Dynamic Intransitive Noninterference.pdfVIP

Dynamic Intransitive Noninterference Rebekah Leslie Portland State University Abstract— Existing noninterference frameworks for reasoning that transitive noninterference is a special case of intransitive about system security assume a fixed configuration of domains noninterference. governed by a security policy that does not change over time. A common characteristic of the existing formulations is that A static security policy, however, cannot express the domain interactions present in many modern system designs, which they assume the security policy does not change over time. allow users to configure the set of active domains at run- This assumption is incompatible with modern system designs, time. In this paper, we generalize Rushby’s framework for which rely on the ability to install and remove components of static noninterference to support reasoning about the security the system at run-time. A static security policy is incapable of of systems with a dynamic policy. In particular, we show that expressing the interactions between domains in such a setting. the security of a given dynamic policy system can be established by supplementing Rushby’s unwinding theorem with the new Even when the set of active domains does not change, a system notion of policy respect . administrator may wish to alter the policy during execution in response to changing security requirements. I. INTRODUCTION Consider the example of a simplified webserver in Figure Reasoning about computer systems is a persistent ch