| Notation | Meaning |
|---|---|
| S | set of subjects s |
| Σ | set of states σ |
| O | set of outputs o |
| Z | set of commands z |
| C | set of state transition commands (s, z), where subject s executes command z |
| C* | set of possible sequences of commands c_0, …, c_n |
| ν | empty sequence |
| cs | sequence of commands |
| T(c, σ_i) | resulting state when command c is executed in state σ_i |
| T*(cs, σ_i) | resulting state when command sequence cs is executed in state σ_i |
| P(c, σ_i) | output when command c is executed in state σ_i |
| P*(cs, σ_i) | output when command sequence cs is executed in state σ_i |
| proj(s, cs, σ_i) | set of outputs in P*(cs, σ_i) that subject s is authorized to see |
| π_{G,A}(cs) | subsequence of cs with all elements (s, z), s ∈ G and z ∈ A, deleted |
| dom(c) | protection domain in which c is executed |
| ~dom(c) | equivalence relation on system states |
| π′_d(cs) | analogue to π above, but with protection domain and subject included |
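The notation above is what the noninterference definition is built from: G is noninterfering with s for commands A when, from any initial state, proj(s, cs, σ_0) equals proj(s, π_{G,A}(cs), σ_0) for every command sequence cs. The following toy model is an added example, not part of the original page: it implements T, P, T*, P*, proj and the purge function π_{G,A} for a constructed two-subject system (subjects "high" and "low", commands "write_h", "write_l" and "read", and a state that is a pair of counters) and then checks the definition by brute force over all short command sequences.

```python
# Added example (not from the page): a toy model of the noninterference notation.
# Subjects, commands and the state representation below are constructed.
from itertools import product

SUBJECTS = ("high", "low")                 # the set S
COMMANDS = ("write_h", "write_l", "read")  # the set Z
# A state σ is a pair (h, l): a "high" counter and a "low" counter.

def T(c, sigma):
    """T(c, σ): state reached when subject s executes command z in σ."""
    s, z = c
    h, l = sigma
    if z == "write_h" and s == "high":   # only the high subject may write h
        return (h + 1, l)
    if z == "write_l":                   # either subject may write l
        return (h, l + 1)
    return (h, l)                        # "read" and unauthorised writes leave σ unchanged

def P(c, sigma):
    """P(c, σ): output of executing c in σ, tagged with the subject that receives it."""
    s, z = c
    h, l = sigma
    if z == "read":
        # high sees the whole state, low sees only the low counter
        return (s, (h, l) if s == "high" else (l,))
    return (s, None)

def T_star(cs, sigma):
    """T*(cs, σ): fold T over the sequence cs."""
    for c in cs:
        sigma = T(c, sigma)
    return sigma

def P_star(cs, sigma):
    """P*(cs, σ): the list of outputs produced while executing cs from σ."""
    outputs = []
    for c in cs:
        outputs.append(P(c, sigma))
        sigma = T(c, sigma)
    return outputs

def proj(s, cs, sigma):
    """proj(s, cs, σ): the outputs in P*(cs, σ) that subject s is authorized to see.
    In this model a subject sees exactly the outputs addressed to it."""
    return [o for (subj, o) in P_star(cs, sigma) if subj == s]

def purge(cs, G, A):
    """π_{G,A}(cs): cs with every (s, z) such that s ∈ G and z ∈ A deleted."""
    return [c for c in cs if not (c[0] in G and c[1] in A)]

def noninterfering(G, A, s, sigma0, max_len=4):
    """Check proj(s, cs, σ0) == proj(s, π_{G,A}(cs), σ0) for every cs of length <= max_len.
    Returns (True, None) if the property holds on that bound, else (False, counterexample)."""
    all_cmds = [(subj, z) for subj in SUBJECTS for z in COMMANDS]   # the set C
    for n in range(max_len + 1):                                    # n = 0 is the empty sequence ν
        for cs in product(all_cmds, repeat=n):
            cs = list(cs)
            if proj(s, cs, sigma0) != proj(s, purge(cs, G, A), sigma0):
                return False, cs
    return True, None

if __name__ == "__main__":
    sigma0 = (0, 0)
    # High writing only its own counter does not interfere with low's view.
    print(noninterfering({"high"}, {"write_h"}, "low", sigma0))
    # Once high may also write the low counter, low can observe the difference.
    print(noninterfering({"high"}, {"write_h", "write_l"}, "low", sigma0))
    # Low writing the low counter does interfere with high, who reads the whole state.
    print(noninterfering({"low"}, {"write_l"}, "high", sigma0))
```

The brute-force check is only a bounded search, so a `True` result shows the property holds for sequences up to `max_len`, not in general; for this model a real proof would argue over the state space directly. The counterexample the search returns is the shortest offending sequence in enumeration order, which is the useful artefact when the check fails: it is exactly the sequence cs whose purged version gives the observing subject a different view.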