Information Flow

Information Flow Policy Any confidentiality and integrity model embodies an information flow policy There is thus the need for assurance that information flow doesn't violate the constraints of such a policy. Access control can constrain the rights of a user, but not the flow of information between subjects or objects There is thus the need for mechanisms that control the flow of information in addition to access control

Example In the Bell-LaPadula model, information can flow from one object to another if and only if the second object dominates the first Definition of Information Flow Components o Object x o Object y o Sequence of commands S Definition Information flows from object x to object y if, after the execution of the sequence of commands S, the value in object y allows one to deduce (figure out) the value in object x Notation o y x o x is called the source of the information flow o y is called the target of the information flow Security Constraints on Information Flow The Bell-LaPadula model y x is secure if and only if the security level of y dominates that of x Notations o x: security level of x o : dominate o : dominated by

y x requires that yx(or xy)

Types of Information Flow Strong information flow y x according to the definition Value of x directly/explicitly affects the value of y o y = f(x) f( ) is an arithmetic expression Weak information flow y x according to the definition Value of x indirectly/implicitly affects the value of y o If (f1(x)) then y = f2 (a) else B = f3(b) f1( ), f2( ) and f3( ) are arithmetic expressions a and b are objects. Information Flow in Programs Program statements o Assignment statement o Compound statement o Conditional statement o Iterative statement o Goto statement o Procedure call o Function call o Input/output statement Assignment Statement Statement y = f(x1, x2, , xn) Information flows o Strong information flows y x1 y x2 y xn o Weak information flows None Security requirement

lub(x1, x2, xn) y