BIB-VERSION:: CS-TR-v2.0
ID:: STAN//CSL-TR-97-728
ENTRY:: July 16, 1997
ORGANIZATION:: Stanford University, Computer Systems Laboratory
TITLE:: Defining a Security Reference Architecture
TYPE:: Technical Report
AUTHOR:: Meldal, Sigurd
AUTHOR:: Luckham, David
DATE:: June 1997
PAGES:: 26
ABSTRACT:: This report discusses the definition and modeling of reference architectures that specify the security aspects of distributed systems. NSA's MISSI (Multilevel Information System Security Initiative) security reference architecture is used as an illustrative example. We show how one would define such a reference architecture, and how one could use such a definition to model as well as check implementations for compliance with the reference. We demonstrate that an ADL should have not only the capability to specify interfaces, connections and operational constraints, but also to specify how it is related to other architectures or to implementations. A reference architecture such as MISSI is defined in Rapide [10] as a set of hierarchical interface connection architectures [9]. Each Rapide interface connection architecture is a reference architecture - an abstract architecture that allows a number of different implementations, but which enforces common structure and communication rules. The hierarchical reference architecture defines the MISSI policies at different levels - at the level of enclaves communicating through a network, at the level of each enclave being a local area network with firewalls and workstations and at the level of the individual workstations. The reference architecture defines standard components, communication patterns and policies common to MISSI compliant networks of computer systems. A network of computers may be checked for conformance against the reference architecture. The report also shows how one can generate architecture scenarios of networks of communicating computers. The scenarios are constructed as Rapide executable models, and the behaviors of the models can be checked for conformance with the reference architecture in these scenarios. The executable models demonstrate how the structure and security policies in the reference architecture may apply to networks of computers.
Key Words and Phrases: Software architectures, security, reference architecture, software engineering, specification, testing, conformance.
NOTES:: [Adminitrivia V1/Prg/19970716]
END:: STAN//CSL-TR-97-728