CSP and determinism in security modelling

Abstract

We show how a variety of confidentiality properties can be expressed in terms of the abstraction mechanisms that CSP provides. We argue that determinism of the abstracted low-security viewpoint provides the best type of property. By changing the form of abstraction mechanism we are able to model different assumptions about how systems behave, including handling the distinction between input and output actions. A detailed analysis of the nature of nondeterminism shows why certain security properties have had the paradoxical property of not being preserved by refinement-a disadvantage not shared by the determinism-based conditions. Finally we give an efficient algorithm for testing the determinism properties on a model-checker.<>