Yale Systems, Inc.
The consequences of security breaches caused by system administrator errors can be catastrophic. Software systems in general, and operating systems in particular, ultimately depend on a fully trusted administrator who is granted super-user privileges that allow complete control of the system. Consequently, an administrator acting negligently or unethically can easily compromise user data in irreversible ways by leaking, modifying, or deleting it. In this paper, the authors propose a new set of guiding principles for OS design that they call the broker security model. Their model aims to increase OS security without hindering manageability.