@@ -218,19 +218,32 @@ FIXME more informative references
## 3.1 Terms
This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and terms and definitions provided by CEN/CLC EN 18031 series.
This section provides terms and definitions based on CEN/CLC JTC13 WG09's work on terms and definitions, terms and definitions provided by ETSI EN 303 645/TS 103 701 and by CEN/CLC EN 18031 series, and informed by terms used in the Common Criteria and the NIAP Operating System Protection Plan guide.
For the purposes of the present document, the following terms apply:
1.**Operating System (OS)**: Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals. This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.
1.**General Purpose Operating System**: A class of operating system designed to support a wide variety of workloads consisting of concurrent applications or services. Typical characteristics of this category include support for third-party applications, support for multiple users, and security separation between users and their respective resources. General Purpose Operating Systems lack the operational constraints which define Special Purpose Operating Systems and Real Time Operating System (RTOS) that are typically used in routers, switches, and embedded devices.
1.**Application Programming Interface (API)**: A specification of routines, data structures, object classes, and variables that allows an application to make use of services provided by another software component, such as a library. APIs are often provided for a set of libraries included with the platform.
1.**System Call Interface**: A specification for the API between the application layer and the kernel or system layer.
1.**Input/Output**: The process or function for passing data to or from a given process over a specific interface. Such I/O interfaces include, but are not limited to, serial ports, network ports, long-term storage devices including hard drives and flash drives, as well as human-interface ports such as display and audio devices.
1.**Common Criteria (CC)**: Common Criteria for Information Technology Security Evaluation (International Standard
ISO/IEC 15408).
1.**Administrator**: An administrator is responsible for management activities, including setting policies that are applied by the enterprise on the operating system. This administrator could be acting remotely through a management server, from which the system receives configuration policies. An administrator can enforce settings on the system which cannot be overridden by non-administrator users.
1.**User**: A user is subject to configuration policies applied to the operating system by administrators. On some systems under certain configurations, a normal user can temporarily elevate privileges to that of an administrator. At that time, such a user should be considered an administrator.
1.**Application**: Software that runs on a platform and performs tasks on behalf of the user or owner of the platform, as well as its supporting documentation.
1.**Credential**: Data that establishes the identity of a user, e.g. a cryptographic key or password.
1.**Personally Identifiable Information (PII)**: Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, government-issued identity numbers, date and place of birth, biometric records, etc., including any other personal information which is linked or linkable to an individual.
1.**Sensitive Data**: Sensitive data may include all user or enterprise data or may be specific application data such as PII, emails, messaging, documents, calendar items, and contacts. Sensitive data must minimally include credentials and keys.
1.**Data Execution Prevention**: An anti-exploitation feature of modern operating systems executing on modern computer hardware, which enforces a non-execute permission on pages of memory. This prevents pages of memory from containing both data and instructions, which makes it more difficult for an attacker to introduce and execute code.
1.**Credential**: Data that establishes the identity of a user, e.g. a cryptographic key or password.
1.**Address Space Layout Randomization (ASLR)**: An anti-exploitation feature which loads memory mappings into unpredictable locations. ASLR makes it more difficult for an attacker to redirect control to code that they have introduced into the address space of a process.
1.**Common Weakness Enumeration (CWE)**: A community-developed list of software and hardware weaknesses that can become vulnerabilities. https://cwe.mitre.org/
1.**Elevated Privilege**:
1.**Command Shell**:
1.**Process Isolation**:
1.
For the purposes of the present document, the [following] terms [given in ... and the following] apply:
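Review bot: "Credential" is defined twice in the term list with identical text, once after "Application" and again after "Data Execution Prevention"; drop the second entry. "Elevated Privilege", "Command Shell" and "Process Isolation" have no definition text, and a bare "1." follows them. Either give each a definition or leave them out until the wording is ready, since an empty term in a normative terms clause can't be referenced by the requirements. The new source sentence cites the "NIAP Operating System Protection Plan guide"; the NIAP document is a Protection Profile, so the name should be corrected. The PII definition says "maintained by an agency", which reads as carried over from a government-agency source and doesn't fit a product-scoped document; suggest rewording or citing the source it was taken from. The "Common Criteria (CC)" entry is broken across two lines before "ISO/IEC 15408)", which will split the list item when rendered. Finally, "For the purposes of the present document, ..." appears both in clean form and in the bracketed template form at the end of the hunk; make sure only the clean one remains.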