Information-Flow Interfaces
arXiv - CS - Formal Languages and Automata Theory Pub Date : 2020-02-15 , DOI: arxiv-2002.06465
Ezio Bartocci, Thomas Ferrère, Thomas A. Henzinger, Dejan Nickovic and Ana Oliveira da Costa

Contract-based design is a promising methodology for taming the complexity of developing sophisticated systems. A formal contract distinguishes between assumptions, which are constraints that the designer of a component puts on the environments in which the component can be used safely, and guarantees, which are promises that the designer asks of the team that implements the component. A theory of formal contracts can be formalized as an interface theory, which supports the composition and refinement of both assumptions and guarantees. Although there is a rich landscape of contract-based design methods that address functional and extra-functional properties, we present the first interface theory that is designed for ensuring system-wide security properties, thus paving the way for a science of safety and security co-engineering. Our framework provides a refinement relation and a composition operation that support both incremental design and independent implementability. We develop our theory for both stateless and stateful interfaces. We illustrate the applicability of our framework with an example inspired by the automotive domain. Finally, we provide three plausible trace semantics for stateful information-flow interfaces and we show that only two correspond to temporal logics for specifying hyperproperties, while the third defines a new class of hyperproperties that lies between the other two classes.
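To make the abstract's vocabulary concrete, the following is an added, deliberately small model of stateless information-flow interfaces. It is illustrative code written for this page, not the authors' definitions or tooling, and it fixes its own simplifying assumptions: an interface guarantees a set of no-flow pairs about its outputs and assumes a set of no-flow pairs about its environment; an implementation is a pure function over a finite input domain whose flow relation is recovered by the usual 2-safety check (two inputs differing only in x must give the same y); composition wires components by shared variable names and takes the transitive closure of the flows each interface does not rule out; refinement follows the standard assume-less/guarantee-more direction. The component names (Gateway, Infotainment, DiagTool), variable names and the system property are constructed for the example.

```python
"""Stateless information-flow interfaces: a toy assume/guarantee model.
Added illustration, not the paper's formal definitions. Assumptions of the model:
  * variables are strings; a no-flow requirement is a pair (src, dst);
  * an interface GUARANTEES no-flow pairs about its own outputs and ASSUMES
    no-flow pairs that its environment must respect;
  * "x does not flow to y" in an implementation is a 2-safety hyperproperty:
    any two input valuations differing only in x give the same value of y."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Interface:
    name: str
    inputs: frozenset
    outputs: frozenset
    guarantees: frozenset   # no-flow pairs (x, y), x an input, y an output
    assumptions: frozenset  # no-flow pairs the environment must respect

    def may_flow(self):
        """Flows the interface does not rule out (complement of its guarantees)."""
        return {(x, y) for x in self.inputs for y in self.outputs
                if (x, y) not in self.guarantees}


def observed_flows(impl, inputs, outputs, domain):
    """Flow relation of a concrete implementation by exhaustive 2-safety check:
    (x, y) is a flow iff two valuations differing only in x yield different y."""
    names, flows = sorted(inputs), set()
    for vals in product(domain, repeat=len(names)):
        v = dict(zip(names, vals))
        base = impl(v)
        for x in names:
            for alt in domain:
                if alt == v[x]:
                    continue
                out = impl(dict(v, **{x: alt}))
                flows.update((x, y) for y in outputs if base[y] != out[y])
    return flows


def implements(impl, iface, domain):
    """Independent implementability: checked in isolation, the implementation
    must realise none of the flows its interface guarantees away."""
    return not (observed_flows(impl, iface.inputs, iface.outputs, domain) & iface.guarantees)


def refines(f2, f1):
    """f2 refines f1 (can replace it in any context): same ports, assumes no
    more than f1 and guarantees at least as much."""
    return (f2.inputs == f1.inputs and f2.outputs == f1.outputs
            and f2.assumptions <= f1.assumptions and f2.guarantees >= f1.guarantees)


def reachable(edges, src):
    """Variables reachable from src through may-flow edges (transitive closure)."""
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        for a, b in edges:
            if a == node and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def compose(components, system_no_flow):
    """Compose interfaces wired by shared variable names. Each component's
    assumptions are checked against the closure of the OTHER components' may-flows
    (its environment; a modelling choice of this example); the system-wide no-flow
    property is checked against the closure of all may-flows."""
    violations = []
    for f in components:
        env = set().union(*(g.may_flow() for g in components if g is not f))
        for a, b in f.assumptions:
            if b in reachable(env, a):
                violations.append(f"{f.name} assumption violated by environment: {a} -> {b}")
    everything = set().union(*(g.may_flow() for g in components))
    for a, b in system_no_flow:
        if b in reachable(everything, a):
            violations.append(f"system property violated: {a} -> {b}")
    return not violations, violations


# Constructed automotive-flavoured example (hypothetical names, not the paper's).
GW = Interface("Gateway", frozenset({"key", "speed"}), frozenset({"can_diag", "can_body"}),
               guarantees=frozenset({("key", "can_body")}),     # key never reaches body bus
               assumptions=frozenset({("can_diag", "speed")}))  # diag bus must not feed sensors
IVI = Interface("Infotainment", frozenset({"can_body"}), frozenset({"display"}),
                guarantees=frozenset(), assumptions=frozenset())
DIAG = Interface("DiagTool", frozenset({"can_diag"}), frozenset({"speed"}),  # bad wiring
                 guarantees=frozenset(), assumptions=frozenset())
GW_STRICT = Interface("Gateway'", GW.inputs, GW.outputs,
                      guarantees=GW.guarantees | {("speed", "can_diag")}, assumptions=frozenset())
SYSTEM_NO_FLOW = {("key", "display")}


def gateway_ok(v):      # body-bus frame depends on speed only
    return {"can_diag": (v["key"], v["speed"]), "can_body": v["speed"]}


def gateway_leaky(v):   # key bits leak into the body-bus frame
    return {"can_diag": (v["key"], v["speed"]), "can_body": v["speed"] + v["key"]}


if __name__ == "__main__":
    print(implements(gateway_ok, GW, (0, 1)), implements(gateway_leaky, GW, (0, 1)))
    print(compose([GW, IVI], SYSTEM_NO_FLOW))
    print(compose([GW, IVI, DIAG], SYSTEM_NO_FLOW))
    print(refines(GW_STRICT, GW), refines(GW, GW_STRICT))
```

Running it shows the three operations the abstract names: `implements` accepts the gateway whose body-bus output ignores the key and rejects the leaky one without looking at any other component; `compose` accepts Gateway plus Infotainment, but adding the diagnostic tool that writes back into the speed sensor both violates Gateway's assumption and creates the end-to-end path key -> can_diag -> speed -> can_body -> display; `refines` accepts the stricter gateway as a drop-in replacement and rejects the reverse substitution.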

Updated: 2020-05-11