The successful design and implementation of secure systems must occur from the beginning. A component that must process data at multiple security levels is very critical and must go through additional evaluation to ensure the processing is secure. It is common practice to isolate and separate the processing of data at different levels into different components. In this paper we present architecture-based refinement techniques for the design of multilevel secure systems. We discuss what security requirements must be satisfied through the refinement process, including when separation works and when it does not. The process oriented approach will lead to verified engineering techniques for secure systems, which should greatly reduce the cost of certification of those systems.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J. Alves-Foss, W. S. Harrison, P. Oman, and C. Taylor. The mils architecture for high-assurance embedded systems. International Journal of Embedded Systems, 1(1), January 2005.
	2	Vincenzo Ambriola , Alina Kmiecik, Architectural transformations, Proceedings of the 14th international conference on Software engineering and knowledge engineering, July 15-19, 2002, Ischia, Italy  [doi>10.1145/568760.568809]
	3	J. P. Anderson. Computer security technology planning study. Technical report, Fort Washing, PA, 1972.
	4	Somo Banerjee , Chris A. Mattmann , Nenad Medvidovic , Leana Golubchik, Leveraging architectural models to inject trust into software systems, Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications, p.1-7, May 15-16, 2005, St. Louis, Missouri  [doi>10.1145/1083200.1083213]
	5	K. Suzanne Barber , Tom Graser , Jim Holt, Enabling Iterative Software Architecture Derivation Using Early Non-Functional Property Evaluation, Proceedings of the 17th IEEE international conference on Automated software engineering, p.172, September 23-27, 2002
	6	D. E. Bell and L. LaPadula. Secure computer systems: Unified exposition and multics interpretation. MITRE technical report, MITRE Corporation, Bedford Massachusetts, 2997:ref A023 588, 1976.
	7	Lawrence Chung , Brian A. Nixon , Eric Yu, An approach to building quality into software architecture, Proceedings of the 1995 conference of the Centre for Advanced Studies on Collaborative research, p.13, November 07-09, 1995, Toronto, Ontario, Canada
	8	Non-Functional Refinement of Computer Based Systems Architecture, Proceedings of the 11th IEEE International Conference and Workshop on Engineering of Computer-Based Systems, p.168, May 24-27, 2004
	9	Yi Deng , Jiacun Wang , Jeffrey J. P. Tsai , Konstantin Beznosov, An Approach for Modeling and Analysis of Security System Architectures, IEEE Transactions on Knowledge and Data Engineering, v.15 n.5, p.1099-1119, September 2003  [doi>10.1109/TKDE.2003.1232267]
	10	Xavier Franch , Pere Botella, Putting non-functional requirements into software architecture, Proceedings of the 9th international workshop on Software specification and design, p.60, April 16-18, 1998
	11	David Garlan, Style-based refinement for software architecture, Joint proceedings of the second international software architecture workshop (ISAW-2) and international workshop on multiple perspectives in software development (Viewpoints '96) on SIGSOFT '96 workshops, p.72-75, October 16-18, 1996, San Francisco, California, United States  [doi>10.1145/243327.243607]
	12	D. McCullough. Noninterference and the composability of security properties. In Proc. IEEE symposium on security and privacy, pages 177--187, 1988.
	13	John McLean, A General Theory of Composition for a Class of "Possibilistic" Properties, IEEE Transactions on Software Engineering, v.22 n.1, p.53-67, January 1996  [doi>10.1109/32.481534]
	14	Nenad Medvidovic , Richard N. Taylor, A Classification and Comparison Framework for Software Architecture Description Languages, IEEE Transactions on Software Engineering, v.26 n.1, p.70-93, January 2000  [doi>10.1109/32.825767]
	15	Mark Moriconi , Xiaolei Qian , R. A. Riemenschneider, Correct Architecture Refinement, IEEE Transactions on Software Engineering, v.21 n.4, p.356-3, April 1995  [doi>10.1109/32.385972]
	16	M. Moriconi , Xiaolei Qian , R. A. Riemenschneider , Li Gong, Secure software architectures, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.84, May 04-07, 1997
	17	Jan Philipps , Bernhard Rumpe, Refinement of Pipe-and-Filter Architectures, Proceedings of the Wold Congress on Formal Methods in the Development of Computing Systems-Volume I, p.96-115, September 20-24, 1999
	18	Nelson S. Rosa , George R. R. Justo , P. R. F. Cunha, Incorporating Non-functional Requirements into Software Architectures, Proceedings of the 15 IPDPS 2000 Workshops on Parallel and Distributed Processing, p.1009-1018, May 01-05, 2000
	19	Nelson S. Rosa , George R. R. Justo , Paulo R. F. Cunha, A framework for building non-functional software architectures, Proceedings of the 2001 ACM symposium on Applied computing, p.141-147, March 2001, Las Vegas, Nevada, United States  [doi>10.1145/372202.372299]
	20	Aris Zakinthinos , E. S. Lee, On the composition of security properties, University of Toronto, Toronto, Ont., Canada, 1997