Limited transitivity systems are considered hopeful, but it is shown that precise implementation is intractable, and imprecise policies are shown in general to lead to less and less usable systems with time.
The problem of precisely marking information flow within a system [Fenton73] has been shown to be NP-complete.
The use of guards for the passing of untrustworthy information [Woodward79] between users has been examined, but in general depends on the ability to prove program correctness which is well known to be NP-complete.
Even some quite simple protection systems cannot be proven 'safe' [Harrison76].
Protection from denial of services requires the detection of halting programs which is well known to be undecidable [Garey79].