The current "trusted system" paradigm is built upon the notion of a Reference Monitor that assumes the existence of a well-defined security policy, a bounded system entity, and a centralized reference validation mechanism with knowledge of and control over the system entity. The "trusted system" paradigm is hierarchical: management defines the policy, the hardware and system software that comprise the trusted computing base enforce the policy, and applications must conform to the policy. This paradigm acknowledges that applications depend upon the hardware and operating system on which they run, and that assurance that they will execute safely is derived from the strength of this "trusted computing base." Several observations have prompted computer scientists to reexamine and question the relevance of this hierarchical "trusted system" paradigm:

- Individuals, businesses, government, and social services are increasing their dependence upon computer systems and networks for both routine and critical functions, including electronic commerce, communications, education, medical collaboration, and entertainment. The information systems upon which society is becoming increasingly dependent (e.g., power grids, telephone, Internet) are highly complex and non-hierarchical, often lacking a clear boundary and a common set of security objectives.

- Attacks on networks and computer systems are becoming more frequent, virulent, global, and broadly publicized.