The Complexity of Intransitive Noninterference

Eggert, Sebastian; Meyden, Ron van der; Schnoor, Henning; Wilke, Thomas

doi:10.1109/sp.2011.30

Cited by 11 publications

(5 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since automatic analysis of information-flow security is still restricted by the size of state space ( [43], [44]), it is difficult to deal with operating system kernels so far. Automatic analysis techniques (e.g.…”

Section: Methods Overviewmentioning

confidence: 99%

Refinement-Based Specification and Security Analysis of Separation Kernels

Zhao

Sanán

Zhang

et al. 2019

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Assurance of information-flow security by formal methods is mandated in security certification of separation kernels. As an industrial standard for improving safety, ARINC 653 has been complied with by mainstream separation kernels. Due to the new trend of integrating safe and secure functionalities into one separation kernel, security analysis of ARINC 653 as well as a formal specification with security proofs are thus significant for the development and certification of ARINC 653 compliant Separation Kernels (ARINC SKs). This paper presents a specification development and security analysis method for ARINC SKs based on refinement. We propose a generic security model and a stepwise refinement framework. Two levels of functional specification are developed by the refinement. A major part of separation kernel requirements in ARINC 653 are modeled, such as kernel initialization, two-level scheduling, partition and process management, and inter-partition communication. The formal specification and its security proofs are carried out in the Isabelle/HOL theorem prover. We have reviewed the source code of one industrial and two open-source ARINC SK implementations, i.e. VxWorks 653, XtratuM, and POK, in accordance with the formal specification. During the verification and code review, six security flaws, which can cause information leakage, are found in the ARINC 653 standard and the implementations.

show abstract

Section: Methods Overviewmentioning

confidence: 99%

Refinement-Based Specification and Security Analysis of Separation Kernels

Zhao

Sanán

Zhang

et al. 2019

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…(See [34] for an example that demonstrates that, already for static policies, we do not obtain completeness if we require that the unwinding be defined over the states of the system M itself. A more complex type of unwinding on the system M itself is shown to be complete for TA-security of static policies in [12]. It would be interesting to develop a generalization of this to the dynamic case, but we leave this for future work.)…”

Section: Proof Technique For Ta -Securitymentioning

confidence: 99%

Dynamic intransitive noninterference revisited

Eggert

Meyden

2017

Form. Asp. Comput.

Self Cite

View full text Add to dashboard Cite

The paper studies dynamic information flow security policies in an automaton-based model. Two semantic interpretations of such policies are developed, both of which generalize the notion of TA-security [van der Meyden ESORICS 2007] for static intransitive noninterference policies. One of the interpretations focuses on information flows permitted by policy edges, the other focuses on prohibitions implied by absence of policy edges. In general, the two interpretations differ, but necessary and sufficient conditions are identified for the two interpretations to be equivalent. Sound and complete proof techniques are developed for both interpretations. Two applications of the theory are presented. The first is a general result showing that access control mechanisms are able to enforce a dynamic information flow policy. The second is a simple capability system motivated by the Flume operating system.

show abstract

“…We focus in this paper on intransitive policies in the concurrent system in which the actions are disordered. The complexity of intransitive noninterference was well discussed in [24] and [25]. Now we will give a table to compare the definition of information flow security for transitive and intransitive policies.…”

Section: Related Workmentioning

confidence: 99%

“…Paper [10] shows how to automate the resulting timed noninterference check within the context of the recent extension of FDR [12] to analyze a discrete version of Timed CSP [13] and how an extended theory of digitization has the potential both to create more accurate specifications and to infer when processes are non-interfering in the more usual continuous-time semantics. A theory was developed for state-based noninterference in a setting where different security policies-we call them local policies-apply in different parts of a given system [25].…”

Section: Introductionmentioning

confidence: 99%