Many representations of secure systems rely on implicit assumptions about the desired behavior of the environment. We introduce a means of explicitly representing and evaluating these assumptions within a system specification. This is based on the identification of the safeguards to protect the system by implementing or enforcing these assumptions. These assumptions correspond to vulnerabilities that can be exploited by changes to the environment, including those caused by the interconnection, or composition, of systems. We therefore introduce a “constrained” composition principle that allows us to explicitly evaluate the reasonableness of these assumptions for a proposed composite system.
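As an added illustration of the idea in the abstract (a constructed toy model, not the paper's own formalism or notation), the following makes each component's environmental assumptions, the safeguards that enforce them, and the guarantees it offers peers explicit, then checks a proposed composition for assumptions that nothing justifies or that the composition itself contradicts. Component names and predicates such as `network_isolated` are constructed for the example.

```python
from dataclasses import dataclass, field


def negate(p: str) -> str:
    """Predicates are plain strings; a leading '!' denotes the negation."""
    return p[1:] if p.startswith("!") else "!" + p


@dataclass
class Component:
    name: str
    assumptions: set[str]                     # what it relies on the environment for
    guarantees: set[str] = field(default_factory=set)   # what it establishes for peers
    safeguards: dict[str, str] = field(default_factory=dict)  # assumption -> mechanism


def check_composition(components: list[Component], environment: set[str]) -> dict[str, dict[str, str]]:
    """Evaluate every component's assumptions against the composite environment.

    An assumption holds if a local safeguard enforces it, or if the external
    environment or a peer's guarantee supplies it.  It is reported as a
    vulnerability when a peer's guarantee contradicts it (the composition has
    changed the environment) or when nothing at all justifies it.
    """
    report: dict[str, dict[str, str]] = {}
    for c in components:
        peer_guarantees = set().union(*(p.guarantees for p in components if p is not c))
        problems: dict[str, str] = {}
        for a in c.assumptions:
            if a in c.safeguards:
                continue                      # enforced locally, e.g. by a control
            if negate(a) in peer_guarantees or negate(a) in environment:
                problems[a] = "contradicted by composition"
            elif a not in environment and a not in peer_guarantees:
                problems[a] = "unjustified: no safeguard enforces it"
        if problems:
            report[c.name] = problems
    return report


# Constructed example: an authentication server that assumes an isolated network,
# composed with a gateway whose very purpose is to connect that network outward.
AUTH = Component("auth_server", {"clock_trusted", "network_isolated"},
                 {"authenticated_session"}, {"clock_trusted": "authenticated NTP"})
GATEWAY = Component("internet_gateway", {"authenticated_session"}, {"!network_isolated"})

if __name__ == "__main__":
    print(check_composition([AUTH], {"network_isolated"}))   # standalone: {}
    print(check_composition([AUTH, GATEWAY], set()))          # composite: flags network_isolated
```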