2 research outputs found
Dynamic Intransitive Noninterference Revisited
The paper studies dynamic information flow security policies in an
automaton-based model. Two semantic interpretations of such policies are
developed, both of which generalize the notion of TA-security [van der Meyden
ESORICS 2007] for static intransitive noninterference policies. One of the
interpretations focuses on information flows permitted by policy edges, the
other focuses on prohibitions implied by absence of policy edges. In general,
the two interpretations differ, but necessary and sufficient conditions are
identified for the two interpretations to be equivalent. Sound and complete
proof techniques are developed for both interpretations. Two applications of
the theory are presented. The first is a general result showing that access
control mechanisms are able to enforce a dynamic information flow policy. The
second is a simple capability system motivated by the Flume operating system
On Reductions from Multi-Domain Noninterference to the Two-Level Case
The literature on information flow security with respect to transitive
policies has been concentrated largely on the case of policies with two
security domains, High and Low, because of a presumption that more general
policies can be reduced to this two-domain case. The details of the reduction
have not been the subject of careful study, however. Many works in the
literature use a reduction based on a quantification over "Low-down"
partitionings of domains into those below and those not below a given domain in
the information flow order. A few use "High-up" partitionings of domains into
those above and those not above a given domain. Our paper argues that more
general "cut" partitionings are also appropriate, and studies the relationships
between the resulting multi-domain notions of security when the basic notion
for the two-domain case to which we reduce is either Nondeducibility on Inputs
or Generalized Noninterference. The Low-down reduction is shown to be weaker
than the others, and while the High-up reduction is sometimes equivalent to the
cut reduction, both it and the Low-down reduction may have an undesirable
property of non-monotonicity with respect to a natural ordering on policies.
These results suggest that the cut-based partitioning yields a more robust
general approach for reduction to the two-domain case.Comment: changed title, abstract; reordered introduction; added some
clarifying figures; merged two main results into on