Saturday, January 11, 2014
Users and Rules
CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty.
ER3 The system must authenticate each user attempting to execute a TP
– Type of authentication is undefined, and depends on the instantiation
– Authentication is not required before use of the system, but is required before manipulation of CDIs (which requires using TPs)
Logging
CR4 All TPs must append enough information to reconstruct the operation to an append-only CDI.
– This CDI is the log
– The auditor needs to be able to determine what happened during reviews of transactions
Handling Untrusted Input
CR5 Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI.
– In a bank, numbers entered at the keyboard are UDIs, so they cannot be input to TPs directly. TPs must validate the numbers (to make them CDIs) before using them; if validation fails, the TP rejects the UDI
Separation of Duty In Model
ER4 Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity.
Enforces separation of duty with respect to the certified and allowed relations
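As an added example (not from the original post or from the slides it summarises), here is a small reference monitor in Python that enforces ER3, CR4, CR5 and ER4 together on the bank scenario above; the user names, the `deposit` TP and the credential table are constructed for illustration, and the authentication mechanism is a placeholder since ER3 leaves it to the instantiation.

```python
import hmac

class CWError(Exception): pass   # raised when an enforcement rule would be violated

class ClarkWilson:
    def __init__(self, credentials, cdis):
        self.credentials = credentials   # user -> secret (constructed; ER3 leaves the mechanism open)
        self.cdis = dict(cdis, log=[])   # CDIs; "log" is the append-only log CDI of CR4
        self.tps = {}                    # TP name -> (validate, transform)
        self.certifier = {}              # TP name -> user who certified it (ER4)
        self.allowed = set()             # (user, TP) allowed relations
        self.authenticated = set()
    def authenticate(self, user, secret):
        # ER3: required before executing a TP, not before using the system at all
        if hmac.compare_digest(self.credentials.get(user, ""), secret):
            self.authenticated.add(user)
        return user in self.authenticated
    def certify(self, certifier, tp, validate, transform):
        self.tps[tp] = (validate, transform)
        self.certifier[tp] = certifier
    def allow(self, granter, user, tp):
        # ER4: only the certifier may change the TP's entity list, and may never execute the TP
        if granter != self.certifier.get(tp):
            raise CWError(f"{granter} did not certify {tp}")
        if user == granter:
            raise CWError(f"{user} certified {tp} and may not execute it")
        self.allowed.add((user, tp))
    def execute(self, user, tp, udi):
        if user not in self.authenticated:
            raise CWError("ER3: authenticate before running a TP")
        if (user, tp) not in self.allowed:
            raise CWError(f"no allowed relation for ({user}, {tp})")
        validate, transform = self.tps[tp]
        try:
            value = validate(udi)        # CR5: the UDI becomes a CDI or is rejected outright
        except ValueError as exc:
            raise CWError(f"CR5: UDI rejected: {exc}")
        transform(self.cdis, value)
        self.cdis["log"].append((user, tp, value))  # CR4: enough to reconstruct the operation
        return value

def valid_amount(udi):                   # constructed bank TP: keyboard text is a UDI
    amount = int(udi)                    # raises ValueError on non-numeric input
    if amount <= 0:
        raise ValueError("amount must be positive")
    return amount

def deposit(cdis, amount):               # the transformation applied once the UDI is a CDI
    cdis["balance"] += amount
```

Because the log is only ever appended to and every successful TP run lands in it, an auditor can replay the sequence of (user, TP, value) records to reconstruct how the balance reached its current state.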