Proving Protection Systems Safe

Theories of protection powerful enough to resolve security questions of computer systems are considered. Mo single theory of protection is adequate for proving whether the security afforded by an arbitrary protection system suffices to safeguard data from unauthorized access. When theories of protection are restricted' to computer systems which are bounded in size, adequate theories exist, but they are inherently intractable. The implications of these results are discussed. i Computer Science Department, Purdue University, W. Lafayette, IN *l?907. Research sponsored by the National Science Foundation MCS75-21100. ? Department of Mathematics, Dartmouth College, Hanover, NH 03755. Research sponsored by the Office of Naval Research Contract OMR >100014-75-0-051^ •^Computer Science Department, University of California, Berkeley, CA 9'1720. Research sponsored by the National Science Foundation MCS7^-07636-A01. ''current address: Department of Computer Science, University of Washington, Seattle, Washington 93195. Research supported by an IBÎ Pre-doctoral Fellowship.