This paper argues that Haigh and Young’s definition of noninterference for intransitive security policies admits information flows that are not in accordance with the intuitions it seeks to formalize. Several alternative definitions are discussed, which are shown to be equivalent to the classical definition of noninterference with respect to transitive policies. Rushby’s unwinding conditions for intransitive noninterference are shown to be sound and complete for one of these definitions, TA-security. Access control systems compatible with a policy are shown to be TA-secure, and it is also shown that TA-security implies that the system can be interpreted as an access control system.
The term ‘noninterference’ is used in the computer security literature to refer to formal definitions of information flow or causality between security domains. The classical theory of noninterference [15] dealt with transitive policies, which are closely related to partially ordered security levels. This theory is unable to deal with certain systems requiring channel control and downgrading [34]. To overcome these limitations, Haigh and Young [19] proposed a variant of the classical definition for channel control applications, which was formalized by Rushby [35] for intransitive policies more generally. In particular, Rushby established soundness of a proof technique based on “unwinding relations”, and also shows that a design discipline based on a class of systems, with access control on objects satisfying a simple static condition on reading and writing, guarantees satisfaction of the definition. The latter result is significant in that it can be understood as giving semantic content to ideas implicit in the approach of Bell and LaPadula [4], resolving questions concerning the meaning of that model [29].
Rushby’s results are cast in the setting of two deterministic state-based semantic models, resembling deterministic Moore and Mealy machines, with each security domain associated to its observations and a subset of the input alphabet. A number of authors have subsequently proposed generalizations and alternative definitions of intransitive noninterference in richer semantic frameworks, dealing with aspects such as nondeterminism, process algebraic models, programming language models and cryptographic concerns [3,5–7,17,25,26,33,43].
Of increasing prominence in recent years is an approach to secure systems construction based on minimalist operating systems kernels, whose principal functionality is the enforcement of a policy that constrains the information flow architecture. This has led to a number of secure systems verification efforts [20,22,27,39] in which noninterference style security policies have been proven to hold. Frequently these applied works are based in ideas from the work of Rushby [35], including intransitive policies and their connection to access control models. It is therefore of some significance that the theoretical foundations of intransitive noninterference be well-understood.
In this paper, we argue that this is not the case, even in the original formulation [19,35] in the setting of deterministic state machines. This formulation is based on an “intransitive purge” function, that has often been applied in subsequent work. We call the associated definition of security “IP-security”. We argue that IP-security classifies as secure some systems that contain subtle flows of information that are inappropriate in a secure system. In response, we propose alternative definitions that prohibit these flows. Moreover, we show that these alternatives lead to some very satisfying improvements of Rushby’s results concerning proof methods and connections to access control implementation mechanisms, provided we also make some intuitively well justified modifications of Rushby’s definitions of access control system.
We begin by arguing that IP-security is too weak for the intuitions it seeks to capture. We present an example that shows that it allows information to flow to an agent, that could not have come from the agents from which it is permitted to acquire information. The information concerns distinctions about the ordering of past events, which the intransitive purge definition is unable to capture.
This leads us to consider alternative definitions. We show that there is in fact a spectrum of different notions of noninterference for possibly intransitive policies, all having some intuitive plausibility, and all equivalent to the classical definition of Goguen and Meseguer [15] in the case of transitive policies. Our approach to definitions of security is to state that an agent should not have more information than the maximal amount it is permitted to have. This maximal amount of information is modelled by viewing actions as transmitting information within a concrete operational model. The notions differ in the information that may be transmitted by an action. Our principal focus in this paper is an instance of this approach, TA-security, which takes the view that an agent’s actions may transmit any information that it is permitted to have about previous actions.
We then study this new definition from the point of view of proof techniques and the application to access control systems. We begin with a discussion of “unwinding conditions”, which provide a proof technique for noninterference, but can be taken as a definition of security in their own right. Rushby proved that the classical unwinding conditions of Goguen and Meseguer provide a complete proof technique for noninterference in the transitive case. He proposes a weakening of these conditions for intransitive policies (correcting an earlier proposal by Haigh and Young [19]). He establishes soundness of the weakened unwinding conditions, but not completeness. We give an explanation of this: Rushby’s conditions are not complete for IP-security. Instead, they are sound and complete for the stronger notion of TA-security. There is a somewhat surprising subtlety in this statement: for completeness, the weakened unwinding conditions must be applied to the appropriate bisimilar system, but the existence of the weak unwindings is not preserved under bisimulation.
We also follow Rushby in considering access control systems, the class of applications originally motivating the literature on noninterference. Rushby showed that access control systems satisfying a condition of structural consistency with a policy satisfy IP-security. We argue that Rushby’s definition of access control systems can be weakened, and that access control systems consistent with a policy satisfy the stronger notion of TA-security as well as Haigh and Young’s definition of security. Moreover, we also show that TA-security implies that there is a way to interpret the system as an access control system in the weakened sense. This shows that TA-security is, in some sense, equivalent to the existence of an access control implementation of the system.
These results provide strong evidence that TA-security, rather than IP-security, best fits the original objectives for the notion of intransitive noninterference. The fact that three quite different, but all intuitive, interpretations of the meaning of intransitive noninterference coincide lends support to each.
The definition of TA-security is an instantiation of a general approach to the definition of security that compares a simple operational model of maximal permitted information flow in a system with the actual information flow in that system. Other instantiations are reasonable: we also consider some possible variants that we show to fall on a spectrum of definitions of security of increasing strength. The notion of TA-security takes the liberal view that an agent may transmit any information that it is permitted to have, even if it has not directly observed that information. (We remark that IP-security also has this property.) We also consider a notion of TO-security, which states that an agent may transmit only information that it has directly observed. This notion may well be equally significant for practical purposes. As evidence of this, we prove that access control systems structurally consistent with a policy also satisfy the stronger notion of TO-security, provided we work with an appropriate notion of observation for such systems. For purposes of comparison to related literature, we also characterize the relationship of these notions to the classical purge-based definition of Goguen and Meseguer [15], as well as a variant of TO-security that we call ITO-security. These notions can be shown to be related to definitions of Roscoe and Goldsmith [33].
The structure of the paper is as follows. Section 2 recalls Rushby’s formulation of IP-security, and Section 3 presents the example that shows a weakness of the definition. In Section 4 we introduce a new definition of noninterference for intransitive noninterference, TA-security, that avoids this weakness, and which forms the most satisfying basis for Rushby’s results concerning proof methods and access control. We substantiate this by establishing the connection to unwinding conditions in Section 5. Connections to access control systems are presented in Section 6. Some other definitions based on the general approach adopted in TA-security, and some results concerning these variants, are presented in Section 7. Section 8 discusses related work. We close in Section 9 with some remarks concerning issues requiring further investigation.
Intransitive noninterference
The notion of noninterference was first proposed by Goguen and Meseguer [15]. Early work on this area was motivated by multi-level secure systems, and dealt with deterministic systems and partially ordered (hence transitive) information flow policies. A significant body of work has developed since then, with a particular focus on generalization to the case of nondeterministic systems [14,28,36,40,44] and intransitive policies [3,5,6,25,33,35,43]. We focus in this paper on intransitive policies in the deterministic case.
Several different types of semantic models have been used in the literature on noninterference. (See [42] for a comparison and a discussion of their relationships.) We work here with the state-observed machine model used by Rushby [35], but similar results can be obtained for other models.2
In a companion paper [41] we also treat Rushby’s action-observed model, and show that the corresponding definitions in that model are related to those in the state-observed model by means of a natural mapping from action observed systems to state-observed systems.
This model consists of deterministic machines of the form , where S is a set of states, is the initial state, A is a set of actions, associates each action to an element of the set D of security domains, is a deterministic transition function, and maps states to an observation in some set O, for each security domain. We may also refer to security domains more succinctly as “agents”. We write for the state reached by performing the sequence of actions from state s, defined inductively by , and for and . Here ε denotes the empty sequence.
Noninterference policies, as they are now usually presented,3
Goguen and Meseguer used a slightly richer notion.
are relations , with intuitively meaning that “actions of domain u are permitted to interfere with domain v”, or “information is permitted to flow from domain u to domain v”. Since, intuitively, a domain should be allowed to interfere with, or have information about, itself, this relation is assumed to be reflexive. In early work on noninterference, it is also assumed to be transitive.
Noninterference is given a formal semantics in the transitive case using a definition based on a “purge” function [15]. Given a set of domains and a sequence , we write for the subsequence of all actions a in α with . Given a policy ↣, we define the function by
(For clarity, we may use subscripting of agent arguments of functions, writing e.g., as .) The system M is said to be secure with respect to the transitive policy ↣ when for all and domains , we have . That is, each agent’s observations are as if only interfering actions had been performed. An equivalent formulation (which we state more generally for policies that are not necessarily transitive, in anticipation of later discussion) is the following definition.
A system M is P-secure with respect to a policy ↣ if for all sequences such that , we have .
This can be understood as saying that agent u’s observation depends only on the sequence of interfering actions that have been performed. Equivalence of the two definitions follows from the following simple proposition.
Suppose that p and o are two functions with domain a set X and p also has codomain X. If p is idempotent then the following are equivalent:(1)for all, and (2) for all , if then.
Assume (1). Then for all , if then . Thus (2) also holds. Conversely, suppose (2). Since p is idempotent, we have for all . Taking , we obtain from (2) that , as required for (1). □
To illustrate a typical application of the semantic model and the motivation for noninterference definitions of security, consider a highly simplified model for two processes , sharing a CPU or cache (which provides more rapid access to data for operations than would be possible if it were necessary to read and write from main memory).
The security policy requires that the two processes be completely isolated, so that there is no flow of information between them. Thus, we have and the policy is the identity relation . We take a memory value to consist of a single bit, and the only operations are bit complementation and writing a bit to an output device associated to the process.
We take the states S of the system to be the set of boolean assignments to the following variables: , , representing main memory data locations associated to , , respectively, c, representing the cache value, , representing the owner of the cache value (either 0 or 1 for , , respectively), and , , representing output lines for , , respectively. For the initial state, we take all variables to have value 0. We assume that the processes can observe only the value on their output device. Thus, in a state s, we take .
We have actions with . Here is, intuitively, the action of process complementing its bit, and is the action of process writing its memory value to its associated output line. State transitions associated to each of these actions are given by the following code (which runs atomically):
Note that the code prefers to use the fast memory c rather than the slow memory . The two processes share the fast memory c, so the implementation needs to take care to ensure that this sharing does not cause leakage of information from one process to another. This is done by carefully tracking, using the variable , which process’s information is currently in the cache, and ensuring that another process’s value is not written to an process’s output device when the cache line is used. When process performs an operation , and the other process’s value is in the cache, that other value is first written back to main memory, and then ’s value is loaded into the cache and complemented.
It is not difficult to see that this system is P-secure. Intuitively, the output values observed by process depend only on the actions that process has performed, and are independent of the actions performed by the other process. (We note that the assumption of asynchrony of the processes is critical to this conclusion: it is known that timing information can be responsible for covert channels in a shared cache [32].) The type of resource sharing illustrated by this example is extremely common, particularly in hardware designs, and a satisfactory account of security for such designs needs to accommodate it.
It was recognized already by Goguen and Meseguer [16] that transitive policies are insufficiently expressive to handle situations involving channel control or downgrading. The following example illustrates the issues in such settings.
A system involving a downgrader is given by the set of domains and policy and . Intuitively, H is a High level domain, L a Low level domain, and D represents the downgrader, which makes decisions concerning the release of information from H to L. Note that the policy is not transitive, since we do not have , which would follow from the above facts if the policy were transitive. The intuitive reading of this is that it is not permitted for H actions to have a direct effect on L, i.e., it should not be possible for H to pass information to L of its own accord. However, the policy does allow that H information may be transmitted to L, so long as such transmission is effected by D.
Consider the concrete system M with actions where and , and states S consisting of assignments to the boolean variables and . The initial state has both variables equal to 0. We assume that , and for all states s. The semantics of the actions is given by the code
One can understand these definitions as stating that the variable records whether or not there has been an occurrence of action h, and d transmits this information to the variable .
Intuitively, the system M is secure with respect to the policy ↣. The action h has no direct effect on the variable that is observed by L. The variable is affected by action d, but this action is consistent with the policy, because domain D is both permitted to receive information from H and transmit information to L.
On the other hand, note that , but . This means the system M is not P-secure with respect to the policy ↣. Intuitively, P-security permits L observations to depend only on the actions of D and L. This means that it prohibits D from transmitting H information to L, as the policy is intended to allow. This suggests that P-security is not the appropriate semantics to apply to intransitive policies.
In order to address such examples, Haigh and Young [19] generalized the definition of the purge function to intransitive policies as follows (we present the formalization of [35]). Intuitively, the intransitive purge of a sequence of actions with respect to a domain u is the largest subsequence of actions that could form part of a causal chain of effects (permitted by the policy) ending with an effect on domain u. More formally, the definition makes use of a function defined inductively by and
for and . Intuitively, is the set of domains v such that there exists a sequence of permitted interferences from v to u within α. The intransitive purge function is then defined inductively by and
for and . An alternative, equivalent formulation that we will find useful is the following: given a set , define inductively by and
Then is identical to . Haigh and Young’s definition of security uses the intransitive purge function in place of the purge function in Goguen and Meseguer’s definition: M is secure with respect to a policy ↣ if for all sequences , and , we have . Since the function on is idempotent, this definition, like the definition for the transitive case, can, by Proposition 1, be equivalently formulated as the following definition.
A system M is IP-secure with respect to a (possibly intransitive) policy ↣ if for all and all sequences with , we have .
It can be seen that when ↣ is transitive, so IP-security is in fact a generalization of the definition of security for transitive policies.
Reconsider the system of Example 2. This system can be shown to be IP-secure. For example, considering the particular sequences of actions d and discussed above, we have , so the fact that the observations made by L after these sequences of actions differ no longer implies that the definition of security fails.
It is worth noting that both P-security and IP-security have the property that reducing the amount of information in the observations of a system preserves security. To state this precisely, say that a system is an observation–abstraction of system M if these systems are identical, except for their respective observation functions and , respectively, for domains u, and there exist functions such that . Intuitively, a larger set of states is consistent with each observation in the system , so the observations in this system carry less information, i.e., the agents know less. Say that a notion of security is preserved under observation abstraction, if for all systems M and , if M is secure and is an observation abstraction of M, then is also secure. If we take the point of view that security is concerned with secrecy, and that a system is secure if no agent knows more than it is entitled to know, it seems like a reasonable requirement on a definition of security that it be preserved under observation abstraction. Since and are unaffected by observation abstraction, it is immediate from the definitions that both P-security and IP-security are preserved under observation abstraction.
Consider the system obtained from the system M of Example 2 by applying the abstraction functions where and are the identity functions on observations and is the function that maps every observation to ⊥. That is, the only change is to take for all states s in this example. In the system , the action d of agent D still causes information about H’s actions to flow to L, but D’s own observations now carry no information about the actions performed by H. This variant remains IP-secure. Intuitively, IP-security requires just that D was causally involved in all flows of information from H to L. It does not require that D explicitly observes or “knows” the information that its actions are causing to be transmitted to L.
It is reasonable to object that one expects a downgrader to be responsible and first inspect the information that it releases. We return to this point below, but, for the moment focus on the “causal” intuition for intransitive policies that the notion of IP-security attempts to formalize.
An example
We now present an example that points to a potential weakness of IP-security as the semantics of intransitive policies. Note that the intransitive purge preserves not just certain actions from the sequence α, but also their order. We claim that this allows u to “know” this order in situations where an intuitive reading of the policy would suggest that it ought not to know this order.
To give precise content to this claim, we introduce some notation from the literature on modal logics of knowledge [13]. Let be a set of atomic propositions. We define a propositional modal logic, with formulas defined as follows: if then p is formula, and if ϕ and ψ are formulas and is an agent and is a nonempty set of agents then , and and are formulas. We use standard boolean abbreviations such as for . Intuitively, the formula expresses that agent u knows ϕ, and expresses that ϕ is distributed knowledge to the group G, which means that the group G, collectively, knows ϕ.
We take the atomic propositions to be interpreted over sequences of actions of a system M with actions A, by means of an interpretation function . Formulas ϕ are then interpreted as being satisfied at a sequence of actions by means of a relation . For atomic propositions , this relation is defined by if .
The semantics of the operators for knowledge can be defined in a variety of ways, depending on questions such as the degree of recall and synchrony of the agents. It is appropriate in applications of the logic of knowledge to security to use a perfect recall interpretation of knowledge. An attacker with perfect memory is stronger than a forgetful attacker, so is the better assumption for security analysis. However, the semantics for noninterference are asynchronous. We therefore use an asynchronous model of the information available to the attacker. Concretely, this can be represented using the following notion of view. The definition uses an absorptive concatenation function ∘, defined over a set X by, for and , by if x is equal to the final element of s (if any), and (ordinary concatenation) otherwise.
Define the view of domain u with respect to a sequence using the function (where O is the set of observations in the system) defined by
and
That is, is the sequence of all observations and actions of domain u in the run generated by α, compressed by the elimination of stuttering observations. Intuitively, is the complete record of information available to agent u in the run generated by the sequence of actions α. The reason we apply the absorptive concatenation is to capture that the system is asynchronous, with agents not having access to a global clock. Thus, two periods of different length during which a particular observation obtains are not distinguishable to the agent.
Using the notion of view, we may define for each agent u an equivalence relation on sequences of actions by if . The semantics for the knowledge operators may then be given by
This is essentially the definition of knowledge used in the literature on reasoning about knowledge [13] for an agent with asynchronous perfect recall.
The semantics of distributed knowledge is defined in the literature as follows. First, define the relations on sequences of actions by if for all . The operators are then given semantics by the clause
Intuitively, this definition says that a fact is distributed knowledge to the set of agents G if it could be deduced after combining all the information that these agents have. While this semantics is satisfactory in synchronous settings, we will see below that a different notion of group knowledge is appropriate for our application. For a group , define the modal operator , with semantics given by
Note that already implies that α and contain the same actions for each of the members of the group G, but, because of asynchrony, these actions may be interleaved in different ways in the two sequences. The additional content of the statement is therefore that these actions are interleaved in the same way in the two sequences. Intuitively, captures that the group G would know ϕ if it were to combine all the information available to the members, with the additional information about how their actions were interleaved.
We may now present our example illustrating a weakness of IP-security. The essence of the example is that IP-security is consistent with an agent acquiring information that it could not have received from the agents from which it is permitted (by an intransitive policy) to acquire information.
An intransitive policy.
Consider the intransitive policy ↣ given by , , and . The policy is depicted in Fig. 1. Intuitively, , are two High security domains, , are two downgraders, and L is an aggregator of downgraded information. For this policy, channel control, one of the motivations for intransitive noninterference, requires that any information about and available to L must have reached L via the downgraders and . The policy disallows direct flows of information from or to L, but allows L to combine pieces of information it has received from and . A seemingly reasonable way to capture this requirement more formally is to interpret it as stating that if M is a system that is secure with respect to this policy and π interprets the atomic proposition p as expressing some property depending only on the behaviour of and , then we should have
for all . That is, if a fact about , is known to L, then it follows from combining information that is available to , . The process of combination is interpreted using the distributed knowledge operator. This suggests that if some information has been implicitly released, then the downgraders could, after combining their information, know that this is the case. Such an ability would be beneficial from the point of view of audit requirements on the system.
Some caveats on this interpretation of the informal requirement are in order, however. First, we might note that L is potentially allowed by the policy to have more information than the distributed knowledge of the downgraders. It may be possible for L to directly observe the occurrence of the downgrader actions, and consequently know how these actions are interleaved. For our asynchronous semantics for knowledge, this interleaving is not distributed knowledge to the downgraders. This suggests that the way the information known to the downgraders is aggregated, when it is transmitted to L, should be captured by the alternative distributed knowledge operator , which also takes into account the interleaving of actions that is potentially observable to L. This gives the refined requirement
for propositions p that are interpreted by π as depending only on .
Next, as we have already noted above in Example 4, IP-security does not require that information transmitted by a downgrader be explicitly observable to the downgrader. IP-security merely places an upper bound on the information content of the observations of the agents, and reducing the information content of an agent’s observations preserves IP-security. Since a downgrader’s knowledge is based on its observations, this means that it does not necessarily know what information it has caused to be transmitted, even if the system is secure. We may address this concern by concentrating on systems in which the agents make the maximally informative observations that are consistent with security. In the case of IP-security, this means that after sequence of actions α, we let agent u observe after sequence α. We may expect that in such a system, we have a more direct correspondence between information possessed by agents and information that they may transmit, so that the epistemic formulation (1) captures the intended requirement.
We now show that if security is interpreted as IP-security, and we work in a system where agents make their maximally informative observation, then condition (1) does not necessarily follow from security of the system, as we might expect.
Define the system M with actions with domains , , , and L, respectively. The set of states of M is the set of all strings in . The transition function is defined by concatenation, i.e. for a state and an action , . The observation functions are defined to be the maximally informative observations consistent with security: using the intransitive purge function associated to the above policy, we define . (Here we put brackets around the sequence of actions when it is interpreted as an observation, to distinguish such occurrences from the actions themselves as they occur in a view.)
An intuitive reading of this system is that it represents an operating system that maintains a log of all operations performed by users. In each state, the operating system permits each user to observe just that part of the log that IP-security permits the user to have information about.
It is plain that M is IP-secure. For, if then . We show that it does not satisfy condition (1).
Consider the sequences of actions and . Note that these differ in the order of the events , . Let the atomic proposition p be interpreted by π as asserting that there is an occurrence of before an occurrence of . That is, .
Then we have . Hence, for any sequence with , we have , so . Thus , i.e., in agent L knows the ordering of the events , . We demonstrate that is a witness showing that it is not the case that , i.e., we have and and . It is trivial that , and plainly .
For , note
i.e., . (Evidently, the view contains some information redundantly, but it naturally represents the information that agent may have collected over time by recording its own actions as well as the results of inspecting its observable part of the system log.) By symmetry, we also have , hence . This means that and do not have distributed knowledge of the ordering of the events , , even with respect to the asynchronous perfect recall interpretation of knowledge, in which they reason based on everything that they learn in the run.
Thus, L has acquired information that cannot have come from the two sources and that are supposed to be, according to the policy, its only sources of information.
Although the information flow identified in this example is troubling, it is not clear whether we have identified an exploitable avenue for attack. There are many questions raised. For one, is the appropriate model for the information that flows through a group of agents, and is it appropriate to apply this notion to the downgrading setting as we have done? Does it matter for security of the system if information about the ordering of events in independent domains leaks? Reliable transmission of information to L using the channel we have identified would seem to require and to collude, but since they are not permitted by the policy to communicate, it is unclear how they could do so. If they do collude, e.g., through a channel outside the scope of the system, does this require them to communicate using a synchronous mechanism, something that is not in the spirit of our asynchronous semantics? One might argue that it is unreasonable to expect that asynchronous defenders can secure a system against synchronous attackers. On the other hand, one potential reason for worrying about this is that there may be attacks in which an agent exploits side channels through the system scheduler.
At the very least, the example suggests that there is something troubling about the flows of information that are permitted by IP-security. We might just as well turn this around on the definition of IP-security itself. Historically, the definition was derived as a modification of the definition of P-security, motivated by problem with that definition identified in Example 2. The definition correctly handles that example, but beyond this, there does not seem to be a compelling explanation for why it is appropriate to take to be a representation of the maximal information that u is permitted to have after the sequence of actions α.
An alternative definition: TA-security
As a response to Example 5, we will consider several alternative definitions of security for intransitive policies. Like IP-security, each is based on a concrete model of the maximal amount of information that an agent may have after some sequence of actions has been performed, and states that an agent’s observation may not give it more than this maximal amount of information. Our definitions take the view that an agent increases its information either by performing an action or by receiving information transmitted by another agent. They differ in the choice of what information is permitted to be transmitted when an agent performs an action. In this section, we focus on one of these alternative definitions (the others are discussed in Section 7). The results of the following sections will show that this new definition proves to be more closely related than IP-security itself to the results that Rushby established about IP-security.
In our first definition, what is transmitted when an agent performs an action is information about the actions performed by other agents. The following definition expresses this in a weaker way than the function.
Given sets X and A, let be the smallest set containing X and such that if and then . Intuitively, the elements of are binary trees with leaves labelled from X and interior nodes labelled from A.
Given a policy ↣, define, for each agent , the function inductively by , and, for and ,
Intuitively, captures the maximal information that agent u may, consistently with the policy ↣, have about the past actions of other agents. (The nomenclature is intended to be suggestive of transmission of information about actions.) Initially, an agent has no information about what actions have been performed.
The recursive clause describes how the maximal information permitted to u after the performance of α changes when the next action a is performed. If a may not interfere with u, then there is no change to the information u is permitted to have. This is as one expects, since u is not permitted by the policy to know about events in domain , and in particular, is not permitted to know about the occurrence of the action a. Otherwise, if , then u is permitted to know about events in domain . In this case, we allow u’s information to increase as a result of the performance of action a. Intuitively, the action a in this case transmits new information to u, which is added to the information that u already had. In particular, we add the maximal information permitted to at the time a is performed (represented by ), as well the fact that a has been performed.
Thus, this definition captures the intuition that an agent may only transmit information that it is permitted to have, and then only to agents with which it is permitted to interfere. When an agent transmits information to another, it transmits everything that it knows, as well as the name of the action that it performs, which is responsible for the information transmission. We remark that the definition and intuitions for the functions are somewhat similar to the notion of full-information protocol [31] that is used in the distributed algorithms literature.
A system M is TA-secure with respect to a policy ↣ if for all agents u and all such that , we have .
Intuitively, this definition says that each agent’s observations provide the agent with no more information than the maximal amount that may have been transmitted to it, as expressed by the functions .
Note that the system of Example 5 is not TA-secure. For,
and
So , but . This illustrates that TA-security is in accordance with our intuitions about Example 5.
Plainly, the term grows rapidly in size as the sequence α becomes longer, and it also appears to contain a large amount of redundancy. One might wonder whether a more succinct representation is possible. We will not pursue this question here – similar questions arise in the use of the full information protocol methodology in the distributed algorithms literature, where one is interested in identifying data structures that more efficiently capture the information relevant to protocol goals. The solutions to such questions can be quite nontrivial [13]. What matters to us here is that the functions correspond to a very plausible representation of how information maximally flows around the system as agents that comply with the security policy transmit information to each other by performing actions.
Unwinding relations
In this section we relate TA-security to “unwinding conditions” that have been discussed in the literature as a way to prove noninterference [16]. We show that Rushby’s proposed unwinding conditions for intransitive noninterference are closely related to TA-security in that they provide a sound and complete proof method for this definition of security. We also show the somewhat surprising fact that Rushby’s unwinding conditions are not preserved under bisimulation.
We begin by recalling Rushby’s results on unwinding for intransitive noninterference. Suppose we have for each domain u an equivalence relation on the states of M. Rushby discusses the following “unwinding” conditions on such equivalence relations.
OC: If then . (Output consistency)
SC: If then . (Step consistency)
LR: If then . (Locally respects)
If these conditions are satisfied and ↣ is a transitive policy, then M is P-secure [16]. Conversely, consider the particular equivalence relations on states, defined by if for all strings α in we have . Rushby uses these equivalence relations to show completeness of the unwinding conditions for transitive noninterference:
Suppose M is P-secure with respect to the transitive policy ↣. Then the relations satisfy OC, SC and LR.
For intransitive noninterference he introduces the following condition:
WSC: If and then . (Weak step consistency)
Define a weak unwinding on a system M with respect to a policy ↣ to be a family of relations , for , satisfying OC, WSC and LR. It will be convenient to have the following alternate characterization of this notion. Given a system M and a policy ↣, let be the smallest family of equivalence relations (under the pointwise containment order) satisfying WSC and LR.
There exists a weak unwinding for M with respect to ↣ iff the relationssatisfy OC.
The implication from right to left is trivial. For the implication from left to right, suppose that is a weak unwinding for M with respect to ↣. It is immediate from the definition of and fact that the property of being an equivalence relation satisfying WSC and LR is defined by Horn formulas that . The fact that satisfies OC now implies that satisfies OC. □
Suppose that the relationson a system M satisfy OC, WSC and LR. Then M is IP-secure for ↣.
However, he does not establish completeness of these unwinding conditions for IP-security. The following result yields an explanation of this fact.
Suppose that there exists a weak unwinding for M with respect to ↣. Then M is TA-secure with respect to ↣.
Let the weak unwinding be . We show that for and , if then . By OC, it also follows that , which is what we need for TA-security. We proceed by induction on . The base case of is trivial. Supposing that the result holds for sequences of shorter combined length, consider sequences and , where and .
If , then . Hence, by induction, . Also, by LR, we have , Thus by transitivity of .
If , then , which implies that the action a also occurs in as the last action in a domain interfering with u. If there are any subsequent noninterfering actions, we may switch the role of and and apply the previous case. Hence, we may assume for some sequence of actions β, so . It follows from the equality that and . By the inductive hypothesis, we obtain and . It follows from this by WSC that . □
Since, by Example 6 and Theorem 3(4), TA-security is stronger than IP-security, this result implies that the existence of equivalence relations satisfying conditions OC, WSC and LR is not a necessary condition for IP-security, since if this were the case, then every IP-secure system would be TA-secure.
This raises the question of whether the existence of weak unwindings is equivalent to TA-security instead. We now show that this question can be answered in the positive, provided it is formulated appropriately. The existence of weak unwindings turns out to have a somewhat surprising dependency on the structure of the system.
Given a system with actions A, define the “unfolded” system with actions A having the same domains as in M, by , , , and , where is computed in M. Intuitively, this construction unfolds the graph of M into an infinite tree. Define the equivalence relations on the states of by iff . Then we have the following.
M is TA-secure with respect to ↣ iff there exists a weak unwinding onwith respect to ↣.
We first note that for the relations on , we have iff . For, the relations are equivalence relations and satisfy WSC and LR by definition of . Thus, we have by definition of . Conversely, we show that implies , by induction on . The case of is clear. Suppose . If , we have , so by the inductive hypothesis, we have . Since satisfies LR, we obtain and it follows that . For the case , where , we may assume without loss of generality that the final action in may interfere with u, and derive that where and . It follows by the inductive hypothesis that and , hence by the fact that satisfies WSC that , as required.
Suppose M is TA-secure with respect to ↣. Then WSC and LR for the relations are immediate from the definition of the functions , and OC follows directly from TA-security. Hence the family is a weak unwinding on . Conversely, suppose that there exists a weak unwinding on with respect to ↣. Then satisfies OC, hence M is TA-secure with respect to ↣. □
It is reasonable to give a definition of security on M by reference to since these systems are bisimilar under the obvious notion of bisimulation on the state-observed system model. Bisimilarity of two systems is usually taken to imply their equivalence on all properties of interest. One might therefore expect from Theorem 2 that TA-security implies the existence of a weak unwinding on the system M as well as on . It is the case that unwindings on M can be lifted to unwindings on .
If there exists a weak unwinding for ↣ on M then there exists a weak unwinding for ↣ on.
Suppose the relations are a weak unwinding for ↣ on M. Define on by if in M. It is easily checked that the relations are a weak unwinding on . □
However, what we need, given Theorem 2, to deduce the existence of an unwinding on M from TA-security is the converse of this result. The following example shows that the converse does not hold. The reader may obtain some intuition for this example by noting that whereas weak unwinding seems to be sensitive to information about past actions, bisimulation cares only about the future. The essence of the example is that not enough past information is encoded in the states of the system M itself.
An example showing TA-security does not imply existence of a weak unwinding.
Consider the system and policy depicted in Fig. 2. There are actions a, b, c of domains , , respectively, and is the initial state. For all domains u other than , we assume that the observation is the same on all states. TA-security therefore depends only on the behaviour of the system with respect to domain , where there are two possible observations o, as indicated. We show that there does not exist a weak unwinding for ↣ on M, but there does exist one on .
For the former, we consider the relation family on M. Note that since and we have by LR that . Similarly, since we have . Hence, by WSC, for the action a, we get . Since and , we have that does not satisfy OC. Since is the smallest family satisfying WSC and LR, there can exist no weak unwinding for ↣ on M.
For the unwinding on , consider . Since this family of equivalence relations satisfies WSC and LR, it suffices to consider the property OC, where we need consider only the domain , as already noted. Here, the only possible failure of OC is for states α, where , and . Now implies that contains either a b and a later a, or a c and a later a. View as a tree with nodes of the form representing a vertex labelled e with subtrees corresponding to x and y. Then this tree contains a path from a leaf to the root containing either b and later a, or c and later a. The same then applies to the identical tree for , which implies that α contains either a b and later a or a c and later a. But this means that , a contradiction. Hence the family satisfies OC.
Since and M are bisimilar, this example shows that bisimulation does not preserve existence of a weak unwinding. It is therefore necessary to either abandon the presumption that security properties are preserved under bisimulation, or adopt the stance that existence of a weak unwinding (on the system as presented) is not a sensible notion of security. We prefer the latter, but note that this does not hinder the utility of weak unwinding as a proof technique. The existence of a weak unwinding on some system bisimilar to the system as presented remains a sensible notion; we have shown that this is equivalent to TA-security.
Access control systems
As a particular application of the unwinding conditions, Rushby [35] discusses a notion of access control system that he formulates in order to give semantic content to the Bell-La Padula model [4] (which has been criticized for lacking semantics). He shows that every access control system satisfying a compatibility condition with respect to a noninterference policy is IP-secure. In this section, we formulate a weaker variant of Rushby’s definitions, and show that it implies the stronger notion of TA-security.
Moreover, we also show a converse to the result that access control systems are TA-secure, viz., that every system satisfying TA-security can be interpreted as an access control system. This proves the equivalence in some sense of access control and TA-security. We believe that these results, together with the example of Section 4 and the results of the previous section, provide strong evidence that TA-security, rather than IP-security, is the notion that best realizes the original objectives of the notion of intransitive noninterference.
According to Rushby, a system with structured state is a machine together with
a set N of names,
a set V of values, and functions,
, with interpreted as the value of object n in state s,
, with interpreted as the set of objects that domain u can observe, and
, with interpreted as the set of objects whose values domain u is permitted to alter.
For a system with structured state, when and s is a state, write for the function mapping to values, defined by for . Intuitively, captures all the content of the state s that is observable to u. Using this, we may define a binary relation of observable content equivalence on S for each domain , by if .
In order to capture the conditions under which the machine operates in accordance with the intuitive interpretations of this extra structure, Rushby defines the following three Reference Monitor Assumptions.
If then .
If and either or then .
If then .
The first of these says that an agent’s observation depends only on the values of the objects observable to the agent. The third says that if an action can change the value of an object, then the agent of that action is in fact permitted to alter that object. The condition RM2 is more subtle. The following provides a possibly more perspicuous formulation of this condition.
RM2 is equivalent to the following: For all states s, either
for all, we have , or
for all, we have .
That is, with the choice depending only on information observable to , the effect of the action is either to make no change to n or to assign a new value to n that depends only on information observable to .
In addition to the reference monitor assumptions, Rushby considers the condition:
If then .
Intuitively, this says that the ability to write to a value that an agent can observe counts as a way to interfere with that agent. Rushby shows the following proposition.
Suppose M is a system with structured state that satisfies RM1–RM3 and AOI. Then the family of relationson M is a weak unwinding with respect to ↣. Hence M is IP-secure for ↣.
By the results of the previous section, Rushby’s result in fact yields the stronger conclusion that access control systems consistent with a policy are TA-secure. We can further strengthen this result by weakening the precondition.
Note that the condition RM2 says that the next value of n produced on performing an action a depends only on the values of names observable to . If n is not observable to , this may be too strong. Consider, for example, the situation where n represents a block of memory, and the action a writes to a single location within this block. Here the successor value depends on the value written (which will typically depend on the values of names observable to ), but also on the previous value of n. Similarly, if the name n is an object in an object-oriented system, and the effect of the action is to call a method of this object, then the successor value will depend of the input parameters of the call (which will depend on values of names observable to ), but also on the value of n. Thus, the condition RM2 can plausibly be weakened to the following.4
A weakened condition resembling RM2′ has also been used in a slightly different context by Greve, Wilding and van Fleet [18]. A weakening has also been proposed by von Oheimb [43], who also shows that the definition of access control system consistent with a policy can be weakened while still implying the existence of unwinding conditions implying IP-security. He adds the conditions , and to the antecedant of RM2. We would argue that whether or not a system is an access control system should be independent of the policy that may be applied to it. The fact in the precondition is in any case derivable from and in the context of AOI and RM3, so can be omitted without loss of generality.
For all actions a, states s, t and names , if and we have .
That is, for , the value is a function of both and . Using Proposition 6 it can be seen that RM2 implies RM2′. The converse does not hold.
We now weaken Rushby’s notion of access control system by replacing RM2 by RM2′. We define a system with structured states to be a weak access control system if it satisfies conditions RM1, RM2′ and RM3. We say such a system is consistent with a policy ↣ if it satisfies AOI.
We also introduce a related notion on systems without structured states, that expresses that the system behaves as if it were an access control system. Say that a system M with states S admits a weak access control implementation consistent with ↣ if there exists a set of names N, a set of values V and functions , and , with respect to which M is a weak access control system satisfying the condition AOI.
The following shows that weak access control systems consistent with a policy satisfy Rushby’s unwinding conditions for intransitive noninterference:
Suppose M is a weak access control system consistent with ↣. Then the family of relations is a weak unwinding on M with respect to ↣.
OC is direct from RM1 and LR follows easily from RM3 and AOI. For WSC, suppose that and , i.e., . We need to show , which amounts to showing for all . We consider the two possibilities and :
If then we have by RM2′.
If , then using RM3 we have .
Thus, we have . □
We may also show a converse to this result, which leads to the conclusion that unwinding and weak access control systems are essentially equivalent.
Suppose that there exists a weak unwinding on M with respect to ↣. Then M admits a weak access control interpretation consistent with ↣.
Let the weak unwinding be . Write for the equivalence class of s under . We define the access control interpretation on M as follows:
,
,
,
.
Note that then iff iff iff .
RM1 is immediate from the fact that satisfies OC.
For RM2′, suppose that and and . Then , and from we get that . From we have that . Hence by WSC, we have , which is equivalent to .
For RM3, we prove the contrapositive. Suppose that . Then and . By LR, we have , which is equivalent to , as required.
Plainly, if and then and , so AOI also holds. □
Combining these results with those of the previous section, we see that there is a close correspondence between TA-security, weak access control interpretations, and weak unwindings.
The following are equivalent
M is TA-secure with respect to ↣,
admits a weak access control interpretation consistent with ↣,
there exists a weak unwinding onwith respect to ↣.
The equivalence of (1) and (3) is from Theorem 2, and that between (2) and (3) follows from Propositions 8 and 9. □
From Theorem 1 and Proposition 8, we also obtain the following corollary.
If M is a weak access control system consistent with ↣ then M is TA-secure for ↣.
This conclusion is a more general result than Proposition 7, in which we have both weakened the antecedent and strengthened the consequent.
Variants of TA-security
The definition of TA-security is based on the general idea of comparing the information that an agent obtains from its observations with the information that it would have in a concrete operational model of maximal permitted information transmission consistent with the policy. There are many ways that one could build such a definition: we give a few examples in this section that might also plausibly be taken as the semantics of intransitive policies.
We noted above in Example 4 that the definition of IP-security has one aspect that might reasonably be questioned: it classifies as secure situations in which an agent causes information to be transmitted to another that it has not actually observed. TA-security is similar in this regard.
The system of Example 4 is both IP-secure and TA-secure. In particular, let and , where and are the maximal suffixes of α and β in , respectively. Then it can be shown that iff iff . Moreover, implies that α contains an h before a d iff β does. TA-security and IP-security follow since if α contains an h before a d and otherwise.
In particular, when , agent L knows that there has been an h before a d. On the other hand, since always , agent D itself has no information about the sequence α. Thus, in this system, D can be viewed as causing information to be transmitted to L that it does not itself have.
Whether one considers this example to illustrate a violation of security depends on one’s attitude to forwarding of unobserved information. It is straightforward from the definition that TA-security, like IP-security, is preserved under observation abstraction. If one takes secrecy to be the main concern of security, then this is reasonable. There are certainly situations where it seems acceptable for a downgrader not to know all the information that flows as a result of its actions. Consider a key escrow agent that releases a private decryption key upon legitimate request from police. This causes the contents of messages encrypted with the corresponding public key to flow to the police, but it does not seem reasonable to require that the escrow agent know the content of those messages (which it might not even have observed in ciphertext). Similarly, under a policy that mandates all government cabinet documents to be declassified after 30 years, it is not necessary for the declassifier to know the complete contents of a document being declassified: it suffices that the declassifier knows that the document is in fact 30 years old.
On the other hand, it also seems reasonable to state a requirement that a declassifier have inspected documents being released, and know the contents thereof. It is possible to construct a definition that would consider Example 4 as insecure, by changing the definition of the function .
Given a policy ↣, for each domain , define the function by and
Intuitively, this definition takes the model of the maximal information that an action a may transmit after the sequence α to be the fact that a has occurred, together with the information that actually has, as represented by its view . By contrast, TA-security uses in place of this the maximal information that may have. (The nomenclature is intended to be suggestive of transmission of information about observations.) We may now base the definition of security on the function rather than .
The system M is TO-secure with respect to ↣ if for all domains and all with , we have .
The system of Example 4 is not TO-secure. Note that . However, .
On the other hand, these runs do not constitute a counter-example to the TO-security of the system M of Example 3. Here we have . Indeed, this system can be shown to be TO-secure.
This example demonstrates that, unlike all the previous definitions, TO-security is not preserved under observation abstraction. Note that the key difference is that the observations in the system occur in the term , so this is not invariant under observation abstraction, as is the case for , and .
For purposes of comparison to the related literature (viz. [33]), will also consider a slight variant of this definition. Given a policy ↣, for each domain , define the function by and
This definition is just like that of , with the difference that the information that may be transmitted to u by an action a such that but , includes the observation obtained in domain immediately after the occurrence of action a. Intuitively, the definition of security based on this notion will allow that the action a transmits not just the information observable to at the time that it is invoked, but also the new information that it computes and makes observable in . This information is not included in the value itself, since the definition of security will state that the new observation may depend only on this value. The nomenclature in this case is intended to be suggestive of immediate transmission of information about observations.
The following definition follows the pattern of the others, but based is on the functions .
The system M is ITO-secure with respect to ↣ if for all domains and all with , we have .
The following example illustrates a key difference between the notions of TO-security and ITO-security.
Consider another variant of Example 2, for the same policy . States are defined as assignments to the boolean variables , , , all initially 0. Observations are defined by , and . Actions are defined by
This example is not TO-secure, since , but . However, note that , which is distinct from . Thus, this pair of runs is not a violation of ITO-security, and indeed, the system can be shown to be ITO-secure. Intuitively, in this system D declassifies whether there has been an h action, but, at the first time it does so, it is not itself aware of whether this is the case. Only (immediately) after the declassification action has been performed does it learn whether it has declassified the occurrence of an h.
Intuitively, whereas TO-security requires that an agent know prior to performing an action what information that action may cause to be transmitted, ITO-security only requires that it have this knowledge immediately after the action has been performed. This weaker requirement may be appropriate in situations where it is only required for the agent to be able to audit, rather than control, the information flow consequences of its actions.
We now consider how all these definitions of security are related. We begin by noting that it is possible to give a flatter representation of the information in , that clarifies the relationship of this notion to P-security. Define the possibly transmitted view of domain u for a sequence of actions α to be the largest prefix of than ends in an action a with . (In case there is no such action a, we take .) Then we have the following result, which intuitively says that u’s observations depend only on (1) the parts of the views of other agents which are permitted to pass information to u, that they have actually acted to transmit, and (2) u’s knowledge of the ordering of its own actions and the actions of these other agents.
M is TO-secure with respect to a policy ↣ iff for all sequences, and domains , if andfor all domainssuch that, then .
We show that iff and for all domains such that .
For the proof from left to right, we proceed by induction on the combined length of α and . The base case is trivial.
Supposing the claim holds for strings of shorter combined length, consider strings and such that where and . Then , so by induction, we have that and for all domains such that . Since , we have . Similarly, we have that for any v such that , so for all domains such that , as required.
Alternately, suppose where . Then cannot be ε. If the last action of does not interfere with u then we may apply the previous case. Hence, without loss of generality, where , and from we obtain , , and .
From , we have by the induction hypothesis that and for all domains such that . It follows that . Further, it follows that for such that . The proof of this is in two cases: (1) if , then ; (2) if then .
Conversely, for the implication from right to left, we again proceed by induction on the combined length of α and . The base case of is trivial.
Consider the case where the RHS holds for and , where , and the implication from right to left holds for α, . Then from we obtain that . Similarly, for , , we have , so, since we cannot have in the present case, we obtain that . By the inductive hypothesis, it follows that , hence .
Consider the case where the RHS holds for and , where , and the implication from right to left holds for α, . Since , the sequence cannot be ε. We may assume without loss of generality that where , else we may apply the previous case. Thus, from it follows that and . We claim that moreover (1) and (2) , from which it follows that , which is the conclusion required.
We prove (2) first. Since , is one of the domains v for which we have . It follows that , which is (2). Moreover, it also follows from (2) that . For all other domains such that , we have , so in fact the second part of the antecedant of the induction hypothesis is satisfied. Since we already have the first part, i.e., , we obtain (1). □
We note the following property of these definitions.
Letand.
If M is TO-secure andthen.
If M is ITO-secure andthen.
If M is TA-secure andthen.
By induction on . We give the proof for (1), the proofs for (2) and (3) follow a similar structure. The base case of is trivial. Consider sequences of actions and , where , such that .
If , then we have . By the induction hypothesis we get that . Since , we get from TO-security that , which implies that . (Note that implies .) It follows that .
If , then implies that . Let b be the final action in , so that . If , then we may apply the previous case with the roles of and swapped, so we may assume that . It then follows from that and . By the inductive hypothesis we get that . From TO-security and we get that . It now follows in both the case that and the case that that , as required. □
The following result describes how these definitions are related. Like IP-security, the notions P-security, TO-security, ITO-security and TA-security are generalizations of the classical notion of noninterference in the transitive case.
If M is P-secure with respect to ↣ then M is TO-secure with respect to ↣.
If M is TO-secure with respect to ↣ then M is ITO-secure with respect to ↣.
If M is ITO-secure with respect to ↣ then M is TA-secure with respect to ↣.
If M is TA-secure with respect to ↣ then M is IP-secure with respect to ↣.
If ↣ is transitive then P-security, TO-security, ITO-security, TA-security and IP-security (all with respect to ↣) are equivalent.
Part (1) is immediate from Proposition 10. Part (5) follows from parts (1)–(4), using the fact that P-security and IP-security are equivalent with respect to transitive policies (Rushby [35, Theorem 9]).
For part (2), we claim that if then . Part (2) then follows trivially. To see that the claim holds, define the partial functions , for , defined inductively by and , where and , and when . Then it is easily shown that for all , from which the claim is immediate.
We now prove part (3). Assume that M is ITO-secure with respect to ↣. We claim that for all and , if then . The result is then immediate from the definition of TO-security. The proof of the claim is by induction on . The base case of is trivial. Supposing that the claim holds for strings of shorter combined length, suppose , where and . We consider two cases:
. Then , so by the inductive hypothesis we have . Since in this case, it is immediate that .
. We may assume without loss of generality that the last action in also interferes with u, else we may apply the previous case. So let with . Then , from which we get that and and . By induction, we have that and . From the latter, we obtain by ITO-security and Proposition 11 that . Together with this yields that , so by ITO-security, we have . Thus, we also have the stronger statement . It now follows, in both the case that and , that .
To show part (4), we claim that if then . In particular, . Note that this straightforwardly implies that if then , and so if M is TA-secure with respect to ↣ then M is IP-secure with respect to ↣. To prove the claim we proceed by induction. The case of is trivial. Assuming the claim holds for α, consider where . We consider two cases, depending on whether .
If , then . We consider two further subcases. Write if there exists such that .
. Then . Hence
. Then . Hence, from the induction hypothesis and the definitions,
If , then . Thus
This completes the proof of the claim. □
Proof theory for the variants
We showed above that weak unwinding and access control systems provide sound and complete approaches to showing that a system is TA-secure. We will not attempt here to develop a similar theory for the alternatives introduced in this section, but it is worth noting a few applications of the ideas above to the variants.
First, further evidence of the utility of weak unwinding is the following result, which shows that it can be used as a proof technique not just for TA-security, but also for TO-security, provided we work with a particular relation. Define the relations on states of a system M by if . Then we have the following sufficient condition for TO-security.
Suppose the relation familyis a weak unwinding on M with respect to ↣. Then M is TO-secure with respect to ↣.
We claim that implies . The result then follows immediately using OC. The proof of the claim is by induction on the combined length of the sequences α, . In case both are ε, the claim plainly holds. Suppose that it holds for sequences of shorter combined length, and consider the sequences and , where . We consider two cases, depending on whether .
If , then it follows from the definitions that , so by the inductive hypothesis, we have . By LR we moreover have , and we conclude .
If , then we may assume without loss of generality that where , else we may apply the previous case. It then follows from that and and . From the second of these facts, by the inductive hypothesis, we obtain . From the third, since the final observations of the two views must be identical, we also have . By WSC and we obtain , as required. □
Second, Corollary 2 shows that weak access control systems consistent with a policy are TA-secure for that policy. One might wonder if it is possible to strengthen the conclusion to any of the stronger semantics of this section. The following example shows that this is not the case: we cannot further strengthen the conclusion to ITO-security.
Consider the system for the policy with structured states for the set of names , , taking boolean values. Intuitively, these variables represent channels between the agents, so that and . Plainly this is consistent with AOI. We represent states as tuples with the obvious interpretation for . The initial state of the system is . Domain A has actions a with semantics and B has action b with semantics . The observation functions are defined on the state by and . It can be verified that this system satisfies RM1, RM2′, RM3. However, it does not satisfy ITO-security. To see this, consider the sequences b and . Here we have
but .
Notice that in this example, not all of the names observable to a domain have their contents visible in the observation of the domain. Say that a system with structured states is fully observable if in all states s we have . Note that this means that the relations and coincide. We now obtain the following from Propositions 8 and 12. This shows that, modulo the reasonable assumption of full observability, we can derive a result similar to Corollary 2, but with the yet stronger conclusion of TO-security.
If M is a fully observable weak access control system consistent with ↣ then M is TO-secure with respect to ↣.
A similar result does not hold with P-security in place of TO-security.
Note that if in Example 11 we change the definition of to , then the system continues to satisfy RM1, RM2′, RM3 and AOI, and not P-security. The modified system has for all states s. (So it also satisfies TO-security.)
Related work
A great deal of the recent literature on noninterference, has been based on process algebraic semantic models. Work pursuing this direction is surveyed in [14,37]. Process algebraic models are more expressive than the semantic model of the present paper, in a number of dimensions: by allowing actions to have nondeterministic effects and by dropping the assumption of input-enabledness, i.e., allowing that not all actions are enabled at a state. (On the other hand, particularly in CCS formulations, e.g. [33], this literature has often dropped the important distinction between actions and observations, modelling both as events.)
Much of that literature, has been concerned with how to generalize existing definitions of noninterference to the resulting richer semantic setting, for the simplest policy consisting of two domains High and Low, with information flow from High to Low prohibited. This part of the literature is largely orthogonal to our concerns in this paper, in that it does not take up our main themes of intransitive policies, unwinding-based proof theory for those policies, and access control systems as a concrete engineering discipline for the construction of systems satisfying such a policy. As we have argued, there are subtleties concerning these themes even in the simple setting of deterministic, action-enabled systems we have studied.
A few works subsequent to Rushy [35] also address the semantics of intransitive policies. Bevier and Young [5] also work in a state-based model, but accommodate nondeterminism. They consider a definition of security which generalizes IP-security (and therefore suffers from the problem identified in Example 5). They also consider an unwinding-based proof technique, but work with a fixed relation derived from observations rather than allowing a general relation. There are some differences in their model (e.g., transitions are labelled not by actions but by agents) but, in a deterministic setting, their definition of unwinding amounts essentially to the statement that the family is a weak unwinding. Since we showed that this relation is sound for TO-security, which is stronger than IP-security, their unwinding technique is also not complete for their definition of security, even in deterministic systems.
Roscoe and Goldsmith [33] have also argued that IP-security is not the correct definition for intransitive policies. They present a number of concrete examples to make this case, including a policy , intended to represent that D is a “downgrader” process that decides which of the High (H) secrets may safely be revealed to a Low process L. The key point of their argument is that the definition has the effect that a downgrader D’s action permits all information about preceding H actions to become known to L, even if the intent of the downgrading action was to release only some specific information about the preceding H actions. That is, this definition does not enable the intent of specific downgrading actions to be specified. This point has been considered debatable: it might be countered that intransitive noninterference was not intended to make such fine grained distinctions, but only to express some coarse architectural constraints on information flow. Subsequent work (e.g. [7–9]) has taken the approach of enriching the expressiveness of policies in order to capture such finer grained specifications of the downgrader.
Roscoe and Goldsmith propose two alternative semantics for intransitive noninterference, based on the notion of Low-determinism in the context of the process algebra CSP. (This is often misunderstood in the literature as implying that their theory applies only to deterministic systems. In fact, their definitions amount to saying that the possible Low nondeterminism at each step in a particular system is a function of the Low trace, but not of non-deterministic environment events.) The question of how exactly our definitions relate to RG’s definitions requires a treatment of mappings between state machine models and CSP, for which there are a number of plausible candidates. We deal with this topic in another paper [41], where we show that one transformation yields that RG’s definition is equivalent to P-security, but on another transformation, another of RG’s definitions that generalizes the first turns out to be equivalent to ITO-security.
Von Oheimb [43] generalizes Rushby’s definitions to the setting of state-observed systems with nondeterministic actions, and develops a matching generalization of unwinding relations that provides a sound proof technique for the new definition. His semantics is equivalent to IP-security when restricted to deterministic systems, so suffers from the same problems as we have identified in this paper. A discussion of access control systems is included in an appendix, where it is shown that these systems satisfy von Oheimb’s definition of intransitive noninterference. However, the result proved is for a variant of deterministic access control systems, so amounts essentially to a re-presentation of Rushby’s result using von Oheimb’s definition of intransitive noninterference. (The result could presumably also have been proved by noting that von Oheimb’s definition is equivalent to Rushby’s in the deterministic case, and applying Rushbys result.)
Mantel [25] proposes an approach to intransitive policies for nondeterministic systems. He uses a trace-based semantics: a system is represented as a set of possible sequences of events, each associated to a domain. The relationship between Mantel’s approach and the state-based model we have considered in this paper is unclear, even in the deterministic case, for a number of reasons. Mantel introduces a richer notion of policy with three types of binary relations on domains: visibility, confidentiality and “non-confidentiality”. However, he gives very little intuitive explanation of these relations, so it is not immediately apparent how one would represent an equivalence result. In particular, Mantel’s examples suggest that a domain in our model should be decomposed into two domains, for inputs and output events, so the policy writer is required to deal with three types of relations over double the number of domains.
The formal semantics associated with Mantel’s richer policy model is based on an extension of Mantel’s basic security properties [24], which describe closure conditions on the set of traces. Two particular such properties are considered, which allow for deletion and insertion of “confidential” events with respect to a given domain u. (The definitions are similar to the notion of forward correctability [21].) To accommodate intransitive policies, he requires consideration of a generalization of these conditions to certain groups of domains transitively related to u via the visibility relations. Because of these complications, establishing a formal relation between Mantel’s and other approaches would require some effort. (Mantel provides no results to this effect.) However, it appears that since only insertions and deletions of events are covered by Mantel’s semantics, the effect resembles that of the function, so we expect that this approach will behave similarly to IP-security on an appropriately formulated representation of our Example 5, and therefore be distinct from the definitions we have proposed.
Backes and Pfitzmann [3] have stated a number of distinct definitions of intransitive noninterference in a cryptographic setting: their systems model encompasses probabilistic behaviour and notions of distinguishability based on computational complexity. All their definitions take the approach of checking for each pair of domains u and v with that if u is given a bit b at the start of a run, then (subject to conditions that depend on the policy and definition) v has no better than probability of correctly guessing the value of b. This focus on transmission of information about an initial bit suggests that their definitions are not sensitive to the issues of ordering of actions that distinguish our definitions from IP-security.
We have been concerned in this paper with the general class of intransitive policies. These policies are able to express quite general architectures for information flow. A number of papers have addressed a very specific case of such policies, viz., the downgrader policy with and but not . (We note that issues that we raised in Example 5 do not arise for this single downgrader policy.) Mullins [30] states a definition for a nondeterministic labelled transition system model, based on the idea that H actions after the last D action should not impact the possible L traces after that point. Bossi et al. [6] work in the context of a CCS process algebraic semantics. They develop generalizations for the downgrader policy of a range of definitions for the two domain policy , that consider the impact of composition of a system with H processes. Gorrieri and Vernali [17] consider such definitions in the context of a Petri net semantic model.
Another context where downgrading has been studied is the setting of language-based security, where the system is represented as a program, rather than the reactive automaton-based model we have considered. Often the program constructs (other than scheduling of concurrent threads) are deterministic in this setting. The focus is generally on what information flows about a nondeterministically chosen initial state of the system, rather than what actions have been nondeterministically selected over time, as in our models, although this gap can be bridged by representing these actions using an input stream variable [10]. Mantel and Sands [26] have proposed to introduce a programming annotation for downgrading, enabling the programmer to explicitly mark regions of code that are permitted to violate a transitive policy. The approach is synchronous, and does not separate policy from implementation. A similar, but more expressive, approach to downgrading policies is pursued by Chong and Myers [7], who propose a flexible language that attaches downgrading conditions to data items, and then state a security definition that requires that the view of a domain (defined similarly to asynchronous perfect recall) should not be able to distinguish different initial values for a variable, provided the conditions for its declassification are not met. In general, many different dimensions (e.g., who, what, where, when) can be constrained in declassification policies. Sabelfeld and Sands [38] lay out some general principles and directions for research in this area. Frequently, work in this area concentrates on the two-domain setting rather than a general set of domains with an intransitively structured policy. Definitions of security used include both bisimulation/unwinding style definitions (e.g. [26]) as well as definitions based on L knowledge of H initial values [2].
Some definitions of noninterference quantify over agent strategies, to capture additional deductive capacity that the attacker may have based on knowing the behaviour of some agents in the system. One example is nondeducibility on strategies [44], which says that a Low level observer should not be able to distinguish between High level agent strategies. Another is robust declassification [45], which allows downgrading of information, but says that what information is downgraded should not depend on attacker behavior: here the quantification is over Low level strategies. Only a few papers to date [3,6,17] have considered the strategic dimension in the context of intransitive noninterference policies.
A different direction of generalization that has been considered is to allow the policy to change over time. How to define semantics for such dynamic policies has been studied both in the state-machine setting using extensions of IP-security [11,23], as well as in a language-based framework [1].
Conclusion
Our results have left open a number of technical questions. We have shown that weak unwindings provide a complete proof technique for TA-security, but have not provided a complete technique for TO-security. The reason for this is that there is inherently no tractable set of conditions on the states of the system that characterizes TO-security. We treat this topic in a followup paper [12] which deals with the complexity of the notions of security discussed in this paper.
Our discussion has concentrated on a semantic model in which observations are associated to states. Rushby [35] also formulates a notion of IP-security on a model where instead of state observations, actions produce outputs, and proves similar results concerning unwinding and access control systems for this model. We treat the relationship between the two models in a companion paper [41], where we formulate a set of security notions for the action-observed model and show how these are related to the state-observed model under a transformations from the former to the latter. We also consider mappings to CSP processes there, and relate the definitions discussed in this paper to Roscoe and Goldsmith’s definitions on CSP processes.
How to accommodate quantification over strategies with our new definitions is at present unclear. Another area requiring investigation is the generalization of our definitions to nondeterministic systems and systems that are not input-enabled, as has been studied for IP-security by von Oheimb [43]. More generally, one could consider extensions to the richer semantic framework of process algebra.
Both the fact, as argued by RG, that the notion of (intransitive) noninterference on its own falls short of expressing the correctness properties of downgraders that they sought to capture, and the fact, as we have shown, that there are several plausible notions of noninterference for intransitive policies, suggests that the notion of noninterference policy expressed by a relation ↣ on domains lacks expressiveness that will be required in applications. We believe further work on richer formats for the expression of causality and information flow policies is warranted. The approach we have followed in this paper, of comparing an agent’s actual information to an intuitive concrete operational model of the maximal information that an agent is permitted to have and transmit, could well be useful in this enterprise. Some steps in this direction are taken in [8,9].
It would also be of interest to develop connections between language-based approach and the automaton based formulations of security. One possible point of connection is to use language-based techniques to verify the reference monitor conditions of access control models. Another is to use our semantic approach as a basis for language-based analyses of reactive systems described in a programming notation.
Footnotes
Acknowledgments
Thanks to the Courant Institute, New York University, for hosting a sabbatical visit during which this research was conducted. Work of the author supported by an Australian Research Council Discovery grant.
References
1.
A.Askarov and S.Chong, Learning is change in knowledge: knowledge-based security for dynamic policies, in: Proc. IEEE Computer Security Foundations Symposium, 2012, pp. 308–322.
2.
A.Askarov and A.Sabelfeld, Gradual release: unifying declassification, encryption and key release policies, in: Proc. IEEE Symposium Security and Privacy, 2007, pp. 207–221.
3.
M.Backes and B.Pfitzmann, Intransitive non-interference for cryptographic purposes, in: Proc. IEEE Symp. Security and Privacy, 2003, pp. 140–152.
4.
D.E.Bell and L.J.La Padula, Secure computer system: unified exposition and multics interpretation, Technical Report ESD-TR-75-306, Mitre Corporation, Bedford, MA, March 1976.
5.
W.R.Bevier and W.D.Young, A state-based approach to noninterference, in: Proc. IEEE Computer Security Foundations Workshop, 1994, pp. 11–21.
6.
A.Bossi, C.Piazza and S.Rossi, Modelling downgrading in information flow security, in: Proc. IEEE Computer Security Foundations Workshop, 2004, pp. 187–201.
7.
S.Chong and A.C.Myers, Security policies for downgrading, in: 11th ACM Conf. Computer and Communications Security (CCS), October 2004, 2004.
8.
S.Chong and R.van der Meyden, Deriving epistemic conclusions from agent architecture, in: Proc. Conf. Theoretical Aspects of Knowledge and Rationality, ACM Digital Library, 2009, pp. 61–70.
9.
S.Chong and R.van der Meyden, Using architecture to reason about information security, in: Proc. Layered Assurance Workshop, 2012, pp. 1–12, available at: http://www.acsac.org/2012/workshops/law/.
10.
D.Clark and S.Hunt, Non-interference for deterministic interactive programs, in: Proc. Workshop on Formal Aspects in Security and Trust, FAST’08, LNCS, Vol. 5491, Springer, 2009, pp. 50–66.
11.
S.Eggert, H.Schnoor and T.Wilke, Noninterference with local policies, in: MFCS, LNCS, Vol. 8087, Springer, 2013, pp. 337–348.
12.
S.Eggert, R.van der Meyden, H.Schnoor and T.Wilke, The complexity of intransitive noninterference, in: Proc. IEEE Symposium on Security and Privacy, 2011, pp. 196–211.
13.
R.Fagin, J.Y.Halpern, Y.Moses and M.Y.Vardi, Reasoning About Knowledge, MIT Press, 1995.
14.
R.Focardi and R.Gorrieri, Classification of security properties (Part I: information flow), in: Foundations of Security Analysis and Design, FOSAD 2000, Bertinoro, Italy, September 2000, R.Focardi and R.Gorrieri, eds, LNCS, Vol. 2171, Springer, 2001, pp. 331–396.
15.
J.A.Goguen and J.Meseguer, Security policies and security models, in: Proc. IEEE Symp. on Security and Privacy, Oakland, 1982, pp. 11–20.
16.
J.A.Goguen and J.Meseguer, Unwinding and inference control, in: IEEE Symp. on Security and Privacy, 1984, pp. 75–87.
17.
R.Gorrieri and M.Vernali, On intransitive non-interference in some models of concurrency, in: Foundations of Security Analysis and Design VI – FOSAD Tutorial Lectures, LNCS, Vol. 6858, Springer, 2011, pp. 125–151.
18.
D.Greve, M.Wilding and M.Vanfleet, A separation kernel formal security policy, in: Proc. Fourth International Workshop on the ACL2 Theorem Prover and Its Applications, 2003, Paper and associated proof scripts available at: http://www.cs.utexas.edu/users/moore/acl2/workshop-2003/.
19.
J.T.Haigh and W.D.Young,
Extending the noninterference version of MLS for SAT, IEEE Trans. on Software EngineeringSE-13(2) (1987), 141–150.
20.
C.L.Heitmeyer, M.Archer, E.I.Leonard and J.D.McLean, Formal specification and verification of data separation in a separation kernel for an embedded system, in: Proc. ACM Conf. on Computer and Communications Security, 2006, pp. 346–355.
21.
D.M.Johnson and F.J.Thayer, Security and the composition of machines, in: Proc. IEEE Security Foundations Workshop, 1988, pp. 72–89.
22.
M.N.Krohn and E.Tromer, Noninterference for a practical DIFC-based operating system, in: IEEE Symp. on Security and Privacy, 2009, pp. 61–76.
23.
R.Leslie, Dynamic intransitive noninterference, in: Proc. IEEE Int. Symp. on Secure Software Engineering, 2006.
24.
H.Mantel, Possibilistic definitions of security – an assembly kit, in: Proc. IEEE Computer Security Foundations Workshop, 2000, pp. 185–199.
25.
H.Mantel, Information flow control and applications – bridging a gap, in: FME 2001: Formal Methods for Increasing Software Productivity, Proc. Int. Symp. of Formal Methods Europe, LNCS, Vol. 2021, Springer, 2001, pp. 153–172.
26.
H.Mantel and D.Sands, Controlled declassification based on intransitive noninterference, in: Proc. Asian Symp. on Programming Languages and Systems, LNCS, Vol. 3302, Springer-Verlag, 2004, pp. 129–145.
27.
W.B.Martin, P.White, A.Goldberg and F.S.Taylor, Formal construction of the mathematically analyzed separation kernel, in: Proc. 15th IEEE Int. Conf. on Automated Software Engineering, 2000, pp. 133–141.
28.
D.McCullough, Noninterference and the composability of security properties, in: Proc. IEEE Symp. on Security and Privacy, 1988, pp. 177–186.
29.
J.McLean, Reasoning about security models, in: Proc. IEEE Conf. on Security and Privacy, 1987, pp. 123–131.
M.C.Pease, R.E.Shostak and L.Lamport,
Reaching agreement in the presence of faults, J. ACM27(2) (1980), 228–234.
32.
C.Percival, Cache missing for fun and profit, available at: http://www.daemonology.net/papers/htt.pdf.
33.
A.W.Roscoe and M.H.Goldsmith, What is intransitive noninterference? in: IEEE Computer Security Foundations Workshop, 1999, pp. 228–238.
34.
J.Rushby,
Design and verification of secure systems, ACM Operating Systems Review15(1) (1981), 12–21.
35.
J.Rushby, Noninterference, transitivity, and channel-control security policies, Technical Report CSL-92-02, SRI International, December 1992.
36.
P.Y.Ryan, Mathematical models of computer security, in: Foundations of Security Analysis and Design, FOSAD 2000, Bertinoro, Italy, September 2000, R.Focardi and R.Gorrieri, eds, LNCS, Vol. 2171, Springer, 2001, pp. 1–62.
37.
P.Y.A.Ryan and S.A.Schneider,
Process algebra and non-interference, Journal of Computer Security9(1,2) (2001), 75–103.
38.
A.Sabelfeld and D.Sands, Dimensions and principles of declassification, in: Proceedings of the 18th IEEE Computer Security Foundations Workshop, IEEE Computer Society Press, 2005, pp. 255–269.
39.
G.Schellhorn, W.Reif, A.Schairer, P.A.Karger, V.Austel and D.C.Toll,
Verified formal security models for multiapplicative smart cards, Journal of Computer Security10(4) (2002), 339–368.
40.
D.Sutherland, A model of information, in: Proc. 9th National Computer Security Conf., 1986, pp. 175–183.
41.
R.van der Meyden, A comparison of semantic models of intransitive noninterference, December 2007, Unpublished manuscript, available at: http://www.cse.unsw.edu.au/~meyden.
42.
R.van der Meyden and C.Zhang,
A comparison of semantic models for noninterference, Theoretical Computer Science411(47) (2010), 4123–4147.
43.
D.von Oheimb, Information flow control revisited: Noninfluence = Noninterference + Nonleakage, in: Computer Security – ESORICS 2004, LNCS, Vol. 3193, Springer, 2004, pp. 225–243.
44.
J.T.Wittbold and D.M.Johnson, Information flow in nondeterministic systems, in: Proc. IEEE Symp. on Security and Privacy, 1990, pp. 144–161.
45.
S.Zdancewic and A.C.Myers, Robust declassification, in: Proc. IEEE Computer Security Foundations Workshop, 2001.