- ABNORMAL TERMINATION
- the termination of a process by itself or another process using the
PCIS abnormal termination facility.
- to create a PCIS process out of a program which is in a
form suitable for execution. The activation of a program binds that
program to its execution environment, consisting of the resources
required to support the execution of a program. The activation of a
program marks the earliest point in time at which the resulting process
can be referenced within the PCIS environment.
- a subset of the data represented in the OMS that has been
relegated to a potentially less readily accessible storage medium while
retaining the integrity, consistency and availability of all
information in the object management system. The subset is capable of
restoration to active use by a PCIS implementation.
- property of an object. An object is said to be
described by its attributes. An element of information pertaining to an
- to record information about an invocation of some PCIS
- a redundant copy of some subset of the data represented in the
OMS. The subset is capable of restoration to active use by a PCIS
implementation, particularly in the event of a loss of completeness or
integrity in the data in use by the implementation.
- a set of objects that share a common behavior. Defines the
methods (operations), messages (requests for operations), and
properties (attributes) of a similar group of objects. Classes may
themselves be objects (entities). Classes usually are templates from
which individual objects can be created.
- an object or relationship which is associated with the
object of which it is a component.
- COMPOSITE OBJECT
- an object that can have components; it is possible that a composite
object can have zero components, exactly one component, or more than
- preservation of conformance of the structure and
contents of data to rules established by: a particular IPSE as defined
by the PCIS, implementation-defined PCIS values and parameters, IPSE
administrators, and users.
- to remove a terminated process so that it may no longer
be referenced within the PCIS environment.
- DISCRETIONARY ACCESS CONTROL
- a means of restricting access to objects based on the identity of
subjects and/or groups to which they belong. The controls are
discretionary in the sense that a subject with a certain access
permission is capable of passing that permission (perhaps indirectly)
on to any other subject [NATO87], provided this is consistent with the
security policy being operated within the environment.
- DYNAMIC MAPPING
- a mapping between a logical device and a physical
device which is capable of being changed while the logical device is
being used by a process.
- a representation of a person, place, event or other thing.
- a set of functions that support the system development
and maintenance process. It includes information repositories, tools and
a framework, and involves human intervention and human procedures.
- EXACT IDENTITY
- a designation of an object (or relationship) that is
always associated with the object (or relationship) that it designates.
This exact identity will always designate exactly the same object (or
relationship), and it cannot be changed.
- EXECUTION THREAD WAITING
- delay of the execution of a thread within a process until a PCIS
service requested by this thread has been performed. Other threads in
the same process are not delayed.
- EXPORT CHANNEL
- an information transfer path leaving the control of a
- an abstract function that may be mapped onto one or
- FORMAL DEFINITION
- a definition of semantics using an unambiguously defined notation (for
example, a definition using VDM, Z, denotational semantics or axiomatic
- a set of mechanisms for linking two or more tools,
providing them with an infrastructure for tool integration.
- a recording of the manner in which objects, relationships and
attribute values were produced and of information which was relevant in
the production of those objects, relationships or attribute values.
- the act of unambiguously specifying that to which a
designated operation applies.
- IMPORT CHANNEL
- an information transfer path entering the control of a
- a mechanism which allows a class to obtain part of its
definition (of structure and behavior) from another class or set of
classes. A way of sharing descriptions.
- protection against corruption; in the Security context,
protection against unauthorized change.
- a set of facilities which is provided for use by
- the ability of environments to exchange
database objects and relationships in forms usable by tools and user
- KEY ATTRIBUTE
- a distinguished attribute of a relationship, useful in
its unique identification.
- LOCATOR INPUT
- the input of a display location using a pointing device
such as a mouse.
- LOGICAL DEVICE
- an abstraction of a set of physical devices with
similar properties. A logical device has specified characteristics, and
specified operations may be performed on it. For any particular
operation on a logical device there may be an interpretation of the
effect on a particular physical device.
- LOGICAL DEVICE TYPE
- the properties of a set of logical devices.
- LOGICAL RESOURCES
- computational resources, storage resources and logical devices.
- MANDATORY ACCESS CONTROL
- a means of restricting access to objects based on the sensitivity (as
represented by a label) of the information contained in the objects and
the formal authorization (that is, clearance) of subjects to access
information of such sensitivity [NATO87].
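The DISCRETIONARY and MANDATORY ACCESS CONTROL definitions above describe two checks that an implementation applies together. The following is an added illustration in Python, not code from the PCIS documents: a DAC grant that passes a permission on to another subject, and a MAC check that a subject's clearance dominates the object's label. The level names, compartments, subjects and objects are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels: a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    """Sensitivity label of an object, or clearance of a subject."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A clearance dominates a label when its level is at least as high
        # and it covers every compartment the label carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass
class Subject:
    name: str
    clearance: Label                          # formal authorization (MAC)

@dataclass
class Object:
    name: str
    label: Label                              # sensitivity of the information (MAC)
    acl: dict = field(default_factory=dict)   # subject name -> set of modes (DAC)

def dac_grant(obj, grantor, grantee, mode):
    """DAC: a subject that holds a permission may pass it on to another subject."""
    if mode not in obj.acl.get(grantor.name, set()):
        raise PermissionError(f"{grantor.name} does not hold {mode} on {obj.name}")
    obj.acl.setdefault(grantee.name, set()).add(mode)

def access_allowed(subject, obj, mode):
    """Access needs both checks: DAC (identity in the ACL) and MAC (clearance dominates label)."""
    dac_ok = mode in obj.acl.get(subject.name, set())
    mac_ok = subject.clearance.dominates(obj.label)
    return dac_ok and mac_ok

def demo():
    """Constructed scenario: a DAC grant cannot override the mandatory policy."""
    alice = Subject("alice", Label("SECRET", frozenset({"crypto"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    doc = Object("design-notes", Label("SECRET", frozenset({"crypto"})),
                 {"alice": {"read"}})
    dac_grant(doc, alice, bob, "read")        # alice passes her read permission on
    return {"alice": access_allowed(alice, doc, "read"),   # True
            "bob": access_allowed(bob, doc, "read")}       # False: MAC denies
```

The delegated DAC entry for bob is recorded, but the access is still refused because his clearance does not dominate the object's label, which is the sense in which the definition says discretionary passing of permissions is allowed only where it is consistent with the security policy in force.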
- a realization of a requirement by, or as a part of, one
or more coordinated facilities.
- NESTED TRANSACTION
- a transaction that is enclosed within another transaction. The nested
transaction behaves as if it were a single operation within the
- two or more computers, including workstations and machines of
different capabilities, possibly at remote locations, linked together
by data-communication channels to permit data exchange.
- ensuring that access to information is controlled.
- NORMAL TERMINATION
- the self-determined termination of a process without the use of the
PCIS abnormal termination facilities.
- an entity that contains or receives information. Access to an
object potentially implies access to the information it contains.
Associated with each object is a type which defines the attributes and
operations for the object.
- PHYSICAL DEVICE
- a particular piece of computer system hardware.
- the execution of any program.
- a computer program; a set of compilation units, one of which is
a subprogram called the "main program". Execution of the program
consists of execution of the main program, which may invoke subprograms
declared in the compilation units of the program.
- the resumption of operation after a system failure or
other discontinuity. In a secure system trusted recovery must be
possible without further compromise of the security policy.
- an association among objects. A relationship among N
objects (not necessarily distinct) is known as an "N-ary" relationship.
A relationship is said to connect the objects that are associated by
- any capacity which must be scheduled, assigned, or
controlled by the underlying implementation to assure consistent and
non-conflicting usage by Processes. Examples of resources include: CPU
time, memory space (actual and virtual), and shared facilities
(variables, devices, spoolers, etc.).
- to continue a suspended process.
- a named set of privileges that can be assigned to a user in
accordance with a task he or she has to perform.
- that which is achieved by using a facility.
- STATIC MAPPING
- a mapping between a logical device and a physical
device which cannot be changed while the logical device is being used
by a process.
- [NATO87] states: "an active entity, generally in the form of a
person, process, or device that causes information to flow among
objects or changes the system state. Technically, a process/domain
pair". "Entity" and "Process" used here should be understood in the
context of [NATO87] and not in the sense that it is defined above.
- to stop a process such that it can be resumed. In the context
of a program with multiple execution threads, this implies the
suspension of all execution threads, and the prevention of the
activation of any thread until the process is resumed.
- Trusted Computing Base. The totality of protection mechanisms
within a computer system - including hardware, firmware and software -
the combination of which is responsible for enforcing a security
policy. It creates a basic protection environment and provides
additional user services required for a trusted computer system. The
ability of a trusted computing base to correctly enforce a security
policy depends solely on the mechanisms within the TCB and on the
correct input by system administrative personnel of parameters (for
example, a user's clearance) related to the security policy [NATO87].
- Trusted Computer System. A system that employs sufficient
hardware and software integrity measures to allow its use for
simultaneous secure processing of information having differing security
- to stop a process such that it cannot be resumed. In
the context of a program with multiple execution threads, this implies
the termination of all execution threads.
- a program. More specifically, a tool is any program which is
not an application program, and which is part of or an extension to the
environment, thus assisting in life-cycle support of application
- an identified set of operations or transactions, which,
when executed alone, constitutes an indivisible operation that
transforms one consistent state of the OMS into a new consistent state.
Either the whole set is applied (commit) or none of it (abort).
- the ability to install a tool on a different PCIS implementation
without changing its functionality. Transportability is measured in the
degree to which this installation can be accomplished without
- a partitioning, according to designated type definitions, of
objects, relationships and attributes into sets, called object types,
relationship types and attribute types.
- USER INTERFACE MANAGEMENT SYSTEM
- a set of tool-independent facilities, which supports the structured
presentation of output to a human user and the delivery of input in
terms of the output presentation structure.