Security Architecture and Design

en.wikibooks.org
January 25, 2014

On the 28th of April 2012 the contents of the English as well as German Wikibooks and Wikipedia
projects were licensed under Creative Commons Attribution-ShareAlike 3.0 Unported license. A
URI to this license is given in the list of figures on page 25. If this document is a derived work from
the contents of one of these projects and the content was still licensed by the project under this
license at the time of derivation this document has to be licensed under the same, a similar or a
compatible license, as stated in section 4b of the license. The list of contributors is included in chapter
Contributors on page 23. The licenses GPL, LGPL and GFDL are included in chapter Licenses on
page 29, since this book and/or parts of it may or may not be licensed under one or more of these
licenses, and thus require inclusion of these licenses. The licenses of the figures are given in the list
of figures on page 25. This PDF was generated by the LATEX typesetting software. The LATEX source
code is included as an attachment (source.7z.txt) in this PDF file. To extract the source from
the PDF file, you can use the pdfdetach tool including in the poppler suite, or the http://www.
pdflabs.com/tools/pdftk-the-pdf-toolkit/ utility. Some PDF viewers may also let you save
the attachment to a file. After extracting it from the PDF file you have to rename it to source.7z.
To uncompress the resulting archive we recommend the use of http://www.7-zip.org/. The LATEX
source itself was generated by a program written by Dirk Hünniger, which is freely available under
an open source license from http://de.wikibooks.org/wiki/Benutzer:Dirk_Huenniger/wb2pdf.
Contents
0.1 Computer Systems Architecture . . . . . . . . . . . . . . . . . . . . . . 1
0.2 Systems Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . 7
0.3 Security Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
0.4 Security Product Evaluation Methods and Criteria . . . . . . . . . . 15

1 Contributors 23

List of Figures 25

2 Licenses 29
2.1 GNU GENERAL PUBLIC LICENSE . . . . . . . . . . . . . . . . . . . . . . 29
2.2 GNU Free Documentation License . . . . . . . . . . . . . . . . . . . . . . . . 30
2.3 GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . 31

0.1 Computer Systems Architecture

A computer system consists of different types of components like hardware, soft-

ware,operating systems and firmware.
The most important and common components being
• Hardware Components like: CPU, Storage Devices, I/O Devices, Communication Devices
• Software Components like: Operating Systems, Application Programs
• Firmware

0.1.1 Central Processing Unit (CPU)

Overview
• CPU is the brain of the computer.
• It fetches the instructions from memory and executes them
• Each CPU type has its own instruction set and architecture
CPU Components
• Registers: are temporary storage locations that can store references to memory locations,
next instruction to be executed etc and also enable the CPU to keep its status information.
• Arithmetic Logic Unit(ALU): performs the actual execution of complex mathematical
functions and logical operations on data.
• Control Unit: manages and synchronizes the system while different applications code and
OS instructions are being executed. It fetches the code,interprets the code and oversees

1
Contents

the execution of the different instruction sets.It determines what application instructions
get processed and in what priority and time slice. It controls when instructions are
executed, and this execution enables applications to process data.
• General registers are used to hold variables and temporary results as the ALU works
through its execution steps.
• Special registers (dedicated registers) hold information such as the program counter, stack
pointer, and program status word (PSW)
• Program counter (PC) register contains the memory address of the next instruction
that needs to be fetched
• Program status word (PSW) holds different condition bits. One of the bits indicates
whether the CPU should be working in user mode (also called problem state) or priv-
ileged mode (also called kernel or supervisor mode).
• Stack pointerdirects the CPU where the next piece of data is located.
• Address bus, is a hardwired connection to the RAM chips in the system and the individual
(I/O) devices. It is used by the CPU to indicate the location of the instructions that
need to be processed.
• Data bus is used by the memory or I/O device in response to CPU request for sending
the data that resides at the requested location.

0.1.2 Storage

Overview
• A storage device is a hardware device capable of storing data.
• Storage devices can be classified into 3 categories
• Primary Storage or Memory: which are directly accessible to the CPU like Cache
Memory (L1,L2,L3),Main Memory (RAM)
• Secondary Storage: Which are permanent storage devices like Hard Disks, Floppy
Disks, CDs, DVDs, flash memory, ZIP drives etc.
• Tertiary Storage : Tapes
Random Access Memory
• RAM stores data and program instructions temporarily by the operating system and
application programs.
• It is described as volatile because if the computer’s power supply is terminated, then all
information within this type of memory is lost.
• RAM Types
• Dynamic RAM- uses capacitors which have to be refreshed periodically to hold the
data, slow.
• Synchronous DRAM (SDRAM)- timing of the CPU and the timing of the memory
activities are synchronized. can access only one block at a time.
• Extended data out DRAM (EDO DRAM)- can capture the next block of data
while the first block is being sent to the CPU for processing, faster than SDRAM.
• Burst EDO DRAM (BEDO DRAM)- Build on top of EDO DRAM.It reads and
sends up to four memory addresses in a small number of clock cycles.
• Double data rate SDRAM (DDR SDRAM)- Carries out read operations on the
rising and falling cycles of a clock pulse. speed is twice of SDRAM

2
 Computer Systems Architecture

• Static RAM- uses more transistors, faster than DRAM,expensive, used in cache.
Read Only Memory
• ROMs are non-volatile memories.the instructions stored in these memories are called as
firmware.
• ROM Types
• Programmable read-only memory (PROM)-can be programmed only one time after the
manufacturing.
• Erasable and programmable read-only memory (EPROM)- can be erased, modified,and
upgraded.
• Flash memory- a special type of memory that is used in digital cameras, BIOS chips,
memory cards for laptops, and video game consoles. It is used more as a type of hard
drive than memory.
Cache Memory
• The cache memory is a smaller, faster memory which stores copies of the data from the
most frequently used main memory locations.
• Cache Levels
• L1 Cache- located within the CPU
• L2 Cache- located between the CPU and the main memory (RAM)
• L3 Cache- can be an externally managed memory that has faster access time than
RAM.
• Cache Types
• Prefetch Cache(P-Cache)- used to store data that has been brought in as a result of a
prefetch operation
• W-Cache - acts as a holding station for stored data.
• Instruction Cache- used to store instructions.
• Data Cache- stores data
• Translation Look aside Buffer (TLB)- stores the translated addresses of virtual page
address to a valid physical address.
• Cache Organization- describes the organization of lines and the replacement policy
• Direct Mapping- The (virtual or physical) memory address of the incoming cache line
controls which cache location is going to be used.Suffers from thrashing.
• Fully Associative- based on LRU policy where the LRU line is replaced.
• Set Associative- uses several direct-mapped caches or set. A cache controller decides
which set the line will go into. Within the set, a direct-mapped scheme is used to
allocate a slot in the cache.
Virtual Memory
• Virtual memory is a logical memory that gives an application program the impression
that it has a contiguous working memory.
• A VM logically extends the capabilities of RAM by allocation a separate portion of the
hard disk space called swap space.
•

3
Contents

0.1.3 Operating Systems

Overview
• An operating system provides an environment for applications and users to work within.
• It is responsible for managing the underlying hardware components,memory management,
I/O operations, file system, process management, and providing system services
• OS Architectures
• Monolithic operating system architecture- mainly made up of various procedures that
can call upon each other in a haphazard manner, provides single layer security only.
For example, DOS.
• Layered operating system- separates system functionality into hierarchical lay-
ers,provide data hiding, provides multilayer security. For example, Unix.
• Layer 0 controlled access to the processor and provided multiprogramming function-
ality
• Layer 1 carried out memory management
• Layer 2 provided interprocess communication
• Layer 3 dealt with I/O devices and
• Layer 4 was where the applications resided
• Microkernel Based- The OS functions are divided into several different processes
that run in user mode, instead of kernel mode.The processes communicate in a C/S
model.The server processes are called as subsystems and provide services to user process
and other OS processes. For example, Windows 2000.
Process Management
• A process is a program in execution that is loaded and actuated by the OS.It contains a
set of the instructions and the assigned resources.
• When a process is created, the operating system assigns resources to it, such as a memory
segment, CPU time slot (interrupt), access to system application programming interfaces
(APIs), and files to interact with.
• Process States: A process can run in running state (CPU is executing its instructions and
data),ready state (waiting to send instructions to the CPU), or blocked state (waiting for
input data, such as keystrokes from a user).
• Process Table: A data structure that contains each individual process’s state, stack
pointer, memory allocation,program counter, and status of open files in use.
• Threads: A thread is a unit of program execution. conversely a process is a single thread
of execution.A thread is made up of individual instruction set and the data that needs to
be worked on by the CPU.All the threads of a process share the resources of the processes
that created them.
• Process Scheduling: governs the way different processes communication(or synchronize)
between each other in order to overcome deadlock conditions.
Memory Management
• The main objectives of memory management is to
• Provide an abstraction level for programmers
• Maximize performance with the limited amount of memory available
• Protect the operating system and applications loaded into memory
• The memory manager has five basic responsibilities:

4
 Computer Systems Architecture

• Relocation
• Swap contents from RAM to the hard drive as needed
• Provide pointers for applications if their instructions and memory segment have been
moved to a different location in main memory
• Protection
• Limit processes to interact only with the memory segments that are assigned to them
• Provide access control to memory segments
• Sharing
• Use complex controls to ensure integrity and confidentiality when processes need to
use the same shared memory segments
• Allow many users with different levels of access to interact with the same application
running in one memory segment
• Logical organization
• Allow for the sharing of specific software modules, such as dynamic link library (DLL)
procedures
• Physical organization
• Segment the physical memory space for application and operating system processes
I/O Device Management
• I/O devices are usually considered block or character devices.
• A block device works with data in fixed-size blocks, each block with its own unique
address. For example, disk drive .
• A character device, such as a printer, network interface card, or mouse, works with
streams of characters, without using any fixed sizes. This type of data is not addressable
• There are different ways that operating systems can manage software I/O procedures.
• Programmed I/O- the CPU sends data to an I/O device and polls the device to see if
it is ready to accept more data. If the device is not ready to accept more data, the
CPU wastes time by waiting for the device to become ready. very slow
• Interrupt-driven I/O- the CPU sends a character/block over to the device and then
goes and works on another process’s request. When the device is done with its job
it sends an interrupt to the CPU. The CPU stops what it is doing, sends the next
block/character and this continues until the entire job is processes by the device.lot of
interrupt handling overhead.
• I/O using DMA- A DMA controller feeds the characters from the memory to the device
without bothering the CPU. This method is sometimes referred to as unmapped I/O.
OS Protection Mechanisms
• CPU Modes
• CPU modes also called processor modes or CPU privilege levels,are operating modes
for the central processing unit of some computer architectures that place restrictions
on the operations that can be performed by the process currently running in the CPU.
This design allows the operating system to run at different privilege levels like kernel
mode, user mode, master mode etc.
• Protection Rings
• Protection Rings are concentric rings that provide strict boundaries and definitions for
what the processes that work within each ring can access and what operations they
can successfully execute.

5
Contents

• The processes that operate within the inner rings have more privileges than the pro-
cesses operating in the outer rings, because the inner rings only permit the most trusted
components and processes to operate within them.
• Protection rings support the availability, integrity, and confidentiality requirements of
multitasking operating systems.
• The most commonly used architecture provides four protection rings:
• Ring 0 Operating system kernel
• Ring 1 Remaining parts of the operating system
• Ring 2 I/O drivers and utilities
• Ring 3 Applications and user activity
• Memory Protection
• Limit processes to interact only with the memory segments that are assigned to them
• Provide access control to memory segments
• Process Isolation
• Ensures that processes do not “step on each other’s toes," negatively affect each other’s
productivity and thus communicate in an insecure manner.
• Methods for process isolation:
• Encapsulation of objects- no other process understands or interacts with the internal
programming code of a process.
• Time multiplexing of shared resources- allows processes to use the same resources on
a time sharing basis.
• Naming distinctions- different processes have their own name or identification value
called as PID
• Virtual mapping- Every process has its own virtual memory address space.
• Domains
• A domain is defined as a set of objects that a subject is able to access.
• The domain can be all the resources a user can access, all the files available to a
program, the memory segments available to a process, or the services and processes
available to an application.
• A process that resides in a privileged domain needs to be able to execute its instructions
and process its data with the assurance that programs in a different domain cannot
negatively affect its environment. This is referred to as an execution domain
• The higher the level of trust, the larger the number of available resources or objects

0.1.4 Firmware

Overview
• Firmware is a computer program that is embedded in a hardware device
• Like software, it is a computer program which is executed by a microprocessor or a
microcontroller. But it is also tightly linked to a piece of hardware, and has little meaning
outside of it.
BIOS
• BIOS refers to the firmware code run by a personal computer when first powered on.
• The primary function of the BIOS is to identify and initiate component hardware (such
as hard disk, floppy and optical disk drives). This is to prepare the machine so other

6
 Systems Security Architecture

software programs stored on various media can load, execute, and assume control of the
PC.This process is known as booting, or booting up, which is short for bootstrapping.
ROM image
• A ROM image, or simply ROM, is a computer file which contains a copy of the data from
a read-only memory chip, often from a video game cartridge, a computer's firmware, or
from an arcade game's main board.
• The term is frequently used in the context of emulation, whereby older games or computer
firmware are copied to ROM files on modern computers and can, using a piece of software
known as an emulator, be run on the newer computer.

0.1.5 Virtual Machines

Overview
• A virtual machine (VM) is a software implementation of a machine (computer) that
executes programs like a real machine
• An essential characteristic of a virtual machine is that the software running inside is
limited to the resources and abstractions provided by the virtual machine -- it cannot
break out of its virtual world
VM Categories
• Virtual machines are separated in two major categories, based on their use and degree of
correspondence to any real machine.
• system virtual machine provides a complete system platform which supports the exe-
cution of a complete operating system.
• process virtual machine is designed to run a single program, which means that it sup-
ports a single process.

0.2 Systems Security Architecture

The security architecture is one component of a product’s overall architecture and is devel-
oped to provide guidance during the design of the product. It outlines the level of assurance
that is required and potential impacts that this level of security could have during the de-
velopment stages and on the product overall.

0.2.1 Security Design Principles

Security is a system requirement just like performance, capability, cost, etc.Therefore, it

may be necessary to trade off certain security requirements to gain others.
Principles of Secure Design
• Design security in from the start
• Allow for future security enhancements
• Minimize and isolate security controls

7
Contents

• Employ least privilege

• Structure the security relevant features
• Make security friendly
• Don’t depend on secrecy for security
Principles for Software Security
• Secure the weakest link
• Practice defense in depth
• Fail securely- If your software has to fail, make sure it does it securely
• Follow the principle of least privilege
• Compartmentalize- Minimize the amount of damage that can be done by breaking the
system into units
• Keep it simple- Complex design is never easy to understand
• Promote privacy- Try not to do anything that compromises the privacy of the user
• Remember that hiding secrets is hard
• Be reluctant to trust- Instead of making assumptions that need to hold true, you should
be reluctant to extend trust
• Use your community resources- Public scrutiny promotes trust
Design Principles for Protection Mechanisms
• Least privilege- Should only have the rights necessary to complete your task.
• Economy of mechanism- Should be sufficiently small and as simple as to be verified and
implemented – e.g., security kernel. Complex mechanisms should be correctly Under-
stood, Modeled, Configured, Implemented and Used
• Complete mediation- Every access to every object must be checked
• Open design- Let the design be open. Security through obscurity is a bad idea
• Should be open for scrutiny by the community- Better to have a friend/colleague find an
error than a foe
• Separation of privilege- Access to objects should depend on more than one condition
being satisfied
• Least common mechanism- Minimize the amount of mechanism common to more than
one user and depended on by all users
• Psychological acceptability- User interface must be easy to use, so that users routinely
and automatically apply the mechanisms correctly. Otherwise, they will be bypassed
• Fail-safe defaults. Should be lack of access

0.2.2 Trusted Computing Base

Overview
• A Trusted Computing Base (TCB) is the whole combination of protection mechanisms
within a computer system.
• The TCB addresses all the security components of the hardware, software, and firmware
within the system.
• It does not address the level of security that a system provides, but rather the level of
trust that a system provides as because no computer system can be totally secure

8
 Systems Security Architecture

• If the TCB is enabled, then the system has a trusted path, a trusted shell, and system
integrity–checking capabilities
• A trusted path is a communication channel between the user, or program, and the
kernel. The TCB provides protection resources to ensure that this channel cannot be
compromised in any way
• A trusted shell means that someone who is working in that shell cannot “bust out of
it” and other processes cannot “bust into” it.
• The TCB contains components that directly enforce the security policy (is a set of rules
and practices that dictates how sensitive information and resources are managed, pro-
tected, and distributed.)
Basic Functions of a TCB
• Process Activation- deals with the activities that have to take place when a process is
going to have its instructions and data processed by the CPU.
• Execution Domain Switching- takes place when a process needs to call upon a process in
a higher protection ring.
• Memory protection and
• I/O operations
Evaluating the TCB
• Evaluating the trust level of a system includes identifying the architecture, security ser-
vices, and assurance mechanisms that make up the TCB.
• During the evaluation process, the tests must show how the TCB is protected from
accidental or intentional tampering and compromising activity.
• For systems to achieve a higher trust level rating, they must meet well-defined TCB
requirements,and the details of their operational states, developing stages, testing proce-
dures, and documentation will be reviewed with more granularity than systems that are
attempting to achieve a lower trust rating.
Reference Monitor and Security Kernel
• The reference monitor is an abstract machine that mediates all access subjects have to
objects, both to ensure that the subjects have the necessary access rights and to protect
the objects from unauthorized access and destructive modification.
• The security kernel is made up of hardware, software, and firmware components that fall
within the TCB and implements and enforces the reference monitor concept.
• The security kernel mediates all access and functions between subjects and objects. The
security kernel is the core of the TCB and is the most commonly used approach to building
trusted computing systems. There are three main requirements of the security kernel:
• It must provide isolation for the processes carrying out the reference monitor concept,
and the processes must be tamper-proof.
• It must be invoked for every access attempt and must be impossible to circumvent.
Thus, the security kernel must be implemented in a complete and foolproof way.
• It must be small enough to be able to be tested and verified in a complete and com-
prehensive manner.
Security Perimeter
• A security perimeter is a boundary that divides the trusted from the untrusted.

9
Contents

• For the system to stay in a secure and trusted state, precise communication standards
must be developed to ensure that when a component within the TCB needs to communi-
cate with a component outside the TCB, the communication cannot expose the system to
unexpected security compromises. This type of communication is handled and controlled
through interfaces.
The Relation
• The reference monitor is a concept in which an abstract machine mediates all access to
objects by subjects.
• The security kernel is the hardware, firmware, and software of a TCB that implements
this concept.
• The TCB is the totality of protection mechanisms within a computer system that work
together to enforce a security policy. The TCB contains the security kernel and all other
security protection mechanisms

0.2.3 Security Modes of Operation

Overview
• A system can operate in different modes depending on the sensitivity of the data being
processed, the clearance level of the users, and what those users are authorized to do.
• The mode of operation describes the security conditions under which the system actually
functions.
• Trust vs Assurance
• A trust is a level of confidence or belief that tells the customer how much protection
he can expect out of the system.
• In a trusted system, all protection mechanisms work together to process sensitive data
for many types of uses, and will provide the necessary level of protection per classifi-
cation level
• Assurance is an higher level of confidence that looks at the same issue but in more
depth and detail where the system is throughly inspected.
Dedicated Security Mode All users must have…
• Proper clearance for all information on the system
• Formal access approval for all information on the system
• Signed NDA for all information on the system
• Valid need to know for all information on the system
All users can access all data.
System High-Security Mode All users must have…
• Proper clearance for all information on the system
• Formal access approval for all information on the system
• Signed NDA for all information on the system
• Valid need to know for some information on the system
All users can access some data, based on their need to know.
Compartmented Security Mode All users must have…

10
 Security Models

• Proper clearance for the highest level of data classification on the system
• Formal access approval for all information they will access on the system
• Signed NDA for all information they will access on the system
• Valid need to know for some of the information on the system
All users can access some data, based on their need to know and formal access approval.
Multilevel Security Mode All users must have…
• Proper clearance for all information they will access on the system
• Formal access approval for all information they will access on the system
• Signed NDA for all information they will access on the system
• Valid need to know for some of the information on the system
All users can access some data, based on their need to know, clearance, and formal access
approval.

0.3 Security Models

• A security policy is a document that expresses clearly and concisely what the protection
mechanisms are to achieve. Its a statement of the security we expect the system to
enforce.
• A security model is a specification of a security policy:
• it describes the entities governed by the policy,
• it states the rules that constitute the policy.
• There are various types of security models:
• Models can capture policies for confidentiality (Bell-LaPadula) or for integrity (Biba,
Clark-Wilson).
• Some models apply to environments with static policies (Bell-LaPadula), others con-
sider dynamic changes of access rights (Chinese Wall).
• Security models can be informal (Clark-Wilson), semi-formal, or formal (Bell-LaPadula,
Harrison-Ruzzo-Ullman).
• Model vs Policy
• A security model maps the abstract goals of the policy to information system terms
by specifying explicit data structures and techniques that are necessary to enforce the
security policy. A security model is usually represented in mathematics and analyt-
ical ideas, which are then mapped to system specifications, and then developed by
programmers through programming code
• For Example, if a security policy states that subjects need to be authorized to access
objects, the security model would provide the mathematical relationships and formulas
explaining how x can access y only through the outlined specific methods
• A security policy outlines goals without regard to how they will be accomplished. A
model is a framework that gives the policy form and solves security access problems
for particular situations.

0.3.1 Lattice Models

• A lattice is a mathematical construct that is built upon the notion of a group.

11
Contents

• A lattice is a mathematical construction with:

• a set of elements
• a partial ordering relation
• the property that any two elements must have unique least upper bound and greatest
lower bound
• A security lattice model combines multilevel and multilateral security
• Lattice elements are security labels that consist of a security level and set of categories

0.3.2 State Machine Models

• In state machine model, the state of a machine is captured in order to verify the security
of a system.
• A given state consists of all current permissions and all current instances of subjects
accessing the objects. If the subject can access objects only by means that are concurrent
with the security policy, the system is secure.
• The model is used to describe the behavior of a system to different inputs. It provides
mathematical constructs that represents sets (subjects, objects) and sequences. When
an object accepts an input , this modifies a state variable thus transiting to a different
state.
• Implementation tips
• The developer must define what and where the state variables are.
• The developer must define a secure state for each state variable.
• Define and identify the allowable state transition functions.
• The state transition function should be tested to verify that the overall m/c state will
not compromise and the integrity of the system is maintained.

0.3.3 Noninterference Models

• The model ensures that any actions that take place at a higher security level do not affect,
or interfere with, actions that take place at a lower level.
• It is not concerned with the flow of data, but rather with what a subject knows about
the state of the system. So if an entity at a higher security level performs an action, it
can not change the state for the entity at the lower level.
• The model also addresses the inference attack that occurs when some one has access
to some type of information and can infer(guess) something that he does not have the
clearance level or authority to know.

0.3.4 Bell—LaPadula Confidentiality Model

• It was the first mathematical model with a multilevel security policy that is used to define
the concept of a secure state machine and models of access and outlined rules of access.
• It is a state m/c model that enforces the confidentiality aspects of access model.
• The model focuses on ensuring that the subjects with different clearances(top secret,
secret, confidential) are properly authenticated by having the necessary security clearance
, need to know , and formal access approval-before accessing an object that are under
different classification levels (top secret, secret, confidential).

12
 Security Models

• The rules of Bell-Lapadula model

• Simple security rule (no read up rule): It states that a subject at a given security level
can not read data that resides at a higher security level.
• Star property rule ( no write down rule): It states that a subject in a given security
level can not write information to a lower security levels.
• Strong star property rule: It states a subject that has read and write capabilities can only
perform those functions at the same security level , nothing higher and nothing lower.
• Tranquility principle : subjects and objects can not change their security levels once they
have been instantiated (created).
• All MAC systems are based on the Bell – Lapadula model because of it multilevel security.
• Designed US govt and mostly adopted by govt agencies

0.3.5 Biba Integrity Model

• It is developed after Bell – Lapadula model.

• It addresses integrity of data unlike Bell – Lapadula which addresses confidentiality.
• It uses a lattice of integrity levels unlike Bell – Lapadula which uses a lattice of security
levels.
• It is also an information flow model like the Bell – Lapadula because they are most
concerned about data flowing from one level to another.
• The rules of Biba model
• simple integrity rule(no read down) : it states that a subject can not read data from a
lower integrity level.
• star integrity rule(no write up) : it states that a subject can not write data to an object
at a higher integrity level.
• invocation property : it states that a subject can not invoke(call upon) a subject at a
higher integrity level.

0.3.6 Clark—Wilson Integrity Model

• It was developed after Biba and addresses the integrity of information.

• This model separates data into one subject that needs to be highly protected , referred
to as a constrained data item(CDI)and another subset that does not require high level of
protection , referred to as unconstrained data items(UDI).
• Components
• Subjects (users): are active agents.
• Transformation procedures (TPs): the s/w procedures such as read, write, modify that
perform the required operation on behalf of the subject (user).
• Constrained data items (CDI): data that can be modified only by Tp’s.
• Unconstrained data items (UDI): data that can be manipulated by subjects via primi-
tive read/write operations.
• Integrity verification procedure (IVP): programs that run periodically to check the
consistency of CDIs with external reality. These integrity rules are usually defined by
vendors.
• Integrity goals of Clark – Wilson model
• Prevent unauthorized users from making modification (addressed by Biba model).

13
Contents

• Separation of duties prevents authorized users from making improper modifications.

• Well formed transactions: maintain internal and external consistency i.e. it is a series
of operations that are carried out to transfer the data from one consistent state to the
other.

0.3.7 Access Control Matrix

• This model addressed in access control.

• Commonly used in OS and applications.

0.3.8 Information Flow Models

• In this model, data is thought of as being held in individual discrete compartments.

• Information is compartmentalized based on two factors.
• Classification and
• Need to know
• The subjects clearance has to dominate the objects classification and the subjects security
profile must contain the one of the categories listed in the object label, which enforces
need to know.
• For example:
• Bell – Lapadula which prevents information flowing from higher source level to lower
source level.
• Biba which prevents information flowing from lower integrity level to higher integrity
level
Covert channels
• A covert channel is a way for an entity to receive information in an unauthorized manner.
• It is an information flow that is not controlled by a security mechanism.
• It is an unauthorized communication path that is not protected by the system because it
was uncovered while developing the system.
• Types of covert channels
• Covert timing: in this channel, one process relays information to another by modulating
its use of system resources.
• Covert storage: in this channel, one process writes data to a storage location and
another process directly, or indirectly reads it.

0.3.9 Graham—Denning Model

• This model defines a set of basic rights in terms of commands that a specific subject can
execute on an object.
• It proposes the eight primitive protection rights, or rules of how these types of function-
alities should take place securely.
• How to securely create an object.
• How to securely create a subject.
• How to securely delete an object.
• How to securely delete a subject.

14
 Security Product Evaluation Methods and Criteria

• How to provide read access rights.

• How to provide grant access rights.
• How to provide delete access rights.
• How to provide transfer access rights.

0.3.10 Harrison—Ruzzo—Ullman Model

• The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level
computer security model which deals with the integrity of access rights in the system.
The system is based around the idea of a finite set of procedures being available to edit
the access rights of a subject s on an object o.
• The model also discussed the possibilities and limitations of proving safety of a system
using an algorithm.

0.3.11 Brewer—Nash (Chinese Wall)

• This model provides access controls that can change dynamically depending upon a user’s
previous actions.
• The main goal of this model is to protect against conflicts of interests by user’s access
attempts.
• It is based on the information flow model, where no information can flow between subjects
and objects in a way that would result in a conflict of interest.
• The model states that a subject can write to an object if, and only if, the subject can
not read another object that is in a different data set.

0.4 Security Product Evaluation Methods and Criteria

• A security evaluation examines the security-relevant parts of a system, meaning the TCB,
access control mechanisms, reference monitor, kernel, and protection mechanisms. The
relationship and interaction between these components are also evaluated.
• There are different methods of evaluating and assigning assurance levels to systems. Two
reasons explain why more than one type of assurance evaluation process exist:
• methods and ideologies have evolved over time, and
• various parts of the world look at computer security differently and rate some aspects
of security differently
• An evaluation program establishes a trust between the security product vendor and the
customer.
Evaluation Standards
• Information Technology Security Evaluation Criteria (ITSEC)- EU
• Trusted Computing Security Evaluation Criteria (TCSEC) -US
• Common Criteria- Hybrid of ITSEC and TCSEC

15
Contents

0.4.1 Rainbow Series

The Rainbow series was a series of books to cover all the areas of security like
• Red Books- Network Security
• Orange Books- Operating System Security
• Yellow- Security Risk Management
• Violet- Database Security

i Information
Originally only the orange book existed but the other books have evolved to cover all
the areas of security and thus the collection is names as Rainbow series

Orange Book or TCSEC

Overview
• TCSEC was developed by US DoD and was published in an Orange book and hence also
called as Orange Book
• It mainly addresses the confidentiality, but not integrity and mainly addresses government
and military requirements.
• It is used to evaluate whether a product contains the security properties the vendor claims
it does and whether the product is appropriate for a specific application or function.
• It is used to review the functionality, effectiveness,and assurance of a product during its
evaluation, and it uses classes that were devised to address typical patterns of security
requirements.
• TCSEC provides a classification system that is divided into different assurance levels with
A representing the highest and D the lowest.
• A: Verified protection
• B: Mandatory protection: Variants- B1<B2<B3
• C: Discretionary protection: Variants-C1<C2
• D: Minimal security
The levels are concentric.i.e if a product is assured at level B2, that implies it meets D,C1,C2
and B1
The Criteria
• Security policy- The policy must be explicit and well defined and enforced by the mech-
anisms within the system.
• Identification- Individual subjects must be uniquely identified.
• Labels Access- Control labels must be associated properly with objects.
• Documentation- Documentation must be provided, including test, design, and specifica-
tion documents, user guides, and manuals.
• Accountability- Audit data must be captured and protected to enforce accountability.
• Life cycle assurance- Software, hardware, and firmware must be able to be tested individ-
ually to ensure that each enforces the security policy in an effective manner throughout
their lifetimes.

16
 Security Product Evaluation Methods and Criteria

• Continuous protection- The security mechanisms and the system as a whole must perform
predictably and acceptably in different situations continuously.

i Information
Even though the evaluation is done independently based on the above categories, the
rating that is assigned at the end is a sum total of these items.

The Assurance Levels

• Division D: Minimal Protection- It is reserved for systems that have been evaluated but
fail to meet the criteria and requirements of the higher divisions.
• Division C: Discretionary Protection- The C rating category has two individual assurance
ratings within it.
• C1: Discretionary Security Protection
• Based on individuals and/or groups.
• It requires a separation of users and information, and identification and authentica-
tion of individual entities is provided.
• The type of environment that would require this rating is one in which users are
processing information at the same sensitivity level; thus, strict access control and
auditing measures are not required.
• It would be a trusted environment with low security concerns
• C2: Controlled Access Protection
• Users need to be identified individually to provide more precise access control and
auditing functionality.
• Logical access control mechanisms are used to enforce authentication and the unique-
ness of each individual’s identification
• The type of environment that would require systems with a C2 rating is one in which
users are trusted but a certain level of accountability is required.
• Overall, C2 is regarded to be the most reasonable class for commercial applications,
but the level of protection is still relatively weak
• Division B: Mandatory Protection- Mandatory access control is enforced by the use of
security labels. The architecture is based on the Bell-LaPadula security model, and
evidence of reference monitor enforcement must be available
• B1: Labeled Security
• Each data object must contain a classification label and each subject must have a
clearance label.
• When a subject attempts to access an object,the system must compare the subject’s
and object’s security labels to ensure that the requested actions are acceptable.
• Data leaving the system must also contain an accurate security label.
• The security policy is based on an informal statement, and the design specifications
are reviewed and verified.
• This security rating is intended for environments that require systems to handle
classified data.
• B2: Structured Protection
• The security policy is clearly defined and documented,and the system design and
implementation are subjected to more thorough review and testing procedures.

17
Contents

• This class requires more stringent authentication mechanisms and well-defined inter-
faces among layers.
• Subjects and devices require labels, and the system must not allow covert channels.
• The type of environment that would require B2 systems is one that processes sen-
sitive data that requires a higher degree of security and are relatively resistant to
penetration and compromise.
• B3: Security Domains
• In this class, more granularity is provided in each protection mechanism, and the
programming code that is not necessary to support the security policy is excluded.
• The reference monitor components must be small enough to test properly and be
tamper-proof
• The system must be able to recover from failures without its security level being
compromised.
• The type of environment that requires B3 systems is a highly secured environment
that processes very sensitive information and are highly resistant to penetration.
• Division A: Verified Protection- Formal methods are used to ensure that all subjects and
objects are controlled with the necessary discretionary and mandatory access controls.
The design, development, implementation, and documentation are looked at in a formal
and detailed way
• A1: Verified Design
• Formal techniques are used to prove the equivalence between the TCB specifications
and the security policy model.
• More stringent change configuration is put in place with the development of an A1
system, and the overall design can be verified
• The type of environment that would require A1 systems is the most secure of se-
cured environments. This type of environment deals with top-secret information
and cannot adequately trust anyone using the systems without strict authentication,
restrictions,and auditing.
TCSEC Myths
• It looks specifically at the operating system and not at other issues like networking,
databases, and so on.
• It focuses mainly on one attribute of security, confidentiality, and not at integrity and
availability.
• It works with government classifications and not the protection classifications that com-
mercial industries use.
• It has a relatively small number of ratings, which means many different aspects of security
are not evaluated and rated independently.

Red Book or TNI

Overview
• Red books also called Trusted Network Interpretation (TNI),addresses security evaluation
topics for networks and network components.

18
 Security Product Evaluation Methods and Criteria

• Like the Orange Book, the Red Book does not supply specific details about how to
implement security mechanisms; instead, it provides a framework for securing different
types of networks
• It rates the confidentiality of data and operations that happen within a network and the
network components and products.
Security Items addresses in the Orange Books
• Communication integrity
• Authentication Protects against masquerading and playback attacks. Mechanisms in-
clude digital signatures, encryption, timestamp, and passwords.
• Message integrity Protects the protocol header, routing information, and packet pay-
load from being modified. Mechanisms include message authentication and encryption.
• Non-repudiation Ensures that a sender cannot deny sending a message.Mechanisms
include encryption, digital signatures, and notarization.
• Denial-of-service prevention
• Continuity of operations Ensures that the network is available even if attacked. Mech-
anisms include fault tolerant and redundant systems and the capability to reconfigure
network parameters in case of an emergency.
• Network management Monitors network performance and identifies attacks and fail-
ures. Mechanisms include components that enable network administrators to monitor
and restrict resource access.
• Compromise protection
• Data confidentiality Protects data from being accessed in an unauthorized method
during transmission. Mechanisms include access controls, encryption,and physical pro-
tection of cables.
• Traffic flow confidentiality Ensures that unauthorized entities are not aware of routing
information or frequency of communication via traffic analysis. Mechanisms include
padding messages, sending noise, or sending false messages.
• Selective routing Routes messages in a way to avoid specific threats.Mechanisms include
network configuration and routing tables.

0.4.2 Information Technology Security Evaluation Criteria (ITSEC)

Overview
• As TCSEC was developed by US, ITSEC was developed by the EU to address all the
security evaluation issues.
• The ITSEC had two main evaluation attributes
• Functionality- When the functionality of a system’s protection mechanisms is being
evaluated, the services that are provided to the subjects like access control mechanisms,
auditing, authentication, and so on are examined and measured.
• Assurance- Assurance, is the degree of confidence in the protection mechanisms,and
their effectiveness and capability to perform consistently. Assurance is generally tested
by examining development practices, documentation, configuration management, and
testing mechanisms.
Evaluation Criteria

19
Contents

ITSEC had 10 classes F1 to F10 to evaluate the functional requirements and 7 classes E0
to E6 to evaluate the assurance requirements.
• Security functional requirements
• F00:Identification and authentication
• F01:Audit
• F02:Resource utilization
• F03:Trusted paths/channels
• F04:User data protection
• F05:Security management
• F06:Product access
• F07:Communications
• F08:Privacy
• F09:Protection of the product’s security functions
• F10:Cryptographic support
• Security assurance requirements
• E00:Guidance documents and manuals
• E01:Configuration management
• E02:Vulnerability assessment
• E03:Delivery and operation
• E04:Life-cycle support
• E05:Assurance maintenance
• E06:Development
• Testing
ITSEC Ratings
• The ratings are based on effectiveness and correctness.
• Effectiveness means that the TOE meets the security claims that the vendor has speci-
fied. This analysis looks at the construction and operational vulnerabilities and the ease
of use, to ensure that the proper security settings do not get in the way of productivity.-
rates functionality
• Correctness deals with how the TOE was built and implementation issues. This type
of analysis looks at the architectural design, how the security mechanisms enforce the
policy, and the operational documentation and environment.- rates assurance.
TCSEC vs ITSEC
• TCSEC bundles functionality and assurance into one rating, whereas ITSEC evaluates
these two attributes separately.
• ITSEC provides more flexibility than TCSEC.
• ITSEC addresses integrity, availability, and confidentiality whereas TCSEC addresses
only confidentiality.
• ITSEC also addresses networked systems, whereas TCSEC deals with stand-alone sys-
tems.

0.4.3 Common Criteria

Overview

20
 Security Product Evaluation Methods and Criteria

• Common criteria was the result of ISO's attempt to gather several organizations to come
together to combine and align existing and emerging evaluation criteria like TCSEC,
ITSEC, Canadian Trusted Computer Product Evaluation Criteria [CTCPEC], and the
Federal Criteria.
• It was developed through a collaboration among national security standards organiza-
tions within the United States, Canada, France, Germany, the United Kingdom, and the
Netherlands.
• Under the Common Criteria model, an evaluation is carried out on a product and is
assigned an Evaluation Assurance Level (EAL)
Benefits of the CC
• Helps consumers by reducing the complexity of the ratings and eliminating the need
to understand the definition and meaning of different ratings within various evaluation
schemes.
• Helps manufacturers because now they can build to one specific set of requirements if
they want to sell their products internationally, instead of having to meet several different
ratings with varying rules and requirements.
CC Assurance Levels
• The Common Criteria has seven assurance levels which ranges from EAL1(lowest), where
functionality testing takes place, through EAL7(highest), where thorough testing is per-
formed and the system design is verified.
• EAL 1 Functionally tested
• EAL 2 Structurally tested
• EAL 3 Methodically tested and checked
• EAL 4 Methodically designed, tested, and reviewed
• EAL 5 Semi-formally designed and tested
• EAL 6 Semi-formally verified design and tested
• EAL 7 Formally verified design and tested
Protection Profile
• A protection profile is a mechanism that is used by CC in its evaluation process to describe
a real-world need of a product that is not currently on the market.
• Protection Profile Characteristics
• Contains the set of security requirements, their meaning and reasoning, and the corre-
sponding EAL rating that the intended product will require.
• Describes the environmental assumptions, the objectives, and the functional and as-
surance level expectations. Each relevant threat is listed along with how it is to be
controlled by specific objectives.
• Justifies the assurance level and requirements for the strength of each protection mech-
anism.
• Provides a means for a consumer, or others, to identify specific security needs; this is
the security problem that is to be conquered
• Provide the necessary goals and protection mechanisms to achieve the necessary level
of security and a list of the things that can go wrong during the type of system devel-
opment.
• Protection Profile Sections

21
Contents

• Descriptive elements Provides the name of the profile and a description of the security
problem that is to be solved.
• Rationale Justifies the profile and gives a more detailed description of the real-world
problem to be solved. The environment, usage assumptions, and threats are illustrated
along with guidance on the security policies that can be supported by products and
systems that conform to this profile.
• Functional requirements Establishes a protection boundary, meaning the threats or
compromises that are within this boundary to be countered. The product or system
must enforce the boundary established in this section.
• Development assurance requirements Identifies the specific requirements that the prod-
uct or system must meet during the development phases, from design to implementa-
tion.
• Evaluation assurance requirements Establishes the type and intensity of the evaluation.
CC Components
• Protection profile- Description of needed security solution.
• Target of evaluation- Product proposed to provide needed security solution.
• Security target- Vendor’s written explanation of the security functionality and assurance
mechanisms that meet the needed security solution; in other words, “This is what our
product does and how it does it.”
• Packages—EALs- Functional and assurance requirements are bundled into packages for
reuse. This component describes what must be met to achieve specific EAL ratings.

0.4.4 Certification and Accreditation

Certification
• Certification is the comprehensive technical evaluation of the security components and
their compliance for the purpose of accreditation.
• A certification process may use safeguard evaluation, risk analysis, verification, testing,
and auditing techniques to assess the appropriateness of a specific system.
• The goal of a certification process is to ensure that a system, product, or network is right
for the customer’s purposes.
Accreditation
• Accreditation is the formal acceptance of the adequacy of a system’s overall security and
functionality by management.
• Certification is a technical review that assesses the security mechanisms and evaluates
their effectiveness. Accreditation is management’s official acceptance of the information
in the certification process findings.

22
1 Contributors

Edits User
1 Adrignola1
5 QuiteUnusual2

1 http://en.wikibooks.org/wiki/User:Adrignola
2 http://en.wikibooks.org/wiki/User:QuiteUnusual

23
List of Figures

• GFDL: Gnu Free Documentation License. http://www.gnu.org/licenses/fdl.

html
• cc-by-sa-3.0: Creative Commons Attribution ShareAlike 3.0 License. http://
creativecommons.org/licenses/by-sa/3.0/
• cc-by-sa-2.5: Creative Commons Attribution ShareAlike 2.5 License. http://
creativecommons.org/licenses/by-sa/2.5/
• cc-by-sa-2.0: Creative Commons Attribution ShareAlike 2.0 License. http://
creativecommons.org/licenses/by-sa/2.0/
• cc-by-sa-1.0: Creative Commons Attribution ShareAlike 1.0 License. http://
creativecommons.org/licenses/by-sa/1.0/
• cc-by-2.0: Creative Commons Attribution 2.0 License. http://creativecommons.
org/licenses/by/2.0/
• cc-by-2.0: Creative Commons Attribution 2.0 License. http://creativecommons.
org/licenses/by/2.0/deed.en
• cc-by-2.5: Creative Commons Attribution 2.5 License. http://creativecommons.
org/licenses/by/2.5/deed.en
• cc-by-3.0: Creative Commons Attribution 3.0 License. http://creativecommons.
org/licenses/by/3.0/deed.en
• GPL: GNU General Public License. http://www.gnu.org/licenses/gpl-2.0.txt
• LGPL: GNU Lesser General Public License. http://www.gnu.org/licenses/lgpl.
html
• PD: This image is in the public domain.
• ATTR: The copyright holder of this file allows anyone to use it for any purpose,
provided that the copyright holder is properly attributed. Redistribution, derivative
work, commercial use, and all other use is permitted.
• EURO: This is the common (reverse) face of a euro coin. The copyright on the design
of the common face of the euro coins belongs to the European Commission. Authorised
is reproduction in a format without relief (drawings, paintings, films) provided they
are not detrimental to the image of the euro.
• LFK: Lizenz Freie Kunst. http://artlibre.org/licence/lal/de
• CFR: Copyright free use.

25
List of Figures

• EPL: Eclipse Public License. http://www.eclipse.org/org/documents/epl-v10.

php
Copies of the GPL, the LGPL as well as a GFDL are included in chapter Licenses3 . Please
note that images in the public domain do not require attribution. You may click on the
image numbers in the following table to open the webpage of the images in your webbrower.

3 Chapter 2 on page 29

26
List of Figures

27
2 Licenses

2.1 GNU GENERAL PUBLIC LICENSE

Version 3, 29 June 2007 The “Corresponding Source” for a work in object code form means all different server (operated by you or a third party) that supports equiv- your license, and (b) permanently, if the copyright holder fails to no-
the source code needed to generate, install, and (for an executable alent copying facilities, provided you maintain clear directions next to tify you of the violation by some reasonable means prior to 60 days
Copyright © 2007 Free Software Foundation, Inc. <http://fsf.org/> work) run the object code and to modify the work, including scripts the object code saying where to find the Corresponding Source. Re- after the cessation.
to control those activities. However, it does not include the work's gardless of what server hosts the Corresponding Source, you remain
System Libraries, or general-purpose tools or generally available free obligated to ensure that it is available for as long as needed to satisfy Moreover, your license from a particular copyright holder is reinstated
Everyone is permitted to copy and distribute verbatim copies of this
programs which are used unmodified in performing those activities but these requirements. * e) Convey the object code using peer-to-peer permanently if the copyright holder notifies you of the violation by
license document, but changing it is not allowed. Preamble
which are not part of the work. For example, Corresponding Source transmission, provided you inform other peers where the object code some reasonable means, this is the first time you have received notice
includes interface definition files associated with source files for the and Corresponding Source of the work are being offered to the general of violation of this License (for any work) from that copyright holder,
The GNU General Public License is a free, copyleft license for software work, and the source code for shared libraries and dynamically linked public at no charge under subsection 6d. and you cure the violation prior to 30 days after your receipt of the
and other kinds of works. subprograms that the work is specifically designed to require, such as notice.
by intimate data communication or control flow between those sub- A separable portion of the object code, whose source code is excluded
The licenses for most software and other practical works are designed programs and other parts of the work. from the Corresponding Source as a System Library, need not be in- Termination of your rights under this section does not terminate the
to take away your freedom to share and change the works. By con- cluded in conveying the object code work. licenses of parties who have received copies or rights from you under
trast, the GNU General Public License is intended to guarantee your The Corresponding Source need not include anything that users can re- this License. If your rights have been terminated and not permanently
freedom to share and change all versions of a program--to make sure generate automatically from other parts of the Corresponding Source.
A “User Product” is either (1) a “consumer product”, which means any reinstated, you do not qualify to receive new licenses for the same
it remains free software for all its users. We, the Free Software Foun-
tangible personal property which is normally used for personal, family, material under section 10. 9. Acceptance Not Required for Having
dation, use the GNU General Public License for most of our software;
The Corresponding Source for a work in source code form is that same or household purposes, or (2) anything designed or sold for incorpora- Copies.
it applies also to any other work released this way by its authors. You
work. 2. Basic Permissions. tion into a dwelling. In determining whether a product is a consumer
can apply it to your programs, too.
product, doubtful cases shall be resolved in favor of coverage. For a You are not required to accept this License in order to receive or run
All rights granted under this License are granted for the term of copy- particular product received by a particular user, “normally used” refers a copy of the Program. Ancillary propagation of a covered work oc-
When we speak of free software, we are referring to freedom, not price.
right on the Program, and are irrevocable provided the stated con- to a typical or common use of that class of product, regardless of the curring solely as a consequence of using peer-to-peer transmission to
Our General Public Licenses are designed to make sure that you have
ditions are met. This License explicitly affirms your unlimited per- status of the particular user or of the way in which the particular receive a copy likewise does not require acceptance. However, nothing
the freedom to distribute copies of free software (and charge for them
mission to run the unmodified Program. The output from running a user actually uses, or expects or is expected to use, the product. A other than this License grants you permission to propagate or modify
if you wish), that you receive source code or can get it if you want
covered work is covered by this License only if the output, given its product is a consumer product regardless of whether the product has any covered work. These actions infringe copyright if you do not accept
it, that you can change the software or use pieces of it in new free
content, constitutes a covered work. This License acknowledges your substantial commercial, industrial or non-consumer uses, unless such this License. Therefore, by modifying or propagating a covered work,
programs, and that you know you can do these things.
rights of fair use or other equivalent, as provided by copyright law. uses represent the only significant mode of use of the product. you indicate your acceptance of this License to do so. 10. Automatic
Licensing of Downstream Recipients.
To protect your rights, we need to prevent others from denying you
You may make, run and propagate covered works that you do not con- “Installation Information” for a User Product means any methods, pro-
these rights or asking you to surrender the rights. Therefore, you have
vey, without conditions so long as your license otherwise remains in cedures, authorization keys, or other information required to install Each time you convey a covered work, the recipient automatically re-
certain responsibilities if you distribute copies of the software, or if you
force. You may convey covered works to others for the sole purpose and execute modified versions of a covered work in that User Product ceives a license from the original licensors, to run, modify and prop-
modify it: responsibilities to respect the freedom of others.
of having them make modifications exclusively for you, or provide you from a modified version of its Corresponding Source. The information agate that work, subject to this License. You are not responsible for
with facilities for running those works, provided that you comply with must suffice to ensure that the continued functioning of the modified enforcing compliance by third parties with this License.
For example, if you distribute copies of such a program, whether gratis the terms of this License in conveying all material for which you do not object code is in no case prevented or interfered with solely because
or for a fee, you must pass on to the recipients the same freedoms that control copyright. Those thus making or running the covered works modification has been made. An “entity transaction” is a transaction transferring control of an or-
you received. You must make sure that they, too, receive or can get for you must do so exclusively on your behalf, under your direction ganization, or substantially all assets of one, or subdividing an orga-
the source code. And you must show them these terms so they know and control, on terms that prohibit them from making any copies of
If you convey an object code work under this section in, or with, or nization, or merging organizations. If propagation of a covered work
their rights. your copyrighted material outside their relationship with you.
specifically for use in, a User Product, and the conveying occurs as results from an entity transaction, each party to that transaction who
part of a transaction in which the right of possession and use of the receives a copy of the work also receives whatever licenses to the work
Developers that use the GNU GPL protect your rights with two steps: Conveying under any other circumstances is permitted solely under the party's predecessor in interest had or could give under the previous
User Product is transferred to the recipient in perpetuity or for a fixed
(1) assert copyright on the software, and (2) offer you this License the conditions stated below. Sublicensing is not allowed; section 10 paragraph, plus a right to possession of the Corresponding Source of
term (regardless of how the transaction is characterized), the Corre-
giving you legal permission to copy, distribute and/or modify it. makes it unnecessary. 3. Protecting Users' Legal Rights From Anti- the work from the predecessor in interest, if the predecessor has it or
sponding Source conveyed under this section must be accompanied by
Circumvention Law. the Installation Information. But this requirement does not apply if can get it with reasonable efforts.
For the developers' and authors' protection, the GPL clearly explains neither you nor any third party retains the ability to install modi-
that there is no warranty for this free software. For both users' and No covered work shall be deemed part of an effective technological fied object code on the User Product (for example, the work has been You may not impose any further restrictions on the exercise of the
authors' sake, the GPL requires that modified versions be marked as measure under any applicable law fulfilling obligations under article installed in ROM). rights granted or affirmed under this License. For example, you may
changed, so that their problems will not be attributed erroneously to 11 of the WIPO copyright treaty adopted on 20 December 1996, or not impose a license fee, royalty, or other charge for exercise of rights
authors of previous versions. similar laws prohibiting or restricting circumvention of such measures. granted under this License, and you may not initiate litigation (in-
The requirement to provide Installation Information does not include
a requirement to continue to provide support service, warranty, or up- cluding a cross-claim or counterclaim in a lawsuit) alleging that any
Some devices are designed to deny users access to install or run mod- dates for a work that has been modified or installed by the recipient, patent claim is infringed by making, using, selling, offering for sale, or
When you convey a covered work, you waive any legal power to forbid
ified versions of the software inside them, although the manufacturer or for the User Product in which it has been modified or installed. importing the Program or any portion of it. 11. Patents.
circumvention of technological measures to the extent such circum-
can do so. This is fundamentally incompatible with the aim of protect- vention is effected by exercising rights under this License with respect Access to a network may be denied when the modification itself ma-
ing users' freedom to change the software. The systematic pattern of to the covered work, and you disclaim any intention to limit opera- terially and adversely affects the operation of the network or violates A “contributor” is a copyright holder who authorizes use under this
such abuse occurs in the area of products for individuals to use, which tion or modification of the work as a means of enforcing, against the the rules and protocols for communication across the network. License of the Program or a work on which the Program is based. The
is precisely where it is most unacceptable. Therefore, we have designed work's users, your or third parties' legal rights to forbid circumvention work thus licensed is called the contributor's “contributor version”.
this version of the GPL to prohibit the practice for those products. If of technological measures. 4. Conveying Verbatim Copies.
such problems arise substantially in other domains, we stand ready to Corresponding Source conveyed, and Installation Information pro-
vided, in accord with this section must be in a format that is publicly A contributor's “essential patent claims” are all patent claims owned
extend this provision to those domains in future versions of the GPL,
You may convey verbatim copies of the Program's source code as you documented (and with an implementation available to the public in or controlled by the contributor, whether already acquired or hereafter
as needed to protect the freedom of users.
receive it, in any medium, provided that you conspicuously and appro- source code form), and must require no special password or key for acquired, that would be infringed by some manner, permitted by this
priately publish on each copy an appropriate copyright notice; keep in- unpacking, reading or copying. 7. Additional Terms. License, of making, using, or selling its contributor version, but do
Finally, every program is threatened constantly by software patents. not include claims that would be infringed only as a consequence of
tact all notices stating that this License and any non-permissive terms
States should not allow patents to restrict development and use of soft- further modification of the contributor version. For purposes of this
added in accord with section 7 apply to the code; keep intact all no-
ware on general-purpose computers, but in those that do, we wish to “Additional permissions” are terms that supplement the terms of this definition, “control” includes the right to grant patent sublicenses in a
tices of the absence of any warranty; and give all recipients a copy of
avoid the special danger that patents applied to a free program could License by making exceptions from one or more of its conditions. Ad- manner consistent with the requirements of this License.
this License along with the Program.
make it effectively proprietary. To prevent this, the GPL assures that ditional permissions that are applicable to the entire Program shall be
patents cannot be used to render the program non-free. treated as though they were included in this License, to the extent that
You may charge any price or no price for each copy that you con- they are valid under applicable law. If additional permissions apply Each contributor grants you a non-exclusive, worldwide, royalty-free
vey, and you may offer support or warranty protection for a fee. 5. only to part of the Program, that part may be used separately under patent license under the contributor's essential patent claims, to make,
The precise terms and conditions for copying, distribution and modi- use, sell, offer for sale, import and otherwise run, modify and propa-
Conveying Modified Source Versions. those permissions, but the entire Program remains governed by this
fication follow. TERMS AND CONDITIONS 0. Definitions. gate the contents of its contributor version.
License without regard to the additional permissions.
You may convey a work based on the Program, or the modifications
“This License” refers to version 3 of the GNU General Public License. In the following three paragraphs, a “patent license” is any express
to produce it from the Program, in the form of source code under the When you convey a copy of a covered work, you may at your option
terms of section 4, provided that you also meet all of these conditions: agreement or commitment, however denominated, not to enforce a
remove any additional permissions from that copy, or from any part
“Copyright” also means copyright-like laws that apply to other kinds patent (such as an express permission to practice a patent or covenant
of it. (Additional permissions may be written to require their own
of works, such as semiconductor masks. not to sue for patent infringement). To “grant” such a patent license
* a) The work must carry prominent notices stating that you modified removal in certain cases when you modify the work.) You may place
to a party means to make such an agreement or commitment not to
it, and giving a relevant date. * b) The work must carry prominent additional permissions on material, added by you to a covered work,
“The Program” refers to any copyrightable work licensed under this Li- enforce a patent against the party.
notices stating that it is released under this License and any conditions for which you have or can give appropriate copyright permission.
cense. Each licensee is addressed as “you”. “Licensees” and “recipients” added under section 7. This requirement modifies the requirement in
may be individuals or organizations. section 4 to “keep intact all notices”. * c) You must license the entire If you convey a covered work, knowingly relying on a patent license,
Notwithstanding any other provision of this License, for material you and the Corresponding Source of the work is not available for anyone
work, as a whole, under this License to anyone who comes into pos-
add to a covered work, you may (if authorized by the copyright holders to copy, free of charge and under the terms of this License, through
To “modify” a work means to copy from or adapt all or part of the work session of a copy. This License will therefore apply, along with any
of that material) supplement the terms of this License with terms: a publicly available network server or other readily accessible means,
in a fashion requiring copyright permission, other than the making of applicable section 7 additional terms, to the whole of the work, and
an exact copy. The resulting work is called a “modified version” of the all its parts, regardless of how they are packaged. This License gives then you must either (1) cause the Corresponding Source to be so
earlier work or a work “based on” the earlier work. no permission to license the work in any other way, but it does not * a) Disclaiming warranty or limiting liability differently from the available, or (2) arrange to deprive yourself of the benefit of the patent
invalidate such permission if you have separately received it. * d) If terms of sections 15 and 16 of this License; or * b) Requiring preser- license for this particular work, or (3) arrange, in a manner consistent
the work has interactive user interfaces, each must display Appropriate vation of specified reasonable legal notices or author attributions in with the requirements of this License, to extend the patent license to
A “covered work” means either the unmodified Program or a work
Legal Notices; however, if the Program has interactive interfaces that that material or in the Appropriate Legal Notices displayed by works downstream recipients. “Knowingly relying” means you have actual
based on the Program.
do not display Appropriate Legal Notices, your work need not make containing it; or * c) Prohibiting misrepresentation of the origin of knowledge that, but for the patent license, your conveying the cov-
them do so. that material, or requiring that modified versions of such material be ered work in a country, or your recipient's use of the covered work
To “propagate” a work means to do anything with it that, without per- marked in reasonable ways as different from the original version; or * in a country, would infringe one or more identifiable patents in that
mission, would make you directly or secondarily liable for infringement d) Limiting the use for publicity purposes of names of licensors or au- country that you have reason to believe are valid.
under applicable copyright law, except executing it on a computer or A compilation of a covered work with other separate and independent
thors of the material; or * e) Declining to grant rights under trademark
modifying a private copy. Propagation includes copying, distribution works, which are not by their nature extensions of the covered work,
law for use of some trade names, trademarks, or service marks; or * If, pursuant to or in connection with a single transaction or arrange-
(with or without modification), making available to the public, and in and which are not combined with it such as to form a larger program,
f) Requiring indemnification of licensors and authors of that material ment, you convey, or propagate by procuring conveyance of, a covered
some countries other activities as well. in or on a volume of a storage or distribution medium, is called an
by anyone who conveys the material (or modified versions of it) with work, and grant a patent license to some of the parties receiving the
“aggregate” if the compilation and its resulting copyright are not used
contractual assumptions of liability to the recipient, for any liability covered work authorizing them to use, propagate, modify or convey a
to limit the access or legal rights of the compilation's users beyond
To “convey” a work means any kind of propagation that enables other that these contractual assumptions directly impose on those licensors specific copy of the covered work, then the patent license you grant is
what the individual works permit. Inclusion of a covered work in an
parties to make or receive copies. Mere interaction with a user through and authors. automatically extended to all recipients of the covered work and works
aggregate does not cause this License to apply to the other parts of
a computer network, with no transfer of a copy, is not conveying. based on it.
the aggregate. 6. Conveying Non-Source Forms.
All other non-permissive additional terms are considered “further re-
An interactive user interface displays “Appropriate Legal Notices” to strictions” within the meaning of section 10. If the Program as you A patent license is “discriminatory” if it does not include within the
You may convey a covered work in object code form under the terms of
the extent that it includes a convenient and prominently visible fea- received it, or any part of it, contains a notice stating that it is gov- scope of its coverage, prohibits the exercise of, or is conditioned on the
sections 4 and 5, provided that you also convey the machine-readable
ture that (1) displays an appropriate copyright notice, and (2) tells the erned by this License along with a term that is a further restriction, non-exercise of one or more of the rights that are specifically granted
Corresponding Source under the terms of this License, in one of these
user that there is no warranty for the work (except to the extent that you may remove that term. If a license document contains a further under this License. You may not convey a covered work if you are
ways:
warranties are provided), that licensees may convey the work under restriction but permits relicensing or conveying under this License, you a party to an arrangement with a third party that is in the business
this License, and how to view a copy of this License. If the inter- may add to a covered work material governed by the terms of that li- of distributing software, under which you make payment to the third
face presents a list of user commands or options, such as a menu, a * a) Convey the object code in, or embodied in, a physical product (in- cense document, provided that the further restriction does not survive party based on the extent of your activity of conveying the work, and
prominent item in the list meets this criterion. 1. Source Code. cluding a physical distribution medium), accompanied by the Corre- such relicensing or conveying. under which the third party grants, to any of the parties who would
sponding Source fixed on a durable physical medium customarily used
receive the covered work from you, a discriminatory patent license (a)
for software interchange. * b) Convey the object code in, or embodied
The “source code” for a work means the preferred form of the work for If you add terms to a covered work in accord with this section, you in connection with copies of the covered work conveyed by you (or
in, a physical product (including a physical distribution medium), ac-
making modifications to it. “Object code” means any non-source form must place, in the relevant source files, a statement of the additional copies made from those copies), or (b) primarily for and in connection
companied by a written offer, valid for at least three years and valid
of a work. terms that apply to those files, or a notice indicating where to find the with specific products or compilations that contain the covered work,
for as long as you offer spare parts or customer support for that prod-
applicable terms. unless you entered into that arrangement, or that patent license was
uct model, to give anyone who possesses the object code either (1) a
A “Standard Interface” means an interface that either is an official granted, prior to 28 March 2007.
copy of the Corresponding Source for all the software in the product
standard defined by a recognized standards body, or, in the case of that is covered by this License, on a durable physical medium cus- Additional terms, permissive or non-permissive, may be stated in the
interfaces specified for a particular programming language, one that is tomarily used for software interchange, for a price no more than your Nothing in this License shall be construed as excluding or limiting any
form of a separately written license, or stated as exceptions; the above
widely used among developers working in that language. reasonable cost of physically performing this conveying of source, or implied license or other defenses to infringement that may otherwise
requirements apply either way. 8. Termination.
(2) access to copy the Corresponding Source from a network server at be available to you under applicable patent law. 12. No Surrender of
The “System Libraries” of an executable work include anything, other no charge. * c) Convey individual copies of the object code with a Others' Freedom.
than the work as a whole, that (a) is included in the normal form of copy of the written offer to provide the Corresponding Source. This You may not propagate or modify a covered work except as expressly
packaging a Major Component, but which is not part of that Major alternative is allowed only occasionally and noncommercially, and only provided under this License. Any attempt otherwise to propagate or If conditions are imposed on you (whether by court order, agreement
Component, and (b) serves only to enable use of the work with that if you received the object code with such an offer, in accord with sub- modify it is void, and will automatically terminate your rights under or otherwise) that contradict the conditions of this License, they do
Major Component, or to implement a Standard Interface for which an section 6b. * d) Convey the object code by offering access from a this License (including any patent licenses granted under the third not excuse you from the conditions of this License. If you cannot con-
implementation is available to the public in source code form. A “Ma- designated place (gratis or for a charge), and offer equivalent access to paragraph of section 11). vey a covered work so as to satisfy simultaneously your obligations
jor Component”, in this context, means a major essential component the Corresponding Source in the same way through the same place at under this License and any other pertinent obligations, then as a con-
(kernel, window system, and so on) of the specific operating system (if no further charge. You need not require recipients to copy the Corre- However, if you cease all violation of this License, then your license sequence you may not convey it at all. For example, if you agree to
any) on which the executable work runs, or a compiler used to produce sponding Source along with the object code. If the place to copy the from a particular copyright holder is reinstated (a) provisionally, un- terms that obligate you to collect a royalty for further conveying from
the work, or an object code interpreter used to run it. object code is a network server, the Corresponding Source may be on a less and until the copyright holder explicitly and finally terminates those to whom you convey the Program, the only way you could satisfy
both those terms and this License would be to refrain entirely from Later license versions may give you additional or different permissions. If the disclaimer of warranty and limitation of liability provided above You should have received a copy of the GNU General Public License
conveying the Program. 13. Use with the GNU Affero General Public However, no additional obligations are imposed on any author or copy- cannot be given local legal effect according to their terms, reviewing along with this program. If not, see <http://www.gnu.org/licenses/>.
License. right holder as a result of your choosing to follow a later version. 15. courts shall apply local law that most closely approximates an abso-
Disclaimer of Warranty. lute waiver of all civil liability in connection with the Program, unless a
warranty or assumption of liability accompanies a copy of the Program Also add information on how to contact you by electronic and paper
Notwithstanding any other provision of this License, you have permis- in return for a fee. mail.
sion to link or combine any covered work with a work licensed under
version 3 of the GNU Affero General Public License into a single com- THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EX-
TENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN END OF TERMS AND CONDITIONS How to Apply These Terms If the program does terminal interaction, make it output a short notice
bined work, and to convey the resulting work. The terms of this Li-
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLD- to Your New Programs like this when it starts in an interactive mode:
cense will continue to apply to the part which is the covered work, but
the special requirements of the GNU Affero General Public License, ERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
section 13, concerning interaction through a network will apply to the “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EX- If you develop a new program, and you want it to be of the greatest <program> Copyright (C) <year> <name of author> This program
combination as such. 14. Revised Versions of this License. PRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, possible use to the public, the best way to achieve this is to make it comes with ABSOLUTELY NO WARRANTY; for details type `show
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND free software which everyone can redistribute and change under these w'. This is free software, and you are welcome to redistribute it under
FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK terms. certain conditions; type `show c' for details.
The Free Software Foundation may publish revised and/or new ver- AS TO THE QUALITY AND PERFORMANCE OF THE PRO-
sions of the GNU General Public License from time to time. Such new GRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DE-
To do so, attach the following notices to the program. It is safest to
versions will be similar in spirit to the present version, but may differ FECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SER- The hypothetical commands `show w' and `show c' should show the
attach them to the start of each source file to most effectively state the
in detail to address new problems or concerns. VICING, REPAIR OR CORRECTION. 16. Limitation of Liability. appropriate parts of the General Public License. Of course, your pro-
exclusion of warranty; and each file should have at least the “copyright”
line and a pointer to where the full notice is found. gram's commands might be different; for a GUI interface, you would
use an “about box”.
Each version is given a distinguishing version number. If the Program
specifies that a certain numbered version of the GNU General Pub- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR
<one line to give the program's name and a brief idea of what it does.>
lic License “or any later version” applies to it, you have the option of AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, You should also get your employer (if you work as a programmer) or
Copyright (C) <year> <name of author>
following the terms and conditions either of that numbered version or OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS school, if any, to sign a “copyright disclaimer” for the program, if nec-
of any later version published by the Free Software Foundation. If THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU essary. For more information on this, and how to apply and follow the
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCI- This program is free software: you can redistribute it and/or modify
the Program does not specify a version number of the GNU General it under the terms of the GNU General Public License as published by GNU GPL, see <http://www.gnu.org/licenses/>.
Public License, you may choose any version ever published by the Free DENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF
THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING the Free Software Foundation, either version 3 of the License, or (at
Software Foundation. your option) any later version.
BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING REN- The GNU General Public License does not permit incorporating your
DERED INACCURATE OR LOSSES SUSTAINED BY YOU OR program into proprietary programs. If your program is a subroutine
If the Program specifies that a proxy can decide which future versions THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPER- This program is distributed in the hope that it will be useful, but library, you may consider it more useful to permit linking proprietary
of the GNU General Public License can be used, that proxy's public ATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER WITHOUT ANY WARRANTY; without even the implied warranty applications with the library. If this is what you want to do, use the
statement of acceptance of a version permanently authorizes you to OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY of MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR- GNU Lesser General Public License instead of this License. But first,
choose that version for the Program. OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. POSE. See the GNU General Public License for more details. please read <http://www.gnu.org/philosophy/why-not-lgpl.html>.

2.2 GNU Free Documentation License

Version 1.3, 3 November 2008 following text that translates XYZ in another language. (Here XYZ the Invariant Sections of the Document, unaltered in their text and Title (section 1) will typically require changing the actual title. 9.
stands for a specific section name mentioned below, such as "Acknowl- in their titles. Section numbers or the equivalent are not considered TERMINATION
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, edgements", "Dedications", "Endorsements", or "History".) To "Pre- part of the section titles. * M. Delete any section Entitled "Endorse-
Inc. <http://fsf.org/> serve the Title" of such a section when you modify the Document ments". Such a section may not be included in the Modified Version. You may not copy, modify, sublicense, or distribute the Document
means that it remains a section "Entitled XYZ" according to this def- * N. Do not retitle any existing section to be Entitled "Endorsements" except as expressly provided under this License. Any attempt oth-
inition. or to conflict in title with any Invariant Section. * O. Preserve any erwise to copy, modify, sublicense, or distribute it is void, and will
Everyone is permitted to copy and distribute verbatim copies of this Warranty Disclaimers.
license document, but changing it is not allowed. 0. PREAMBLE automatically terminate your rights under this License.
The Document may include Warranty Disclaimers next to the notice
which states that this License applies to the Document. These War- If the Modified Version includes new front-matter sections or appen- However, if you cease all violation of this License, then your license
The purpose of this License is to make a manual, textbook, or other ranty Disclaimers are considered to be included by reference in this dices that qualify as Secondary Sections and contain no material copied
functional and useful document "free" in the sense of freedom: to as- from a particular copyright holder is reinstated (a) provisionally, un-
License, but only as regards disclaiming warranties: any other impli- from the Document, you may at your option designate some or all of less and until the copyright holder explicitly and finally terminates
sure everyone the effective freedom to copy and redistribute it, with or cation that these Warranty Disclaimers may have is void and has no these sections as invariant. To do this, add their titles to the list of
without modifying it, either commercially or noncommercially. Sec- your license, and (b) permanently, if the copyright holder fails to no-
effect on the meaning of this License. 2. VERBATIM COPYING Invariant Sections in the Modified Version's license notice. These titles tify you of the violation by some reasonable means prior to 60 days
ondarily, this License preserves for the author and publisher a way to must be distinct from any other section titles.
get credit for their work, while not being considered responsible for after the cessation.
modifications made by others. You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the You may add a section Entitled "Endorsements", provided it con-
Moreover, your license from a particular copyright holder is reinstated
copyright notices, and the license notice saying this License applies tains nothing but endorsements of your Modified Version by various
This License is a kind of "copyleft", which means that derivative works permanently if the copyright holder notifies you of the violation by
to the Document are reproduced in all copies, and that you add no parties—for example, statements of peer review or that the text has
of the document must themselves be free in the same sense. It com- some reasonable means, this is the first time you have received notice
other conditions whatsoever to those of this License. You may not use been approved by an organization as the authoritative definition of a
plements the GNU General Public License, which is a copyleft license of violation of this License (for any work) from that copyright holder,
technical measures to obstruct or control the reading or further copy- standard.
designed for free software. and you cure the violation prior to 30 days after your receipt of the
ing of the copies you make or distribute. However, you may accept notice.
compensation in exchange for copies. If you distribute a large enough You may add a passage of up to five words as a Front-Cover Text,
We have designed this License in order to use it for manuals for free number of copies you must also follow the conditions in section 3. and a passage of up to 25 words as a Back-Cover Text, to the end
software, because free software needs free documentation: a free pro- Termination of your rights under this section does not terminate the
of the list of Cover Texts in the Modified Version. Only one passage
gram should come with manuals providing the same freedoms that the licenses of parties who have received copies or rights from you under
You may also lend copies, under the same conditions stated above, and of Front-Cover Text and one of Back-Cover Text may be added by
software does. But this License is not limited to software manuals; this License. If your rights have been terminated and not permanently
you may publicly display copies. 3. COPYING IN QUANTITY (or through arrangements made by) any one entity. If the Document
it can be used for any textual work, regardless of subject matter or reinstated, receipt of a copy of some or all of the same material does
already includes a cover text for the same cover, previously added by
whether it is published as a printed book. We recommend this Li- not give you any rights to use it. 10. FUTURE REVISIONS OF THIS
If you publish printed copies (or copies in media that commonly have you or by arrangement made by the same entity you are acting on
cense principally for works whose purpose is instruction or reference. LICENSE
printed covers) of the Document, numbering more than 100, and the behalf of, you may not add another; but you may replace the old one,
1. APPLICABILITY AND DEFINITIONS on explicit permission from the previous publisher that added the old
Document's license notice requires Cover Texts, you must enclose the
one. The Free Software Foundation may publish new, revised versions
copies in covers that carry, clearly and legibly, all these Cover Texts:
This License applies to any manual or other work, in any medium, of the GNU Free Documentation License from time to time. Such
Front-Cover Texts on the front cover, and Back-Cover Texts on the
that contains a notice placed by the copyright holder saying it can new versions will be similar in spirit to the present version, but
back cover. Both covers must also clearly and legibly identify you as The author(s) and publisher(s) of the Document do not by this Li-
be distributed under the terms of this License. Such a notice grants a may differ in detail to address new problems or concerns. See
the publisher of these copies. The front cover must present the full title cense give permission to use their names for publicity for or to as-
world-wide, royalty-free license, unlimited in duration, to use that work http://www.gnu.org/copyleft/.
with all words of the title equally prominent and visible. You may add sert or imply endorsement of any Modified Version. 5. COMBINING
under the conditions stated herein. The "Document", below, refers to other material on the covers in addition. Copying with changes limited DOCUMENTS
any such manual or work. Any member of the public is a licensee, and to the covers, as long as they preserve the title of the Document and Each version of the License is given a distinguishing version number.
is addressed as "you". You accept the license if you copy, modify or satisfy these conditions, can be treated as verbatim copying in other If the Document specifies that a particular numbered version of this
You may combine the Document with other documents released under
distribute the work in a way requiring permission under copyright law. respects. License "or any later version" applies to it, you have the option of
this License, under the terms defined in section 4 above for modified
versions, provided that you include in the combination all of the In- following the terms and conditions either of that specified version or
A "Modified Version" of the Document means any work containing the variant Sections of all of the original documents, unmodified, and list of any later version that has been published (not as a draft) by the
If the required texts for either cover are too voluminous to fit legibly,
Document or a portion of it, either copied verbatim, or with modifica- them all as Invariant Sections of your combined work in its license Free Software Foundation. If the Document does not specify a version
you should put the first ones listed (as many as fit reasonably) on the
tions and/or translated into another language. notice, and that you preserve all their Warranty Disclaimers. number of this License, you may choose any version ever published
actual cover, and continue the rest onto adjacent pages.
(not as a draft) by the Free Software Foundation. If the Document
specifies that a proxy can decide which future versions of this License
A "Secondary Section" is a named appendix or a front-matter sec- If you publish or distribute Opaque copies of the Document numbering The combined work need only contain one copy of this License, and can be used, that proxy's public statement of acceptance of a version
tion of the Document that deals exclusively with the relationship of more than 100, you must either include a machine-readable Transpar- multiple identical Invariant Sections may be replaced with a single permanently authorizes you to choose that version for the Document.
the publishers or authors of the Document to the Document's overall ent copy along with each Opaque copy, or state in or with each Opaque copy. If there are multiple Invariant Sections with the same name 11. RELICENSING
subject (or to related matters) and contains nothing that could fall copy a computer-network location from which the general network- but different contents, make the title of each such section unique by
directly within that overall subject. (Thus, if the Document is in part using public has access to download using public-standard network adding at the end of it, in parentheses, the name of the original au-
a textbook of mathematics, a Secondary Section may not explain any protocols a complete Transparent copy of the Document, free of added thor or publisher of that section if known, or else a unique number. "Massive Multiauthor Collaboration Site" (or "MMC Site") means any
mathematics.) The relationship could be a matter of historical connec- material. If you use the latter option, you must take reasonably pru- Make the same adjustment to the section titles in the list of Invariant World Wide Web server that publishes copyrightable works and also
tion with the subject or with related matters, or of legal, commercial, dent steps, when you begin distribution of Opaque copies in quantity, Sections in the license notice of the combined work. provides prominent facilities for anybody to edit those works. A public
philosophical, ethical or political position regarding them. to ensure that this Transparent copy will remain thus accessible at the wiki that anybody can edit is an example of such a server. A "Massive
stated location until at least one year after the last time you distribute Multiauthor Collaboration" (or "MMC") contained in the site means
In the combination, you must combine any sections Entitled "History" any set of copyrightable works thus published on the MMC site.
The "Invariant Sections" are certain Secondary Sections whose titles an Opaque copy (directly or through your agents or retailers) of that in the various original documents, forming one section Entitled "His-
are designated, as being those of Invariant Sections, in the notice that edition to the public. tory"; likewise combine any sections Entitled "Acknowledgements",
says that the Document is released under this License. If a section does and any sections Entitled "Dedications". You must delete all sections "CC-BY-SA" means the Creative Commons Attribution-Share Alike
not fit the above definition of Secondary then it is not allowed to be It is requested, but not required, that you contact the authors of the Entitled "Endorsements". 6. COLLECTIONS OF DOCUMENTS 3.0 license published by Creative Commons Corporation, a not-for-
designated as Invariant. The Document may contain zero Invariant Document well before redistributing any large number of copies, to profit corporation with a principal place of business in San Francisco,
Sections. If the Document does not identify any Invariant Sections give them a chance to provide you with an updated version of the California, as well as future copyleft versions of that license published
You may make a collection consisting of the Document and other doc-
then there are none. Document. 4. MODIFICATIONS by that same organization.
uments released under this License, and replace the individual copies
of this License in the various documents with a single copy that is
The "Cover Texts" are certain short passages of text that are listed, You may copy and distribute a Modified Version of the Document un- included in the collection, provided that you follow the rules of this "Incorporate" means to publish or republish a Document, in whole or
as Front-Cover Texts or Back-Cover Texts, in the notice that says that der the conditions of sections 2 and 3 above, provided that you release License for verbatim copying of each of the documents in all other in part, as part of another Document.
the Document is released under this License. A Front-Cover Text may the Modified Version under precisely this License, with the Modified respects.
be at most 5 words, and a Back-Cover Text may be at most 25 words. Version filling the role of the Document, thus licensing distribution An MMC is "eligible for relicensing" if it is licensed under this License,
and modification of the Modified Version to whoever possesses a copy You may extract a single document from such a collection, and dis- and if all works that were first published under this License somewhere
A "Transparent" copy of the Document means a machine-readable of it. In addition, you must do these things in the Modified Version: tribute it individually under this License, provided you insert a copy other than this MMC, and subsequently incorporated in whole or in
copy, represented in a format whose specification is available to the of this License into the extracted document, and follow this License part into the MMC, (1) had no cover texts or invariant sections, and
general public, that is suitable for revising the document straightfor- * A. Use in the Title Page (and on the covers, if any) a title distinct in all other respects regarding verbatim copying of that document. 7. (2) were thus incorporated prior to November 1, 2008.
wardly with generic text editors or (for images composed of pixels) from that of the Document, and from those of previous versions (which AGGREGATION WITH INDEPENDENT WORKS
generic paint programs or (for drawings) some widely available drawing should, if there were any, be listed in the History section of the Docu- The operator of an MMC Site may republish an MMC contained in
editor, and that is suitable for input to text formatters or for automatic ment). You may use the same title as a previous version if the original A compilation of the Document or its derivatives with other separate the site under CC-BY-SA on the same site at any time before August
translation to a variety of formats suitable for input to text formatters. publisher of that version gives permission. * B. List on the Title Page, and independent documents or works, in or on a volume of a storage or 1, 2009, provided the MMC is eligible for relicensing. ADDENDUM:
A copy made in an otherwise Transparent file format whose markup, as authors, one or more persons or entities responsible for authorship distribution medium, is called an "aggregate" if the copyright resulting How to use this License for your documents
or absence of markup, has been arranged to thwart or discourage sub- of the modifications in the Modified Version, together with at least five from the compilation is not used to limit the legal rights of the com-
sequent modification by readers is not Transparent. An image format of the principal authors of the Document (all of its principal authors, pilation's users beyond what the individual works permit. When the
is not Transparent if used for any substantial amount of text. A copy To use this License in a document you have written, include a copy
if it has fewer than five), unless they release you from this require- Document is included in an aggregate, this License does not apply to of the License in the document and put the following copyright and
that is not "Transparent" is called "Opaque". ment. * C. State on the Title page the name of the publisher of the the other works in the aggregate which are not themselves derivative license notices just after the title page:
Modified Version, as the publisher. * D. Preserve all the copyright works of the Document.
Examples of suitable formats for Transparent copies include plain notices of the Document. * E. Add an appropriate copyright notice
ASCII without markup, Texinfo input format, LaTeX input for- for your modifications adjacent to the other copyright notices. * F. In- Copyright (C) YEAR YOUR NAME. Permission is granted to copy,
If the Cover Text requirement of section 3 is applicable to these copies distribute and/or modify this document under the terms of the GNU
mat, SGML or XML using a publicly available DTD, and standard- clude, immediately after the copyright notices, a license notice giving
of the Document, then if the Document is less than one half of the Free Documentation License, Version 1.3 or any later version pub-
conforming simple HTML, PostScript or PDF designed for human the public permission to use the Modified Version under the terms of
entire aggregate, the Document's Cover Texts may be placed on cov- lished by the Free Software Foundation; with no Invariant Sections,
modification. Examples of transparent image formats include PNG, this License, in the form shown in the Addendum below. * G. Preserve
ers that bracket the Document within the aggregate, or the electronic no Front-Cover Texts, and no Back-Cover Texts. A copy of the license
XCF and JPG. Opaque formats include proprietary formats that can in that license notice the full lists of Invariant Sections and required
equivalent of covers if the Document is in electronic form. Otherwise is included in the section entitled "GNU Free Documentation License".
be read and edited only by proprietary word processors, SGML or Cover Texts given in the Document's license notice. * H. Include an
they must appear on printed covers that bracket the whole aggregate.
XML for which the DTD and/or processing tools are not generally unaltered copy of this License. * I. Preserve the section Entitled "His-
8. TRANSLATION
available, and the machine-generated HTML, PostScript or PDF pro- tory", Preserve its Title, and add to it an item stating at least the title, If you have Invariant Sections, Front-Cover Texts and Back-Cover
duced by some word processors for output purposes only. year, new authors, and publisher of the Modified Version as given on Texts, replace the "with … Texts." line with this:
the Title Page. If there is no section Entitled "History" in the Docu- Translation is considered a kind of modification, so you may distribute
ment, create one stating the title, year, authors, and publisher of the translations of the Document under the terms of section 4. Replacing
The "Title Page" means, for a printed book, the title page itself, plus Invariant Sections with translations requires special permission from with the Invariant Sections being LIST THEIR TITLES, with the
such following pages as are needed to hold, legibly, the material this Document as given on its Title Page, then add an item describing the Front-Cover Texts being LIST, and with the Back-Cover Texts being
Modified Version as stated in the previous sentence. * J. Preserve the their copyright holders, but you may include translations of some or all
License requires to appear in the title page. For works in formats Invariant Sections in addition to the original versions of these Invari- LIST.
which do not have any title page as such, "Title Page" means the text network location, if any, given in the Document for public access to a
Transparent copy of the Document, and likewise the network locations ant Sections. You may include a translation of this License, and all the
near the most prominent appearance of the work's title, preceding the license notices in the Document, and any Warranty Disclaimers, pro- If you have Invariant Sections without Cover Texts, or some other
beginning of the body of the text. given in the Document for previous versions it was based on. These
may be placed in the "History" section. You may omit a network vided that you also include the original English version of this License combination of the three, merge those two alternatives to suit the sit-
location for a work that was published at least four years before the and the original versions of those notices and disclaimers. In case of a uation.
The "publisher" means any person or entity that distributes copies of Document itself, or if the original publisher of the version it refers to disagreement between the translation and the original version of this
the Document to the public. gives permission. * K. For any section Entitled "Acknowledgements" License or a notice or disclaimer, the original version will prevail. If your document contains nontrivial examples of program code, we
or "Dedications", Preserve the Title of the section, and preserve in recommend releasing these examples in parallel under your choice of
A section "Entitled XYZ" means a named subunit of the Document the section all the substance and tone of each of the contributor ac- If a section in the Document is Entitled "Acknowledgements", "Ded- free software license, such as the GNU General Public License, to per-
whose title either is precisely XYZ or contains XYZ in parentheses knowledgements and/or dedications given therein. * L. Preserve all ications", or "History", the requirement (section 4) to Preserve its mit their use in free software.
2.3 GNU Lesser General Public License
GNU LESSER GENERAL PUBLIC LICENSE The “Corresponding Application Code” for a Combined Work means You may convey a Combined Work under terms of your choice that, You may place library facilities that are a work based on the Library
the object code and/or source code for the Application, including any taken together, effectively do not restrict modification of the portions side by side in a single library together with other library facilities that
Version 3, 29 June 2007 data and utility programs needed for reproducing the Combined Work of the Library contained in the Combined Work and reverse engineer- are not Applications and are not covered by this License, and convey
from the Application, but excluding the System Libraries of the Com- ing for debugging such modifications, if you also do each of the follow- such a combined library under terms of your choice, if you do both of
bined Work. 1. Exception to Section 3 of the GNU GPL. ing: the following:
Copyright © 2007 Free Software Foundation, Inc. <http://fsf.org/>
You may convey a covered work under sections 3 and 4 of this License * a) Accompany the combined library with a copy of the same work
Everyone is permitted to copy and distribute verbatim copies of this without being bound by section 3 of the GNU GPL. 2. Conveying * a) Give prominent notice with each copy of the Combined Work
license document, but changing it is not allowed. that the Library is used in it and that the Library and its use are based on the Library, uncombined with any other library facilities,
Modified Versions. conveyed under the terms of this License. * b) Give prominent no-
covered by this License. * b) Accompany the Combined Work with a
copy of the GNU GPL and this license document. * c) For a Com- tice with the combined library that part of it is a work based on the
This version of the GNU Lesser General Public License incorporates If you modify a copy of the Library, and, in your modifications, a fa- Library, and explaining where to find the accompanying uncombined
the terms and conditions of version 3 of the GNU General Public Li- bined Work that displays copyright notices during execution, include
cility refers to a function or data to be supplied by an Application that the copyright notice for the Library among these notices, as well as a form of the same work.
cense, supplemented by the additional permissions listed below. 0. uses the facility (other than as an argument passed when the facility
Additional Definitions. reference directing the user to the copies of the GNU GPL and this
is invoked), then you may convey a copy of the modified version: license document. * d) Do one of the following: o 0) Convey the 6. Revised Versions of the GNU Lesser General Public License.
Minimal Corresponding Source under the terms of this License, and
As used herein, “this License” refers to version 3 of the GNU Lesser * a) under this License, provided that you make a good faith effort to the Corresponding Application Code in a form suitable for, and under
General Public License, and the “GNU GPL” refers to version 3 of the ensure that, in the event an Application does not supply the function terms that permit, the user to recombine or relink the Application The Free Software Foundation may publish revised and/or new ver-
GNU General Public License. or data, the facility still operates, and performs whatever part of its with a modified version of the Linked Version to produce a modified sions of the GNU Lesser General Public License from time to time.
purpose remains meaningful, or * b) under the GNU GPL, with none Combined Work, in the manner specified by section 6 of the GNU Such new versions will be similar in spirit to the present version, but
“The Library” refers to a covered work governed by this License, other of the additional permissions of this License applicable to that copy. GPL for conveying Corresponding Source. o 1) Use a suitable shared may differ in detail to address new problems or concerns.
than an Application or a Combined Work as defined below. library mechanism for linking with the Library. A suitable mechanism
3. Object Code Incorporating Material from Library Header Files. is one that (a) uses at run time a copy of the Library already present Each version is given a distinguishing version number. If the Library
An “Application” is any work that makes use of an interface provided on the user's computer system, and (b) will operate properly with a as you received it specifies that a certain numbered version of the GNU
by the Library, but which is not otherwise based on the Library. Defin- The object code form of an Application may incorporate material from modified version of the Library that is interface-compatible with the Lesser General Public License “or any later version” applies to it, you
ing a subclass of a class defined by the Library is deemed a mode of a header file that is part of the Library. You may convey such object Linked Version. * e) Provide Installation Information, but only if you have the option of following the terms and conditions either of that
using an interface provided by the Library. code under terms of your choice, provided that, if the incorporated ma- would otherwise be required to provide such information under section published version or of any later version published by the Free Software
terial is not limited to numerical parameters, data structure layouts 6 of the GNU GPL, and only to the extent that such information is Foundation. If the Library as you received it does not specify a version
and accessors, or small macros, inline functions and templates (ten or necessary to install and execute a modified version of the Combined number of the GNU Lesser General Public License, you may choose
A “Combined Work” is a work produced by combining or linking an Work produced by recombining or relinking the Application with a
Application with the Library. The particular version of the Library fewer lines in length), you do both of the following: any version of the GNU Lesser General Public License ever published
modified version of the Linked Version. (If you use option 4d0, the by the Free Software Foundation.
with which the Combined Work was made is also called the “Linked Installation Information must accompany the Minimal Corresponding
Version”. * a) Give prominent notice with each copy of the object code that the Source and Corresponding Application Code. If you use option 4d1,
Library is used in it and that the Library and its use are covered by you must provide the Installation Information in the manner specified If the Library as you received it specifies that a proxy can decide
The “Minimal Corresponding Source” for a Combined Work means the this License. * b) Accompany the object code with a copy of the GNU by section 6 of the GNU GPL for conveying Corresponding Source.) whether future versions of the GNU Lesser General Public License
Corresponding Source for the Combined Work, excluding any source GPL and this license document. shall apply, that proxy's public statement of acceptance of any ver-
code for portions of the Combined Work that, considered in isolation, sion is permanent authorization for you to choose that version for the
are based on the Application, and not on the Linked Version. 4. Combined Works. 5. Combined Libraries. Library.