    \ldots^{N} \bigl(1 - \mathrm{Prob}_{\mathrm{assurance\ loss}}(C_{G_i} \mid \mathit{DOC}_{C_i})\bigr)

where the C_{G_i} and DOC_{C_i} are, respectively, the implicit guarantee of continuing validity at level i, and the submitted documentation supporting that implicit guarantee at level i.

Several possibilities are diagrammed in figure 4.3. In each, the vertical direction represents different specification levels, from Policy Objective at the top (level 1) to Implementation at the bottom (level 5). The horizontal axis is an attempt to represent ``specification space'', such that one point beside but separated from another represents a distinct specification at the same level. The heavy points are the specifications at five levels, and the arrows represent the inter-level guarantees. These arrows are drawn upward because the guarantees represent linkages from a lower-level specification to its immediate superior.

[Figure 4.3: Perturbations of Vertically Composed Guarantees. Four panels, each showing the five specification levels (Level 1 at the top, Level 5 at the bottom) joined by the upward guarantee arrows G_1 to G_4: ``Original Guarantees'' (G_1, G_2, G_3, G_4); ``G_1 Failure'' (G'_1, G_2, G_3, G_4); ``G_4 Failure'' (?, ?, ?, G'_4); ``Compensating Failures At Two Levels'' (?, ?, G'_3, G_4).]

- 92 - 4. Assurance Measurement and Composition

The leftmost example is the base case, where the overall guarantee G is a combination of the unperturbed guarantees at levels 1, 2, 3, and 4. For this case, we can determine the appropriate probability,

    \mathrm{CumProb}_{\mathrm{initial\ violation}}(G, G, e \mid \mathit{DOC}_I) = 1 - \prod_{i=1}^{N} \bigl(1 - \mathrm{Prob}_{\mathrm{initial\ violation}}(G_i, G_i, e \mid \mathit{DOC}_{I_i})\bigr)

using the unperturbed assurance measures (i.e., those in which G'_i = G_i) for each component guarantee.

In the second example, we have postulated a faulty level 1 guarantee component which, instead of establishing the desired Policy Objective, actually satisfies a slightly different one. Its perturbed guarantee, G'_1, reflects this by being ``deflected'' off target in the specification space. This perturbation is one that was provided for in the level 1 assurance determination. The probabilities of failure contemplated there were predicated on guarantee failures of exactly this form, with the lower-level specification implementing a higher-level policy that differs from the one desired. We can therefore use the level 1 initial assurance results to calculate the probability of initial violation of G_1 failing as G'_1, then combine it with the no-violation probabilities for the rest of the levels, and compute an overall assurance value for

    \mathrm{CumProb}_{\mathrm{initial\ violation}}(G, G', e \mid \mathit{DOC}_I)

However, the third case shown does not share this good behaviour. It contains a guarantee violation at the lowest level, between the Detailed Design and Implementation levels. Its implementation, instead of being a faithful refinement of the correct target specification at the Detailed Design level, corresponds to a different Detailed Design. Now, although that particular link in the guarantee chain does fit within the range of contemplated failures, the links above it do not.

Remember that, when defining assurance measures for individual levels, it was assumed that the ``bottom end'' of the guarantee arrow remained fixed. Thus, the level 3 assurance measures that are presumed available in this case all assume that the level 4 specification is the designed-for specification. But, since the level 4 guarantee has been perturbed, the level 3 guarantee arrow no longer has that specification as its origin. Hence, we cannot determine the probability of this particular cumulative guarantee by combining those assurance measures evaluated for appropriate perturbations.

It appears that the most that can be accomplished, by combining in any straightforward way the available per-level assurance measures, is to do a binary calculation of the probability of success versus that of failure, without attempting to quantify the degree of failure. We can calculate the probability of success if we assume it
is equal to the probability of the first case in Figure 4.3; this is not precisely the correct value, since it does not account for the case, shown in the fourth diagram of the figure, where compensating perturbations at two levels cancel one another. Neglecting this case amounts to assuming that the frequency of such fortuitous multiple errors is negligible.

4.3.2. Structural Assurance Composition

The second form of assurance composition that must be addressed is the derivation of a suitable assurance measure for the guarantee of a system composed as discussed elsewhere in this report. We will assume in this section that the composite guarantee was determined by restricting the scope of the problem to a suitably well-behaved range of properties, components, and compositions.

If the composition is of the simplest sort, in which the properties of the composite are simply some collection of properties of the components, then it is possible that the assurance will compose in a similarly simple manner. For this to occur, it is necessary that the perturbations of the component guarantees be benign enough that the components remain functionally independent.

Examples of how this can fail to happen abound, as for instance in a mechanical system where one component gets sufficiently out of alignment that it begins to interfere with the motion of another, or in a software system where a wild array reference corrupts data belonging to another module.

It cannot be expected, in general, that the magnitude of a guarantee perturbation can be used as a reliable indicator of the likelihood of interference of this kind. The guarantee relates to the overall functionality of a component, while the interference depends on the specific modes of failure which, considered in terms of their effect on the guarantee, may not be distinguishable from other less virulent failures. The mechanical component, if differently misaligned, might display a similar functional discrepancy but no longer interfere with its neighbour. The wild array reference may have a catastrophic, mild, or barely noticeable effect on the operation of its own module, arbitrarily combined with a similar range of effects on its neighbour.

Rather than trying to predict these effects, a more sensible approach is to construct the components, or to compose them, such that the risk of interference is lessened. This may be accomplished by, in some sense, increasing the ``distance'' between components, or equivalently by isolating them with barriers that prevent unplanned interactions. These efforts are reflected in the specification if it is complete, and hence in the guarantee, since a full specification indicates the environmental assumptions under which it is valid, and the provision of barriers renders the component insensitive to most environmental effects.

Once interference has been effectively ruled out, the exact form in which the assurance elements are composed depends on the statistical independence of the individual guarantee perturbations. This, however, is not necessarily evident from their assurances, since it depends on the mechanisms responsible for the perturbations. Consider a system built out of two identical components. Failures due to systemic error, such as design faults, will track exactly on the two subsystems, so that the probability of initial violation in the composite due to a cause of this kind will equal the probability of the same violation for a single component.

However, it may well be the case that a functionally indistinguishable fault may occur as a result of hardware failure, which may be considered to occur independently in the two components. In that case, the probability of partial system failure (one of the two components failing) is comparable to that of a single component failure, but the probability of total system failure, which requires both components to fail, is much less.

The next simplest situation, after independent components, is that in which there are preplanned interdependencies among the components. That is, cases where the components are given conditional guarantees that anticipate the function of the components they are to be composed with. In these situations, the interference problems are augmented by uncertainties about the sensitivity of the dependent components.

A minor irregularity in the output of one component may cause a second dependent one to fail catastrophically, depending on how sensitive the latter is to variations in the input it receives from the former.
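The two pieces of probability arithmetic discussed so far, the product formula for CumProb_initial violation of 4.3.1 (with the ``bottom end fixed'' rule that makes the G'_4 case of figure 4.3 non-combinable) and the common-mode versus independent failure of two identical components in 4.3.2, carried through in Python as an added example. This is not code from the report; the names LevelMeasure, cum_prob_initial_violation and two_identical_components are hypothetical, the sample probabilities are constructed, and the independence of systemic and hardware causes is a modelling assumption.

```python
"""Composition arithmetic for the guarantee chain of 4.3.1 and the
two-identical-component case of 4.3.2. Added example, not the report's
code; the class, function and parameter names are hypothetical."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class LevelMeasure:
    """Per-level assurance measure for guarantee G_i, where G_i links the
    level i+1 specification upward to the level i specification (i = 1 is
    the Policy Objective).

    prob      Prob_initial_violation for G_i, evaluated on the assumption
              that the guarantee's bottom end, the level i+1 specification,
              is the designed-for specification and stays fixed.
    perturbed True when the guarantee is being composed as G'_i, i.e. its
              top end is deflected in specification space.
    """
    prob: float
    perturbed: bool = False


def cum_prob_initial_violation(measures):
    """CumProb_initial_violation = 1 - prod_i (1 - Prob_i), guarded by the
    ``bottom end fixed'' rule of 4.3.1.

    measures[0] is G_1 (top), measures[-1] is the guarantee just above the
    Implementation level. A perturbed G'_k with k >= 2 moves the level k
    specification, which is the origin the measure for G_(k-1) was evaluated
    against, so that measure and every one above it are undefined and the
    per-level figures cannot be combined: raise instead of guessing. A
    perturbed G'_1 leaves every origin in place, so its own (perturbed)
    measure simply enters the product.
    """
    for k, m in enumerate(measures, start=1):
        if m.perturbed and k >= 2:
            raise ValueError(
                f"G'_{k} moves the origin of G_{k - 1}; the measures for "
                f"levels 1..{k - 1} no longer apply and cannot be combined"
            )
    return 1.0 - prod(1.0 - m.prob for m in measures)


def two_identical_components(p_systemic, p_hardware):
    """Failure probabilities for a composite built from two identical
    components, following the reasoning of 4.3.2.

    Systemic error (a design fault) is common-mode: both copies fail
    together, so its contribution to the composite equals the single-
    component figure. Hardware failure is assumed to strike the two copies
    independently, and the two causes are assumed independent of each
    other; both are modelling assumptions, not facts about a real system.

    Returns the probability that a single component fails, that the
    composite fails partially (at least one copy down) and that it fails
    totally (both copies down).
    """
    single = 1.0 - (1.0 - p_systemic) * (1.0 - p_hardware)
    at_least_one_hw = 1.0 - (1.0 - p_hardware) ** 2   # about 2 * p_hardware
    both_hw = p_hardware ** 2                         # much smaller
    partial = 1.0 - (1.0 - p_systemic) * (1.0 - at_least_one_hw)
    total = 1.0 - (1.0 - p_systemic) * (1.0 - both_hw)
    return {"single": single, "partial": partial, "total": total}


if __name__ == "__main__":
    # Constructed sample values: four guarantees (levels 1-5), each with a 1%
    # probability of initial violation unperturbed and 5% when deflected.
    base = [LevelMeasure(0.01)] * 4
    g1_failure = [LevelMeasure(0.05, perturbed=True)] + [LevelMeasure(0.01)] * 3
    g4_failure = [LevelMeasure(0.01)] * 3 + [LevelMeasure(0.05, perturbed=True)]
    print("base case      :", round(cum_prob_initial_violation(base), 6))
    print("G'_1 failure   :", round(cum_prob_initial_violation(g1_failure), 6))
    try:
        cum_prob_initial_violation(g4_failure)
    except ValueError as err:
        print("G'_4 failure   :", err)
    print("two components :", two_identical_components(0.01, 0.1))
```

The first two panels of figure 4.3 go through the product unchanged (the G'_1 case just substitutes the perturbed level 1 measure); the third panel is refused outright, which is the honest outcome the text arrives at, and a compensating double perturbation (fourth panel) is refused for the same reason, matching the decision to neglect that case. With a systemic probability alone the three figures for the two-component composite coincide, with a hardware probability alone the partial figure is roughly double the single-component one and the total figure is its square.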
3103(A)X 3204(data)X 3434(channel)X 3817(that)X 547 2988(occasionally)N 1109(\257ips)X 1327(a)X 1409(bit,)X 1585(if)X 1676(the)X 1848(data)X 2074(it)X 2169(carries)X 2502(is)X 2605(suf\256ciently)X 3126(critical,)X 3490(may)X 3707(render)X 547 3096(the)N 722(entire)X 1018(system)X 1360(unusable.)X 1851(Or,)X 2027(if)X 2120(an)X 2263(interdependency)X 3032(loop)X 3245(exists)X 3533(in)X 3654(the)X 3830(sys-)X 547 3204(tem,)N 778(positive)X 1156(feedback)X 1578(may)X 1800(escalate)X 2190(a)X 2276(harmless)X 2717(deviation)X 3161(into)X 3368(a)X 3454(total)X 3692(system)X 547 3312(failure.)N 747 3468(One)N 966(approach)X 1412(is,)X 1551(again,)X 1861(to)X 1983(design)X 2308(for)X 2469(the)X 2651(contingency)X 3217(as)X 3353(was)X 3564(suggested)X 547 3576(for)N 711(dealing)X 1078(with)X 1320(interference.)X 1952(Here,)X 2238(it)X 2345(means)X 2675(equipping)X 3155(the)X 3339(critical)X 3688(user)X 3923(of)X 547 3684(the)N 749(bit-\257ipping)X 1298(data)X 1554(channel)X 1963(with)X 2222(integrity)X 2666(checking)X 3114(functions,)X 3611(so)X 3762(as)X 3918(to)X 547 3792(minimize)N 987(its)X 1126(sensitivity)X 1616(to)X 1728(the)X 1899(channel's)X 2342(errors.)X 747 3948(Sensitivity)N 1267(analysis)X 1675(is)X 1792(another)X 2181(possible)X 2577(means)X 2909(of)X 3031(addressing)X 3558(this)X 3772(prob-)X 547 4056(lem.)N 796(An)X 956(estimating)X 1463(form)X 1703(of)X 1815(this)X 2018(is)X 2125(fault)X 2368(simulation,)X 2903(similar)X 3250(to)X 3366(that)X 3583(employed)X 547 4164(in)N 668(IC)X 808(design,)X 1155(in)X 1276(which)X 1574(speci\256c)X 1930(component)X 2445(defects)X 2786(are)X 2963(assumed)X 3386(and)X 3586(the)X 3763(effect)X 547 4272(on)N 704(overall)X 1057(system)X 1418(performance)X 2025(is)X 2150(derived.)X 2584(A)X 2702(number)X 3098(of)X 3227(such)X 3482(simulations)X 547 4380(could)N 818(give)X 1034(some)X 1296(con\256dence)X 1794(in)X 1919(an)X 2067(estimate)X 2486(of)X 2603(the)X 2784(fault)X 3032(sensitivity)X 3532(of)X 3649(the)X 3830(sys-)X 
547 4488(tem.)N 801(Effectively,)X 1329(this)X 1530(approach)X 1969(involves)X 2361(applying)X 2775(a)X 2857(new)X 3068(set)X 3227(of)X 3336(assurance)X 3813(gen-)X 547 4596(erating)N 922(procedures)X 1463(to)X 1602(the)X 1800(composed)X 2281(system,)X 2673(in)X 2816(addition)X 3238(to)X 3378(those)X 3670(already)X 547 4704(applied)N 910(to)X 1032(the)X 1213(components,)X 1804(so)X 1934(is)X 2046(not)X 2227(simply)X 2560(a)X 2650(matter)X 2990(of)X 3107(combining)X 3602(available)X 547 4812(component)N 1070(assurances.)X 1658(It)X 1775(also)X 1992(requires)X 2403(the)X 2 f 2589(signi\256cant)X 3098(manipulation)X 3745(of)X 3867(the)X 547 4920(speci\256cations)N 1 f 1165(that)X 1380(we)X 1531(wished)X 1871(to)X 1984(rule)X 2192(out.)X 2418(On)X 2580(either)X 2873(of)X 2981(these)X 3246(grounds,)X 3661(it)X 3756(is)X 3859(not)X 547 5028(the)N 722(kind)X 954(of)X 1065(approach)X 1505(that)X 1722(this)X 1925(work)X 2180(is)X 2287(striving)X 2665(to)X 2782(develop,)X 3176(but)X 3357(nevertheless)X 3950(a)X 547 5136(variation)N 988(of)X 1105(it)X 1209(may)X 1435(be)X 1573(the)X 1754(most)X 2006(effective)X 2412(means)X 2738(of)X 2854(establishing)X 3430(assurance)X 3914(in)X 547 5244(the)N 718(composed)X 1172(system.)X 747 5400(Perhaps)N 1147(a)X 1234(more)X 1492(acceptable,)X 2016(though)X 2363(not)X 2541(fundamentally)X 3226(different,)X 3671(method)X 547 5508(would)N 864(involve)X 1231(rede\256ning)X 1733(the)X 1927(component)X 2459(assurance)X 2956(measures)X 3431(so)X 3573(that)X 3808(they)X 547 5616(included)N 976(an)X 1138(input)X 1428(sensitivity)X 1941(function,)X 2386(that)X 2623(would)X 2941(map)X 3185(differences)X 3719(in)X 3859(the)X 95 p %%Page: 95 27 12 s 0 xH 0 xS 1 f 3 f 835 396(4.4.)N 1026(Quality)X 1428(Assurance)X 1973(Program)X 2443(Standards)X 4063(-)X 4122(95)X 4259(-)X 1 f 835 684(environmental)N 1524(assumptions)X 2124(into)X 2337(corresponding)X 3002(guarantee)X 3491(perturbations.)X 4193(In)X 835 792(the)N 1026(absence)X 1422(of)X 
1549(feedback,)X 2012(these)X 2296(sensitivities)X 2878(could)X 3160(then)X 3410(be)X 3559(used)X 3814(in)X 3951(a)X 4052(fairly)X 835 900(straightforward)N 1606(fashion)X 1998(to)X 2149(combine)X 2581(the)X 2791(component)X 3339(assurances.)X 3952(This)X 4216(is)X 835 1008(described)N 1290(as)X 1423(``not)X 1642(fundamentally)X 2328(different'')X 2787(because)X 3171(it)X 3274(still)X 3482(involves)X 3880(the)X 4060(same)X 835 1116(manipulation)N 1480(of)X 1607(the)X 1798(speci\256cations)X 2440(as)X 2585(before,)X 2931(but)X 3127(now)X 3355(this)X 3572(manipulation)X 4216(is)X 835 1224(performed)N 1330(once)X 1566(when)X 1845(the)X 2027(component)X 2548(assurance)X 3035(measure)X 3455(is)X 3569(being)X 3849(generated)X 835 1332(rather)N 1145(than)X 1380(at)X 1497(each)X 1727(composition.)X 1035 1488(Finally,)N 1410(the)X 1585(case)X 1805(of)X 1916(full)X 2098(emergent)X 2548(properties)X 3031(is)X 3137(not)X 3312(addressed.)X 3845(Since)X 4117(it)X 4216(is)X 835 1596(not)N 1018(possible)X 1411(to)X 1535(even)X 1780(generate)X 2206(the)X 2389(composite)X 2867(guarantee)X 3357(in)X 3485(this)X 3695(case,)X 3950(at)X 4078(least)X 835 1704(not)N 1008(without)X 1382(opening)X 1761(up)X 1905(the)X 2079(detailed)X 2465(component)X 2977(speci\256cations,)X 3629(it)X 3726(is)X 3831(felt)X 4008(that)X 4224(it)X 835 1812(would)N 1152(be)X 1303(unnecessary)X 1906(to)X 2041(attend)X 2380(to)X 2515(the)X 2709(question)X 3137(of)X 3266(assurance)X 3763(composition)X 835 1920(under)N 1126(these)X 1390(circumstances.)X 3 f 835 2424(4.4.)N 1053(QUALITY)X 1563(ASSURANCE)X 2250(PROGRAM)X 2833(STANDARDS)X 1 f 1035 2580(The)N 1237(following)X 1671(documents)X 2181(are)X 2356(quality)X 2700(assurance)X 3179(standards)X 3655(from)X 3894(a)X 3978(variety)X 835 2688(of)N 942(sources)X 1300(world-wide,)X 1845(and)X 2039(with)X 2267(a)X 2347(wide)X 2582(variety)X 2922(of)X 3029(scopes.)X 1035 2844(Some)N 1303(are)X 1474(applicable)X 1951(to)X 2063(very)X 2283(narrowly)X 2712(de\256ned)X 
3063(subjects,)X 3475(or)X 3593(to)X 3706(limited)X 4049(areas)X 835 2952(within)N 1205(design,)X 1599(manufacturing,)X 2368(operations,)X 2940(or)X 3110(maintenance.)X 3817(The)X 4067(more)X 835 3060(detailed)N 1231(ones)X 1471(may)X 1700(even)X 1946(go)X 2085(to)X 2210(the)X 2394(level)X 2641(of)X 2762(specifying)X 3247(the)X 3432(schedules)X 3905(and)X 4113(pro-)X 835 3168(cedures)N 1207(for)X 1361(the)X 1536(calibration)X 2046(of)X 2157(test)X 2355(equipment.)X 2914(Others)X 3252(are)X 3427(much)X 3704(more)X 3959(general)X 835 3276(and)N 1048(encompassing,)X 1743(and)X 1957(impose)X 2315(requirements)X 2960(on)X 3114(such)X 3367(things)X 3695(as)X 3840(the)X 4031(upper)X 835 3384(management)N 1440(structure)X 1881(of)X 1988(a)X 2068(compliant)X 2535(organization.)X 1035 3540(All)N 1206(are)X 1393(representative)X 2081(of)X 2204(some)X 2473(authority's)X 2998(view)X 3245(of)X 3368(which)X 3677(activities)X 4124(and)X 835 3648(pieces)N 1132(of)X 1239(evidence)X 1648(contribute)X 2132(to)X 2244(quality)X 2584(assurance.)X 3113(A)X 3209(comprehensive)X 3898(theory)X 4211(of)X 835 3756(assurance)N 1319(should)X 1651(be)X 1788(able)X 2008(to)X 2129(deal)X 2351(with)X 2588(the)X 2768(issues)X 3076(they)X 3308(raise)X 3564(as)X 3699(well)X 3919(as)X 4054(those)X 835 3864(contained)N 1294(in)X 1410(or)X 1528(implied)X 1888(by)X 2019(national)X 2415(criteria)X 2769(for)X 2919(trusted)X 3270(product)X 3637(evaluation.)X 3 f 835 4188(Canadian)N 1346(Standards)X 1888(Association)X 2493(\(CSA\))X 1 f 835 4404(CAN3-N286.0)N 1987(Quality)X 2414(Assurance)X 2971(Program)X 3451(Requirements)X 4168(for)X 1987 4512(Nuclear)N 2368(Power)X 2673(Plants.)X 2 f 1123 4728(The)N 1328(following)X 1774(four)X 1993(entries)X 2327(represent)X 2770(a)X 2862(set)X 3019(of)X 3136 0.3011(successively)AX 3695(less)X 3893(stringent)X 1123 4836(quality)N 1512(assurance)X 2031(requirements.)X 2741(They)X 3033(are)X 3250(accompanied)X 3903(by)X 4080(their)X 1123 4944(descriptions)N 1684(from)X 
the companion overview document.

CAN3-Z299.1      Quality Assurance Program — Category 1

    The Standard aims at preventing the occurrence of nonconforming products or services. This is achieved by thorough planning and controls which extend to identifying and correcting weaknesses in the Program. The Standard is suitable for custom-designed, high technology products and services. They tend to require many complex processes and extensive design effort by either customers or suppliers, or both. Failure in service could result in extreme cost or undue risk to health and safety, or both.

- 96 -     4. Assurance Measurement and Composition

CAN3-Z299.2      Quality Assurance Program — Category 2

    This standard aims at reacting to nonconforming products or services to prevent their recurrence. This is achieved by specifying feedback control to correct causes of nonconformances. This Standard is
suitable for relatively high technology products or services. They tend to require design verification and production planning, and have a significant number of complex processes. Failure in service could result in serious cost or significant risk to health and safety, or both.

CAN3-Z299.3      Quality Assurance Program — Category 3

    This Standard requires suppliers to plan and establish a program for verifying the conformance of products or services throughout the process. The program is documented but in a limited manner. This Standard is suitable for products or services requiring some complex processes. They may be high volume services or mass produced products. Failure in service could result in significant cost or some risk to health and safety, or both.

CAN3-Z299.4      Quality Assurance Program — Category 4

    This Standard requires suppliers to plan and establish a program for sorting the good
from the bad. The program need not be documented unless specified in the contract. This Standard is suitable for mass produced products or for high volume services designed to commercial technical standards or for simple processes such as custom machining, assembly, and installation.

Canadian Department of National Defence (DND)

D-02-001-002/SF-001      Quality Program Requirements for Contractors — DND 1015
DND 1016                 Contractor's Inspection System Requirements
DND 1017                 Basic Inspection Requirements for Contractors

    Note: DND now specifies NATO AQAP Standards.

NATO Allied Quality Assurance Publications

AQAP-1      Quality Control System Requirements for Industry
AQAP-4      Inspection System Requirements for Industry
AQAP-9      Basic Inspection Requirements for Industry

International Organization for Standardization (ISO)

ISO 6215      Nuclear Power Plants — Quality Assurance
ISO 9001      Quality Systems
— Model for Quality Assurance in Design/Development, Production, Installation and Servicing.
    Corresponds approximately to CAN3-Z299.1
ISO 9002      Quality Systems — Model for Quality Assurance in Production and Installation.
    Corresponds approximately to CAN3-Z299.2
ISO 9003      Quality Systems — Model for Quality Assurance in Final Inspection and Test.
    Falls somewhere between CAN3-Z299.3 and CAN3-Z299.4
ISO 10011-1   Guidelines for Auditing Quality Systems

International Atomic Energy Agency (IAEA)

50-C-QA      Quality Assurance for Safety in Nuclear Power Plants

United States Department of Defense (DOD)

MIL-Q-9858A      Quality Program Requirements
MIL-I-45208A     Inspection System Requirements

British Standards Institution (BSI)

BS 5750 Part 1      Specification for Design, Manufacturing and Installation
BS 5750 Part 2      Specification for Manufacture and Installation
BS 5750 Part 3      Specification for Final Inspection and Test
American National Standards Institute (ANSI)

NQA-1      Quality Assurance Program Requirements for Nuclear Power Plants

American Society for Quality Control (ASQC)

ASQC C-1      General Requirements for a Quality Program.

United States Nuclear Regulatory Commission (NRC)

10 CFR 50 Appendix B      Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

American Society of Mechanical Engineers (ASME)

    The following citations are from the Boiler and Pressure Vessel Code.

Sect. 1-A300        Power Boilers: Quality Control System
Sect. 3-NCA3800     Nuclear Power Plant Components: Metallic Material Manufacturer's and Material Supplier's Quality System Program
Sect. 3-NCA4000     Nuclear Power Plant Components: Quality Assurance
Sect. 4-App. F      Heating Boilers: Quality Control System
Sect. 8-App. X      Pressure Vessels: Quality Control System
5. SURVEY OF FORMAL MODELS

    Turn the pages of your Greek models night and day.
        Horace, Book III (Ars Poetica), 8 BC.
    What we experience in nature is in models, and all of nature's models are so beautiful.
        Buckminster Fuller, Profile in The New Yorker, 1966.

5.1. INTRODUCTION

In this chapter, we review the existing formal approaches to security modelling, and in particular the issue of the composability of models.

Widespread interest in security composition was generated by the appearance of a 1987 paper by Darryl McCullough entitled "Specifications for Multi-Level Security and a Hook-Up Property", in the Proceedings of the 1987 IEEE Symposium on Security and Privacy. He made the surprising observation that subsystems, secure by a popular theoretical definition of confidentiality, and interconnected in a straightforward and intuitively reasonable way, might interact such that the resulting system would not meet the given security condition.

Since then, other authors have continued and extended the investigation of
these "hook-up" phenomena. Since the body of pre-existing work on this topic is small, it must be studied in detail to yield the insights that will lead to further advances in the area. This chapter contains in-depth reviews and criticisms of the most salient of this existing work. It will be seen to evidence a profound comprehension that will form a firm foundation for future work.

5.2. McCULLOUGH'S COMPOSABILITY

In a paper presented at the 1987 IEEE Symposium on Security and Privacy, McCullough introduces the concept of hook-up security as a viable approach to building composable trusted systems.

5.2.1. Multi-Level Security and a Hook-Up Property

McCullough proposes the following circular definition:

    A system is hook-up secure if it is deducibility secure and if, when it is hooked up with a second
    hook-up secure system, the result is a hook-up secure composite system.

This is the desired (security) functionality of a composite system. The definition implies that deducibility security is at least a necessary condition for hook-up security. In another paragraph, McCullough states that, based on attempts at proving the security of systems composed of deducibility secure systems, it is not a sufficient condition.

The remainder of the paper is devoted to finding a requirement on individual systems that guarantees the desired functionality is maintained on hook-up.

Three models of multi-level security are discussed: Bell and LaPadula's access controls [Bell74], Sutherland's deducibility model [Sutherland86], and Goguen and Meseguer's non-interference requirement [Goguen82].

The major difficulty with using the Bell-LaPadula model as the basis for hook-up security is that it defines a system's trustworthiness only in terms of its attention to
labels placed on users and data. Systems that must be trusted to handle multi-level data in a general way must be authorized by some mechanism not included in the Bell-LaPadula model, and thus it is not adequate as a basis for the hook-up security requirement.

5.2.2. Deducibility

McCullough describes deducibility in terms of the traces of a system, which are the possible sequences of inputs and outputs which characterize the system's operation. To simplify the discussion, a two-level security scheme is assumed.

The fundamental notion of deducibility is that a low-level user, who can be assumed to know the system's operating principles, and who can view all low-level inputs and outputs, should be prevented from deducing anything about the inputs made by high-level users.

The set T is the set of all traces τ achievable by the system. These traces are the interleaved sequences
of all low-level and high-level input and output events. No absolute timing information is preserved by this system model; only the relative temporal ordering of events. Events themselves may be arbitrarily complex, from binary signals to messages over a network to graphical displays, but are unidirectional input or output transactions.

For each trace τ ∈ T, a trace τ_low can be formed, which is τ purged of all high-level events. The set of all τ_low for a given T is L.

Similarly, for each trace τ ∈ T, a trace τ_high can be formed, which is τ purged of all low-level events, and the set of all τ_high for a given T is H.

A low-level user can see, during one session with the system, a particular τ_low. In the worst case, the low-level user knows T, and can thus form the set T′, which is the subset of T which is consistent with τ_low. That is, for each member of T′, purging all high-level events leaves exactly τ_low.

With this information, the low-level user can form the set H′, which is the subset of H consistent with T′. That is, for each member of T′, purging all low-level events leaves one member of H′.

Deducibility can now be succinctly defined in terms of traces as:

    A system is deducibility secure if, for every τ_low ∈ L, the corresponding set H′ is equal to H.

Thus, deducibility security means that all
3130(possible)X 3547(high-level)X 4048(event)X 835 2610(sequences)N 1310(must)X 1563(be)X 1691(consistent)X 2169(with)X 2397(every)X 2665(possible)X 3046(low-level)X 3465(event)X 3735(sequence.)X 1035 2766(A)N 1140(major)X 1433(dif\256culty)X 1865(with)X 2102(deducibility)X 2659(is)X 2770(that)X 2992(it)X 3095(fails)X 3322(to)X 3444(provide)X 3811(reasonable)X 835 2874(security)N 1273(in)X 1444(the)X 1670(presence)X 2141(of)X 2303(non-deterministic)X 3173(behaviour.)X 3752(McCullough)X 835 2982(attempts)N 1262(to)X 1377(demonstrate)X 1965(this)X 2166(with)X 2397(an)X 2539(example)X 2939(of)X 3049(a)X 3132(system)X 3473(which)X 3770(is)X 3876(obviously)X 835 3090(not)N 1033(secure)X 1373(in)X 1516(an)X 1682(intuitive)X 2117(sense,)X 2443(yet)X 2633(which)X 2953(is)X 3081(claimed)X 3478(to)X 3616(be)X 3770(deducibility)X 835 3198(secure.)N 1035 3354(The)N 1240(example)X 1644(system)X 1989(has)X 2180(a)X 2267(high-level)X 2739(user)X 2968(entering)X 3377(text,)X 3611(and)X 3812(a)X 3899(low-level)X 835 3462(user)N 1060(running)X 1450(a)X 1532(program)X 1939(which,)X 2261(upon)X 2511(receiving)X 2943(a)X 3025(number)X 2 f 3401(n)X 1 f 3489(from)X 3726(the)X 3899(low-level)X 835 3570(user,)N 1084(sends)X 1363(to)X 1475(the)X 1646(low-level)X 2065(user)X 2287(either:)X 10 f 1118 3726(g)N 1 f 1205(the)X 2 f 1376(n)X 9 s 1447 3688(th)N 1 f 12 s 1551 3726(character)N 2000(of)X 2107(the)X 2278(high-level)X 2743(user's)X 3030(text,)X 3257(if)X 3346(it)X 3440(exists,)X 3750(or)X 10 f 1118 3834(g)N 1 f 1205(a)X 1285(random)X 1655(character,)X 2131(otherwise.)X 1035 3990(Intuitively,)N 1573(this)X 1784(system)X 2135(is)X 2250(insecure,)X 2692(since,)X 2984(for)X 3148(example,)X 3586(by)X 3731(entering)X 4147(the)X 835 4098(numbers)N 1254(1,)X 1342(2,)X 1430(3,)X 1545 4070(.)N 1599(.)X 1653(.)X 1707 4098(,)N 1761(the)X 1932(low-level)X 2351(user)X 2573(will)X 2765(receive)X 3103(either)X 3395(the)X 3566(high-level)X 4031(user's)X 835 4206(text)N 1043(or)X 1170(a)X 1259(random)X 
1638(string)X 1939(of)X 2055(characters.)X 2612(Depending)X 3128(on)X 3271(the)X 3451(circumstances,)X 4147(the)X 835 4314(low-level)N 1259(user)X 1486(may)X 1707(easily)X 1996(be)X 2129(able)X 2345(to)X 2462(differentiate)X 3046(one)X 3233(from)X 3473(the)X 3649(other.)X 3970(Receiv-)X 835 4422(ing)N 1010(an)X 1157(English)X 1535(sentence,)X 1984(for)X 2142(example,)X 2574(is)X 2684(a)X 2772(good)X 3009(indication)X 3488(that)X 3710(it)X 3813(is)X 3924(not)X 4104(ran-)X 835 4530(domly)N 1145(generated.)X 1682(Receiving)X 2152(gibberish,)X 2632(on)X 2780(the)X 2965(other)X 3241(hand,)X 3535(is)X 3651(not)X 3835(conclusive)X 835 4638(evidence,)N 1271(since)X 1523(the)X 1694(high-level)X 2159(user)X 2381(may)X 2597(be)X 2725(using)X 2996(an)X 3135(enciphering)X 3687(code.)X 1035 4794(However,)N 1522(the)X 1733(system)X 2111(is)X 2253(not)X 2464(deducibility)X 3052(secure)X 3405(as)X 3570(claimed.)X 4036(If,)X 4202(in)X 835 4902(response)N 1273(to)X 1405(the)X 1596(number)X 1990(7,)X 2117(the)X 2308(letter)X 7 f 2629(J)X 1 f 2734(is)X 2856(received,)X 3296(then,)X 3573(by)X 3724(the)X 3915(system's)X 835 5010(method)N 1199(of)X 1311(operation,)X 1791(which)X 2089(is)X 2196(known)X 2526(to)X 2643(all)X 2788(users,)X 3087(either)X 3384(the)X 3560(high-level)X 4031(user's)X 835 5118(text)N 1038(has)X 1225(no)X 1362(7)X 2 f 9 s 1415 5080(th)N 1 f 12 s 1522 5118(letter,)N 1822(or)X 1943(that)X 2159(letter)X 2432(is)X 2537(a)X 7 f 2651(J)X 1 f 2709(.)X 2793(In)X 2921(the)X 3095(terms)X 3383(of)X 3493(the)X 3666(de\256nition,)X 4147(the)X 835 5226(set)N 1021(of)X 1158(high-level)X 1653(input)X 1950(sequences)X 2455(consistent)X 2963(with)X 3221(the)X 3422(low-level)X 3871(events)X 4216(is)X 835 5334(smaller)N 1196(than)X 1431(the)X 1602(set)X 1759(of)X 2 f 1866(all)X 2012(possible)X 1 f 2388(high-level)X 2853(input)X 3120(sequences.)X 1035 5490(Though)N 1405(the)X 1579(example)X 1979(is)X 2084(\257awed,)X 2431(it)X 2528(has)X 2715(been)X 2953(shown)X 
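The trace-based definition above can be run mechanically on a finite trace set, and doing so reproduces the J-at-position-7 observation. The Python below is an added example, not code from McCullough's paper or from this survey: it builds T for a miniature version of the n-th character system (a two-letter alphabet, texts of at most two characters, one low-level query per session), computes L, H, T′ and H′ by purging exactly as the definition says, and reports the first τ_low for which H′ is a proper subset of H. With leak=False the reply is always random, which is the secure comparison. The event vocabulary (level, kind, value), the alphabet and the size bounds are this example's own assumptions.

```python
"""Deducibility security checked directly on a finite trace set.

Added example, not from McCullough's paper or the original text.  Traces are
tuples of (level, kind, value) events; the event vocabulary, the alphabet and
the size bounds are this example's assumptions."""
from itertools import product

ALPHABET = "ab"

def purge(trace, level):
    """The trace with every event of the given level removed (tau_low / tau_high)."""
    return tuple(e for e in trace if e[0] != level)

def consistent_high_sets(T):
    """H, and for each tau_low in L the set H' of high-level projections of the
    traces of T that purge to exactly tau_low (worst case: the low user knows T)."""
    H = {purge(t, "low") for t in T}
    H_prime = {}
    for tau_low in {purge(t, "high") for t in T}:
        T_prime = [t for t in T if purge(t, "high") == tau_low]
        H_prime[tau_low] = {purge(t, "low") for t in T_prime}
    return H, H_prime

def deducibility_secure(T):
    """Deducibility secure iff H' equals H for every tau_low in L."""
    H, H_prime = consistent_high_sets(T)
    return all(Hp == H for Hp in H_prime.values())

def counterexample(T):
    """The first tau_low whose H' is a proper subset of H, with the high-level
    traces it rules out; None if the system is deducibility secure."""
    H, H_prime = consistent_high_sets(T)
    for tau_low, Hp in sorted(H_prime.items()):
        if Hp != H:
            return tau_low, sorted(H - Hp)
    return None

def nth_char_system(leak=True, max_len=2, queries=(1, 2, 3)):
    """Trace set of a miniature n-th character system: the high-level user types
    a text over ALPHABET, the low-level user asks for character n and receives it
    if it exists, otherwise a random character.  With leak=False the reply is
    always random, so the low-level view is consistent with every text."""
    T = set()
    for length in range(max_len + 1):
        for text in product(ALPHABET, repeat=length):
            high = tuple(("high", "type", c) for c in text)
            T.add(high)                          # a session with no query
            for n in queries:
                if leak and n <= len(text):
                    replies = [text[n - 1]]      # the n-th character
                else:
                    replies = list(ALPHABET)     # any character, at random
                for c in replies:
                    T.add(high + (("low", "ask", n), ("low", "reply", c)))
    return T
```

counterexample(nth_char_system()) returns the low-level view "ask 1, reply a" together with the three texts it rules out (those beginning with b): that is the definition's H′ ⊂ H, the same shrinkage the text describes for the letter J. The leak=False variant passes because every (ask, reply) pair is consistent with every text.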
[p. 102: 5. Survey of Formal Models]

5.2.3. Non-Interference

McCullough next turns to Goguen and Meseguer's work on non-interference, and again casts the definition in terms of traces.

Fundamentally, non-interference requires that no high-level input can have an effect on low-level events. This is a stronger (more restrictive) requirement than deducibility, which allowed interference, as long as the nature of the high-level inputs was not revealed.

Given a trace τ, modifying it by adding or deleting high-level inputs results in a sequence σ, which is not necessarily a valid trace. It may be possible to construct a valid trace τ′ from σ by adding or deleting high-level outputs after its first modified input. Non-interference can be defined in these terms as:

    A system is non-interference secure if, for every τ, for every σ which can be formed from it, at least one τ′ exists.

This definition, in contrast with that used by previous authors, extends the non-interference concept to non-deterministic systems. The operative phrase in this regard is "at least one", which implies that systems may produce multiple distinct output sequences when presented with identical inputs.

An example of a composite system is then presented, which illustrates that hooking up non-interference secure systems may not result in a non-interference secure composite system.

Machine A has one high-level input in, and one high-level output out which is a reply to the in following some processing. There is a low-level cancel input, which cancels any high-level processing that is underway, and a low-level ack output which acknowledges the cancel input after some time interval. If there is high-level processing at the time of the ack, that is, if there has been no out since the last in, the high-level processing is terminated, and no out will occur until after the next uncancelled in. If there is no high-level processing at the time of the ack, then a low-level error output may be produced at some time following the ack; however, the error output is not guaranteed to occur.

Machine B is similar to A, but does not have an ack output. It cancels high-level processing, if any, at the moment the cancel is received. If there is no high-level processing at the time of the cancel, then a low-level error output may be produced at some time following the cancel; however, the error output is not guaranteed to occur.

McCullough does not describe how the machines behave when multiple inputs are made without waiting for a response. Let us state the additional requirement that inputs that have not been fully processed (or cancelled) are ignored. Thus, any in is ignored that arrives while high-level processing is occurring. Likewise, any cancel input to machine A is ignored until the ack has been produced. Also, to keep the number of possible traces manageable, if a cancel to either machine produces an error, any additional cancel input before the error is ignored.

Then the set of permissible traces for each machine can be enumerated, as has been done in schematic form in figures 5.1 and 5.2. Each trace diagram consists of a time line, running vertically, and events, drawn as labelled arrows along the time line. Time flows up the time line; earlier events are nearer the bottom of the time line. Dashed arrows signify high-level events, and solid arrows are low-level events. An arrow directed at the time line is an input event, while an arrow directed away denotes an output event.

Figure 5.1.a shows the null trace for machine A, that is, the trace consisting of no events. Figure 5.1.b is the trace consisting of one high-level in input followed, some time later, by an out. Figure 5.1.c introduces a new symbol ↔ that denotes "zero or more occurrences of the trace in figure 5.1.b." This trace shows that a cancel will eventually be followed by an ack, and that if in was not the last high-level event before the ack, an error can be produced. Figure 5.1.h shows that the error response is not guaranteed. More traces can be formed by concatenating these traces together.
The traces in figure 5.1.a through figure 5.1.g form the "deterministic" traces for machine A. Figure 5.1.h and figure 5.1.i demonstrate that the error output may or may not occur, given identical inputs. Similarly, the traces in figure 5.2.a through figure 5.2.d describe a "deterministic" version of machine B.

[Figure 5.1 (drawing not reproduced). Events are listed bottom to top along each time line; ↔ marks zero or more occurrences of the in/out trace of panel b.
 a: (no events)   b: in, out   c: cancel, ↔, ack, ↔, error   d: cancel, ↔, in, ack   e: in, cancel, ack
 f: in, cancel, out, ↔, ack, ↔, error   g: in, cancel, out, ↔, in, ack   h: cancel, ↔, ack   i: in, cancel, out, ↔, ack]
Figure 5.1: Permissible Traces for Machine A.

[Figure 5.2 (drawing not reproduced). a: (no events)   b: in, out   c: cancel, ↔, error   d: in, cancel   e: cancel]
Figure 5.2: Permissible Traces for Machine B.

One can directly apply the definition of non-interference to show that the "non-deterministic" traces are necessary for A and B to be non-interference secure. For example, by removing the in event from the trace in figure 5.1.e, a sequence results that cannot be converted into a combination of the traces in figure 5.1.a through figure 5.1.g by adding or deleting high-level outputs. However, the sequence is equivalent to the trace in figure 5.1.h, and therefore the definition has been complied with in this case. Showing that A and B are non-interference secure requires demonstrating that every possible high-level input addition to, or deletion from, every trace can be converted into some trace by adding or deleting some high-level outputs. Clearly, applying this definition in practice to any machine more complex than A would require automated assistance.

To hook up two systems, some of the outputs of one become inputs to the other as well. Clearly, high-level outputs can only be fed to high-level inputs, and both systems must agree on the levels of users and data. Outputs fed to inputs become internal events of the composite machine, and effectively disappear from its trace.

McCullough hooks up A and B as follows: A's ack output feeds into B's cancel input, A's out feeds into B's in, and B's out feeds into A's in. A's in is also available as an external input, besides receiving B's out.

Thus the composite system has one low-level input, the cancel input to A, and two low-level outputs, the error outputs from A and B. It also has one high-level input, A's in, but no high-level outputs.

Figure 5.3 shows several permissible traces of the composite machine. Internal events are shown for reference, but are not properly part of the composite machine's trace.

The trace in figure 5.3.a is one trace (the others are missing one or both errors) achievable in the case where no in precedes the internal low-level event. The other traces in figure 5.3 are two of the many possible traces in which the in does occur.

[Figure 5.3 (drawing not reproduced). Each panel has two time lines, A on the left and B on the right, with internal events drawn between them.
 a: cancel; internal ack; error from A; error from B   b: cancel; in; ↔; internal ack; error from B   c: in; cancel; internal out; ↔; internal ack; error from A]
Figure 5.3: Some Traces of Composite Machine.

Though all possible traces of the composite machine are not enumerated here, it is straightforward to determine that, if in occurs before the internal low-level event, the two error outputs cannot both be produced. Thus, to demonstrate that the composite machine is not non-interference secure, an in may be added to the bottom of the trace in figure 5.3.a. Clearly, this sequence is not a permissible trace, and cannot be converted into one by adding or deleting high-level outputs, since the composite machine has none! According to the definition, then, the composite machine, although composed of non-interference secure components, and hooked up in a reasonable fashion, is not itself non-interference secure.
5.2.4. Hook-Up Security

McCullough attempts to remedy the non-composability of the non-interference notion by making a slight alteration to the definition. This modification is intended to "slow down" the movement of high-level messages, whose bouncing from machine to machine in the last example seemed to be problematic. The definition, in terms very similar to those for non-interference, is as follows.

Given a trace τ, modifying it by adding or deleting high-level inputs results in a sequence σ, which is not necessarily a valid trace. It may be possible to construct a valid trace τ″ from σ by adding or deleting high-level outputs after the last input in, or immediately following, the modified input sequence. Hook-up security can be defined in these terms as:

    A system is hook-up secure if, for every τ, for every σ which can be formed from it, at least one τ″ exists.

[Figure 5.4 (drawing not reproduced). a: a trace of machine A: in, cancel, ack, error.   b: a trace of machine B: in, cancel, followed by a low-level output (labelled ack in the drawing).]
Figure 5.4: Non-Hook-Up Secure Traces.

This is non-interference with the added stipulation that high-level outputs cannot be fixed up arbitrarily soon after a modified high-level input. High-level output "fixing" must wait until after any immediately following inputs.

Clearly, since the composite machine from the last example was not non-interference secure, it cannot be hook-up secure. This implies that at least one of the components themselves was not hook-up secure, which can be verified by referring to figure 5.4.

Figure 5.4.a shows a trace of machine A to which has been added a high-level input. There is only one way to convert this into a valid trace for A, and that is to add a high-level output between the cancel input and the ack output. This fix obeys the hook-up security criterion, and in fact machine A is hook-up secure.

Similarly, figure 5.4.b illustrates a trace of machine B to which has been added a high-level input. There is only one way to convert this into a valid trace for B, and that is to add a high-level output before the cancel input. However, this fix violates the hook-up security criterion, and thus machine B is not hook-up secure.
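Both definitions (5.2.3 and 5.2.4) and the arguments around figures 5.3 and 5.4 become mechanical once the machines are written down as acceptors of event sequences, which is the "automated assistance" the text calls for. The Python below is an added example, not code from McCullough's paper or from this survey: accepts_A and accepts_B encode the behaviour of the two machines as described in 5.2.3 together with the "ignored input" conventions stated there; accepts_composite hides the internal events of the hook-up (named ack, a_out and b_out here, this example's own names); can_fix searches for a τ′ or τ″ by adding or deleting high-level outputs from a chosen position onward, so the only difference between the two definitions is where that position lies (fix_from_hookup). The demo reproduces the deletion of in from figure 5.1.e, the figure 5.3.a counterexample, and the figure 5.4 traces for A and B. The search bounds (at most two inserted outputs, at most three internal events) are assumptions of this example.

```python
"""Non-interference and hook-up security checked on machines A and B by bounded search.
Added example, not from McCullough's paper or the original text; event names, the
internal event names (ack, a_out, b_out) and the search bounds are its assumptions."""
from itertools import product

HIGH_OUTPUTS = {"out"}   # the only high-level output of A and of B

def interleave(trace, slots, events):
    """Insert events[i] before trace[slots[i]]; same-slot events keep their order."""
    full = []
    for i in range(len(trace) + 1):
        full += [ev for pos, ev in zip(slots, events) if pos == i]
        if i < len(trace):
            full.append(trace[i])
    return full

def accepts_A(trace):
    """Permissible traces of machine A (figure 5.1 plus the stated conventions)."""
    processing = pending = may_error = False
    for e in trace:
        if e == "in":                        # an in while processing is ignored
            processing = True
        elif e == "out":                     # a reply, so only while processing
            if not processing: return False
            processing = False
        elif e == "cancel":                  # ignored until the ack (or the error)
            if not (pending or may_error): pending = True
        elif e == "ack":                     # terminates processing; if there was
            if not pending: return False     # none, an error may (not must) follow
            pending, may_error, processing = False, may_error or not processing, False
        elif e == "error":
            if not may_error: return False
            may_error = False
        else: return False                   # not an event of A
    return True

def accepts_B(trace):
    """Permissible traces of machine B (figure 5.2): no ack; cancel acts at once."""
    processing = may_error = False
    for e in trace:
        if e == "in": processing = True
        elif e == "out":
            if not processing: return False
            processing = False
        elif e == "cancel":                  # cancels at once; an error only if idle;
            if not may_error: may_error, processing = not processing, False  # else ignored
        elif e == "error":
            if not may_error: return False
            may_error = False
        else: return False
    return True

# The hook-up in the text: A.ack -> B.cancel, A.out -> B.in, B.out -> A.in.
INTERNAL = ["ack", "a_out", "b_out"]
TO_A = {"in": "in", "cancel": "cancel", "error_A": "error",
        "ack": "ack", "a_out": "out", "b_out": "in"}
TO_B = {"ack": "cancel", "a_out": "in", "b_out": "out", "error_B": "error"}

def accepts_composite(trace, max_internal=3):
    """Permissible iff some interleaving of hidden internal events suits both A and B."""
    for n in range(max_internal + 1):
        for slots in product(range(len(trace) + 1), repeat=n):
            for evs in product(INTERNAL, repeat=n):
                full = interleave(trace, slots, evs)
                if (accepts_A([TO_A[e] for e in full if e in TO_A])
                        and accepts_B([TO_B[e] for e in full if e in TO_B])):
                    return True
    return False

def can_fix(accepts, sigma, fix_from, high_outputs=HIGH_OUTPUTS, max_insert=2):
    """Permissible trace from sigma by adding/deleting high-level outputs at positions >= fix_from, or None."""
    prefix, suffix = sigma[:fix_from], sigma[fix_from:]
    out_pos = [i for i, e in enumerate(suffix) if e in high_outputs]
    for keep in product([True, False], repeat=len(out_pos)):
        dropped = {p for p, k in zip(out_pos, keep) if not k}
        base = [e for i, e in enumerate(suffix) if i not in dropped]
        for n in range(max_insert + 1):
            for slots in product(range(len(base) + 1), repeat=n):
                for evs in product(sorted(high_outputs), repeat=n):
                    cand = prefix + interleave(base, slots, evs)
                    if accepts(cand): return cand
    return None

def fix_from_hookup(sigma, last_modified, inputs=("in", "cancel")):
    """Hook-up security: fixing waits past the modified input sequence and any inputs
    immediately following it (non-interference would allow last_modified + 1)."""
    i = last_modified + 1
    while i < len(sigma) and sigma[i] in inputs: i += 1
    return i

def demo():
    r = {}
    # Figure 5.1.e with its in deleted: cancel, ack is already figure 5.1.h.
    r["A_delete_in"] = can_fix(accepts_A, ["cancel", "ack"], 0)
    # Figure 5.3.a with an in added at the bottom; the composite has no high-level outputs.
    s = ["in", "cancel", "error_A", "error_B"]
    r["composite_ni"] = can_fix(accepts_composite, s, 1, high_outputs=set())
    # Figure 5.4: an in added before the cancel, for A and for B.
    a = ["in", "cancel", "ack", "error"]
    r["A_hookup"] = can_fix(accepts_A, a, fix_from_hookup(a, 0))
    b = ["in", "cancel", "error"]
    r["B_ni"] = can_fix(accepts_B, b, 1)
    r["B_hookup"] = can_fix(accepts_B, b, fix_from_hookup(b, 0))
    return r
```

For B, the non-interference search finds the fix the text describes (an out before the cancel), and the hook-up search, which may only touch positions after the cancel, finds nothing; for A the hook-up search finds the out between cancel and ack. The composite check returns None because the set of high-level outputs passed in is empty, so the search has nothing to add or delete, and accepts_composite itself rejects in, cancel, error, error for any interleaving of internal events, which is the "cannot both be produced" observation of 5.2.3.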
2575(of)X 2686(machine)X 2 f 3094(B)X 1 f 3194(to)X 3310(which)X 3607(has)X 3795(been)X 547 4733(added)N 850(a)X 940(high-level)X 1415(input.)X 1746(There)X 2045(is)X 2157(only)X 2382(one)X 2574(way)X 2790(to)X 2912(convert)X 3278(this)X 3485(into)X 3695(a)X 3784(valid)X 547 4841(trace)N 813(for)X 2 f 978(B)X 1 f 1047(,)X 1116(and)X 1325(that)X 1553(is)X 1670(to)X 1797(add)X 2002(a)X 2097(high-level)X 2578(output)X 2916(before)X 3231(the)X 2 f 3418(cancel)X 1 f 3736(input.)X 547 4949(However,)N 998(this)X 1200(\256x)X 1341(violates)X 1714(the)X 1888(hook-up)X 2276(security)X 2662(criterion,)X 3100(and)X 3297(thus)X 3527(machine)X 2 f 3934(B)X 1 f 547 5057(is)N 649(not)X 820(hook-up)X 1205(secure.)X 747 5213(The)N 945(following)X 1375(theorem)X 1770(wraps)X 2068(up)X 2209(the)X 2380(paper:)X 867 5354(If)N 983(a)X 1081(system)X 1437(is)X 1557(hook-up)X 1961(secure,)X 2320(then)X 2569(it)X 2682(is)X 2803(deducibility)X 3370(secure,)X 867 5462(and)N 1072(it)X 1177(has)X 1372(the)X 1554(non-interference)X 2328(property.)X 2800(If)X 2909(systems)X 2 f 3303(A)X 1 f 3409(and)X 2 f 3614(B)X 1 f 867 5570(are)N 1041(both)X 1268(hook-up)X 1656(secure,)X 1999(then)X 2232(any)X 2425(composite)X 2895(system)X 3237(formed)X 3579(by)X 867 5678(identifying)N 1380(outputs)X 1751(of)X 2 f 1862(A)X 1 f 1961(with)X 2193(inputs)X 2508(of)X 2 f 2618(B)X 1 f 2717(with)X 2948(the)X 3122(same)X 3383(securi-)X 107 p %%Page: 107 10 12 s 0 xH 0 xS 1 f 3 f 835 396(5.3.)N 1026(Noninterference)X 1877(and)X 2093 0.2865(Composability)AX 4008(-)X 4067(107)X 4259(-)X 1 f 1155 684(ty)N 1270(level,)X 1531(and)X 1725(vice-versa,)X 2223(is)X 2325(hook-up)X 2710(secure.)X 1035 873(This)N 1271(satis\256es)X 1672(the)X 1855(circular)X 2238(de\256nition)X 2702(stated)X 3016(in)X 3144(the)X 3327(introduction,)X 3941(and)X 4147(the)X 835 981(proof)N 1105(appears)X 1501(in)X 1634(the)X 1822(1988)X 2077(paper)X 2374(``The)X 2628(Theory)X 2984(of)X 3107(Security'')X 3561([McCullogh88a].)X 835 1089(This)N 1061(is)X 
1164(a)X 1245(lengthy)X 1608(and)X 1803(dif\256cult)X 2176(proof)X 2430(which)X 2724(we)X 2875(will)X 3068(not)X 3240(discuss)X 3590(here.)X 3871(However,)X 835 1197(we)N 994(later)X 1241(present)X 1612(a)X 1700(proof)X 1961(from)X 2204(Johnson)X 2610(and)X 2812(Thayer's)X 3230(``Security)X 3676(and)X 3878(the)X 4057(Com-)X 835 1305(position)N 1244(of)X 1381(Machines'')X 1906([Johnson88])X 2504(which)X 2827(is)X 2959(based)X 3270(on)X 3435(McCullough's,)X 4124(and)X 835 1413(which)N 1128(proves)X 1445(a)X 1525(very)X 1745(similar)X 2088(property.)X 3 f 835 1809(5.3.)N 1053(NONINTERFERENCE)X 2184(AND)X 2444(COMPOSABILITY)X 1 f 1035 1965(McCullough's)N 1686(paper)X 1987(from)X 2242(the)X 2433(1988)X 2692(IEEE)X 2985(Symposium)X 3550(on)X 3705(Security)X 4124(and)X 835 2073(Privacy[McCullough88c])N 1958(is)X 2069(mostly)X 2401(a)X 2490(reiteration)X 3002(of)X 3118(the)X 3298(concepts)X 3711(he)X 3853(presented)X 835 2181(a)N 921(year)X 1149(earlier.)X 1531(It)X 1640(does)X 1869(contain,)X 2258(however,)X 2690(an)X 2835(interesting)X 3355(discussion)X 3847(of)X 3960(the)X 4138(ori-)X 835 2289(gins)N 1058(and)X 1263(consequences)X 1899(of)X 2017(non-determinism,)X 2845(as)X 2981(well)X 3202(as)X 3338(a)X 3429(new)X 3649(formulation)X 4211(of)X 835 2397(hook-up)N 1220(security.)X 3 f 835 2793(5.3.1.)N 1135 0.2321(Non-Determinism)AX 1 f 1035 2949(The)N 1238(essential)X 1666(meaning)X 2084(of)X 2197(non-determinism)X 2993(is)X 3101(that)X 3320(the)X 3497(input)X 3770(sequence)X 4206(to)X 835 3057(a)N 966(non-deterministic)X 1831(machine)X 2285(does)X 2558(not)X 2779(uniquely)X 3245(determine)X 3775(the)X 3996(output)X 835 3165(sequence.)N 1325(This)X 1556(is)X 1664(a)X 1750(problem)X 2145(because)X 2527(it)X 2627(renders)X 3001(otherwise)X 3468(satisfying)X 3935(security)X 835 3273(formalisms,)N 1390(such)X 1628(as)X 1758(Goguen)X 2129(and)X 2327(Meseguer's)X 2856(original)X 3231(non-interference)X 3998(model,)X 835 3381(unusable.)N 1035 3537(Even)N 1303(when)X 1585(a)X 
1679(machine)X 2097(is)X 2213(said)X 2437(to)X 2563(be)X 2706(deterministic,)X 3365(this)X 3578(is)X 3695(often)X 3961(not)X 4147(the)X 835 3645(case,)N 1078(due)X 1267(to)X 1379(the)X 1550(subtle)X 1849(effects)X 2161(of)X 2268(certain)X 2608(implementation-related)X 3685(mechanisms.)X 1035 3801(One)N 1253(type)X 1480(of)X 1596(problem)X 1994(arises)X 2294(from)X 2538(the)X 2718(fact)X 2919(that)X 3141(time)X 3377(is)X 3488(not)X 3668(explicitly)X 4109(con-)X 835 3909(sidered)N 1188(in)X 1306(the)X 1479(trace)X 1732(model.)X 2081(Running)X 2496(a)X 2578(program)X 2985(on)X 3121(a)X 3203(faster)X 3490(machine)X 3896(may)X 4113(pro-)X 835 4017(duce)N 1067(different)X 1478(results.)X 1035 4173(Similarly,)N 1531(the)X 1732(details)X 2087(of)X 2224(processor)X 2700(scheduling)X 3237(are)X 3439(usually)X 3824(abstracted)X 835 4281(away)N 1098(in)X 1218(the)X 1393(course)X 1709(of)X 1819(security)X 2205(modelling,)X 2698(resulting)X 3130(in)X 3249(behaviour)X 3723(that)X 3939(appears)X 835 4389(non-deterministic)N 1660(to)X 1783(the)X 1965(user.)X 2252(For)X 2445(example,)X 2880(an)X 3030(interactive)X 3547(program)X 3963(may)X 4190(be)X 835 4497(rendered)N 1261(unusable)X 1694(on)X 1828(a)X 1908(heavily)X 2257(loaded)X 2573(machine.)X 1035 4653(A)N 1139(related)X 1488(sort)X 1696(of)X 1811(dif\256culty)X 2242(arises)X 2541(when)X 2818(systems)X 3210(are)X 3390(composed)X 3853(in)X 3978(certain)X 835 4761(ways.)N 1143(If)X 1244(multiple)X 1648(processes)X 2098(have)X 2339(their)X 2586(outputs)X 2956(merged)X 3316(onto)X 3538(a)X 3621(single)X 3913(channel,)X 835 4869(the)N 1016(resulting)X 1455(composite)X 1931(output)X 2263(stream)X 2611(will)X 2814(depend)X 3172(on)X 3317(the)X 3499(relative)X 3877(speeds)X 4211(of)X 835 4977(the)N 1025(processes.)X 1545(Thus)X 1818(the)X 2008(output)X 2349(sequence)X 2798(is)X 2918(not)X 3107(wholly)X 3445(determined)X 3998(by)X 4147(the)X 835 5085(input)N 1102(sequence)X 1532(to)X 1644(the)X 1815(composite)X 2281(machine.)X 1035 
Another problem resulting from the composition of systems is due to the requirement of buffering between processes. Since all input buffers must be finite in capacity, some policy must be followed when an input arrives for a full buffer. Two alternatives are available: either the new input (or the oldest unprocessed input, or some random input in the buffer) is ignored, or the sending process is blocked until the buffer is no longer full. Both alternatives, unfortunately, lead to difficulties.

If the new input is dropped, the output sequence from the intended receiver will be dependent on the size of the buffer and the relative speeds of the processes. Buffer sizes could be modelled (though such "low-level" details are usually ignored), but the trace model cannot adequately deal with process speeds, especially since these are highly dependent on the detailed behaviour of hardware devices.

If the sending process is blocked, a potential covert channel has been introduced: a low-level sender can receive information by sending to a high-level process. This information may seem harmless, since an unblocked process does not receive notification that it was blocked, and a blocked process cannot do anything. However, McCullough presents an example of a composite system with two sending processes that gives rise to a very effective covert channel. What he does not mention is that a single sending process can also detect whether or not it was blocked, by simply consulting a real-time clock before and after every send. The elapsed time is not a foolproof indicator, but in many cases the resulting error rate over the covert channel will be quite low.

McCullough's example has several errors which are corrected in the following presentation. Two low-level processes A and B write to an output buffer BU visible to low-level users, and one high-level process, S, reads from one high-level input buffer BS. One of the three internal buffers, BC, is written by both A and B, and read by S. The other internal buffers, BA and BB, are written only by A or B, respectively, and are read by S. BA and BB have length one and block the sender when full. The other buffers may be of any length. The system is illustrated in figure 5.5.

Processes A and B each repeatedly execute four sends. A first sends two messages to BA, then sends a 0 to BU, and then sends to BC. B first sends two messages to BB, then sends a 1 to BU, and then sends to BC.

Process S repeatedly executes four receives. It first receives from BS, then receives twice from either BA or BB, depending on whether it received a 0 or a 1 from BS, respectively, and then receives from BC.

In operation, A and B fill up BA and BB and then block on their second sends. S reads a high-level bit from BS, unblocks one of A or B by reading from BA or BB, clears that buffer by reading again, and then blocks on BC, waiting for the unblocked low-level process to send to it. This gives the unblocked low-level process time to send its bit to BU, and it then allows S to continue by sending to BC.

The effect of this behaviour is that BU receives a bit-by-bit copy of the input to BS, clearly as a result of the blocking nature of the finite buffers in the system. Each individual process is secure from any standpoint; the low-level processes never read, and the high-level process never writes! Yet low-level users see a faithful reproduction of a high-level input sequence.
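As an added example (not code from the survey or from McCullough's paper), the following Python simulation runs the three processes and five buffers just described under a fixed round-robin scheduler, once with BA and BB of length one and once with them unbounded; the process programs follow the text, while the scheduler, the Buffer class and the round bound are assumptions of this example.

```python
# Added example: simulation of the buffering covert channel of section 5.3.1.
# The process programs follow the text; the round-robin scheduler, the
# Buffer class and the round bound are assumptions of this example, not part
# of McCullough's paper or the survey.
from collections import deque
from typing import Deque, Dict, Generator, List, Optional, Tuple

# An operation a process is trying to perform: ("send", buffer, value) or
# ("recv", buffer, None).  Blocking is modelled by retrying the same
# operation on the next round.
Op = Tuple[str, str, Optional[int]]


class Buffer:
    """FIFO buffer.  capacity=None models an 'effectively infinite' buffer."""

    def __init__(self, capacity: Optional[int]) -> None:
        self.capacity = capacity
        self.items: Deque[int] = deque()

    def full(self) -> bool:
        return self.capacity is not None and len(self.items) >= self.capacity

    def empty(self) -> bool:
        return not self.items


def low_level_sender(bit: int, own: str) -> Generator[Op, Optional[int], None]:
    """Process A (bit 0, own buffer BA) or B (bit 1, own buffer BB): two sends
    to its own buffer, its bit to the low-visible BU, then one send to BC."""
    while True:
        yield ("send", own, 0)      # message content is irrelevant
        yield ("send", own, 0)      # blocks while the length-one buffer is full
        yield ("send", "BU", bit)
        yield ("send", "BC", 0)


def high_level_receiver() -> Generator[Op, Optional[int], None]:
    """Process S: a bit from BS, two receives from BA (bit 0) or BB (bit 1),
    then one receive from BC.  S never writes anywhere."""
    while True:
        bit = yield ("recv", "BS", None)
        own = "BA" if bit == 0 else "BB"
        yield ("recv", own, None)   # unblocks the chosen low-level sender
        yield ("recv", own, None)   # clears its buffer again
        yield ("recv", "BC", None)  # waits until that sender has run


class Process:
    def __init__(self, gen: Generator[Op, Optional[int], None]) -> None:
        self.gen = gen
        self.pending: Op = next(gen)   # operation currently being attempted
        self.finished = False


def run_system(secret: List[int], capacity: Optional[int],
               max_rounds: int = 10_000) -> List[int]:
    """Run A, B and S round-robin until S has consumed all of BS (or until
    every process is blocked); return what low-level users see in BU."""
    bufs: Dict[str, Buffer] = {
        "BS": Buffer(None), "BU": Buffer(None), "BC": Buffer(None),
        "BA": Buffer(capacity), "BB": Buffer(capacity)}
    bufs["BS"].items.extend(secret)           # the high-level input
    a, b, s = (Process(low_level_sender(0, "BA")),
               Process(low_level_sender(1, "BB")),
               Process(high_level_receiver()))
    for _ in range(max_rounds):
        progressed = False
        for p in (a, b, s):
            if p.finished:
                continue
            kind, name, value = p.pending
            buf = bufs[name]
            if kind == "send":
                if buf.full():
                    continue                   # blocked on a full buffer
                buf.items.append(value)
                result: Optional[int] = None
            else:
                if buf.empty():
                    if name == "BS":           # high-level input exhausted
                        p.finished = True
                    continue                   # blocked on an empty buffer
                result = buf.items.popleft()
            p.pending = p.gen.send(result)
            progressed = True
        if s.finished or not progressed:
            break
    return list(bufs["BU"].items)


if __name__ == "__main__":
    secret_bits = [0, 1, 1, 0, 1]              # constructed high-level input
    print("length-one BA/BB:", run_system(secret_bits, capacity=1))
    print("unbounded BA/BB: ", run_system(secret_bits, capacity=None))
```

With length-one buffers the returned BU is exactly the secret; with unbounded buffers neither sender ever blocks and BU is the scheduler's fixed interleaving, the same for every secret of a given length.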
MXY -57 -14 Dl 1595 MY 288 0 Dl 3842 1614(BS)N 3787 1715 MXY 0 -240 Dl 1476 MY 240 0 Dl 0 240 Dl 1715 MY -240 0 Dl 4084 1581 MXY -57 14 Dl 4084 1610 MXY -57 -14 Dl 1595 MY 288 0 Dl 2731 1268 MXY 324 201 Dl 2998 1451 MXY 56 18 Dl 3014 1426 MXY 41 42 Dl 2731 1924 MXY 324 -201 Dl 3014 1765 MXY 41 -42 Dl 2998 1741 MXY 56 -18 Dl 1569 2379(Figure)N 1891(5.5:)X 2078(Covert)X 2401(Channel)X 2805(due)X 2994(to)X 3106(Buffering.)X 10 f 835 2595(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh)N 1 f 1035 2907(The)N 1243(remedy)X 1610(for)X 1770(this)X 1978(situation)X 2413(is)X 2525(to)X 2647(require)X 3008(buffers)X 3357(that)X 3580(are)X 3761(``effectively'')X 835 3015(in\256nite)N 1203(in)X 1338(capacity.)X 1802(If)X 1918(the)X 2107(probability)X 2635(of)X 2760(\256lling)X 3064(a)X 3162(buffer)X 3474(is)X 3594(very)X 3832(small,)X 4147(the)X 835 3123(amount)N 1215(of)X 1334(information)X 1897(leakable)X 2308(through)X 2703(this)X 2913(type)X 3143(of)X 3262(covert)X 3571(channel)X 3961(may)X 4190(be)X 835 3231(acceptable.)N 1380(This)X 1606(is)X 1709(treading)X 2113(on)X 2248(thin)X 2461(ice,)X 2637(however,)X 3064(for)X 3215(it)X 3310(is)X 3413(relying)X 3752(on)X 3886(details)X 4211(of)X 835 3339(the)N 1006(implementation)X 1737(to)X 1849(preserve)X 2257(security.)X 3 f 835 3735(5.3.2.)N 1135(Generalized)X 1767(Noninterference)X 1 f 1035 3891(Goguen)N 1414(and)X 1620(Meseguer's)X 2157(non-interference)X 2932(property)X 3351(is)X 3465(directly)X 3841(applicable)X 835 3999(only)N 1052(to)X 1166(deterministic)X 1785(systems.)X 2224(Since)X 2493(it)X 2589(has)X 2775(just)X 2972(been)X 3208(shown)X 3522(that)X 3736(this)X 3935(require-)X 835 4107(ment)N 1105(is)X 1221(very)X 1455(restrictive)X 1951(\(if)X 2086(not)X 2271(impossible)X 2781(to)X 2908(meet\))X 3200(in)X 3331(practice,)X 3752(McCullough)X 835 4215(presents)N 1272(a)X 1382(generalization)X 2074(of)X 2211(Goguen)X 2608(and)X 2832(Meseguer's)X 3386(model.)X 3762(This)X 4016(is)X 4147(the)X 835 
4323(de\256nition)N 1287(of)X 1394(non-interference)X 2157(in)X 2273(terms)X 2558(of)X 2665(traces)X 2961(that)X 3174(was)X 3374(discussed)X 3826(in)X 3943(the)X 4115(ear-)X 835 4431(lier)N 1013(paper.)X 1035 4587(It)N 1154(was)X 1370(shown)X 1699(in)X 1831(that)X 2060(paper)X 2357(that)X 2586(this)X 2801(``generalized)X 3396(non-interference'')X 4216(is)X 835 4695(not)N 1031(a)X 1136(composable)X 1696(property.)X 2182(However,)X 2654(it)X 2773(is)X 2899(claimed)X 3294(that)X 3531(generalized)X 4093(non-)X 835 4803(interference)N 1416(is)X 1534(composable)X 2085(if)X 2190(there)X 2468(is)X 2587(no)X 2738(feedback)X 3171(between)X 3583(systems.)X 4037(Thus,)X 835 4911(systems)N 1220(with)X 1449(the)X 1621(generalized)X 2160(non-interference)X 2924(property)X 3332(can)X 3515(be)X 3644(connected)X 4112(as)X 4238(a)X 835 5019(directed,)N 1254(acyclic)X 1580(graph)X 1874(with)X 2108(in\256nite)X 2463(internal)X 2855(buffers)X 3200(to)X 3318(form)X 3559(a)X 3645(composite)X 4118(sys-)X 835 5127(tem)N 1034(with)X 1264(the)X 1437(generalized)X 1976(non-interference)X 2740(property.)X 3202(This)X 3428(result)X 3718(is)X 3821(clearly)X 4147(not)X 835 5235(as)N 960(general)X 1319(as)X 1444(we)X 1594(would)X 1888(like.)X 110 p %%Page: 110 13 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(110)X 798(-)X 2646(5.)X 2755(Survey)X 3135(of)X 3258(Formal)X 3649(Models)X 547 684(5.3.3.)N 847(Deducibility)X 1 f 747 840(Sutherland's)N 1345(deducibility)X 1897(property)X 2308(is)X 2414(applicable)X 2895(to)X 3011(non-deterministic)X 3830(sys-)X 547 948(tems)N 810(in)X 947(its)X 1107(original)X 1499(form,)X 1782(but)X 1978(it)X 2092(is)X 2214(even)X 2467(less)X 2682(composable)X 3237(than)X 3492(generalized)X 547 1056(non-interference,)N 1340(according)X 1796(to)X 1912(McCullough.)X 2536(However,)X 2987(if)X 3080(a)X 3164(deducibility-secure)X 547 1164(system)N 907(makes)X 1243(no)X 1398(high-level)X 1884(output)X 2227(unsolicited)X 2759(by)X 2911(a)X 3012(high-level)X 3498(input,)X 3813(it)X 
3928(is)X 547 1272(composable.)N 747 1428(Unfortunately,)N 1442(the)X 2 f 1621(unsolicited)X 2140(write-up)X 1 f 2548(requirement)X 3136(is)X 3246(probably)X 3667(too)X 3835(res-)X 547 1536(trictive)N 894(in)X 1011(practice,)X 1418(since)X 1671(this)X 1870(forbids)X 2204(systems)X 2588(that)X 2802(simply)X 3126(upgrade)X 3518(the)X 3689(level)X 3923(of)X 547 1644(inputs.)N 922(McCullough)X 1497(also)X 1709(claims,)X 2058(as)X 2192(in)X 2317(the)X 2497(earlier)X 2829(paper,)X 3147(that)X 3370(deducibility)X 3928(is)X 547 1752(not)N 741(an)X 903(adequate)X 1359(security)X 1765(property)X 2194(when)X 2484(applied)X 2859(to)X 2993(non-deterministic)X 3830(sys-)X 547 1860(tems,)N 824(but)X 1008(does)X 1239(so)X 1367(by)X 1506(way)X 1720(of)X 1835(an)X 1982(example)X 2387(that)X 2608(is)X 2718(nearly)X 3037(identical)X 3457(with)X 3693(that)X 3914(in)X 547 1968(the)N 731(earlier)X 1066(paper.)X 1414(Again,)X 1743(this)X 1953(claim)X 2233(is)X 2347(well)X 2569(founded,)X 2991(but)X 3179(the)X 3362(inappropriate-)X 547 2076(ness)N 776(of)X 888(his)X 1054(examples)X 1501(re\257ects)X 1857(what)X 2114(appears)X 2499(to)X 2617(be)X 2751(an)X 2896(imperfect)X 3350(understanding)X 547 2184(of)N 654(the)X 825(deducibility)X 1373(notion.)X 3 f 547 2580(5.3.4.)N 847(Restrictiveness)X 1 f 747 2736(Clearly,)N 1230(neither)X 1686(generalized)X 2330(non-interference)X 3199(nor)X 3482(deducibility)X 547 2844(strengthened)N 1170(with)X 1405(the)X 1583(unsolicited)X 2101(write-up)X 2514(requirement)X 3101(is)X 3210(an)X 3356(adequate)X 3795(com-)X 547 2952(posable)N 906(security)X 1289(property)X 1696(in)X 1812(the)X 1983(presence)X 2399(of)X 2506(non-determinism.)X 747 3108(To)N 900(remedy)X 1271(this,)X 1510(McCullough)X 2090(had)X 2298(earlier)X 2634(introduced)X 3152(the)X 3337(``hook-up)X 3776(secu-)X 547 3216(rity'')N 790(property)X 1212(as)X 1352(a)X 1447(requirement)X 2041(on)X 2189(the)X 2374(allowable)X 2835(traces)X 3145(of)X 3266(a)X 3360(machine.)X 3832(The)X 547 
3324(closing)N 888(paragraph)X 1388(of)X 1503(his)X 1672(1987)X 1919(paper)X 2208(states)X 2508(that)X 2729(a)X 2817(property)X 3232(on)X 3374(traces)X 3678(may)X 3902(be)X 547 3432(more)N 851(suitable)X 1286(than)X 1574(one)X 1808(de\256ned)X 2211(for)X 2413(state)X 2712(machines,)X 3240(as)X 3417(Goguen)X 3836(and)X 547 3540(Meseguer's)N 1081(work)X 1340(had)X 1543(been.)X 1841(It)X 1953(is)X 2064(interesting,)X 2614(then,)X 2880(to)X 3001(\256nd)X 3210(his)X 3381(hook-up)X 3776(secu-)X 547 3648(rity)N 756(property)X 1184(presented)X 1670(in)X 1806(1988)X 2065(as)X 2210 0.1809(``restrictiveness'',)AX 3016(a)X 3116(property)X 3543(de\256ned)X 3914(in)X 547 3756(terms)N 832(of)X 939(state)X 1186(machines.)X 747 3912(That)N 1009(he)X 1165(would)X 1481(do)X 1633(so)X 1775(is,)X 1927(however,)X 2376(understandable,)X 3150(since)X 3425(applying)X 3859(the)X 547 4020(trace)N 799(model)X 1093(becomes)X 1491(unwieldy)X 1926(for)X 2077(even)X 2311(the)X 2482(simplest)X 2884(real-world)X 3368(systems.)X 3805(This)X 547 4128(can)N 749(easily)X 1053(be)X 1201(seen)X 1448(by)X 1599(applying)X 2031(the)X 2223(non-interference)X 3007(de\256nition)X 3480(in)X 3617(terms)X 3923(of)X 547 4236(traces)N 843(to)X 955(any)X 1145(of)X 1252(the)X 1423(examples)X 1865(from)X 2100(the)X 2271(two)X 2458(papers.)X 747 4392(A)N 857(potential)X 1295(problem)X 1698(with)X 1940(de\256ning)X 2342(security)X 2739(properties)X 3232(in)X 3362(terms)X 3661(of)X 3783(state)X 547 4500(machines,)N 1057(though,)X 1458(is)X 1594(that)X 1841(some)X 2127(generality)X 2637(may)X 2886(be)X 3047(lost.)X 3321(However,)X 3801(it)X 3928(is)X 547 4608(claimed)N 924(that,)X 1171(for)X 1328(any)X 1525(set)X 1689(of)X 2 f 1803(restrictive)X 2277(traces)X 1 f 2572(\(that)X 2824(is,)X 2960(a)X 3047(hook-up)X 3439(secure)X 3759(set)X 3923(of)X 547 4716(traces\),)N 915(there)X 1190(is)X 1305(some)X 2 f 1571(restrictive)X 2051(state)X 2300(machine)X 1 f 2716(that)X 2942(gives)X 3207(rise)X 3413(to)X 3538(only)X 
3766(those)X 547 4824(traces.)N 921(Conversely,)X 1491(all)X 1655(restrictive)X 2161(state)X 2432(machines)X 2905(produce)X 3308(only)X 3548(restrictive)X 547 4932(traces.)N 747 5088(The)N 953(transitions)X 1474(in)X 1598(McCullough's)X 2237(state)X 2492(machines)X 2949(are)X 3128(taken)X 3417(on)X 3560(input)X 3836(and)X 547 5196(output)N 885(events.)X 1270(The)X 1483(set)X 1655(of)X 1777(possible)X 2173(traces)X 2484(for)X 2649(a)X 2744(machine)X 3163(is)X 3280(the)X 3466(set)X 3638(of)X 3760(event)X 547 5304(sequences)N 1022(produced)X 1455(by)X 1586(successive)X 2070(transitions)X 2583(starting)X 2965(from)X 3200(the)X 3371(initial)X 3667(state.)X 747 5460(Two)N 965(states)X 1261(are)X 1436(said)X 1650(to)X 1766(be)X 2 f 1898(equivalent)X 1 f 2389(if)X 2482(it)X 2580(is)X 2686(impossible)X 3186(for)X 3340(low-level)X 3763(users)X 547 5568(to)N 677(distinguish)X 1222(between)X 1635(them.)X 1963(States)X 2288(which)X 2599(are)X 2788(equivalent)X 3300(can)X 3499(be)X 3644(grouped)X 547 5676(into)N 2 f 750(equivalence)X 1292(classes)X 1 f 1594(;)X 1651(all)X 1794(states)X 2089(in)X 2208(an)X 2350(equivalence)X 2902(class)X 3148(can)X 3333(be)X 3464(said)X 3677(to)X 3792(have)X 111 p %%Page: 111 14 12 s 0 xH 0 xS 1 f 3 f 835 396(5.3.)N 1026(Noninterference)X 1877(and)X 2093 0.2865(Composability)AX 4008(-)X 4067(111)X 4259(-)X 1 f 835 684(the)N 1006(same)X 2 f 1264(low-level)X 1678(state)X 1 f 1887(.)X 1035 840(For)N 1217(such)X 1450(a)X 1530(state)X 1777(machine)X 2181(to)X 2293(be)X 2421(restrictive,)X 2930(it)X 3024(must)X 3277(satisfy)X 3597(four)X 3806(conditions:)X 10 f 1118 996(g)N 1 f 1205(The)X 1411(machine)X 1823(must)X 2084(be)X 2 f 2220(input)X 2495(total)X 1 f 2698(,)X 2761(which)X 3063(means)X 3389(that)X 3611(it)X 3714(must)X 3976(be)X 4113(per-)X 1205 1104(missible)N 1603(for)X 1758(any)X 1952(input)X 2223(to)X 2339(occur)X 2606(at)X 2727(any)X 2921(time.)X 3206(That)X 3450(is,)X 3583(there)X 3849(must)X 4106(be)X 4238(a)X 1205 1212(transition)N 
1678(from)X 1918(every)X 2191(state)X 2444(for)X 2600(all)X 2746(possible)X 3133(input)X 3406(events.)X 3781(In)X 3912(practice,)X 1205 1320(this)N 1405(means)X 1724(that)X 1939(inputs)X 2253(must)X 2508(never)X 2786(be)X 2916(blocked;)X 3305(buffers)X 3645(will)X 3838(have)X 4077(to)X 4190(be)X 1205 1428(large)N 1463(enough)X 1820(to)X 1938(cope)X 2165(with)X 2399(worst-case)X 2901(combinations)X 3524(of)X 3638(input)X 3912(and)X 4113(pro-)X 1205 1536(cessing)N 1553(rates,)X 1833(or)X 1951(inputs)X 2263(to)X 2375(full)X 2553(buffers)X 2892(will)X 3084(have)X 3322(to)X 3434(be)X 3562(silently)X 3919(ignored.)X 10 f 1118 1644(g)N 1 f 1205(All)X 1395(states)X 1721(belonging)X 2211(to)X 2357(one)X 2573(equivalence)X 3156(class)X 3433(must)X 3720(go)X 3880(to)X 4026(states)X 1205 1752(belonging)N 1673(to)X 1797(another)X 2183(equivalence)X 2744(class)X 2998(on)X 3143(the)X 3325(same)X 3594(low-level)X 4024(input.)X 1205 1860(In)N 1340(other)X 1612(words,)X 1942(states)X 2244(with)X 2482(the)X 2663(same)X 2932(low-level)X 3362(portion)X 3720(must)X 3984(appear)X 1205 1968(to)N 1317(respond)X 1697(identically)X 2190(to)X 2302(a)X 2382(low-level)X 2801(input.)X 10 f 1118 2076(g)N 1 f 1205(Transitions)X 1773(due)X 1990(to)X 2130(high-level)X 2623(inputs)X 2963(must)X 3244(go)X 3399(between)X 3823(equivalent)X 1205 2184(states.)N 1554(This)X 1782(means)X 2102(that)X 2318(high-level)X 2785(inputs)X 3099(cannot)X 3427(directly)X 3793(affect)X 4067(what)X 1205 2292(is)N 1307(visible)X 1621(to)X 1733(low-level)X 2152(users.)X 10 f 1118 2400(g)N 1 f 1205(All)X 1395(states)X 1721(belonging)X 2211(to)X 2357(one)X 2573(equivalence)X 3156(class)X 3433(must)X 3720(go)X 3880(to)X 4026(states)X 1205 2508(belonging)N 1695(to)X 1841(another)X 2249(equivalence)X 2832(class)X 3108(on)X 3275(any)X 3498(high-level)X 3996(output)X 1205 2616(sequence,)N 1693(possibly)X 2108(with)X 2367(an)X 2537(embedded)X 3042(low-level)X 3492(output.)X 3899(In)X 4056(other)X 1205 2724(words,)N 1529(states)X 
1825(with)X 2057(the)X 2232(same)X 2494(low-level)X 2917(portion)X 3268(must)X 3525(appear)X 3863(to)X 3979(behave)X 1205 2832(the)N 1390(same)X 1662(regardless)X 2165(of)X 2287(the)X 2473(high-level)X 2953(outputs)X 3335(being)X 3618(produced.)X 4120(The)X 1205 2940(nature)N 1545(of)X 1666(high-level)X 2145(outputs)X 2526(should)X 2863(not)X 3047(be)X 3188(evident)X 3556(from)X 3804(changes)X 4202(in)X 1205 3048(the)N 1376(low-level)X 1795(state.)X 1035 3204(Hooking)N 1457(up)X 1620(two)X 1829(state)X 2098(machines)X 2 f 2569(A)X 1 f 2686(and)X 2 f 2902(B)X 1 f 3020(forms)X 3322(a)X 3425(composite)X 3914(machine)X 835 3312(whose)N 1164(states)X 1483(are)X 1681(pairs)X 1960(of)X 2093(the)X 2290(states)X 2608(of)X 2 f 2741(A)X 1 f 2862(and)X 2 f 3082(B)X 1 f 3151(.)X 3258(The)X 3482(state)X 2 f 3755()N 1 f 4216(is)X 835 3420(equivalent)N 1357(to)X 2 f 1496()N 1 f 1958(if)X 2074(and)X 2295(only)X 2537(if)X 2 f 2653(A)X 1 f 9 s 2733 3439(1)N 12 s 2835 3420(is)N 2964(equivalent)X 3487(to)X 2 f 3627(B)X 1 f 9 s 3708 3439(1)N 12 s 3811 3420(and)N 2 f 4033(A)X 1 f 9 s 4113 3439(2)N 12 s 4216 3420(is)N 835 3528(equivalent)N 1331(to)X 2 f 1444(B)X 1 f 9 s 1525 3547(2)N 12 s 1573 3528(.)N 1655(Allowable)X 2119(transitions)X 2633(between)X 3029(composite)X 3495(states)X 3787(occur)X 4050(when)X 835 3636(either)N 1139(machine)X 1555(has)X 1751(a)X 1843(non-shared)X 2383(input)X 2662(or)X 2792(output)X 3126(event)X 3408(\(in)X 3568(which)X 3874(case)X 4103(only)X 835 3744(one)N 1024(of)X 1138(the)X 1316(states)X 1615(in)X 1738(the)X 1916(composite)X 2389(pair)X 2604(changes\),)X 3054(or)X 3178(when)X 3452(one)X 3640(machine's)X 4115(out-)X 835 3852(put)N 1013(is)X 1115(the)X 1286(other's)X 1613(input)X 1880(\(in)X 2028(which)X 2321(case)X 2537(both)X 2761(states)X 3053(in)X 3169(the)X 3340(pair)X 3548(change\).)X 1035 4008(It)N 1145(can)X 1334(be)X 1469(shown)X 1789(that)X 2009(this)X 2214(composite)X 2687(machine)X 3098(is)X 3207(restrictive)X 3696(\(and)X 3929(satis\256es)X 
835 4116(the)N 1030(above)X 1334(four)X 1567(restrictiveness)X 2270(conditions\))X 2807(if)X 2920(the)X 3115(component)X 3648(machines)X 4120(are.)X 835 4224(The)N 1033(proof)X 1286(appears)X 1665(in)X 1781(``The)X 2019(Theory)X 2359(of)X 2466(Security''.)X 3 f 835 4620(5.4.)N 1053(SECURITY)X 1631(AND)X 1891(MACHINE)X 2440(COMPOSITION)X 1 f 1035 4776(We)N 1205(will)X 1398(now)X 1608(consider)X 2007(two)X 2195(contributions)X 2814(to)X 2927(the)X 3099(theory)X 3413(of)X 3521(security)X 3905(composi-)X 835 4884(tion)N 1054(which)X 1365(were)X 1624(published)X 2103(in)X 2237(the)X 2426(Proceedings)X 3005(of)X 3130(the)X 3319(Security)X 3734(Foundations)X 835 4992(Workshop)N 1311(in)X 1427(1988.)X 1035 5148(The)N 1245(\256rst)X 1469(paper,)X 2 f 1790(Security)X 2196(and)X 2409(the)X 2585(Composition)X 3178(of)X 3298(Machines)X 1 f 3723([Johnson88],)X 835 5256(by)N 972(Dale)X 1211(M.)X 1362(Johnson)X 1766(and)X 1965(F.)X 2088(Javier)X 2398(Thayer,)X 2775(builds)X 3079(on)X 3218(the)X 3394(foundation)X 3906(provided)X 835 5364(by)N 987(Darryl)X 1330(McCullough,)X 1945(whose)X 2269(work)X 2541(is)X 2665(discussed)X 3139(elsewhere)X 3632(in)X 3770(this)X 3990(report.)X 835 5472(Johnson)N 1264(and)X 1489(Thayer)X 1865(present)X 2258(a)X 2369(new)X 2608(security)X 3021(property)X 3458(that)X 3701(is)X 3833(similar)X 4206(to)X 835 5580(McCullough's,)N 1493(and)X 1687(has)X 1872(the)X 2044(same)X 2303(desirable)X 2736(quality)X 3077(of)X 3185(composability,)X 3848(but)X 4025(which)X 835 5688(is)N 937(demonstrably)X 1571(weaker)X 1922(\(i.e.,)X 2140(less)X 2335(restrictive\).)X 112 p %%Page: 112 15 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(112)X 798(-)X 2646(5.)X 2755(Survey)X 3135(of)X 3258(Formal)X 3649(Models)X 1 f 747 684(The)N 955(second)X 1291(paper,)X 2 f 1610(What)X 1885(Needs)X 2189(Securing?)X 1 f 2626([Guttman88],)X 3266(by)X 3408(Joshua)X 3763(Gutt-)X 547 792(man)N 773(and)X 969(Mark)X 1242(E.)X 1367(Nadel,)X 1687(uses)X 1913(a)X 1995(different)X 2408(approach)X 
to the composability question, while continuing to characterize systems by
their sets of possible execution traces. As may be expected from the title of
this paper, it also considers the contentious issue of how confidentiality
itself should be defined. Although this latter question is not directly
related to composability, it is certainly of vital interest that the security
condition met by a composed system be an effective and practical one, and so
we shall consider this issue in some depth as well.

It is undoubtedly fair to say that McCullough's work was an effective
catalyst in the creation of both these papers. McCullough, in turn, based his
essential confidentiality condition on the non-deducibility definition of
Sutherland. In recognition of their progenity, we will refer often to these
works to show both their similarities to and diversity from the papers under
examination.

5.4.1. Johnson and Thayer

No better introduction to this paper can be made than the following from its
abstract:

    This paper examines definitions of security with respect to inputs in
    the context of abstract machines defined by means of concurrent event
    systems, and it identifies this area of security under the notion of
    correctability.

The first part of the paper introduces the event system formalism within
which the balance of the paper is conducted. This is an abstract
representation of a system employing a black box approach. Operation of the
system is modelled as a sequence of events, which include input and output
events, possibly in addition to other strictly internal events. Each
possible, legal system execution sequence is called a trace, and the system
is fully characterized by its set of possible events and its set of valid
execution traces.

This
approach is attractive from a theoretical viewpoint because it is capable of
describing a system using only its externally visible behaviour. It is not
necessary to make any assumptions about the internal operation of the system
in order to model it. Contrast this with a modelling approach based on state
machines, where the model is required to incorporate some approximation to
the internal operation of the modelled system. This is less desirable
because

  - It represents unnecessary implementation-related detail. In the
    abstract model we are really interested in a system's behaviour, rather
    than in the details of its construction.

  - The state machine formulation may implicitly constrain some of the
    behaviour of the model, and our subsequent analysis may depend on these
    constraints without our noticing it.

On the other hand,
the trace characterisation has the major drawback that it is virtually
impossible to work with in any concrete sense. An exhaustive list of all
possible execution traces is not feasible for any but the most trivial
systems, so some finite form of representation is necessary. This might take
the form of either a decision procedure (predicate) that lets us decide
which event sequences are valid traces, or a state machine whose handle can
be turned to generate valid traces. Since actual implementations are usually
based on state machines, concrete and application-specific models are quite
appropriately constructed using them. However, at the most abstract
modelling level, we prefer the event trace formalism.

It should be noted that, as in the case of most formal treatments of
security, the scope of this paper is limited to relatively static versions
of conventional (i.e. national security)
confidentiality policies. It deals with systems each of whose inputs are
marked with a classification, and whose outputs are similarly marked each
with the clearance level of observers able to view that output. However,
these inputs and outputs are not specific channels or physical ports, but
are the (abstract) I/O events experienced by the system.

Each event is individually rated as to its classification or clearance,
allowing any distinguishable pair of events to have different ratings. The
internal structure of these abstract events is not addressed in the model,
so events may be distinguished by any combination of characteristics
including physical I/O port, the user on whose behalf the event occurs, or
perhaps the particular data encapsulated in the event.

For this reason, it is not a strict requirement of this modelling scheme
that the physical I/O channels of a system be single-level.
It would be possible to apply the results obtained here, or in any similar
model, to systems with multi-level interconnections. The danger in doing
this is that the model would have to treat such a connection as a collection
of isolated virtual single-level connections. The mechanisms that maintain
separation of levels could not be represented in the model.

This is not a problem that is peculiar to this modelling scheme. It does,
however, illustrate that an abstract security model cannot stand alone. It
will always embody assumptions about detailed function that must be
recognized and verified by more detailed analysis.

The authors next restrict the set of systems they will consider to those
that satisfy two properties. They must have sets of traces which are
input-extensible and prefix-closed. Input extensibility is, as the authors
admit, a strong requirement. The system must be
capable of accepting an unbounded string of inputs at the end of any given
trace, before producing any output (or internal) events.

Prefix-closedness is a property that is consistent with our intuitive
interpretation of an event sequence as a temporal ordering of events. If a
system is able to execute a trace τ by a particular time, it makes sense
that at some earlier time it would have only executed some prefix of τ.
Despite this, it is not as trivial a restriction as it seems. If all initial
segments of a trace are to be valid traces, then no trace may contain events
that are inseparable.

The combination of input-extensibility and prefix-closedness leads us to a
dilemma. On the one hand, no two consecutive events may be bound together so
closely as to be inseparable. This might be interpreted as
ruling out arbitrarily rapid input sequences, so that there must be some
limit to the number of events that can occur in any finite span of time. On
the other hand, the system must be capable of accepting a string of inputs
of unbounded length before producing any outputs. It appears that the only
way to satisfy both these properties at once is to require that the system
be capable of delaying outputs an unbounded amount of time.

This is not a benign statement, as it might be if it were in an ordinary
functional specification. A designer might be quite comfortable with a
conventional specification that does not bound response time, because it
would ordinarily be interpreted as a lack of a requirement, or as permission
for the implementation to not meet any particular response time limit. In
this case, however, it is a positive requirement, and any implementation
that
fails to occasionally delay outputs for very long periods could not be
considered proven secure using this theory. McCullough's Hook-Up property
has a similar difficulty.

A curious consequence of these requirements is that a simple length of wire,
carrying high-level messages with a fixed propagation delay, cannot be a
component of a composite system modelled using either McCullough's or
Johnson and Thayer's formalism[1]. And, we cannot safely gloss over the
problem, claiming some particular system is ``pretty close'' to conformance
with this type of requirement, because the formal proof of security may
hinge on one of these properties. We would prefer a formalism that managed
to avoid these difficulties entirely.

This particular concern is related to the larger question of how much trust
may be comfortably placed in formal security definitions. Too often, they
seem to rely on theoretical approximations
that ignore practical considerations such as the relative probabilities of
different events. Proofs of security, on close examination, may hinge on the
occurrence of circumstances that are possible but very unlikely. Development
of the model in the TNA report was pursued with a view to alleviating these
concerns[2].

    [1] Components may contain wires — one presumes they interconnect
        somehow — but a wire may not by itself be a separate component.

5.4.1.1. Formal Security Framework

More for the sake of definiteness than any other reason, the authors
restrict their notion of confidentiality to one which prevents low-level
users from deducing anything about high-level inputs. As they remark, the
question of whether this input security is the ``right'' definition is not
yet settled. This
issue is addressed more thoroughly in the paper by Guttman and Nadel, and we
will postpone further discussion until we deal with it.

The paper essentially uses the notation of McCullough, defining the event
trace system

    S = ⟨E, I, O, T⟩

where

    E        is the set of events
    I,       the input events, is a subset of E
    O        is a subset of E disjoint from I, and is the set of output events
    T ⊆ E*   is the set of traces

The set of events E is also divided into the disjoint subsets L and H, such
that every event is in exactly one of L or H. These are, respectively, the
sets of low- and high-level events. Assuming two comparable levels
simplifies the discussion without any significant loss – the generalization
to an arbitrary
lattice of levels is straightforward but a little messy.

A more serious shortcoming is that the simple classification of events used
here assumes that events are entirely input or output oriented. In practical
systems this is rarely the case. Input and output operations usually include
some reverse-flowing acknowledgment or handshaking information. The ability
to handle composite input-output actions was present in the TNA model[3].

Throughout the rest of the paper these symbols are combined using standard
set operations, yielding such combinations as the intersection H ∩ I, the
set of high-level input events, and L ∪ (H \ I), the set containing all
low-level events plus all high-level non-input events. Also introduced here
is the notation α|L which is the subsequence of sequence α containing only
events in L.

    [2] [Thomson88], p. 135.
    [3] [Thomson88], pp. 152-153.

5.4.1.2. Correctability

The first important concept, that of correctability, is introduced on page
75. It is restated here in a slightly paraphrased form:

    An event system is correctable if and only if[4] for every trace α ∈ T
    and every sequence β ∈ (L ∪ (H ∩ I))* satisfying β|L = α|L, there
    exists a trace β′ such that β′|(L ∪ (H ∩ I)) = β.

In this definition, β is an arbitrary interleaving of the low-level
behaviour of trace α together with any sequence of high-level inputs. If the
system is correctable,
there will exist a valid trace β′ that contains the same interleaving. It
will probably also contain high-level internal or output events, but these
are not significant when confidentiality is defined as input security.

An alternative equivalent definition is provided in the paper. A
perturbation of a trace is a sequence formed by inserting, modifying, or
deleting high-level inputs in the trace. A correction of a sequence is a
trace obtained by inserting, modifying, or deleting high-level non-inputs
(i.e. outputs or internal events) in the sequence. A system is correctable
if every perturbation has a correction.

5.4.1.3. Comparison with Deducibility Security

Correctability is similar to Sutherland's deducibility security, yet differs
from it in important ways. To see this more clearly, we state a
deducibility-security condition (for input security) using the same
terminology:

    An event system is
    deducibility-secure iff for any two traces α, γ ∈ T there exists a
    trace λ ∈ T such that λ|L = α|L and λ|(H ∩ I) = γ|(H ∩ I).

The third trace λ exhibits the low-level behaviour of α together with the
high-level-input behaviour of γ.

The paper goes on to show that correctability is implied by McCullough's
hook-up security property. We find it more instructive to compare
correctability with non-deducibility. It is apparent that correctability is
stronger than non-deducibility on two grounds:

1)  Correctability provides that all sequences of high inputs are legal in
    combination with any observable low behaviour. Deducibility, on the
    other hand, only requires this if the high input sequence is already
    legal in some other
    trace. Note, however, that this difference disappears if we further
    specify input-extensibility and the input prefix property, because then
    we can always construct a legal empty trace then legally extend it with
    any desired sequence of high inputs.

    [4] The original omitted the ``only if''. They could do this because
        they only attempted to prove that correctability was implied by
        other things, not that correctability implied anything else. In any
        case, it was probably a typo.

2)  Correctability requires that all interleavings of low activity and high
    inputs be possible. Deducibility security only promises that a trace
    exists with the desired subsequences; it does not guarantee anything
    about how they are interleaved.

The latter is the more significant difference. Whether or not it makes
correctability better
than non-deducibility as a definition of confidentiality is a difficult
question. It might be considered better if we take the position that input
security is not sufficient, and that the interleaving is itself sensitive
information worthy of protection. This view is propounded by Guttman and
Nadel, and we will consider it later in the discussion of their paper.

The other possibility is that, even without regard to the sensitivity of the
interleaving, correctability may yield a more satisfying definition of
security. Consider a system with the following property: Once it has
received a single high-level input, it enters an operating mode where each
low-level input evokes a low-level response containing a copy of the most
recent high-level input. Queries occurring before the first high-level input
are answered with randomly generated data.

This system is plainly capable of exhibiting any desired low-level behaviour
when
there are no high-level inputs. It follows that arbitrary low-level
behaviour can be achieved in conjunction with any specified high-level input
sequence, by simply requiring that all the high-level inputs occur after the
last low-level input. We must conclude that this system is secure by the
non-deducibility definition, since non-deducibility does permit us to pick
such a ``peculiar'' interleaving in the composite trace.

Now, if we evaluate this system against the correctability criterion, it
will be judged insecure. Correctability requires that the desired low-level
behaviour be maintained across all interleavings of high-level inputs. In
this instance, at least, correctability seems to agree more closely with our
intuition than does deducibility.

Still, the subject is not necessarily closed with this observation.
Deducibility is known to have problems dealing with non-deterministic
systems, as discussed at some length in the TNA
Although correctability is sufficient to handle our current example, other non-deterministic scenarios exist in which correctability is no better than straight non-deducibility⁶. The solution recommended in the TNA work was elimination of the non-determinism in the system's behaviour. If we assume this to be done in both cases, the question that remains is whether there is any significant difference between correctability and non-deducibility when restricted to deterministic systems.

⁵ [Thomson88], pp. 93-109.
⁶ E.g. the example on p. 93 of [Thomson88].

- 118 - 5. Survey of Formal Models

We present here a non-rigorous⁷ first cut at arguing this question. Begin by assuming the existence of a deterministic system $S$ that is deducibility-secure but not correctable. $S$ must have a trace $\alpha$ such that for some interleaving $\beta$ of $\alpha|_L$ with a high-level input sequence, there does not exist a trace $\beta'$ satisfying $\beta'|_{L \cup (H \cap I)} = \beta$.

Input-extensibility is incompatible with determinism⁸, so we make the weaker assumption that for any input-only sequence there exists at least one trace containing those inputs. Let $\theta$ be such a trace with inputs $\theta|_I = \beta|_I$. Therefore, $\theta|_{L \cap I} = \alpha|_{L \cap I}$.

Now, if we apply the non-deducibility property (with $\gamma$ equal to the empty trace), we find that there must exist high-input-free traces $\alpha'$ and $\theta'$ such that $\alpha'|_L = \alpha|_L$ and $\theta'|_L = \theta|_L$. But then, because of the way $\theta$ was constructed, $\theta'$ and $\alpha'$ must have the same low inputs. Since the system is strongly deterministic, they must then be the same trace, $\alpha' = \theta'$. This, in turn, implies that $\alpha|_L = \theta|_L$, and it then follows that $\theta|_L = \beta|_L$.

Restating what we have so far:

    $\theta \in T$
    $\theta|_{(L \cap I) \cup (L \cap O)} = \beta|_{(L \cap I) \cup (L \cap O)}$
    $\theta|_{(L \cap I) \cup (H \cap I)} = \beta|_{(L \cap I) \cup (H \cap I)}$
    $\theta|_{(L \cap I) \cup (L \cap O) \cup (H \cap I)} \neq \beta|_{(L \cap I) \cup (L \cap O) \cup (H \cap I)}$.

The remaining difference must be in the relative ordering of the low outputs and high inputs. Further exploration of this difference is deferred.

5.4.1.4. Composition

Beginning on page 77, the authors introduce the notion of composition of event systems. Composition is formalized using the notation devised by McCullough. The definition is reproduced here:

⁷ Here we use the strong definition of determinism that appeared in the TNA report. In fact, the definition is too strong, and a weaker one such as that used by McCullough in his Theory of Security should be more useful.
⁸ Input extensibility implies that all sequences consisting only of input events are valid traces. Thus, for any trace $\alpha$, $\beta = \alpha|_I$ is also a trace. But