    A Verified Information-Flow Architecture

    SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

    Towards alignment of architectural domains in security policy specifications

    Large organizations need to align the security architecture across three different domains: access control, network layout and physical infrastructure. Security policy specification formalisms are usually dedicated to only one or two of these domains. Consequently, more than one policy has to be maintained, leading to alignment problems. Approaches from the area of model-driven security enable creating graphical models that span all three domains, but these models do not scale well in real-world scenarios with hundreds of applications and thousands of user roles. In this paper, we demonstrate the feasibility of aligning all three domains in a single enforceable security policy expressed in a Prolog-based formalism by using the Law Governed Interaction (LGI) framework. Our approach alleviates the limitations of policy formalisms that are domain-specific while helping to reach scalability through the automatic enforcement provided by LGI.

    Polycentrism and Flux in Spatialized Management: Evidence from Maine's Lobster (Homarus americanus) Fishery

    Spatial approaches to fisheries management hold great promise but require continued conceptual and policy development. Polycentrism and flux emerge as useful concepts, drawing lessons from more customary, informal resource-use patterns to produce more innovative "spatialized" policies within existing governance architectures. Empirical evidence from Maine shows that pioneering efforts have been limited by the single-species focus of conventional management hierarchies. As entry limits have consolidated the fishing fleet and eliminated flexible, diversified, and adaptive business strategies, cross-species and habitat externalities have become problematic. State lobster (Homarus americanus Milne-Edwards, 1837) comanagement zones have achieved some successes, including trap limits and improved industry-management communications, but incur significant transaction costs and raise equity and stewardship concerns. Kindred proposals for spatial refinement of groundfish management and locally based area-management councils lack support from the state Department of Marine Resources, Atlantic States Marine Fisheries Commission, New England Fishery Management Council, and National Marine Fisheries Service. Broader and more transparent deliberation of explicitly spatial and ecosystem approaches might be advanced by citizen panels convened to foster polycentric decision structures and accommodate more integrative management strategies.