44 ;;Quote: shared systems serving simultaneous functions with differing security properties; makes computers meeting places

44 ;;Quote: types of shared systems -- control-free, Unix processes, Unix access control, full virtual machine models, execution environments, and trusted operating systems

46 ;;Quote: a trusted operating system uses a global policy and security labels on processes and objects; labels hold classification data, type, and policy rules

47 ;;Quote: the jail model substitutes namespace limits for security labels; semi-permeable partitioning of files, processes, and network; no super-user privileges; simple and efficient

47 ;;Quote: an attacker's activities are constrained by the jail and fully visible to the administrator; the jail administrator can inspected anything in the jail

47 ;;Quote: system sharing by capabilities checks upon first access, providing a reference to an object for future access; e.g., a Unix file descriptor

48 ;;Quote: namespace limits prevent access to objects that cannot be named; simple implementation and user-comprehensible behavior

48 ;;Quote: a hierarchical namespace provides containers for protecting objects; mandatory and discretionary protection by endowing subdirectories with trust; better than flat namespace

50 ;;Quote: prefer policy over tunable settings for security and resource allocation; express in terms of goals; allows audit, avoids user error

50 ;;Quote: a shared system must be easy to monitor; policy implications must be clear and testable

50 ;;Quote: prefer object-orientation implementation for shared systems; encapsulates state in a class; avoids globals

50 ;;Quote: prefer component-oriented designs for shared systems; increased flexibility, can easily disable a subsystem

50 ;;Quote: hierarchical and protected namespaces permit trust to be assigned with low cost separation between namespace subsets

50 ;;Quote: provide primitives for easily expressing security policy in broad terms