{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T04:18:49Z","timestamp":1760242729684,"version":"build-2065373602"},"reference-count":36,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2016,4,26]],"date-time":"2016-04-26T00:00:00Z","timestamp":1461628800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.<\/jats:p>","DOI":"10.3390\/info7020023","type":"journal-article","created":{"date-parts":[[2016,4,26]],"date-time":"2016-04-26T10:21:21Z","timestamp":1461666081000},"page":"23","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Using Proven Reference Monitor Patterns for Security Evaluation"],"prefix":"10.3390","volume":"7","author":[{"given":"Mark","family":"Heckman","sequence":"first","affiliation":[{"name":"Center for Cyber Security Engineering and Technology, University of San Diego, San Diego, CA 92110, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5331-1780","authenticated-orcid":false,"given":"Roger","family":"Schell","sequence":"additional","affiliation":[{"name":"Aesec Corporation, Palo Alto, CA 94301, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2016,4,26]]},"reference":[{"key":"ref_1","unstructured":"Ito, Y., Washizaki, H., Yoshizawa, M., Fukazawa, Y., Okubo, T., Kaiya, H., Hazeyama, A., Yoshioka, N., and Fernandez, E.B. (2015, January 24\u201326). Systematic Mapping of Security Patterns Research. Proceedings of the 22nd Conference on Pattern Languages of Programs Conference 2015 (PLoP 2015), Pittsburgh, PA, USA."},{"key":"ref_2","unstructured":"Kienzle, D.M., Elder, D.T., and Edwards-Hewitt, J. Security Patterns Template and Tutorial. Available online: http:\/\/citeseerx.ist.psu.edu\/viewdoc\/download?doi=10.1.1.131.2464&rep=rep1&type=pdf."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Anderson, J.P. (1972). Computer Security Technology Planning Study, USAF Electronics Systems Division.","DOI":"10.21236\/AD0772806"},{"key":"ref_4","unstructured":"Schumacher, M., Fernandez, E., Hybertson, D., and Buschmann, F. (2005). Security Patterns: Integrating Security and Systems Engineering, John Wiley & Sons."},{"key":"ref_5","unstructured":"(1987). National Computer Security Center. Available online: http:\/\/ftp.mirrorservice.org\/sites\/ftp.wiretapped.net\/pub\/security\/info\/reference\/ncsc-publications\/rainbow-books\/NCSC-TG-005.pdf."},{"key":"ref_6","unstructured":"(1985). United States National Computer Security Center. Available online: http:\/\/ftp.mirrorservice.org\/sites\/ftp.wiretapped.net\/pub\/security\/info\/reference\/ncsc-publications\/rainbow-books\/5200.28-STD.pdf."},{"key":"ref_7","unstructured":"USAF Electronics System Division (1975). Multilevel Security Issues and Answers: An Evaluation of the AFSC Program (MCI-75-8), Hanscom AFB. Unpublished work."},{"key":"ref_8","unstructured":"Schell, R.R. (2015, January 3\u20134). A University Education Cyber Security Paradigm Shift. Presented at the National Initiative for Cybersecurity Education (NICE), San Diego, CA, USA. Available online: https:\/\/www.fbcinc.com\/e\/nice\/ncec\/presentations\/Schell.pdf."},{"key":"ref_9","first-page":"51","article-title":"Subversion as a Threat in Information Warfare","volume":"3","author":"Anderson","year":"2004","journal-title":"J. Inf. Warf."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSP.2011.67","article-title":"Stuxnet: Dissecting a cyberwarfare weapon","volume":"9","author":"Langner","year":"2011","journal-title":"IEEE Secur. Priv."},{"key":"ref_11","unstructured":"Dijkstra, E.W. (1970). Notes on Structured Programming, Technische Hogeschool Enidhoven. Technical Report 70-WSK-03."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Bell, D.E., and LaPadula, L.J. (1975). Computer Security Model: Unified Exposition and Multics Interpretation (ESD-TR-75-306), Hanscom AFB.","DOI":"10.21236\/ADA023588"},{"key":"ref_13","unstructured":"Abrams, M.D., Jajodia, S., and Podell, H.J. (1995). Information Security: An Integrated Collection of Essays, IEEE Computer Society Press."},{"key":"ref_14","unstructured":"Common Criteria for Information Technology Security Evaluation, version 3.1 revision 4, 2012. Available online: https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R4.pdf."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1147","DOI":"10.1109\/32.106971","article-title":"A retrospective on the VAX VMM security kernel","volume":"17","author":"Karger","year":"1991","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_16","unstructured":"Brinkley, D.L., and Schell, R.R. (1995). Information Security: An Integrated Collection of Essays, IEEE Computer Society Press. Available online: http:\/\/www.acsa-admin.org\/secshelf\/book001\/02.pdf."},{"key":"ref_17","unstructured":"Bell, D.E. (2005, January 5\u20139). Looking Back at the Bell-La Padula Model. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC\u201905), Tucson, AZ, USA."},{"key":"ref_18","unstructured":"Shockley, W.R., and Schell, R.R. (1987, January 7\u201311). TCB subsets for incremental evaluation. Proceedings of the Third Aerospace Computer Security Conference, Orlando, FL, USA."},{"key":"ref_19","unstructured":"Gasser, M. (1988). Building a Secure Computer System, Van Nostrand Reinhold Company."},{"key":"ref_20","unstructured":"Vetter, L., Smith, G., and Lunt, T.F. (1989, January 4\u20138). TCB subsets: The next step. Proceedings of the Fifth Annual Computer Security Applications Conference, Tucson, AZ, USA."},{"key":"ref_21","unstructured":"Schell, R., Tao, T.F., and Heckman, M. (October, January 30). Designing the GEMSOS security kernel for security and performance. Proceedings of the 8th National Computer Security Conference, Gaithersburg, MD, USA. Available online: http:\/\/www.mrheckman.com\/yahoo_site_admin\/assets\/docs\/DesigningTheGemsosSecurityKernel-OCR-120409-DRAFT.158131458.pdf."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1016\/0167-4048(88)90506-8","article-title":"Element-level classification with A1 assurance","volume":"7","author":"Lunt","year":"1988","journal-title":"Comput. Secur."},{"key":"ref_23","unstructured":"National Security Agency, Evaluated Products List, Trusted Oracle7, Class B1, United States National Computer Security Center, 5 April 1994. Available online: http:\/\/webapp1.dlib.indiana.edu\/virtual_disk_library\/index.cgi\/1347159\/FID1806\/epl\/entries\/csc-epl-94-004.html."},{"key":"ref_24","unstructured":"Final Evaluation Report, Honeywell Information Systems, Multics MR11.0, National Computer Security Center, CSC-EPL-85\/003, 1 June 1986. Available online: http:\/\/www.multicians.org\/multics-fer.pdf."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1145\/2822513","article-title":"Security assurance","volume":"58","author":"Lipner","year":"2015","journal-title":"Commun. ACM"},{"key":"ref_26","unstructured":"Site History: AFDSC. Available online: http:\/\/www.multicians.org\/site-afdsc.html."},{"key":"ref_27","unstructured":"Site History: DOCKMASTER. Available online: http:\/\/www.multicians.org\/site-dockmaster.html."},{"key":"ref_28","unstructured":"Karger, P.A., and Schell, R.R. (2002, January 9\u201313). Thirty years later: Lessons from the Multics security evaluation. Proceedings of the 18th Annual Computer Security Applications Conference, Las Vegas, NV, USA."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Schiller, W.L. (1977). Design and Abstract Specification of a Multics Security Kernel, MITRE Corp.","DOI":"10.21236\/ADA048576"},{"key":"ref_30","unstructured":"Weissman, C. (1992, January 4\u20136). BLACKER: Security for the DDN examples of A1 security engineering trades. Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA."},{"key":"ref_31","unstructured":"Final Evaluation Report, Gemini Computers, Incorporated, Gemini Trusted Network Processor, Version 1.01, National Computer Security Center, NCSC-FER-94\/008, 28 June 1995. Available online: http:\/\/webapp1.dlib.indiana.edu\/virtual_disk_library\/index.cgi\/1347159\/FID1806\/library\/fers\/ncsc-fer-94-008.pdf."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Gambel, D., Walter, S., and Fordham, M. (1989, January 3\u20135). HSRP\u2014A1\u2019ing a large-scale management information system. Proceedings of the 7th Computers in Aerospace Conference, Monterey, CA, USA.","DOI":"10.2514\/6.1989-3109"},{"key":"ref_33","unstructured":"National Security Agency, Evaluated Products List, GTNP Version 1.01, Class A1, United States National Computer Security Center, 6 September 1994. Available online: http:\/\/webapp1.dlib.indiana.edu\/virtual_disk_library\/index.cgi\/1347159\/FID1806\/EPL\/ENTRIES\/CSC-EPL-94-008.HTML."},{"key":"ref_34","unstructured":"Irvine, C.E. (1995, January 8\u201310). A multilevel file system for high assurance. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, USA."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Heckman, M.R., Schell, R.R., and Reed, E.E. (November, January 29). A high-assurance, virtual guard architecture. Proceedings of the 2012 IEEE Military Communications Conference, MILCOM 2012, Orlando, FL, USA.","DOI":"10.1109\/MILCOM.2012.6415677"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Heckman, M.R., Schell, R.R., and Reed, E.E. (2015, January 26\u201328). A multi-level secure file sharing server and its application to a multi-level secure cloud. Proceedings of the 2015 IEEE Military Communications Conference, MILCOM 2015, Tampa, FL, USA.","DOI":"10.1109\/MILCOM.2015.7357613"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/7\/2\/23\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T19:22:49Z","timestamp":1760210569000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/7\/2\/23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,4,26]]},"references-count":36,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2016,6]]}},"alternative-id":["info7020023"],"URL":"https:\/\/doi.org\/10.3390\/info7020023","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2016,4,26]]}}}