Modeling Information Routing with Noninterference

To achieve the highest levels of assurance, systems based on the MILS architecture need to be formally analysed. In this, a key challenge is reasoning about the inter-domain flow of information on a finer scale than the domain level. In this paper, we extend Rushby's model of noninterference with explicit between-domain information transfer, as well as programs that determine domain behavior. These extensions enable the reasoning at an abstract level built on top of noninterference, at a much finer level than allowed by base noninterference. As an illustration of our approach, we formally model and analyze an example system inspired by the GWV Firewall.