600.436 High-Assurance Systems
Fall 01/Introduction
Positive vs. Negative Policies:
• Compare:
–Prevent disclosure to unauthorized users
–Ensure that disclosure occurs only to authorized users, and only in a fashion consistent with the security policy.
• The second can be tested:
1.Show that there exists no communication path to any unauthorized user agent.
2.Show that the last link in each remaining path is trusted software.
3.Verify that each piece of trusted software enforces the appropriate security policy.
–The first cannot: it names only an outcome to avoid, so it yields no finite list of things to check, and a test can show at most that the disclosures it looked for were not found.
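As an added worked example (not from the course slides), the three checks above are run literally over a toy model of a system in Python: objects, software components and user agents form a directed graph of communication paths, the policy is the simple security property (a user may receive an object only if clearance dominates classification), and each trusted component carries the guard it applies before releasing data. The node names, the three-level lattice and the guard functions are assumptions made for the illustration.

```python
"""Checking a positive disclosure policy over a system graph.

Illustration added for this page (not from the course slides).  Nodes are
objects (classified data), software (trusted or not) and user agents
(with a clearance).  Edges are communication paths.  The three checks are:
  1. no path from an object to a user whose clearance does not dominate it,
  2. the last link on every remaining path is trusted software,
  3. every trusted component's guard agrees with the policy (here verified
     by exhausting the small level lattice).
All names, levels and guards below are assumed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}  # assumed lattice


@dataclass
class Node:
    name: str
    kind: str                        # "object" | "software" | "user"
    level: str = "UNCLASSIFIED"      # classification (object) or clearance (user)
    trusted: bool = False            # meaningful only for software
    guard: Optional[Callable[[str, str], bool]] = None  # trusted software only


def dominates(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]


def simple_security_guard(obj_level: str, user_level: str) -> bool:
    """Guard of a correct reference monitor: release only if user dominates object."""
    return dominates(user_level, obj_level)


def inverted_guard(obj_level: str, user_level: str) -> bool:
    """Guard of a buggy 'trusted' component that compares the wrong way round."""
    return dominates(obj_level, user_level)


def all_paths(graph: Dict[str, List[str]], src: str, dst_kind: str,
              nodes: Dict[str, Node]) -> List[List[str]]:
    """Enumerate simple paths from src to every node of kind dst_kind."""
    paths: List[List[str]] = []

    def dfs(cur: str, path: List[str]) -> None:
        for nxt in graph.get(cur, ()):
            if nxt in path:          # ignore cycles
                continue
            if nodes[nxt].kind == dst_kind:
                paths.append(path + [nxt])
            else:
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return paths


def check_disclosure_policy(nodes: Dict[str, Node],
                            graph: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (kind, detail) violations; an empty list means all three checks pass."""
    violations: List[Tuple[str, str]] = []
    for obj in (n for n in nodes.values() if n.kind == "object"):
        for path in all_paths(graph, obj.name, "user", nodes):
            user, last_link = nodes[path[-1]], nodes[path[-2]]
            if not dominates(user.level, obj.level):          # check 1
                violations.append(("unauthorized-path", " -> ".join(path)))
            elif last_link.kind != "software" or not last_link.trusted:  # check 2
                violations.append(("untrusted-last-link", " -> ".join(path)))
    # check 3: every trusted guard must agree with the policy on every level pair
    for sw in (n for n in nodes.values() if n.kind == "software" and n.trusted):
        for o in LEVELS:
            for u in LEVELS:
                if sw.guard(o, u) != dominates(u, o):
                    violations.append(("guard-wrong", f"{sw.name}: {o} -> {u}"))
    return violations


def build_system(monitor_guard: Callable[[str, str], bool]):
    """Assumed toy system: a SECRET database reaches a cleared user only via a monitor."""
    nodes = {n.name: n for n in [
        Node("payroll_db", "object", "SECRET"),
        Node("report_gen", "software"),                     # untrusted
        Node("ref_monitor", "software", trusted=True, guard=monitor_guard),
        Node("alice", "user", "TOP_SECRET"),
        Node("bob", "user", "UNCLASSIFIED"),
    ]}
    graph = {"payroll_db": ["report_gen"],
             "report_gen": ["ref_monitor"],
             "ref_monitor": ["alice"]}
    return nodes, graph


if __name__ == "__main__":
    nodes, graph = build_system(simple_security_guard)
    print("baseline:", check_disclosure_policy(nodes, graph))
    graph["report_gen"].append("bob")        # new path to an uncleared user
    print("after adding bob:", check_disclosure_policy(nodes, graph))
```

Each of the three checks fails in a recognisably different way: adding an edge to an uncleared user is caught by check 1, an edge that bypasses the monitor to reach a cleared user is caught by check 2, and swapping in the inverted guard is caught by check 3 without any change to the graph. Note that the same function cannot be written for the negative policy, because there is nothing to enumerate.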