Abstract:The trusted subject supports of the existing multi-level security models are reviewed and a new model called DLS (discrete label sequence) is proposed. It decomposes the lifecycle of a trusted subject into a sequence of untrusted states (US). Each untrusted state is associated with a certain current security label, and only the predefined trusted request events (TRE) can trigger the transition from one US to the other. Thus, the current security level of a trusted subject is dynamically changed according to its application’s logic. Definitions of secure states and rules to preserve security are also presented. Compared with the trusted subject implemented by security level range, this model gives a better support of least privilege and achieves the support within the MLS policy framework.