%!PS
%%Version: 3.3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.1 prologue for troff files.
%
% Overview: the prologue below defines page-geometry defaults, short aliases
% for printer-resident fonts, and the text-placement operators (f, w, m, t)
% used by the page bodies. The two pages that follow typeset a glossary of
% security terms (labels, privilege, auditing, trusted computing base, ...).
%
% NOTE(review): this file is a program, not passive data. pagesetup and done
% execute procedures (a pagedict entry, lastpage) that this file never
% defines, so whatever is prepended to the job or already present in the
% interpreter's dictionaries decides what those hooks run.
%

% Job-level defaults; the %%BeginSetup section further down overrides several.
/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def

/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def

% Short font names mapped to PostScript font names; the page bodies select a
% font with "<pointsize> <shortname> f".
/R /Times-Roman def
/I /Times-Italic def
/B /Times-Bold def
/BI /Times-BoldItalic def
/H /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/S /S def
/S1 /S1 def
/GR /Symbol def

% num inch -> num*72
/inch {72 mul} bind def
% a b min -> the smaller of a and b
/min {2 copy gt {exch} if pop} bind def

% mark [key value ...] setup -
% Defs any key/value pairs still on the stack above the mark, pops the mark,
% then builds the coordinate system from the parameters above: page centre,
% rotation, offsets, margin, magnification and the 72/resolution scaling.
/setup {
	counttomark 2 idiv {def} repeat pop

	landscape {/orientation 90 orientation add def} if
	/scaling 72 resolution div def
	linewidth setlinewidth
	1 setlinecap

	pagedimensions
	xcenter ycenter translate
	orientation rotation mul rotate
	width 2 div neg height 2 div translate
	xoffset inch yoffset inch neg translate
	margin 2 div dup neg translate
	magnification dup aspectratio mul scale
	scaling scaling scale

	addmetrics
	0 0 moveto
} def

% Sets width, height, xcenter and ycenter from pagebbox. When useclippath is
% true and userdict has no gotpagebbox entry yet, pagebbox is first replaced
% by the bounding box of the current clipping path (and rounded if roundpage
% is true and roundpagebbox is known). landscape swaps the operand pairs used
% for width and height. Records gotpagebbox in userdict when done.
/pagedimensions {
	useclippath userdict /gotpagebbox known not and {
		/pagebbox [clippath pathbbox newpath] def
		roundpage currentdict /roundpagebbox known and {roundpagebbox} if
	} if
	pagebbox aload pop
	4 -1 roll exch 4 1 roll 4 copy
	landscape {4 2 roll} if
	sub /width exch def
	sub /height exch def
	add 2 div /xcenter exch def
	add 2 div /ycenter exch def
	userdict /gotpagebbox true put
} def

% Defines fonts S (from Symbol) and S1 (from Times-Roman, with a copy of
% StandardEncoding) carrying the metric adjustments in Sdefs and S1defs.
/addmetrics {
	/Symbol /S null Sdefs cf
	/Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def

% pagenumber pagesetup -
% Stores the page number in /page; if currentdict knows both pagedict and an
% entry named by page, fetches the matching pagedict entry and executes it.
% This file defines no pagedict, so nothing in the file itself takes that
% branch.
/pagesetup {
	/page exch def
	currentdict /pagedict known currentdict page known and {
		page load pagedict exch get cvx exec
	} if
} def

% Candidate bodies for the text operator t, indexed by encoding number.
% Entry 2 (selected in the setup section below) expects
%     (strN) spacesN widthN ... (str1) spaces1 width1 count x y
% moves to (x, -y) and shows count strings starting with the one nearest the
% top of the stack, padding each space (character 32) so that the string
% fills its stated width. Strings on a t line therefore appear in reverse
% reading order.
/decodingdefs [
	{counttomark 2 idiv {y moveto show} repeat}
	{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
	{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
	{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
	{counttomark 2 idiv {y moveto show} repeat}
	{neg setfunnytext}
] def

% index setdecoding -   binds t to decodingdefs[index]
/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def

% (string) x y w -      show string at (x, -y)
/w {neg moveto show} bind def
% x y m -               move to (x, -y) and remember -y in /y
/m {neg dup /y exch def moveto} bind def

% Runs lastpage if some dictionary on the dictionary stack defines it.
/done {/lastpage where {pop lastpage} if} def

% pointsize fontname f -
% Records font, ptsize and size (ptsize / scaling), makes the scaled font
% current, sets the line width from linewidth and ptsize, and caches the
% width of a space in /spacewidth.
/f {
	dup /font exch def findfont exch
	dup /ptsize exch def scaling div dup /size exch def scalefont setfont
	linewidth ptsize mul scaling 10 mul div setlinewidth
	/spacewidth ( ) stringwidth pop def
} bind def

% slant height changefont -
% Replaces the current font with a copy transformed by a matrix that scales
% the height by height/ptsize and shears by tan(slant).
/changefont {
	/fontheight exch def
	/fontslant exch def
	currentfont [
		1 0
		fontheight ptsize div fontslant sin mul fontslant cos div
		fontheight ptsize div
		0 0
	] makefont setfont
} bind def

/sf {f} bind def

% basefont newfont newencoding chtab cf -
% Copies every basefont entry except FID into a new dictionary, installs
% newencoding when it is an array, adds a Metrics dictionary filled from the
% name/array pairs in chtab, and registers the result as newfont.
/cf {
	dup length 2 idiv
	/entries exch def
	/chtab exch def
	/newencoding exch def
	/newfont exch def

	findfont dup length 1 add dict
	/newdict exch def
	{1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall

	newencoding type /arraytype eq {newdict /Encoding newencoding put} if

	newdict /Metrics entries dict put
	newdict /Metrics get
	begin
		chtab aload pop
		1 1 entries {pop def} for
		newfont newdict definefont pop
	end
} bind def

%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
%	/radical	[0 -75 550 0]
%	/radicalex	[-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%

/Sdefs [
	/bracketlefttp		[201 500]
	/bracketleftbt		[201 500]
	/bracketrighttp		[-81 380]
	/bracketrightbt		[-83 380]
	/braceleftbt		[203 490]
	/bracketrightex		[220 -125 500 0]
	/radical		[0 0 550 0]
	/radicalex		[-50 0 500 0]
	/parenleftex		[-20 -170 0 0]
	/integral		[100 -50 500 0]
	/infinity		[10 -75 730 0]
] def

/S1defs [
	/underscore		[0 80 500 0]
	/endash			[7 90 650 0]
] def

%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%

/roundpagebbox {
	7 dict begin
		/papersizes [8.5 inch 11 inch 14 inch 17 inch] def

		% val mappapersize -> the papersizes entry closest to val when it
		% lies within half an inch of it, otherwise val unchanged
		/mappapersize {
			/val exch def
			/slop .5 inch def
			/diff slop def
			/j 0 def
			0 1 papersizes length 1 sub {
				/i exch def
				papersizes i get val sub abs
				dup diff le {/diff exch def /j i def} {pop} ifelse
			} for
			diff slop lt {papersizes j get} {val} ifelse
		} def

		pagebbox 0 0 put
		pagebbox 1 0 put
		pagebbox dup 2 get mappapersize 2 exch put
		pagebbox dup 3 get mappapersize 3 exch put
	end
} bind def

%%EndProlog
%%BeginSetup
% Every pair after the mark is def'd on the spot, so setup finds nothing but
% the mark to pop. Encoding 2 is then selected for the t operator.
mark
/linewidth 0.5 def
/xoffset 0 def
/yoffset 0 def
/#copies 1 store
/magnification 1 def
%%FormsPerPage: 1
/formsperpage 1 def
/landscape false def
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%%Page: 1 1
% Page bodies. Coordinates are in 1/720 inch with y growing down the page
% (w, m and t negate y). \256 and \257 inside strings are the fi and fl
% ligature codes. Each "% entry:" comment marks a bold glossary headword; on
% a t line the strings read right to left (see decodingdefs above).
/saveobj save def
mark
1 pagesetup
12 B f
(GLOSSARY)2550 1220 w
10 R f
( glossary for the Unix Research System, 10th Edition,)8 2298( The)1 223( to IX.)2 294(This glossary de\256nes terms peculiar)4 1505 4 720 1630 t
( certain terms used here:)4 983(which is incorporated by reference, de\256nes)5 1732 2 720 1750 t
10 I f
(argument, executable \256le, \256le, groupid,)4 1578 1 3462 1750 t
(inode, kernel, permission, process, stream, superuser, system call, terminal, u-area, umask, userid, utility.)12 4241 1 720 1870 t
% ---- page 1, left column ----
% entry: accept pex indicator
9 B f
(accept pex indicator)2 788 1 720 2132 t
9 R f
(a control, set with)3 668 1 1560 2132 t
9 I f
(privilege)2258 2132 w
9 R f
([1],)2608 2132 w
(on a stream to permit or deny)6 1087 1 765 2232 t
9 I f
(pexing)1878 2232 w
9 R f
(according as the)2 592 1 2144 2232 t
(stream is or is not)4 642 1 765 2332 t
9 I f
(trusted)1430 2332 w
9 R f
([3].)1703 2332 w
% entry: assured path
9 B f
(assured path)1 515 1 720 2479 t
9 R f
( comprising)1 451(a channel)1 365 2 1303 2479 t
9 I f
(trusted)2165 2479 w
9 R f
(streams)2461 2479 w
( information)1 460(and processes that is understood to pass)6 1511 2 765 2579 t
(faithfully without tampering or eavesdropping.)4 1690 1 765 2679 t
% entry: audit
9 B f
(audit)720 2826 w
9 R f
( such as \256le)3 496(to record security-related events,)3 1251 2 989 2826 t
(accesses, process creation, and exercise of)5 1611 1 765 2926 t
9 I f
(privilege)2416 2926 w
9 R f
([1].)765 3026 w
% entry: audit mask
9 B f
(audit mask)1 431 1 720 3173 t
9 R f
( with each process to)4 773(a bit vector associate)3 763 2 1200 3173 t
(specify the intensity of)3 824 1 765 3273 t
9 I f
(auditing.)1612 3273 w
% entry: bottom
9 B f
(bottom)720 3420 w
9 R f
(see)1041 3420 w
9 I f
(lattice label.)1 451 1 1179 3420 t
% entry: capability
9 B f
(capability)720 3567 w
9 R f
( a process to exercise a)5 910( right of)2 321(1. actual)1 344 3 1161 3567 t
9 I f
(privilege)765 3667 w
9 R f
([2]; cf.)1 257 1 1119 3667 t
9 I f
(license.)1410 3667 w
9 R f
(Process capabilities, which)2 996 1 1740 3667 t
( at any time, are determined at)6 1228(can be relinquished)2 743 2 765 3767 t
9 I f
(exec)765 3867 w
9 R f
( by intersecting its licenses and the)6 1420(\(2\), either)1 384 2 932 3867 t
9 I f
(capabilities)765 3967 w
9 R f
( it is executing or by)5 810([2] of the \256le)3 513 2 1221 3967 t
9 I f
(self-)2581 3967 w
(licensing.)765 4067 w
9 R f
( \256le to)2 257( right of an executable)4 863(2. potential)1 443 3 1173 4067 t
(exercise privilege.)1 661 1 765 4167 t
% entry: ceiling
9 B f
(ceiling)720 4314 w
9 R f
(a)1026 4314 w
9 I f
(label)1100 4314 w
9 R f
([1], which must dominate the label of)6 1422 1 1314 4314 t
( and)1 158( process)1 299( Every)1 267(any \256le involved in a system call.)6 1247 4 765 4414 t
(every \256le system has a ceiling.)5 1108 1 765 4514 t
% entry: constant
9 B f
(constant)720 4661 w
9 R f
(see)1091 4661 w
9 I f
(\256xity.)1229 4661 w
% entry: covert channel
9 B f
(covert channel)1 565 1 720 4808 t
9 R f
( path between untrusted)3 868(an information)1 535 2 1333 4808 t
(processes that does not obey the)5 1225 1 765 4908 t
9 I f
(mandatory security)1 710 1 2026 4908 t
(policy.)765 5008 w
9 R f
( channels)1 362(Always of low bandwidth, covert)4 1297 2 1077 5008 t
( error returns rather)3 764(usually involve inferences from)3 1207 2 765 5108 t
(than)765 5208 w
9 I f
(data \257ows.)1 391 1 943 5208 t
% entry: data flow
9 B f
(data \257ow)1 362 1 720 5355 t
9 R f
(explicit transfer of bits from place to place)7 1599 1 1137 5355 t
( places are processes, \256les,)4 1000( Pertinent)1 379(by system calls.)2 592 3 765 5455 t
( and u-area data,)3 684(directories, inodes, seek pointers,)3 1287 2 765 5555 t
(such as process)2 560 1 765 5655 t
9 I f
(ceiling,)1350 5655 w
9 R f
( and)1 154(exit status, umask, userid,)3 939 2 1643 5655 t
(groupid; cf.)1 421 1 765 5755 t
9 I f
(covert channel.)1 556 1 1209 5755 t
% entry: domination
9 B f
(domination)720 5902 w
9 R f
( among)1 272(a relationship)1 491 2 1209 5902 t
9 I f
(labels)1999 5902 w
9 R f
([1]. A)1 243 1 2241 5902 t
9 I f
(lattice)2511 5902 w
(label)765 6002 w
9 R f
(is said to)2 351 1 983 6002 t
9 B f
(dominate)1372 6002 w
9 R f
( and only if the)4 603(another if)1 363 2 1770 6002 t
( the latter does.)3 558(former has one bits in all positions that)7 1413 2 765 6102 t
( value)1 238(A label with label \257ag)4 886 2 765 6202 t
9 I f
(yes)1932 6202 w
9 R f
(dominates and is)2 646 1 2090 6202 t
( label with)2 389( A)1 115(dominated by any label.)3 876 3 765 6302 t
9 I f
(label \257ag)1 342 1 2172 6302 t
9 R f
(value)2541 6302 w
9 I f
(no)765 6402 w
9 R f
(does not dominate and is not dominated by)7 1614 1 888 6402 t
9 B f
(no)2534 6402 w
9 R f
(or)2661 6402 w
(by any lattice label.)3 707 1 765 6502 t
% entry: downgrade
9 B f
(downgrade)720 6649 w
9 R f
(to change, by use of)4 761 1 1205 6649 t
9 I f
(privilege,)1998 6649 w
9 R f
(the lattice)1 363 1 2373 6649 t
( to a lattice label that does not)7 1116(label of a \256le)3 492 2 765 6749 t
9 I f
(dominate)2401 6749 w
9 R f
(the previous value.)2 684 1 765 6849 t
% entry: drop
9 B f
(drop)720 6996 w
9 R f
( change the value of a process)6 1113(1. to)1 189 2 955 6996 t
9 I f
(label)2285 6996 w
9 R f
(so that)1 243 1 2493 6996 t
( value does not)3 598(the new)1 302 2 765 7096 t
9 I f
(dominate)1706 7096 w
9 R f
( A)1 129(the old value.)2 525 2 2082 7096 t
(process label can drop only at)5 1125 1 765 7196 t
9 I f
(exec)1923 7196 w
9 R f
( no argu-)2 348(\(2\) with)1 298 2 2090 7196 t
% ---- page 1, right column (the "drop" entry continues) ----
( decrease the)2 482( to)1 124(ments. 2.)1 361 3 3069 2132 t
9 I f
(ceiling)4067 2132 w
9 R f
(of a process, as by)4 697 1 4343 2132 t
9 I f
(drop)3069 2232 w
9 R f
(\(1\).)3246 2232 w
% entry: extern
9 B f
(extern)3024 2368 w
9 R f
(a)3327 2368 w
9 I f
(privilege)3402 2368 w
9 R f
([2] that allows the)3 693 1 3758 2368 t
9 I f
(label)4487 2368 w
9 R f
([1] of an)2 337 1 4703 2368 t
(open)3069 2468 w
9 I f
(external medium)1 613 1 3277 2468 t
9 R f
(to be set away from its quies-)6 1117 1 3923 2468 t
(cent value of)2 466 1 3069 2568 t
9 B f
(no)3558 2568 w
9 R f
(.)3653 2568 w
% entry: external medium
9 B f
(external medium)1 668 1 3024 2704 t
9 R f
( terminal or mag-)3 677(a \256le, such as a)4 610 2 3753 2704 t
( communicates with the outside world.)5 1428(netic tape, that)2 543 2 3069 2804 t
(Because the)1 442 1 3069 2904 t
9 I f
(mandatory security policy)2 961 1 3543 2904 t
9 R f
% NOTE(review): "cannnot" is a typo for "cannot" in the typeset text; the
% string is left untouched because its target width is part of the operands.
(cannnot auto-)1 503 1 4537 2904 t
( on external media,)3 722(matically be assured)2 758 2 3069 3004 t
9 I f
(privilege)4582 3004 w
9 R f
([2])4935 3004 w
(is required to initiate input/output thereon.)5 1528 1 3069 3104 t
% entry: fixity
9 B f
(\256xity)3024 3240 w
9 R f
(the degree to which a)4 800 1 3272 3240 t
9 I f
(label)4102 3240 w
9 R f
( \256le or pro-)3 433([1] on a)2 295 2 4312 3240 t
( values of \256xity are:)4 742( The)1 191(cess may be changed.)3 797 3 3069 3340 t
9 B f
(loose,)4827 3340 w
9 R f
(freely changeable to a dominating value;)5 1645 1 3069 3440 t
9 B f
(frozen,)4772 3440 w
9 R f
(changeable only explicitly by the owner;)5 1695 1 3069 3540 t
9 B f
(rigid,)4832 3540 w
9 R f
(changeable only with privilege; and)4 1404 1 3069 3640 t
9 B f
(constant,)4525 3640 w
9 R f
(not)4925 3640 w
(changeable.)3069 3740 w
% entry: floor
9 B f
(\257oor)3024 3876 w
9 R f
(a conventional)1 552 1 3274 3876 t
9 I f
(lattice label)1 452 1 3873 3876 t
9 R f
( to a)2 206([1] assigned)1 462 2 4372 3876 t
( \257oor is the label of)5 735( The)1 192(user's shell process at login.)4 1044 3 3069 3976 t
(the \256le)1 248 1 3069 4076 t
9 CW f
(/etc/floor)3340 4076 w
9 R f
(.)3880 4076 w
% entry: frozen
9 B f
(frozen)3024 4212 w
9 R f
(see)3315 4212 w
9 I f
(\256xity.)3453 4212 w
% entry: label
9 B f
(label)3024 4348 w
9 R f
( of the)2 235( designation)1 439(1. a)1 155 3 3256 4348 t
9 I f
(mandatory security)1 700 1 4110 4348 t
9 R f
(status)4835 4348 w
( label)1 209( representation of a)3 730( 2. the)2 294(of a \256le or process.)4 738 4 3069 4448 t
([1], comprising:)1 592 1 3069 4548 t
9 I f
(label \257ag, \256xity, lattice label, capa-)5 1344 1 3696 4548 t
(bilities)3069 4648 w
9 R f
([2], and)1 281 1 3337 4648 t
9 I f
(licenses)3641 4648 w
9 R f
([2].)3949 4648 w
% entry: label flag
9 B f
(label \257ag)1 369 1 3024 4784 t
9 R f
(part of a)2 343 1 3460 4784 t
9 I f
(label)3847 4784 w
9 R f
( tells whether the)3 685([2] that)1 284 2 4071 4784 t
(label's value is a)3 640 1 3069 4884 t
9 I f
(lattice label,)1 462 1 3743 4884 t
9 R f
(or one of two special)4 801 1 4239 4884 t
(values,)3069 4984 w
9 I f
(yes)3359 4984 w
9 R f
( data,)1 211(for generally readable and writable)4 1318 2 3511 4984 t
(such as)1 272 1 3069 5084 t
9 CW f
(/dev/null)3373 5084 w
9 R f
(, or)1 130 1 3859 5084 t
9 I f
(no)4021 5084 w
9 R f
(for generally unreadable)2 897 1 4143 5084 t
(and unwritable data, such as)4 1020 1 3069 5184 t
9 I f
(external media.)1 561 1 4112 5184 t
% entry: lattice label
9 B f
(lattice label)1 448 1 3024 5320 t
9 R f
(a designation of security level, the lattice)6 1517 1 3523 5320 t
( \257ow is permitted only)4 837( Data)1 221( 480 bits.)2 344(label comprises)1 569 4 3069 5420 t
( of the destination)3 658(if the lattice label)3 635 2 3069 5520 t
9 I f
(dominates)4388 5520 w
9 R f
(the lat-)1 256 1 4784 5520 t
( labels of all zeros and)5 820( Lattice)1 299(tice label of the source.)4 852 3 3069 5620 t
(all ones are called)3 649 1 3069 5720 t
9 B f
(bottom)3741 5720 w
9 R f
(and)4039 5720 w
9 B f
(top)4192 5720 w
9 R f
(respectively.)4340 5720 w
% entry: license
9 B f
(license)3024 5856 w
9 R f
( to exercise a)3 531( right of a process)4 719(1. potential)1 447 3 3343 5856 t
9 I f
(privilege)3069 5956 w
9 R f
( any)1 171( license can be relinquished at)5 1180([2]. A)1 258 3 3431 5956 t
( inherited across)2 611(time and is)2 414 2 3069 6056 t
9 I f
(exec)4127 6056 w
9 R f
( indicator)1 353(\(2\). 2. an)2 393 2 4294 6056 t
(of)3069 6156 w
9 I f
(self-licensing)3167 6156 w
9 R f
(of a \256le.)2 299 1 3670 6156 t
% entry: log
9 B f
(log)3024 6292 w
9 R f
(a)3194 6292 w
9 I f
(privilege)3267 6292 w
9 R f
([2] that allows querying and changing)5 1420 1 3620 6292 t
(the intensity of)2 541 1 3069 6392 t
9 I f
(auditing.)3633 6392 w
% entry: log file
9 B f
(log \256le)1 260 1 3024 6528 t
9 R f
(a special \256le for)3 600 1 3337 6528 t
9 I f
(audit)3967 6528 w
9 R f
( log \256le)2 292(information. A)1 566 2 4182 6528 t
( written regardless of labels and can be read by)9 1733(can be)1 238 2 3069 6628 t
( \256les are associated with ordinary)5 1285( Audit)1 266(no process.)1 420 3 3069 6728 t
(\256les by)1 263 1 3069 6828 t
9 I f
(setlog)3355 6828 w
9 R f
(\(2\).)3577 6828 w
% entry: loose
9 B f
(loose)3024 6964 w
9 R f
(see)3260 6964 w
9 I f
(\256xity.)3398 6964 w
% entry: mandatory security policy (continues on page 2)
9 B f
(mandatory security policy)2 1024 1 3024 7100 t
9 R f
(rules to govern)2 561 1 4103 7100 t
9 I f
(data \257ow)1 343 1 4697 7100 t
9 R f
( decisions about \256le)3 749(regardless of `discretionary' user)3 1222 2 3069 7200 t
cleartomark
showpage
saveobj restore
%%EndPage: 1 1
%%Page: 2 2
/saveobj save def
mark
2 pagesetup
9 R f
(- 2 -)2 151 1 2804 470 t
% ---- page 2, left column ("mandatory security policy" continues) ----
( certain actions of)3 653( on)1 115(permissions. Except)1 751 3 765 820 t
9 I f
(trusted)2310 820 w
9 R f
(pro-)2586 820 w
(cesses, a security)2 637 1 765 920 t
9 I f
(label)1434 920 w
9 R f
(of the destination of any data)5 1090 1 1646 920 t
(\257ow must)1 373 1 765 1020 t
9 I f
(dominate)1176 1020 w
9 R f
( Labels)1 302(the label of the source.)4 884 2 1550 1020 t
( every system call and are adjusted as)7 1377(are calculated at)2 594 2 765 1120 t
( cf.)1 150( dominance.)1 452(necessary to preserve)2 791 3 765 1220 t
9 I f
(covert channel)1 544 1 2192 1220 t
9 R f
(and)765 1320 w
9 I f
(TCB.)918 1320 w
% entry: no
9 B f
(no)720 1478 w
9 R f
(a non-)1 249 1 882 1478 t
9 I f
(lattice label)1 449 1 1131 1478 t
9 R f
( is)1 105(that neither dominates nor)3 1007 2 1624 1478 t
(dominated by any)2 650 1 765 1578 t
9 I f
(label)1440 1578 w
9 R f
( than)1 179([1] other)1 315 2 1645 1578 t
9 I f
(yes .)1 162 1 2163 1578 t
9 R f
(Because a)1 364 1 2372 1578 t
(\256le labeled)1 427 1 765 1678 t
9 I f
(no)1245 1678 w
9 R f
(cannot be read or written by any)6 1348 1 1388 1678 t
(un)765 1778 w
9 I f
(trusted)855 1778 w
9 R f
([2] process, it is safe to set a \256le label to)10 1463 1 1129 1778 t
9 B f
(no)2616 1778 w
9 R f
(;)2711 1778 w
(cf.)765 1878 w
9 I f
(extern.)881 1878 w
% entry: nochk
9 B f
(nochk)720 2036 w
9 R f
(a)1005 2036 w
9 I f
(privilege)1072 2036 w
9 R f
( to access a)3 424([2] that allows a process)4 893 2 1419 2036 t
(\256le regardless of)2 601 1 765 2136 t
9 I f
(domination.)1389 2136 w
% entry: pex
9 B f
(pex)720 2294 w
9 R f
( pipe)1 180( A)1 113( access to a \256le.)4 578(to assert process-exclusive)2 963 4 902 2294 t
( if it is also pexed at)6 728(pexed at one end can be used only)7 1243 2 765 2394 t
(the other; see)2 481 1 765 2494 t
9 I f
(pex)1269 2494 w
9 R f
(\(4\).)1401 2494 w
% entry: poison class
9 B f
(poison class)1 465 1 720 2652 t
9 R f
(a \256le attribute, visible and settable only)6 1493 1 1243 2652 t
(with)765 2752 w
9 I f
(privilege)967 2752 w
9 R f
( auditing to at least a)5 840([1], that forces)2 567 2 1329 2752 t
(speci\256ed)765 2852 w
9 I f
(poison mask)1 456 1 1115 2852 t
9 R f
(level when a process mentions)4 1134 1 1602 2852 t
(the \256le.)1 271 1 765 2952 t
% entry: poison mask
9 B f
(poison mask)1 488 1 720 3110 t
9 R f
( auxiliary bit vectors that)4 946(one of several)2 526 2 1264 3110 t
% NOTE(review): "augemnt" is a typo for "augment" in the typeset text; the
% string is left untouched because its target width is part of the operands.
(can augemnt the)2 591 1 765 3210 t
9 I f
(audit mask.)1 416 1 1379 3210 t
% entry: privilege
9 B f
(privilege)720 3368 w
9 R f
( of)1 116(1. mechanism)1 542 2 1119 3368 t
9 I f
(capabilities)1818 3368 w
9 R f
(and)2279 3368 w
9 I f
(licenses)2451 3368 w
9 R f
(for controlling deviation from the basic)5 1535 1 765 3468 t
9 I f
(mandatory)2346 3468 w
(security policy)1 555 1 765 3568 t
9 R f
( 2.)1 142( privilege.)1 394(and for administering)2 830 3 1370 3568 t
( of privilege:)2 504(one of six distinct classes)4 997 2 765 3668 t
9 I f
(extern, log,)1 428 1 2308 3668 t
(nochk, setlic, setpriv,)2 765 1 765 3768 t
9 R f
(and)1553 3768 w
9 I f
(uarea;)1706 3768 w
9 R f
(cf.)1969 3768 w
9 I f
(trusted.)2085 3768 w
% entry: privilege server
9 B f
(privilege server)1 611 1 720 3926 t
9 R f
(the utility)1 362 1 1390 3926 t
9 I f
(priv)1789 3926 w
9 R f
(\(1\), which, following)2 795 1 1941 3926 t
(rules in the \256le)3 554 1 765 4026 t
9 I f
(privs)1347 4026 w
9 R f
(\(5\), grants)1 376 1 1534 4026 t
9 I f
(licenses)1938 4026 w
9 R f
( to)1 97([1] needed)1 388 2 2251 4026 t
(exercise)765 4126 w
9 I f
(privilege.)1083 4126 w
% entry: rigid
9 B f
(rigid)720 4284 w
9 R f
(see)951 4284 w
9 I f
(\256xity.)1089 4284 w
% entry: self-license
9 B f
(self-license)720 4442 w
9 R f
( a)1 67(possession by a \256le of)4 809 2 1184 4442 t
9 I f
(capability)2087 4442 w
9 R f
([2] and)1 262 1 2474 4442 t
(a corresponding)1 591 1 765 4542 t
9 I f
(license)1392 4542 w
9 R f
( the)1 145( gives)1 226([2]. Self-licensing)1 687 3 1678 4542 t
(corresponding)765 4642 w
9 I f
(capability)1303 4642 w
9 R f
([1] to a process at)4 642 1 1686 4642 t
9 I f
(exec)2351 4642 w
9 R f
(\(2\).)2518 4642 w
% ---- page 2, right column ----
% entry: session
9 B f
(session)3024 820 w
9 R f
( with special rights, usu-)4 905(an interval of running)3 796 2 3339 820 t
(ally evidenced by a distinct terminal)5 1320 1 3069 920 t
9 I f
(label)4414 920 w
9 R f
([1],)4619 920 w
9 I f
(ceiling,)4772 920 w
9 R f
(or)3069 1020 w
9 I f
(stream identi\256er;)1 623 1 3167 1020 t
9 R f
(see)3813 1020 w
9 I f
(session)3951 1020 w
9 R f
(\(1\).)4218 1020 w
% entry: setlic
9 B f
(setlic)3024 1156 w
9 R f
(a)3285 1156 w
9 I f
(privilege)3368 1156 w
9 R f
([2] that allows the)3 714 1 3731 1156 t
9 I f
(licenses)4488 1156 w
9 R f
([1] or)1 224 1 4816 1156 t
9 I f
(ceiling)3069 1256 w
9 R f
(of a process to be set arbitrarily.)6 1161 1 3337 1256 t
% entry: setpriv
9 B f
(setpriv)3024 1392 w
9 R f
(a)3343 1392 w
9 I f
(privilege)3414 1392 w
9 R f
([2] that allows changing the)4 1039 1 3765 1392 t
9 I f
(capa-)4835 1392 w
(bilities)3069 1492 w
9 R f
([2] and)1 258 1 3337 1492 t
9 I f
(licenses)3618 1492 w
9 R f
([2] of \256les.)2 399 1 3926 1492 t
% entry: stream identifier
9 B f
(stream identi\256er)1 645 1 3024 1628 t
9 R f
(a string that is by exercise of)6 1086 1 3723 1628 t
9 I f
(privi-)4840 1628 w
(lege)3069 1728 w
9 R f
([1] attached to a stream to describe properties of)8 1792 1 3248 1728 t
(the stream and its destination; see)5 1335 1 3069 1828 t
9 B f
(FIOGSRC)4452 1828 w
9 R f
(and)4910 1828 w
9 B f
(FIOSSRC)3069 1928 w
9 R f
(in)3482 1928 w
9 I f
(stream)3575 1928 w
9 R f
(\(4\).)3827 1928 w
% entry: TCB, trusted computing base
9 B f
(TCB, trusted computing base)3 1156 1 3024 2064 t
9 R f
(the kernel,)1 389 1 4234 2064 t
9 I f
(trusted)4654 2064 w
9 R f
([1])4935 2064 w
( data for these utilities, and utilities)6 1385(utilities, critical)1 586 2 3069 2164 t
( Faith-)1 271( \256les in the TCB.)4 660(that may be used to process)5 1040 3 3069 2264 t
(fulness to the)2 509 1 3069 2364 t
9 I f
( policy)1 256(mandatory security)1 712 2 3615 2364 t
9 R f
(depends on)1 421 1 4619 2364 t
(the correctness of the TCB.)4 990 1 3069 2464 t
% entry: top
9 B f
(top)3024 2600 w
9 R f
(see)3195 2600 w
9 I f
(lattice label.)1 451 1 3333 2600 t
% entry: trusted
9 B f
(trusted)3024 2736 w
9 R f
( some)1 214(1. having)1 360 2 3346 2736 t
9 I f
(capability)3944 2736 w
9 R f
(or)4328 2736 w
9 I f
(license;)4427 2736 w
9 R f
( a)1 65(said of)1 244 2 4731 2736 t
( only way a)3 482( The)1 207(\256le, especially an executable \256le.)4 1282 3 3069 2836 t
( to change its privileges)4 881(trusted \256le can be modi\256ed is)5 1090 2 3069 2936 t
(with capability)1 559 1 3069 3036 t
9 I f
(setpriv.)3671 3036 w
9 R f
( some capability;)2 656(2. having)1 379 2 4005 3036 t
( are not neces-)3 545( processes)1 374( Superuser)1 412(said of a process.)3 640 4 3069 3136 t
( immune to tamper-)3 714( to be)2 203( 3. understood)2 562(sarily trusted.)1 492 4 3069 3236 t
( stream associated with)3 848(ing or eavesdropping, said of a)5 1123 2 3069 3336 t
(an)3069 3436 w
9 I f
(external medium;)1 633 1 3177 3436 t
9 R f
(cf.)3833 3436 w
9 I f
(assured path.)1 486 1 3972 3436 t
% entry: trusted computing base
9 B f
(trusted computing base)2 901 1 3024 3572 t
9 R f
(Same as)1 298 1 3971 3572 t
9 I f
(TCB.)4292 3572 w
% entry: uarea
9 B f
(uarea)3024 3708 w
9 R f
(a)3319 3708 w
9 I f
(privilege)3411 3708 w
9 R f
( userid,)1 296([2] that allows changing)3 961 2 3783 3708 t
( The)1 194( u-area.)1 279(groupid, and logname in the per-process)5 1498 3 3069 3808 t
( both read-)2 401(privilege is required lest these items, being)6 1570 2 3069 3908 t
( writable by untrusted processes, provide a)6 1649(able and)1 322 2 3069 4008 t
(means to violate the)3 754 1 3069 4108 t
9 I f
(mandatory security policy.)2 986 1 3857 4108 t
9 R f
(The)4900 4108 w
(permission mask \(umask\), and the process)5 1558 1 3069 4208 t
9 I f
(ceiling)4656 4208 w
9 R f
(are)4930 4208 w
(protected by other means; see)4 1072 1 3069 4308 t
9 I f
(exec)4164 4308 w
9 R f
(\(2\) and)1 258 1 4331 4308 t
9 I f
(setplab)4612 4308 w
9 R f
(\(2\).)4879 4308 w
% entry: yes
9 B f
(yes)3024 4444 w
9 R f
(a non-)1 228 1 3190 4444 t
9 I f
(lattice label)1 428 1 3418 4444 t
9 R f
(that dominates and is dominated)4 1171 1 3869 4444 t
(by any)1 259 1 3069 4544 t
9 I f
(label)3367 4544 w
9 R f
( \256le labeled)2 451([1]. A)1 254 2 3585 4544 t
9 B f
(yes)4328 4544 w
9 R f
(can be read or)3 554 1 4486 4544 t
(written by any un)3 634 1 3069 4644 t
9 I f
(trusted)3703 4644 w
9 R f
([2] process.)1 421 1 3976 4644 t
cleartomark
showpage
saveobj restore
%%EndPage: 2 2
%%Trailer
done
%%Pages: 2
%%DocumentFonts: Courier Times-Bold Times-Italic Times-Roman