Abstract :
A flaw in an operating system that had apparently been verified using the information flow technique indicates that the approach, as it has been practiced, is incomplete, The software tool that was used requires specifications to have a format prone to cause errors, so that a modification of the design of the tool is needed, Moreover, the verification process was logically incomplete, because flow analysis of a version of the specification free of errors yields formulas that can be proved only via invariant properties. This observation leads to an integration of two techniques for verifying security.
