This paper by Dorothy E. Denning investigates mechanisms to ensure secure information flow in computer systems. The central component of the model is a lattice structure derived from security classes, which is justified by the semantics of information flow. The lattice properties facilitate concise formulations of security requirements and the construction of enforcement mechanisms. The model unifies various systems that restrict information flow, enables classification based on security objectives, and suggests new approaches. It also leads to automatic program certification mechanisms for verifying secure information flow through programs.
The paper introduces an information flow model defined by a set of logical storage objects, processes, security classes, and operators for combining and flowing information. The model ensures security by preventing unauthorized information flows. The lattice structure is derived from the model's components, satisfying certain assumptions that ensure consistency and decidability of security requirements.
The paper discusses mechanisms for enforcing security, including run-time and compile-time enforcement. Run-time mechanisms, such as access control and the Data Mark Machine, verify that information flows are secure. Compile-time certification mechanisms, like the one proposed by Denning, ensure security before program execution by analyzing the flow of data through the program.
The paper also addresses dynamic binding mechanisms, which update the security classes of objects as information flows into them. It discusses the limitations of these mechanisms and proposes solutions to ensure security, such as restoring object classes after conditional structures.
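As an added illustration (example code written for this summary, not from Denning's paper), the following Python builds a small lattice of security classes and runs a compile-time certification pass over a toy program. The class structure (a linear clearance level paired with a set of categories), the level and category names, the program encoding and the sample variables are all constructed assumptions; the paper's own operators are written here as `join` for the class-combining operator and `flows_to` for the flow relation. The certification treats assignments inside a conditional as implicit flows from the condition's class, which is the case the summary's remark on conditional structures refers to.

```python
"""Lattice of security classes and compile-time flow certification (added example)."""
from dataclasses import dataclass
from itertools import product

# Constructed linear order of clearance levels (assumption, not from the paper).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
CATEGORIES = ("hr", "fin")  # constructed category names


@dataclass(frozen=True)
class SecurityClass:
    level: str
    categories: frozenset

    def join(self, other):
        """Class-combining operator: least upper bound of two classes."""
        lvl = max(self.level, other.level, key=LEVELS.__getitem__)
        return SecurityClass(lvl, self.categories | other.categories)

    def flows_to(self, other):
        """Flow relation: information may move from self to other."""
        return (LEVELS[self.level] <= LEVELS[other.level]
                and self.categories <= other.categories)

    def __str__(self):
        return f"{self.level}{{{','.join(sorted(self.categories))}}}"


LOW = SecurityClass("unclassified", frozenset())


def all_classes():
    """Every class expressible with the constructed levels and categories."""
    subsets = [frozenset(c for c, keep in zip(CATEGORIES, bits) if keep)
               for bits in product([False, True], repeat=len(CATEGORIES))]
    return [SecurityClass(lvl, s) for lvl in LEVELS for s in subsets]


def is_lattice(classes):
    """Check that join is a least upper bound under the flow relation."""
    for a in classes:
        if not a.flows_to(a):                      # reflexive
            return False
        for b in classes:
            ab = a.join(b)
            if ab != b.join(a) or a.join(a) != a:  # commutative, idempotent
                return False
            if not (a.flows_to(ab) and b.flows_to(ab)):   # upper bound
                return False
            if a.flows_to(b) and b.flows_to(a) and a != b:  # antisymmetric
                return False
            for c in classes:
                if a.join(ab.join(c)) != a.join(b).join(c):  # associative
                    return False
                if a.flows_to(c) and b.flows_to(c) and not ab.flows_to(c):  # least
                    return False
                if a.flows_to(b) and b.flows_to(c) and not a.flows_to(c):  # transitive
                    return False
    return True


def certify(program, clearance, pc=LOW):
    """Compile-time certification of a toy program.

    Statements are ("assign", target, [source_vars]) or
    ("if", [condition_vars], then_block, else_block).  `pc` is the join of
    the classes of all enclosing conditions; it is folded into every
    assignment so that implicit flows through branches are checked.
    Returns a list of human-readable violations (empty means certified).
    """
    violations = []
    for stmt in program:
        if stmt[0] == "assign":
            _, target, sources = stmt
            src_class = pc
            for s in sources:
                src_class = src_class.join(clearance[s])
            if not src_class.flows_to(clearance[target]):
                violations.append(
                    f"{target} := f({', '.join(sources) or '-'}) : "
                    f"{src_class} does not flow to {clearance[target]}")
        elif stmt[0] == "if":
            _, conds, then_block, else_block = stmt
            new_pc = pc
            for c in conds:
                new_pc = new_pc.join(clearance[c])
            violations += certify(then_block, clearance, new_pc)
            violations += certify(else_block, clearance, new_pc)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return violations


# Constructed sample variables and their static classes.
CLEARANCE = {
    "public_out": LOW,
    "salary": SecurityClass("confidential", frozenset({"hr"})),
    "flag": SecurityClass("secret", frozenset()),
    "report": SecurityClass("secret", frozenset({"hr"})),
}

# Constructed toy program: two secure statements and two insecure ones.
PROGRAM = [
    ("assign", "report", ["salary", "flag"]),                   # secure
    ("assign", "public_out", ["salary"]),                       # explicit leak
    ("if", ["flag"], [("assign", "public_out", [])], []),       # implicit leak
    ("if", ["flag"], [("assign", "report", ["salary"])], []),   # secure
]

if __name__ == "__main__":
    print("lattice axioms hold:", is_lattice(all_classes()))
    for v in certify(PROGRAM, CLEARANCE):
        print("violation:", v)
```

The third statement is the interesting one: nothing secret is copied into `public_out`, yet whether the assignment runs at all depends on `flag`, so an observer of `public_out` learns one bit about a secret value. Carrying the condition's class in `pc` is what lets a static checker reject it.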
Finally, the paper concludes by highlighting the applications of the model and mechanisms, including confinement and database security. It acknowledges the contributions of several researchers and provides references for further reading.