Non-interference (security)

Non-interference (security)

Non-interference is a strict multilevel security policy model, first described by Goguen and Meseguer in 1982, and amplified further in 1984.

Contents

Introduction

In simple terms, a computer is modeled as a machine with inputs and outputs. Inputs and outputs are classified as either low (low sensitivity, not highly classified) or high (sensitive, not to be viewed by uncleared individuals). A computer has the non-interference property if and only if any sequence of low inputs will produce the same low outputs, regardless of what the high level inputs are.

That is, if a low (uncleared) user is working on the machine, it will respond in exactly the same manner (on the low outputs) whether or not a high (cleared) user is working with sensitive data. The low user will not be able to acquire any information about the activities (if any) of the high user.

Formal expression

Let M be a memory configuration, and let ML and MR be the projection of the memory M to the low and high parts, respectively. Let = L be the function that compares the low parts of the memory configurations, i.e., M\ {=_L}\ M^\prime iff M_{L} = M_{L}^\prime. Let (P,M) \rightarrow^* M^\prime be the execution of the program P starting with memory configuration M and terminating with the memory configuration M^\prime.

The definition of non-interference for a deterministic program P is the following [1]:

\begin{array}{rrl}\forall M_1, M_2 :\; & M_1\ {=_L}\ M_2 & \land\\
& (P,M_1) \rightarrow^* M_1^\prime & \land\\
&(P,M_2) \rightarrow^* M_2^\prime &\Rightarrow\\
&M_1^\prime\ {=_L}\ M_2^\prime\end{array}

Limitations

Strictness

This is a very strict policy, in that a computer system with covert channels may comply with, say, the Bell–LaPadula model, but will not comply with non-interference. The reverse could be true (under reasonable conditions, being that the system should have labelled files, etc.) except for the "No classified information at startup" exceptions noted below. However, non-interference has been shown to be stronger than non-deducibility.

This strictness comes with a price. It is very difficult to make a computer system with this property. There may be only one or two commercially available products that have been verified to comply with this policy, and these would essentially be as simple as switches and one-way information filters (although these could be arranged to provide useful behaviour).

No classified information at startup

If the computer has (at time=0) any high (i.e., classified) information within it, or low users create high information subsequent to time=0 (so-called "write-up," which is allowed by many computer security policies), then the computer can legally leak all that high information to the low user, and can still be said to comply with the non-interference policy. The low user will not be able to learn anything about high user activities, but can learn about any high information that was created through means other than the actions of high users.(von Oheimb 2004)

Computer systems that comply with the Bell-LaPadula Model do not suffer from this problem since they explicitly forbid "read-up." Consequently, a computer system that complies with non-interference will not necessarily comply with the Bell-LaPadula Model. Thus, the Bell–LaPadula model and the non-interference model are incomparable: the Bell-LaPadula Model is stricter regarding read-up, and the non-interference model is stricter with respect to covert channels.

No summarisation

Some legitimate multilevel security activities treat individual data records (e.g., personal details) as sensitive, but allow statistical functions of the data (e.g., the mean, the total number) to be released more widely. This cannot be achieved with a non-interference machine.

References

  1. ^ Smith, Geoffrey (2007). "Principles of Secure Information Flow Analysis". Advances in Information Security. 27. Springer US. pp. 291-307.

Further reading

  • McLean, John (1994). "Security Models". Encyclopedia of Software Engineering. 2. New York: John Wiley & Sons, Inc. pp. 1136–1145. 
  • von Oheimb, David (2004). "Information Flow Control Revisited: Noninfluence = Noninterference + Nonleakage". European Symposium on Research in Computer Security (ESORICS). Sophia Antipolis, France: LNCS, Springer-Verlag. pp. 225–243. 

Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • Non-interference — may refer to: Noninterference (Buddhism), a Buddhist concept Noninterference (novel), a novel by Harry Turtledove Non interference (security), a security policy model This disambiguation page lists articles associated with the same title. If an …   Wikipedia

  • Non-Aligned Movement — Members ( …   Wikipedia

  • Computer security model — A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical… …   Wikipedia

  • Non-intervention in the Spanish Civil War — …   Wikipedia

  • Multilevel security — or Multiple Levels of Security (abbreviated as MLS) is the application of a computer system to process information with different sensitivities (i.e., at different security levels), permit simultaneous access by users with different security… …   Wikipedia

  • A Few Words on Non-Intervention — is a short essay by the philosopher, politician and economist, John Stuart Mill. It was written in 1859 in the context of the construction of the Suez Canal and the recent Crimean War. The essay addresses the question of under what circumstances… …   Wikipedia

  • Australian Security Intelligence Organisation — Infobox Government agency agency name = Australian Security Intelligence Organisation logo width = 350px headquarters = Canberra, Australian Capital Territory, Australia formed = 16 March 1949 jurisdiction = Commonwealth of Australia employees =… …   Wikipedia

  • Airport security — refers to the techniques and methods used in protecting airports and aircraft from crime. Large numbers of people pass through airports. Such gatherings present a target for terrorism and other forms of crime due to the number of people located… …   Wikipedia

  • United States non-interventionism — United States This article is part of the series: Politics and government of the United States …   Wikipedia

  • Computer security — This article is about computer security through design and engineering. For computer security exploits and defenses, see computer insecurity. Computer security Secure operating systems Security architecture Security by design Secure coding …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”