Trusted System Properties

• Complete mediation – security rules enforced on every access

• Isolation – reference monitor and database are protected from unauthorized modification

• Verifiability – reference monitor’s correctness must be mathematically provable