Abstract
The paper studies dynamic information flow security policies in an automaton-based model. Two semantic interpretations of such policies are developed, both of which generalize the notion of TA-security [van der Meyden ESORICS 2007] for static intransitive noninterference policies. One of the interpretations focuses on information flows permitted by policy edges, the other focuses on prohibitions implied by absence of policy edges. In general, the two interpretations differ, but necessary and sufficient conditions are identified for the two interpretations to be equivalent. Sound and complete proof techniques are developed for both interpretations. Two applications of the theory are presented. The first is a general result showing that access control mechanisms are able to enforce a dynamic information flow policy. The second is a simple capability system motivated by the Flume operating system.
Similar content being viewed by others
References
Askarov A, Chong S (2012) Learning is change in knowledge: knowledge-based security for dynamic policies. In: Chong S (ed) CSF. IEEE, pp 308–322
Askarov A, Sabelfeld A (2007) Localized delimited release: combining the what and where dimensions of information release. In: Proceedings of workshop on programming languages and analysis for security, pp 53–60
Boettcher C, DeLong R, Rushby J, Sifre W (2008) The MILS component integration approach to secure information sharing. In: Proceedings of 27th IEEE/AIAA digital avionics systems conference, pp 1.C.2–1–1.C.2–14, October 2008
Banerjee A, Naumann DA, Rosenberg S (2008) Expressive declassification policies and modular static enforcement. In: IEEE symposium on security and privacy. IEEE Computer Society, pp 339–353
Bytschkow D, Quilbeuf J, Igna G, Ruess H (2014) Distributed MILS architectural approach for secure smart grids. In: Smart grid security—second international workshop, SmartGridSec 2014, Munich, Germany, February 26, 2014, Revised Selected Papers, pp 16–29
Broberg N, Sands D (2006) Flow locks: towards a core calculus for dynamic flow policies. In: Sestoft P (ed) ESOP, volume 3924 of Lecture notes in computer science. Springer, pp 180–196
Broberg N, Sands D (2009) Flow-sensitive semantics for dynamic information flow policies. In: PLAS, pp 101–112
Broberg N, van Delft B, Sands D (2015) The anatomy and facets of dynamic policies. In: IEEE 28th computer security foundations symposium, CSF 2015, Verona, Italy, 13–17 July, 2015, pp 122–136
Clark D, Hunt S (2008) Non-interference for deterministic interactive programs. In: Formal aspects in security and trust, 5th international workshop, FAST 2008, Malaga, Spain, October 9–10, 2008, Revised Selected Papers, pp 50–66
Cheung L (2006) Reconciling nondetermistic and probabilistic choices. Ph.D. thesis, IPA, Radboud University, Nijmegen
Chong S, Myers AC (2004) Security policies for downgrading. In: Proceedings of the 11th ACM conference on computer and communications security, CCS 2004, Washington, DC, USA, October 25–29, 2004, pp 198–209
Cohen ES (1977) Information transmission in computational systems. In: SOSP, pp 133–139
Eggert S, Schnoor H, Wilke T (2013) Noninterference with local policies. In: Chatterjee K, Sgall J (ed) MFCS, volume 8087 of Lecture notes in computer science. Springer, pp 337–348
Eggert S, van der Meyden R, Schnoor H, Wilke T (2013) Complexity and unwinding for intransitive noninterference. CoRR. arXiv:1308.1204
Engelhardt K, van der Meyden R, Zhang C (2012) Intransitive noninterference in nondeterministic systems. In: ACM conference on computer and communications security, pp 869–880
Fagin R, Halpern JY, Moses Y, Vardi MY (1995) Reasoning about knowledge. MIT-Press, London
Goguen JA, Meseguer J (1982) Security policies and security models. In: IEEE symposium on security and privacy, pp 11–20
Goguen JA, Meseguer J (1984) Unwinding and inference control. In: IEEE symposium on security and privacy
Heitmeyer CL, Archer M, Leonard EI, McLean JD (2006) Formal specification and verification of data separation in a separation kernel for an embedded system. In: Proceedings of the 13th ACM conference on computer and communications security, CCS, pp 346–355
He J, Seidel K, McIver A (1997) Probabilistic models for the guarded command language. Sci Comput Program 28(2–3): 171–192
Hicks M, Tse S, Hicks B, Zdancewic S (2005) Dynamic updating of information-flow policies. In: Proceedings of foundations of computer security workshop (FCS)
Haigh JT, Young WD (1987) Extending the noninterference version of MLS for SAT. IEEE Trans Softw Eng SE-13(2): 141–150
Krohn M, Tromer E (2009) Noninterference for a practical DIFC-based operating system. In: IEEE symposium on security and privacy, pp 61–76
Leslie R (2006) Dynamic intransitive noninterference. In: Proceedings of IEEE international symposium on secure software engineering
Matos AA, Boudol G (2009) On declassification and the non-disclosure policy. J Comput Secur 17(5): 549–597
Myers AC, Liskov B (1997) A decentralized model for information flow control. In: Proceedings of the sixteenth ACM symposium on operating systems principles, SOSP ’97, pp 129–142, New York, NY, USA, 1997. ACM
Murray T, Matichuk D, Brassil M, Gammie P, Klein G (2012) Noninterference for operating system kernels. In: Hawblitzel C, Miller D (eds) Certified programs and proofs, volume 7679 of Lecture notes in computer science, pp 126–142. Springer, Berlin, Heidelberg
Morgan C (2009) The shadow knows: refinement and security in sequential programs. Sci Comput Program 74(8): 629–653
Mantel H, Sands D (2004) Controlled declassification based on intransitive noninterference. In: Proceedings of Asian symposioum on Programming Languages and Systems, volume 3302 of LNCS. Springer, November 2004, pp 129–145
Martin W, White P, Taylor FS, Goldberg A (2000) Formal construction of the mathematically analyzed separation kernel. In: IEEE Computer Society Press (ed) Proceedings of 15th IEEE conference on automated software engineering
Roscoe AW, Goldsmith MH (1999) What is intransitive noninterference? In: IEEE computer security foundations workshop, pp 228–238
Rushby J (1992) Noninterference, transitivity, and channel-control security policies. Technical report CSL-92-02, SRI International
Swamy N, Hicks M, Tse S, Zdancewic S (2006) Managing policy updates in security-typed languages. In: 19th IEEE computer security foundations workshop, (CSFW-19 2006), 5–7 July 2006, Venice, Italy, pp 202–216
Schellhorn G, Reif W, Schairer A, Karger PA, Austel V, Toll DC (2002) Verified formal security models for multiapplicative smart cards. J Comput Secur 10(4): 339–368
Sabelfeld A, Sands D (2009) Declassification: dimensions and principles. J Comput Secur 17(5): 517–548
Vanfleet WM, Beckworth RW, Calloni B, Luke JA, Taylor C, Uchenick G (2005) MILS: architecture for high assurance embedded computing. Crosstalk: J Defence Eng
van Delft B, Hunt S, Sands D (2015) Very static enforcement of dynamic policies. In: Proceedings of principles of security and Trust—4th international conference, POST, pp 32–52
van der Meyden R (2015) What, indeed, is intransitive noninterference? J Comput Secur 23(2):197–228, 2015. An earlier version of this work appeared in ESORICS’07
Vandebogart S, Efstathopoulos P, Kohler E, Krohn M, Frey C, Ziegler D, Kaashoek F, Morris R, Mazières D (2007) Labels and event processes in the Asbestos operating system. ACM Trans Comput Syst 25(4)
Zeldovich N, Boyd-Wickizer S, Kohler E, Mazières D (2006) Making information flow explicit in HiStar. In: 7th symposium on operating systems design and implementation (OSDI ’06), November 6–8, Seattle, WA, USA, pp 263–278
Author information
Authors and Affiliations
Corresponding author
Additional information
David Naumann
Rights and permissions
About this article
Cite this article
Eggert, S., van der Meyden, R. Dynamic intransitive noninterference revisited. Form Asp Comp 29, 1087–1120 (2017). https://doi.org/10.1007/s00165-017-0430-6
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00165-017-0430-6