Noninterference and the composability of security properties

The problem of composability of multilevel security properties, particularly the noninterference property and some of its generalizations, is discussed. Examples are used to show that some of these security properties do not compose; it is possible to connect two systems, both of which are judged to be secure, so that the composite system is not secure. A property called restrictiveness is introduced that is generally composable, so that two restrictive systems connected legally result in a new restrictive composite system. A novel feature in the brief discussion of restrictiveness is a state-machine version of the property.
