On the derivation of secure components

Abstract

The author discusses the problems in deriving a system from its specification when that specification includes simple trace-based information-flow security properties as well as safety properties. He presents two fundamental theorems of information-flow security which describe the inherent difficulties of deriving secure implementations and considers the implications of these results. It is concluded that it is dangerous to extrapolate from success in the case of two to the case of many. Results proved about systems with just low- and high-access users may not extend easily to full lattices.<>