Noninterference and the composability of security properties

  • Authors:
  • Daryl McCullough

  • Affiliations:
  • Odyssey Research Associates, Ithaca, NY

  • Venue:
  • SP'88 Proceedings of the 1988 IEEE conference on Security and privacy
  • Year:
  • 1988

Abstract

In this paper, I discuss the problem of composability of multi-level security properties, particularly the noninterference property and some of its generalizations. Through examples I attempt to show that some of these security properties do not compose: it is possible to connect two systems, both of which are judged to be secure, such that the composite system is not secure. Although the examples are "cooked up" to make a point, there is nothing especially tricky done; I make sure that outputs from one system become inputs to the other machine at the same security level, and use a standard notion of parallel composition of systems (see [Hoare 85]). The final property I introduce, which I call restrictiveness (formerly it was called "hook-up security"), is generally composable, so that connecting two restrictive systems legally results in a new restrictive composite system. (For those interested in the proof, see [McC 88].) A new feature in the brief discussion of restrictiveness is a state-machine version of the property.