Page 510 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
these predetermined secure states, integrity is maintained and
interference is prohibited.
A common example of the Sutherland model is its use to prevent a
covert channel from being used to influence the outcome of a process
or activity. (For a discussion of covert channels, see Chapter 9.)
Graham-Denning Model
The Graham-Denning model is focused on the secure creation and
deletion of both subjects and objects. Graham-Denning is a collection
of eight primary protection rules or actions that define the boundaries
of certain secure actions:
Securely create an object.
Securely create a subject.
Securely delete an object.
Securely delete a subject.
Securely provide the read access right.
Securely provide the grant access right.
Securely provide the delete access right.
Securely provide the transfer access right.
Usually the specific abilities or permissions of a subject over a set of
objects are defined in an access matrix (aka access control matrix).
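The eight commands above as guarded operations on an access matrix, in an added Python example that is not from the study guide. The preconditions (an `owner` right on objects, a `control` right on subjects, and a `*` copy flag required for transfer) follow the usual formulation of Graham-Denning and are assumptions here, since the page does not spell them out; all class and method names are illustrative.

```python
class Denied(Exception):
    """A command's precondition on the access matrix did not hold."""

class AccessMatrix:
    RESERVED = {"owner", "control"}  # assumed: set only by the create commands
    def __init__(self, root):
        self.rows = {root: {root: {"control"}}}  # subject -> entity -> rights
        self.entities = {root}                   # every subject and object

    def rights(self, s, e):
        return self.rows.get(s, {}).get(e, set())

    def _check(self, ok, why):
        if not ok:
            raise Denied(why)

    def _create(self, x, e, tag):
        self._check(x in self.rows and e not in self.entities, f"{x} cannot create {e}")
        self.entities.add(e)
        self.rows[x][e] = {tag}

    def _delete(self, x, e, tag):
        self._check(tag in self.rights(x, e), f"{x} lacks {tag} on {e}")
        self.entities.discard(e)
        self.rows.pop(e, None)        # drop the row if e was a subject
        for row in self.rows.values():
            row.pop(e, None)          # drop the column everywhere

    def _governs(self, x, s, o):      # x controls s or owns o
        return "control" in self.rights(x, s) or "owner" in self.rights(x, o)

    def _give(self, ok, x, s, o, r):
        self._check(ok and s in self.rows and r not in self.RESERVED, f"{x} cannot give {r} on {o}")
        self.rows[s].setdefault(o, set()).add(r)

    # The eight commands; x is the subject invoking the command.
    def create_object(self, x, o): self._create(x, o, "owner")
    def create_subject(self, x, s):
        self._create(x, s, "control")
        self.rows[s] = {}
    def delete_object(self, x, o): self._delete(x, o, "owner")
    def delete_subject(self, x, s): self._delete(x, s, "control")
    def read_rights(self, x, s, o):
        self._check(self._governs(x, s, o), f"{x} may not inspect {s}")
        return set(self.rights(s, o))
    def grant(self, x, s, o, r): self._give("owner" in self.rights(x, o), x, s, o, r)
    def transfer(self, x, s, o, r): self._give(r + "*" in self.rights(x, o), x, s, o, r)
    def delete_right(self, x, s, o, r):
        self._check(self._governs(x, s, o), f"{x} may not revoke from {s}")
        self.rights(s, o).discard(r)
```

Every change to the matrix goes through one of the eight commands, and each command raises `Denied` unless its precondition holds, so a subject holding plain `read` cannot pass it on while one holding `read*` can.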

