A nonfunctional approach to system integrity

Systems provide integrity protection by ensuring that there is no unauthorized modification of information. Traditional models of protection tend to define integrity in terms of ad hoc authorization techniques whose effectiveness is justified more on the basis of experience and "best practice," rather than on any common theoretical foundation. A formal definition of integrity is proposed that is independent of any particular implementation mechanism. A series of simple examples is used to demonstrate that existing integrity mechanisms such as separation of duties, well-formed transactions, and so forth, can be regarded as implementation techniques for achieving integrity. The proposed characterization of integrity is nonfunctional, that is, it falls into the same category of properties as noninterference and its relatives. As a consequence, validating that a system has integrity can be expected to be as challenging as validating that a system upholds noninterference.