Abstract
We formally compare two industrially relevant and popular models of noninterference, namely, the model defined by Rushby and the one defined by Greve, Wilding, and Vanfleet (GWV). We create a mapping between the objects and relations of the two models. We prove a number of theorems showing under which assumptions a system identified as “secure” in one model is also identified as “secure” in the other model. Using two examples, we illustrate and discuss some of these assumptions. Our main conclusion is that the GWV model is more discriminating than the Rushby model. All systems satisfying GWV’s Separation also satisfy Rushby’s noninterference. The other direction only holds if we additionally assume that GWV systems are such that every partition is assigned at most one memory segment. All of our proofs have been checked using the Isabelle/HOL proof assistant.
© 2014 Springer International Publishing Switzerland
Cite this paper
Ramirez, A.G., Schmaltz, J., Verbeek, F., Langenstein, B., Blasum, H. (2014). On Two Models of Noninterference: Rushby and Greve, Wilding, and Vanfleet. In: Bondavalli, A., Di Giandomenico, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2014. Lecture Notes in Computer Science, vol 8666. Springer, Cham. https://doi.org/10.1007/978-3-319-10506-2_17
DOI: https://doi.org/10.1007/978-3-319-10506-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10505-5
Online ISBN: 978-3-319-10506-2