Security models and information flow

Abstract

A theory of information flow is developed that differs from that of nondeducibility, which is seen to be a theory of information sharing. The theory is used to develop a flow-based security model (FM) and to show that the proper treatment of security-relevant causal factors in such a framework is very tricky. Using FM as a standard for comparison, an examination is made of interference, generalized noninterference, and extensions to noninterference designed to protect high-level output, and it is seen that the proper treatment of causal factors in such models requires programs to be considered as explicit input to systems. This gives a new perspective on security levels. The model of D.E. Bell and L.J. LaPadula (1973), on the other hand, more successfully models security-relevant causal information, although this success is bought at the expense of the model being vague about its primitives. This vagueness is examined with respect to the claim that the Bell-LaPadula model and noninterference are equivalent.