Proving multilevel security of a system design

R. J. Feiertag, K. N. Levitt, L. Robinson
1977 Proceedings of the sixth symposium on Operating systems principles - SOSP '77  
Two nearly equivalent models of multilevel security are presented. Using multiple models permits each model to be applied where it is particularly advantageous. In this case, the more general model is simple and easily comprehensible, being more abstract, and is useful for exposition of the meaning of multilevel security. The less general model relates well to design specifications and permits straightforward proof of the security of a system design. The equivalence between the two models is easily demonstrated. The two models, when applied appropriately, are more useful for defining and proving the multilevel security of systems than existing models. The utility of the two models and their relationship to existing models are discussed, and the proof of the security of one particular system design is illustrated. The technique for accomplishing the security proof is straightforward and can be extensively automated.
doi:10.1145/800214.806547 dblp:conf/sosp/FeiertagLR77 fatcat:oi4qwkdmtrcq3o22j2fbqt3w5y