Architectural refinement and notions of intransitive noninterference

This paper deals with architectural designs that specify the components of a system and the permitted flows of information between them. In the course of systems development, such a design may be refined by viewing a component as composed of subcomponents and specifying the permitted flows of information between these subcomponents and the other components in the design. The paper studies the soundness of such refinements with respect to a spectrum of semantics for information flow policies: Goguen and Meseguer's purge-based definition, Haigh and Young's intransitive purge-based definition, and the more recent notions of TA-security, TO-security and ITO-security defined by van der Meyden. All of these definitions are shown to support the soundness of architectural refinement, for both a state-observed and an action-observed model of systems. A notion of system refinement in which the information content of observations is reduced is also studied. It is also shown that refinement preserves weak access control structure, an implementation mechanism that ensures TA-security.
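The following Python script is an added worked example, not code from the paper. It makes the two classical definitions named above concrete on a tiny action-observed machine with the standard downgrader policy H ↝ D ↝ L, checks by exhaustive enumeration of short traces that the machine is secure under Haigh and Young's intransitive purge but not under Goguen and Meseguer's purge, and then refines the downgrader D into two subcomponents D1 and D2. The machine, its state and actions, the policies and the refinement map `R` are constructed for illustration; the soundness condition checked by `refines()` (every flow permitted between subcomponents must map to a flow permitted between their images) is the condition used here and is stated in its docstring, and `ipurge()` follows Rushby's formulation of the intransitive purge.

```python
"""Added example: purge vs. intransitive purge on a small action-observed machine,
plus a soundness check for an architectural refinement of the downgrader.
Machine, policies and refinement map are constructed for illustration."""
from itertools import product


def policy(domains, edges):
    """An information flow policy: a reflexive relation over security domains."""
    return {(d, d) for d in domains} | set(edges)


def purge(trace, u, dom, flows):
    """Goguen-Meseguer purge: delete every action whose domain may not interfere with u."""
    return [a for a in trace if (dom[a], u) in flows]


def ipurge(trace, u, dom, flows):
    """Haigh-Young intransitive purge (Rushby's formulation): scanning from the end of
    the trace, keep an action if its domain may interfere with some domain already
    known to be a source of information for u; kept domains become sources."""
    sources, kept = {u}, []
    for a in reversed(trace):
        if any((dom[a], v) in flows for v in sources):
            sources.add(dom[a])
            kept.append(a)
    return kept[::-1]


def run(m, trace):
    s = m["init"]
    for a in trace:
        s = m["step"](s, a)
    return s


def violation(m, flows, purge_fn, max_len=3):
    """First (trace, domain) whose observation differs from that of the purged trace,
    over all traces up to max_len; None if the machine passes the check."""
    for n in range(max_len + 1):
        for t in product(m["dom"], repeat=n):
            t = list(t)
            for u in m["domains"]:
                if m["obs"](run(m, t), u) != m["obs"](run(m, purge_fn(t, u, m["dom"], flows)), u):
                    return t, u
    return None


def refines(refined, abstract, r):
    """Soundness condition used here for a refinement map r (subcomponent -> component):
    every flow permitted between subcomponents is permitted between their images."""
    return all((r[u], r[v]) in abstract for u, v in refined)


def abstraction(m, r):
    """View a refined machine at the abstract level: each abstract component owns its
    subcomponents' actions and observes the tuple of their observations."""
    parts = {}
    for d in m["domains"]:
        parts.setdefault(r[d], []).append(d)
    return {"domains": list(parts), "init": m["init"], "step": m["step"],
            "dom": {a: r[d] for a, d in m["dom"].items()},
            "obs": lambda s, u: tuple(m["obs"](s, d) for d in parts[u])}


# Abstract design: H (high) -> D (downgrader) -> L (low); no direct H -> L flow.
ABSTRACT = policy({"H", "D", "L"}, {("H", "D"), ("D", "L")})

# Abstract machine, state (x, y): H writes x, D releases x into y, L reads y.
def step_abs(s, a):
    x, y = s
    return {"h_write": (1, y), "d_release": (x, x), "l_read": (x, y)}[a]

ABS_M = {"domains": ["H", "D", "L"], "init": (0, 0), "step": step_abs,
         "dom": {"h_write": "H", "d_release": "D", "l_read": "L"},
         "obs": lambda s, u: {"H": s[0], "D": s[0], "L": s[1]}[u]}

# Refinement: D is split into D1 (accepts from H) and D2 (releases to L).
R = {"H": "H", "D1": "D", "D2": "D", "L": "L"}
REFINED = policy(set(R), {("H", "D1"), ("D1", "D2"), ("D2", "L")})
REFINED_BAD = REFINED | {("L", "D1")}   # an L -> D flow the abstract design never permitted

# Refined machine, state (x, z, y): D1 buffers x in z, D2 releases z into y.
def step_ref(s, a):
    x, z, y = s
    return {"h_write": (1, z, y), "d1_accept": (x, x, y), "d2_release": (x, z, z), "l_read": s}[a]

REF_M = {"domains": ["H", "D1", "D2", "L"], "init": (0, 0, 0), "step": step_ref,
         "dom": {"h_write": "H", "d1_accept": "D1", "d2_release": "D2", "l_read": "L"},
         "obs": lambda s, u: {"H": s[0], "D1": (s[0], s[1]), "D2": (s[1], s[2]), "L": s[2]}[u]}


if __name__ == "__main__":
    print("abstract machine, P-security witness:", violation(ABS_M, ABSTRACT, purge))
    print("abstract machine, IP-secure:", violation(ABS_M, ABSTRACT, ipurge) is None)
    print("refinement sound:", refines(REFINED, ABSTRACT, R), refines(REFINED_BAD, ABSTRACT, R))
    print("refined machine IP-secure:", violation(REF_M, REFINED, ipurge) is None)
    print("its abstraction IP-secure:", violation(abstraction(REF_M, R), ABSTRACT, ipurge) is None)
```

The P-security witness is the trace `h_write, d_release` observed by L: the transitive purge deletes the H action, so the purged run leaves `y = 0` while the real run releases `y = 1`, even though the flow went through the downgrader exactly as the policy allows. The intransitive purge keeps `h_write` because a later D action makes H a source for L, so the same machine is IP-secure. The last two checks show the soundness direction the abstract describes: the refined machine is IP-secure for the refined policy, and its abstraction (D observing both subcomponents) is IP-secure for the original policy. Bounded trace enumeration is a sanity check for a small model, not a proof; the paper's results are general.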

[1] Xiaolei Qian, et al. Correctness and composition of software architectures. SIGSOFT '94, 1994.

[2] Jan Jürjens, et al. Secure systems development with UML. 2004.

[3] J. A. Goguen and J. Meseguer. Security Policies and Security Models. 1982 IEEE Symposium on Security and Privacy, 1982.

[4] Carroll Morgan. The Shadow Knows: Refinement and security in sequential programs. Sci. Comput. Program., 2009.

[5] Jie Zhou, et al. Architecture-based refinements for secure computer systems design. PST, 2006.

[6] Ron van der Meyden, et al. A comparison of semantic models for intransitive noninterference. 2007.

[7] Colin O'Halloran, et al. Refinement and Confidentiality. Refine, 1992.

[8] J. Jacob, et al. On the derivation of secure components. 1989 IEEE Symposium on Security and Privacy, 1989.

[9] D. Elliott Bell, et al. Secure Computer System: Unified Exposition and Multics Interpretation. 1976.

[10] Heiko Mantel. Preserving information flow properties under refinement. 2001 IEEE Symposium on Security and Privacy, 2001.

[11] A. W. Roscoe. CSP and determinism in security modelling. 1995 IEEE Symposium on Security and Privacy, 1995.

[12] W. Vanfleet, et al. MILS: Architecture for High-Assurance Embedded Computing. CrossTalk, 2005.

[13] A. W. Roscoe, et al. What is intransitive noninterference? 12th IEEE Computer Security Foundations Workshop, 1999.

[14] Riccardo Focardi, et al. Refinement operators and information flow security. First International Conference on Software Engineering and Formal Methods (SEFM), 2003.

[15] Ron van der Meyden, et al. A Comparison of Semantic Models for Noninterference. Formal Aspects in Security and Trust, 2006.

[16] Ketil Stølen, et al. Information flow property preserving transformation of UML interaction diagrams. SACMAT '06, 2006.

[17] Marco Antonio Barbosa. A refinement calculus for software components and architectures. ESEC/FSE-13, 2005.

[18] J. A. Goguen and J. Meseguer. Unwinding and Inference Control. 1984 IEEE Symposium on Security and Privacy, 1984.

[19] Jeff W. Sanders, et al. On the refinement of non-interference. Computer Security Foundations Workshop IV, 1991.

[20] Ron van der Meyden, et al. What, indeed, is intransitive noninterference? J. Comput. Secur., 2015.

[21] John Rushby. Noninterference, Transitivity, and Channel-Control Security Policies. Technical Report CSL-92-02, SRI International, 1992.

[22] J. Thomas Haigh, et al. Extending the Noninterference Version of MLS for SAT. IEEE Trans. Software Eng., 1987.

[23] Xiaolei Qian, et al. Correct Architecture Refinement. IEEE Trans. Software Eng., 1995.

[24] David L. Bibighaus. Applying Doubly Labeled Transition Systems to the Refinement Paradox. 2005.

[25] Li Gong, et al. Secure software architectures. 1997 IEEE Symposium on Security and Privacy, 1997.

[26] Jim Alves-Foss, et al. The MILS architecture for high-assurance embedded systems. Int. J. Embed. Syst., 2006.

[27] Bernhard Rumpe, et al. Refinement of information flow architectures. First IEEE International Conference on Formal Engineering Methods, 1997.