@@ -275,9 +275,13 @@ For the purposes of the present document, the following terms apply:
**Common Criteria (CC):** Common Criteria for Information Technology Security Evaluation (International Standard
ISO/IEC 15408).
**Administrator:** An administrator is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
**Administrator:** An entity that is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
**User:** A user is subject to configuration policies applied to the operating system by administrators. On some systems under certain configurations, a normal user can temporarily elevate privileges to that of an administrator. At that time, such a user should be considered an administrator.
**User:** An entity that is subject to configuration policies applied to the operating system by administrators. On some systems under certain configurations, a normal user can temporarily elevate privileges to that of an administrator. At that time, such a user should be considered an administrator.
**User Account:** An identity created in an operating system with associated access controls and privileges. Users may have multiple user accounts and user accounts may have multiple users.
**Threat Agent:** An entity that can adversely act on an asset.
**Application:** Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation.
@@ -289,13 +293,7 @@ ISO/IEC 15408).
**Data Execution Prevention:** An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory that are not code. This prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code.
FIXME add "non-writable executable memory" i.e. W^X
FIXME add "Attack Surface" i.e. reduce the attack surface of the system call interface...
FIXME add "Principle of Least Privilege"
FIXME add "Threat Actor"
**Non-writable Executable Memory:** An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-write permission on pages of memory that are code. This prevents modifying the instructions of running programs, which makes it more difficult for an attacker to introduce and execute code.
**Credential:** Data that establishes the identity of a user, e.g. a cryptographic key or password.
@@ -309,6 +307,10 @@ FIXME add "Threat Actor"
**Process Isolation:** Techniques to prevent processes from accessing or changing each other's state.
**Attack Surface:** User interfaces, target protocol interfaces and reachable data paths that can be attacked within the system.
FIXME add "Principle of Least Privilege"
## 3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
