Some designers of multilevel secure systems have been assuming that, given two systems that individually have the deducibility security property, their composition also has this property. McCullough presents a counterexample to this conjecture and introduces a significant new approach in the theory of multilevel security. The counterexample is valid but poorly presented: it shows two systems, each having the deducibility security property, whose composition does not have it.
As a replacement for deducibility security, the author introduces the concept of restrictiveness. He defines this concept in terms of a special class of input-total state machines called restrictive state machines. The following theorem is stated and proven: “If state machines A and B are restrictive, then a composite machine formed from hooking them up is restrictive.” The proof contains several typographic errors, and at least one assumption is missing. The reader willing to accept the results at face value will find the counterexample and the definition of a restrictive state machine to be of value. For readers who wish to understand the basis for the results presented, the counterexample presentation may be frustrating, and repairing the typographic errors in the proof will be a nuisance, but they should find the paper worthwhile. The paper would have benefitted greatly from a careful explanation of the counterexample, elimination of the typographic errors, and repair of the omissions in the proof.