Implementing fault-tolerant services using the state machine approach: a tutorial
The state machine approach is a general method for implementing fault-tolerant services in distributed systems; protocols for two different failure models, Byzantine and fail-stop, are described.
Enforceable security policies
  • F. Schneider
  • Computer Science, Mathematics
    Foundations of Intrusion Tolerant Systems…
  • 1 February 2000
A precise characterization is given for the class of security policies enforceable with mechanisms that work by monitoring system execution, and automata are introduced for specifying exactly that
Defining Liveness
Refinement Calculus: A Systematic Introduction
The book addresses specific issues related to program refinement, such as implementing specification statements, making refinements in context, and transforming iterative structures in a correctness preserving way.
Chain Replication for Supporting High Throughput and Availability
Besides outlining the chain replication protocols themselves, simulation experiments explore the performance characteristics of a prototype implementation and several object-placement strategies (including schemes based on distributed hash table routing) are discussed.
Recognizing safety and liveness
A formal characterization for safety properties and liveness properties is given in terms of the structure of the Büchi automaton that specifies the property. The characterizations permit a property
A Theory of Graphs
The theory of graphs has broad and important applications, because so many things can be modeled by graphs, and various puzzles and games are solved easily if a little graph theory is applied.
A Logical Approach to Discrete Math
Here, the authors strive to change the way logic and discrete math are taught in computer science and mathematics: while many books treat logic simply as another topic of study, this one is unique in
IRM enforcement of Java stack inspection
Two implementations are given for Java's stack inspection access-control policy by generating an inlined reference monitor for a different formulation of the policy, demonstrating the power of the IRM approach for enforcing security policies.
Hyperproperties can express security policies, such as secure information flow, that properties cannot, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty.