E. D. Bell, L. Padula, and J. L. , Secure computer system: Unified exposition and Multics interpretation, Tech. rep., MITRE Corp, 1976.

K. J. Biba, Integrity considerations for secure computer systems, Tech. rep., MITRE Corp, 1977.

D. D. Clark and D. R. Wilson, A Comparison of Commercial and Military Computer Security Policies, 1987 IEEE Symposium on Security and Privacy, 1987.
DOI : 10.1109/SP.1987.10001

P. Colp, M. Nanavati, J. Zhu, W. Aiello, G. Coker et al., Breaking up is hard to do, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP '11, p.SOSP, 2011.
DOI : 10.1145/2043556.2043575

J. Hamilton, An Architecture for Modular Data Centers, p.CIDR, 2007.

H. Härtig, M. Hohmuth, N. Feske, C. Helmuth, A. Lackorzynski et al., The Nizza Secure-System Architecture, 2005 International Conference on Collaborative Computing: Networking, Applications and Worksharing, 2005.
DOI : 10.1109/COLCOM.2005.1651218

P. Kamp and R. N. Watson, Jails: Confining the omnipotent root, p.0, 2000.

M. Keeney, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Tech. rep., U.S. Secret Service and CMU, 2005.

T. Kim and N. Zeldovich, Making Linux Protection Mechanisms Egalitarian with UserFS, USENIX Security Symposium, p.10, 2010.

G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock et al., seL4, Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, SOSP '09, p.SOSP, 2009.
DOI : 10.1145/1629575.1629596

E. Kowalski, Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, Tech. rep., U.S. Secret Service and CMU, 2008.

M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek et al., Information Flow Control for Standard OS Abstractions, p.SOSP, 2007.
DOI : 10.1145/1323293.1294293
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.118.5684

J. M. Mccune, Y. Li, N. Qu, Z. Zhou, A. Datta et al., TrustVisor: Efficient TCB Reduction and Attestation, 2010 IEEE Symposium on Security and Privacy, 2010.
DOI : 10.1109/SP.2010.17

J. M. Mccune, B. Parno, A. Perrig, M. K. Reiter, and H. Isozaki, Flicker: An Execution Infrastructure for TCB Minimization, p.EuroSys, 2008.

D. G. Murray, G. Milos, and S. Hand, Improving Xen security through disaggregation, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments , VEE '08, p.VEE, 2008.
DOI : 10.1145/1346256.1346278
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.219.1641

A. C. Myers and B. Liskov, A Decentralized Model for Information Flow Control, p.SOSP, 1997.
DOI : 10.1145/269005.266669
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.31.8802

B. Parno, J. M. Mccune, and A. Perrig, http://www.nsa.gov/selinux 30, Bootstrapping Trust in Commodity Computers . In: IEEE Symposium on Security and Privacy, 2001.

N. Santos, R. Rodrigues, K. P. Gummadi, and S. Saroiu, Policy-Sealed Data: A New Abstraction for Building Trusted Cloud Services, 2012.

E. G. Sirer, W. De-bruijn, P. Reynold, A. Shieh, K. Walsh et al., Logical attestation, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP '11, p.SOSP, 2011.
DOI : 10.1145/2043556.2043580

U. Steinberg and B. Kauer, NOVA, Proceedings of the 5th European conference on Computer systems, EuroSys '10, p.Eurosys, 2010.
DOI : 10.1145/1755913.1755935

L. Wirzenius, J. Oja, S. Stafford, and A. Weeks, The Linux System Administrator's Guide, 1993.

N. Zeldovich, S. Boyd-wickizer, E. Kohler, and D. Mazì-eres, Making information flow explicit in HiStar, Communications of the ACM, vol.54, issue.11, p.OSDI, 2006.
DOI : 10.1145/2018396.2018419
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.208.264

F. Zhang, J. Chen, H. Chen, and B. Zang, CloudVisor, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP '11, p.SOSP, 2011.
DOI : 10.1145/2043556.2043576