Using type enforcement to assure a configurable guard

“…Throughout the paper it has been necessary to treat a n.pay output as being on a trusted path, that is, any component generating n.pay has to be reliable. In practice, if we know that only one message can be output at the end of an assured pipeline (as in [9]), then we could regard the P3-make-payment program (Example 8) as a potentially unreliable filter or integrity verification procedure (IVP), whose failure cannot result in the generation of multiple n.pay outputs.…”

“…Failure of program P3 can result in multiple payments and therefore it is necessary to treat the payment program P3 as a reliable component. This is not an unreasonable assumption: for example, a typical guard pipeline regards that part that generates the output as trusted [9]. Thus, the infrastructure is modelled as …”

Evaluating system integrity

“…Throughout the paper it has been necessary to treat a n.pay output as being on a trusted path, that is, any component generating n.pay has to be reliable. In practice, if we know that only one message can be output at the end of an assured pipeline (as in [9]), then we could regard the P3-make-payment program (Example 8) as a potentially unreliable filter or integrity verification procedure (IVP), whose failure cannot result in the generation of multiple n.pay outputs.…”

“…Failure of program P3 can result in multiple payments and therefore it is necessary to treat the payment program P3 as a reliable component. This is not an unreasonable assumption: for example, a typical guard pipeline regards that part that generates the output as trusted [9]. Thus, the infrastructure is modelled as …”

Evaluating system integrity

Applications of Trusted Review to Information Security

A framework for multiple authorization types in a healthcare application system