One way to show that a system is not secure is to demonstrate that a malicious or mistake-prone user or program can break security by causing the system to reach a nonsecure state. A fundamental aspect of a security model is a proof that validates that every state reachable from a secure initial state is secure. A sequential security model assumes that every command that acts as a state transition executes sequentially, while a concurrent security model assumes that multiple commands execute concurrently. This paper presents a security model called the Centralized-Parallel-Distributed model (CPD model) that defines security for logically, or physically centralized, parallel, and distributed systems. The purpose of the CPD model is to define concurrency conditions that guarantee that a concurrent system cannot reach a state in which privileges are configured in a nonsecure manner. As an example, the conditions are used to construct a representation of a distributed system.
