| COVERN: A Logic for Compositional Verification of Information Flow Control | 4 | 0.37 | 2018 |
| A Better Composition Operator For Quantitative Information Flow Analyses | 1 | 0.35 | 2017 |
| Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO. | 11 | 0.52 | 2015 |
| Intransitive noninterference in nondeterministic systems | 6 | 0.47 | 2012 |
| seL4: formal verification of an operating-system kernel | 84 | 5.86 | 2010 |
| Causing Communication Closure: Safe Program Composition with Reliable Non-FIFO Channels | 0 | 0.34 | 2009 |
| seL4: formal verification of an OS kernel | 584 | 19.89 | 2009 |
| Single-bit messages are insufficient for data link over duplicating channels | 0 | 0.34 | 2008 |
| Model Checking Knowledge and Linear Time: PSPACE Cases | 6 | 0.47 | 2007 |
| Causing communication closure: safe program composition with Non-FIFO channels | 2 | 0.38 | 2005 |
| Safe composition of distributed programs communicating over order-preserving imperfect channels | 4 | 0.47 | 2005 |
| Single-Bit messages are insufficient in the presence of duplication | 4 | 0.42 | 2005 |
| Modal Logics with a Linear Hierarchy of Local Propositional Quantifiers | 5 | 0.57 | 2002 |
| Towards a refinement theory that supports reasoning about knowledge and time for multiple agents | 1 | 0.37 | 2002 |
| A Refinement Theory that Supports Reasoning About Knowledge and Time | 6 | 0.48 | 2001 |
| A Program Refinement Framework Supporting Reasoning about Knowledge and Time | 7 | 0.52 | 2000 |
| Knowledge and the logic of local propositions | 31 | 2.62 | 1998 |
| Simulation of Specification Statements in Hoare Logic | 2 | 0.42 | 1996 |
| Towards a practitioners' approach to Abadi and Lamport's method | 1 | 0.34 | 1995 |
| Generalizing Abadi & Lamport's Method to Solve a Problem Posed by A. Pnueli | 3 | 0.42 | 1993 |
