On Two Models of Noninterference: Rushby and Greve, Wilding, and Vanfleet

  • Adrian Garcia Ramirez
  • Julien Schmaltz
  • Freek Verbeek
  • Bruno Langenstein
  • Holger Blasum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8666)


We formally compare two industrially relevant and popular models of noninterference, namely, the model defined by Rushby and the one defined by Greve, Wilding, and Vanfleet (GWV). We create a mapping between the objects and relations of the two models. We prove a number of theorems showing under which assumptions a system identified as “secure” in one model is also identified as “secure” in the other model. Using two examples, we illustrate and discuss some of these assumptions. Our main conclusion is that the GWV model is more discriminating than the Rushby model. All systems satisfying GWV’s Separation also satisfy Rushby’s noninterference. The other direction only holds if we additionally assume that GWV systems are such that every partition is assigned at most one memory segment. All of our proofs have been checked using the Isabelle/HOL proof assistant.


Noninterference information flow security formal models 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Hardin, D.S. (ed.): Design and Verification of Microprocessor Systems for High-Assurance Applications (2010)Google Scholar
  2. 2.
    Alves-Foss, J., Taylor, C.: An analysis of the GWV security policy. In: Fifth International Workshop on ACL2 Prover and its Applications (2004)Google Scholar
  3. 3.
    Brygier, J., Fuchsen, R., Blasum, H.: PikeOS: Safe and secure virtualization in a separation microkernel. Technical report, SYSGO (2009)Google Scholar
  4. 4.
    Eggert, S., van der Meyden, R., Schnoor, H., Wilke, T.: Complexity and unwinding for intransitive noninterference. CoRR abs/1308.1204 (2013)Google Scholar
  5. 5.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  6. 6.
    Greve, D., Wilding, M., Richards, R., Vanfleet, W.M.: Formalizing security policies for dynamic and distributed systems (September 2004) (unpublished),
  7. 7.
    Greve, D., Wilding, M., Vanfleet, W.M.: A separation kernel formal security policy. In: Fourth International Workshop on the ACL2 Theorem Prover and its Applications, ACL2 2003 (July 2003)Google Scholar
  8. 8.
    Greve, D.: Information security modeling and analysis. In: Hardin, D.S. (ed.) Design and Verification of Microprocessor Systems for High-Assurance Applications, pp. 249–299. Springer, US (2010), CrossRefGoogle Scholar
  9. 9.
    Haigh, J.T., Young, W.D.: Extending the noninterference version of mls for sat. IEEE Trans. Software Eng. 13(2), 141–150 (1987)CrossRefGoogle Scholar
  10. 10.
    Hardin, D.S. (ed.): Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer (2010)Google Scholar
  11. 11.
    Kaiser, R., Wagner, S.: Evolution of the PikeOS microkernel. In: First International Workshop on Microkernels for Embedded Systems, p. 50 (2007)Google Scholar
  12. 12.
    Krohn, M., Tromer, E.: Noninterference for a practical DIFC-based operating system. In: IEEE Symp. Security & Privacy, pp. 61–76 (2009)Google Scholar
  13. 13.
    van der Meyden, R.: What, indeed, is intransitive noninterference? In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 235–250. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    van der Meyden, R., Zhang, C.: A comparison of semantic models for noninterference. Theor. Comput. Sci. 411(47), 4123–4147 (2010)CrossRefzbMATHGoogle Scholar
  15. 15.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL. LNCS, vol. 2283. Springer, Heidelberg (2002)Google Scholar
  16. 16.
    von Oheimb, D.: Information flow control revisited: Noninfluence = Noninterference + Nonleakage. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 225–243. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Richards, R.J.: Modeling and security analysis of a commercial real-time operating system kernel. In: Hardin (ed.) [10], pp. 301–322Google Scholar
  18. 18.
    Rushby, J.: Design and verification of secure systems. ACM SIGOPS Operating Systems Review 15, 12–21 (1981)CrossRefGoogle Scholar
  19. 19.
    Rushby, J.: Noninterference, transitivity and channel-control security policies. Tech. rep., Computer Science Laboratory, SRI International (1992)Google Scholar
  20. 20.
    Ryan, P.Y.A., Schneider, S.A.: Process algebra and non-interference. Journal of Computer Security, 214–227 (1999)Google Scholar
  21. 21.
    Schellhorn, G., Reif, W., Schairer, A., Karger, P., Austel, V., Toll, D.: Verification of a formal security model for multiapplicative smart cards. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 17–36. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  22. 22.
    Wilding, M., Greve, D., Richards, R., Hardin, D.: Formal verification of partition management for the AAMP7G microprocessor. In: Hardin (ed.) [10], pp. 175–191Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Adrian Garcia Ramirez
    • 1
  • Julien Schmaltz
    • 1
  • Freek Verbeek
    • 2
  • Bruno Langenstein
    • 3
  • Holger Blasum
    • 4
  1. 1.Department of Computer ScienceEindhoven University of TechnologyEindhovenThe Netherlands
  2. 2.School of Computer ScienceThe Open University of The NetherlandsHeerlenThe Netherlands
  3. 3.German Research Center for Artificial Intelligence (DFKI GmbH)SaarbrückenGermany
  4. 4.SYSGO AGKlein-WinternheimGermany

Personalised recommendations