Contemporary open systems use components developed by different parties, linked together dynamically in unforeseen constellations. Code needs to live up to strict security requirements, and ensure the correct functioning of its objects even when they collaborate with external, potentially malicious, objects. In this paper we propose special specification predicates that model risk and trust in open systems. We specify Miller, Van Cutsem, and Tulloh’s escrow exchange example, and discuss the meaning of such a specification.
We propose a novel Hoare logic, based on four-tuples, including an invariant describing properties preserved by the execution of a statement as well as a post-condition describing the state after execution. We model specification and programing languages based on the Hoare logic, prove soundness, and prove the key steps of the Escrow protocol.