Trusted programs may be used to implement or interact with applications. Examples include:
- secure Web and Gopher servers designed to provide secure versions of commonly used services [Cohen97],
- trusted mail guards used to permit information flow that would be in violation of policy in a Bell-LaPadula-based system if not implemented by a trusted program, and
- most device drivers written for secure operating systems.
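The mail guard case above is worth seeing in code, because it shows exactly where a trusted program punches through the Bell-LaPadula model. The following is an added illustration, not code from the original text: a minimal reference monitor that enforces the simple security property (no read up) and the *-property (no write down) over a lattice of levels and compartments, plus a single designated trusted subject, the mail guard, that is the only subject allowed to write down, and only after its own review of the message passes. The level names, the "mailguard" subject, the `(C)`/`(S)`/`(TS)` marking rule used by the review and the sample messages are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Linear levels; compartments are a set of strings. Both are constructed for this example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class ReferenceMonitor:
    """Mediates every access; only subjects in `trusted` may bypass the *-property."""
    trusted: frozenset = frozenset()
    audit: list = field(default_factory=list)

    def can_read(self, subject: str, s_label: Label, o_label: Label) -> bool:
        # Simple security property: no read up.
        ok = s_label.dominates(o_label)
        self.audit.append((subject, "read", s_label, o_label, ok))
        return ok

    def can_write(self, subject: str, s_label: Label, o_label: Label,
                  reviewed: bool = False) -> bool:
        # *-property: no write down, i.e. the object label must dominate the subject label.
        if o_label.dominates(s_label):
            ok = True
        else:
            # Write-down is permitted only to a designated trusted program, and
            # only when its own review has passed. This is the exemption the
            # text attributes to a trusted mail guard.
            ok = subject in self.trusted and reviewed
        self.audit.append((subject, "write", s_label, o_label, ok))
        return ok


# Assumed review rule for the guard: the outgoing text may carry no classification
# marking above the destination level. Real guards apply far richer filters.
MARKINGS = {"CONFIDENTIAL": "(C)", "SECRET": "(S)", "TOP_SECRET": "(TS)"}


def guard_review(body: str, dest: Label) -> bool:
    """True if no marking in `body` is higher than the destination level."""
    for level, mark in MARKINGS.items():
        if LEVELS[level] > LEVELS[dest.level] and mark in body:
            return False
    return True


def guard_release(monitor: ReferenceMonitor, body: str,
                  src: Label, dest: Label) -> bool:
    """The trusted mail guard: runs at the message's own label `src`, reads the
    message there, then asks the monitor for a (normally forbidden) write to `dest`."""
    if not monitor.can_read("mailguard", src, src):
        return False
    return monitor.can_write("mailguard", src, dest,
                             reviewed=guard_review(body, dest))


if __name__ == "__main__":
    rm = ReferenceMonitor(trusted=frozenset({"mailguard"}))
    secret = Label("SECRET", frozenset({"CRYPTO"}))
    unclass = Label("UNCLASSIFIED")
    # An ordinary SECRET user cannot write to an UNCLASSIFIED mailbox.
    print("alice write-down:", rm.can_write("alice", secret, unclass))
    # The guard may, but only after the review passes.
    print("guard clean msg:", guard_release(rm, "meeting moved to 3pm", secret, unclass))
    print("guard marked msg:", guard_release(rm, "(S) key schedule attached", secret, unclass))
```

Every decision, including the guard's write-down, goes through the monitor and lands in `audit`, which is the property a reviewer of such a system wants: the trusted program is exempted from one rule, not from mediation or logging. Note how narrow the trust is: the exemption is tied to one subject name and one boolean, so the size of the code that must be verified is the guard's review function, not the whole mail system.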
Complexity: Trust is often given but rarely fully deserved - in programs
that is. The complexity of writing and verifying a trusted program is at
least NP-complete. In practice, only a few hundred useful programs have
ever been proven to meet their specifications and still fewer have had
specifications that included desirable security properties.
fc@red.a.net