that neither tokens nor capabilities lists provide.



               You’ll explore several security models in the following sections; all of
               them can shed light on how security enters into computer
               architectures and operating system design:


                    Trusted computing base

                    State machine model

                    Information flow model

                    Noninterference model

                    Take-Grant model

                    Access control matrix

                    Bell-LaPadula model

                    Biba model

                    Clark-Wilson model

                    Brewer and Nash model (also known as Chinese Wall)

                    Goguen-Meseguer model


                    Sutherland model

                    Graham-Denning model

               Although no system can be totally secure, it is possible to design and
               build reasonably secure systems. In fact, if a secured system complies
               with a specific set of security criteria, it can be said to exhibit a level of
               trust. Therefore, trust can be built into a system and then evaluated,
               certified, and accredited. But before we can discuss each security
               model, we have to establish a foundation on which most security

               models are built. This foundation is the trusted computing base.


               Trusted Computing Base

               An old U.S. Department of Defense standard known colloquially as the
               Orange Book/Trusted Computer System Evaluation Criteria (TCSEC)
               (DoD Standard 5200.28, covered in more detail later in this chapter in