First page Back Continue Last page Overview Text
Must address integrity, least privilege, separation of duty. Complete control using all security-relevant information. No special "trusted subjects" that can violate the model. Bind privileges to code.
Ability to change model of security, or even to express different policies within a given model.
No changes to existing APIs and default behaviors for security-unaware applications.