Abstract
This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by the semantics of information flow. The lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security. The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches. It also leads to the construction of automatic program certification mechanisms for verifying the secure flow of information through a program.