Essay 9

Rule-Set Modeling of a Trusted Computer System

Leonard J. LaPadula

7KLV HVVD\ GHVFULEHV D QHZ DSSURDFK WR IRUPDO PRGHOLQJ RI D WUXVWHG FRPSXWHU V\VWHP $ ILQLWHVWDWH PDFKLQH PRGHOV WKH DFFHVV RSHUDWLRQVRIWKHWUXVWHGFRPSXWHUV\VWHPZKLOHDVHSDUDWH UXOH VHW H[SUHVVHV WKH V\VWHP·V WUXVW SROLFLHV $ SRZHUIXO IHDWXUH RI WKLV DS SURDFKLVLWVDELOLW\WRILWVHYHUDOZLGHO\GLIIHULQJWUXVWSROLFLHVHDVLO\ ZLWKLQWKHVDPHPRGHO:HZLOOVKRZKRZWKLVDSSURDFKWRPRGHOLQJ UHODWHVWRJHQHUDOLGHDVRIDFFHVVFRQWURODV\RXPLJKWH[SHFW:HZLOO DOVR UHODWH WKLV DSSURDFK WR WKH LPSOHPHQWDWLRQ RI UHDO V\VWHPV E\ FRQQHFWLQJ WKH UXOH VHW RI WKH PRGHO WR WKH V\VWHP RSHUDWLRQV RI D 8QL[6\VWHP9V\VWHP7KHWUXVWSROLFLHVZHGHPRQVWUDWHLQWKHUXOH VHWRIWKHPRGHOLQFOXGHWKHPDQGDWRU\DFFHVVFRQWUROSROLF\RI81,; 6\VWHP 90/6 D YHUVLRQ RI WKH &ODUN:LOVRQ LQWHJULW\ SROLF\ DQG WZRVXSSRUWLQJSROLFLHVWKDWLPSOHPHQWUROHV

7KHPRGHOLQJDSSURDFKZHZLOOGLVFXVVJUHZRXWRIVHYHUDOLGHDV GHYHORSHG LQ WKH *HQHUDOL]HG )UDPHZRUN IRU $FFHVV &RQWURO *)$& SURMHFWGLUHFWHGE\$EUDPV>$%5$@7KHYLVLRQRIWKDWSURMHFWZDV WR JDLQ JUHDWHU XWLOLW\ LQ RXU trusted computer systems E\ FUHDWLQJ D WHFKQRORJ\IRUSXWWLQJDULFKVHWRIYDULRXVaccess control policiesLQWRD VLQJOHWUXVWHGFRPSXWHUV\VWHP2XUPRGHOLQJDSSURDFKUHVSRQGVWR WKHFKDOOHQJHRIWKDWYLVLRQDVH[SUHVVHGLQWKHVHREMHFWLYHV

‡ 0DNHLWHDV\WRVWDWHIRUPDOL]HDQGDQDO\]HDFFHVVFRQWUROSROLFLHV EHVLGHV WUDGLWLRQDO mandatory access control 0$&  DQG discretionary access control '$& WRLQFUHDVHWKHDYDLODELOLW\RIGLYHUVHDVVXUHG VHFXULW\SROLFLHV ‡ 0DNHLWIHDVLEOHWRFRQILJXUHDV\VWHPZLWKVHFXULW\SROLFLHVFKRVHQ IURPDYHQGRUSURYLGHGVHWRIRSWLRQVZLWKFRQILGHQFHWKDWWKHUH

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  VXOWLQJ V\VWHP·V security policy PDNHV VHQVH DQG ZLOO EH SURSHUO\ HQIRUFHG ‡ &RQVWUXFW WKH model LQ D PDQQHU WKDW DOORZV RQH WR VKRZ WKDW LW VDWLVILHVDQDFFHSWHGGHILQLWLRQRIHDFKVHFXULW\SROLF\LWUHSUHVHQWV

7KHUHPDLQGHURIWKLVHVVD\KDVWKUHHSDUWV

‡ )LUVW ZH GLVFXVV WKH *HQHUDOL]HG )UDPHZRUN IRU $FFHVV &RQWURO YLHZ RI D trusted system *)$& PRWLYDWHV WKH DSSURDFK ZH KDYH WDNHQWRPRGHOLQJ ‡ 1H[WZHGHVFULEHWKHPRGHOLQJDSSURDFK ‡ )LQDOO\ ZH LOOXVWUDWH HOHPHQWVRI WKH state-machine model DQG WKH rule-set model³WKHWZRFRPSRQHQWVRIWKHFRPSOHWHPRGHO

2YHUYLHZRIWKH*HQHUDOL]HG)UDPHZRUNIRU$FFHVV&RQ WURO 7KH *HQHUDOL]HG )UDPHZRUN IRU $FFHVV &RQWURO WKHVLV DVVHUWV WKDW DOO access controlLVEDVHGRQDVPDOOVHWRIIXQGDPHQWDOFRQFHSWV>$%5$@ %RUURZLQJVRPHRILWVWHUPLQRORJ\DQGFRQFHSWVIURP WKH ,62 ´:RUNLQJ 'UDIW RQ $FFHVV &RQWURO )UDPHZRUNµ >,62@ *)$& VWDUWV ZLWK WKH SUHPLVHWKDWDOODFFHVVFRQWUROSROLFLHVFDQEHYLHZHGDVrulesH[SUHVVHG LQ WHUPV RI attributes E\ authorities 7KH WKUHH PDLQ HOHPHQWV RI DFFHVV FRQWUROLQDWUXVWHGFRPSXWHUV\VWHPDUH

$XWKRULW\$QDXWKRUL]HGDJHQWPXVWGHILQHVHFXULW\SROLF\LGHQ WLI\ UHOHYDQW VHFXULW\ LQIRUPDWLRQ DQG DVVLJQ YDOXHV WR FHUWDLQ DWWULEXWHVRIcontrolled resources

$WWULEXWHV $WWULEXWHV GHVFULEH FKDUDFWHULVWLFV RU SURSHUWLHV RI subjectsDQGobjects7KHFRPSXWHUV\VWHPZLOOEDVHLWVGHFLVLRQV DERXW DFFHVV FRQWURO RQ WKH DWWULEXWHV RI WKH VXEMHFWV DQG RE MHFWVLWFRQWUROV([DPSOHVRIDWWULEXWHVDUH

VHFXULW\FODVVLILFDWLRQ W\SHRIREMHFW GRPDLQRISURFHVV GDWHDQGWLPHRIODVWPRGLILFDWLRQ RZQHULGHQWLILFDWLRQ

 7KHUHDGHUZLOOILQGDGGLWLRQDODQDO\VLVDQGDFRPSOHWHSROLF\PRGHOLQP\UH SRUW>/$3$@

 ,QIRUPDWLRQ6HFXULW\ 5XOHV $ VHW RI IRUPDOL]HG H[SUHVVLRQV GHILQHV WKH UHODWLRQVKLSV DPRQJ DWWULEXWHV DQG RWKHU VHFXULW\ LQIRUPDWLRQ IRU DFFHVV FRQWUROGHFLVLRQVLQWKHFRPSXWHUV\VWHPUHIOHFWLQJWKHVHFXULW\ SROLFLHVGHILQHGE\DXWKRULW\

7KH JHQHUDOL]HG IUDPHZRUN H[SOLFLWO\ UHFRJQL]HV WZR SDUWV RI DFFHVV FRQWURO³DGMXGLFDWLRQDQGHQIRUFHPHQW:HXVHWKHWHUPaccess control decision facility $') WRGHQRWHWKHDJHQWWKDWDGMXGLFDWHVDFFHVVFRQWURO UHTXHVWV DQG WKH WHUP access control enforcement facility $()  IRU WKH DJHQW WKDW HQIRUFHV WKH $')·V GHFLVLRQV ,Q D WUXVWHG FRPSXWHU V\VWHP WKH$()FRUUHVSRQGVWRWKHV\VWHPIXQFWLRQVRIWKHtrusted computing base 7&%  DQG WKH $') FRUUHVSRQGV WR WKH access control rules WKDW HPERG\ WKH V\VWHP·V VHFXULW\ SROLF\ DOVR SDUW RI WKH 7&% )LJXUH  GHSLFWV WKH JHQHUDOL]HGIUDPHZRUNLQWKHWHUPVMXVWGHVFULEHG

subject (6) enables (1) requests access access

(2) invokes policy AEF ADF (4) responds: "yes" + set-attributes

(7) access (5) updates (3) refers to

object ACI ACR

Figure 1. Overview of the Generalized Framework for Access Control.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  )RUPDOPRGHOLQJDSSURDFK

%DFNJURXQG 7KH *)$& JRDOV WUDQVODWH LQWR WKHVH REMHFWLYHV IRU RXU formal model

‡ 'HYHORSDPRGHOLQJWHFKQRORJ\LQZKLFKLWLVHDV\WRH[SUHVVYDUL RXVSROLFLHVEHVLGHVWUDGLWLRQDO0$&DQG'$& ‡ )DVKLRQ WKH PRGHOLQJ WHFKQRORJ\ WR HQDEOH WKH VHOHFWLRQ RI D GH VLUHG VHW RI VHFXULW\ SROLFLHV IURP VRPH SUHHYDOXDWHG VHW ZLWKRXW KDYLQJWRUHHYDOXDWHWKHUHVXOWLQJFROOHFWLRQRISROLFLHV ‡ 3URYLGHIRUVKRZLQJWKDWDPRGHOVDWLVILHVDQDFFHSWHGGHILQLWLRQRI HDFKVHFXULW\SROLF\HQIRUFHGE\WKHPRGHO

2XUUXOHVHWPRGHOLQJKDVPXFKLQFRPPRQZLWKWUDGLWLRQDOVWDWHPD FKLQHPRGHOLQJ,WGLIIHUVVLJQLILFDQWO\WKRXJKLQWKHZD\LWVHWVXSac- cess rules0RGHOVOLNHWKH%HOO/D3DGXODPRGHO>%(//@DQGWKHUHFHQW &RPSDUWPHQWHG0RGH:RUNVWDWLRQPRGHO>0,//@LQFOXGHDFFHVVFRQWURO UXOHV LQ WKHLU rules of operation ,Q WKHVH PRGHOV DQ 2SHQ )LOH UXOH GH VFULEHV ERWK DFFHVV SROLF\ DQG V\VWHP EHKDYLRU 7KH UXOH XVHV EXLOWLQ FULWHULDWRGHFLGHZKHWKHUWRSHUPLWWKH2SHQ)LOHUHTXHVWDQGWKHUXOH GHVFULEHVWKHEHKDYLRURIWKHPRGHOHGV\VWHPDVDstate transition$W\SL FDOnondisclosureFULWHULRQLVZKHWKHUWKHsecurity levelRIWKHVXEMHFWPDN LQJ WKH 2SHQ )LOH UHTXHVW dominates WKH VHFXULW\ OHYHO RI WKH REMHFW LW ZDQWVWRRSHQ ,QIRUPDWLRQ DIIHFWHG E\ WKH WUDQVLWLRQ PLJKW LQFOXGH WKH VHWRIREMHFWVFXUUHQWO\KHOGRSHQE\WKHVXEMHFWWKDWPDGHWKHUHTXHVW 2XUDSSURDFKVHSDUDWHVWKHGHFLVLRQFULWHULDIURPWKHVWDWH WUDQVLWLRQ GHVFULSWLRQV $ UXOH VHW HPERGLHV WKH VHFXULW\ SROLFLHV RI WKH PRGHOHG V\VWHPZKLOHDILQLWHVWDWHPDFKLQHPRGHOGHVFULEHVWKHEHKDYLRURIWKH V\VWHP 7KXV ZH KDYH SDUWLWLRQHG WKH V\VWHP IXQFWLRQ 2SHQ )LOH  LQWR WZRRSHUDWLRQV

 'HFLGHLIWKHUHTXHVWVKRXOGEHJUDQWHG ,VWKHVXEMHFWDOORZHGWR RSHQWKHUHIHUHQFHGREMHFW"  *UDQWWKHUHTXHVW RSHQWKHILOH RUQRW UHWXUQDQHUURULQGLFDWLRQ 

)LJXUHGHSLFWVWKLVUXOHVHWDSSURDFK

6WUXFWXUHRIWKH0RGHO$WUXVWHGFRPSXWHUV\VWHPEXLOWDFFRUGLQJWR RXUPRGHOLQJSODQKDVWZRPDMRUSDUWVLQVLGHLWVTrusted Computing Base 7&% ,QWKH,62WHUPLQRORJ\ZHPHQWLRQHGHDUOLHURXU7&%KDVDQac- cess enforcement facility $() DQGDQaccess decision facility $') ,QWKLV

 ,QIRUPDWLRQ6HFXULW\ VFKHPH WKH $() RZQV DQG RSHUDWHV WKH V\VWHP RSHUDWLRQV WKDW DUH DYDLODEOHWRFRPSXWHUSURJUDPVWKDWLWUXQV7KH$')NHHSVWKHUXOHVHW WKDWH[SUHVVHVWKHDFFHVVSROLFLHVRIWKHV\VWHP:KHQDFRPSXWHUSUR JUDPDWWHPSWVWRH[HFXWHVRPHV\VWHPRSHUDWLRQWKH$()DSSHDOVWRWKH $')IRUDQDFFHVVGHFLVLRQ$VZHSRLQWHGRXWHDUOLHUWKHUXOHVHWRIWKH $') H[SUHVVHV WKH DFFHVV SROLFLHV RI WKH V\VWHP 7KXV WKH $') ZLOO HYDOXDWHWKHUXOHVHWHDFKWLPHWKH$()DSSHDOVWRLWIRUDQDFFHVVGHFL VLRQ1DWXUDOO\WKH$()ZLOOSURYLGHVRPHVHWRIDUJXPHQWVWRWKH$') ZKHQ LW LQYRNHV WKH $') 7KHVH DUJXPHQWV SURYLGH RU GHILQH ZKDWHYHU DFFHVVFRQWUROLQIRUPDWLRQ $&, WKH$')QHHGVIRUGHFLVLRQPDNLQJ

process

Trusted Computing Base

System Access Control

request for decision answer

Open File function system rule set

Read File function MAC Policy Rules Write File function CWI Policy Rules FC Policy Rules SIM Policy Some Other function Rules

Figure 2. Rule-Set Modeling

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  $SSO\LQJDQ$()$')SDUWLWLRQLQJWRRXUPRGHOLQJJLYHVXV

‡ $ PRGHO RI WKH V\VWHP RSHUDWLRQV FRQVWLWXWLQJ DQ $() :H WUHDW WKLVPRGHODVDVWDWHPDFKLQHDQGFDOOLWWKH6WDWH0DFKLQH0RGHO 7KH6WDWH0DFKLQH0RGHODEVWUDFWO\GHVFULEHVWKHLQWHUIDFHRIFRP SXWHU 352&(66(6WRWKHV\VWHP V7&%DQGGHILQHVWKHUHODWLRQVKLS RIWKHV\VWHPRSHUDWLRQVWRWKHV\VWHP VWUXVWSROLFLHV ‡ $ PRGHO RI WKH VHFXULW\ SROLF\ YLHZHG DV DQ $') :H GHILQH WKLV PRGHODVDUXOHVHWDQGFDOOLWWKH5XOH6HW0RGHO,WGHILQHVWKHVH FXULW\SROLFLHVRIWKHWUXVWHGFRPSXWHUV\VWHP

7KH 6WDWH 0DFKLQH DQG 5XOH 6HW 0RGHOV QHHG DQ LQWHUIDFH EHWZHHQ WKHP7KLVLQWHUIDFHDOORZVWKHVWDWHPDFKLQH WR LQYRNH WKH UXOH VHW IRU DGMXGLFDWLRQRIDSURFHVV VUHTXHVW7KHGHVLJQ RI WKH LQWHUIDFH GHSHQGV RQVHYHUDOFULWLFDOIDFWRUV

‡ :KDWV\VWHPZLOOWKH6WDWH0DFKLQH0RGHOGHVFULEH" ‡ +RZGHWDLOHGLVWKHVWDWHPDFKLQH VUHSUHVHQWDWLRQRIWKHV\VWHPWR EH" ‡ :LOOWKHUXOHVHWGHDOZLWKWKHVDPHOHYHORIGHWDLODVWKHVWDWHPD FKLQHRUZLOOLWGHDOZLWKDEVWUDFWLRQVRIWKHV\VWHP VHOHPHQWVDQG EHKDYLRU"

:HKDYHGHFLGHGWKHVHLVVXHVIRUWKLVHVVD\DVIROORZV

‡ 7KH6WDWH0DFKLQH0RGHOWDUJHWVWKHFODVVRI81,;Ž6\VWHP9V\V WHPV ‡ 7KH VWDWH PDFKLQH KDV D WUDQVLWLRQ UXOH IRU HDFK 81,;Ž6\VWHP 9 system call(DFKtransition rule LVDQDEVWUDFWLRQRILWVFRUUHVSRQGLQJ V\VWHPFDOOEXWWKHDEVWUDFWLRQSUHVHUYHVWKHHVVHQWLDOIXQFWLRQDO LW\RIWKHV\VWHPFDOO ‡ 7KH UXOH VHW DGGUHVVHV HVVHQWLDOO\ WKH VDPH OHYHO RI GHWDLO DV WKH VWDWHPDFKLQH%XWWRWKHH[WHQWWKDWRXUDUWRIPRGHOLQJDOORZV ZHJHQHUDOL]HLW WR PDNH LW XVHIXO ZLWK RWKHU VWDWH PDFKLQHV

,QWHUIDFH%HWZHHQWKH6WDWH0DFKLQHDQGWKH5XOH6HW2XUPRGHO LQJPLUURUVDWUXVWHGFRPSXWHUV\VWHPLQZKLFKWKH7&%KDVWZRSDUWV 7KHaccess control enforcement $() SDUWDIIRUGVV\VWHPVHUYLFHVWRSURF HVVHVDQGGHWHUPLQHVWKHEHKDYLRURIWKHV\VWHP7KHaccess control deci- sion facility $')  SDUW UHPHPEHUV WKH V\VWHP V VHFXULW\ SROLFLHV DQG GHFLGHVZKHWKHUSURFHVVHV UHTXHVWVVDWLVI\WKRVHSROLFLHV7KH$()SDUW FRPPXQLFDWHV ZLWK WKH $') SDUW WKURXJK VRPH DSSURSULDWH LQWHUIDFH 2XUPRGHOLQJDSSURDFKKDVWKHVDPHVWUXFWXUH

 ,QIRUPDWLRQ6HFXULW\ ‡ 7KH 6WDWH 0DFKLQH 0RGHO HQIRUFHPHQW DJHQW  FRUUHVSRQGV WR WKH $()SDUWRIWKHWUXVWHGFRPSXWHUV\VWHP V7&% ‡ 7KH5XOH6HW0RGHO MXGLFLDODJHQW FRUUHVSRQGVWRWKH$')SDUWRI WKH7&%

7KH6WDWH0DFKLQH0RGHOKDVUXOHVRIRSHUDWLRQ(DFKUXOHRIRSHUDWLRQ DEVWUDFWO\GHVFULEHVVRPHEHKDYLRURIWKHPRGHOHGV\VWHP7KH5XOH6HW 0RGHO KDV rules of access (DFK UXOH RI DFFHVV GHVFULEHV VRPH VHFXULW\ SROLF\RIWKHPRGHOHGV\VWHP :H UHODWH WKH PRGHOV WR HDFK RWKHU ZLWK DQ LQWHUIDFH 7KH LQWHUIDFH SHUPLWV FRPPXQLFDWLRQ EHWZHHQ WKH VWDWH PDFKLQH DQG WKH UXOH VHW %ULHIO\ WKH FRPPXQLFDWLRQ RFFXUV WKURXJK PHVVDJHV :H ZLOO VHH WKH IRUPDOVWUXFWXUHRIWKHVHPHVVDJHVODWHU /HW VFRQVLGHUDQH[DPSOHXVLQJD UHDO V\VWHP DV DQ DQDORJXH RI RXU PRGHO V VWUXFWXUH 7KH UHDO V\VWHP IRU WKLV H[DPSOH LV 81,; 6\VWHP 9 :HLPDJLQHWKDWLWV kernelKDVWZRSDUWV DQ$()SDUWZKLFKZHFDOOWKH $()NHUQHO DQG DQ $') SDUW ZKLFK ZH FDOO WKH $')NHUQHO ,PDJLQH WKDW D SURFHVV LQYRNHV WKH 2SHQ V\VWHP FDOO WR RSHQ D ILOH IRU UHDGLQJ 7KH$()NHUQHOVHQGVDPHVVDJHWRWKH$')NHUQHOWRILQGRXWLIWKHSUR FHVV VUHTXHVWLVYDOLG7KHPHVVDJHPXVWFRQWDLQRUUHIHUHQFHWKHDFFHVV FRQWUROLQIRUPDWLRQ $&, QHHGHGE\WKH$')NHUQHOWRPDNHLWVGHFLVLRQ 7KH $&, FRXOG LQFOXGH PDQ\ SRVVLEOH LWHPV RI LQIRUPDWLRQ 6RPH EDVLF LQIRUPDWLRQLWHPVOLNHO\WREHQHHGHGDUHLGHQWLILFDWLRQRIWKHUHTXHVWLQJ SURFHVVLGHQWLILFDWLRQRIWKHILOHWREHRSHQHGDQGDWWULEXWHVRIWKHSURF HVV DQG WKH ILOH 7KH $')NHUQHO PD\ XVH RWKHU DFFHVV FRQWURO FRQWH[W $&&  LQIRUPDWLRQ VXFK DV WKH WLPH RI GD\ WR PDNH LWV GHFLVLRQ 7KH $')NHUQHOUHWXUQVWKHGHFLVLRQWRWKH$()NHUQHO7KH$()NHUQHOWKHQ FRPSOHWHVWKH2SHQV\VWHPFDOOHQDEOLQJWKHUHTXHVWHGDFFHVVLIWKHGH FLVLRQZDVIDYRUDEOHRUUHWXUQLQJDQHUURUPHVVDJHLIQRW 2XU PRGHO RSHUDWHV LQ PXFK WKH VDPH PDQQHU 7KH 6WDWH 0DFKLQH 0RGHOFRUUHVSRQGVWRWKH$()NHUQHO&RUUHVSRQGLQJWRHDFKV\VWHPFDOO VXSSRUWHGE\WKH$()NHUQHOZHKDYHDUXOHRIRSHUDWLRQLQWKH6WDWH0D FKLQH 0RGHO 7KH 5XOH 6HW 0RGHO FRUUHVSRQGV WR WKH $')NHUQHO 7KH 5XOH6HW0RGHOH[SUHVVHVWKHVHFXULW\SROLFLHVRIWKHPRGHOHGV\VWHPLQ LWV UXOHV RI DFFHVV (DFK UXOH RI RSHUDWLRQ LQ WKH 6WDWH 0DFKLQH 0RGHO LQYRNHVWKH5XOH6HW0RGHOZLWKDIXQFWLRQZHFDOO$FFHVV5XOHV7KH DUJXPHQWVRIWKHIXQFWLRQ$FFHVV5XOHVFRUUHVSRQGWRWKHPHVVDJHVH[ FKDQJHGEHWZHHQWKH$()NHUQHODQG$')NHUQHO $JDLQOHW VFRQVLGHUDVLPSOHH[DPSOHEDVHGRQWKHQRWLRQRIDQ2SHQ V\VWHPFDOO$UXOHRIRSHUDWLRQIRUDEVWUDFWO\GHVFULELQJWKH2SHQRSHUD WLRQPLJKWEHWKHIROORZLQJ 2SHQ ILOHBQDPHPRGH  &21',7,21 $FFHVV5XOHV RSHQPRGHFXUUHQWBSURFHVVBDFLILOHBDFL

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  ())(&7 2SHQB6HW FXUUHQWBSURFHVV  2SHQB6HW FXUUHQWBSURFHVV 81,21 ILOHBQDPH PRGH 7KH&21',7,21PHDQVWKDWLIWKHIXQFWLRQ$FFHVV5XOHVLVWUXHWKHQGR WKH DFWLRQV JLYHQ LQ ())(&7 ,Q WKLV FDVH WKH ())(&7 LV WR DGG WKH QDPHGILOHWRWKHVHWRIILOHVDFFHVVLEOHE\WKHUHTXHVWLQJSURFHVVDQGWR VHWLWVDFFHVVPRGH :HGHILQHWKHLQWHUIDFHEHWZHHQWKHVWDWHPDFKLQHDQGWKHUXOHVHWE\ VSHFLI\LQJWKHYDOLGDUJXPHQWVIRU$FFHVV5XOHV$WHDFKLQYRFDWLRQRIWKH 5XOH6HW0RGHOWKH6WDWH0DFKLQH0RGHOLGHQWLILHVWKHGHVLUHGDFWLRQRI WKHSURFHVVDQGDVHWRIUHOHYDQWDWWULEXWHV DFFHVVFRQWUROLQIRUPDWLRQ  6RZHFDQGHILQHWKHQHHGHGLQWHUIDFHE\DVHWRIUHTXHVWVZLWKDSSURSUL DWHDFFHVVFRQWUROLQIRUPDWLRQ:HZLOOXVHVHYHUDOWHUPVIRUWKHQHHGHG LQIRUPDWLRQ:HH[SODLQWKRVHWHUPVQRZWRVKRZWKHLUVSHFLILFPHDQLQJV IRUWKHLQWHUIDFHGHILQLWLRQ

ILOH D VHW RI DWWULEXWHV DVVRFLDWHG ZLWK D 81,; ILOH

GLUHFWRU\ D VHW RI DWWULEXWHV DVVRFLDWHG ZLWK D 81,; GLUHFWRU\

LSF D VHW RI DWWULEXWHV DVVRFLDWHG ZLWK D 81,; VWRUDJH REMHFW XVHG IRU LQWHUSURFHVV FRP PXQLFDWLRQ WKHVH REMHFWV PD\ EH PHVVDJH TXHXHVRUVHPDSKRUHV

VFG D VHW RI DWWULEXWHV DVVRFLDWHG ZLWK D 81,; V\VWHP REMHFW WKDW VWRUHV V\VWHP FRQWURO GDWD WKHUHIRUH WKH DFURQ\P VFG  WKH LQRGHLVDQH[DPSOH:KHQZHXVHVFGLQ WKHVXEVHTXHQWLQWHUIDFHGHILQLWLRQZHDOVR VKRZZKDWWKHVFGLVUHIHUULQJWRHLWKHUD ILOHRUDGLUHFWRU\

$ ILQDO ZRUG LV QHHGHG KHUH EHIRUH SUHVHQWLQJ WKH LQWHUIDFH PHVVDJHV 7KH UHDGHU ZLOO VHH WKH UHTXHVWV &+$1*(52/( DQG 02',)< $775,%87(LQWKHLQWHUIDFH7KHVHUHTXHVWVKDYHQRFRXQWHUSDUWLQWKH VHWRI81,;6\VWHP9V\VWHPFDOOV:HLQFOXGHWKHPWRKHOSH[SRVLWLRQRI YDULRXVVHFXULW\SROLFLHVODWHULQWKLVHVVD\7KHQWKHLUPHDQLQJDQGXVH VKRXOGEHFRPHFOHDU (DFK HOHPHQW RI WKH LQWHUIDFH GHILQLWLRQ KDV WKH IRUP UHTXHVW DUJX PHQWOLVW 7KHUHTXHVWXVXDOO\LGHQWLILHVWKHDFWLRQWKDWDSURFHVVZDQWV WRGREXWDOVRPD\EHXVHGIRUFRPPXQLFDWLRQRILQIRUPDWLRQIURPWKH 6WDWH0DFKLQH0RGHOWRWKH5XOH6HW0RGHO7KHDUJXPHQWOLVWLGHQWLILHVD

 ,QIRUPDWLRQ6HFXULW\ VHWRIDFFHVVFRQWUROLQIRUPDWLRQ $&, ,QWKHOLVWWKDWIROORZVWHUPVOLNH SURFHVVRUREMHFWDUHVKRUWKDQGIRUDWWULEXWHVDVVRFLDWHGZLWKDSURF HVV RU DWWULEXWHV DVVRFLDWHG ZLWK DQ REMHFW 0RGHOHUV VKRXOG FKRRVH ZKDWHYHUUHTXHVWVPDNHVHQVHIRUWKHV\VWHPWKH\ZLVKWRPRGHO:HGH VFULEHUHTXHVWVKHUHWKDWVHHPDSSURSULDWHIRUGHWDLOHGPRGHOLQJRIV\V WHPVOLNH81,;6\VWHP9

‡ )RU HDFK V\VWHP FDOO RI 81,; 6\VWHP 9 DV GHILQHG E\ %DFK >%$&+@WKHUHLVDWOHDVWRQHUHTXHVWWKDWUHODWHVWRLWVIXQFWLRQ DOLW\2QWKHRWKHUKDQGDVLQJOHUXOHRIRSHUDWLRQWKDW PRGHOV D V\VWHPFDOOPLJKWXVHVHYHUDOUHTXHVWV$&UHDWH)LOHUXOHRIRSHUD WLRQ IRU H[DPSOH PLJKW LQYRNH $FFHVV5XOHV WZLFH )LUVW LW PLJKW QHHG WR NQRZ LI WKH UHTXHVWLQJ SURFHVV KDV SHUPLVVLRQ WR VHDUFK WKHGLUHFWRU\LQZKLFKWKHILOHZLOOEHORFDWHG7KHQLIWKHVHDUFKLV YDOLGLWDJDLQ ZRXOG DSSHDO WR WKH $FFHVV5XOHV IRU D SROLF\ GHFL VLRQRQFUHDWLQJWKHILOH ‡ 7KHVHWRIUHTXHVWVZHKDYHGHILQHGKHUHLVQRWPLQLPDO)RUH[DP SOHZHKDYHVHYHUDOUHTXHVWVWKDWUHSUHVHQWYDULDWLRQVRIZULWLQJWR DQREMHFWIRUWKHVHVHSDUDWHUHTXHVWVZHFRXOGKDYHVXEVWLWXWHGD VLQJOH UHTXHVW ZLWK DUJXPHQWV , EHOLHYH P\ FKRLFH HQKDQFHV WKH LQWXLWLYHXQGHUVWDQGLQJRIWKHPRGHOHUDQGDIIRUGVJUHDWHUIOH[LELO LW\LQPRGHOLQJWKHFODVVRIV\VWHPVZHKDYHWDUJHWHG

+HUHLVWKHOLVWRIUHTXHVWV

‡ $/,$6 SURFHVV ILOH  7KH SURFHVV LV DWWHPSWLQJ WR FUHDWH DQ DOLDV IRUWKHILOH$VWDWHPDFKLQHPRGHORI81,;ZRXOGXVHWKLVUHTXHVW LQLWVUXOHRIRSHUDWLRQIRUOLQNLQJWRDILOH ‡ $/7(5 SURFHVV LSF  7KH SURFHVV ZLVKHV WR DFFHVV WKH FRQWURO LQIRUPDWLRQ IRU DQ LSFW\SH REMHFW 7KLV UHTXHVW UHODWHV WR UHDGLQJ RUPRGLI\LQJGDWDDERXWWKHLSFW\SHREMHFW7KLVLVVLPLODUWRWKH PRGLI\SHUPLVVLRQVGDWD DQG JHWSHUPLVVLRQVGDWD UHTXHVWV GH ILQHGEHORZIRUWKHDFFHVVFRQWUROLQIRUPDWLRQDVVRFLDWHGZLWKILOHV DQG GLUHFWRULHV ,Q D 81,; HQYLURQPHQW WKLV UHTXHVW ZRXOG EH XVHG E\ WKH V\VWHP FDOOV WKDW FRQWURO PHVVDJH TXHXHV VHPD SKRUHVDQGVKDUHGPHPRU\ ‡ &+$1*(2:1(5 SURFHVV VFG ILOHGLUHFWRU\  7KH SURFHVV ZDQWV WR FKDQJH WKH RZQHU RI WKH LQGLFDWHG REMHFW $Q VFG REMHFW LV RQH WKDW FRQWDLQV V\VWHP DFFHVV FRQWURO LQIRUPDWLRQ ,Q 81,; WKLV LV WKHLQRGH7KHSDUHQWKHWLFDOUHPDUNILOHGLUHFWRU\PHDQVWKDWWKH VFGSHUWDLQVWR D ILOH RU GLUHFWRU\ 7KH DWWULEXWH VHW SDVVHG WR WKH 5XOH6HW0RGHOZLOOFRQVLVWRIDWWULEXWHVRIWKHILOHRUGLUHFWRU\DQG DQDWWULEXWHWKDWLGHQWLILHVWKHREMHFWWREHPRGLILHG ‡ &+$1*(52/( SURFHVV UROH DWWULEXWH UROH YDOXH  7KH SURFHVV ZDQWV WR FKDQJH WKH 52/( RI WKH RZQHU RI WKH SURFHVV 7KH DUJX

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  PHQWUROHDWWULEXWHQDPHVWKHDWWULEXWHWRPRGLI\DQGWKHDUJX PHQWUROHYDOXHJLYHVWKHGHVLUHGUROH ‡ &/21( SURFHVVSURFHVV 3URFHVVZDQWVWRFUHDWHDFORQHRILW VHOI SURFHVV ,Q D 81,; HQYLURQPHQW WKLV FRUUHVSRQGV WR D IRUN V\VWHPFDOO ‡ &5($7( SURFHVV ILOHGLUHFWRU\VFGLSF  7KH SURFHVV ZDQWV WR FUHDWHDQHZILOHGLUHFWRU\VFGW\SHREMHFWRULSFW\SHREMHFW ‡ '(/(7( SURFHVV ILOHGLUHFWRU\LSF  7KH SURFHVV ZDQWV WR GHOHWH WKHLQGLFDWHGREMHFW ‡ '(/(7('$7$ SURFHVV ILOH  7KH SURFHVV ZDQWV WR WUXQFDWH UH PRYHDOOGDWDIURP WKHILOH ‡ (;(&87( SURFHVVILOH 7KHSURFHVVZDQWVWRH[HFXWHWKHILOH7KLV UHTXHVWFRPSDUHVWRWKH81,;H[HFV\VWHPFDOO ‡ *(73(50,66,216'$7$ SURFHVV VFG ILOHGLUHFWRU\  7KH SURF HVV ZDQWV WR UHDG GLVFUHWLRQDU\ DFFHVV SHUPLVVLRQV IRU WKH LQGL FDWHGILOHRUGLUHFWRU\ ‡ *(767$786'$7$ SURFHVV VFG ILOHGLUHFWRU\  7KH SURFHVV ZDQWV WR UHDG VWDWXV GDWD DERXW WKH ILOH RU GLUHFWRU\ 7KLV FRUUH VSRQGV WR D 81,; VWDW V\VWHP FDOO ZKLFK FDQ UHWXUQ LQIRUPDWLRQ VXFKDVILOHW\SHILOHRZQHUDFFHVVSHUPLVVLRQVDQGILOHVL]H ‡ 02',)<$&&(66'$7$ SURFHVV VFG ILOHGLUHFWRU\  7KH SURFHVV ZDQWVWRPRGLI\DFFHVVLQIRUPDWLRQDERXWWKHREMHFWVXFK DV WKH WLPHRIODVWPRGLILFDWLRQ7KLVFRPSDUHVWRWKH81,;XWLPHV\VWHP FDOO ‡ 02',)<$775,%87( SURFHVV XVHUSURFHVVREMHFW DWWULEXWH YDOXH  7KH SURFHVV ZDQWV WR PRGLI\ DQ DWWULEXWH RI WKH XVHU WKH SURFHVVRUDQREMHFW7KHDUJXPHQWDWWULEXWHQDPHVWKHDWWULEXWH WRFKDQJHDQGWKHDUJXPHQWYDOXHJLYHVWKHQHZYDOXH ‡ 02',)<3(50,66,216'$7$ SURFHVV VFG ILOHGLUHFWRU\  7KH SURFHVV ZDQWV WR PRGLI\ GLVFUHWLRQDU\ DFFHVV SHUPLVVLRQV RI WKH REMHFW7KLVUHTXHVWSDUDOOHOVWKH81,;FKPRGV\VWHPFDOO ‡ 5($' SURFHVVGLUHFWRU\ 7KHSURFHVVZDQWVWRUHDGGDWDIURPWKH LQGLFDWHGGLUHFWRU\ ‡ 5($'$775,%87( SURFHVV XVHUSURFHVVREMHFW DWWULEXWH  7KH SURFHVVZDQWVWRUHDGDQDWWULEXWHRIWKHXVHUWKHSURFHVVRUDQ REMHFW7KHDUJXPHQWDWWULEXWHQDPHVWKHDWWULEXWHWRUHDG ‡ 5($' :5,7(23(1 SURFHVVILOHLSF 7KHSURFHVVZDQWVWRRSHQ WKHREMHFWIRUUHDGLQJDQGZULWLQJ,Q81,;WKHREMHFWLVHLWKHUDILOH RUDPHVVDJHTXHXH ‡ 5($'23(1 SURFHVVILOH 7KHSURFHVV ZDQWV WR RSHQ WKH ILOH IRU UHDGLQJ ‡ 6($5&+ SURFHVV GLUHFWRU\  7KH $()SDUW RI WKH 7&% QHHGV WR UHDGWKHGLUHFWRU\DVSDUWRIVRPHRWKHURSHUDWLRQUHTXHVWHGE\WKH SURFHVV7KLVFRUUHVSRQGVWRVHDUFKLQJDGLUHFWRU\LQ81,;VRDOO

 ,QIRUPDWLRQ6HFXULW\ UXOHV RI RSHUDWLRQ WKDW PRGHO V\VWHP FDOOV XVLQJ WKH 81,; QDPHL VXEURXWLQHZLOOLQYRNH$FFHVV5XOHVZLWKWKLVUHTXHVW ‡ 6(1'6,*1$/ SURFHVVSURFHVV SURFHVVZDQWVWRVHQGDVLJ QDOWRSURFHVV7KLVSDUDOOHOVWKH81,;NLOOV\VWHPFDOO ‡ 7(50,1$7( SURFHVV 7KHV\VWHPKDVWHUPLQDWHGWKHSURFHVV7KH 6WDWH 0DFKLQH 0RGHO JLYHV WKLV UHTXHVW WR WKH 5XOH 6HW 0RGHO IRU LQIRUPDWLRQ RQO\ 7KLV UHTXHVW HQDEOHV WKH 5XOH 6HW 0RGHO WR XS GDWHLWVLQIRUPDWLRQEDVHLIQHFHVVDU\ ‡ 75$&( SURFHVVSURFHVV SURFHVVZDQWVWRWUDFHSURFHVV7KH UXOHVHWZLOOLQWHUSUHWWKLVWRPHDQUHDGZULWHWKHPHPRU\RISURF HVV7KLVHTXDWHVWRWKH81,;SWUDFHV\VWHPFDOO ‡ :5,7( SURFHVVGLUHFWRU\ 7KHSURFHVVZDQWVWRZULWHGDWDWRWKH GLUHFWRU\7KH81,;FUHDWV\VWHPFDOOPD\KDYHWRVHDUFKDGLUHF WRU\EHIRUHFUHDWLQJDILOH7KXVLQD81,;V\VWHPEXLOWDFFRUGLQJ WRRXUPRGHOLQJSDUDGLJPWKHFUHDWV\VWHPFDOOZRXOGXVHWKLVUH TXHVWWRFKHFNWKHSURFHVV VSHUPLVVLRQWRVHDUFKWKHGLUHFWRU\LQ YROYHG ‡ :5,7(23(1 SURFHVVILOH 7KHSURFHVVZDQWVWRRSHQWKHILOH

([DPSOHVRIWKH0RGHO&RPSRQHQWV

6WDWH 0DFKLQH 0RGHO 7KH 81,;Ž6\VWHP 9 V\VWHP DV GHVFULEHG E\ %DFK>%$&+@VKDSHVWKH QDWXUH RI RXU 6WDWH 0DFKLQH 0RGHO :H ZLOO QRWGHYHORSDFRPSOHWH6WDWH0DFKLQH0RGHOLQWKLVHVVD\VLQFHZHZDQW WRH[SODLQWKHPRGHOLQJDSSURDFKQRWEXLOGDWUXVWHGFRPSXWHUV\VWHP 2Q WKH RWKHU KDQG ZH KDYH WULHG WR DFKLHYH WKH EUHDGWK DQG GHSWK RI FRYHUDJHQHHGHGWRPDNHREYLRXVZKDWDPRGHOHUVKRXOGGR7RWKLVHQG WKLVVHFWLRQFRQWDLQVUXOHVRIRSHUDWLRQWKDWDEVWUDFWO\GHVFULEHPDQ\RI WKH NH\ V\VWHP FDOOV RI 81,; 6\VWHP 9 7KH VHOHFWHG UXOHV DGHTXDWHO\ GHPRQVWUDWHWKHPRGHOLQJDSSURDFKZHKDYHGHVFULEHG

,QWURGXFWLRQ7KH6WDWH0DFKLQH0RGHOLVDVWDWHWUDQVLWLRQPDFKLQH,WV UXOHV RI RSHUDWLRQ GHILQH WKH YDOLG WUDQVLWLRQV IRU WKH PRGHOHG V\VWHP 5HFDOO ZH VDLG HDUOLHU WKDW WKH VWDWH PDFKLQH KDV D WUDQVLWLRQ UXOH IRU HDFK81,;6\VWHP9V\VWHPFDOO:HYDOLGO\FRXOGKDYHFKRVHQLQVWHDGWR PDNH WKH PRGHO UXOHV PRUH SULPLWLYH WKDQ V\VWHP FDOOV 'RLQJ VR JLYHV WKHEHQHILWRIVLPSOHUUXOHVRIRSHUDWLRQEXWKDVWKHXQGHVLUDEOHHIIHFWRI PRYLQJ WKH PRGHO DQRWKHU OHYHO DZD\ IURP WKH UHDO V\VWHP 7KH DGGL WLRQDO OHYHO GHPDQGV D RQHWRPDQ\ PDSSLQJ RI V\VWHP FDOO WR UXOHV RI RSHUDWLRQE\WKHGHVLJQHURUHYDOXDWRURIWKHV\VWHP

$QH[DPSOHZLOOVKRZWKHGLIIHUHQFHEHWZHHQWKHWZRDSSURDFKHV7DN LQJWKHPRUHDEVWUDFWDSSURDFKZHPLJKWGHILQHWKH2SHQUXOHRIRSHUD WLRQLQWKHIROORZLQJIRUPDVZHVDZHDUOLHU

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  2SHQ ILOHBQDPHPRGH  &21',7,21 67$786 ILOHBQDPH  DFWLYH $1' $FFHVV5XOHV RSHQPRGHFXUUHQWBSURFHVVBDFLILOHBDFL ())(&7 2SHQB6HW FXUUHQWBSURFHVV  2SHQB6HW FXUUHQWBSURFHVV 81,21 ILOHBQDPH PRGH

7KH81,;RSHQV\VWHPFDOOKDVDQRSWLRQWRFUHDWHWKHQDPHGILOHXQ GHU FHUWDLQ FLUFXPVWDQFHV ,W DOVR SURYLGHV DQ RSWLRQ IRU WKH SURFHVV WR FDXVHWKHILOHWREHWUXQFDWHG KDYH DOO LWV GDWD HUDVHG  GXULQJ RSHQLQJ 7KHDERYHIRUPRIWKHRSHQUXOHGRHVQRWUHIOHFWWKHVHRSWLRQV,QWKHIRO ORZLQJIRUPZHVKRZQRWRQO\WKHVHRSWLRQVEXWDGGLWLRQDOGHWDLOVRIWKH V\VWHPFDOOVXFKDVGLUHFWRU\VHDUFKLQJ

5XOHVRI2SHUDWLRQ7KLVVHFWLRQJLYHVWKH6WDWH0DFKLQHPRGHOVSHFLIL FDWLRQIRUWKHIROORZLQJUXOHVRIRSHUDWLRQ 2SHQ 5HDG )RUN &UHDWH ([HFXWH .LOO 8QOLQN

‡ 2SHQ ILOHBQDPH PRGH WUXQFDWHBRSWLRQ FUHDWHBRSWLRQ  7KH RSHQV\VWHPFDOOLVWKHILUVWRSHUDWLRQDSURFHVVSHUIRUPVWRDFFHVVGDWD LQ ILOH :KHQ VXFFHVVIXO WKH FDOO UHWXUQV D ILOH GHVFULSWRU WKDW ZLOO EH XVHG E\ RWKHU ILOH RSHUDWLRQV VXFK DV UHDGLQJ ZULWLQJ GHWHUPLQLQJ VWDWXVDQGFORVLQJWKHILOH,IWKHILOHGRHVQRWH[LVWDQGWKHFUHDWHBRSWLRQ DUJXPHQWLQGLFDWHVWKDWWKHSURFHVVZLVKHVWRFUHDWHWKHILOHLQWKLVFDVH WKHQ WKH FDOO ZLOO FUHDWH WKH ILOH DQG RSHQ LW LQ WKH PRGH VSHFLILHG 7KH PRGH DUJXPHQW LQGLFDWHV WKH W\SH RI RSHQ VXFK DV UHDGLQJ RU ZULWLQJ

 2The reader with computer systems experience should have no trouble understanding the language that expresses the rules. The reader who may not be familiar with computer programming languages or who may want to verify the meaning of a language form should see appendix 1, which gives a description of the language as well as the modeling constructs employed. 3The arguments used in this essay are similar to those defined by Bach (Bach, 1986) but I have changed the names, invented some new ones, and sometimes rearranged them for clarity of the rules.

 ,QIRUPDWLRQ6HFXULW\ DQGWKHWUXQFDWHBRSWLRQVKRZVZKHWKHUWKHSURFHVVZDQWVDOOWKHFXUUHQW GDWDLQWKHILOHFOHDUHG ,) $FFHVV5XOHV VHDUFK GLUHFWRU\BQDPH>FXUUHQW GLUHFWRU\ RU GLUHFWRU\ IURPVSHFLILHGSDWKQDPH@ 7+(1 6(/(&7&$6(67$786 ILOHBQDPH &$6(67$786 ILOHBQDPH  DFWLYH WKHGLUHFWRU\VHDUFKZDVYDOLG DQGWKHILOHH[LVWV 6(/(&7&$6(WUXQFDWHBRSWLRQ &$6(21 ,) 127 $FFHVV5XOHV GHOHWHGDWDFXUUHQWBSURFHVVILOHBQDPH  7+(1 HUURUH[LW (/6( > WUXQFDWHWKHILOH @ > RSHQWKHILOH @ 23(1 FXUUHQWBSURFHVV ILOHBQDPH   23(1 FXUUHQWBSURFHVV ILOHBQDPH 6(781,21^PRGH` VHWDWWULEXWHV QRUPDOH[LW

&$6(2)) ,) PRGH UHDG$1' $FFHVV5XOHV UHDGRSHQFXUUHQWBSURFHVVILOHBQDPH 25 PRGH ZULWH$1' $FFHVV5XOHV ZULWHRSHQFXUUHQWBSURFHVVILOHBQDPH 25 PRGH UHDG ZULWH$1' $FFHVV5XOHV UHDG ZULWHRSHQFXUUHQWBSURFHVVILOHBQDPH 7+(1 > RSHQWKHILOH @ VHWDWWULEXWHV 23(1 FXUUHQWBSURFHVV ILOHBQDPH   23(1 FXUUHQWBSURFHVV ILOHBQDPH 6(781,21^PRGH` QRUPDOH[LW (/6( HUURUH[LW

 4I show the first argument to the open call (and others) as file_name. This may actually be a pathname involving one or more directories. When file_name is used as a parameter to the Access-Rules, the reader should understand that the name of the file itself, not the full pathname, is intended.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  &$6( 67$786 ILOHBQDPH   XQXVHG  WKH GLUHFWRU\ VHDUFK ZDV YDOLGDQGWKHILOHGRHVQRWH[LVW 6(/(&7&$6(FUHDWHBRSWLRQ &$6(FUHDWHBRSWLRQ 21 FUHDWHWKHILOHDQGRSHQLWIRUWKHW\SHRIDFFHVVVSHFLILHGE\ WKHPRGHDUJXPHQW > FUHDWHWKHDWWULEXWHVHWIRUWKHILOHDQGVHWWKHEDVLFYDOXHV VXFKDVREMHFWLGHQWLILHU @ ,) $FFHVV5XOHV FUHDWHFXUUHQWBSURFHVVILOHBQDPH  7+(1 VHWDWWULEXWHV > FUHDWHWKHILOH @ FKHFNZKHWKHUFXUUHQWBSURFHVVPD\RSHQWKHILOH ,) PRGH UHDG$1' $FFHVV5XOHV UHDGRSHQFXUUHQWBSURFHVVILOHBQDPH 25 PRGH ZULWH$1' $FFHVV5XOHV ZULWHRSHQFXUUHQWBSURFHVVILOHBQDPH 25 PRGH UHDG ZULWH$1' $FFHVV5XOHV UHDG ZULWHRSHQ FXUUHQWBSURFHVV ILOHBQDPH  7+(1 VHWDWWULEXWHV > RSHQWKHILOH @ 23(1 FXUUHQWBSURFHVV ILOHBQDPH  23(1 FXUUHQWBSURFHVV ILOHBQDPH  6(781,21 ^PRGH` QRUPDOH[LW (/6( HUURUH[LW (/6( HUURUH[LW &$6(FUHDWHBRSWLRQ 2)) HUURUH[LW &$6( 67$786 ILOHBQDPH   LQDFFHVVLEOH  WKH GLUHFWRU\ VHDUFK IDLOHGHJSHUPLVVLRQGHQLHGGLUHFWRU\QRQH[LVWHQWHWF

HUURUH[LW (1'6(/(&7 (/6( HUURUH[LW

‡ 5HDG ILOHBGHVFULSWRU EXIIHU VL]H  7KH UHDG V\VWHP FDOO FDXVHV D VSHFLILHG QXPEHU RI E\WHV VL]H  WR EH PRYHG IURP DQ RSHQ ILOH ILOHBGHVFULSWRU  WR D GDWD VWUXFWXUH EXIIHU  LQ WKH UH TXHVWLQJ SURFHVV 7KH UHDG VWDUWV DW WKH QH[W E\WH DIWHU WKH ODVW

 ,QIRUPDWLRQ6HFXULW\ E\WH WUDQVIHUUHG E\ D UHDG FDOO VR WKDW VXFFHVVLYH UHDGV RI D ILOH GHOLYHUWKHILOHGDWDLQVHTXHQFH

,) UHDG LV LQ 23(1 FXUUHQWBSURFHVV REMHFW>LGHQWLILHG E\ ILOHBGHVFULSWRU@ $1' $FFHVV5XOHV UHDGFXUUHQWBSURFHVVREMHFW 7+(1 VHWDWWULEXWHV > UHDGWKHILOH @ QRUPDOH[LW (/6( HUURUH[LW

‡ )RUN  7KHIRUNV\VWHPFDOOHQDEOHVDSURFHVVWRFUHDWHD QHZ SURFHVV 7KH FUHDWHG SURFHVV FDOOHG WKH FKLOG SURFHVV LV LGHQWLFDOWRWKHSURFHVVWKDWFUHDWHVLWWKHSDUHQWSURFHVVH[FHSW IRU WKHLU SURFHVV LGHQWLILHUV $OVR VRPH SURFHVVLQWHUQDO YDUL DEOH V RIWKHFKLOGDUHVHWE\WKHNHUQHOVRWKDWWKHFKLOGSURFHVV FDQUHFRJQL]HLWVHOIDVWKHFKLOGZKHQLWUXQVSUHVXPDEO\VRWKDW LWFDQGRVRPHWKLQJGLIIHUHQWIURPLWVSDUHQW

> FUHDWHWKHQHZSURFHVVLIUHVRXUFHVDUHDYDLODEOH @ ,) $FFHVV5XOHV FORQHFXUUHQWBSURFHVVQHZBSURFHVV  7+(1 VHWDWWULEXWHV 2SHQ QHZBSURFHVV REMHFW   2SHQ FXUUHQWBSURFHVV REMHFW  IRU DOO RE MHFWVLQWKHV\VWHP WKHQHZSURFHVVLQKHULWVDFFHVVWRDOOWKHREMHFWVWKHFXUUHQWSURFHVV FDQDFFHVV > FRPSOHWHWKHIRUNRSHUDWLRQ @ QRUPDOH[LW (/6( HUURUH[LW

‡ FUHDW ILOHBQDPHPRGH 7KHFUHDW FUHDWH V\VWHPFDOOFUH DWHV D QHZ ILOH LQ WKH V\VWHP %XW LI WKH ILOH DOUHDG\ H[LVWV WKH NHUQHORSHQVLWDQGWUXQFDWHVLWLISHUPLVVLEOH

,) $FFHVV5XOHV VHDUFK GLUHFWRU\BQDPH>FXUUHQW GLUHFWRU\ RU GLUHFWRU\ IURPVSHFLILHGSDWKQDPH@ 7+(1 6(/(&7&$6(67$786 ILOHBQDPH

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  &$6(67$786 ILOHBQDPH  DFWLYH WKHGLUHFWRU\VHDUFKZDVYDOLG DQGWKHILOHH[LVWV FKHFNLILWLVSHUPLVVLEOHWRGHOHWHWKHGDWDLQWKHILOHDQGZULWH RSHQLW VDYH DWWULEXWHYDOXHVRIFXUUHQWBSURFHVVDQGILOHBQDPH  ,) $FFHVV5XOHV GHOHWHGDWDFXUUHQWBSURFHVVILOHBQDPH 7+(1 VHWDWWULEXWHV ,) $FFHVV5XOHV ZULWHRSHQFXUUHQWBSURFHVVILOHBQDPH 7+(1 VHWDWWULEXWHV FOHDUWKHILOHDQGZULWHRSHQLW  23(1 FXUUHQWBSURFHVV ILOHBQDPH   23(1 FXUUHQWBSURFHVV ILOHBQDPH 6(781,21^PRGH` QRUPDOH[LW (/6( UHVWRUH  UHVWRUH WKH DWWULEXWH YDOXHV RI FXUUHQWBSURFHVV DQG ILOHBQDPH  HUURUH[LW (/6( HUURUH[LW &$6( 67$786 ILOHBQDPH   XQXVHG  WKH GLUHFWRU\ VHDUFK ZDV YDOLGDQGWKHILOHGRHVQRWH[LVW FKHFNLILWLVSHUPLVVLEOHWRFUHDWHWKHILOHZULWHWKHUHOHYDQWGL UHFWRU\DQGZULWHRSHQWKHILOH VDYH VDYHWKHDWWULEXWHYDOXHVRIFXUUHQWBSURFHVVILOHBQDPHDQG GLUHFWRU\  ,) $FFHVV5XOHV FUHDWHFXUUHQWBSURFHVVILOHBQDPH 7+(1 VHWDWWULEXWHV ,) $FFHVV5XOHV ZULWH FXUUHQWBSURFHVV GLUHFWRU\  GLUHFWRU\ LV IRXQGE\WKHQDPHLNHUQHOVXEURXWLQHLQ81,; 7+(1 VHWDWWULEXWHV ,) $FFHVV5XOHV ZULWHRSHQFXUUHQWBSURFHVVILOHBQDPH 7+(1 VHWDWWULEXWHV FUHDWHWKHILOHZLWKDSSURSULDWHGLUHFWRU\HQWU\DQGZULWH RSHQLW  (/6(

 ,QIRUPDWLRQ6HFXULW\ UHVWRUH  UHVWRUH WKH DWWULEXWH YDOXHV RI FXUUHQWBSURFHVV ILOHBQDPHDQGGLUHFWRU\  HUURUH[LW (/6( UHVWRUH  DWWULEXWH YDOXHV RI FXUUHQWBSURFHVV ILOHBQDPH DQG GLUHFWRU\  HUURUH[LW (/6( HUURUH[LW (/6( HUURUH[LW

‡ H[HF ILOHBQDPH 7KHH[HFV\VWHPFDOOFDXVHVSURFHVVH[HFXWLRQWR FRQWLQXHZLWKWKHFRGHFRQWDLQHGLQWKHQDPHGILOH 7KLV VKRXOG QRW EH FRQIXVHG ZLWK FUHDWLQJ D QHZ SURFHVV ZKLFK LV WKH QRUPDO UHVXOW RI D IRUNV\VWHPFDOO7KHH[HFXWLRQRIWKHFRGHVSHFLILHGE\WKHH[HFV\VWHP FDOO LV SDUW RI WKH SURFHVV WKDW LQYRNHG WKH H[HF V\VWHP FDOO 7KXV WKH RSHQILOHVRIWKHSURFHVVDUHVWLOORSHQDIWHUDVXFFHVVIXOH[HF

,) $FFHVV5XOHV VHDUFK GLUHFWRU\BQDPH>FXUUHQW GLUHFWRU\ RU GLUHFWRU\ IURPVSHFLILHGSDWKQDPH@ 7+(1 6(/(&7&$6(67$786 ILOHBQDPH &$6(67$786 ILOHBQDPH  DFWLYH WKHGLUHFWRU\VHDUFKZDVYDOLG DQGWKHILOHH[LVWV ,) $FFHVV5XOHV H[HFXWHFXUUHQWBSURFHVVILOHBQDPH 7+(1 VHWDWWULEXWHV FDUU\RXWWKHH[HFLQJRIWKHILOHQDPH  QRUPDOH[LW (/6( HUURUH[LW &$6( 67$786 ILOHBQDPH   XQXVHG  WKH GLUHFWRU\ VHDUFK ZDV YDOLGDQGWKHILOHGRHVQRWH[LVW HUURUH[LW (/6( HUURUH[LW

‡ NLOO SURFHVVLGHQWLILHUVLJQDO 7KHNLOOV\VWHPFDOOHQDEOHVDSUR FHVVWRVHQGRQHRIDQXPEHURIVLJQDOVWRDQRWKHUSURFHVV7KH6,*.,// VLJQDO FDXVHV WKH NHUQHO WR WHUPLQDWH WKH WDUJHW SURFHVV LI DSSURSULDWH

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  DXWKRUL]DWLRQV DUH VDWLVILHG ,I WKH VLJQDO LV DQ\ RI WKH RWKHU YDOLG VLJ QDOVWKHQ WKH SURFHVV HV  UHFHLYLQJ WKH VLJQDO ZLOO SURFHVV WKH VLJQDO LQ DFFRUGDQFHZLWKWKHVSHFLILFDWLRQHVWDEOLVKHGE\LWV WKHLU VLJQDOV\VWHP FDOO V RUZLWKWKHGHIDXOWVSHFLILFDWLRQIRUWKHVLJQDO

,) WKHSURFHVVLGHQWLILHUDQGVLJQDODUJXPHQWVDUHYDOLG 7+(1 6(/(&7&$6(VLJQDO &$6(VLJQDOLV6,*.,// WKHVHQGLQJSURFHVVLVDWWHPSWLQJWRNLOOD SURFHVVRUJURXSRISURFHVVHV )25($&+SURFHVV VSHFLILHGE\WKHSURFHVVLGHQWLILHUDUJXPHQW  WHUPLQDWHWKHSURFHVV 23(1 SURFHVVILOHBQDPH  ^`IRUHYHU\ILOHBQDPH $FFHVV5XOHV WHUPLQDWHSURFHVV  (1')25($&+ QRUPDOH[LW

&$6((/6( )25($&+SURFHVV VSHFLILHGE\WKHSURFHVVLGHQWLILHUDUJXPHQW  ,) $FFHVV5XOHV VHQGVLJQDOFXUUHQWBSURFHVVSURFHVV  <(6 7+(1 VHWDWWULEXWHV VHQGWKHVSHFLILHGVLJQDOWRWKHSURFHVV (/6( HUURUH[LW (1')25($&+ QRUPDOH[LW (/6( HUURUH[LW

‡ XQOLQN ILOHBQDPH  7KH XQOLQN V\VWHP FDOO UHPRYHV D GLUHFWRU\ HQWU\IRUDILOH,QJHQHUDODQXPEHURIGLUHFWRU\HQWULHVPD\H[LVWIRUD  5The real or effective user ID of the sending process must match the effective or saved effective user ID of the receiving process, unless the effective user ID of the sending pro- cess is super-user. Recall that we do not model super-user access controls or controls based on user IDs. 6{} denotes the empty set. 7Recall from the Interface Definition that the terminate message means that the system has terminated the process. The State Machine Model gives this request to the Policy Model for information only. It enables the Policy Model to update its information base, if necessary.

 ,QIRUPDWLRQ6HFXULW\ JLYHQILOHFUHDWHGYLDWKHOLQNV\VWHPFDOO$ILOHLVQRWGHOHWHGXQWLODOOLWV QDPHV OLQNV KDYHEHHQUHPRYHG ,) $FFHVV5XOHV VHDUFK GLUHFWRU\BQDPH>FXUUHQW GLUHFWRU\ RU GLUHFWRU\ IURPVSHFLILHGSDWKQDPH@ 7+(1 6(/(&7&$6(67$786 ILOHBQDPH &$6(67$786 ILOHBQDPH  DFWLYH WKHGLUHFWRU\VHDUFKZDVYDOLG DQGWKHILOHH[LVWV ,) XQOLQNLQJWKHILOHZLOOGHOHWHWKHILOHLWVHOI 7+(1 ,) $FFHVV5XOHV GHOHWHFXUUHQWBSURFHVVILOHBQDPH 7+(1 GHOHWHWKHILOHUHPRYHGLUHFWRU\HQWU\DQGUHWXUQILOHVSDFH WRV\VWHPSRRO  67$786 ILOHBQDPH  XQXVHG QRUPDOH[LW (/6( HUURUH[LW (/6( XQOLQNWKHILOHUHPRYHGLUHFWRU\HQWU\  QRUPDOH[LW &$6( 67$786 ILOHBQDPH   XQXVHG  WKH GLUHFWRU\ VHDUFK ZDV YDOLGDQGWKHILOHGRHVQRWH[LVW HUURUH[LW (/6( HUURUH[LW

$GGLWLRQDO UHPDUNV 7KH PRGHOHU KDV FKRLFHV WR PDNH $ IXQGDPHQWDO GHFLVLRQLVZKHWKHUWKHUXOHVRIRSHUDWLRQRIWKHVWDWHPDFKLQHPRGHOZLOO PDSRQHWRRQHWRV\VWHPFDOOVRUQRW6XFFHVVIXOPRGHOLQJFDQEHGRQH HLWKHUZD\7KHGLIIHUHQFHV EHWZHHQ WKH WZR DSSURDFKHV FDQ EH FKDUDF WHUL]HG DV WUDGHRIIV DV \RX PLJKW H[SHFW ,I WKH UXOHV RI RSHUDWLRQ DUH RQHWRRQH ZLWK WKH V\VWHP FDOOV WKH\ LQFOXGH D ZHDOWK RI GHWDLO DQG PDNHVXEVHTXHQWDVVXUDQFHHIIRUWVHDVLHU,IWKHUXOHVRIRSHUDWLRQPDS PDQ\WRRQHWRWKHV\VWHPFDOOVWKHUXOHVFDQEHVLPSOHUDQGWKHPRGHO ZLOOWKHQEHHDVLHUWRXQGHUVWDQGDQGDQDO\]H7KHPRGHOHUPXVWGHFLGH KRZWRDSSURDFKWKLVLVVXHEDVHGRQDQXQGHUVWDQGLQJRI WKH PRGHOHG FODVVRIV\VWHPVDQGWKHSXUSRVHVRIWKHPRGHOLQJ +DYLQJGHFLGHGWKHEDVLFDSSURDFKWKHPRGHOHUVKRXOGH[DPLQHHDFK RSHUDWLRQWKHV\VWHPSURYLGHVIRUSURFHVVHV,Q81,;6\VWHP9WKHVHRS HUDWLRQVDUHV\VWHPFDOOV7KHPRGHOHUVKRXOGILJXUHRXWZKDWHDFKV\V WHP FDOO GRHV WR WKH VWDWH RI WKH V\VWHP DQG ZKHWKHU LW UHODWHV WR WKH V\VWHP VVHFXULW\SROLFLHV(YHU\V\VWHPFDOOSRWHQWLDOO\KDVUHOHYDQFHWR

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  VRPHSROLF\:KDWZHPHDQKHUHDUHWKHSROLFLHVGHILQHGE\WKH5XOH6HW 0RGHO6RPHV\VWHPFDOOVKDYHQRUHOHYDQFHWRWUDGLWLRQDOPDQGDWRU\DF FHVVFRQWUROSROLF\EXWVLJQLILFDQWUHOHYDQFHWRWKH&ODUN:LOVRQ,QWHJULW\ 3ROLF\ /RRNLQJ DW WKH V\VWHP FDOOV LQ WKLV ZD\ DWWUDFWV DWWHQWLRQ WR QHHGHGFRQVWUDLQWVLQRQHRUPRUHSROLFLHVWKDWWKHPRGHOHUPLJKWRWKHU ZLVHRYHUORRN 7KHPRGHOHUVKRXOGGHFLGHLIWKHUXOHVRIRSHUDWLRQQHHGHGWRPRGHOWKH V\VWHP FDOOV H[LVW LQ WKH VWDWH PDFKLQH PRGHO ,I QRW WKH\ VKRXOG RI FRXUVHEHDGGHGWRWKHPRGHO7KHPRGHOHUDOVRVKRXOGGHILQHKRZHDFK UXOHXVHVWKHLQWHUIDFHGHILQLWLRQWRLQYRNHWKH5XOH6HW0RGHO 7KLV DSSURDFK JLYHV KLJK FRQILGHQFH WKDW D V\VWHP V LPSOHPHQWDWLRQ FRXOGFOHDUO\GHULYHIURPWKHHOHPHQWVRIWKHIRUPDOPRGHOLQVWHDGRIDG GLWLRQDOO\GHSHQGLQJRQPDQ\GHVLJQDQGSROLF\GHFLVLRQVQRWDGGUHVVHG LQWKHPRGHO

5XOH6HW0RGHO7KLVVHFWLRQGHVFULEHVD5XOH6HW0RGHOIRUDWUXVWHG FRPSXWHUV\VWHPWKDWLPSOHPHQWVWKHIROORZLQJIRXUSROLFLHV

‡ DPDQGDWRU\DFFHVVFRQWURO 0$& SROLF\ ‡ D&ODUN:LOVRQLQWHJULW\ &:, SROLF\ ‡ DIXQFWLRQDOFRQWURO )& SROLF\ ‡ DVHFXULW\LQIRUPDWLRQPRGLILFDWLRQ 6,0 SROLF\

7KH0$&SROLF\UHSUHVHQWVWKH0$&SROLF\RI$PHULFDQ7HOHSKRQHDQG 7HOHJUDSK V $7 7 6\VWHP90/65HOHDVH7KLVV\VWHPUHFHLYHG D % UDWLQJ IURP WKH 1DWLRQDO &RPSXWHU 6HFXULW\ &HQWHU LQ  7KH 0$&SROLF\VKRZVWKHWUDGLWLRQDOVHFXULW\SROLF\IRUDWUXVWHGFRPSXWHU V\VWHP,WVLQFOXVLRQVKRZVWKDWRWKHUSROLFLHVFDQEHLQWHJUDWHGZLWKWKH WUDGLWLRQDOQRQGLVFORVXUHVHFXULW\UHTXLUHPHQWV7KLVSROLF\XVHVDODWWLFH RI VHFXULW\ OHYHOV DV WKH EDVLV IRU LWV DFFHVV GHFLVLRQV 7KH &:, SROLF\ SURYLGHVFRQWURORYHUPRGLILFDWLRQRILQIRUPDWLRQE\UHJXODWLQJWKHWUDQV DFWLRQVWKDWXVHUVFDQDSSO\WRILOHVRILQIRUPDWLRQ7KLVSROLF\HPSOR\V UROHV DQG W\SHV DQG H[HFXWHFRQWURO OLVWV WKH &ODUN:LOVRQ WULSOHV  ,WV LQFOXVLRQ VKRZV KRZ WKH FRPPHUFLDO GDWD SURFHVVLQJ UHTXLUHPHQWV GH VFULEHG E\ &ODUN DQG :LOVRQ &/$5  FDQ EH PRGHOHG DQG LQWHJUDWHG ZLWKWKH0$&SROLF\IRUD81,;V\VWHP7KHIXQFWLRQDOFRQWURO )& SROLF\ LPSOHPHQWVDJHQHUDOUROHDQGW\SHSROLF\LQWHUPVRIV\VWHPUROHVRIXV HUVDQGFDWHJRULHVRIREMHFWV7KLVSROLF\DOORZVWKHUROHVV\VWHPDGPLQ  8The evaluated product was System V/MLS, Version 1.1.2, running with UNIX System V Release 3.1.1 on the AT&T 3B2/500 or AT&T 3B2/600 minicomputers. Through the rating maintenance program (RAMP) of the NCSC, the rating was extended in Septem- ber, 1990 to System V/MLS Release 1.2.0 and 630/MLS Release 1.2.0 running with UNIX System V Release 3.1.1 on the AT&T 3b2/500 and AT&T3B2/600 minicomputers and the AT&T 630 MTG terminal.

 ,QIRUPDWLRQ6HFXULW\ LVWUDWRUVHFXULW\RIILFHUDQGXVHUDQGKDVWKHFDWHJRULHVJHQHUDOVHFX ULW\ DQG V\VWHP 7KH VHFXULW\ LQIRUPDWLRQ PRGLILFDWLRQ 6,0  SROLF\ LV EDVHGRQW\SHVRIV\VWHPGDWDDQGV\VWHPUROHVRIXVHUV7KLVSROLF\DO ORZVRQO\WKHVHFXULW\RIILFHUWRFKDQJHWKHV\VWHP VVHFXULW\LQIRUPDWLRQ 7KLV HVVD\ IRFXVHV PDLQO\ RQ WKH 0$& DQG &:, SROLFLHV EXW LQFOXGHV WKH )& DQG 6,0 SROLFLHV IRU FRPSOHWHQHVV $ XVHIXO WUXVWHG FRPSXWHU V\VWHPPXVWSURYLGHWKHNLQGVRIDFFHVVFRQWUROGHILQHGE\)&DQG6,0 EXWIRUPDOPRGHOVW\SLFDOO\KDYHQRWLQFOXGHGVXFKSROLFLHV ,ZLOOSUHVHQWWKHIRXUSROLFLHVRIWKLVPRGHOLQGHWDLOLQWKLVVHFWLRQ%XW , ZLOO QRW JLYH FRPSOHWH SROLFLHV EHFDXVH WKH SXUSRVH LV WR GHVFULEH WKH DSSURDFKQRWWRSURYLGHDFRPSOHWHIRUPDOPRGHO%HIRUHGHVFULELQJWKH SROLFLHVPRGHOHGLQWKLVHVVD\ZHQHHGWRDGGUHVVWKHLVVXHRIZK\WKH 5XOH 6HW 0RGHO GRHV QRW LQFOXGH WKH GLVFUHWLRQDU\ DFFHVV FRQWURO '$& DQGLGHQWLW\EDVHGDFFHVVFRQWURO ,%$& RI81,;6\VWHP9

6\VWHP9'$&DQG,%$&81,;6\VWHP9FRQWUROVDFFHVVWRUHVRXUFHV WKURXJK LWV 'LVFUHWLRQDU\ $FFHVV &RQWURO '$&  DQG ,GHQWLW\%DVHG $F FHVV&RQWURO ,%$& 7KH'$&FDSDELOLW\VXSSRUWVWKHDELOLW\ RI WKH V\V WHP DQG LWV XVHUV WR GHFLGH ZKR PD\ DFFHVV WKH ILOHV WKH\ RZQ DQG LQ ZKDW PDQQHU ,W XVHV WKH IDPLOLDU UHDG ZULWH DQG H[HFXWH SULYLOHJHV :KDWWKHNHUQHOHQVXUHVLVWKDWWKHSHUPLVVLRQVGHILQHGE\WKHXVHUVDQG WKH V\VWHP ZLOO EH HQIRUFHG %XW LQ DGGLWLRQ WKH NHUQHO LQFRUSRUDWHV D QRQGLVFUHWLRQDU\ SROLF\ EDVHG RQ VXSHUXVHU SULYLOHJHV DQG WKH VHYHUDO W\SHVRIXVHULGHQWLILHUV UHDOHIIHFWLYHVDYHG WKDWLWXVHV7KLVLGHQWLW\ EDVHG DFFHVV FRQWURO ,%$&  SROLF\ DQG WKH XVHUGHILQHG '$& SROLF\ DUH WKHDFFHVVFRQWURORI81,;6\VWHP9 2XUPRGHOLQFOXGHVQHLWKHURIWKHVHSROLFLHV7KH,%$&SROLF\RI81,; LVW\SLFDOO\QRWPRGHOHGDOWKRXJKLWLVWKHNLQGRISROLF\WKDWVKRXOGEHRI LQWHUHVW WR WKH PRGHOHU $ PRUH HODERUDWH ,%$& SROLF\ FDQ UHSODFH WKH 81,;VXSHUXVHUDSSURDFKLQWUXVWHGFRPSXWHUV\VWHPVWRSURYLGHEHWWHU VHSDUDWLRQ RI GXW\ ,QVWHDG RI PRGHOLQJ WKH VXSHUXVHUEDVHG ,%$& RI 81,;WKLV5XOH6HW0RGHOKDVDIXQFWLRQDOFRQWUROSROLF\ZKLFKKDVEHW WHUVHSDUDWLRQRIGXW\DQGLVDOVRIDUOHVVFRPSOLFDWHGWKDQWKH,%$&RI 81,; )RUPDOPRGHOVRIWHQGRLQFOXGHWKH'$&SROLF\7KLVIRUPDOPRGHOGRHV QRWEHFDXVHLQVKRUWLWLVQRWDQLQWHUHVWLQJSROLF\,WVKRXOGFHUWDLQO\EH LQFOXGHGLQWKHVWDWHPDFKLQHUHSUHVHQWDWLRQRID81,;V\VWHPDVVXP LQJLWVOHYHORIGHWDLOLVDSSURSULDWHWRWKHPRGHO%XWLWUHDOO\GRHVQ WEH ORQJLQWKH5XOH6HW0RGHOEHFDXVH'$&LVQRWDSROLF\WKHV\VWHPFDQ HQIRUFH '$&LVDPHFKDQLVPE\ZKLFKXVHUVDWWHPSWWRLPSRVHWKHLU RZQVKDULQJSROLF\RQWKHUHVRXUFHVWKH\RZQ%XWWKHUH VQRDVVXUDQFH WKDW WKH\ ZLOO VXFFHHG )RU H[DPSOH D Trojan Horse FDQ HDVLO\ GHIHDW D XVHU V QRQGLVFORVXUH REMHFWLYHV VLQFH WKH '$& PHFKDQLVP SURYLGHV QR  9Note that the system in this context is System V, not System V/MLS. AT&T's System V/MLS additionally incorporates the mandatory access control (MAC) policy.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  ZD\IRUDXVHUWRSURKLELWFRS\LQJDILOHKHKDVDOORZHGWR EH UHDG 1RU GRHVWKH'$&PHFKDQLVPDGHTXDWHO\VXSSRUWLQWHJULW\REMHFWLYHVEHFDXVH LWSURYLGHVQRZD\IRUDXVHUWRVSHFLI\KRZRWKHUVPLJKWPRGLI\REMHFWV WKDWKHRZQV,QVXPPDU\WKH'$&PHFKDQLVPGRHVQRWVWURQJO\VXS SRUW DQ\ NQRZQ ZHOO FRQFHLYHG SROLF\ REMHFWLYH WKDW XVHUV DUH OLNHO\ WR KDYHDQLQWHUHVWLQ ,QWKLVIRUPDOPRGHOZHDVVXPHWKDWDIDYRUDEOH'$&FKHFNZKHQDS SURSULDWH SUHFHGHV HDFK LQYRFDWLRQ RI WKH 5XOH 6HW 0RGHO E\ WKH 6WDWH 0DFKLQH0RGHO$Q\RIWKHIRXUSROLFLHVZHKDYHLQFOXGHGLQWKH5XOH6HW 0RGHOFDQRYHUULGHDIDYRUDEOH'$&GHFLVLRQ

$FFHVV&RQWURO,QIRUPDWLRQ7RVXSSRUWWKHSROLFLHVGHVFULEHGKHUHLQWKH IROORZLQJ DWWULEXWHV LQ WKUHH JURXSV RI DFFHVV FRQWURO LQIRUPDWLRQ $&,  DUHQHHGHG(DFKDWWULEXWHVKRZQKHUHLVH[SODLQHGLQRQHRIWKHSROLF\ GHVFULSWLRQVWKDWIROORZ

86(5$&, 9$/8(6 XVHULGHQWLILHU &:, DXVHULGHQWLILHU DFFHVVDSSURYDOV 0$& DVHFXULW\OHYHO V\VWHPUROH )& 6,0 XVHUVHFXULW\RIILFHURUDGPLQLVWUDWRU LQWHJULW\UROH &:, 1,/73XVHU73PDQDJHU,93XVHURU,93 PDQDJHU

352&(66$&, 9$/8(6 RZQHU SRLQWHU WR 86(5 ³ $&, VHFXULW\OHYHO DVHFXULW\OHYHO SURFHVVLGHQWLILHU DSURFHVVLGHQWLILHU SURFHVVW\SH 1,/73,93RU73,&'

2%-(&7$&, 9$/8(6 VHFXULW\OHYHO 0$& DVHFXULW\OHYHO REMHFWLGHQWLILHU &:, DQREMHFWLGHQWLILHU REMHFWFDWHJRU\ )& JHQHUDOVHFXULW\RUV\VWHP REMHFWW\SH 0$& ILOHGLUHFWRU\LSFRUVFG SURJUDPW\SH &:, 1,/73,93RU73,&' GDWDW\SH 6,0 &:, 1,/&',&',,&RUVL

 ,QIRUPDWLRQ6HFXULW\ 0DQGDWRU\DFFHVVFRQWUROSROLF\0DQGDWRU\DFFHVVFRQWUROLVEDVHGRQ VHFXULW\OHYHOVRIWKHSURFHVVHVXVHUVDQGREMHFWVRIWKHV\VWHPDQGWKH UHTXHVWRIWKHSURFHVV7KLVSROLF\DIIHFWV

‡ DFFHVVRISURFHVVHVWRREMHFWV IRUH[DPSOHUHDGLQJZULWLQJDQG GHOHWLQJILOHVGLUHFWRULHVDQGPHVVDJHTXHXHV ‡ RWKHUDVSHFWVRISURFHVVLQJ IRUH[DPSOHVSDZQLQJDFKLOGSURF HVVDQGVHQGLQJDVLJQDOWRDQRWKHUSURFHVV

7KH SROLF\ GHVFULEHG KHUH UHSUHVHQWV WKH 0$& SROLF\ RI 81,; 6\VWHP 90/65HOHDVH )/,1 DQGXVHVWKHW\SHVRIREMHFWVGHILQHGIRU WKDWLPSOHPHQWDWLRQ6\VWHP90/6LVDPXOWLXVHUPXOWLWDVNLQJRSHU DWLQJV\VWHPWKDWPDLQWDLQV81,;6\VWHP9DSSOLFDWLRQFRPSDWLELOLW\,Q DGGLWLRQWRXVLQJWKHWUDGLWLRQDOSURWHFWLRQPHFKDQLVPVRIWKH81,;RS HUDWLQJV\VWHPWRSURYLGH'$&6\VWHP90/6SURYLGHV0$&WROLPLWWKH GLVWULEXWLRQ RI LQIRUPDWLRQ WR DXWKRUL]HG XVHUV 7KH 0$& SROLF\ LV FRQ VLVWHQWZLWKWKH%HOO/D3DGXODPRGHO 1&6& DQGVDWLVILHV'2'SROLF\ %DVLFDOO\ WKH 0$& SROLF\ GHSHQGV RQ WKH VHFXULW\OHYHO DWWULEXWH RI SURFHVVHVDQGREMHFWVDQGRQWKHREMHFWW\SHDWWULEXWHRIREMHFWV 7KHREMHFWW\SHYDOXHVGHILQHGIRUWKLVSROLF\DUHILOHGLUHFWRU\LSF DQG VFG ILOH DQG GLUHFWRU\ KDYH WKHLU REYLRXV 81,; PHDQLQJV LSF PHDQV LQWHUSURFHVV FRPPXQLFDWLRQ WKH PHVVDJH TXHXH DQG VKDUHG PHPRU\LQ81,;PDSWRWKLVW\SHVFGPHDQVV\VWHPFRQWUROGDWDWKH LQRGHLQ81,;PDSVWRWKLVW\SH*HQHUDOO\V\VWHPFRQWUROGDWDUHIHUVWR GDWDWKHV\VWHPXVHVWRFRQWUROLWVRSHUDWLRQV ,QWKHQH[WVHYHUDOWDEOHVWKHOHWWHU3VWDQGVIRUWKHVHFXULW\OHYHORI WKHSURFHVVPDNLQJWKHUHTXHVWIRUDFFHVVWKHOHWWHU2VWDQGV IRU WKH VHFXULW\OHYHORIWKHUHIHUHQFHGREMHFW! LQGLFDWHVWKHXVXDOGRPLQDWHV UHODWLRQEHWZHHQOHYHOVDQG LQGLFDWHVHTXDOLW\EHWZHHQOHYHOV 7DEOHWKURXJKGHILQHUHVSHFWLYHO\WKHSROLFLHVIRUFRQWUROOLQJ DF FHVVRIDSURFHVVWRDQREMHFWRIW\SHVILOHGLUHFWRU\WSFDQGVFG

 10We could model additional types as well. We might, for example, wish to include a type "communications-device", realized as a socket in some UNIX systems, if we wanted to have intercomputer communiations reflected in our model.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  7DEOH0$&SROLF\IRUREMHFWVRIW\SHILOH

,IWKHUHTXHVWLV WKHQDFFHVVLVDOORZHGLI FUHDWH 2LVVHWHTXDOWR3 GHOHWH 3 2 GHOHWHGDWD 3 2 H[HFXWH 3! 2 UHDG QRFRQGLWLRQ UHDGRSHQ 3! 2 UHDG ZULWHRSHQ 3 2 ZULWH QRFRQGLWLRQ VHHIRRWQRWHIRUUHDGDERYH ZULWHRSHQ 3 2

7DEOH0$&SROLF\IRUREMHFWVRIW\SHGLUHFWRU\

,IWKHUHTXHVWLV WKHQDFFHVVLVDOORZHGLI FUHDWH 2LVVHWHTXDOWR3 GHOHWH 3 2 UHDG 3! 2 VHDUFK 3! 2 ZULWH 3 2

 11A distinction is made between read and read-open and between write and write-open in this model. Read-open (write-open) enables the process to read (write) the object, read (write) actually transfers data from (to) the open object into (from) the memory space of the process. The MAC policy for controlling read (write) access applies at the read-open (write-open) and no MAC policy applies to the transfer of the data. Other models can be conceived in which a floating label policy for the security level of the object might be applied when a read or write (an actual transfer of data) occurs, similar to the floating information label policy of the CMW model (MILL90). 12"Write" to a directory includes addition, modification, and deletion of entries in the di- rectory.

 ,QIRUPDWLRQ6HFXULW\ 7DEOH0$&SROLF\IRUREMHFWVRIW\SHLSF

,IWKHUHTXHVWLV WKHQDFFHVVLVDOORZHGLI DOWHU 3 2 FUHDWH 2LVVHWHTXDOWR3 GHOHWH 3 2 UHDG QRFRQGLWLRQ UHDG ZULWHRSHQ 3 2 ZULWH QRFRQGLWLRQ

7DEOH0$&SROLF\IRUREMHFWVRIW\SHVFG

,IWKHUHTXHVWLV WKHQDFFHVVLVDOORZHGLI FKDQJHRZQHU 3 2 FUHDWH 2LVVHWHTXDOWR3 GHOHWH 3 2 JHWSHUPLVVLRQVGDWD 3! 2 JHWVWDWXVGDWD 3! 2 PRGLI\DFFHVVGDWD 3 2 PRGLI\SHUPLVVLRQVGDWD 3 2

7KH UHTXHVWV JHWSHUPLVVLRQVGDWD DQG JHWVWDWXVGDWD FRXOG EH PRG HOHGDVXQGLVWLQJXLVKHGUHDGVRIWKHV\VWHPFRQWUROGDWD6LPLODUO\WKH FKDQJHRZQHU PRGLI\DFFHVVGDWD DQG PRGLI\SHUPLVVLRQVGDWD FRXOG EH PRGHOHG DV XQGLVWLQJXLVKHG ZULWHV ,Q WKLV PRGHO WKH VHSDUDWH UH TXHVWVKDYHEHHQXVHGWRLOOXVWUDWHWKHSRVVLELOLW\RIPDNLQJDFFHVVFRQ WURO GHFLVLRQV RQ WKH EDVLV RI WKH GLVWLQFWLRQV UHSUHVHQWHG E\ WKHVH UHTXHVWV

7DEOHGHILQHVWKH0$&SROLF\JRYHUQLQJSURFHVVPDQDJHPHQW

7DEOH0$&SROLF\IRUSURFHVVPDQDJHPHQW

,IWKHUHTXHVWLV WKHQDFFHVVLVDOORZHGLI FORQH 3LVVHWHTXDOWR3 VHQGVLJQDO 3 3

 13The distinction between read and read-open and between write and write-open for files applies also to ipc objects in this model.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  &ODUN:LOVRQLQWHJULW\SROLF\7KHLQWHJULW\SROLF\FRPHVGLUHFWO\IURPWKH &ODUN:LOVRQ,QWHJULW\ &:, SROLF\ &/$5 ,KDYHDWWHPSWHGWRPRGHO WKHLUSROLF\LQDVVWUDLJKWIRUZDUGDPDQQHUDVSRVVLEOHXVLQJWKHLUFRQ FHSWVWHUPLQRORJ\DQGSRLQWRIYLHZDVOLWHUDOO\DVSRVVLEOH,QDGGLWLRQ, KDYHLQFOXGHGWKHDQFLOODU\SROLF\WKDWDSSHDUVWRPHQHFHVVDU\WRVXS SRUW WKHLU LQWHQWLRQV )RU WKH FRQYHQLHQFH RI WKH UHDGHU D VXPPDU\ RI WKH&ODUN:LOVRQPRGHO VFHUWLILFDWLRQDQGHQIRUFHPHQWUXOHV LV JLYHQ LQ $SSHQGL[%%XWWKHUHDGHULVHQFRXUDJHGWRUHDGWKHLUSDSHU &/$5 IRU DQ XQGHUVWDQGLQJ RI WKHLU PRWLYDWLRQ DQG D JUHDWHU DSSUHFLDWLRQ RI WKHLUPRGHO 7KH &:, SROLF\ SURYLGHV IRU ERWK H[WHUQDO DQG LQWHUQDO FRQVLVWHQF\ RI GDWD0HDVXUHVIRUH[WHUQDOFRQVLVWHQF\VXFKDVWKHLU,QWHJULW\9HULILFD WLRQ3URFHGXUHV ,93V HQVXUHWKDWWKHGDWDVWRUHGLQWKHFRPSXWHUV\V WHP FRUUHFWO\ PRGHOV WKH VWDWH RI WKH UHDOZRUOG V\VWHPV LW UHODWHV WR 0HDVXUHV IRU LQWHUQDO FRQVLVWHQF\ HQVXUH WKDW PRGLILFDWLRQ RI GDWD UH VXOWV LQ D YDOLG VWDWH $QG VRPH &:, UXOHV GHDO ZLWK WKH UHODWLRQVKLS EHWZHHQWKHLQWHUQDODQGH[WHUQDOFRQVLVWHQF\RIGDWD7KHLQWHJULW\FRQ WUROSROLF\LQWKLVPRGHOIRFXVHVRQWKHUXOHVIRULQWHUQDOFRQVLVWHQF\DQG DOVRVXSSRUWVWKHFDSDELOLW\WRHQVXUHH[WHUQDOFRQVLVWHQF\6RPHRIWKH &:,UXOHVWKDWGHDOZLWKH[WHUQDOFRQVLVWHQF\DUHQDWXUDOO\QRWUHIOHFWHG LQWKLVLQWHUQDOV\VWHPPRGHO

,QWHJULW\FRQWUROLQWKHPRGHOLVEDVHGRQ

‡ LQWHJULW\FRQWUROOHG SURJUDPV FDOOHG 7UDQVIRUPDWLRQ 3URFHGXUHV 73V DQG,QWHJULW\9HULILFDWLRQ3URFHGXUHV ,93V ‡ LQWHJULW\FRQWUROOHGREMHFWVFDOOHG&RQVWUDLQHG'DWD,WHPV &',V ‡ XVHU SHUPLVVLRQV WR DSSO\ FHUWDLQ 73V WR VSHFLILHG &',V DQG SHU PLVVLRQWRDSSO\DQ,93WRD&',

8VHUVDQGREMHFWVLQWKHFRPSXWHUV\VWHPKDYHWKHIROORZLQJDWWULEXWHV WRVXSSRUWLQWHJULW\FRQWURO

‡ 7KHREMHFWDWWULEXWHSURJUDPW\SHPD\KDYHWKHIROORZLQJYDOXHV

73 PHDQVWKDWWKHREMHFWLVD&:,73 ,93 PHDQVWKDWWKHREMHFWLVD&:,,93 73,&' PHDQV WKDW WKH REMHFW LV D VSHFLDO 73 WKDW RSHUDWHVRQ&:,LQWHJULW\FRQWUROGDWD 1,/ PHDQV WKDW WKH REMHFW LV QRW DQ LQWHJULW\ FRQWUROOHGREMHFW

 14NIL has its obvious meaning -- nothing -- which, in this context amounts to saying that the object is not any of the other types defined. The attribute "program-type" could be

 ,QIRUPDWLRQ6HFXULW\ 7KHXVHRIWKHVHDWWULEXWHYDOXHVIRUFRQWUROOLQJH[HFXWLRQRILQWHJ ULW\UHODWHGSURJUDPVLVGLVFXVVHGODWHU

‡ 7KHREMHFWDWWULEXWHGDWDW\SHPD\KDYHWKHIROORZLQJYDOXHV

&', PHDQVWKDWWKHREMHFWLVD&:,&', &',,& PHDQVWKDWWKHREMHFWLVD&:,&',WKDWLV XVHGIRULQWHJULW\FRQWURO 1,/ PHDQV WKDW WKH GDWD LV QRW LQWHJULW\ FRQWUROOHG WKDW LV LQ WKH WHUPLQRORJ\ RI &ODUN DQG :LOVRQ LW LV DQ 8QFRQVWUDLQHG 'DWD,WHP 8', 

‡ 7KHXVHUDWWULEXWHLQWHJULW\UROHPD\KDYHWKHIROORZLQJYDOXHV

73XVHU PHDQVWKDWWKHXVHULVDXWKRUL]HGWR H[HFXWH 7UDQVIRUPDWLRQ 3URFHGXUHV 73V 73PDQDJHU PHDQVWKDWWKHXVHULVDXWKRUL]HGWR PDQDJH FUHDWH GHOHWH DQG PRGLI\ FHUWDLQ LQWHJULW\ REMHFWV VSHFLILHG EHORZ ,93XVHU PHDQVWKDWWKHXVHULVDXWKRUL]HGWR H[HFXWH ,QWHJULW\ 9HULILFDWLRQ 3URFH GXUHV ,93V ,93PDQDJHU PHDQVWKDWWKHXVHULVDXWKRUL]HGWR PDQDJH,93VDVVSHFLILHGEHORZ 1,/ PHDQVWKDWWKHXVHUKDVQRLQWHJULW\ UROH

‡ 7KHDXWKRUL]DWLRQVRIDXVHUZLWKDQLQWHJULW\UROHDUHGHVFULEHGLQ 7DEOH

 used for other policies as well, in which case other values might be defined for it. In this model, this attribute is used only for enforcing the integrity policy. 15An example is the User-Transformation Procedures Associations (UTPA) table of this model, described subsequently.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  7DEOH&:,3ROLF\IRU([HFXWH&UHDWH'HOHWHDQG0RGLI\

8VHULQ PD\ PD\FUHDWHRU PD\ LQWHJULW\UROH H[HFXWH GHOHWH PRGLI\ 73XVHU 73V 73PDQDJHU 73,&' 73V &',,& 73,&'V &',,&V ,93XVHU ,93V ,93PDQDJHU ,93V&',V

&ODUNDQG:LOVRQUHTXLUHWKDWWKHV\VWHP´PDLQWDLQDOLVWRIUHODWLRQVRI WKH IRUP 8VHU,' 73L &',D &',E &',F   ZKLFK UHODWHV D XVHU D 73DQGWKHGDWDREMHFWVWKDW73PD\UHIHUHQFH RQ EHKDOI RI WKDW XVHU )XUWKHU WKH V\VWHP PXVW HQVXUH WKDW RQO\ H[HFXWLRQV GHVFULEHG LQ RQH RI WKH UHODWLRQV DUH SHUIRUPHG 7KLV PRGHO XVHV D 8VHU 7UDQVIRUPDWLRQ 3URFHGXUHV $VVRFLDWLRQV 873$  WDEOH WR FDSWXUH WKH &ODUN:LOVRQ WULSOHV (DFK HQWU\ LQ WKH WDEOH LV DQ RUGHUHG WULSOH RI WKH IRUP

XVHULGHQWLILHU73OLVWRI&',V

1RFRQVWUDLQWLVSXWRQPRGHVRURUGHURIDFFHVVVLQFH&ODUNDQG:LO VRQGRQRWUHTXLUHLWDOWKRXJKRQHFDQFRQFHLYHDV\VWHPLQZKLFKVXFK FRQVWUDLQWVZRXOGVHUYHDXVHIXOSXUSRVH6WLOORWKHUSROLFLHVLQWKHV\V WHPPD\FRQVWUDLQWKH73ZLWKUHVSHFWWRPRGHRIDFFHVV)RUH[DPSOH ZKHQD73DWWHPSWVWRRSHQD&',IRUZULWLQJWKH73PXVWEHDOORZHGWR ZULWHWKH&',E\WKH0$&SROLF\RIWKHV\VWHP 7KH873$VDWLVILHVWKH&:,UHTXLUHPHQWWRPDLQWDLQDOLVWRIUHODWLRQV 2QH FDQ LPDJLQH PDQ\ GHVLJQV IRU HQVXULQJ WKDW RQO\ H[HFXWLRQV GH VFULEHGLQWKH873$DUHSHUIRUPHG)RUH[DPSOHZHFRXOGGHILQHDQHZ V\VWHP FDOO VD\ DSSO\ 73OLVWBRIB&',V  DSSO\ ZRXOG EH OLNH WKH H[HF V\VWHPFDOOEXWKDYLQJWKHDGGLWLRQDOVHFRQGDUJXPHQW7KLVDUJXPHQW VKRZV ZKLFK &',V WKH UHTXHVWLQJ SURFHVV ZLVKHV WKH 73 WR RSHUDWH RQ 7KHNHUQHOZRXOGSDVVWKHDUJXPHQWVRIWKLVV\VWHPFDOOWRWKHUXOHVHW 7KHUXOHVHWZRXOGFKHFNWKH873$WRVHHLIWKHOLVWRI&',VZDVYDOLGIRU WKH RZQHU RI WKH UHTXHVWLQJ SURFHVV 7KH GLIILFXOW\ LV WKDW WKH HQIRUFH PHQW SURYLGHG E\ WKLV DSSURDFK LV ZHDN /DFNLQJ DQ\ RWKHU DFFHVV FKHFNVWKH73FRXOGDFFHVVVRPH&',IRUZKLFKWKHXVHULVQRWDXWKRU L]HG2QHPD\DUJXHWKDWWKH73KDVEHHQFHUWLILHGWRRSHUDWHFRUUHFWO\VR WKDWLWVKRXOGRQO\FDUU\RXWFRUUHFWSURFHGXUHV7KLVZRXOGSRVVLEO\EH DFFHSWDEOHLIDOOFRUUHFWDQGDXWKRUL]HGH[HFXWLRQVZHUHEXLOWLQWRWKH73 DQGFHUWLILHG&ODUNDQG:LOVRQVXJJHVWKRZHYHUWKDWDQLPSRUWDQW UHVHDUFKJRDOPXVWEHWRVKLIWDVPXFKRIWKHVHFXULW\EXUGHQDVSRVVLEOH IURPFHUWLILFDWLRQWRHQIRUFHPHQWVLQFHWKHFHUWLILFDWLRQSURFHVV

 ,QIRUPDWLRQ6HFXULW\ LV FRPSOH[ SURQH WR HUURU DQG PXVW EH UHSHDWHG DIWHU HDFK SURJUDP FKDQJH$OVRXVLQJDSSO\HIIHFWLYHO\UXOHVRXWLQWHUDFWLRQEHWZHHQWKH XVHUDQGWKH73,GHDOO\WKHXVHUVKRXOGEHDEOHWRSURYLGHLQSXWDUJX PHQWVVSHFLI\LQJZKLFK&',VWRRSHUDWHRQ 7KHUHIRUHLQWKLVPRGHORI&:,WKHLQLWLDOUHTXHVWRIWKHSURFHVVLVRQO\ D UHTXHVW WR RSHUDWH WKH 73 ,Q WKH 81,; HQYLURQPHQW WKLV LV DQ H[HF V\VWHPFDOOLQZKLFKWKHSURFHVVQDPHVWKHREMHFWWRH[HFXWH:KHQWKH QDPHGREMHFWLVD73LWVSURJUDPW\SHDWWULEXWHKDVWKHYDOXH73:KHQ WKH73 VXEVHTXHQWO\ PDNHV UHTXHVWV IRU DFFHVV WR &',V WKRVH UHTXHVWV DUHDGMXGLFDWHGE\WKHUXOHVHWLQWKHXVXDOPDQQHU,QDGGLWLRQWKHUXOH VHWNHHSVDUHFRUGRIWKH&',VEHLQJDFFHVVHGHQVXULQJDWHDFKUHTXHVW WKDWWKHUHTXHVWHGDFFHVVLVDOORZHGE\RQHRIWKHWULSOHVGHILQHGLQWKH 873$ 7KLV LGHD QHHGV IXUWKHU HODERUDWLRQ SURYLGHG LQ WKH IROORZLQJ SDUDJUDSKV :KHQDSURFHVVH[HFXWHVD73RQHRIWKHUXOHVIRULQWHJULW\FRQWUROZLOO DGGWKHSURFHVVLGHQWLILHURIWKHSURFHVVWRDOOWULSOHVLQWKH873$KDYLQJ WKHXVHULGHQWLILHURIWKHRZQHURIWKHSURFHVVDQGVSHFLI\LQJWKHQDPHG 737KLVPDUNVDOOFDQGLGDWHH[HFXWLRQVRIWKHQDPHG73E\WKLVSURFHVV 1RWHWKDWWKHVDPHXVHUPD\DOUHDG\KDYHRWKHUH[HFXWLRQVRIWKLV73LQ SURJUHVV:KHQWKH73 QRZDSURFHVVKDYLQJWKHSURFHVVLGHQWLILHURIWKH SURFHVV WKDW H[HFXWHG LW  DWWHPSWV WR DFFHVV DQ REMHFW WKDW LV D &', RQHRIWKHLQWHJULW\FRQWUROUXOHVZLOOUHPRYHWKHSURFHVVLGHQWLILHURIWKH SURFHVVIURPDOOWULSOHVLQWKH873$FXUUHQWO\PDUNHGZLWKWKLVSURFHVV LGHQWLILHU EXW QRW KDYLQJ WKH QDPHG &', OLVWHG 7KLV UHGXFHV WKH VHW RI FDQGLGDWHH[HFXWLRQVRIWKHQDPHG73E\WKLVSURFHVV,IDIWHUWDNLQJWKLV DFWLRQ WKHUH DUH QR HQWULHV LQ WKH 873$ PDUNHG ZLWK WKLV SURFHVV LGHQWLILHU WKHQ WKH DWWHPSWHG DFFHVV E\ WKH 73 RQ EHKDOI RI WKH XVHU LV QRWYDOLGDQGWKHUHTXHVWZLOOEHGHQLHG7KHQH[WVHTXHQFHRIWDEOHVLO OXVWUDWHVWKLVPHWKRG

6XSSRVHXVHU$LVDOORZHGWRDSSO\73LQDQ\RIWKHIROORZLQJ ZD\V

‡ WR&',VDQG ‡ WR&',VDQGRU ‡ WR&',VDQG

7KLVLVLOOXVWUDWHGLQ7DEOHWKHXVHUWUDQVIRUPDWLRQSURFHGXUHVDVVR FLDWLRQV 873$ WDEOH

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  7DEOH8VHU7UDQVIRUPDWLRQ3URFHGXUHV$VVRFLDWLRQV 873$

XVHU 73 &',V SURFHVVHV

XVHU$ 73 &',&', XVHU$ 73 &',&', XVHU$ 73 &',&',    XVHU= HWF HWF

6XSSRVHDSURFHVVKDYLQJSURFHVVLGHQWLILHU3,' UHTXHVWV H[HFXWLRQ RI 73RQEHKDOIRIXVHU$$VVXPLQJWKHUHTXHVWHGDFWLRQLVDXWKRUL]HGWKH 873$WDEOHLVPDUNHGDVIROORZV

XVHU$ 73 &',&', 3,' XVHU$ 73 &',&', 3,' XVHU$ 73 &',&', 3,'

7KHSURFHVVLVQRZNQRZQDVD73W\SHSURFHVV,IWKHSURFHVVUHTXHVWV DFFHVVWR&',WKHWDEOHLVPRGLILHGZLWKWKHIROORZLQJUHVXOW

XVHU$ 73 &',&', 3,' XVHU$ 73 &',&', XVHU$ 73 &',&', 3,'

,IWKHSURFHVVQRZUHTXHVWVDFFHVVWR&',WKHWDEOHLVPRGLILHGZLWK WKHIROORZLQJUHVXOW

XVHU$ 73 &',&', XVHU$ 73 &',&', XVHU$ 73 &',&', 3,'

,IWKHSURFHVVQRZUHTXHVWVDFFHVVWR&',WKHUHTXHVWLVLQYDOLG

7KLVDSSURDFKWRHQIRUFLQJWKH&ODUN:LOVRQWULSOHVKDVWKHDGYDQWDJH WKDWLWGRHVQRWUHTXLUHDQHZV\VWHPFDOORUGDWDVWUXFWXUHLQWKH81,; HQYLURQPHQW 7KH VFKHPH MXVW RXWOLQHG GHVFULEHV WKH VLWXDWLRQ ZKHQ D SURFHVVH[HFXWHVMXVWDVLQJOH737KHLQWHJULW\SROLF\PXVWDOVRFRYHUWKH FDVHV ZKHUH D 73W\SH SURFHVV DWWHPSWV WR H[HFXWH DQRWKHU ILOH 81,; H[HF RUDWWHPSWVWRFORQHLWVHOI 81,;IRUN  ,ID73W\SHSURFHVVZHUHWRIRUNDFKLOGWKHFKLOGZRXOGEHLGHQWLFDOWR WKHSDUHQWZLWKUHVSHFWWRH[HFXWDEOHFRGHDQGRSHQILOHV HJWKH&',V EHLQJZRUNHGRQ +RZHYHULWPDNHVQRVHQVHIRUD73W\SHFKLOGWRFRQ WLQXH SURFHVVLQJ ZLWK WKH H[HFXWDEOH FRGH RI LWV SDUHQW VLQFH WR GR VR

 ,QIRUPDWLRQ6HFXULW\ ZRXOG UHTXLUH XQZDUUDQWHG FRPSOH[ FRRUGLQDWLRQ EHWZHHQ SDUHQW DQG FKLOGWRSUHVHUYHLQWHJULW\,WUHDOO\RQO\PDNHVVHQVHWRFRQVLGHUWKHFDVH WKDWWKHFKLOGH[HFXWHVQHZFRGHWKDWLVDQHZ73$OORZLQJD73W\SH SURFHVVWRVSDZQDQRWKHU73W\SHSURFHVVLQWKLVZD\DGGVWRWKHFRP SOH[LW\RIWKHFHUWLILFDWLRQRIWKHRULJLQDO73FRGHEXWDGGVQRIXQFWLRQDO FDSDELOLW\ $FFRUGLQJ WR &ODUN DQG :LOVRQ WKH FHUWLILFDWLRQ WDVN VKRXOG EHNHSWDVVLPSOHDVSRVVLEOHE\KDYLQJWKHV\VWHPHQIRUFHDV PXFK RI WKHLQWHJULW\SROLF\DVSRVVLEOH7KHQHHGHGIXQFWLRQDOLW\HQIRUFHGE\WKH V\VWHPLQWKHVFKHPHDERYHLVDFKLHYHGE\DQRUGLQDU\SURFHVVFORQLQJD SURFHVVWKDWFKDQJHVLWVHOILQWRD73W\SHSURFHVVE\H[HFXWLQJD73W\SH REMHFW,QVKRUWLWLVQHLWKHUGHVLUDEOHQRUQHFHVVDU\IRUD73W\SHSURF HVVWRFORQHLWVHOI 7KXV WR FDUU\ RXW WKH LQWHQW RI WKH &ODUN:LOVRQ LQWHJULW\ SROLF\ DV , XQGHUVWDQGLWZLWKRXWVLJQLILFDQWO\PRGLI\LQJWKH6\VWHP9V\VWHPFDOOV WKHDELOLW\RIDSURFHVVWRH[HFXWH H[HFV\VWHPFDOO DQGFORQH IRUNV\V WHPFDOO PXVWEHFRQVWUDLQHGLQWKHIROORZLQJZD\V

‡ :KHQDQRUGLQDU\SURFHVVH[HFXWHVDQREMHFWRIW\SH73,93RU 73,&' WKH SURFHVV H[HFXWLQJ WKH REMHFW EHFRPHV WKH W\SH RI WKH REMHFW7KDWLVLWVSURFHVVW\SHDWWULEXWHWDNHVRQWKHYDOXHRIWKH SURJUDPW\SH DWWULEXWH RI WKH REMHFW :KHQ DQ RUGLQDU\ SURFHVV H[HFXWHVD73W\SHREMHFWWKH873$WDEOHLVXSGDWHGDVGHVFULEHG DERYH$73,93RU73,&'W\SHSURFHVVLVDOORZHGWRH[HFXWHRQO\ DQREMHFWRILWVRZQW\SH:KHQD73W\SHSURFHVVH[HFXWHVD 73 W\SHREMHFWQRFKDQJHVDUHPDGHWRWKH873$$OORZLQJWKHRULJL QDO73WRH[HFXWHD73W\SHREMHFWLVDFRQYHQLHQFHUHODWHGWRKRZD 73LVRUJDQL]HGLQWRXQLWVRIH[HFXWDEOHFRGH ‡ $ 73 ,93 RU 73,&'W\SH SURFHVV LV QRW DOORZHG WR FORQH 81,; IRUN 

7KHIROORZLQJDGGLWLRQDOFRQVWUDLQWVDUHQHHGHGWRVXSSRUWWKHLQWHQW RIWKH&:,SROLF\LQWKH81,;6\VWHP90/6HQYLURQPHQW

‡ &KDQJLQJRZQHUVKLSRI73V,93V73,&'VDQG&',VLVQRWDOORZHG E\&:,SROLF\ ‡ $OLDVLQJ YLD WKH OLQN V\VWHP FDOO LQ 81,;  RI ILOH QDPHV LV QRW D JRRGSUDFWLFHXQGHUWKH&:,3ROLF\%\DOLDVLQJDQRUGLQDU\XVHU FRXOG GHIHDW WKH DWWHPSW RI DQ DXWKRUL]HG XVHU WKDW LV 73

 16In this context, an ordinary process is one whose process-type equals NULL. 17Obviously, a certain amount of interpretation is involved here; the constraints I have specified seem reasonable to me but I recognize that other interpretations of the intent of Clark-Wilson integrity are possible.

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  PDQDJHU  WR UHPRYH D 73 IURP WKH V\VWHP 2XU SROLF\ WKHQ LV WKDW RQO\ LQGLYLGXDO V ZLWK DQ DSSURSULDWH UROH FDQ JLYH DQ LQWHJ ULW\FRQWUROOHG REMHFW DQ DOLDV 6SHFLILFDOO\ D XVHU LQ WKH UROH 73 PDQDJHUPD\DOLDV73V73,&'VDQG&',VZKLOHDXVHULQWKHUROH ,93PDQDJHUPD\DOLDV,93VDQG&',,&V ‡ 7UDFLQJ YLDWKHSWUDFHV\VWHPFDOOLQ81,; RI73V,93VRU73,&'V VKRXOG QRW EH DOORZHG XQGHU WKH &:, SROLF\ VLQFH WUDFLQJ ZRXOG HQDEOHPRGLILFDWLRQRID73RU,93GXULQJLWVH[HFXWLRQ ‡ 2QO\ DXWKRUL]HG XVHUV PD\ DFTXLUH RU PRGLI\ VWDWXV LQIRUPDWLRQ DERXW LQWHJULW\FRQWUROOHG REMHFWV 6SHFLILFDOO\ D XVHU LQ WKH UROH 73PDQDJHU PD\ UHDGPRGLI\ VWDWXV LQIRUPDWLRQ DERXW 73V 73,&'V DQG &',V $ XVHU LQ WKH ,93PDQDJHU UROH PD\ UHDGPRGLI\VWDWXVLQIRUPDWLRQDERXW,93VDQG&',,&V ‡ 2XULQWHJULW\SROLF\DOORZVD73W\SHSURFHVVWRUHFHLYHDVLJQDO YLD WKHNLOOV\VWHPFDOOLQ81,;6\VWHP9 IURPDQRQ73W\SHSURFHVV SUHVXPDEO\WKHSDUHQWSURFHVVWKDWVSDZQHGWKH73W\SHSURFHVV  7KHGDQJHUKHUHLVWKDWWKH73SURFHVVFRXOGEHNLOOHG WHUPLQDWHG DWVXFKDWLPHWKDWWKH&',VRQZKLFKLWZDVRSHUDWLQJZRXOGEH OHIWLQDQXQGHILQHGVWDWH$MXVWLILFDWLRQIRUDOORZLQJWKHVLJQDOLQJ DQ\ZD\ LV WKDW LW SUHVHUYHV IXQFWLRQDOLW\ DQG WKH 73 FDQ EH GH VLJQHGWRWDNHDSSURSULDWHDFWLRQRQWKH&',VEHIRUHH[LWLQJ7KLV SUHVHUYHVIXQFWLRQDOLW\EXWGRHVSXWWKHEXUGHQRQWKHFHUWLILFDWLRQ RIWKH73WRHQVXUHWKDWWKH73KDQGOHVVLJQDOVDSSURSULDWHO\

)XQFWLRQDO FRQWURO SFOLF\ )XQFWLRQDO FRQWURO )&  XVHV V\VWHPUROHV RI XVHUVDQGFDWHJRULHVRIREMHFWV7KHV\VWHPUROHVDUHXVHUVHFXULW\RIIL FHU DQG DGPLQLVWUDWRU 7KH FDWHJRULHV DUH JHQHUDO VHFXULW\ DQG V\V WHP:KHQDSURFHVVZKRVHRZQHUKDVV\VWHPUROH5UHTXHVWVDFFHVVWR DQREMHFWKDYLQJREMHFWFDWHJRU\&WKH)&SROLF\DOORZVWKHDFFHVVRQO\LI 5LVFRPSDWLEOHZLWK&:HGHILQHLVFRPSDWLEOHZLWKDVIROORZV

‡ XVHULVFRPSDWLEOHZLWKJHQHUDO ‡ DGPLQLVWUDWRULVFRPSDWLEOHZLWKJHQHUDODQGV\VWHP ‡ VHFXULW\RIILFHULVFRPSDWLEOHZLWKJHQHUDODQGVHFXULW\

$IXQFWLRQDOFRQWUROSROLF\FDQDQGSUREDEO\VKRXOGEHPRUHHODERUDWH WKDQWKHRQHMXVWGHVFULEHG,WFDQIRUH[DPSOHVSHFLI\ZKRFDQFKDQJH ZKDW DWWULEXWHV RI ZKDW HQWLWLHV $QG LW V WKH ORJLFDO SODFH WR KDYH WKH SROLF\WKDWJRYHUQVWUXVWHGVXEMHFWVVXFKDVGDHPRQVRIWKH81,;V\V WHP%XWWKHVLPSOHSROLF\MXVWJLYHQVDWLVILHVWKHJRDOVRIWKLVHVVD\VR ZHGHYHORSLWQRIXUWKHUKHUH

 18The UNIX unlink operation actually deletes a file only when all links to it have been deleted.

 ,QIRUPDWLRQ6HFXULW\ 6HFXULW\LQIRUPDWLRQPRGLILFDWLRQ 6,0 SROLF\7KHSROLF\IRUPRGLILFDWLRQ RIVHFXULW\LQIRUPDWLRQXVHVW\SHVRIGDWDDQGV\VWHPUROHVRIXVHUV7KH GDWDW\SHQHHGHGIRUWKLVSROLF\LVVL7KHYDOXHVLPHDQVWKHREMHFWFRQ WDLQVVHFXULW\LQIRUPDWLRQ,Q81,;IRUH[DPSOHWKHHWFSDVVZRUGILOH ZRXOG KDYH WKLV YDOXH IRU LWV GDWDW\SH DWWULEXWH 1,/ PHDQV WKH REMHFW FRQWDLQV RUGLQDU\ XVHU RU V\VWHP GDWD 7KH GDWDDWWULEXWH PD\ KDYH RWKHU YDOXHV DV ZHOO VXFK DV WKRVH WKH &:, 3ROLF\ XVHV %XW WKH 6,0 3ROLF\WUHDWVDOOYDOXHVRWKHUWKDQVLWKHVDPHDV1,/ :KHQDSURFHVVUHTXHVWVDFFHVVWRGDWDRIW\SHVLLQDPRGHWKDWHQ DEOHV PRGLILFDWLRQ RI WKH LQIRUPDWLRQ WKH 6,0 3ROLF\ DOORZV WKH DFFHVV RQO\LIWKHV\VWHPUROHRIWKHRZQHURIWKHSURFHVV LHWKHXVHU LVVHFX ULW\RIILFHU $VZLWKWKH)&3ROLF\WKH6,03ROLF\FRXOGHQFRPSDVVPRUHHODERUDWH UXOHV RI RSHUDWLRQ EXW WKH VLPSOH IRUP JLYHQ KHUH VXIILFHV IRU WKH SXU SRVHVRIWKLVHVVD\

5XOHVRIWKHUXOHVHWPRGHO)RXUJURXSVRIUXOHVGHILQHWKHSROLFLHVGH VFULEHGDERYH

‡ PDQGDWRU\D$FFHVVFRQWURO 0$& 5XOHV ‡ &ODUN:LOVRQLQWHJULW\ &:, UXOHV ‡ IXQFWLRQDOFRQWURO )& 5XOHV ‡ VHFXULW\L,QIRUPDWLRQPRGLILFDWLRQ 6,0 UXOHV

(DFKSROLF\RIWKH5XOH6HW0RGHOLVLPSOHPHQWHGDVRQHRUPRUHUXOHV :KHQ FRPELQHG DV GHVFULEHG EHORZ WKH UXOHV FRQVWLWXWH WKH $FFHVV 5XOHVIXQFWLRQ (DFKUXOHLVDQH[SUHVVLRQKDYLQJRQHRIIRXUYDOXHV

‡ <(6 7KLV YDOXH PHDQV WKDW WKH UHTXHVW RI WKH 6WDWH 0DFKLQH 0RGHOKDVEHHQHYDOXDWHGE\WKHUXOHDQGWKHUHVXOWLVWKDWWKHUH TXHVWPD\EHJUDQWHGDFFRUGLQJWRWKHUXOH VSROLF\ ‡ 127KLVYDOXHPHDQVWKDWWKHUHTXHVWRIWKH6WDWH0DFKLQH0RGHO KDVEHHQHYDOXDWHGE\WKHUXOHDQGWKHUHVXOW LV WKDW WKH UHTXHVW PD\QRWEHJUDQWHGDFFRUGLQJWRWKHUXOH VSROLF\ ‡ '&7KLVYDOXHPHDQVWKDWWKHUHTXHVWRIWKH6WDWH0DFKLQH0RGHO KDVEHHQUHFRJQL]HGE\WKHUXOHEXWWKHUXOH VSROLF\GRHVQRWUH TXLUH DQ\ FKHFNV RI DWWULEXWH YDOXHV DQGRU UHODWLRQV DPRQJ DW WULEXWH YDOXHV 7KH UXOH V SROLF\ LV WROHUDQW RI WKH UHTXHVW LQ WKH VHQVHWKDWWKHSROLF\GRHVQ WFDUH '& '&LVVLPLODUWR<(6EXW SURYLGHVDGGLWLRQDOLQIRUPDWLRQXVHIXOIRUDQDO\VLVRIDUXOHVHW ‡ 81'(),1('7KLVYDOXHPHDQVWKDWWKH UHTXHVW RI WKH 6WDWH 0D FKLQH 0RGHO KDV QRW EHHQ UHFRJQL]HG E\ WKH UXOH 81'(),1(' LV GLIIHUHQWIURP12DQG'&LQWKDWERWK12DQG'&LQGLFDWHWKDWWKH 5XOH 6HW 0RGHO LV FRJQL]DQW RI WKH UHTXHVW 81'(),1(' QRW RQO\

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  SURYLGHVXVHIXOLQIRUPDWLRQIRUDQDO\VLVRIDUXOHVHWEXWLQDV\V WHPLPSOHPHQWDWLRQPLJKWVHUYHWRGHWHFWLPSURSHUFRQILJXUDWLRQV RIWKHV\VWHP

KHUH ‡

 ,QIRUPDWLRQ6HFXULW\ 2ULJLQDOWH[WUHVXPHV

IRUPDO PHWKRGV FORVHU WR WKH ILQDO VWDJHV RI LPSOHPHQWDWLRQ ³ FRP SOHWHIXQFWLRQDOGHVLJQDQGFRGLQJ

$SSHQGL[ $0RGHOODQJXDJHDQGFRQVWUXFWV

/DQJXDJHIRUH[SUHVVLQJUXOHV7KHPHWKRGIRUH[SUHVVLQJWKHPRGHO·V UXOHVGHSDUWVIURPWKHWUDGLWLRQDOXVH RI PDWKHPDWLFDO QRWDWLRQ $ PL[ WXUHRISURJUDPPLQJODQJXDJHVWDWHPHQWVDQGOLPLWHGPDWKHPDWLFDOQR WDWLRQFUHDWHVDVSHFLILFDWLRQODQJXDJHWKDWLVLQWXLWLYHO\XQGHUVWDQGDEOH WRDEURDGDXGLHQFH %RWKUXOHVRIRSHUDWLRQDQGUXOHVRIWKHUXOHVHWDUHGHILQHGLQD ODQ JXDJHWKDWORRNVOLNHDSURJUDPPLQJODQJXDJH7ZREDVLFODQJXDJHFRQ VWUXFWV DUH XVHG WR RUJDQL]H VWDWHPHQWV DQG VKRZ WKHLU LQWHUUHODWLRQVKLSV6(/(&7&$6(DQG,)7+(1(/6( 7KH6(/(&7&$6(VWDWHPHQWKDVWKHIROORZLQJV\QWD[

6(/(&7&$6(DWWULEXWH &$6(DWWULEXWHYDOXH VWDWHPHQWEORFN &$6(DWWULEXWHYDOXH VWDWHPHQWEORFN

  

&$6((/6( VWDWHPHQWEORFNQ (1'6(/(&7

$VWDWHPHQWEORFNLVRQHRUPRUHVWDWHPHQWV,QGLYLGXDOVWDWHPHQWVDUH WHUPLQDWHGE\DVHPLFRORQ7KHYDOXHRIWKH6(/(&7&$6(VWDWHPHQWLV WKH YDOXH RI WKH VWDWHPHQWEORFN IROORZLQJ WKH &$6( LGHQWLILHG E\ WKH FXUUHQW YDOXH RI WKH VHOHFWHG DWWULEXWH )RU H[DPSOH WKH QH[W 6(/(&7 &$6(KDVWKHYDOXHRIVWDWHPHQWEORFNZKHQWKH´DPRXQWµLV

6(/(&7&$6(DPRXQW &$6( VWDWHPHQWEORFN &$6( VWDWHPHQWEORFN

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  &$6((/6( VWDWHPHQWEORFNQ (1'6(/(&7

,IWKHFXUUHQWYDOXHRIWKHVHOHFWHGDWWULEXWHLVQRWLGHQWLILHGE\RQHRI WKH&$6(VJLYHQWKHQWKHYDOXHRIWKH6(/(&7&$6(VWDWHPHQWLVWKH YDOXHRIWKH&$6((/6(VWDWHPHQWEORFN $ILQDOZRUGRQWKH6(/(&7&$6(VWDWHPHQW7KH(1'6(/(&7SDUW RIWKHVWDWHPHQWZLOOEHRPLWWHGZKHQQRDPELJXLW\UHVXOWV³WKHXVHRI LQGHQWDWLRQZLOOPDNHFOHDUWKHVFRSHRID6(/(&7&$6( 7KH,)7+(1(/6(VWDWHPHQWKDVWKHIROORZLQJV\QWD[

,) %RROHDQH[SUHVVLRQ 7+(1 VWDWHPHQWEORFN (/6( VWDWHPHQWEORFN

7KH ,) 7+(1 (/6( VWDWHPHQW KDV LWV XVXDO PHDQLQJ $ %RROHDQ H[ SUHVVLRQLVDQH[SUHVVLRQFRQVLVWLQJRIDWWULEXWHVDQGUHODWLRQDORUORJLFDO RSHUDWLRQVDQGKDYLQJDYDOXHRI758(RU)$/6( $)25($&+VWDWHPHQWLVDOVRXVHIXO,WVV\QWD[LV

)25($&+SURFHVV VWDWHPHQWEORFN (1')25($&+

%HFDXVHDWWULEXWHVPD\DSSO\WRPRUHWKDQRQHNLQGRIHQWLW\WKHODQ JXDJHFODULILHVDQDPELJXRXVUHIHUHQFHWRDQDWWULEXWHE\TXDOLI\LQJHDFK DWWULEXWHZLWKWKHQDPHRIWKHHQWLW\WKHDWWULEXWHEHORQJVWR)RUH[DP SOHWKHDWWULEXWH´VHFXULW\OHYHOµDSSOLHVWRSURFHVVHVDQGVHYHUDONLQGVRI REMHFWV´VHFXULW\OHYHO SURFHVV µUHIHUVWRWKHVHFXULW\OHYHORIWKHSURFHVV 5XOHVRIRSHUDWLRQXVHWKHIRUP´>  @µWRLGHQWLI\DV\VWHPRSHUD WLRQ)RUH[DPSOHWKH2SHQUXOHXVHVWKHVWDWHPHQW> WUXQFDWHWKHILOH @ WRVWDQGIRUWKH8QL[RSHUDWLRQWKDWGHOHWHVWKHGDWDLQDILOH5XOHVPD\ XVHWKHIRUP´    µ WR HQFORVH D FRPPHQW VXFK DV  WKH GLUHFWRU\ VHDUFKZDVYDOLGDQGWKHILOHH[LVWV DSSHDULQJLQWKH2SHQUXOH %RROHDQH[SUHVVLRQVDQGDOOVWDWHPHQWVH[FHSWWKH6(/(&7&$6(DQG WKH ,) 7+(1 (/6( HQG ZLWK D VHPLFRORQ %RROHDQ H[SUHVVLRQV XVH WKH XVXDOLQHTXDOLW\RSHUDWRUV´ µDQG´!µDQGXVH´ µIRUH[SUHVVLQJHTXDO LW\/RJLFDORSHUDWRUVVXFKDV$1'DQG25DUHXVHGLQREYLRXVZD\V 5XOHVXVHWKHVSHFLILFDWLRQV´VHWDWWULEXWHµDQG´VHWDWWULEXWHVµWRPDQ DJH WKH YDOXHV RI DWWULEXWHV 7KH UXOHV RI WKH UXOHVHW PRGHO XVH ´VHW

 ,QIRUPDWLRQ6HFXULW\ DWWULEXWHµWRGHVLJQDWHWKHYDOXHWKDWDQDWWULEXWHVKRXOGKDYHLIWKHFXU UHQWUHTXHVWLVJUDQWHG7KHV\QWD[IRUWKLVXVHLV

VHWDWWULEXWH DWWULEXWHBQDPHDWWULEXWHBYDOXH

7KH UXOHV RI WKH VWDWHPDFKLQH PRGHO XVH ´VHWDWWULEXWHVµ WR LQGLFDWH WKDW WKH\ DUH FDUU\LQJ RXW WKH VHWDWWULEXWH VSHFLILFDWLRQV JLYHQ E\ WKH UXOHV RI WKH UXOHVHW PRGHO 6XSSRVH IRU H[DPSOH WKH VWDWHPDFKLQH PRGHOLQYRNHVWKHUXOHVHWPRGHOZLWKDFUHDWHILOHUHTXHVW6XSSRVHWKDW WKH UXOHV RI WKH UXOHVHW PRGHO DSSURYH WKH UHTXHVW DQG JLYH WZR VHW DWWULEXWHVSHFLILFDWLRQV

VHWDWWULEXWH VHFXULW\OHYHO ILOH 6(&5(7 VHWDWWULEXWH REMHFWFDWHJRU\ ILOH JHQHUDO

7KHQ WKH SRUWLRQ RI WKH FUHDWH UXOH WKDW FDUULHV RXW WKH FUHDWH UHTXHVW ZLOO LQFOXGH D VHWDWWULEXWH VWDWHPHQW 7KH PHDQLQJ RI WKH VWDWHPHQW LV WKDWWKHVHFXULW\OHYHORIWKHILOHLVVHWWRWKHYDOXH6(&5(7DQGWKHRE MHFWFDWHJRU\RIWKHILOHLVVHWWRWKHYDOXHJHQHUDO

&RQVWUXFWVRIWKHVWDWHPDFKLQHPRGHO

7\SHV$W\SHLVDFODVVWKDWLVGHILQHGE\WKHFRPPRQDWWULEXWHVSRV VHVVHGE\DOOLWVPHPEHUV7KHQDPHRIHDFKW\SHVXJJHVWVDXVHIXOLQ WHUSUHWDWLRQIRUWKHFODVV7KHPRGHOXVHVWKHIROORZLQJW\SHV

UHTXHVW ^DOLDV DOWHU FKDQJHRZQHU FKDQJHUROH FORQH FUHDWH GHOHWH GHOHWHGDWD H[HFXWH JHWSHUPLVVLRQVGDWD JHW VWDWXVGDWD PRGLI\DFFHVVGDWD PRGLI\DWWULEXWH PRG LI\SHUPLVVLRQVGDWD UHDG UHDGDWWULEXWH UHDG ZULWH RSHQ UHDGRSHQ VHDUFK VHQGVLJQDO WHUPLQDWH WUDFH ZULWHZULWHRSHQ` SURFHVV ILOH GLUHFWRU\ LSF VFG VLJQDO REMHFW>DILOHGLUHFWRU\LSFRUVFG@ SKDVH^´DFWLYHµ´XQXVHGµ´LQDFFHVVLEOHµ` IODJ^212))` PRGH^´UHDGµ´ZULWHµ´UHDG ZULWHµ`

9DULDEOHV $ YDULDEOH LV DQ DOWHUDEOH HQWLW\ 7KH YDULDEOHV RI WKH VWDWH PDFKLQH PRGHO GHILQH WKH V\VWHP VWDWHV :H FDQ WKLQN RI YDULDEOHV DV

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  IXQFWLRQV ZKRVH GRPDLQV DUH W\SHV -XVW DV QDWXUDOO\ ZH FDQ UHJDUG WKHPDVUHFRUGVRILQIRUPDWLRQFRQWDLQLQJRQHRUPRUHLWHPVRIGDWD7KH PRGHOXVHVWKHIROORZLQJYDULDEOHV

FXUUHQWBSURFHVVSURFHVV QHZBSURFHVVSURFHVV ILOHBQDPHILOH GLUHFWRU\BQDPHGLUHFWRU\ WUXQFDWHBRSWLRQIODJ FUHDWHBRSWLRQIODJ 67$786 REMHFW SKDVH 23(1 SURFHVVREMHFW VHW PRGH

&RQVWDQWV

758( )$/6( 21 2))

([SUHVVLRQV

$FFHVV5XOHV UHTXHVWSURFHVVREMHFWSURFHVVREMHFW  ([WHQGHG%RROHDQ

(IIHFWV$QHIIHFWLVDQDFWLRQRIWKHVWDWHPDFKLQH7KHPRGHOXVHVWKH IROORZLQJHIIHFWV

QRUPDOH[LW HUURUH[LW VHWDWWULEXWHV VDYH UHVWRUH

$SSHQGL[%6XPPDU\RIWKH&ODUN:LOVRQLQWHJULW\ PRGHO &HUWLILFDWLRQ5XOH$OO,93VPXVWSURSHUO\HQVXUHWKDWDOO&',VDUHLQD YDOLGVWDWHDWWKHWLPHWKH,93LVUXQ

&HUWLILFDWLRQ 5XOH  $OO 73V PXVW EH FHUWLILHG WR EH YDOLG 7KDW LV WKH\ PXVWWDNHD&',WRDYDOLGILQDOVWDWHJLYHQWKDWLWLVLQDYDOLGVWDWHWR EHJLQ ZLWK )RU HDFK 73 DQG HDFK VHW RI &',V WKDW LW PD\ PDQLSXODWH WKHVHFXULW\RIILFHUPXVWVSHFLI\D´UHODWLRQµZKLFKGHILQHVWKDWH[HFXWLRQ $UHODWLRQLVWKXVRIWKHIRUP 73L &',D&',E&',F ZKHUHWKHOLVW

 ,QIRUPDWLRQ6HFXULW\ RI&',VGHILQHVDSDUWLFXODUVHWRIDUJXPHQWVIRUZKLFKWKH73KDVEHHQ FHUWLILHG

(QIRUFHPHQW 5XOH  7KH V\VWHP PXVW PDLQWDLQ WKH OLVW RI UHODWLRQV VSHFLILHGLQ&HUWLILFDWLRQ5XOHDQGPXVWHQVXUHWKDWWKHRQO\PDQLSX ODWLRQ RI DQ\ &', LV E\ D 73 ZKHUH WKH 73 LV RSHUDWLQJ RQ WKH &', DV VSHFLILHGLQVRPHUHODWLRQ

(QIRUFHPHQW5XOH7KHV\VWHPPXVWPDLQWDLQDOLVWRIUHODWLRQVRIWKH IRUP 8VHU,'73L &',D &',E &',F   ZKLFK UHODWHV D XVHU D 73 DQG WKH GDWD REMHFWV WKDW 73 PD\ UHIHUHQFH RQ EHKDOI RI WKDW XVHU ,W PXVW HQVXUH WKDW RQO\ H[HFXWLRQV GHVFULEHG LQ RQH RI WKH UHODWLRQV DUH SHUIRUPHG

&HUWLILFDWLRQ5XOH7KHOLVWRIUHODWLRQVLQ(QIRUFHPHQW5XOHPXVWEH FHUWLILHGWRPHHWWKHVHSDUDWLRQRIGXW\UHTXLUHPHQW

(QIRUFHPHQW5XOH7KHV\VWHPPXVWDXWKHQWLFDWHWKHLGHQWLW\RIHDFK XVHUDWWHPSWLQJWRH[HFXWHD73

&HUWLILFDWLRQ5XOH$OO73VPXVWEHFHUWLILHGWRZULWHWRDQDSSHQGRQO\ &', WKHORJ DOOLQIRUPDWLRQQHFHVVDU\WRSHUPLWWKHQDWXUHRIWKHRSHUD WLRQWREHUHFRQVWUXFWHG

&HUWLILFDWLRQ5XOH$Q\73WKDWWDNHVD8',DVDQLQSXWYDOXHPXVWEH FHUWLILHG WR SHUIRUP RQO\ YDOLG WUDQVIRUPDWLRQV RU HOVH QR WUDQVIRUPD WLRQVIRUDQ\SRVVLEOHYDOXHRIWKH8',7KHWUDQVIRUPDWLRQVKRXOGWDNH WKHLQSXWIURPD8',WRD&',RUWKH8',LVUHMHFWHG7\SLFDOO\WKLVLVDQ HGLWSURJUDP>1RWHWRWKHUHDGHU0\PRGHORI&ODUN:LOVRQLQWHJULW\DO ORZVD73WRDFFHVVDQ\8',LQWKHQRUPDOPDQQHUIRUDFFHVVWRDQREMHFW E\DSURFHVVLQWKLVV\VWHPVXEMHFWWRWKHFRQVWUDLQWVRIWKHRWKHU WKDQ LQWHJULW\  SROLFLHV LPSOHPHQWHG E\ WKH $') ,W LV XS WR WKH FHUWLILFDWLRQ SURFHVVWRHQVXUHWKDWWKH73DFFHVVHVRQO\WKRVH8',VLWVKRXOGDFFHVV IRU D SDUWLFXODU H[HFXWLRQ %XW WKLV LV QRW LQ NHHSLQJ ZLWK WKH VSLULW RI PRYLQJ DV PXFK DV SRVVLEOH IURP FHUWLILFDWLRQ WR HQIRUFHPHQW DV VXJ JHVWHGE\&ODUNDQG:LOVRQ2QHSRVVLELOLW\IRUFKDQJLQJWKLVDSSURDFKLV WRDGGWKHQDPHVRIWKHDOORZHG8',VIRUDSDUWLFXODU73WRWKHWULSOHVRU SHUKDSVEHWWHUWRWKH73&',VUHODWLRQZKLFKZRXOGKDYHWREHDGGHGWR WKHPRGHOVLQFHLWLVFXUUHQWO\ QRW LQFOXGHG 'RLQJ VR ZRXOG PHDQ WKDW WKH73&',UHODWLRQLVQRORQJHUUHGXQGDQWZLWKWKHWULSOHV@

(QIRUFHPHQW 5XOH  2QO\ WKH DJHQW SHUPLWWHG WR FHUWLI\ HQWLWLHV PD\ FKDQJHWKHOLVWRIVXFKHQWLWLHVDVVRFLDWHGZLWKRWKHUHQWLWLHV³VSHFLIL FDOO\WKRVHDVVRFLDWHGZLWKD73$QDJHQWZKRFDQFHUWLI\DQHQWLW\PD\ QRW WKDWLVPXVWQRW KDYHDQ\H[HFXWHULJKWVZLWKUHVSHFWWRWKDWHQWLW\

5XOH6HW0RGHOLQJRID7UXVWHG&RPSXWHU6\VWHP  $FNQRZOHGJPHQWV ,WKDQN0DUVKDOO$EUDPVIRUKLVIXQGDPHQWDOLQVLJKWVRQDFFHVVFRQ WUROWKDWOHGWRWKHPRGHOLQJDSSURDFKGHVFULEHGLQWKLVHVVD\DQGIRUKLV HQFRXUDJHPHQWGXULQJWKHZULWLQJRIWKLVHVVD\,WKDQN-DPHV:LOOLDPV RIWKH0,75(&RUSRUDWLRQIRUVKDULQJZLWKPHKLVYLHZVRQWKHVWDJHVRI HODERUDWLRQRIUHTXLUHPHQWVIRUWUXVWHGV\VWHPVDQGIRUPDQ\FRQYHUVD WLRQV DERXW IRUPDO PRGHOLQJ , WKDQN &KDUOHV : )OLQN ,, RI $7 7 %HOO /DERUDWRULHVIRUKLVSDWLHQWDQGFRPSUHKHQVLYHH[SODQDWLRQVRIPDQ\GH VLJQDVSHFWVDQGV\VWHPFDOOVRI6\VWHP90/65HOHDVH

 ,QIRUPDWLRQ6HFXULW\