# From: Peter Johnson # aka Rottz @ Undernet
acceptance procedure => a procedure which takes objects produced during the development, production and maintenance processes for a Target of Evaluation and, as a positive act, places them under the controls of a Configuration Control system.
acceptance inspection => The final inspection to determine whether or not a facility or system meets the specified technical and performance standards. Note: This inspection is held immediately after facility and software testing and is the basis for commissioning or accepting the information system.
access => (1) A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (2) The ability and the means necessary to approach, to store or retrieve data, to communicate with, or to make use of any resource of an ADP system.
access control => Process of limiting access to the resources of an IT product only to authorized users, programs, processes, systems, or other IT products.
access control list => Mechanism implementing discretionary access control in an IT product that identifies the users who may access an object and the type of access to the object that a user is permitted.
access control mechanism => Security safeguards designed to detect and prevent unauthorized access, and to permit authorized access in an IT product.
access mediation => Process of monitoring and controlling access to the resources of an IT product, including but not limited to the monitoring and updating of policy attributes during accesses as well as the prevention of unauthorized or inappropriate accesses (see access control).
access right => A granted permission for a User or Subject to carry out an Access Type.
access level => The hierarchical portion of the security level used to identify the sensitivity of data and the clearance or authorization of users. Note: The access level, in conjunction with the nonhierarchical categories, forms the sensitivity label of an object. See category, security level, and sensitivity label.
access period => A segment of time, generally expressed on a daily or weekly basis, during which access rights prevail.
access port => A logical or physical identifier that a computer uses to distinguish different terminal input/output data streams.
access type => The nature of an access right to a particular device, program, or file (e.g., read, write, execute, append, modify, delete, or create).
accountability => The property that enables activities on a system to be traced to individuals who may then be held responsible for their actions.
accreditation => The administrative process of granting authority.
add-on security => The retrofitting of protection mechanisms, implemented by hardware or software.
administration documentation => The information about a Target of Evaluation supplied by the developer for use by an administrator.
administrative security => The management constraints and supplemental controls established to provide an acceptable level of protection for data. Synonymous with procedural security.
administrator => a person in contact with the Target of Evaluation who is responsible for maintaining its operational capability.
algorithm => A mathematical procedure that can usually be explicitly encoded in a set of computer language instructions that manipulate data. Cryptographic algorithms are mathematical procedures used for such purposes as encrypting and decrypting messages and signing documents digitally.
API => Application Program Interface - System access point or library function that has a well-defined syntax and is accessible from application programs or user code to provide well-defined functionality.
architectural design => a phase of the Development Process wherein the top level definition and design of a Target of Evaluation is specified.
assignment => Requirement in a protection profile taken directly as stated, without change, from the list of components or derived by placing a bound on a threshold definition. Note: The assignment of environment-specific requirements to generic component requirements is performed when a component requirement corresponds to an environment-specific requirement.
assurance => the confidence that may be held in the security provided by a Target of Evaluation.
assurance level => In evaluation criteria, a specific level on a hierarchical scale representing successively increased confidence that a TOE adequately fulfills the security requirements.
attack => The act of trying to bypass security controls on a system. An attack may be active, resulting in the alteration of data; or passive, resulting in the release of data. Note: The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures.
audit => Independent review and examination of records and activities to determine compliance with established usage policies and to detect possible inadequacies in product technical security policies or their enforcement.
audit trail => A chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results.
augmentation => The addition of one or more assurance component(s) to an assurance
authenticate => (1) To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. (2) To verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
authentication => (1) To establish the validity of a claimed identity. (2) To provide protection against fraudulent transactions by establishing the validity of message, station, individual, or originator.
authenticator => The means used to confirm the identity or to verify the eligibility of a station, originator, or individual.
authorised user => A user who has a specific right or permission to do something described in the TSP.
authorization => The granting of access rights to a user, program, or process.
authorized => Entitled to a specific mode of access.
AIS => Automated Information System - Any equipment or interconnected systems or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware. [NSTISSI 4009] Note: Included are computers, word processing systems, networks, or other electronic information handling systems, and associated equipment.
ADP security => Automated Data Processing security - Synonymous with automated information systems security.
availability => The prevention of the unauthorised withholding of information or resources.
back door => Synonymous with trap door.
backup plan => Synonymous with contingency plan.
bandwidth => Rate at which information is transmitted through a channel. (See channel capacity) Note: Bandwidth is originally a term used in analog communication, measured in Hertz, and related to information rate by the "sampling theorem" (generally attributed to H. Nyquist although the theorem was in fact known before Nyquist used it in communication theory). Nyquist's sampling theorem says that the information rate in bits (samples) per second is at most twice the bandwidth in Hertz of an analog signal created from a square wave. In a covert-channel context "bandwidth" is given in bits/second rather than Hertz and is commonly used, in an abuse of terminology, as a synonym for information rate.
basic component => a component that is identifiable at the lowest hierarchical level of specification produced during Detailed Design.
Bell-LaPadula model => A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined, and it is proven that each state transition preserves security by moving from secure state to secure state, thereby inductively proving that the system is secure. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object, and a determination is made as to whether the subject is authorized for the specific access mode. See star property (*-property) and simple security property.
benign environment => A nonhostile environment that may be protected from external hostile elements by physical, personnel, and procedural security countermeasures.
between-the-lines entry => Unauthorized access obtained by tapping the temporarily inactive terminal of a legitimate user.
beyond A1 => A level of trust defined by the DoD Trusted Computer System Evaluation Criteria (TCSEC) that is beyond the state-of-the-art technology available at the time the criteria were developed. It includes all the A1-level features plus additional ones not required at the A1 level.
binding of security functionality => The ability of security enforcing functions and mechanisms to work together in a way which is mutually supportive and provides an integrated and effective whole.
bit => Short for binary digit - 0 or 1. Keys are strings of bits.
browsing => The act of searching through storage to locate or acquire information without necessarily knowing of the existence or the format of the information being sought.
call back => A procedure for identifying a remote terminal. In a call back, the host system disconnects the caller and then dials the authorized telephone number of the remote terminal to reestablish the connection. Synonymous with dial back.
CTCPEC => Canadian Trusted Computer Product Evaluation Criteria - Canadian secure products criteria.
candidate TCB subset => The identification of the hardware, firmware, and software that make up the proposed TCB subset, along with the identification of its subjects and objects; one of the conditions for evaluation by parts.
capability => A protected identifier that both identifies the object and specifies the access rights to be allowed to the accessor who possesses the capability. In a capability-based system, access to protected objects such as files is granted if the would-be accessor possesses a capability for the object.
category => A restrictive label that has been applied to classified or unclassified data as a means of increasing the protection of the data and further restricting access to the data.
cellular transmission => Data transmission via interchangeable wireless (radio) communications in a network of numerous small geographic cells. Most current technology is analog - represented as electrical levels, not bits. However, the trend is toward digital cellular data transmission.
certification => The technical evaluation of a system's security features, made as part of and in support of the approval/accreditation process, that establishes the extent to which a particular computer system's design and implementation meet a set of specified security requirements.
certification body => an independent and impartial national organisation that performs certification.
channel => An information transfer path within a system. May also refer to the mechanism by which the path is effected.
channel capacity => Maximum possible error-free rate, measured in bits per second, at which information can be sent along a communications path.
class => A group of related Families which reflects a specific set of security
cleartext => Intelligible data, the semantic content of which is available. Also referred to as plaintext.
closed user group => a closed user group permits users belonging to a group to communicate with each other, but precludes communications with other users who are not members of the group.
closed security environment => An environment in which both of the following conditions hold true: (1) Application developers (including maintainers) have sufficient clearances and authorizations to provide an acceptable presumption that they have not introduced malicious logic. (2) Configuration control provides sufficient assurance that applications and the equipment are protected against the introduction of malicious logic prior to and during the operation of system applications.
CCITS => Common Criteria for Information Technology Security - Evolving international security evaluation criteria being developed by the US, Canada, the UK, Germany, and France.
communication channel => the physical media and devices which provide the means for transmitting information from one component of a network to (one or more) other components.
communication link => the physical means of connecting one location to another for the purpose of transmitting and/or receiving data.
COMSEC => communications security - Measures taken to deny unauthorized persons information derived from telecommunications of the U.S. Government concerning national security, and to ensure the authenticity of such telecommunications. Communications security includes cryptosecurity, transmission security, emission security, and physical security of communications security material and information.
compartment => (1) A designation applied to a type of sensitive information, indicating the special handling procedures to be used for the information and the general class of people who may have access to the information. It can refer to the designation of information belonging to one or more categories. (2) A class of information in the US government that has need-to-know access controls beyond those normally provided for access to Confidential, Secret, or Top Secret information.
compartmented security mode => See modes of operation.
component => a device or set of devices, consisting of hardware, along with its firmware, and/or software that performs a specific function on a computer communications network. A component is a part of the larger system, and may itself consist of other components. Examples include modems, telecommunications controllers, message switches, technical control devices, host computers, gateways, communications subnets, etc.
component reference monitor => an access control concept that refers to an abstract machine that mediates all access to objects within a component by subjects within the component.
compromise => a violation of the security system such that an unauthorized disclosure of sensitive information may have occurred.
compromising emanations => Unintentional data-related or intelligence-bearing signals that, if intercepted and analyzed, disclose the information transmission received, handled, or otherwise processed by any information processing equipment. See TEMPEST.
CSTVRP => Computer Security Technical Vulnerability Reporting Program - A program that focuses on technical vulnerabilities in commercially available hardware, firmware and software products acquired by DoD. CSTVRP provides for the reporting, cataloging, and discreet dissemination of technical vulnerability and corrective measure information to DoD components on a need-to-know basis.
computer abuse => The misuse, alteration, disruption or destruction of data processing resources. The key aspect is that it is intentional and improper.
computer architecture => The set of layers and protocols (including formats and standards that different hardware/software must comply with to achieve stated objectives) which define a computer system. Computer architecture features can be available to application programs and system programmers in several modes, including a protected mode. For example, the system-level features of computer architecture may include: (1) memory management, (2) protection, (3) multitasking, (4) input/output, (5) exceptions and multiprocessing, (6) initialization, (7) coprocessing and multiprocessing, (8) debugging, and (9) cache management.
computer cryptography => The use of a crypto-algorithm in a computer, microprocessor, or microcomputer to perform encryption or decryption in order to protect information or to authenticate users, sources, or information.
computer fraud => Computer-related crimes involving deliberate misrepresentation, alteration or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or coverup of the act or series of acts. A computer system might have been involved through improper manipulation of input data; output or results; applications programs; data files; computer operations; communications; or computer hardware, systems software, or firmware.
computer security => Synonymous with automated information systems security.
computer security subsystem => A device designed to provide limited computer security features in a larger system environment.
concealment system => A method of achieving confidentiality in which sensitive information is hidden by embedding it in irrelevant data.
confidentiality => (1) The assurance that information is not disclosed to inappropriate entities or processes. (2) The property that information is not made available or disclosed to unauthorized entities. (3) The prevention of the unauthorized disclosure of information. (4) The concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organizations.
configuration => the selection of one of the sets of possible combinations of features of a Target of Evaluation.
configuration control => management of changes made to a system's hardware, software, firmware, and documentation throughout the development and operational life of the system.
configuration management => The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, test, test fixtures and test documentation throughout the development and operational life of the system. Compare configuration control.
confinement => The prevention of the leaking of sensitive data from a program.
confinement channel => Synonymous with covert channel.
confinement property => Synonymous with star property (*-property).
connection => a liaison, in the sense of a network interrelationship, between two hosts for a period of time. The liaison is established (by an initiating host) for the purpose of information transfer (with the associated host); the period of time is the time required to carry out the intent of the liaison (e.g., transfer of a file, a chatter session, delivery of mail). In many cases, a connection (in the sense of this glossary) will coincide with a host-host connection (in a special technical sense) established via TCP or equivalent protocol. However a connection (liaison) can also exist when only a protocol such as IP is in use (IP has no concept of a connection that persists for a period of time). Hence, the notion of connection as used here is independent of the particular protocols in use during a liaison of two hosts.
constrained => A qualifier implying: within the TSF Scope of Control.
construction => the process of creating a Target of Evaluation.
consumers => Individuals or groups responsible for specifying requirements for IT product security (e.g., policy makers and regulatory officials, system architects, integrators, acquisition managers, product purchasers, and end users).
contamination => The intermixing of data at different sensitivity and need-to-know levels. The lower level data is said to be contaminated by the higher level data; thus, the contaminating (higher level) data may not receive the required level of protection.
content-dependent access control => Access control in which access is determined by the value of the data to be accessed.
context-dependent access control => Access control in which access is determined by the specific circumstances under which the data is being accessed.
contingency plan => A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation. Synonymous with disaster plan and emergency plan.
control objective => Required result of protecting information within an IT product and its immediate environment.
control zone => The space, expressed in feet of radius, surrounding equipment processing sensitive information, that is under sufficient physical and technical control to preclude an unauthorized entry or compromise.
controlled access => See access control.
controlled sharing => The condition that exists when access control is applied to all users and components of a system.
corporate security policy => The set of laws, rules and practices that regulate how assets including sensitive information are managed, protected and distributed within a user organisation.
correctness => In security evaluation, the preservation of relevant properties between successive levels of representations. Examples of representations could be: top-level functional specification, detailed design specification, actual implementation. An aspect of assurance.
cost-risk analysis => The assessment of the costs of providing data protection for a system versus the cost of losing or compromising the data.
countermeasure => Action, device, procedure, technique, or other measure that reduces the vulnerability of an AIS.
covert channel => A communication channel that allows a process to transfer information in a manner that violates the system's security policy. See also: covert storage channel, covert timing channel.
covert storage channel => A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.
covert timing channel => A covert channel in which one process signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process.
criteria => See DoD Trusted Computer System Evaluation Criteria. Examples of other criteria are the Information Technology Security Evaluation Criteria (Europe), Canadian Trusted Computer Product Evaluation Criteria, Federal Criteria for Information Technology Security: Draft (US), and the forthcoming Common Criteria for Information Technology Security (international).
critical mechanism => a mechanism within a Target of Evaluation whose failure would create a security weakness.
customer => the person or organisation that purchases a Target of Evaluation.
cryptoalgorithm => A well-defined procedure or sequence of rules or steps used to produce a key stream or ciphertext from plaintext and vice versa.
cryptography => (1) The principles, means, and methods for rendering information unintelligible, and for restoring encrypted information to intelligible form. (2) The transformation of ordinary text, or "plaintext," into coded form by encryption and the transformation of coded text into plaintext by decryption. Cryptography can be used to support digital signature, key management or exchange, and communications privacy.
cryptosecurity => The security or protection resulting from the proper use of technically sound cryptosystems.
data => Information with a specific physical representation.
data confidentiality => the state that exists when data is held in confidence and is protected from unauthorized disclosure.
DES => Data Encryption Standard - (1) A cryptographic algorithm for the protection of unclassified data, published in US Federal Information Processing Standard (FIPS) 46. The DES, which was approved by the US National Institute of Standards and Technology (NIST), is intended for public and government use. (2) A NIST Federal Information Processing Standard and commonly used secret key cryptographic algorithm for encrypting and decrypting data and performing other functions. For example, DES can be used to check message integrity. DES specifies a key length of 56 bits.
data integrity => (1) The state that exists when computerized data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction. (2) The property that data has not been exposed to accidental or malicious alteration or destruction.
data flow control => Synonymous with information flow control.
data security => The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
database management system => A computer system whose main function is to facilitate the sharing of a common set of data among many different users. It may or may not maintain semantic relationships among the data items.
DBMS => Abbreviation for "database management system."
decomposition => Requirement in a protection profile that spans several components. Note: The decomposition of a specific requirement becomes necessary when that requirement must be assigned to multiple components of the generic product requirements during the interpretation process.
dedicated security mode => the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specific period of time. Compare Multilevel Security Mode, System High Security Mode.
default classification => A temporary classification reflecting the highest classification being processed in a system. The default classification is included in the caution statement affixed to the object.
degauss => To reduce magnetic flux density to zero by applying a reverse magnetizing field.
DPL => Degausser Products List - A list of commercially produced degaussers that meet US National Security Agency (NSA) specifications. This list is included in NSA's "Information Systems Security Products and Services Catalogue," available through the US Government Printing Office.
degausser => An electrical device that can generate a magnetic field for the purpose of degaussing magnetic storage media.
delivery => the process whereby a copy of the Target of Evaluation is transferred from the developer to a customer.
DOS => Denial Of Service - (1) The prevention of authorized access to system assets or services or the delaying of time-critical operations. (2) Any action or series of actions that prevents any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service. (Synonymous with interdiction.)
dependency => Condition in which the correctness of one TCB subset is contingent (depends for its correctness) on the correctness of another TCB subset. Note: A TCB subset A depends for its correctness on TCB subset B if and only if the (engineering) arguments of the correct implementation of A with respect to its specification assume, wholly or in part, that the specification of B has been implemented correctly.
depends => A TCB subset A depends (for its correctness) on TCB subset B if and only if the (engineering) arguments of the correct implementation of A with respect to its specification assume, wholly or in part, that the specification of B has been implemented correctly.
DTLS => Descriptive Top-Level Specification - A top-level specification that is written in a natural language (e.g., English), an informal design notation, or a combination of the two.
DAA => Designated Approving Authority - Official with the authority to formally assume responsibility for operating an IT product, an AIS, or network at an acceptable level of risk.
detailed design => a phase of the Development Process wherein the top level definition and design of a Target of Evaluation is refined and expanded to a level of detail that can be used as a basis for implementation.
developer => the person or organisation that manufactures a Target of Evaluation.
developer security => the physical, procedural and personnel security controls imposed by a developer on his Development Environment.
development assurance => Sources of IT product assurance ranging from how a product was designed and implemented to how it is tested, operated and maintained.
development assurance component => Fundamental building block, specifying how an IT product is developed, from which development assurance requirements are assembled.
development assurance package => Grouping of development assurance components assembled to ease specification and common understanding of how an IT product is developed.
development assurance requirements => Requirements in a protection profile which address how each conforming IT product is developed including the production of appropriate supporting developmental process evidence and how that product will be maintained.
development environment => the organisational measures, procedures and standards used whilst constructing a Target of Evaluation.
development process => The set of phases and tasks whereby a Target of Evaluation is constructed, translating requirements into actual hardware and software.
dial back => Synonymous with call back.
dialup => The service whereby a computer terminal can use the telephone to initiate and effect communication with a computer.
digital signature => A cryptographic method, provided by public key cryptography, used by a message's recipient and any third party to verify the identity of the message's sender. It can also be used to verify the authenticity of the message. A sender creates a digital signature of a message by transforming the message with his or her private key. A recipient, using the sender's public key, verifies the digital signature by applying a corresponding transformation to the message and the signature.
DSS => Digital Signature Standard - A US Federal Information Processing Standard proposed by NIST (National Institute of Standards and Technology) to support digital signature.
digital telephony => Telephone systems that use digital communications technology.
disaster plan => Synonymous with contingency plan.
DAC => Discretionary Access Control - a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that: (a) A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject; (b) DAC is often employed to enforce need-to-know; (c) Access control may be changed by an authorized individual. Compare to Mandatory Access Control.
documentation => the written (or otherwise recorded) information about a Target of Evaluation required for an evaluation. This information may, but need not, be contained within a single document produced for the specified purpose.
TCSEC => DoD Trusted Computer System Evaluation Criteria - A document published by the National Computer Security Center containing a uniform set of basic requirements and evaluation classes for assessing degrees of assurance in the effectiveness of hardware and software security controls built into systems. These criteria are intended for use in the design and evaluation of systems that will process and/or store sensitive or classified data. This document is Government Standard DoD 5200.28-STD and is frequently referred to as "The Criteria" or "The Orange Book."
domain => The unique context (for example, access control parameters) in which a program is operating - in effect, the set of objects that a subject has the ability to access. Note: A subject's domain determines which access control attributes an object must have for a subject operating in that domain to have a designated form of access. (See process and subject.)
dominate => Security level S1 is said to dominate security level S2 if the hierarchical classification of S1 is greater than or equal to that of S2 and the non-hierarchical categories of S1 include all those of S2 as a subset.
ease of use => an aspect of the assessment of the effectiveness of a Target of Evaluation, namely that it cannot be configured or used in a manner which is insecure but which an administrator or end-user would reasonably believe to be secure.
effectiveness => In security evaluations, an aspect of assurance assessing how well the applied security functions and mechanisms working together will actually satisfy the security requirements.
element => An indivisible security requirement which is to be satisfied during an evaluation.
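The following is an added worked example, not part of the original glossary, tying together the "dominate" entry above, the Bell-LaPadula model entry (simple security property and *-property), and the covert storage channel entry: it implements the dominance check over a lattice of classifications and categories, makes read/write decisions from it, and then shows how a finite shared resource (a disk quota) carries bits from a high subject to a low one even though every individual operation passes the Bell-LaPadula rules. The classification names, the subjects, and the DiskQuota resource are all constructed for illustration.

```python
# Added example (not from the original glossary): the "dominate" relation, the
# two Bell-LaPadula access rules built on it, and a covert storage channel that
# those rules do not close.  Level names, subjects and the disk-quota resource
# are constructed for illustration.
from dataclasses import dataclass

# Hierarchical classifications in increasing order; the non-hierarchical part
# of a security level is a set of categories (compartments).
CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        """S1 dominates S2 iff class(S1) >= class(S2) and cats(S1) is a superset of cats(S2)."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


def simple_security(subject: Level, obj: Level) -> bool:
    """Simple security property ("no read up"): read only if the subject's
    clearance dominates the object's classification."""
    return subject.dominates(obj)


def star_property(subject: Level, obj: Level) -> bool:
    """*-property ("no write down"): write only if the object's classification
    dominates the subject's current level."""
    return obj.dominates(subject)


def access_allowed(mode: str, subject: Level, obj: Level) -> bool:
    """Reference-monitor decision for the two access modes the model covers."""
    if mode == "read":
        return simple_security(subject, obj)
    if mode == "write":
        return star_property(subject, obj)
    raise ValueError(f"unknown access mode: {mode}")


class DiskQuota:
    """A finite resource shared by subjects at different levels (constructed)."""

    def __init__(self, sectors: int) -> None:
        self.free = sectors

    def allocate(self, n: int) -> bool:
        if n > self.free:
            return False          # the failure itself is observable by the caller
        self.free -= n
        return True

    def release(self, n: int) -> None:
        self.free += n


def covert_storage_channel(bits: list, sectors: int = 8) -> list:
    """HIGH signals each bit by exhausting (1) or not touching (0) the shared
    quota; LOW learns the bit from whether its own one-sector allocation
    succeeds.  Nothing is read up or written down, so Bell-LaPadula permits
    every step, yet the bit string crosses the level boundary."""
    quota = DiskQuota(sectors)
    received = []
    for bit in bits:
        if bit:
            quota.allocate(sectors)            # HIGH: fill the disk
        low_ok = quota.allocate(1)             # LOW: probe the shared resource
        received.append(0 if low_ok else 1)
        if bit:
            quota.release(sectors)             # HIGH: free it for the next bit
        else:
            quota.release(1)                   # LOW: free its probe sector
    return received


if __name__ == "__main__":
    secret_crypto = Level("SECRET", frozenset({"CRYPTO"}))
    secret = Level("SECRET")
    unclass = Level("UNCLASSIFIED")
    print(access_allowed("read", secret_crypto, secret))   # True: read down
    print(access_allowed("read", secret, secret_crypto))   # False: missing category
    print(access_allowed("write", secret, unclass))        # False: write down
    print(covert_storage_channel([1, 0, 1, 1, 0]))         # [1, 0, 1, 1, 0]
```

The category check is the part people get wrong: a SECRET subject without the CRYPTO category may not read a SECRET/CRYPTO object even though the hierarchical levels match, which is exactly what the "as a subset" clause in the dominate entry enforces. The quota loop shows why covert channel analysis is a separate assurance activity from proving the access rules: the channel never touches an object label at all.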
emanations => See compromising emanations.
embedded system => A system that performs or controls a function, either in whole or in part, as an integral element of a larger system or subsystem.
emergency plan => Synonymous with contingency plan.
emission security => The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from intercept and from an analysis of compromising emanations from systems.
encryption => The process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission or storage. Encryption is based on an algorithm and at least one key. Even if the algorithm is known, the information cannot be decrypted without the key(s).
end user => A person in contact with a Target of Evaluation who makes use only of its operational capability.
end to end encryption => The protection of information passed in a telecommunications system by cryptographic means, from point of origin to point of destination.
ETL => Endorsed Tools List - The list of formal verification tools endorsed by the NCSC for the development of systems with high levels of trust.
environment => (1) All entities - users, procedures, conditions, objects, AISs (automated information systems), and other IT (information technology) products - that interact with (affect the development, operation, and maintenance of) an IT product. (2) The aggregate of external procedures, conditions, and objects that affect the development, operation, and maintenance of a system.
erasure => A process by which a signal recorded on magnetic media is removed. Erasure is accomplished in two ways: (1) by alternating current erasure, in which the information is destroyed by applying an alternating high and low magnetic field to the media; or (2) by direct current erasure, in which the media are saturated by applying a unidirectional magnetic field.
evaluation => Technical assessment of a component's, product's, subsystem's, or system's security properties that establishes whether or not the component, product, subsystem, or system meets a specific set of requirements. Note: Evaluation is a term that causes much confusion in the security community, because it is used in many different ways. It is sometimes used in the general English sense (judgement or determination of worth or quality). Based on common usage of the term in the security community, one can distinguish between two types of evaluation: (1) evaluations that exclude the environment, and (2) evaluations that include the environment. This second type of evaluation, an assessment of a system's security properties with respect to a specific operational mission, is termed certification within this document. Evaluations that exclude the environment, the type of evaluation considered herein, are assessments of the security properties against defined criteria.
evaluation assurance => Source of IT product assurance based on the kind and intensity of the evaluation analysis performed on the product.
evaluation assurance component => Fundamental building block, specifying the type and the rigor of required evaluation activities, from which evaluation assurance requirements are assembled.
evaluation assurance package => Grouping of evaluation assurance components assembled to ease specification and common understanding of the type and the rigor of required evaluation activities.
evaluation assurance requirements => Requirements in a protection profile which address both the type and the rigor of activities that must occur during product evaluation.
evaluation criteria => A set of requirements defining the conditions under which an evaluation is performed. These requirements can also be used in the specification and development of systems and products.
evaluator => the independent person or organisation that performs an evaluation.
evaluator actions => a component of the evaluation criteria for a particular phase or aspect of evaluation, identifying what the evaluator must do to check the information supplied by the sponsor of the evaluation, and the additional activities he must perform.
evaluators => Individuals or groups responsible for the independent assessment of IT product security (e.g., product evaluators, system security officers, system certifiers, and system accreditors).
executive state => (1) One of several states in which a system may operate and the only one in which certain privileged instructions may be executed. Such instructions cannot be executed when the system is operating in other (for example, user) states. Synonymous with supervisor state. (2) A privileged state that can be used by supervisory software for multitasking operations. Reliable multitasking requires protection, such as segment-level protection. For example, segment-level protection can have the following protection checks: (a) type check, (b) limit check, (c) restriction of addressable domain, (d) restriction of procedure entry points, and (e) restriction of instruction set.
explain => Give required information and show that it satisfies all relevant requirements.
exploitable channel => Covert channel that is usable or detectable by subjects external to the AIS's trusted computing base and can be used to violate the AIS's technical security policy. (See covert channel.)
external security controls => Measures which include physical, personnel, procedural, and administrative security requirements and a separate certification and accreditation process that govern physical access to an IT product. Note: These measures constitute assumptions and boundary conditions that are part of the environment described in a protection profile.
fail safe => Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system.
fail soft => Pertaining to the selective termination of affected nonessential processing when a hardware or software failure is detected in a system.
failure access => An unauthorized and usually inadvertent access to data resulting from a hardware or software failure in the system.
failure control => The methodology used to detect and provide fail-safe or fail-soft recovery from hardware and software failures in a system.
family => Grouping of related components that all address the same type of
fault => A condition that causes a device or system component to fail to perform in a required manner.
fetch protection => (1) A system-provided restriction to prevent a program from accessing data in another user's segment of storage. (2) The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination, or elimination of a file.
file protection => The aggregate of all processes and procedures in a system designed to inhibit unauthorized access, contamination, or elimination of a file.
file security => The means by which access to computer files is limited to authorized users only.
flaw => An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.
flaw hypothesis methodology => A system analysis and penetration technique where specifications and documentation for the system are analyzed and then flaws in the system are hypothesized. The list of hypothesized flaws is then prioritized on the basis of the estimated probability that a flaw actually exists and, assuming a flaw does exist, on the ease of exploiting it and on the extent of control or compromise it would provide. The prioritized list is used to direct the actual testing of the system.
formal => Based upon precise and unambiguous syntax and semantics.
human user => A person who interacts with the TOE.
formal development methodology => A collection of languages and tools that enforces a rigorous method of verification. This methodology uses the Ina Jo specification language for successive stages of system development, including identification and modeling of requirements, high-level design, and program design.
formal model of security policy => an underlying model of security policy expressed in a formal style, i.e. an abstract statement of the important principles of security that a TOE will enforce.
formal proof => A complete and convincing mathematical argument, presenting the full logical justification for each proof step, for the truth of a theorem or set of theorems. The formal verification process uses formal proofs to show the truth of certain properties of a formal specification and to show that computer programs satisfy their specifications.
formal specification => Statement about a product made using the restricted syntax and grammar of a formal reasoning system and a set of terms that have been precisely and uniquely defined or specified. Note: The formal statement should be augmented by an informal explanation of the conventions used and the ideas being expressed. A well-formed syntax and semantics with complete specification of all constructs used must be referenced.
FTLS => Formal Top-Level Specification - A Top-Level Specification that is written in a formal mathematical language to allow theorems showing the correspondence of the system specification to its formal requirements to be hypothesized and formally proven.
formal verification => The process of using formal proofs to demonstrate the consistency (design verification) between a formal specification of a system and a formal security policy model, or (implementation verification) between the formal specification and its program implementation.
formal access approval => Documented approval by a data owner to allow access to a particular category of information.
formal security policy model => A mathematically precise statement of a security policy. To be adequately precise, such a model must represent the initial state of a system, the way in which the system progresses from one state to another, and a definition of a "secure" state of the system. To be acceptable as a basis for a TCB, the model must be supported by a formal proof that if the initial state of the system satisfies the definition of a "secure" state and if all assumptions required by the model hold, then all future states of the system will be secure. Some formal modeling techniques include: state transition models, denotational semantics models, and algebraic specification models. See Bell-La Padula model and security policy model.
security filter => A security filter, which could be implemented in hardware or software, that is logically separated from the remainder of the system to protect the system's integrity.
functional component => Fundamental building block, specifying what an IT product must be capable of doing, from which functional protection requirements are assembled.
functional package => Grouping of functional components assembled to ease specification and common understanding of what an IT product is capable of doing.
functional protection requirements => Requirements in a protection profile which address what conforming IT products must be capable of doing.
functional testing => The portion of security testing in which the advertised features of a system are tested for correct operation.
functional unit => a functionally distinct part of a basic component.
functionality => The totality of functional properties of a TOE that contributes to security.
functionality class => a predefined set of complementary security enforcing functions capable of being implemented in a Target of Evaluation.
general-purpose system => A computer system that is designed to aid in solving a wide variety of problems.
generic threat => Class of threats with common characteristics pertaining to vulnerabilities, agents, event sequences, and resulting misfortunes.
global requirements => Those which require analysis of the entire system and for which separate analysis of the individual TCB (trusted computing base) subsets does not suffice.
granularity => Relative fineness or coarseness to which an access control mechanism or other IT product aspect can be adjusted. Note: Protection at the file level is considered coarse granularity, whereas protection at the field level is considered to be finer granularity.
group => Named collection of user identifiers.
gypsy verification environment => An integrated set of tools for specifying, coding, and verifying programs written in the Gypsy language, a language similar to Pascal which has both specification and programming features. This methodology includes an editor, a specification processor, a verification condition generator, a user-directed theorem prover, and an information flow tool.
handshaking procedure => A dialogue between two entities (e.g., a user and a computer, a computer and another computer, or a program and another program) for the purpose of identifying and authenticating the entities to one another.
hierarchical decomposition => the ordered, structured reduction of a system or a component to primitives.
hierarchical development methodology => A methodology for specifying and verifying the design of programs written in the Special specification language. The tools for this methodology include the Special specification processor, the Boyer-Moore theorem prover, and the Feiertag information flow tool.
host => any computer-based system connected to the network and containing the necessary protocol interpreter software to initiate network access and carry out information exchange across the communications network. This definition encompasses typical "mainframe" hosts, generic terminal support machines (e.g., ARPANET TAC, DoDIIS NTC), and workstations connected directly to the communications subnetwork and executing the intercomputer networking protocols. A terminal is not a host because it does not contain the protocol software needed to perform information exchange; a workstation (by definition) is a host because it does have such capability.
identification => The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.
impersonating => Synonymous with spoofing.
implementation => a phase of the Development Process wherein the detailed specification of a Target of Evaluation is translated into actual hardware and software.
individual accountability => The ability to associate positively the identity of a user with the time, method, and degree of access to a system.
informal => Expressed in natural language.
informal specification => Statement about (the properties of) a product made using the grammar, syntax, and common definitions of a natural language (e.g., English). Note: While no notational restrictions apply, the informal specification is also required to provide defined meanings for terms which are used in a context other than that accepted by normal usage.
information protection policy => Set of laws, rules, and practices that regulate how an IT product will, within specified limits, counter threats expected in the product's assumed operational environment.
ISSO => Information System Security Officer - The person responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle of an AIS, from the beginning of the concept development plan through its design, development, operation, maintenance, and secure disposal.
ITSEC => Information Technology Security Evaluation Criteria - European security evaluation criteria for targets of evaluation (TOE).
information flow control => A procedure to ensure that information transfers within a system are not made from a higher security level object to an object of a lower security level. See covert channel, simple security property, star property (*-property). Synonymous with data flow control and flow control.
information processing standard => A set of detailed technical guidelines used to establish uniformity to support specific functions and/or interoperability in hardware, software, or telecommunications development, testing, and/or operation.
information protection policy => Set of laws, rules, and practices that regulate how an IT (information technology) product will, within specified limits, counter threats expected in the product's assumed operational environment.
IT => Information Technology - An international term for an information system, which consists of one or more automated information systems (AISs) or computer systems and communications systems.
integrity => a) The property that information or resources are not improperly affected. b) The property that assumptions about the known or expected state of information or resources remain true.
integrity policy => a security policy to prevent unauthorized users from modifying, viz., writing, sensitive information. See also Security Policy.
interdiction => See denial of service - DOS.
internal security controls => Mechanisms implemented in the hardware, firmware, and software of an IT product which provide protection for the IT product.
internal subject => a subject which is not acting as a direct surrogate for a user. A process which is not associated with any user but performs system-wide functions such as packet switching, line printer spooling, and so on. Also known as a daemon or a service machine.
interoperability => The ability of computers to act upon information received from one another.
isolation => The containment of subjects and objects in a system in such a way that they are separated from one another, as well as from the protection controls of the operating system.
IT Security => The state of security in an IT system.
IT System => A specific IT installation, with a particular purpose and operational environment.
key management => A method of electronically transmitting, in a secure fashion, a secret key for use with a secret key cryptographic system. Key management can be used to support communications privacy. This method can be accomplished most securely with public key cryptographic systems, which do not require the sharing of secret keys with third parties. Instead, a secret key is encrypted with a recipient's public key, and the recipient decrypts the result with his or her private key to receive the secret key. A variation of key management that is based on key exchange does not require encrypting the secret key.
key escrow system => An electronic means of reconstructing a secret key (for secret key encryption) or a private key (for public key encryption). The reconstructed key can then be used in a process to decrypt a communication.
key => A long string of seemingly random bits used with cryptographic algorithms to create or verify digital signatures and encrypt or decrypt messages and conversations. The keys must be known or guessed to forge a digital signature or decrypt an encrypted message.
label => see Security Label and Sensitivity Label.
lattice => A partially ordered set for which every pair of elements has a greatest lower bound and a least upper bound.
least privilege => The principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.
limited access => Synonymous with access control.
list oriented => A computer protection system in which each protected object has a list of all subjects authorized to access it. Compare ticket-oriented.
local requirements => Those for which separate analysis of the individual TCB (trusted computing base) subsets suffices to determine compliance for the composite TCB. (See the trusted database interpretation of the Trusted Computer System Evaluation Criteria for further information.)
lock and key protection system => A protection system that involves matching a key or password with a specific access requirement.
logic bomb => A resident computer program that triggers the perpetration of an unauthorized act when particular states of the system are realized.
loophole => An error of omission or oversight in software or hardware that permits circumventing the system security policy.
*-property => (Star Property) - A Bell-LaPadula security model rule allowing a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.
star property => A Bell-LaPadula security model rule allowing a subject write access to an object only if the security level of the subject is dominated by the security level of the object. Also known as the Confinement Property.
machine user => A machine, group of machines or other logical entity outside of the TOE which interacts with the TOE.
magnetic remanence => A measure of the magnetic flux density remaining after removal of the applied magnetic force. Refers to any data remaining on magnetic storage media after removal of the power.
maintenance hook => Special instructions in software to allow easy maintenance and additional feature development. These are not clearly defined during access for design specification. Hooks frequently allow entry into the code at unusual points or without the usual checks, so they are a serious security risk if they are not removed prior to live implementation. Maintenance hooks are special types of trap doors.
malicious logic => Hardware, software, or firmware that is intentionally included in a system for an unauthorized purpose; e.g., a Trojan horse.
mandatory access control => A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.
masquerading => Synonymous with spoofing.
mechanism => Operating system entry point or separate operating system support program that performs a specific action or related group of actions.
metadata => (1) Data referring to other data; data (such as data structures, indices, and pointers) that are used to instantiate an abstraction (such as "process," "task," "segment," "file," or "pipe"). (2) A special database, also referred to as a data dictionary, containing descriptions of the elements (e.g., relations, domains, entities, or relationships) of a database.
mimicking => Synonymous with spoofing.
modes of operation => A description of the conditions under which an AIS functions, based on the sensitivity of data processed and the clearance levels and authorizations of the users.
multilevel device => A device that is used in a manner that permits it to simultaneously process data of two or more security levels without risk of compromise. To accomplish this, sensitivity labels are normally stored on the same physical medium and in the same form (i.e., machine-readable or human-readable) as the data being processed.
multilevel secure => A class of system containing information with different sensitivities that simultaneously permits access by users with different security clearances and needs-to-know, but prevents users from obtaining access to information for which they lack authorization.
multilevel security mode => the mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present. Compare Dedicated Security Mode, System High Security Mode.
mutually suspicious => The state that exists between interacting processes (subsystems or programs) in which neither process can expect the other process to function securely with respect to some property.
NCSC => National Computer Security Center - Originally named the DoD Computer Security Center, the NCSC is responsible for encouraging the widespread availability of trusted computer systems throughout the Federal Government.
NSDD 145 => National Security Decision Directive 145 - Signed by President Reagan on 17 September 1984, this directive is entitled "National Policy on Telecommunications and Automated Information Systems Security." It provides initial objectives, policies, and an organizational structure to guide the conduct of national activities toward safeguarding systems that process, store, or communicate sensitive information; establishes a mechanism for policy development; and assigns implementation responsibilities.
NTISSD => National Telecommunications and Information System Security Directives - NTISS Directives establish national-level decisions relating to NTISS policies, plans, programs, systems, or organizational delegations of authority. NTISSDs are promulgated by the Executive Agent of the Government for Telecommunications and Information Systems Security, or by the Chairman of the NTISSC when so delegated by the Executive Agent. NTISSDs are binding upon all federal departments and agencies.
NTISSI => National Telecommunications and Information Systems Security Advisory Memoranda/Instructions - NTISS Advisory Memoranda and Instructions provide advice, assistance, or information of general interest on telecommunications and systems security to all applicable federal departments and agencies. NTISSAMs/NTISSIs are promulgated by the National Manager for Telecommunications and Automated Information Systems Security and are recommendatory.
need to know => (1) Access to, or knowledge or possession of, specific information required to carry out official duties. (2) The necessity for access to, knowledge of, or possession of specific information required to carry out official duties.
network architecture => the set of layers and protocols (including formats and standards that different hardware/software must comply with to achieve stated objectives) which define a network.
network component => a network subsystem which is evaluatable for compliance with the trusted network interpretations, relative to that policy induced on the component by the overall network policy.
network connection => A network connection is any logical or physical path from one host to another that makes possible the transmission of information from one host to the other. An example is a TCP connection. But also, when a host transmits an IP datagram employing only the services of its "connectionless" Internet Protocol interpreter, there is considered to be a connection between the source and the destination hosts for this transaction.
network reference monitor => an access control concept that refers to an abstract machine that mediates all access to objects within the network by subjects within the network.
network security => the protection of networks and their services from unauthorized modification, destruction, or disclosure. Providing an assurance that the network performs its critical functions correctly and there are no harmful side-effects. Includes providing for information accuracy.
network security architecture => a subset of network architecture specifically addressing security-relevant issues.
network sponsor => the individual or organization that is responsible for stating the security policy enforced by the network, for designing the network security architecture to properly enforce that policy, and for ensuring that the network is implemented in such a way that the policy is enforced. For commercial, off-the-shelf systems, the network sponsor will normally be the vendor. For a fielded network system, the sponsor will normally be the project manager or system administrator.
network system => a system which is implemented with a collection of interconnected network components. A network system is based on a coherent security architecture and design.
NTCB => Network Trusted Computing Base - the totality of protection mechanisms within a network system -- including hardware, firmware, and software -- the combination of which is responsible for enforcing a security policy. (See also Trusted Computing Base.)
network front end => A device that implements the necessary network protocols, including security-related protocols, to allow a computer system to be attached to a network.
nondiscretionary access control => Means of restricting access to objects based largely on administrative actions. (See mandatory access control.)
normal operation => Process of using a system.
object => A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, blocks, pages, segments, files, directories, directory trees, and programs, as well as bits, bytes, words, fields, processors, video displays, keyboards, clocks, printers, network nodes, etc.
object reuse => The reassignment and reuse of a storage medium (e.g., page frame, disk sector, magnetic tape) that once contained one or more objects. To be securely reused and assigned to a new subject, storage media must contain no residual data (magnetic remanence) from the object(s) previously contained in the media.
open security environment => An environment that includes those systems in which at least one of the following conditions holds true: (1) Application developers (including maintainers) do not have sufficient clearance or authorization to provide an acceptable presumption that they have not introduced malicious logic. (2) Configuration control does not provide sufficient assurance that applications are protected against the introduction of malicious logic prior to and during the operation of system applications.
operating procedure => a set of rules defining correct use of a Target of Evaluation.
operation => the process of using a Target of Evaluation.
operational documentation => the information produced by the developer of a Target of Evaluation to specify and explain how customers should use it.
OPSEC => Operations Security - An analytical process by which the U.S. Government and its supporting contractors can deny to potential adversaries information about capabilities and intentions by identifying, controlling, and protecting evidence of the planning and execution of sensitive activities and operations.
orange book => Alternate name for DoD Trusted Computer Security Evaluation Criteria.
OSI => The International Organization for Standardization provides a framework for defining the communications process between systems. This framework includes a network architecture consisting of seven layers. The architecture is referred to as the Open Systems Interconnection (OSI) Model or Reference Model. Services, and the protocols that implement them, for the different layers of the model are defined by international standards. From a systems viewpoint, the bottom three layers support the components of the network necessary to transmit a message, the next three layers generally pertain to the characteristics of the communicating end systems, and the top layer supports the end users. The seven layers are: (1) Physical Layer, (2) Link Layer, (3) Network Layer, (4) Transport Layer, (5) Session Layer, (6) Presentation Layer, and (7) Application Layer.
output => Information that has been exported by a TCB.
overt channel => an overt channel is a path within a network which is designed for the authorized transfer of data.
overwrite procedure => A stimulation to change the state of a bit followed by a known pattern. See magnetic remanence.
owner => User granted privileges with respect to security attributes and privileges affecting specific subjects and objects.
package => A set of components combined together to satisfy a set of identified objectives.
partial order => A relation that is reflexive (a is related to a), transitive (if a is related to b and b is related to c, then a is related to c), and antisymmetric (if a is related to b and b is related to a, then a and b are identical).
partitioned security mode => A mode of operation wherein all personnel have the clearance but not necessarily formal access approval and need-to-know for all information contained in the system. Not to be confused with compartmented security mode.
passive => (1) A property of an object or network object that it lacks logical or computational capability and is unable to change the information it contains. (2) Those threats to the confidentiality of data which, if realized, would not result in any unauthorized change in the state of the intercommunicating systems (e.g., monitoring and/or recording of data).
password => Protected/private character string used to authenticate an identity or to authorize access to data.
penetration => the successful violation of a protected system.
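The dominate, lattice, partial order, *-property and information flow control entries in this glossary all describe one structure: the Bell-LaPadula lattice of sensitivity labels. The following Python is an added worked example, not part of the original glossary; the classification names (UNCLASSIFIED through TOP SECRET) and the category names are constructed sample values, since the glossary defines dominance abstractly.

```python
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Iterable, Set

# Constructed sample hierarchy (an assumption of this example).
CLASSIFICATIONS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class SecurityLevel:
    """A sensitivity label: hierarchical classification plus a set of
    non-hierarchical categories (compartments)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in RANK:
            raise ValueError(f"unknown classification: {self.classification!r}")

    def dominates(self, other: "SecurityLevel") -> bool:
        """S1 dominates S2 iff class(S1) >= class(S2) and the categories of S2
        are a subset of those of S1 (the 'dominate' entry)."""
        return (RANK[self.classification] >= RANK[other.classification]
                and other.categories <= self.categories)

    def join(self, other: "SecurityLevel") -> "SecurityLevel":
        """Least upper bound: higher classification, union of categories."""
        hi = max(self.classification, other.classification, key=RANK.__getitem__)
        return SecurityLevel(hi, self.categories | other.categories)

    def meet(self, other: "SecurityLevel") -> "SecurityLevel":
        """Greatest lower bound: lower classification, intersection of categories."""
        lo = min(self.classification, other.classification, key=RANK.__getitem__)
        return SecurityLevel(lo, self.categories & other.categories)


def all_levels(categories: Iterable[str]) -> Set[SecurityLevel]:
    """Every label formed from the sample classifications and all subsets of
    the given categories; this full set is the lattice."""
    cats = list(categories)
    out = set()
    for cls in CLASSIFICATIONS:
        for mask in range(1 << len(cats)):
            subset = frozenset(c for i, c in enumerate(cats) if mask >> i & 1)
            out.add(SecurityLevel(cls, subset))
    return out


def is_partial_order(levels: Iterable[SecurityLevel]) -> bool:
    """Check that 'dominates' is reflexive, antisymmetric and transitive over a
    finite set of labels (the 'partial order' entry)."""
    ls = list(levels)
    if any(not a.dominates(a) for a in ls):
        return False
    for a, b in product(ls, ls):
        if a.dominates(b) and b.dominates(a) and a != b:
            return False
    for a, b, c in product(ls, ls, ls):
        if a.dominates(b) and b.dominates(c) and not a.dominates(c):
            return False
    return True


def is_lattice(levels: Iterable[SecurityLevel]) -> bool:
    """Every pair has a least upper bound and a greatest lower bound inside the
    given set (the 'lattice' entry); a partial subset of labels may fail this."""
    ls = set(levels)
    for a, b in product(ls, ls):
        lub, glb = a.join(b), a.meet(b)
        if lub not in ls or glb not in ls:
            return False
        if not (lub.dominates(a) and lub.dominates(b)):
            return False
        if any(u.dominates(a) and u.dominates(b) and not u.dominates(lub) for u in ls):
            return False
        if not (a.dominates(glb) and b.dominates(glb)):
            return False
        if any(a.dominates(w) and b.dominates(w) and not glb.dominates(w) for w in ls):
            return False
    return True


def flow_allowed(src: SecurityLevel, dst: SecurityLevel) -> bool:
    """Information flow control: a transfer from object src to object dst is
    permitted only if dst dominates src (never higher to lower)."""
    return dst.dominates(src)


def may_write(subject: SecurityLevel, obj: SecurityLevel) -> bool:
    """*-property: a subject may write an object only if the subject's level
    is dominated by the object's level."""
    return obj.dominates(subject)


if __name__ == "__main__":
    s1 = SecurityLevel("SECRET", frozenset({"NUCLEAR", "CRYPTO"}))
    s2 = SecurityLevel("CONFIDENTIAL", frozenset({"NUCLEAR"}))
    s3 = SecurityLevel("TOP SECRET")           # no categories: incomparable with s2
    print(s1.dominates(s2), s2.dominates(s1))  # True False
    print(s3.dominates(s2), s2.dominates(s3))  # False False
    print(s3.join(s2), s3.meet(s2))
    print(may_write(s2, s1), may_write(s1, s2))  # True False
    print(is_lattice(all_levels({"NUCLEAR", "CRYPTO"})), is_lattice({s1, s2, s3}))
```

Note that TOP SECRET with no categories neither dominates nor is dominated by CONFIDENTIAL {NUCLEAR}: the hierarchical level alone does not decide dominance, which is why the glossary's definition also requires category inclusion.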
penetration testing => tests performed by an evaluator on the Target of Evaluation in order to confirm whether or not known vulnerabilities are actually exploitable in practice.
penetration signature => The characteristics or identifying marks that may be produced by a penetration.
penetration study => A study to determine the feasibility and methods for defeating controls of a system.
periods processing => The processing of various levels of sensitive information at distinctly different times. Under periods processing, the system must be purged of all information from one processing period before transitioning to the next when there are different users with differing authorizations.
permissions => A description of the type of authorized interactions a subject can have with an object. Examples include: read, write, execute, add, modify, and delete.
personnel security => The procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances.
physical security => The application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information.
piggyback => Gaining unauthorized access to a system via another user's legitimate connection. See between-the-lines entry.
plaintext => See cleartext.
PPL => Preferred Products List - A list of commercially produced equipments that meet TEMPEST and other requirements prescribed by the National Security Agency. This list is included in the NSA Information Systems Security Products and Services Catalogue, issued quarterly and available through the Government Printing Office.
primitive => An ordering relation between TCB subsets based on dependency (see "depends" above). A TCB subset B is more primitive than a second TCB subset A (and A is less primitive than B) if (a) A directly depends on B or (b) a chain of TCB subsets from A to B exists such that each element of the chain directly depends on its successor in the chain.
print suppression => Eliminating the displaying of characters in order to preserve their secrecy; e.g., not displaying the characters of a password as it is keyed at the input terminal.
privacy => (1) the ability of an individual or organization to control the collection, storage, sharing, and dissemination of personal and organizational information. (2) The right to insist on adequate security of, and to define authorized users of, information or systems. Note: The concept of privacy cannot be very precise and its use should be avoided in specifications except as a means to require security, because privacy relates to "rights" that depend on legislation.
private key => The undisclosed key in a matched key pair - private key and public key - that each party safeguards for public key cryptography.
privilege => Special authorization that is granted to particular users to perform security relevant operations.
privileged instructions => A set of instructions (e.g., interrupt handling or special computer instructions) to control features (such as storage protection features) that are generally executable only when the automated system is operating in the executive state.
procedural security => Synonymous with administrative security.
process => a program in execution. It is completely characterized by a single current execution point (represented by the machine state) and address space.
producers => Providers of IT (information technology) product security (for example, product vendors, product developers, security analysts, and value-added resellers).
product => A package of IT software and/or hardware, providing functionality designed for use or incorporation within a multiplicity of systems.
product rationale => a description of the security capabilities of a product, giving the necessary information for a prospective purchaser to decide whether it will help to satisfy his system security objectives.
production => the process whereby copies of the Target of Evaluation are generated for distribution to customers.
profile => Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an IT product or AIS. (See Protection Profile.)
profile assurance => Measure of confidence in the technical soundness of a protection profile.
proprietary information => Information that is owned by a private enterprise and whose use and/or distribution is restricted by that enterprise. Note: Proprietary information may be related to the company's products, business, or activities, including but not limited to: financial information, data or statements; trade secrets; product research and development information; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and trade secrets or other company confidential information.
protection philosophy => An informal description of the overall design of a system that delineates each of the protection mechanisms employed. A combination (appropriate to the evaluation class) of formal and informal techniques is used to show that the mechanisms are adequate to enforce the security policy.
PP => Protection Profile - A combination of security requirements including assurance and functional requirements with associated rationale and target environment.
protection ring => One of a hierarchy of privileged modes of a system that gives certain access rights to user programs and processes authorized to operate in a given mode.
protocols => A set of rules and formats, semantic and syntactic, that permits entities to exchange information.
pseudoflaw => An apparent loophole deliberately implanted in an operating system program as a trap for intruders.
public key cryptography => Cryptography using two matched keys (or asymmetric cryptography) in which a single private key is not shared by a pair of users. Instead, users have their own key pairs. Each key pair consists of a matched private and public key. Public key cryptography can perform (1) digital signature, (2) secure transmission or exchange of secret keys, and/or (3) encryption and decryption. Examples of public key cryptography are DSS (Digital Signature Standard) and RSA (Rivest, Shamir, and Adleman).
purge => The removal of sensitive data from an AIS, AIS storage device, or peripheral device with storage capacity, at the end of a processing period. This action is performed in such a way that there is assurance proportional to the sensitivity of the data that the data may not be reconstructed. An AIS must be disconnected from any external network before a purge. After a purge, the medium can be declassified by observing the review procedures of the respective agency.
rating => a measure for the assurance that may be held in a Target of Evaluation, consisting of a reference to its security target, an evaluation level established by assessment of the correctness of its implementation and consideration of its effectiveness in the context of actual or proposed operational use, and a confirmed rating of the minimum strength of its security mechanisms.
RC2, RC4 => (Rivest Cipher 2, Rivest Cipher 4): Two secret key encryption systems that are implemented in mass-market software. These systems are proprietary and are marketed by RSA Data Security, Inc. RC2 and RC4 can be used with various key lengths, such as 40 bits or 56 bits.
read => A fundamental operation that results only in the flow of information from an object to a subject.
read access => Permission to read information.
ROM => Read-Only Memory - A storage area in which the contents can be read but not altered during normal computer processing.
real time => The actual time in which something, such as the communication of information, takes place.
recovery procedures => The actions necessary to restore a system's computational capability and data files after a system failure.
refinements => Requirement in a protection profile taken to a lower level of abstraction than the component on which it is based. Note: The refinement of a component requirement is necessary when multiple environment-specific requirements must be assigned to a single component requirement.
reliability => The probability of a given system performing its mission adequately for a specified period of time under the expected operating conditions.
requirements => Phase of the Development Process wherein the top level definition of the functionality of the system is produced.
residual risk => The portion of risk that remains after security measures have been applied.
residue => Data left in storage after processing operations are complete, but before degaussing or rewriting has taken place.
resource => anything used or consumed while performing a function. The categories of resources are: time, information, objects (information containers), or processors (the ability to use information). Specific examples are: CPU time; terminal connect time; amount of directly-addressable memory; disk space; number of I/O requests per minute, etc.
restricted area => Any area to which access is subject to special restrictions or controls for reasons of security or safeguarding of property or material.
risk => The expected loss due to, or impact of, anticipated threats in light of system vulnerabilities and strength or determination of relevant threat agents.
risk analysis => The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management. Synonymous with risk assessment.
risk index => The disparity between the minimum clearance or authorization of system users and the maximum sensitivity (e.g., classification and categories) of data processed by a system. See CSC-STD-003-85 and CSC-STD-004-85 for a complete explanation of this term.
risk management => The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
role => A defined set of functionally related operations, and the authorisations necessary to perform those operations, which may be assigned to users.
RSA => A public key algorithm invented by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman (RSA). RSA can be used to generate digital signatures, encrypt messages, and provide key management for DES (Data Encryption Standard), RC2 (Rivest Cipher 2), RC4 (Rivest Cipher 4), and other secret key algorithms. RSA performs the key management process, in part, by encrypting a secret key for an algorithm such as DES, RC2, or RC4 with the recipient's public key for secure transmission to the recipient. This secret key can then be used to support private communications.
safeguards => See security safeguards.
scavenging => Searching through object residue to acquire unauthorized data.
secrecy policy => a security policy to prevent unauthorized users from reading sensitive information. See also Security Policy.
secret key => The key that two parties share and keep secret for secret key cryptography. Given secret key algorithms of equal strength, the approximate difficulty of decrypting encrypted messages by brute force search can be measured by the number of possible keys. For example, a key length of 56 bits is over 65,000 times stronger or more resistant to attack than a key length of 40 bits.
secure state => A condition in which no subject can access any object in an unauthorized manner.
secure subsystem => A subsystem that contains its own implementation of the reference monitor concept for those resources it controls. However, the secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.
security => The combination of confidentiality, integrity and availability. [ITSEC]
security audit trail => Set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports, and/or backwards from records and reports to their component source transactions.
security administrator => A user or user role about which assumptions of correct behaviour need to be made to ensure the continuing correct operation of the TOE.
security architecture => the subset of computer architecture dealing with the security of the computer or network system. See computer architecture, network architecture.
security attribute => Information, controlled by the TSF and used in TSP enforcement, about a user, subject, resource or object.
security domain => Scope of potential interaction as enforced by the TSF.
security enforcing => that which directly contributes to satisfying the security objectives of the Target of Evaluation.
SF => Security Function - A part or parts of the TOE which enforce a closely related subset of the rules and objectives from the TOE Security Policy (TSP).
SFP => Security Function Policy (SFP) - A closely related subset of the rules and objectives of the TSP. The security policy enforced by a security function (SF).
security kernel => The hardware, firmware, and software elements of a Trusted Computing Base that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
security level => The combination of a hierarchical classification and a set of non-hierarchical categories that represents the sensitivity of information.
security mechanism => the logic or algorithm that implements a particular security enforcing or security relevant function in hardware and software.
security objectives => The contribution to security which a system or product is intended to achieve.
security policy => A set of rules and procedures regulating the use of information including its processing, storage, distribution and presentation.
security relevant => that which is not security enforcing, but must function correctly for the Target of Evaluation to enforce security.
security target => a specification of the security required of a Target of Evaluation, used as a baseline for evaluation. The security target will specify the security enforcing functions of the Target of Evaluation. It will also specify the security objectives, the threats to those objectives, and any specific security mechanisms that will be employed.
security testing => A process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed application environment. This process includes hands-on functional testing, penetration testing, and verification. See also: Functional Testing, Penetration Testing, Verification.
security audit trail => The set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports, and/or backward from records and reports to their component source transactions.
security evaluation => An evaluation done to assess the degree of trust that can be placed in systems for the secure handling of sensitive information. One type, a product evaluation, is an evaluation performed on the hardware and software features and assurances of a computer product from a perspective that excludes the application environment. The other type, a system evaluation, is done for the purpose of assessing a system's security safeguards with respect to a specific operational mission and is a major step in the certification and accreditation process.
security fault analysis => A security analysis, usually performed on hardware at gate level, to determine the security properties of a device when a hardware fault is encountered.
security features => The security-relevant functions, mechanisms, and characteristics of system hardware and software. Security features are a subset of system security safeguards.
security filter => A trusted subsystem that enforces a security policy on the data that pass through it.
security flaw => An error of commission or omission in a system that may allow protection mechanisms to be bypassed.
security measures => Elements of software, firmware, hardware, or procedures that are included in a system for the satisfaction of security specifications.
security perimeter => The boundary where security controls are in effect to protect assets.
security range => The highest and lowest security levels that are permitted in or on a system, system component, subsystem or network.
security requirements => The types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy.
security safeguards => The protective measures and controls that are prescribed to meet the security requirements specified for a system. Those safeguards may include but are not necessarily limited to: hardware and software security features, operating procedures, accountability procedures, access and distribution controls, management constraints, personnel security, and physical structures, areas, and devices. Also called safeguards.
security specifications => A detailed description of the safeguards required to protect a system.
security target => (1) A specification of the security required of a target of evaluation, used as a baseline for evaluation. The security target will specify the security-enforcing functions of the target of evaluation. It will also specify the security objectives, the threats to those objectives, and any specific security mechanisms that will be used. (2) Product-specific description, elaborating the more general requirements in a protection profile and including all evidence generated by the producers, of how a specific IT (information technology) product meets the security requirements of a given protection profile.
security testing => A process used to determine that the security features of a system are implemented as designed. This includes hands-on functional testing, penetration testing, and verification.
sensitive information => Any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an Executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.
shall => Indication that a requirement must be met unless a justification of why it cannot be met is given and accepted.
should => Indication of an objective requirement that requires less justification for non-conformance and should be more readily approved. Note: Should is often used when a specific requirement is not feasible in some situations or with common current technology.
simple security condition => A Bell-LaPadula security model rule allowing a subject read access to an object only if the security level of the subject dominates the security level of the object.
simple security property => A Bell-LaPadula security model rule allowing a subject read access to an object only if the security level of the subject dominates the security level of the object. Synonymous with simple security condition.
single level device => A device that is used to process data of a single security level at any one time. Since the device need not be trusted to separate data of different security levels, sensitivity labels do not have to be stored with the data being processed.
site certification => The comprehensive assessment of the technical and nontechnical security functions of an IT (information technology) system in its operational environment to establish the extent to which the system meets a set of specified security requirements, performed to support operational system accreditation.
skipjack => A classified 64-bit block encryption, or secret key encryption, algorithm. The algorithm uses 80-bit keys (compared with 56 for DES) and has 32 computational rounds or iterations (compared with 16 for DES). Skipjack supports all DES modes of operation. Skipjack provides high-speed encryption when implemented in a key-escrow chip.
software security => General purpose (executive, utility or software development tools) and applications programs or routines that protect data handled by a system.
sponsor => the person or organisation that requests an evaluation.
spoofing => An attempt to gain access to a system by posing as an authorized user. (Synonymous with impersonating, masquerading, and mimicking.)
state delta verification system => A system designed to give high confidence regarding microcode performance by using formulas that represent isolated states of a computation to check proofs concerning the course of that computation.
state variable => A variable that represents either the state of the system or the state of some system resource.
state => Give required information with no attempted or implied requirement, to justify the information presented.
storage object => An object that supports both read and write accesses.
SAISS => Subcommittee on Automated Information Systems Security - authorizes and directs the establishment, under the NTISSC, of a permanent Subcommittee on Automated Information Systems Security. The SAISS is composed of one voting member from each organization represented on the NTISSC.
subject => Active entity in an IT product or AIS, generally in the form of a process or device, that causes information to flow among objects or changes the system state.
system => an assembly of computer and/or communications hardware, software, and firmware configured for the purpose of classifying, sorting, calculating, computing, summarizing, transmitting and receiving, storing and retrieving data with the purpose of supporting users.
system entry => Mechanism by which an identified and authenticated user is provided access into the system.
SSO => System Security Officer - the person responsible for the security of a system. The SSO is authorized to act in the "security administrator" role. Functions that the SSO is expected to perform include: auditing and changing security characteristics of a user.
system integrity => The quality that a system has when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
tampering => An unauthorized modification that alters the proper functioning of an equipment or system in a manner that degrades the security or functionality it provides.
TOE => Target of Evaluation - An IT system, product or component which is identified as requiring security evaluation.
TCB subset => (trusted computing base subset) A set M of software, firmware, and hardware (where any of these three could be absent) that mediates the access of a set S of subjects to a set O of objects on the basis of a stated access control policy P and satisfies the properties: 1. M mediates every access to objects in O by subjects in S, 2. M is tamper resistant, and 3. M is small enough to be subject to analysis and tests, the completeness of which can be assured.
technical attack => An attack that can be perpetrated by circumventing or nullifying hardware and software protection mechanisms, rather than by subverting system personnel or other users.
technical policy => (1) The set of rules regulating access of subjects to objects enforced by a TCB (trusted computing base) subset. (2) The set of rules regulating access of subjects to objects enforced by a computer system.
technical vulnerability => A hardware, firmware, communication, or software flaw that leaves a computer processing system open for potential exploitation, either externally or internally, thereby resulting in risk for the owner, user, or manager of the system.
TEMPEST => The study and control of spurious electronic signals emitted by electrical equipment.
threat => Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
threat agent => A method used to exploit a vulnerability in a system, operation, or facility.
threat monitoring => The analysis, assessment, and review of audit trails and other data collected for the purpose of searching out system events that may constitute violations or attempted violations of system security.
ticket oriented => A computer protection system in which each subject maintains a list of unforgeable bit patterns, called tickets, one for each object the subject is authorized to access. Compare list-oriented.
time dependent password => A password that is valid only at a certain time of day or during a specified interval of time.
TSF => TOE Security Functions - All parts of the TOE which have to be relied upon for enforcement of the TOE Security Policy (TSP).
tool => a product used in the construction and/or documentation of a target of evaluation.
TLS => top-level specification - A nonprocedural description of system behavior at the most abstract level - typically, a functional specification that omits all implementation details.
tranquility => A security model rule stating that the security level of an object cannot change while the object is being processed by an AIS.
transaction => Set of subject actions and their associated data storage accesses.
trap door => (1) Hidden software or hardware mechanism that can be triggered to permit protection mechanisms in an automated information system to be circumvented. Note: A trap door is usually activated in some innocent-appearing manner (for example, a special random key sequence at a terminal). Software developers often write trap doors in their code that enable them to reenter the system to perform certain functions. (2) A secret entry point to a cryptographic algorithm through which the developer or another entity can bypass security controls and decrypt messages.
trojan horse => A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security or integrity.
trusted channel => a mechanism by which two NTCB partitions can communicate directly. This mechanism can be activated by either of the NTCB partitions, cannot be imitated by untrusted software, and maintains the integrity of information that is sent over it. A trusted channel may be needed for the correct operation of other security mechanisms.
TCB => Trusted Computing Base - The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy.
trusted path => A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.
trusted subject => a subject that is part of the TCB. It has the ability to violate the security policy, but is trusted not to actually do so. For example, in the Bell-LaPadula model a trusted subject is not constrained by the *-property and thus has the ability to write sensitive information into an object whose level is not dominated by the (maximum) level of the subject, but it is trusted to only write information into objects with a label appropriate for the actual level of the information.
untrusted => A qualifier implying that no assumptions about correct behaviour need to be made in order to ensure the correct enforcement of the TSP.
user => Any person who interacts directly with a computer system.
user id => user Identifier - Unique symbol or character string that is used by an IT product to uniquely identify a specific user.
validation => The process of assessing the usefulness of a system in relation to its intended use or purpose.
view => That portion of the database that satisfies the conditions specified in a query.
virus => (1) Malicious software, a form of Trojan horse, which reproduces itself in other executable code. (2) A self-propagating Trojan horse, composed of a mission component, a trigger component, and a self-propagating component. (3) Self-replicating malicious program segment that attaches itself to an application or other executable system component and leaves no external signs of its presence.
vulnerability => Weakness in an information system or components (e.g., system security procedures, hardware design, internal controls) that could be exploited to produce an information-related misfortune.
vulnerability assessment => an aspect of the assessment of the effectiveness of a Target of Evaluation, namely whether known vulnerabilities in that Target of Evaluation could in practice compromise its security as specified in the security target.
wiretapping => The real-time collection of transmitted data, such as dialed digits, and the sending of that data in real time to a listening device.
work factor => An estimate of the effort or time needed by a potential penetrator with specified expertise and resources to overcome a protective measure.
write => A fundamental operation that results only in the flow of information from a subject to an object.
write access => permission to write an object.