Costich, O., J. D. McLean, and J. P. McDermott, "Confidentiality in a Replicated Architecture Trusted Database System: A Formal Model," Proc. IEEE Computer Security Foundations Workshop VII, IEEE CS Press, IEEE Cat. 94TH0686-6, ISBN 0-8186-62340-1, June, 1994, pp. 60-65.
Unlike previous approaches to developing a trusted database system, the replicated architecture approach provides access control at a high level of assurance through replication of data and operations. We present a model of the SINTRA replicated architecture trusted database system which shows how the logical (users') view of the system and its security policy is translated into the physical structure and operations of the SINTRA system. We formalize the intended security policy for replicated architecture and demonstrate that a high level of assurance can be obtained solely from replication with virtually no change to the structure of the underlying database systems or the security kernel.