Page 645 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
well-defined, specific interfaces to provide necessary security. All
inbound requests from outer (less-sensitive) layers are subject to
stringent authentication and authorization checks before they’re
allowed to proceed (or denied, if they fail such checks). Using layering
for security is similar to using security domains and lattice-based
security models in that security and access controls over certain
subjects and objects are associated with specific layers and privileges
and that access increases as you move from outer to inner layers.
In fact, separate layers can communicate only with one another
through specific interfaces designed to maintain a system’s security
and integrity. Even though less secure outer layers depend on services
and data from more secure inner layers, they know only how to
interface with those layers and are not privy to those inner layers’
internal structure, characteristics, or other details. So that layer
integrity is maintained, inner layers neither know about nor depend
on outer layers. No matter what kind of security relationship may exist
between any pair of layers, neither can tamper with the other (so that
each layer is protected from tampering by any other layer). Finally,
outer layers cannot violate or override any security policy enforced by
an inner layer.
Abstraction
Abstraction is one of the fundamental principles behind the field
known as object-oriented programming. It is the “black-box” doctrine
that says that users of an object (or operating system component)
don’t necessarily need to know the details of how the object works;
they need to know just the proper syntax for using the object and the
type of data that will be returned as a result (that is, how to send input
and receive output). This is very much what’s involved in mediated
access to data or services, such as when user mode applications use
system calls to request administrator mode services or data (and
where such requests may be granted or denied depending on the
requester’s credentials and permissions) rather than obtaining direct,
unmediated access.
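The layering and abstraction rules described above, as an added example that is not from the study guide: a toy Python gatekeeper in which an outer-layer caller can reach an inner layer only through its exported interfaces, is checked for clearance before the request proceeds, cannot see the inner layer's internal state, and cannot override a policy the inner layer enforces. The names Layer, Caller and mediated_call, and the clearance ranks, are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed clearance ordering for the example: a higher rank satisfies a lower one.
CLEARANCE_RANK = {"user": 0, "admin": 1}


@dataclass(frozen=True)
class Caller:
    """A subject: the layer it runs in (0 = innermost) and its clearance."""
    layer: int
    clearance: str


class Layer:
    """A layer reachable from outside only through its exported interfaces."""

    # Exported interface name -> clearance an outer caller must hold.
    # Every other attribute and method is internal structure.
    INTERFACES = {"read_setting": "user", "write_setting": "admin"}

    def __init__(self, level):
        self.level = level
        self._state = {"policy": "deny-by-default", "log_level": "info"}

    def read_setting(self, key):
        return self._state.get(key, "<unset>")

    def write_setting(self, key, value):
        # Outer layers cannot override a policy this layer enforces.
        if key == "policy":
            raise PermissionError("policy is enforced by this layer, not by its callers")
        self._state[key] = value
        return "ok"


def mediated_call(target, caller, name, *args):
    """Gatekeeper for cross-layer requests. Returns (granted, result_or_reason)."""
    if caller.layer <= target.level:
        # Inner layers never depend on outer ones: requests flow outer -> inner only.
        return False, "denied: requests may only flow from outer to inner layers"
    if name not in target.INTERFACES:
        # Internal structure is not exposed, so its existence is not confirmed.
        return False, "denied: no such interface"
    if CLEARANCE_RANK.get(caller.clearance, -1) < CLEARANCE_RANK[target.INTERFACES[name]]:
        return False, "denied: insufficient clearance"
    try:
        return True, getattr(target, name)(*args)
    except PermissionError as exc:
        return False, f"denied: {exc}"
```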
Another way in which abstraction applies to security is in the
introduction of object groups, sometimes called classes, where access