Security Levels (Classes)

• The most basic model is two-level policy, i.e., a variable is classified into one of two security levels:

  • H, meaning high security, secret information
  • L, meaning low security, public observable information

  h = getPassword();  // h is high security
  broadcast(l);       // l is low security
  

• Security levels can be modeled as lattice

  • L ≤ H

Information Flow Policy

• Restricts how information flow between different security levels
• Noninterference policy
  • Requries the information of high variables have no effect on (i.e., should not interfere with) the information of low variables
  • Intuitively, you should not be able to conclude anything about high information by observing low variables

Confidentiality: Prevent secret information from being leaked. Information flow security from another perspective,

Integrity: Prevent untrusted information from corrupting (trusted) critical information.

x = readInput();  // untrusted
cmd = "..." + x;  
execute(cmd);     // critical (trusted)

Implicit Flows

• This kinds of information flow is called implicit flow, which may arise when the control flow is affected by secret information.
• Any differences in side effects under secret control encode information about the control, which may be publicly observable and leak secret information.