
SECTION 10

DEFINITIONS

ABNORMAL TERMINATION
the termination of a process by itself or another process using the PCIS abnormal termination facility.

ACTIVATE
to create a PCIS process out of a program which is in a form suitable for execution. The activation of a program binds that program to its execution environment, consisting of the resources required to support the execution of a program. The activation of a program marks the earliest point in time at which the resulting process can be referenced within the PCIS environment.

ARCHIVE
a subset of the data represented in the OMS that has been relegated to a potentially less readily accessible storage medium while retaining the integrity, consistency and availability of all information in the object management system. The subset is capable of restoration to active use by a PCIS implementation.

ATTRIBUTE
a property of an object. An object is said to be described by its attributes. An attribute is an element of information pertaining to an object.

AUDIT
to record information about an invocation of some PCIS facility.

BACKUP
a redundant copy of some subset of the data represented in the OMS. The subset is capable of restoration to active use by a PCIS implementation, particularly in the event of a loss of completeness or integrity in the data in use by the implementation.

CLASS
a set of objects that share a common behavior. Defines the methods (operations), messages (requests for operations), and properties (attributes) of a similar group of objects. Classes may themselves be objects (entities). Classes usually are templates from which individual objects can be created.

COMPONENT
an object or relationship which is associated with the object of which it is a component.

COMPOSITE OBJECT
an object that can have components; it is possible that a composite object can have zero components, exactly one component, or more than one component.

CONFIDENTIALITY (see NON-DISCLOSURE).

CONSISTENCY
preservation of conformance of the structure and contents of data to rules established by: a particular IPSE as defined by the PCIS, implementation-defined PCIS values and parameters, IPSE administrators, and users.

DEACTIVATE
to remove a terminated process so that it may no longer be referenced within the PCIS environment.

DISCRETIONARY ACCESS CONTROL
a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject [NATO87], provided this is consistent with the security policy being operated within the environment.

DYNAMIC MAPPING
a mapping between a logical device and a physical device which is capable of being changed while the logical device is being used by a process.

ENTITY
a representation of a person, place, event or other thing.

ENVIRONMENT
a set of functions that support the system development and maintenance process. Includes information repositories, tools, a framework and will involve human intervention and human procedures.

EXACT IDENTITY
a designation of an object (or relationship) that is always associated with the object (or relationship) that it designates. This exact identity will always designate exactly the same object (or relationship), and it cannot be changed.

EXECUTION THREAD WAITING
delay of the execution of a thread within a process until a PCIS service requested by this thread has been performed. Other threads in the same process are not delayed.

EXPORT CHANNEL
an information transfer path leaving the control of a TCS.

FACILITY
an abstract function that may be mapped onto one or more subprograms.

FORMAL DEFINITION
a definition of semantics using an unambiguously defined notation (for example, a definition using VDM, Z, denotational semantics or axiomatic semantics).

FRAMEWORK
a set of mechanisms for linking two or more tools, providing them with an infrastructure for tool integration.

HISTORY
a recording of the manner in which objects, relationships and attribute values were produced and of information which was relevant in the production of those objects, relationships or attribute values.

IDENTIFICATION
the act of unambiguously specifying that to which a designated operation applies.

IMPORT CHANNEL
an information transfer path entering the control of a TCS.

INHERITANCE
a mechanism which allows a class to obtain part of its definition (of structure and behavior) from another class or set of classes. A way of sharing descriptions.

INTEGRITY
protection against corruption; in the Security context, protection against unauthorized change.

INTERFACE
a set of facilities which is provided for use by tools.

INTEROPERABILITY
the ability of environments to exchange database objects and relationships in forms usable by tools and user programs.

KEY ATTRIBUTE
a distinguished attribute of a relationship, useful in its unique identification.

LOCATOR INPUT
the input of a display location using a pointing device such as a mouse.

LOGICAL DEVICE
an abstraction of a set of physical devices with similar properties. A logical device has specified characteristics, and specified operations may be performed on it. For any particular operation on a logical device there may be an interpretation of the effect on a particular physical device.

LOGICAL DEVICE TYPE
the properties of a set of logical devices.

LOGICAL RESOURCES
computational resources, storage resources and logical devices.

MANDATORY ACCESS CONTROL
a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (that is, clearance) of subjects to access information of such sensitivity [NATO87].
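The two access-control definitions above (DISCRETIONARY ACCESS CONTROL and MANDATORY ACCESS CONTROL) are easiest to tell apart by watching both checks run over the same request. The following Python model is an added illustration, not part of the IRAC document or any PCIS implementation: the three-level sensitivity lattice, the subjects, the object and the policy that only a holder of a permission may pass it on are all constructed assumptions. It shows that a DAC permission can be handed from one subject to another, whereas the MAC decision depends only on the object's label and the subject's clearance and is unaffected by anything a subject grants.

```python
from dataclasses import dataclass, field

# Sensitivity lattice used by the MAC check. The concrete levels are constructed
# for this example; the IRAC text only says a label represents sensitivity.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Subject:
    name: str
    clearance: str                            # formal authorization used by MAC
    groups: set = field(default_factory=set)  # group identities used by DAC


@dataclass
class Obj:
    name: str
    label: str                                # sensitivity of the contained information
    acl: dict = field(default_factory=dict)   # DAC: principal name -> set of permissions


def dac_permits(subject, obj, perm):
    """DAC: decided by the identity of the subject or of a group it belongs to."""
    principals = {subject.name} | subject.groups
    return any(perm in obj.acl.get(p, set()) for p in principals)


def dac_grant(granter, obj, grantee, perm):
    """DAC permission passing: a subject holding a permission may pass it on.
    Assumed policy: only a current holder of the permission can pass it."""
    if not dac_permits(granter, obj, perm):
        raise PermissionError(f"{granter.name} does not hold {perm} on {obj.name}")
    obj.acl.setdefault(grantee, set()).add(perm)


def mac_permits(subject, obj):
    """MAC: the subject's clearance must dominate the object's label.
    No subject action can relax this; it is not discretionary."""
    return LEVELS[subject.clearance] >= LEVELS[obj.label]


def access_allowed(subject, obj, perm):
    """Reference-monitor style decision: both controls must agree."""
    return mac_permits(subject, obj) and dac_permits(subject, obj, perm)


def demo():
    """Constructed scenario; returns the decision taken at each step."""
    alice = Subject("alice", "SECRET", {"devs"})
    bob = Subject("bob", "CONFIDENTIAL")
    carol = Subject("carol", "SECRET")
    plan = Obj("plan.txt", "SECRET", acl={"devs": {"read"}})

    results = {}
    results["alice_read"] = access_allowed(alice, plan, "read")   # True: group ACL + clearance
    results["bob_before"] = access_allowed(bob, plan, "read")     # False: no ACL entry yet
    dac_grant(alice, plan, "bob", "read")                        # alice passes read on to bob
    results["bob_dac"] = dac_permits(bob, plan, "read")           # True: DAC now permits
    results["bob_after"] = access_allowed(bob, plan, "read")      # False: MAC still denies
    dac_grant(alice, plan, "carol", "read")
    results["carol_after"] = access_allowed(carol, plan, "read")  # True: cleared and granted
    try:
        dac_grant(bob, plan, "carol", "write")                    # bob holds no write to pass
        results["bob_grant_write"] = "allowed"
    except PermissionError:
        results["bob_grant_write"] = "refused"
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The point to take from the run is the `bob_after` line: a DAC grant changes the ACL, but the MAC comparison of clearance against label is made independently of the ACL, which is what makes it mandatory rather than discretionary.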

MECHANISM
a realization of a requirement by, or as a part of, one or more coordinated facilities.

NESTED TRANSACTION
a transaction that is enclosed within another transaction. The nested transaction behaves as if it were a single operation within the enclosing transaction.

NETWORK
two or more computers, including workstations and machines of different capabilities, possibly at remote locations, linked together by data-communication channels to permit data exchange.

NON-DISCLOSURE
ensuring that access to information is controlled.

NORMAL TERMINATION
the self-determined termination of a process without the use of the PCIS abnormal termination facilities.

OBJECT
an entity that contains or receives information. Access to an object potentially implies access to the information it contains. Associated with each object is a type which defines the attributes and operations for the object.

PHYSICAL DEVICE
a particular piece of computer system hardware.

PROCESS
the execution of any program.

PROGRAM
a computer program; a set of compilation units, one of which is a subprogram called the "main program". Execution of the program consists of execution of the main program, which may invoke subprograms declared in the compilation units of the program.

RECOVERY
the resumption of operation after a system failure or other discontinuity. In a secure system trusted recovery must be possible without further compromise of the security policy.

RELATIONSHIP
an association among objects. A relationship among N objects (not necessarily distinct) is known as an "N-ary" relationship. A relationship is said to connect the objects that are associated by it.

RESOURCE
any capacity which must be scheduled, assigned, or controlled by the underlying implementation to assure consistent and non-conflicting usage by Processes. Examples of resources include: CPU time, memory space (actual and virtual), and shared facilities (variables, devices, spoolers, etc.).

RESUME
to continue a suspended process.

ROLE
a named set of privileges that can be assigned to a user in accordance with a task he or she has to perform.

SERVICE
that which is achieved by using a facility.

STATIC MAPPING
a mapping between a logical device and a physical device which cannot be changed while the logical device is being used by a process.

SUBJECT
[NATO87] states: "an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state. Technically, a process/domain pair". "Entity" and "Process" as used here should be understood in the context of [NATO87] and not in the sense in which they are defined above.

SUSPEND
to stop a process such that it can be resumed. In the context of a program with multiple execution threads, this implies the suspension of all execution threads, and the prevention of the activation of any thread until the process is resumed.

TCB
Trusted Computing Base. The totality of protection mechanisms within a computer system - including hardware, firmware and software - the combination of which is responsible for enforcing a security policy. It creates a basic protection environment and provides additional user services required for a trusted computer system. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (for example, a user's clearance) related to the security policy [NATO87].

TCS
Trusted Computer System. A system that employs sufficient hardware and software integrity measures to allow its use for simultaneous secure processing of information having differing security classifications.

TERMINATE
to stop a process such that it cannot be resumed. In the context of a program with multiple execution threads, this implies the termination of all execution threads.

TOOL
a program. More specifically, a tool is any program which is not an application program, and which is part of or an extension to the environment, thus assisting in life-cycle support of application software.

TRANSACTION
an identified set of operations or transactions, which, when executed alone, constitutes an indivisible operation that transforms one consistent state of the OMS into a new consistent state. Either the whole set is applied (commit) or none of it (abort).
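The TRANSACTION definition above (all of the set applied on commit, none of it on abort, consistent state to consistent state) and the NESTED TRANSACTION definition (a nested transaction behaves as a single operation within its enclosing transaction) can be demonstrated with a small in-memory model. The following Python is an added example, not part of the IRAC document or of any PCIS OMS implementation; the dictionary store, the `invariant` check on top-level commit and the write-buffering scheme are constructed assumptions made to keep the model self-contained.

```python
class Transaction:
    """Buffers writes against a dict-based store.

    A top-level commit applies the buffered writes to the store atomically
    (after checking the consistency rule); a nested commit merges its writes
    into the enclosing transaction, so they reach the store only if the
    enclosing transaction itself commits. Abort discards the buffer.
    """

    def __init__(self, store, parent=None, invariant=None):
        self.store = store
        self.parent = parent
        self.invariant = invariant      # consistency rule checked at top-level commit
        self.pending = {}               # key -> value written in this transaction
        self.state = "active"

    def write(self, key, value):
        if self.state != "active":
            raise RuntimeError(f"transaction is {self.state}")
        self.pending[key] = value

    def read(self, key):
        # Own writes first, then enclosing transactions', then the committed store.
        t = self
        while t is not None:
            if key in t.pending:
                return t.pending[key]
            t = t.parent
        return self.store.get(key)

    def begin_nested(self):
        return Transaction(self.store, parent=self)

    def commit(self):
        if self.state != "active":
            raise RuntimeError(f"transaction is {self.state}")
        if self.parent is not None:
            # Nested: becomes one operation of the enclosing transaction.
            self.parent.pending.update(self.pending)
        else:
            # Top level: the new state must satisfy the consistency rule,
            # otherwise nothing is applied (abort).
            candidate = dict(self.store)
            candidate.update(self.pending)
            if self.invariant is not None and not self.invariant(candidate):
                self.abort()
                raise ValueError("commit would violate consistency rule; aborted")
            self.store.update(candidate)
        self.state = "committed"

    def abort(self):
        self.pending.clear()
        self.state = "aborted"


def demo():
    """Constructed scenario; returns what the store and transactions saw at each step."""
    # Consistency rule (assumed): the balance is never negative.
    store = {"balance": 100}
    no_overdraft = lambda s: s["balance"] >= 0

    seen = {}
    outer = Transaction(store, invariant=no_overdraft)
    outer.write("balance", 90)

    inner = outer.begin_nested()
    inner.write("balance", 50)
    inner.write("note", "draft")
    inner.abort()                                   # nested abort: only its own writes go
    seen["after_inner_abort"] = (outer.read("balance"), outer.read("note"))   # (90, None)

    inner2 = outer.begin_nested()
    inner2.write("balance", 80)
    inner2.commit()                                 # merges into outer, not yet in store
    seen["after_inner_commit"] = (outer.read("balance"), store["balance"])    # (80, 100)

    outer.abort()                                   # enclosing abort discards the nested commit too
    seen["after_outer_abort"] = store["balance"]    # 100

    t2 = Transaction(store, invariant=no_overdraft)
    t2.write("balance", -5)
    try:
        t2.commit()
        seen["bad_commit"] = "applied"
    except ValueError:
        seen["bad_commit"] = (t2.state, store["balance"])   # ("aborted", 100)

    t3 = Transaction(store, invariant=no_overdraft)
    t3.write("balance", 70)
    t3.commit()
    seen["good_commit"] = store["balance"]          # 70
    return seen


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The `after_outer_abort` step is the one that distinguishes a nested transaction from an independent one: `inner2` committed, yet its write never reached the store, because a nested commit only makes the writes part of the enclosing transaction's single indivisible operation.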

TRANSPORTABILITY
the ability to install a tool on a different PCIS implementation without changing its functionality. Transportability is measured in the degree to which this installation can be accomplished without reprogramming.

TYPING
a partitioning, according to designated type definitions, of objects, relationships and attributes into sets, called object types, relationship types and attribute types.

USER INTERFACE MANAGEMENT SYSTEM
a set of tool-independent facilities, which supports the structured presentation of output to a human user and the delivery of input in terms of the output presentation structure.