600.436 High-Assurance Systems
Fall 01/System Security Realization
Formal Correspondence
• For those corresponding portions of representations that are formally specified, the developer shall prove that correspondence.
• For each adjacent pair of provided TSF representations, where portions of one representation are semiformally specified and the other at least semiformally specified, the demonstration of correspondence between those portions of the representations shall be semiformal.
• For each adjacent pair of provided TSF representations, where portions of both representations are formally specified, the proof of correspondence between those portions of the representations shall be formal.