John M. Rushby: Proof of separability: A verification technique for a class of security kernels. Symposium on Programming 1982: 352-367