background image
Tech Note #110: Concept for a Secure Network Computer
2000 Bionic Buffalo Corporation; All Rights Reserved.
         Tuesday, 11 January 2000
Page 15 of 18
special attention to security engineering and management (which involves special
knowledge, much of which must be studied and learned)
The architecture of the SNC allows relatively easy use of redundancy to improve the
trustworthiness of the system. If the two SM CPUs, for example, are designed and programmed
by separate teams, then it is difficult for either team, deliberately or accidentally, to compromise
the security of the software.
Overall Architecture
This section presents a simplified entity-relationship diagram, which describes some of the
components already discussed. It combines these components into a single diagram. Role
annotation is omitted to make the drawing more compact.
Some major items have been omitted. For instance, the operating system for the two SM CPUs
are not listed, and some relationships are also not included. However, the simplified drawing
serves to illustrate an important reason to create such combined diagrams. With a diagram
which gives an overall picture of the architecture, it is easier to do failure analysis on the design.
For instance, the combined diagram shows that any software path between the two SM CPUs
must pass through either of two software components: the interior boundary controller or the
memory clearing conduit. An analysis of the concept can focus on (a) the accuracy of the
diagram, and (b) any possible security breaches in those two software components.