On the Refinement Closure of Information-flow Properties

Information flow considers whether a High-level user in a multi-level system can pass information to a Low-level user. Many information flow properties suffer from the so called refinement paradox ; i.e. a property holds for a process but does not hold in one of its refinements. Therefore, it is often desirable to consider the refinement closure of an information flow property. The refinement closure of a property is true if, and only if, all refinements of a process satisfy the property. This appears to be tricky to test as it requires the tester to consider every possible refinement of a process. However, often it is possible to define a property which is equivalent to the refinement closure of another property, which depends only on the process in question rather than every possible refinement. One such case of this is Operational Non-Interference (ONI), which was proven by Lowe in [Low07b] to be equivalent to the refinement closure of Failures Non-Deducability on Compositions. In this dissertation we consider a number of properties that are based on ONI which are equivalent to the refinement closure of other properties. In this dissertation we make use of CSP. We consider a number of different information flow properties and define new properties that are equal to their refinement closures, but which are not quantified over all refinements of a process. We then compare the strengths of these refinement-closed properties. Lastly, for these refinement closed properties we detail refinement tests suitable for use within a model checker such as FDR.