A description is given of the relaxation lattice approach to specifying graceful degradation for a large class of systems. The method is applied to the security domain by identifying degraded system behaviors with those that can result from security violations, such as a user of one security class obtaining access rights associated with those of a higher class. The method can be used in two ways: (1) as a descriptive technique for specifying the behavior of existing systems in which breaches of security may inadvertently or unavoidably occur; and (2) as a formal design technique for specifying a range of behaviors, from ideal to undesired, of systems to be implemented.
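The following is an added illustration, not code from the paper: it models one concrete relaxation lattice for a mandatory-access-control system and shows how an observed trace is placed at the least degraded specification it still satisfies. The shape of the lattice (a product of two small chains, one for tolerated read-up and one for tolerated write-down, with the ideal no-read-up/no-write-down behavior at the bottom), the three security classes and the sample traces are all assumptions made for the example.

```python
"""Added example (not from the paper): a two-dimensional relaxation lattice
for mandatory access control.  Each point of the lattice is a specification;
lower points are stricter, the bottom point is the ideal behaviour, and a
trace is classified by the least point whose specification it satisfies."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed linear ordering of security classes (any chain would do).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Access:
    subject: str
    clearance: str   # security class of the subject
    obj_level: str   # security class of the object touched
    op: str          # "read" or "write"


# A lattice point (r, w) names the specification that tolerates reads up to
# r levels above the subject's clearance and writes up to w levels below it.
# (0, 0) is the ideal behaviour (no read-up, no write-down); every other
# point is a relaxation of it, and larger points are more degraded.
Spec = Tuple[int, int]
IDEAL: Spec = (0, 0)


def leq(a: Spec, b: Spec) -> bool:
    """Lattice order: a is at least as strict as b (componentwise)."""
    return a[0] <= b[0] and a[1] <= b[1]


def join(a: Spec, b: Spec) -> Spec:
    """Least common relaxation of two specifications."""
    return (max(a[0], b[0]), max(a[1], b[1]))


def meet(a: Spec, b: Spec) -> Spec:
    """Greatest specification stricter than both."""
    return (min(a[0], b[0]), min(a[1], b[1]))


def relaxation_of(ev: Access) -> Spec:
    """Least relaxed specification under which one access is permitted."""
    gap = LEVELS[ev.obj_level] - LEVELS[ev.clearance]
    if ev.op == "read":
        return (max(gap, 0), 0)       # positive gap = read-up by `gap` levels
    if ev.op == "write":
        return (0, max(-gap, 0))      # negative gap = write-down by `-gap` levels
    raise ValueError(f"unknown operation {ev.op!r}")


def classify(trace: Iterable[Access]) -> Spec:
    """Least lattice point whose specification the whole trace satisfies:
    the join of the per-event relaxations.  (0, 0) means no degradation."""
    spec = IDEAL
    for ev in trace:
        spec = join(spec, relaxation_of(ev))
    return spec


def satisfies(trace: Iterable[Access], spec: Spec) -> bool:
    """A trace satisfies every specification at or above its classification."""
    return leq(classify(trace), spec)


# Constructed sample traces (not real audit data).
CLEAN: List[Access] = [
    Access("alice", "secret", "confidential", "read"),       # read-down: ideal
    Access("bob", "unclassified", "unclassified", "write"),  # same level: ideal
]
DEGRADED: List[Access] = CLEAN + [
    Access("bob", "unclassified", "confidential", "read"),   # read-up by one level
]

if __name__ == "__main__":
    print("clean trace    ->", classify(CLEAN))      # (0, 0)
    print("degraded trace ->", classify(DEGRADED))   # (1, 0)
```

Used descriptively, `classify` maps what an existing system actually did onto the lattice, so a monitor can report how far a run drifted from the ideal point rather than only a pass/fail verdict; used as a design tool, a chosen point such as `(1, 0)` states exactly which degraded behaviors an implementation is permitted to exhibit, and `satisfies` is the acceptance check against that choice.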