## Noninterference, transitivity and channel-control security policies (1992)

Citations: 125 (0 self)

### BibTeX

```bibtex
@TECHREPORT{Rushby92noninterference,
  author      = {John Rushby},
  title       = {Noninterference, transitivity and channel-control security policies},
  institution = {},
  year        = {1992}
}
```


### Abstract

We consider noninterference formulations of security policies [7] in which the “interferes” relation is intransitive. Such policies provide a formal basis for several real security concerns, such as channel control [17, 18] and assured pipelines [4]. We show that the appropriate formulation of noninterference for the intransitive case is that developed by Haigh and Young for “multidomain security” (MDS) [9, 10]. We construct an “unwinding theorem” [8] for intransitive policies and show that it differs significantly from that of Haigh and Young. We argue that their theorem is incorrect. A companion report [22] presents a mechanically-checked formal specification and verification of our unwinding theorem. We consider the relationship between transitive and intransitive formulations of security. We show that the standard formulations of noninterference and unwinding [7, 8] correspond exactly to our intransitive formulations, specialized to the transitive case. We show that transitive

### Citations

133 | Design and Verification of Secure Systems
- Rushby
- 1981
- Context: ...interference formulations of security policies [7] in which the “interferes” relation is intransitive. Such policies provide a formal basis for several real security concerns, such as channel control [17, 18], and assured pipelines [4]. We show that the appropriate formulation of noninterference for the intransitive case is that developed by Haigh and Young for “multidomain security” (MDS) [9, 10]. We con...

46 | Extending the noninterference version of MLS for SAT
- Haigh, Young
- 1987
- Context: ...ontrol [17, 18], and assured pipelines [4]. We show that the appropriate formulation of noninterference for the intransitive case is that developed by Haigh and Young for “multidomain security” (MDS) [9, 10]. We construct an “unwinding theorem” [8] for intransitive policies and show that it differs significantly from that of Haigh and Young. We argue that their theorem is incorrect. A companion report [22...

32 | A Comment on the ‘Basic Security Theorem’
- McLean
- 1985
- Context: ...ove inadequate. Second, it is easy to construct perverse interpretations of access control policies that satisfy the letter, but not the intent of the policy, to the point of being obviously unsecure [13, 14]. The proponents of access control formulations counter that interpretations or implementations must be “faithful representations” of the model, but they provide no formal definition of that term. In ...

31 | Reasoning about Security Models
- McLean
- 1987
- Context: ...ove inadequate. Second, it is easy to construct perverse interpretations of access control policies that satisfy the letter, but not the intent of the policy, to the point of being obviously unsecure [13, 14]. The proponents of access control formulations counter that interpretations or implementations must be “faithful representations” of the model, but they provide no formal definition of that term. In ...

31 | Kernels for safety
- Rushby
- 1989
- Context: ...p effective methods for verifying mechanisms that enforce such policies. We also plan to explore the connection between intransitive noninterference policies and the class of properties, discussed in [21], that can be enforced by kernelization. Bibliography [1] D.H. Barnes. The provision of security for user data on packet switched networks. In Proc. 1983 IEEE Symposium on Security and Privacy, pag...

23 | An introduction to formal specification and verification using EHDM
- Rushby, Henke, et al.
- 1991
- Context: ...rather formally and describe the proofs in detail. Part III of this report describes the formal verification of our main theorem using the Ehdm formal specification and verification system [23]. This part of the report is organized as follows. In the next chapter we present a development of the standard noninterference formulation of security, and then consider the relationship betwee...

16 | A model for verification of data security in operating systems
- Popek, Farber
- 1978
- Context: ...ond of the Reference Monitor Assumptions specified in Definition 5 above. This problem of specifying what it means for an operation to “reference” a location has been studied before; Popek and Farber [16], for example, construct the dual notion “NoRef” as follows. First, for $n \in N$, define the equivalence relation $\stackrel{n}{\sim}$ by $s \stackrel{n}{\sim} t \stackrel{\text{def}}{=} (\forall m \in N : \mathit{contents}(s, m) = \mathit{contents}(t, m) \vee m = n)$. That is, s ...

16 | Proof of Separability: A verification technique for a class of security kernels
- Rushby
- 1982
- Context: ...l-control policies and their ilk. An early attempt to provide a formal method for verifying, though not specifying, channel-control policies was based on a technique for verifying complete separation [17, 19]. The idea was to remove the mechanisms that provided the intended channels, and then prove that the components of the resulting system were isolated. This approach has rec...

13 | A Separation Model for Virtual Machine Monitors. Research in Security and Privacy
- Kelem, R.
- 1991
- Context: ... of the resulting system were isolated. This approach has recently been shown to be subtly flawed [11], although the method for establishing complete separation has survived fairly intensive scrutiny [12, 24] with only minor emendations. The success of noninterference formulations in explicating multilevel security policies naturally invites consideration of a noninterference foundation for channel-control...

12 | Comparison Paper between the Bell and LaPadula Model and the SRI Model
- Taylor
- 1984
- Context: ...lating them. Such actions are called “rules” by Bell and La Padula, who gave a representative set in their Multics interpretation [3]. Two of these rules are known to permit unsecure information flow [15, 25]. The reason for this is that the access control “table” and other implementation-level state data of the reference monitor are not treated as objects in the Bell and La Padula model; although the mod...

8 | Extending the non-interference model of MLS for SAT
- Haigh, Young
- 1986
- Context: ...ontrol [17, 18], and assured pipelines [4]. We show that the appropriate formulation of noninterference for the intransitive case is that developed by Haigh and Young for “multidomain security” (MDS) [9, 10]. We construct an “unwinding theorem” [8] for intransitive policies and show that it differs significantly from that of Haigh and Young. We argue that their theorem is incorrect. A companion report [22...

7 | Computer security models
- Millen, Cerniglia
- 1983
- Context: ...lating them. Such actions are called “rules” by Bell and La Padula, who gave a representative set in their Multics interpretation [3]. Two of these rules are known to permit unsecure information flow [15, 25]. The reason for this is that the access control “table” and other implementation-level state data of the reference monitor are not treated as objects in the Bell and La Padula model; although the mod...

6 | The security model of Enhanced HDM
- Rushby
- 1984
- Context: ...sequent outputs seen by v. Noninterference has been quite successful in providing formal underpinnings for military multilevel security policies and for the methods of verifying their implementations [8, 20]. There are, however, a number of practical security problems that seem beyond the scope of noninterference formulations. One of these is “channel-control,” first formulate...

1 | A note on the use of separability for the detection of covert channels
- Jacob
- 1989
- Context: ...6. IEEE Computer Society. [10] J. Thomas Haigh and William D. Young. Extending the noninterference version of MLS for SAT. IEEE Transactions on Software Engineering, SE-13(2):141–150, February 1987. [11] Jeremy Jacob. A note on the use of separability for the detection of covert channels. Cipher: The Newsletter of the IEEE Technical Committee on Security and Privacy, pages 25–33, Summer 1989. [12] Nan...

1 | Formal verification of the unwinding theorem for intransitive noninterference security policies
- Rushby
- 1991
- Context: ...10]. We construct an “unwinding theorem” [8] for intransitive policies and show that it differs significantly from that of Haigh and Young. We argue that their theorem is incorrect. A companion report [22] presents a mechanically-checked formal specification and verification of our unwinding theorem. We consider the relationship between transitive and intransitive formulations of security. We show that...

1 | Separability and security models
- Sennett, Macdonald
- 1987
- Context: ... of the resulting system were isolated. This approach has recently been shown to be subtly flawed [11], although the method for establishing complete separation has survived fairly intensive scrutiny [12, 24] with only minor emendations. The success of noninterference formulations in explicating multilevel security policies naturally invites consideration of a noninterference foundation for channel-control...