Toward an Understanding of Extensible Architectures for Evaluated Trusted Computer System Products

It has been a tenet of the computer security research and development community that policy enforcement mechanisms must be designed into systems at the time of their conception rather than retrofitted on to existing systems. The paper examines what it means for an architecture to be extensible with respect to security. Results are shown of an examination of the Trusted Computer System Evaluation Criteria\´s requirements in order to try to make a clear distinction based on how "fundamental" each is to the design and implementation of systems in the individual evaluation classes. We note that, given strict hierarchical layering in a system, along with a strict integrity policy mechanism such as the ring mechanism, it should be possible to extend a system through the addition of new adjacent domains.