Skip to main content
SpringerLink
Log in

Dynamic intransitive noninterference revisited

  • Original Article
  • Published:
Formal Aspects of Computing

Abstract

The paper studies dynamic information flow security policies in an automaton-based model. Two semantic interpretations of such policies are developed, both of which generalize the notion of TA-security [van der Meyden ESORICS 2007] for static intransitive noninterference policies. One of the interpretations focuses on information flows permitted by policy edges, the other focuses on prohibitions implied by absence of policy edges. In general, the two interpretations differ, but necessary and sufficient conditions are identified for the two interpretations to be equivalent. Sound and complete proof techniques are developed for both interpretations. Two applications of the theory are presented. The first is a general result showing that access control mechanisms are able to enforce a dynamic information flow policy. The second is a simple capability system motivated by the Flume operating system.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Askarov A, Chong S (2012) Learning is change in knowledge: knowledge-based security for dynamic policies. In: Chong S (ed) CSF. IEEE, pp 308–322

  2. Askarov A, Sabelfeld A (2007) Localized delimited release: combining the what and where dimensions of information release. In: Proceedings of workshop on programming languages and analysis for security, pp 53–60

  3. Boettcher C, DeLong R, Rushby J, Sifre W (2008) The MILS component integration approach to secure information sharing. In: Proceedings of 27th IEEE/AIAA digital avionics systems conference, pp 1.C.2–1–1.C.2–14, October 2008

  4. Banerjee A, Naumann DA, Rosenberg S (2008) Expressive declassification policies and modular static enforcement. In: IEEE symposium on security and privacy. IEEE Computer Society, pp 339–353

  5. Bytschkow D, Quilbeuf J, Igna G, Ruess H (2014) Distributed MILS architectural approach for secure smart grids. In: Smart grid security—second international workshop, SmartGridSec 2014, Munich, Germany, February 26, 2014, Revised Selected Papers, pp 16–29

  6. Broberg N, Sands D (2006) Flow locks: towards a core calculus for dynamic flow policies. In: Sestoft P (ed) ESOP, volume 3924 of Lecture notes in computer science. Springer, pp 180–196

  7. Broberg N, Sands D (2009) Flow-sensitive semantics for dynamic information flow policies. In: PLAS, pp 101–112

  8. Broberg N, van Delft B, Sands D (2015) The anatomy and facets of dynamic policies. In: IEEE 28th computer security foundations symposium, CSF 2015, Verona, Italy, 13–17 July, 2015, pp 122–136

  9. Clark D, Hunt S (2008) Non-interference for deterministic interactive programs. In: Formal aspects in security and trust, 5th international workshop, FAST 2008, Malaga, Spain, October 9–10, 2008, Revised Selected Papers, pp 50–66

  10. Cheung L (2006) Reconciling nondetermistic and probabilistic choices. Ph.D. thesis, IPA, Radboud University, Nijmegen

  11. Chong S, Myers AC (2004) Security policies for downgrading. In: Proceedings of the 11th ACM conference on computer and communications security, CCS 2004, Washington, DC, USA, October 25–29, 2004, pp 198–209

  12. Cohen ES (1977) Information transmission in computational systems. In: SOSP, pp 133–139

  13. Eggert S, Schnoor H, Wilke T (2013) Noninterference with local policies. In: Chatterjee K, Sgall J (ed) MFCS, volume 8087 of Lecture notes in computer science. Springer, pp 337–348

  14. Eggert S, van der Meyden R, Schnoor H, Wilke T (2013) Complexity and unwinding for intransitive noninterference. CoRR. arXiv:1308.1204

  15. Engelhardt K, van der Meyden R, Zhang C (2012) Intransitive noninterference in nondeterministic systems. In: ACM conference on computer and communications security, pp 869–880

  16. Fagin R, Halpern JY, Moses Y, Vardi MY (1995) Reasoning about knowledge. MIT-Press, London

  17. Goguen JA, Meseguer J (1982) Security policies and security models. In: IEEE symposium on security and privacy, pp 11–20

  18. Goguen JA, Meseguer J (1984) Unwinding and inference control. In: IEEE symposium on security and privacy

  19. Heitmeyer CL, Archer M, Leonard EI, McLean JD (2006) Formal specification and verification of data separation in a separation kernel for an embedded system. In: Proceedings of the 13th ACM conference on computer and communications security, CCS, pp 346–355

  20. He J, Seidel K, McIver A (1997) Probabilistic models for the guarded command language. Sci Comput Program 28(2–3): 171–192

    MATH  MathSciNet  Google Scholar 

  21. Hicks M, Tse S, Hicks B, Zdancewic S (2005) Dynamic updating of information-flow policies. In: Proceedings of foundations of computer security workshop (FCS)

  22. Haigh JT, Young WD (1987) Extending the noninterference version of MLS for SAT. IEEE Trans Softw Eng SE-13(2): 141–150

    Article  Google Scholar 

  23. Krohn M, Tromer E (2009) Noninterference for a practical DIFC-based operating system. In: IEEE symposium on security and privacy, pp 61–76

  24. Leslie R (2006) Dynamic intransitive noninterference. In: Proceedings of IEEE international symposium on secure software engineering

  25. Matos AA, Boudol G (2009) On declassification and the non-disclosure policy. J Comput Secur 17(5): 549–597

    Article  Google Scholar 

  26. Myers AC, Liskov B (1997) A decentralized model for information flow control. In: Proceedings of the sixteenth ACM symposium on operating systems principles, SOSP ’97, pp 129–142, New York, NY, USA, 1997. ACM

  27. Murray T, Matichuk D, Brassil M, Gammie P, Klein G (2012) Noninterference for operating system kernels. In: Hawblitzel C, Miller D (eds) Certified programs and proofs, volume 7679 of Lecture notes in computer science, pp 126–142. Springer, Berlin, Heidelberg

  28. Morgan C (2009) The shadow knows: refinement and security in sequential programs. Sci Comput Program 74(8): 629–653

    Article  MATH  MathSciNet  Google Scholar 

  29. Mantel H, Sands D (2004) Controlled declassification based on intransitive noninterference. In: Proceedings of Asian symposioum on Programming Languages and Systems, volume 3302 of LNCS. Springer, November 2004, pp 129–145

  30. Martin W, White P, Taylor FS, Goldberg A (2000) Formal construction of the mathematically analyzed separation kernel. In: IEEE Computer Society Press (ed) Proceedings of 15th IEEE conference on automated software engineering

  31. Roscoe AW, Goldsmith MH (1999) What is intransitive noninterference? In: IEEE computer security foundations workshop, pp 228–238

  32. Rushby J (1992) Noninterference, transitivity, and channel-control security policies. Technical report CSL-92-02, SRI International

  33. Swamy N, Hicks M, Tse S, Zdancewic S (2006) Managing policy updates in security-typed languages. In: 19th IEEE computer security foundations workshop, (CSFW-19 2006), 5–7 July 2006, Venice, Italy, pp 202–216

  34. Schellhorn G, Reif W, Schairer A, Karger PA, Austel V, Toll DC (2002) Verified formal security models for multiapplicative smart cards. J Comput Secur 10(4): 339–368

    Article  Google Scholar 

  35. Sabelfeld A, Sands D (2009) Declassification: dimensions and principles. J Comput Secur 17(5): 517–548

    Article  Google Scholar 

  36. Vanfleet WM, Beckworth RW, Calloni B, Luke JA, Taylor C, Uchenick G (2005) MILS: architecture for high assurance embedded computing. Crosstalk: J Defence Eng

  37. van Delft B, Hunt S, Sands D (2015) Very static enforcement of dynamic policies. In: Proceedings of principles of security and Trust—4th international conference, POST, pp 32–52

  38. van der Meyden R (2015) What, indeed, is intransitive noninterference? J Comput Secur 23(2):197–228, 2015. An earlier version of this work appeared in ESORICS’07

  39. Vandebogart S, Efstathopoulos P, Kohler E, Krohn M, Frey C, Ziegler D, Kaashoek F, Morris R, Mazières D (2007) Labels and event processes in the Asbestos operating system. ACM Trans Comput Syst 25(4)

  40. Zeldovich N, Boyd-Wickizer S, Kohler E, Mazières D (2006) Making information flow explicit in HiStar. In: 7th symposium on operating systems design and implementation (OSDI ’06), November 6–8, Seattle, WA, USA, pp 263–278

Download references

Author information

Authors and Affiliations

  1. Institut für Informatik, Kiel University, Kiel, Germany

    Sebastian Eggert

  2. School of Computer Science and Engineering, UNSW Australia, Sydney, NSW, 2052, Australia

    Ron van der Meyden

Authors
  1. Sebastian Eggert
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ron van der Meyden
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ron van der Meyden.

Additional information

David Naumann

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Eggert, S., van der Meyden, R. Dynamic intransitive noninterference revisited. Form Asp Comp 29, 1087–1120 (2017). https://doi.org/10.1007/s00165-017-0430-6

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00165-017-0430-6

Keywords

Search

Navigation