## Basic theorems about security (1992)

Venue: Journal of Computer Security

Citations: 14 (1 self)

### BibTeX

```bibtex
@ARTICLE{Jacob92basictheorems,
  author  = {Jeremy Jacob},
  title   = {Basic theorems about security},
  journal = {Journal of Computer Security},
  year    = {1992},
  volume  = {1},
  pages   = {385--411}
}
```

### Abstract

We build a mathematical structure in which we can ask questions about the methods for achieving security properties, such as confidentiality and integrity, and functionality properties, such as safety and liveness. The structure allows us to consider many different choices for the meaning of “confidentiality”, “integrity” and so on, and to compare and contrast security properties with functionality properties.

### Citations

- **Communicating Sequential Processes**, Hoare, 1985 (3400 citations)
  Context: ... which refer to supersets of A. 3 Confidentiality The work in this section is adapted from [17, 18, 19]. The material reported in [17] is a detailed working through of [18] in the traces model of CSP [15]. Here we are as abstract as possible. 3.1 What is confidentiality? Again we are concerned with shared systems. Confidentiality is about limiting how much one user can infer about another user’s inter...

- **A Discipline of Programming**, Dijkstra, 1976 (1399 citations)
  Context: ... an implementation refusing to do something is solved by using a model at least as detailed as the failures model.) Many texts deal with specifying and achieving functionality properties, for example [5, 8, 13, 16, 24, 25, 29]. Papers from a series of workshops on refinement may be found in [26, 31, 32]. 2.3 Structured environments The preorder ⊒ is appropriate when nothing is known about the environment, but it is too str...

- **The Z Notation: A reference manual**, Spivey, 1992 (1104 citations)
  Context: ... a paper on formal methods. As such the paper is complete, and all the mathematical definitions used to build the main structures are given in full (any definitions not in this paper will be found in [41]). Note that some of the examples, however, are not presented formally. We need to choose a concrete syntax for the mathematics, and pick that of Z [41]. The Z notation is a concrete syntax for presen...

- **Security policies and security models**, Goguen, Meseguer, 1982 (724 citations)
  Context: ... relevant example of this approach is Goguen and Meseguer’s unwinding theorem for noninterference, connecting a simple external characterisation of a property with the internal structure of a system [9, 10]. The overall structure is quite complex, but the factorisation helps us to understand it. A major separation of concerns in this paper is the separation of what from how. This paper proposes a defi...

- **Systematic Software Development Using VDM**, Jones, 1990 (638 citations)
  Context: ... an implementation refusing to do something is solved by using a model at least as detailed as the failures model.) Many texts deal with specifying and achieving functionality properties, for example [5, 8, 13, 16, 24, 25, 29]. Papers from a series of workshops on refinement may be found in [26, 31, 32]. 2.3 Structured environments The preorder ⊒ is appropriate when nothing is known about the environment, but it is too str...

- **Secure computer system: Unified exposition and Multics interpretation, MTR2997, Revision**, Bell, LaPadula (569 citations)
  Context: ...ity properties inter-relate? The last question we consider so fundamental that we name theorems on this topic basic theorems. To avoid confusion with an earlier use of this term by Bell and La Padula [1] we will avoid the name basic security theorem for the theorems presented in this paper and use instead basic confidentiality theorem, and so on. These theorems place security in its context in the wo...

- **Programming from Specifications**, Morgan, 1990 (474 citations)
  Context: ...p being shown to implement the previous one. Recently there has been much interest in calculating implementations. This includes, for example, Morgan’s work on sequential programming (see for example [29, 30]) and the Bird-Meertens Formalism (see for example [3]). Here each step of the development guarantees correctness, and the consequences of a design decision may be calculated. The proof obligation giv...

- **Denotational Semantics: the Scott-Strachey Approach to Programming Languages Theory**, Stoy, 1977 (473 citations)
  Context: ...r, more properly, a statement) as a function from states to states. Such a function is just a set of input/output pairs, each of which represents a possible interaction with the program’s environment [42]. 2.2 Unstructured environments The usual symbol to represent better functionality is ⊒. The relation is defined: ⊒ : Preorder Implementation ( ⊒ ) = interactions ⊕ ( ⊆ ) A better implementation is...

- **The Science of Programming**, Gries, 1981 (466 citations)
  Context: ... an implementation refusing to do something is solved by using a model at least as detailed as the failures model.) Many texts deal with specifying and achieving functionality properties, for example [5, 8, 13, 16, 24, 25, 29]. Papers from a series of workshops on refinement may be found in [26, 31, 32]. 2.3 Structured environments The preorder ⊒ is appropriate when nothing is known about the environment, but it is too str...

- **Parallel Program Design**, Chandy, Misra, 1988 (180 citations)

- **An Introduction to Formal Specification and Z**, Potter, Sinclair, et al., 1991 (161 citations)

- **A timed model for communicating sequential processes**, Reed, Roscoe, 1988 (156 citations)
  Context: ...ng Sequential Processes (CSP) [16]. Some of the models for CSP are due to others, for example the failures model is due to Brooks, Hoare and Roscoe [4] and the timed models are due to Reed and Roscoe [37, 38]. We will break each preorder into a semantic function and a partial order. The level of detail is captured by a semantic function which gives the set of interactions which can be made with an impleme...

- **Unwinding and inference control**, Goguen, Meseguer, 1984 (153 citations)
  Context: ... relevant example of this approach is Goguen and Meseguer’s unwinding theorem for noninterference, connecting a simple external characterisation of a property with the internal structure of a system [9, 10]. The overall structure is quite complex, but the factorisation helps us to understand it. A major separation of concerns in this paper is the separation of what from how. This paper proposes a defi...

- **Specification Case Studies**, Hayes, 1987 (130 citations)

- **The design and verification of secure systems**, Rushby, 1981 (122 citations)
  Context: ..., including the empty sequence. The picture (in the style of Figure 1) for m is a solid rectangle: it contains a bullet in every position. The system m satisfies Rushby’s criterion of separability [39]. However, for n, an interaction by B that contains no writes and a read of a value other than zero tells B that A has written that value at least once; the interaction may contain more information ab...

- **A model of information**, Sutherland, 1986 (118 citations)
  Context: ...to A. While flows in both directions must increase or decrease together they can change by different amounts. Theorem 6 extends a theorem on the symmetry of information flow first shown by Sutherland [43]; Sutherland showed that introducing some flow in one direction to a system with no flows also introduced flow in the opposite direction. Another immediate corollary of Theorem 5 is the relationship b...

- **Security models and information flow**, McLean, 1990 (111 citations)
  Context: ...iate. The choice of Interaction will probably depend on a risk analysis. John McLean has pointed out that theories such as the one discussed in this section are really theories of information sharing [28]. When we choose to work with interactions which encode a temporal ordering (such as traces or failures), the function inferA B ℓ measures how much information about B’s past is shared by A and B. The...

- **Information flow in nondeterministic systems**, Wittbold, Johnson, 1990 (104 citations)
  Context: ... Shannon’s Information Theory (see, for example, [44] for an introduction to this theory). Several authors have recently sought to base their work in security on information theory (see, for example, [12, 33, 45]). The ideas above may be applied to an information-theoretic notion of confidentiality. Let capacityA B be the function which measures the capacity of a channel from window A to window B. The relatio...

- **Software development: a rigorous approach**, Jones, 1980 (92 citations)

- **Codes and Cryptography**, Welsh, 1988 (80 citations)
  Context: ...ory of confidentiality discussed above is based on the quality of inferences that can be made by one user about another. A different approach is to use Shannon’s Information Theory (see, for example, [44] for an introduction to this theory). Several authors have recently sought to base their work in security on information theory (see, for example, [12, 33, 45]). The ideas above may be applied to an i...

- **On the derivation of secure components**, Jacob, 1989 (46 citations)
  Context: ...n. Theorem 3 justifies the extension of theorems below, which refer to CoopFA for a particular A, to versions which refer to supersets of A. 3 Confidentiality The work in this section is adapted from [17, 18, 19]. The material reported in [17] is a detailed working through of [18] in the traces model of CSP [15]. Here we are as abstract as possible. 3.1 What is confidentiality? Again we are concerned with sha...

- **A calculus of functions for program derivation**, Bird, 1990 (42 citations)
  Context: ... has been much interest in calculating implementations. This includes, for example, Morgan’s work on sequential programming (see for example [29, 30]) and the Bird-Meertens Formalism (see for example [3]). Here each step of the development guarantees correctness, and the consequences of a design decision may be calculated. The proof obligation gives a semantics to a specification language. The viewpo...

- **Data refinement by calculation**, Morgan, Gardiner, 1990 (39 citations)
  Context: ...p being shown to implement the previous one. Recently there has been much interest in calculating implementations. This includes, for example, Morgan’s work on sequential programming (see for example [29, 30]) and the Bird-Meertens Formalism (see for example [3]). Here each step of the development guarantees correctness, and the consequences of a design decision may be calculated. The proof obligation giv...

- **A Mathematical Theory for Real-Time Distributed Computing**, Reed, 1988 (22 citations)
  Context: ...ng Sequential Processes (CSP) [16]. Some of the models for CSP are due to others, for example the failures model is due to Brooks, Hoare and Roscoe [4] and the timed models are due to Reed and Roscoe [37, 38]. We will break each preorder into a semantic function and a partial order. The level of detail is captured by a semantic function which gives the set of interactions which can be made with an impleme...

- **The Fuzz Manual**, Spivey, 1992 (19 citations)

- **An improved failures model for communicating sequential processes**, Brookes, Roscoe (18 citations)
  Context: ...w Olderog and Hoare’s proposals [35] for Communicating Sequential Processes (CSP) [16]. Some of the models for CSP are due to others, for example the failures model is due to Brooks, Hoare and Roscoe [4] and the timed models are due to Reed and Roscoe [37, 38]. We will break each preorder into a semantic function and a partial order. The level of detail is captured by a semantic function which gives ...

- **On the refinement of non-interference**, Graham-Cumming, Sanders, 1991 (17 citations)
  Context: ...er for unformalised reasons, such as cost, or country of manufacture, and so on. Graham-Cumming and Sanders give a result related to Theorem 8 in the setting of data refinement by downward simulation [11]. The normal rules for downward simulation just guarantee a data refinement that enforces ⊒. Graham-Cumming and Sanders give sufficient, but not necessary, restrictions on a downwards simulation for i...

- **Security specifications**, Jacob, 1988 (16 citations)
  Context: ...n. Theorem 3 justifies the extension of theorems below, which refer to CoopFA for a particular A, to versions which refer to supersets of A. 3 Confidentiality The work in this section is adapted from [17, 18, 19]. The material reported in [17] is a detailed working through of [18] in the traces model of CSP [15]. Here we are as abstract as possible. 3.1 What is confidentiality? Again we are concerned with sha...

- **Concerning ‘Modeling’ of Computer Security**, Bell (8 citations)
  Context: ...d so on. It is beyond the scope of this paper to pass further comment on the meaning or utility of Bell and La Padula’s result; interested readers are referred to the comments of McLean [27] and Bell [2]. 1.2 The nature of a foundation To make it usable, a mathematical model must be as simple as possible. Not too simple, of course, but any unnecessary complexity compounds the job of investigating the...

- **Variable noise effects upon a simple timing channel**, Moskowitz, 1991 (7 citations)
  Context: ... Shannon’s Information Theory (see, for example, [44] for an introduction to this theory). Several authors have recently sought to base their work in security on information theory (see, for example, [12, 33, 45]). The ideas above may be applied to an information-theoretic notion of confidentiality. Let capacityA B be the function which measures the capacity of a channel from window A to window B. The relatio...

- **Refinement of shared systems**, Jacob, 1989 (6 citations)
  Context: ...ed by another m′ when no single user can tell the difference. m′ may allow different relative timings from m as long as there are no more interactions for each user. Such preorders are discussed in [20], where two different preorders are discussed, cooperating refinement and independent refinement. Cooperating refinement is stronger than independent refinement but weaker than ⊒. Cooperating refinem...

- **The varieties of refinement**, Jacob, 1991 (6 citations)
  Context: ...n language. The viewpoint of this paper is that different properties are defined by different proof obligations. 1.4 Properties and pre-orders We are going to follow the framework proposed by Jacob [21]. This explains how properties such as safety, liveness, confidentiality and integrity can be captured by a relation which expresses at-least-as-good-as (or, equivalently, no-worse-than) for that prop...

- **The Basic Integrity Theorem**, Jacob (6 citations)
  Context: ...applies to components of systems, when nothing can be assumed about the users of the component; the users will almost always be (unanalysed) code. 4 Integrity The work in this section is adapted from [22]. 4.1 What is integrity? Informally, by integrity we mean ensuring that data are altered only in an approved fashion. The ways of altering data that may be approved or forbidden are many. For examp...

- **A uniform presentation of confidentiality properties**, Jacob, 1991 (5 citations)
  Context: ...how much information about B’s past is shared by A and B. The point that this is a theory of information sharing can be made by pictures. We give one example of a picture here, others can be found in [23]. Example 6 Figure 1 shows part of the behaviour of a one bit wide, single place buffer, which we shall call Buff. Bullets, “•”, indicate pairs of consistent observations. The first two possible input...

- **Specification Oriented Semantics for Communicating Sequential Processes**, Olderog, Hoare, 1986 (5 citations)
  Context: ...unctionality properties we define a preorder. In fact we will define a family of preorders, which describe functionality at different levels of detail. In this we follow Olderog and Hoare’s proposals [35] for Communicating Sequential Processes (CSP) [16]. Some of the models for CSP are due to others, for example the failures model is due to Brooks, Hoare and Roscoe [4] and the timed models are due to ...

- **Toward a Mathematical Foundation for Computer Security**, Gray, 1991 (4 citations)
  Context: ... Shannon’s Information Theory (see, for example, [44] for an introduction to this theory). Several authors have recently sought to base their work in security on information theory (see, for example, [12, 33, 45]). The ideas above may be applied to an information-theoretic notion of confidentiality. Let capacityA B be the function which measures the capacity of a channel from window A to window B. The relatio...

- **A Comment on the ‘Basic Security Theorem’ of Bell and LaPadula**, McLean, 1985 (4 citations)
  Context: ..., integrity and so on. It is beyond the scope of this paper to pass further comment on the meaning or utility of Bell and La Padula’s result; interested readers are referred to the comments of McLean [27] and Bell [2]. 1.2 The nature of a foundation To make it usable, a mathematical model must be as simple as possible. Not too simple, of course, but any unnecessary complexity compounds the job of inve...

- **Category Theory and Information Flow Applied to Computer Security**, O'Halloran, 1993 (3 citations)

- **A security framework**, Jacob, 1988 (1 citation)
  Context: ...n. Theorem 3 justifies the extension of theorems below, which refer to CoopFA for a particular A, to versions which refer to supersets of A. 3 Confidentiality The work in this section is adapted from [17, 18, 19]. The material reported in [17] is a detailed working through of [18] in the traces model of CSP [15]. Here we are as abstract as possible. 3.1 What is confidentiality? Again we are concerned with sha...