Results 1 - 10 of 15
Secure databases: Constraints, inference channels, and monitoring disclosures
IEEE Trans. Knowledge and Data Engineering, 2000
Cited by 18 (7 self)
Abstract: This paper investigates the problem of inference channels that occur when database constraints are combined with nonsensitive data to obtain sensitive information. We present an integrated security mechanism, called the Disclosure Monitor, which guarantees data confidentiality by extending the standard mandatory access control mechanism with a Disclosure Inference Engine. The Disclosure Inference Engine generates all the information that can be disclosed to a user based on the user's past and present queries and the database and metadata constraints. The Disclosure Inference Engine operates in two modes: data-dependent mode, when disclosure is established based on the actual data items, and data-independent mode, when only queries are utilized to generate the disclosed information. The disclosure inference algorithms for both modes are characterized by the properties of soundness (i.e., everything that is generated by the algorithm is disclosed) and completeness (i.e., everything that can be disclosed is produced by the algorithm). The technical core of this paper concentrates on the development of sound and complete algorithms for both data-dependent and data-independent disclosures. Index Terms: Multilevel security, data confidentiality, inference problem, constraints, data-dependent disclosure, data-independent disclosure, inference algorithms, soundness, completeness, decidability.
A Security Model of Dynamic Labeling Providing a Tiered Approach to Verification
In Proceedings of the IEEE Symposium on Security and Privacy, 1996
Cited by 13 (0 self)
In the proposed mandatory access control model, arbitrary label changing policies can be expressed. The relatively simple model can capture a wide variety of security policies, including high-water marks, downgrading, separation of duties, and Chinese Walls. The model forms the basis for a tiered approach to the formal development of secure systems, whereby security verification can be spread across what makes up the reference monitor and the security requirement specification. The advantage of this approach is that once a trusted computing base (TCB) is in place, reconfiguring it for different security requirements requires verification of just the new requirements. We illustrate the approach with a number of examples, including one policy that permits high-level subjects to make relabeling requests on low-level objects; the policy is multilevel secure. 1. Introduction Information-flow policy models that support dynamic labeling, where information labels can change in time, have been ...
Aggregation and Separation as Noninterference Properties
Journal of Computer Security, 1992
Cited by 12 (8 self)
This paper proposes a notation that can be used to describe information flow policies that may have transitivity, aggregation and separation (of duty) exceptions. Operators for comparing, composing and abstracting these policies are described. These allow complex policies to be built from simpler policies. A formal semantics is given based on the notion of noninterference for deterministic systems. An unwinding of this definition is developed that can be used for any policy that does not contain a separation exception.
Maximizing Sharing of Protected Information
2002
Cited by 10 (7 self)
... In this paper we address the problem of classifying information by enforcing explicit data classification as well as inference and association constraints. We formulate the problem of determining a classification that ensures satisfaction of the constraints, while at the same time guaranteeing that information will not be overclassified. We present an approach to the solution of this problem and give an algorithm implementing it which is linear in simple cases, and quadratic in the general case. We also analyze a variant of the problem that is NP-complete.
Specification and Enforcement of Classification and Inference Constraints
IEEE Symposium on Security and Privacy, 1999
Cited by 9 (3 self)
Although mandatory access control in database systems has been extensively studied in recent years, and several models and systems have been proposed, capabilities for enforcement of mandatory constraints remain limited. Lack of support for expressing and combating inference channels that improperly leak protected information remains a major limitation in today’s multilevel systems. Moreover, the working assumption that data are classified at insertion time makes previous approaches inapplicable to the classification of existing, possibly historical, data repositories that need to be classified for release. Such a capability would be of great benefit to, and appears to be in demand by, governmental, public, and private institutions. We address the problem of classifying existing data
Local Reconfiguration Policies
In IEEE Symposium on Security and Privacy. IEEE Computer Society, 1999
Cited by 8 (0 self)
Survivable systems are modelled abstractly as collections of services supported by any of a set of configurations of components. Reconfiguration to restore services as a result of component failure is viewed as a kind of "flow" analogous to information flow. We apply Meadows' theorem on dataset aggregates to characterize the maximum safe flow policy. For reconfiguration, safety means that services are preserved and that reconfiguration rules may be stated and applied locally, with respect to just the failed components. 1. Introduction System survivability is concerned with the ability (of a distributed computer system) to continue to make resources available, despite adverse circumstances including hardware malfunctions, software flaws, malicious user activities, and environmental hazards such as electronic interference ([9], p. 97). It is a higher-level property that includes computer and network security, fault tolerance, and assurance [10]. Survivability can be investigated fr...
A Classical Automata Approach to Noninterference Type Problems
In: The Computer Security Foundations Workshop V proceedings: June 16--18, 1992, the Franconia Inn, 1992
Cited by 8 (0 self)
Using classical automata theory we show how noninterference can be viewed as a relatively simple phenomenon. We also give direction for future work concerning probabilistic security problems using classical automata theory. 1 Introduction Many models have been proposed to model a secure computer system. Some of the representative early models are by Harrison et al. [10], Denning [4], and the often mentioned Bell-LaPadula model [3]. Depending on how one interprets concepts such as "subject/user" and "object" it is not clear whether or not covert channels are taken into consideration in these models. Noninterference [6, 7] was a concrete approach at preventing improper information flow in a deterministic system. Nondeducibility [21] was a more abstract attempt at looking at possible non-secure information flow in a secure system, i.e., a covert channel. Restrictiveness [12, 13] was ostensibly developed as a nondeterministic analog of noninterference to repair purported problems involved...
Security Engineering of Lattice-Based Policies
In Proceedings of 10th IEEE Computer Security Foundations Workshop, 1997
Cited by 7 (2 self)
This paper describes an algebraic approach to the security engineering of lattice policies. The approach extends earlier lattice and algebraic work [13, 20, 24], and has two main goals. First, it seeks to model access control policies with anti-symmetry, reflexivity and transitivity exceptions using a lattice, and to propose an information flow security definition for the resulting set (POL) of policies. Second, it supports a constructive approach to policy specification through an algebraic structure (POL, AND, OR, NOT, j, ). This structure is homomorphic to Boolean algebra. The approach's goals and design decisions are influenced by the context in which it is being used: a library of reusable security components with tools to facilitate their reuse for securing application systems. Key Words: Security engineering, lattice policy modeling, information flow security. 1. Introduction 1.1. Context The context of this paper is systems in which application security policies are repres...
Reasoning About Confidentiality Requirements
1994
Cited by 3 (2 self)
Reflexive flow policies provide abstract characterizations of certain multilevel confidentiality requirements. This paper describes how reflexive flow policies can be used to construct and reason about large/complex multilevel policies. In particular, we describe how reflexive policies can be used to develop and reason about security policies for multilevel relational databases. Our approach facilitates a study of the relationship between security policy design and database design. 1 Introduction Multilevel security is often associated with the military style classification ordering unclass < secret < topsec. However, multilevel or lattice based orderings have a wider application than simple military oriented policies. For example, lattices can be used to describe commercial Chinese wall policies [7, 14, 18] and a range of other general confidentiality policies [8, 15, 18]. We believe there are a number of potential problems when developing such large/complex lattice based confidential...
Configuring storage-area networks for mandatory security
In 18th Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 2004
Cited by 1 (1 self)
Storage-area networks are a popular and efficient way of building large storage systems both in an enterprise environment and for multi-domain storage service providers. In both environments the network and the storage have to be configured to ensure that the data is maintained securely and can be delivered efficiently. In this paper we describe a model of mandatory security for multi-domain storage services that is flexible enough to reflect the data requirements, tractable for the administrator, and implementable as part of an automatic configuration system. We describe the model abstractly, its implementation as part of a prototype SAN configuration system written in OPL, and illustrate its operation on a set of sample configurations.