Security Levels (Classes)
The most basic model is a two-level policy, i.e., each variable is classified into one of two security levels:
- H, meaning high security, secret information
- L, meaning low security, public observable information
h = getPassword(); // h is high security
broadcast(l); // l is low security
Security levels can be modeled as a lattice
Information Flow Policy
- Restricts how information flows between different security levels
- Noninterference policy
- Requires that the information in high variables has no effect on (i.e., does not interfere with) the information in low variables
- Intuitively, you should not be able to conclude anything about high information by observing low variables
Confidentiality: Prevent secret information from being leaked.
Information flow security from another perspective:
Integrity: Prevent untrusted information from corrupting (trusted) critical information.
x = readInput(); // untrusted
cmd = "..." + x;
execute(cmd); // critical (trusted)
Implicit Flows
- This kind of information flow is called an implicit flow, which may arise when the control flow is affected by secret information.
- Any differences in side effects under secret control encode information about the control, which may be publicly observable and leak secret information.
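The following is an added example, not code from the slides: a small information flow checker for a tiny imperative language in the style of Volpano and Smith's security type system. It encodes the two-point lattice L ⊑ H as a join/flows-to pair, and it tracks a program-counter label `pc` so that an assignment inside a branch whose condition depends on `h` is treated as carrying `H` data even when the assigned value is a constant. That is exactly how the implicit flow `if h > 0: l = 1 else: l = 0` is caught alongside the explicit flow `l = h`. The tuple-based AST, the variable names and the label environment `ENV` are all constructed for this example.

```python
"""Two-level information flow checker for a tiny imperative language.

Added example (not from the lecture slides). Labels are the two-point
lattice L (public) below H (secret); the AST is made of plain tuples.
"""

# Security lattice: a larger index is a higher (more secret) level.
LEVELS = {"L": 0, "H": 1}


def join(a: str, b: str) -> str:
    """Least upper bound: the label of data derived from both a and b."""
    return a if LEVELS[a] >= LEVELS[b] else b


def flows_to(src: str, dst: str) -> bool:
    """Information may flow from src into dst only if src is below dst."""
    return LEVELS[src] <= LEVELS[dst]


# Expressions: ("const", value) | ("var", name) | ("binop", op, lhs, rhs)
def expr_label(expr, env):
    """Label of an expression: join of the labels of every variable it reads."""
    kind = expr[0]
    if kind == "const":
        return "L"                      # literals carry no secret
    if kind == "var":
        return env[expr[1]]
    if kind == "binop":
        return join(expr_label(expr[2], env), expr_label(expr[3], env))
    raise ValueError(f"unknown expression {expr!r}")


# Statements: ("assign", name, expr) | ("if", cond, then, else_or_None) |
#             ("while", cond, body)  | ("seq", [stmts])
def check(stmt, env, pc="L", violations=None):
    """Return a list of flow violations found in stmt.

    pc is the label of the control context: it is raised to the label of
    every enclosing branch condition, which is what exposes implicit flows.
    """
    if violations is None:
        violations = []
    kind = stmt[0]
    if kind == "assign":
        _, name, expr = stmt
        # The written value depends on the expression AND on the fact that
        # this assignment executed at all, hence the join with pc.
        lab = join(expr_label(expr, env), pc)
        if not flows_to(lab, env[name]):
            violations.append(f"{lab} -> {env[name]} in assignment to {name}")
    elif kind == "if":
        _, cond, then_s, else_s = stmt
        pc2 = join(pc, expr_label(cond, env))
        check(then_s, env, pc2, violations)
        if else_s is not None:
            check(else_s, env, pc2, violations)
    elif kind == "while":
        _, cond, body = stmt
        check(body, env, join(pc, expr_label(cond, env)), violations)
    elif kind == "seq":
        for s in stmt[1]:
            check(s, env, pc, violations)
    else:
        raise ValueError(f"unknown statement {stmt!r}")
    return violations


# Constructed label environment: h is secret, l and l2 are public.
ENV = {"h": "H", "l": "L", "l2": "L"}

# l = h : explicit flow from H to L.
EXPLICIT_LEAK = ("assign", "l", ("var", "h"))

# if h > 0: l = 1 else: l = 0 : implicit flow, both branches are flagged.
IMPLICIT_LEAK = ("if", ("binop", ">", ("var", "h"), ("const", 0)),
                 ("assign", "l", ("const", 1)),
                 ("assign", "l", ("const", 0)))

# h = l; if l: h = 1 else: l2 = l : every flow goes upward or stays low.
SAFE = ("seq", [("assign", "h", ("var", "l")),
                ("if", ("var", "l"),
                 ("assign", "h", ("const", 1)),
                 ("assign", "l2", ("var", "l")))])

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT_LEAK),
                       ("implicit", IMPLICIT_LEAK),
                       ("safe", SAFE)]:
        print(name, check(prog, ENV) or "ok")
```

The same checker enforces the integrity policy from the slide if the lattice is read the other way round: label trusted data `L` and untrusted input `U` above it, and `cmd = "..." + x` with `x` untrusted and `cmd` trusted is rejected for the same reason `l = h` is.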