D. Bell, Looking Back at the Bell-La Padula Model, 21st Annual Computer Security Applications Conference (ACSAC'05), pp.337-351, 2005.
DOI : 10.1109/CSAC.2005.37

D. Bell and L. Lapadula, Secure computer systems: A mathematical model The MITRE Corporation, 1973.

P. Bera, S. Ghosh, and P. Dasgupta, Policy Based Security Analysis in Enterprise Networks: A Formal Approach, IEEE Transactions on Network and Service Management, vol.7, issue.4, pp.231-243, 2010.
DOI : 10.1109/TNSM.2010.1012.0365

M. Bishop, What is computer security?, IEEE Security & Privacy Magazine, vol.1, issue.1, 2003.
DOI : 10.1109/MSECP.2003.1176998

M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. Mckeown et al., Ethane: taking control of the enterprise, Proceedings of the 2007 conference on Applications , technologies, architectures, and protocols for computer communications, pp.1-12, 2007.

R. Craven, J. Lobo, J. Ma, A. Russo, E. Lupu et al., Expressive policy analysis with enhanced system dynamicity, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS '09, pp.239-250, 2009.
DOI : 10.1145/1533057.1533091

N. Damianou, N. Dulay, E. Lupu, and M. Sloman, The Ponder Policy Specification Language, Policies for Distributed Systems and Networks, pp.18-38, 1995.
DOI : 10.1007/3-540-44569-2_2

D. Denning, A lattice model of secure information flow, Communications of the ACM, vol.19, issue.5, pp.236-243, 1976.
DOI : 10.1145/360051.360056

C. Diekmann, O. Hanka, S. A. Posselt, and M. Schlatt, Imaginary aircraft cabin data network (toy example), 2013.

C. Eckert, IT-Sicherheit: Konzepte-Verfahren-Protokolle, 2013.

L. Gong and X. Qian, The complexity and composability of secure interoperation, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp.190-200, 1994.
DOI : 10.1109/RISP.1994.296581

N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado et al., NOX, ACM SIGCOMM Computer Communication Review, vol.38, issue.3, pp.105-110, 2008.
DOI : 10.1145/1384609.1384625

J. D. Guttman and A. L. Herzog, Rigorous automated network security management, International Journal of Information Security, vol.4, issue.1-2, pp.29-48, 2005.
DOI : 10.1007/s10207-004-0052-x

F. Haftmann and T. Nipkow, Code Generation via Higher-Order Rewrite Systems, Functional and Logic Programming, pp.103-117, 2010.
DOI : 10.1007/978-3-642-12251-4_9

H. Hamed and E. Al-shaer, Taxonomy of conflicts in network security policies, IEEE Communications Magazine, pp.134-141, 2006.
DOI : 10.1109/MCOM.2006.1607877

P. Kazemian, G. Varghese, and N. Mckeown, Header space analysis: static checking for networks, Networked Systems Design and Implementation. NSDI'12, USENIX Association, 2012.

D. Mccullough, A hookup theorem for multilevel security. Software Engineering, IEEE Transactions on, vol.16, issue.6, pp.563-568, 1990.

T. Nipkow, L. C. Paulson, and M. Wenzel, Isabelle/HOL: A Proof Assistant for Higher-Order Logic, Lecture Notes in Computer Science, vol.2283, 2002.
DOI : 10.1007/3-540-45949-9

E. Yuan and J. Tong, Attributed based access control (ABAC) for web services Definitions, Lemmata, and Theorems [i] all-security-requirements-fulfilled [ii] instantiation domainNameDept :: order [iii] validmodel-imp-no-offending [iv] remove-offending-flows-imp-model-valid [v] validempty-edges-iff-exists-offending-flows [vi] interpretation BLPbasic: NetworkModel [vii] interpretation BLPtrusted: NetworkModel [viii] interpretation DomainHierarchyNG: NetworkModel [ix] instantiation domainName :: lattice [x] interpretation SecurityGatewayExtended-simplified: NetworkModel [xi] monotonicity-eval-model- mono [xii] ENF-offending-set [xiii] ENFnr-offending-set, 2005.