A Lattice Model of Secure Information Flow This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by the semantics of information flow. The lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security. The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches. It also leads to the construction of automatic program certification mechanisms for verifying the secure flow of information through a program. CACM May, 1976 Denning, D. E. protection, security, information flow, security class, lattice, program certification 4.35 CA760501 JB January 4, 1978 4:10 PM 2436 4 2870 2626 4 2870 2868 4 2870 2868 4 2870 2870 4 2870 2870 4 2870 2870 4 2870 2876 4 2870 3105 4 2870 3144 4 2870 953 5 2870 2377 5 2870 2632 5 2870 2870 5 2870 2870 5 2870 2870 5 2870 2945 5 2870 3128 5 2870 1947 6 2870 2150 6 2870 2376 6 2870 2436 6 2870 2597 6 2870 2704 6 2870 2865 6 2870 2866 6 2870 2870 6 2870 2870 6 2870 2912 6 2870 3082 6 2870