-C-
call back
A procedure for identifying a remote terminal. In a call back, the
number of the remote terminal to reestablish the connection. Synonymous with
capability
A protected identifier that both identifies the object and specifies
the access rights to be allowed to the accessor who possesses the capability.
category
A restrictive label that has been applied to classified or
unclassified data as a means of increasing the protection of the data and
further restricting access to the data.
certification
The comprehensive evaluation of the technical and nontechnical
accreditation process, that establishes the extent to which a particular
closed security environment
An environment in which both of the following conditions hold true:
(1) Application developers (including maintainers) have sufficient clearances
and authorizations to provide an acceptable presumption that they have not
introduced malicious logic. (2) Configuration control provides sufficient
assurance that applications and the equipment are protected against the
introduction of malicious logic prior to and during the operation of system
applications.
communications security (COMSEC)
Measures taken to deny unauthorized persons information derived from
telecommunications of the U.S. Government concerning national security, and
to ensure the authenticity of such telecommunications. Communications security
includes cryptosecurity, transmission security, emission security, and
compartment
A class of information that has need-to-know access controls beyond
those normally provided for access to Confidential, Secret or Top Secret
information.
compartmented security mode
See modes of operation.
compromise
A violation of the security policy of a system such that
unauthorized disclosure of sensitive information may have occurred.
compromising emanations
Unintentional data-related or intelligence-bearing signals that, if
intercepted and analyzed, disclose the information transmission received,
TEMPEST.
computer abuse
The misuse, alteration, disruption or destruction of data processing
computer cryptography
The use of a crypto-algorithm in a computer, microprocessor, or
microcomputer to perform encryption or decryption in order to protect
information or to authenticate users, sources, or information.
computer fraud
Computer-related crimes involving deliberate misrepresentation,
alteration or disclosure of data in order to obtain something of value
(usually for monetary gain). A computer system must have been involved in the
communications; or computer hardware, systems software, or firmware.
computer security (COMPUSEC)
Synonymous with automated information systems security.
computer security subsystem
A device designed to provide limited computer security features in a
larger system environment.
Computer Security Technical Vulnerability Reporting Program (CSTVRP)
A program that focuses on technical vulnerabilities in commercially
available hardware, firmware and software products acquired by DoD. CSTVRP
technical vulnerability and corrective measure information to DoD components
on a need-to-know basis.
concealment system
A method of achieving confidentiality in which sensitive information
is hidden by embedding it in irrelevant data.
confidentiality
The concept of holding sensitive data in confidence, limited to an
appropriate set of individuals or organizations.
configuration control
The process of controlling modifications to the system's hardware,
firmware, software, and documentation that provides sufficient assurance that
the system is protected against the introduction of improper modifications
management.
configuration management
The management of security features and assurances through control
of changes made to a system's hardware, software, firmware, documentation,
test, test fixtures and test documentation throughout the development and
operational life of the system. Compare configuration control.
confinement
The prevention of the leaking of sensitive data from a program.
confinement channel
Synonymous with covert channel.
confinement property
Synonymous with star property (*-property).
contamination
The intermixing of data at different sensitivity and need-to-know
levels. The lower level data is said to be contaminated by the higher level
level of protection.
contingency plan
A plan for emergency response, backup operations, and post-disaster
ensure the availability of critical resources and facilitate the continuity of
operations in an emergency situation. Synonymous with disaster plan and
emergency plan.
control zone
The space, expressed in feet of radius, surrounding equipment
technical control to preclude an unauthorized entry or compromise.
controlled access
See access control.
controlled sharing
The condition that exists when access control is applied to all
users and components of a system.
cost-risk analysis
The assessment of the costs of providing data protection for a
countermeasure
Any action, device, procedure, technique, or other measure that
covert channel
A communications channel that allows two cooperating processes to
transfer information in a manner that violates the system's security policy.
Synonymous with confinement channel.
covert storage channel
A covert channel that involves the direct or indirect writing of a
involve a finite resource (e.g., sectors on a disk) that is shared by two
covert timing channel
A covert channel in which one process signals information to another
by modulating its own use of system resources (e.g., CPU time) in such a way
that this manipulation affects the real response time observed by the second
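The covert storage channel entry above describes a leak that rides on a finite shared resource rather than on any direct read of protected data. The following simulation is an added example, not text or code from the glossary: a "high" process encodes one bit per round by exhausting or not exhausting a shared pool, and a "low" process decodes the bit from whether its own allocation fails. The Pool class, its size, the level names and the bit string are all constructed here; the per-level quota shows the standard countermeasure of partitioning the resource so one level's usage cannot change what another level observes.

```python
# Added example, not part of the glossary: a simulation of a covert
# storage channel over a finite shared resource, and of the partitioning
# countermeasure that closes it. The pool, its size and the bit string
# are constructed; "high" and "low" stand for two processes at different
# security levels that the mandatory policy forbids from communicating
# downward.


class Pool:
    """A finite resource (think: sectors on a disk) shared by processes
    at different security levels. With per_level_quota set, each level
    gets its own partition, so the total of all quotas must not exceed
    size if one level's usage is never to affect another's."""

    def __init__(self, size, per_level_quota=None):
        self.size = size
        self.quota = per_level_quota
        self.used = {}                      # level -> units allocated

    def allocate(self, level):
        """Try to allocate one unit for `level`; return True on success.
        Success or failure is the only thing the low process can see."""
        if self.quota is not None and self.used.get(level, 0) >= self.quota:
            return False
        if sum(self.used.values()) >= self.size:
            return False
        self.used[level] = self.used.get(level, 0) + 1
        return True

    def release_all(self, level):
        """Give back every unit held by `level`."""
        self.used[level] = 0


def transmit(bits, pool):
    """Send `bits` from high to low, one bit per round.
    High encodes 1 by exhausting the resource and 0 by leaving it free;
    low decodes by observing whether its own allocation fails. Neither
    process ever reads the other's objects: the information rides on the
    shared state of the resource, which is what makes this a covert
    storage channel rather than an overt channel."""
    received = []
    for bit in bits:
        if bit:
            while pool.allocate("high"):    # take everything high may take
                pass
        received.append(0 if pool.allocate("low") else 1)
        pool.release_all("high")            # reset for the next round
        pool.release_all("low")
    return received


def channel_is_exploitable(pool_factory, probe=(1, 0, 1, 1, 0, 0, 1)):
    """Return True if low recovers the probe bit string exactly, i.e. the
    channel carries information; False if the countermeasure blocks it."""
    return transmit(probe, pool_factory()) == list(probe)


if __name__ == "__main__":
    print("shared pool :", transmit([1, 0, 1, 1, 0], Pool(size=8)))
    print("partitioned :", transmit([1, 0, 1, 1, 0], Pool(size=8, per_level_quota=4)))
```

With a single shared pool the received bits match the sent bits exactly; with the pool partitioned into a quota of 4 units per level (two levels, size 8), low's allocation always succeeds and every received bit is 0, so the channel carries nothing. Real storage channels are noisier than this, but the decoding trick, turning "my request failed" into a bit, is the same.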
Criteria
See DoD Trusted Computer System Evaluation Criteria.
crypto-algorithm
A well-defined procedure or sequence of rules or steps used to
cryptography
The principles, means and methods for rendering information
unintelligible, and for restoring encrypted information to intelligible form.
cryptosecurity
The security or protection resulting from the proper use of
technically sound cryptosystems.
-D-
Data Encryption Standard (DES)
A cryptographic algorithm for the protection of unclassified data,
intended for public and government use.
data flow control
Synonymous with information flow control.
data integrity
The property that data meet an a priori expectation of quality.
data security
The protection of data from unauthorized (accidental or intentional)
modification, destruction, or disclosure.
declassification of AIS storage media
An administrative decision or procedure to remove or reduce the
dedicated security mode
See modes of operation.
default classification
A temporary classification reflecting the highest classification
being processed in a system. The default classification is included in the
caution statement affixed to the object.
degauss
To reduce magnetic flux density to zero by applying a reverse
magnetizing field.
degausser
An electrical device that can generate a magnetic field for the
Degausser Products List (DPL)
A list of commercially produced degaussers that meet National
Security Agency specifications. This list is included in the NSA Information
Systems Security Products and Services Catalogue, and is available through the
Government Printing Office.
denial of service
Any action or series of actions that prevent any part of a system
from functioning in accordance with its intended purpose. This includes any
action that causes unauthorized destruction, modification, or delay of
Descriptive Top-Level Specification (DTLS)
A top-level specification that is written in a natural language
(e.g., English), an informal design notation, or a combination of the two.
Designated Approving Authority (DAA)
The official who has the authority to decide on accepting the
to accept those safeguards.
dial back
Synonymous with call back.
dial-up
The service whereby a computer terminal can use the telephone to
initiate and effect communication with a computer.
disaster plan
Synonymous with contingency plan.
discretionary access control (DAC)
A means of restricting access to objects based on the identity and
need-to-know of the user, process and/or groups to which they belong. The
controls are discretionary in the sense that a subject with a certain access
any other subject. Compare mandatory access control.
DoD Trusted Computer System Evaluation Criteria (TCSEC)
A document published by the National Computer Security Center
containing a uniform set of basic requirements and evaluation classes for
assessing degrees of assurance in the effectiveness of hardware and software
the design and evaluation of systems that will process and/or store sensitive
or classified data. This document is Government Standard DoD 5200.28-STD and
is frequently referred to as "The Criteria" or "The Orange Book."
domain
The unique context (e.g., access control parameters) in which a
ability to access. See process and subject.
dominate
Security level S1 is said to dominate security level S2 if the
the nonhierarchical categories of S1 include all those of S2 as a subset.
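The *-property, simple security property, Bell-La Padula model, dominate, mandatory access control and access list entries describe one decision procedure when read together. The following toy reference monitor is an added example, not code from the glossary or from any evaluated system: it builds security levels from a hierarchical access level plus a set of nonhierarchical categories, applies the two Bell-La Padula rules as mandatory control, and then applies a discretionary access list on top. The level names, category names, users and objects are constructed for the illustration; the "modify" access type (read and write together) is an extension of the two rules, not a term the glossary defines.

```python
# Added example, not part of the glossary: a toy reference monitor that
# applies the Bell-La Padula rules (simple security property for reads,
# *-property for writes) over security levels made of a hierarchical
# access level plus nonhierarchical categories, then a discretionary
# access list. Level names, categories, users and objects are constructed.
from dataclasses import dataclass, field

# Hierarchical access levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security level: access level plus nonhierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # S1 dominates S2 iff S1's access level is at least S2's and
        # S1's categories include all of S2's as a subset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    """A passive entity (file, segment, ...) with a label and an access
    list mapping user -> set of permitted access types (DAC)."""
    name: str
    label: Label
    acl: dict = field(default_factory=dict)


def mac_permits(subject, obj_label, access):
    """Mandatory decision.
    read   : simple security property, subject must dominate object
             (no read up).
    write  : *-property, object must dominate subject (no write down);
             the subject may write into an object it cannot read.
    modify : read and write together, so both rules apply and the two
             levels must be equal."""
    if access == "read":
        return subject.dominates(obj_label)
    if access == "write":
        return obj_label.dominates(subject)
    if access == "modify":
        return subject.dominates(obj_label) and obj_label.dominates(subject)
    raise ValueError(f"unknown access type {access!r}")


def dac_permits(user, obj, access):
    """Discretionary decision against the object's access list."""
    return access in obj.acl.get(user, set())


def check_access(user, subject, obj, access):
    """Reference-monitor decision: both MAC and DAC must allow the
    request. Returns (decision, reason)."""
    if not mac_permits(subject, obj.label, access):
        return False, "denied by mandatory policy"
    if not dac_permits(user, obj, access):
        return False, "denied by access list"
    return True, "granted"


# Constructed sample objects and subject labels.
CRYPTO = frozenset({"CRYPTO"})
PLAN = Obj("ops_plan", Label("SECRET", CRYPTO),
           acl={"alice": {"read", "write", "modify"}, "bob": {"read", "write"}})
NEWS = Obj("press_release", Label("UNCLASSIFIED"),
           acl={"alice": {"read", "write"}, "bob": {"read", "write"}})
ALICE = Label("TOP SECRET", CRYPTO)   # cleared above the plan
BOB = Label("SECRET")                 # right level, no CRYPTO category
CAROL = Label("UNCLASSIFIED")         # not on any access list


def demo():
    """Representative requests and their outcomes."""
    return {
        "alice reads plan": check_access("alice", ALICE, PLAN, "read"),
        # Write down: TOP SECRET subject, SECRET object; the access list
        # allows it but the *-property refuses.
        "alice writes plan": check_access("alice", ALICE, PLAN, "write"),
        # Read+write needs equal levels.
        "alice modifies plan": check_access("alice", ALICE, PLAN, "modify"),
        # Read up on the category axis: bob lacks CRYPTO.
        "bob reads plan": check_access("bob", BOB, PLAN, "read"),
        # Blind write up: allowed by both rules and by the access list.
        "bob writes plan": check_access("bob", BOB, PLAN, "write"),
        # Write down from SECRET to UNCLASSIFIED.
        "bob writes news": check_access("bob", BOB, NEWS, "write"),
        # MAC allows it, the access list does not.
        "carol reads news": check_access("carol", CAROL, NEWS, "read"),
    }


if __name__ == "__main__":
    for request, (ok, why) in demo().items():
        print(f"{request:20s} -> {why}")
```

The ordering of the two checks matters only for the reason string; the decision is the conjunction. Note that "bob writes plan" is granted even though "bob reads plan" is denied: that blind write-up is what the *-property permits, and it is why real systems usually pair it with integrity controls.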
-E-
emanations
See compromising emanations.
embedded system
A system that performs or controls a function, either in whole or in
emergency plan
Synonymous with contingency plan.
emission security
The protection resulting from all measures taken to deny
unauthorized persons information of value that might be derived from intercept
and from an analysis of compromising emanations from systems.
end-to-end encryption
The protection of information passed in a telecommunications system
by cryptographic means, from point of origin to point of destination.
Endorsed Tools List (ETL)
The list of formal verification tools endorsed by the NCSC for the
Enhanced Hierarchical Development Methodology
An integrated set of tools designed to aid in creating, analyzing,
modifying, managing, and documenting program specifications and proofs. This
methodology includes a specification parser and typechecker, a theorem prover,
and a multi-level security checker. Note: This methodology is not based upon
the Hierarchical Development Methodology.
entrapment
The deliberate planting of apparent flaws in a system for the
environment
The aggregate of external procedures, conditions, and objects that
affect the development, operation, and maintenance of a system.
erasure
A process by which a signal recorded on magnetic media is removed.
Erasure is accomplished in two ways: (1) by alternating current erasure, by
magnetic field to the media; or (2) by direct current erasure, by which the
media are saturated by applying a unidirectional magnetic field.
Evaluated Products List (EPL)
A list of equipments, hardware, software, and/or firmware that have
been evaluated against, and found to be technically compliant, at a particular
level of trust, with the DoD TCSEC by the NCSC. The EPL is included in the
National Security Agency Information Systems Security Products and Services
Catalogue, which is available through the Government Printing Office.
executive state
One of several states in which a system may operate and the only one
in which certain privileged instructions may be executed. Such instructions
cannot be executed when the system is operating in other (e.g., user) states.
Synonymous with supervisor state.
exploitable channel
Any information channel that is usable or detectable by subjects
external to the trusted computing base whose purpose is to violate the
-F-
fail safe
Pertaining to the automatic protection of programs and/or processing
a system.
fail soft
Pertaining to the selective termination of affected nonessential
failure access
An unauthorized and usually inadvertent access to data resulting
from a hardware or software failure in the system.
failure control
The methodology used to detect and provide fail-safe or fail-soft
fault
A condition that causes a device or system component to fail to
fetch protection
A system-provided restriction to prevent a program from accessing
file protection
The aggregate of all processes and procedures in a system designed
to inhibit unauthorized access, contamination, or elimination of a file.
file security
The means by which access to computer files is limited to authorized
users only.
flaw hypothesis methodology
A systems analysis and penetration technique in which specifications
and documentation for the system are analyzed and then flaws in the system are
of the estimated probability that a flaw exists and, assuming a flaw does
exist, on the ease of exploiting it, and on the extent of control or
compromise it would provide. The prioritized list is used to direct a
flow control
See information flow control.
formal access approval
Documented approval by a data owner to allow access to a particular
category of information.
Formal Development Methodology
A collection of languages and tools that enforces a rigorous method
of verification. This methodology uses the Ina Jo specification language for
of requirements, high-level design, and program design.
formal proof
A complete and convincing mathematical argument, presenting the full
logical justification for each proof step, for the truth of a theorem or set
of theorems.
formal security policy model
A mathematically precise statement of a security policy. To be
adequately precise, such a model must represent the initial state of a system,
the way in which the system progresses from one state to another, and a
a TCB, the model must be supported by a formal proof that if the initial state
of the system satisfies the definition of a "secure" state and if all
assumptions required by the model hold, then all future states of the system
models, denotational semantics models, and algebraic specification models.
See Bell-La Padula model and security policy model.
Formal Top-Level Specification (FTLS)
A top-level specification that is written in a formal mathematical
language to allow theorems showing the correspondence of the system
formal verification
The process of using formal proofs to demonstrate the consistency
between a formal specification of a system and a formal security policy model
(design verification) or between the formal specification and its high level
front-end security filter
A security filter, which could be implemented in hardware or
functional testing
The segment of security testing in which the advertised security
mechanisms of the system are tested, under operational conditions, for correct
operation.
-G-
granularity
An expression of the relative size of a data object; e.g.,
guard
A processor that provides a filter between two disparate systems
operating at different security levels or between a user terminal and a data
base to filter out data that the user is not authorized to access.
Gypsy Verification Environment
An integrated set of tools for specifying, coding, and verifying
both specification and programming features. This methodology includes an
editor, a specification processor, a verification condition generator, a
user-directed theorem prover, and an information flow tool.
-H-
handshaking procedure
A dialogue between two entities (e.g., a user and a computer, a
computer and another computer, or a program and another program) for the
Hierarchical Development Methodology
A methodology for specifying and verifying the design programs
include the Special specification processor, the Boyer-Moore theorem prover,
and the Feiertag information flow tool.
host to front-end protocol
A set of conventions governing the format and control of data that
are passed from a host to a front-end machine.
-I-
identification
The process that enables recognition of an entity by a system,
impersonating
Synonymous with spoofing.
incomplete parameter checking
A system design flaw that results when all parameters have not been
fully anticipated for accuracy and consistency, thus making the system
vulnerable to penetration.
individual accountability
The ability to associate positively the identity of a user with the
time, method, and degree of access to a system.
information flow control
A procedure to ensure that information transfers within a system are
not made from a higher security level object to an object of a lower security
level. See covert channel, simple security property, star property
(*-property). Synonymous with data flow control and flow control.
Information System Security Officer (ISSO)
The person responsible to the DAA for ensuring that security is
beginning of the concept development plan through its design, development,
operation, maintenance, and secure disposal.
Information Systems Security Products and Services Catalogue
A catalogue issued quarterly by the National Security Agency that
incorporates the DPL, EPL, ETL, PPL and other security product and service
lists. This catalogue is available through the U.S. Government Printing
Office, Washington, DC 20402, (202) 783-3238.
integrity
Sound, unimpaired or perfect condition.
interdiction
See denial of service.
nternal security controls
Hardware, firmware, and software features within a system that
isolation
The containment of subjects and objects in a system in such a way
that they are separated from one another, as well as from the protection
controls of the operating system.
-J-
This document contains no entries beginning with the letter.
-K-
This document contains no entries beginning with the letter.
-L-
least privilege
The principle that requires that each subject be granted the most
The application of this principle limits the damage that can result from
accident, error, or unauthorized use.
limited access
Synonymous with access control.
list-oriented
A computer protection system in which each protected object has a
list of all subjects authorized to access it. Compare ticket-oriented.
lock-and-key protection system
A protection system that involves matching a key or password with a
logic bomb
A resident computer program that triggers the perpetration of an
unauthorized act when particular states of the system are realized.
loophole
An error of omission or oversight in software or hardware that
-M-
magnetic remanence
A measure of the magnetic flux density remaining after removal of
the applied magnetic force. Refers to any data remaining on magnetic storage
media after removal of the power.
maintenance hook
Special instructions in software to allow easy maintenance and
additional feature development. These are not clearly defined during access
for design specification. Hooks frequently allow entry into the code at
unusual points or without the usual checks, so they are a serious security
are special types of trap doors.
malicious logic
Hardware, software, or firmware that is intentionally included in a
mandatory access control (MAC)
A means of restricting access to objects based on the sensitivity
(as represented by a label) of the information contained in the objects and
the formal authorization (i.e., clearance) of subjects to access information
of such sensitivity. Compare discretionary access control.
masquerading
Synonymous with spoofing.
mimicking
Synonymous with spoofing.
modes of operation
A description of the conditions under which an AIS functions, based
on the sensitivity of data processed and the clearance levels and
authorizations of the users. Four modes of operation are authorized:
(1) Dedicated Mode
An AIS is operating in the dedicated mode when each user
terminals, or remote hosts, has all of the following:
a. A valid personnel
clearance for all information on the system.
b. Formal access approval for, and has signed
nondisclosure agreements for all the information stored and/or processed
(including all compartments, subcompartments and/or special access programs).
c. A valid need-to-know for all information
contained within the system.
(2) System-High Mode
An AIS is operating in the system-high mode when each user
or remote hosts has all of the following:
a. A valid personnel clearance for all
information on the AIS.
b. Formal access approval for, and has signed
nondisclosure agreements for all the information stored and/or processed
(including all compartments, subcompartments, and/or special access programs).
c. A valid need-to-know for some of the
information contained within the AIS.
(3) Compartmented Mode
An AIS is operating in the compartmented mode when each
user with direct or indirect access to the AIS, its peripherals, remote
terminals, or remote hosts, has all of the following:
a. A valid personnel clearance for the most
b. Formal access approval for, and has signed
nondisclosure agreements for that information to which he/she is to have
access.
c. A valid need-to-know for that information to
(4) Multilevel Mode
An AIS is operating in the multilevel mode when all the
following statements are satisfied concerning the users with direct or
indirect access to the AIS, its peripherals, remote terminals, or remote
a. Some do not have a valid personnel clearance
for all the information processed in the AIS.
b. All have the proper clearance and have the
appropriate formal access approval for that information to which he/she is to
c. All have a valid need-to-know for that
information to which they are to have access.
multilevel device
A device that is used in a manner that permits it to simultaneously
accomplish this, sensitivity labels are normally stored on the same physical
medium and in the same form (i.e., machine-readable or human-readable) as the
multilevel secure
A class of system containing information with different
access to information for which they lack authorization.
multilevel security mode
See modes of operation.
multiple access rights terminal
A terminal that may be used by more than one class of users; for
example, users with different access rights to data.
multiuser mode of operation
A mode of operation designed for systems that process sensitive
unclassified information in which users may not have a need-to-know for all
information processed in the system. This mode is also for microcomputers
mutually suspicious
The state that exists between interacting processes (subsystems or
-N-
National Computer Security Assessment Program
A program designed to evaluate the interrelationship of empirical
comprehensively incorporating information from the CSTVRP. The assessment
of facts from relevant reported cases. Such scenarios are a powerful,
analysis.
National Computer Security Center (NCSC)
Originally named the DoD Computer Security Center, the NCSC is
National Security Decision Directive 145 (NSDD 145)
Signed by President Reagan on 17 September 1984, this directive is
entitled "National Policy on Telecommunications and Automated Information
Systems Security." It provides initial objectives, policies, and an
organizational structure to guide the conduct of national activities toward
information; establishes a mechanism for policy development; and assigns
implementation responsibilities.
National Telecommunications and Information Systems Security Advisory
Memoranda/ Instructions (NTISSAM, NTISSI)
NTISS Advisory Memoranda and Instructions provide advice,
assistance, or information of general interest on telecommunications and
NTISSAMs/NTISSIs are promulgated by the National Manager for
Telecommunications and Automated Information Systems Security and are
National Telecommunications and Information System Security Directives (NTISSD)
NTISS Directives establish national-level decisions relating to
NTISS policies, plans, programs, systems, or organizational delegations of
authority. NTISSDs are promulgated by the Executive Agent of the Government
for Telecommunications and Information Systems Security, or by the Chairman of
the NTISSC when so delegated by the Executive Agent. NTISSDs are binding upon
all federal departments and agencies.
need-to-know
The necessity for access to, knowledge of, or possession of specific
nformation required to carry out official duties.
network front end
A device that implements the necessary network protocols, including
network.
NSDD 145
See National Security Decision Directive 145.
-O-
object
A passive entity that contains or receives information. Access to
an object potentially implies access to the information it contains. Examples
of objects are: records, blocks, pages, segments, files, directories,
object reuse
The reassignment and reuse of a storage medium (e.g., page frame,
the media.
open security environment
An environment that includes those systems in which at least one of
the following conditions holds true: (1) Application developers (including
maintainers) do not have sufficient clearance or authorization to provide an
acceptable presumption that they have not introduced malicious logic. (2)
Configuration control does not provide sufficient assurance that applications
are protected against the introduction of malicious logic prior to and during
the operation of system applications.
Operations Security (OPSEC)
An analytical process by which the U.S. Government and its
capabilities and intentions by identifying, controlling, and protecting
evidence of the planning and execution of sensitive activities and operations.
Orange Book
Alternate name for DoD Trusted Computer System Evaluation
Criteria.
overt channel
A path within a computer system or network that is designed for the
authorized transfer of data. Compare covert channel.
overwrite procedure
A stimulation to change the state of a bit followed by a known
-P-
partitioned security mode
A mode of operation wherein all personnel have the clearance but not
necessarily formal access approval and need-to-know for all information
contained in the system. Not to be confused with compartmented security mode.
password
A protected/private character string used to authenticate an
identity.
penetration
The successful act of bypassing the security mechanisms of a system.
The characteristics or identifying marks that may be produced by a
A study to determine the feasibility and methods for defeating
controls of a system.
penetration testing
The portion of security testing in which the evaluators attempt to
circumvent the security features of a system. The evaluators may be assumed
to use all system design and implementation documentation, which may include
listings of system source code, manuals, and circuit diagrams. The evaluators
The processing of various levels of sensitive information at
the next when there are different users with differing authorizations.
A description of the type of authorized interactions a subject can
The procedures established to ensure that all personnel who have
access to sensitive information have the required authority as well as
appropriate clearances.
The application of physical barriers and control procedures as
Gaining unauthorized access to a system via another user's
legitimate connection. See between-the-lines entry.
A list of commercially produced equipments that meet TEMPEST and
other requirements prescribed by the National Security Agency. This list is
included in the NSA Information Systems Security Products and Services
Catalogue, issued quarterly and available through the Government Printing
Office.
Eliminating the displaying of characters in order to preserve their
the input terminal.
A set of instructions (e.g., interrupt handling or special computer
instructions) to control features (such as storage protection features) that
are generally executable only when the automated system is operating in the
executive state.
Synonymous with administrative security.
process
A program in execution. See domain and subject.
An informal description of the overall design of a system that
appropriate to the evaluation class, of formal and informal techniques is used
to show that the mechanisms are adequate to enforce the security policy.
One of a hierarchy of privileged modes of a system that gives
certain access rights to user programs and processes authorized to operate in
a given mode.
Those portions of the TCB whose normal function is to deal with the
control of access between subjects and objects. Their correct operation is
essential to the protection of the data on the system.
protocols
A set of rules and formats, semantic and syntactic, that permits
entities to exchange information.
An apparent loophole deliberately implanted in an operating system
Also known as the Computer Security Act of 1987, this law creates a
means for establishing minimum acceptable security practices for improving the
This law assigns to the National Institute of Standards and Technology
purge
The removal of sensitive data from an AIS, AIS storage device, or
This action is performed in such a way that there is assurance proportional to
the sensitivity of the data that the data may not be reconstructed. An AIS
must be disconnected from any external network before a purge. After a purge,
the medium can be declassified by observing the review procedures of the
-Q-
This document contains no entries beginning with the letter Q.
-R-
read
A fundamental operation that results only in the flow of information
from an object to a subject.
read access
Permission to read information.
The actions necessary to restore a system's computational capability
and data files after a system failure.
reference monitor concept
An access-control concept that refers to an abstract machine that
mediates all accesses to objects by subjects.
reference validation mechanism
An implementation of the reference monitor concept. A security
kernel is a type of reference validation mechanism.
reliability
The probability of a given system performing its mission adequately
for a specified period of time under the expected operating conditions.
residual risk
The portion of risk that remains after security measures have been
applied.
residue
Data left in storage after processing operations are complete, but
before degaussing or rewriting has taken place.
The process of ensuring that a resource not be directly accessible
by a subject, but that it be protected so that the reference monitor can
Any area to which access is subject to special restrictions or
controls for reasons of security or safeguarding of property or material.
risk
The probability that a particular threat will exploit a particular
vulnerability of the system.
risk analysis
The process of identifying security risks, determining their
magnitude, and identifying areas needing safeguards. Risk analysis is a part
of risk management. Synonymous with risk assessment.
risk assessment
Synonymous with risk analysis.
The disparity between the minimum clearance or authorization of
of data processed by a system. See CSC-STD-003-85 and CSC-STD-004-85 for a
complete explanation of this term.
risk management
The total process of identifying, controlling, and eliminating or
minimizing uncertain events that may affect system resources. It includes
-S-
safeguards
See security safeguards.
Searching through object residue to acquire unauthorized data.
The set of procedures appropriate for controlling changes to a
changes will not lead to violations of the system's security policy.
A condition in which no subject can access any object in an
unauthorized manner.
A subsystem that contains its own implementation of the reference
monitor concept for those resources it controls. However, the secure
control of subjects and the more primitive system objects.
Those security mechanisms whose correct operation is necessary to
ensure that the security policy is enforced.
An evaluation done to assess the degree of trust that can be placed
in systems for the secure handling of sensitive information. One type, a
features and assurances of a computer product from a perspective that excludes
the application environment. The other type, a system evaluation, is done for
the purpose of assessing a system's security safeguards with respect to a
accreditation process.
A security analysis, usually performed on hardware at gate level, to
encountered.
The security-relevant functions, mechanisms, and characteristics of
A trusted subsystem that enforces a security policy on the data that
An error of commission or omission in a system that may allow
A security analysis performed on a formal system specification that
locates potential flows of information within the system.
security kernel
The hardware, firmware, and software elements of a TCB that
implement the reference monitor concept. It must mediate all accesses, be
A piece of information that represents the security level of an
object.
security level
The combination of a hierarchical classification and a set of
nonhierarchical categories that represents the sensitivity of information.
Elements of software, firmware, hardware, or procedures that are
included in a system for the satisfaction of security specifications.
The boundary where security controls are in effect to protect
assets.
security policy
The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive information.
security policy model
A formal presentation of the security policy enforced by the system.
manages, protects, and distributes sensitive information. See Bell-La Padula
model and formal security policy model.
The highest and lowest security levels that are permitted in or on a
The types and levels of protection necessary for equipment, data,
information, applications, and facilities to meet security policy.
A description of minimum requirements necessary for a system to
maintain an acceptable level of security.
security safeguards
The protective measures and controls that are prescribed to meet the
but are not necessarily limited to: hardware and software security features,
operating procedures, accountability procedures, access and distribution
controls, management constraints, personnel security, and physical structures,
areas, and devices. Also called safeguards.
A detailed description of the safeguards required to protect a
An examination and analysis of the security safeguards of a system
as they have been applied in an operational environment to determine the
A process used to determine that the security features of a system
are implemented as designed. This includes hands-on functional testing,
Any information, the loss, misuse, modification of, or unauthorized
access to, could affect the national interest or the conduct of Federal
of Title 5, U.S. Code, but that has not been specifically authorized under
criteria established by an Executive order or an act of Congress to be kept
classified in the interest of national defense or foreign policy.
sensitivity label
A piece of information that represents the security level of an
object. Sensitivity labels are used by the TCB as the basis for mandatory
access control decisions.
simple security condition
See simple security property.
simple security property
A Bell-La Padula security model rule allowing a subject read access
to an object only if the security level of the subject dominates the security
level of the object. Synonymous with simple security condition.
An automated information systems device that is used to process data
of a single security level at any one time.
Software Development Methodologies
Methodologies for specifying and verifying design programs for
language. See Enhanced Hierarchical Development Methodology, Formal
Development Methodology, Gypsy Verification Environment and Hierarchical
Development Methodology.
General purpose (executive, utility or software development tools)
and applications programs or routines that protect data handled by a system.
A process that plans, develops and documents the quantitative
operational and interface requirements.
spoofing
An attempt to gain access to a system by posing as an authorized
user. Synonymous with impersonating, masquerading, or mimicking.
A system that is physically and electrically isolated from all other
belonging to one user remaining available to the system while another user is
using the system (e.g., a personal computer with nonremovable storage media
A system that is physically and electrically isolated from all other
belonging to other users remaining in the system (e.g., a personal computer
star property
See *-property.
State Delta Verification System
A system designed to give high confidence regarding microcode
to check proofs concerning the course of that computation.
A variable that represents either the state of the system or the
An object that supports both read and write accesses.
Subcommittee on Automated Information Systems Security (SAISS)
NSDD-145 authorizes and directs the establishment, under the NTISSC,
of a permanent Subcommittee on Automated Information Systems Security. The
SAISS is composed of one voting member from each organization represented on
the NTISSC.
Subcommittee on Telecommunications Security (STS)
NSDD-145 authorizes and directs the establishment, under the NTISSC,
of a permanent Subcommittee on Telecommunications Security. The STS is
composed of one voting member from each organization represented on the
NTISSC.
subject
An active entity, generally in the form of a person, process, or
subject security level
A subject's security level is equal to the security level of the
objects to which it has both read and write access. A subject's security level
must always be dominated by the clearance of the user with which the subject
is associated.
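The simple security property, the *-property and the subject security level rule above all reduce to one dominance test over security levels (hierarchical classification plus nonhierarchical categories). The following toy reference monitor, an added example and not text from the glossary, applies them to a read or write request; the classification ordering and category names are constructed placeholders.

```python
"""Added example, not part of the glossary: a toy reference monitor that
enforces the Bell-La Padula simple security property (read) and *-property
(write) using the glossary's dominance relation over security levels."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed hierarchical ordering of classifications (lowest to highest).
CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class SecurityLevel:
    """Hierarchical classification plus a set of nonhierarchical categories."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "SecurityLevel") -> bool:
        # Dominance: classification at least as high AND categories a superset.
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


def read_allowed(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """Simple security property: the subject's level must dominate the object's."""
    return subject.dominates(obj)


def write_allowed(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """*-property (confinement property): the object's level must dominate the subject's."""
    return obj.dominates(subject)


def mediate(op: str, subject: SecurityLevel, obj: SecurityLevel,
            user_clearance: SecurityLevel) -> Tuple[bool, str]:
    """Mediate one access. The subject's level must first be dominated by the
    clearance of the user it acts for; then the MAC rule for the operation is
    applied. Returns (decision, reason) so the decision can go to an audit trail."""
    if not user_clearance.dominates(subject):
        return False, "subject level exceeds user clearance"
    if op == "read":
        ok, rule = read_allowed(subject, obj), "simple security property"
    elif op == "write":
        ok, rule = write_allowed(subject, obj), "*-property"
    else:
        return False, "unknown operation"
    return ok, rule + (" satisfied" if ok else " violated")


if __name__ == "__main__":
    # Constructed sample levels; the category names are placeholders.
    user = SecurityLevel("TOP SECRET", frozenset({"CRYPTO"}))
    subj = SecurityLevel("SECRET", frozenset({"CRYPTO"}))
    for op, obj in [("read", SecurityLevel("CONFIDENTIAL")),
                    ("read", SecurityLevel("SECRET", frozenset({"NUCLEAR"}))),
                    ("write", SecurityLevel("TOP SECRET", frozenset({"CRYPTO"}))),
                    ("write", SecurityLevel("CONFIDENTIAL"))]:
        print(op, obj, mediate(op, subj, obj, user))
```

Note that the second read is refused even though the classifications are equal: the subject lacks the object's category, so its level does not dominate.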
Synonymous with executive state.
System Development Methodologies
Methodologies developed through software engineering to manage the
complexity of system development. Development methodologies include software
engineering aids and high-level design analysis tools.
See modes of operation.
system integrity
The quality that a system has when it performs its intended function
in an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
The lowest security level supported by a system at a particular time
or in a particular environment.
System Security Officer (SSO)
See Information System Security Officer.
Systems Security Steering Group
The senior government body established by NSDD-145 to provide
top-level review and policy guidance for the telecommunications security and
automated information systems security activities of the U.S. Government.
This group is chaired by the Assistant to the President for National Security
Affairs and consists of the Secretary of State, Secretary of Treasury, the
Secretary of Defense, the Attorney General, the Director of the Office of
Management and Budget, and the Director of Central Intelligence.
-T-
tampering
An unauthorized modification that alters the proper functioning of
an equipment or system in a manner that degrades the security or functionality
it provides.
technical attack
An attack that can be perpetrated by circumventing or nullifying
technical vulnerability
A hardware, firmware, communication, or software flaw that leaves a
computer processing system open for potential exploitation, either externally
or internally, thereby resulting in risk for the owner, user, or manager of
the system.
TEMPEST
The study and control of spurious electronic signals emitted by
electrical equipment.
terminal identification
The means used to uniquely identify a terminal to a system.
threat
Any circumstance or event with the potential to cause harm to a
threat agent
A method used to exploit a vulnerability in a system, operation, or
facility.
threat analysis
The examination of all actions and events that might adversely
affect a system or operation.
threat monitoring
The analysis, assessment, and review of audit trails and other data
collected for the purpose of searching out system events that may constitute
violations or attempted violations of system security.
ticket-oriented
A computer protection system in which each subject maintains a list
of unforgeable bit patterns, called tickets, one for each object the subject
is authorized to access. Compare list-oriented.
time-dependent password
A password that is valid only at a certain time of day or during a
top-level specification
A nonprocedural description of system behavior at the most abstract
level; typically, a functional specification that omits all implementation
tranquility
A security model rule stating that the security level of an object
cannot change while the object is being processed by an AIS.
trap door
A hidden software or hardware mechanism that can be triggered to
terminal. Software developers often introduce trap doors in their code to
enable them to reenter the system and perform certain functions. Synonymous
Trojan horse
A computer program with an apparently or actually useful function
that contains additional (hidden) functions that surreptitiously exploit the
legitimate authorizations of the invoking process to the detriment of security
or integrity.
trusted computer system
A system that employs sufficient hardware and software assurance
measures to allow its use for simultaneous processing of a range of sensitive
or classified information.
Trusted Computing Base (TCB)
The totality of protection mechanisms within a computer system,
including hardware, firmware, and software, the combination of which is
components that together enforce a unified security policy over a product or
trusted distribution
A trusted method for distributing the TCB hardware, software, and
firmware components, both originals and updates, that provides methods for
any changes to the TCB that may occur.
trusted identification forwarding
An identification method used in networks whereby the sending host
can verify that an authorized user on its system is attempting a connection to
another host. The sending host transmits the required user authentication
information to the receiving host. The receiving host can then verify that
the user is validated for access to its system. This operation may be
transparent to the user.
trusted path
A mechanism by which a person at a terminal can communicate
the TCB and cannot be imitated by untrusted software.
trusted process
A process whose incorrect or malicious execution is capable of
violating system security policy.
trusted software
The software portion of the TCB.
-U-
untrusted process
A process that has not been evaluated or examined for adherence to
the security policy. It may include incorrect or malicious code that attempts
to circumvent the security mechanisms.
user
Person or process accessing an AIS either by direct connections
(i.e., via terminals), or indirect connections (i.e., prepare input data or
user ID
A unique symbol or character string that is used by a system to
identify a specific user.
user profile
Patterns of a user's activity that can be used to detect changes in
normal routines.
-V-
verification
The process of comparing two levels of system specification for
object code). This process may or may not be automated.
virus
A self-propagating Trojan horse, composed of a mission component, a
trigger component, and a self-propagating component.
vulnerability
A weakness in system security procedures, system design,
implementation, internal controls, etc., that could be exploited to violate
vulnerability analysis
The systematic examination of systems in order to determine the
adequacy of security measures, identify security deficiencies, and provide
vulnerability assessment
A measurement of vulnerability which includes the susceptibility of
a particular system to a specific attack and the opportunities available to a
threat agent to mount that attack.
-W-
work factor
An estimate of the effort or time needed by a potential penetrator
write
A fundamental operation that results only in the flow of information
from a subject to an object.
write access
Permission to write to an object.
-X,Y,Z-
This document contains no entries beginning with the letters X, Y, or Z.