| Positive vs. Negative Policies: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| ¨ | Compare: |
||||||||||||||
| – | Prevent
disclosure to unauthorized users |
||||||||||||||
| – | Ensure
that disclosure occurs only to authorized users, and only |
||||||||||||||
| in a
fashion consistent with the security policy. |
|||||||||||||||
| ¨ | The
second can be tested: |
||||||||||||||
| 1. | Show
that there exists no communication path to any |
||||||||||||||
| unauthorized
user agent. |
|||||||||||||||
| 2. | Show
that the last link in each remaining path is trusted |
||||||||||||||
| software. |
|||||||||||||||
| 3. | Verify
that each piece of trusted software enforces the |
||||||||||||||
| appropriate
security policy. |
|||||||||||||||
| – | The
first cannot! |
||||||||||||||
|
|
| 600.436 High- |
|
| Assurance
Systems |
|
| Fall
01/Introduction |
| 20 |