Part 2. Foundations

How hard is it to determine whether or not a given system satisfies a given security policy? What is the most general system that we can prove to be secure (or nonsecure)? This issue determines the level of abstraction at which we can analyze security. If we can prove that a broad class of systems is secure, then we can prove that a model of a system is secure by determining that it falls into that class. More concretely, we can characterize systems that we can prove to be secure.

In what follows, we use a generic security policy to determine under what conditions we can prove systems to be secure. The results are disappointing and incomplete, and current research focuses on tightening them, but this work lays the theoretical ...
