
Architectural refinement and notions of intransitive noninterference

  • Original Article
Formal Aspects of Computing

Abstract

This paper deals with architectural designs that specify the components of a system and the permitted flows of information between them. In the process of systems development, one might refine such a design by viewing a component as being composed of subcomponents, and specifying the permitted flows of information between these subcomponents and the other components in the design. The paper studies the soundness of such refinements with respect to a spectrum of different semantics for information flow policies, including Goguen and Meseguer’s purge-based definition, Haigh and Young’s intransitive purge-based definition, and the more recent notions of TA-security, TO-security and ITO-security defined by van der Meyden. It is shown that all of these definitions support the soundness of architectural refinement, for both a state-observed and an action-observed model of systems. A notion of systems refinement in which the information content of observations is reduced is also studied. It is also shown that refinement preserves weak access control structure, an implementation mechanism that ensures TA-security.
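The abstract names two of the semantics it compares, Goguen and Meseguer's purge and Haigh and Young's intransitive purge (ipurge). The following added example, which is not code from the paper or its author, makes the difference concrete: it defines both purge functions over a small, constructed state-observed system with an intransitive policy H → D → L (a high domain, a downgrader, and a low domain, with no direct H → L flow), brute-forces the noninterference condition obs_u(s0·α) = obs_u(s0·purge_u(α)) over all short action sequences, and shows that the downgrader system fails the transitive (purge) condition but satisfies the intransitive (ipurge) one, while a variant in which L reads H directly is rejected by both. The system, the action names and the observation functions are all assumptions made for the example.

```python
from itertools import product

# Constructed toy system (an assumption for this example, not taken from the paper):
# domains H (high), D (downgrader) and L (low) with the intransitive policy H -> D -> L.
DOMAINS = ("H", "D", "L")
POLICY_EDGES = {("H", "D"), ("D", "L")}  # no direct H -> L edge


def flows(u, v):
    """u <= v: information may flow from domain u to domain v (reflexive)."""
    return u == v or (u, v) in POLICY_EDGES


# Each action maps to (its domain, a transition on the state (h_val, l_val)).
ACTIONS = {
    "h_write": ("H", lambda s: (1, s[1])),     # H stores a secret bit
    "d_down":  ("D", lambda s: (s[0], s[0])),  # D copies H's value down to L
    "l_read":  ("L", lambda s: s),             # L's action does not change the state
}
INIT = (0, 0)

# Leaky variant: L's action reads H's value directly, bypassing the downgrader.
LEAKY = dict(ACTIONS)
LEAKY["l_read"] = ("L", lambda s: (s[0], s[0]))


def obs(u, s):
    """State-observed model: what domain u can see in state s."""
    return {"H": s[0], "D": s[0], "L": s[1]}[u]


def run(actions, alpha, s=INIT):
    """Run the action sequence alpha from state s and return the final state."""
    for a in alpha:
        s = actions[a][1](s)
    return s


def purge(actions, alpha, u):
    """Goguen-Meseguer purge: delete every action whose domain may not flow to u."""
    return [a for a in alpha if flows(actions[a][0], u)]


def ipurge(actions, alpha, u):
    """Haigh-Young intransitive purge.

    Scanning right to left, an action is kept iff its domain may flow to some
    domain that already acts as a source of information for u; kept domains
    are added to that source set, so a chain H -> D -> L is preserved even
    though H -> L itself is not permitted.
    """
    sources = {u}
    kept = []
    for a in reversed(alpha):
        d = actions[a][0]
        if any(flows(d, v) for v in sources):
            sources.add(d)
            kept.append(a)
    return list(reversed(kept))


def secure(actions, purge_fn, max_len=4):
    """Exhaustively check obs_u(s0.alpha) == obs_u(s0.purge_u(alpha)) for every
    domain u and every action sequence of length <= max_len.

    Returns (True, None) or (False, (u, alpha)) with the first counterexample.
    """
    for n in range(max_len + 1):
        for alpha in product(actions, repeat=n):
            alpha = list(alpha)
            for u in DOMAINS:
                purged = purge_fn(actions, alpha, u)
                if obs(u, run(actions, alpha)) != obs(u, run(actions, purged)):
                    return False, (u, alpha)
    return True, None


if __name__ == "__main__":
    # The downgrader system violates transitive noninterference (H's write reaches L
    # via D) but satisfies the intransitive purge condition; the leaky variant fails both.
    print("downgrader, purge :", secure(ACTIONS, purge))   # (False, ('L', ['h_write', 'd_down']))
    print("downgrader, ipurge:", secure(ACTIONS, ipurge))  # (True, None)
    print("leaky, ipurge     :", secure(LEAKY, ipurge))    # (False, ('L', ['h_write', 'l_read']))
```

The counterexample returned for the purge condition is exactly the downgrading scenario the policy intends to permit: purge_L removes the H write, so the purged run never has anything to downgrade. ipurge_L keeps that write because it is followed by a D action that may flow to L, which is why the intransitive definition accepts the system while still catching the direct H → L leak.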


References

  1. Alves-Foss J, Harrison WS, Oman P, Taylor C (2006) The MILS architecture for high-assurance embedded systems. Int J Embed Syst 2(3/4): 239–247


  2. Barbosa MA (2005) A refinement calculus for software components and architectures. ACM SIGSOFT Softw Eng Notes 30(5)

  3. Bossi A, Focardi R, Piazza C, Rossi S (2003) Refinement operators and information flow security. In: Proceedings of the international conference on software engineering and formal methods, pp 44–53

  4. Bibighaus D (2006) Applying the doubly labeled transition system to the refinement paradox. PhD thesis, Naval Postgraduate School, Monterey

  5. Bell DE, La Padula LJ (1976) Secure computer system: unified exposition and multics interpretation. Technical Report ESD-TR-75-306, Mitre Corporation, Bedford

  6. Graham-Cumming J, Sanders J (1991) On the refinement of noninterference. In: Proceedings of IEEE computer security foundations workshop, pp 35–42

  7. Goguen JA, Meseguer J (1982) Security policies and security models. In: Proceedings of the IEEE symposium on security and privacy, Oakland, pp 11–20

  8. Goguen JA, Meseguer J (1984) Unwinding and inference control. In: IEEE symposium on security and privacy

  9. Haigh JT, Young WD (1987) Extending the noninterference version of MLS for SAT. IEEE Trans Softw Eng SE-13(2): 141–150

  10. Jacob J (1989) On the derivation of secure components. In: Proceedings of the IEEE symposium on security and privacy, pp 242–247

  11. Jürjens J (2005) Secure systems development with UML. Springer, New York


  12. Mantel H (2001) Preserving information flow properties under refinement. In: Proceedings of the IEEE symposium on security and privacy, pp 78–91

  13. Morgan C (2009) The shadow knows: refinement and security in sequential programs. Sci Comput Program 74(8): 629–653


  14. Moriconi M, Qian X (1994) Correctness and composition of software architectures. In: Proceedings of the 2nd ACM SIGSOFT symposium on foundations of software engineering, pp 164–174

  15. Moriconi M, Qian X, Riemenschneider RA (1995) Correct architecture refinement. IEEE Trans Softw Eng 21(4): 356–372


  16. Moriconi M, Qian X, Riemenschneider RA, Gong L (1997) Secure software architectures. In: Proceedings of the IEEE symposium on security and privacy, pp 884–893

  17. O’Halloran C (1992) Refinement and confidentiality. In: Fifth refinement workshop. British Computer Society, pp 119–139

  18. Philipps J, Rumpe B (1997) Refinement of information flow architectures. In: Proceedings of the 1st IEEE international conference on formal engineering methods, pp 203–212

  19. Roscoe AW, Goldsmith MH (1999) What is intransitive noninterference? In: IEEE computer security foundations workshop, pp 228–238

  20. Roscoe AW (1995) CSP and determinism in security modelling. In: Proceedings of the IEEE symposium on security and privacy, pp 114–221

  21. Rushby JM, Randell R (1983) A distributed secure system. IEEE Comput 16(7): 55–67


  22. Rushby J (1992) Noninterference, transitivity, and channel-control security policies. Technical Report CSL-92-02, SRI International

  23. Seehusen F, Stølen K (2006) Information flow property preserving transformation of UML interaction diagrams. In: Proceedings of the ACM symposium on access control models and technologies, pp 150–159

  24. van der Meyden R (2007) A comparison of semantic models of intransitive noninterference. http://www.cse.unsw.edu.au/~meyden (submitted).

  25. van der Meyden R (2008) What, indeed, is intransitive noninterference? http://www.cse.unsw.edu.au/~meyden (submitted, an extended abstract of this paper appears in Proc. ESORICS 2007)

  26. Vanfleet WM, Beckwith RW, Calloni B, Luke JA, Taylor C, Uchenick G (2005) MILS: architecture for high assurance embedded computing. Crosstalk J Defence Eng 18: 12–16

  27. Zhou J, Alves-Foss J (2006) Architecture-based refinements for secure computer system design. In: Proceedings of policy, security and trust


Corresponding author

Correspondence to Ron van der Meyden.

Additional information

Peter Höfner, Robert van Glabbeek and Ian Hayes

Work supported by Australian Research Council Discovery grants DP0451529 and DP0987769. An extended abstract of this work appeared in International Symposium on Engineering Secure Software and Systems, February 04-06, 2009 Leuven, Belgium, Springer LNCS No 5429, pp. 60–74. The present version adds proofs and the content of Sects. 6 and 7.


Cite this article

van der Meyden, R. Architectural refinement and notions of intransitive noninterference. Form Asp Comp 24, 769–792 (2012). https://doi.org/10.1007/s00165-012-0247-2


  • DOI: https://doi.org/10.1007/s00165-012-0247-2
