selected publications conference paper Lessons learned using alloy to formally specify MLS-PCA trusted security architecture. . 2004