Security models of control are used as a way of formalizing a security policy. They determine in one way or another how security will be implemented across a system or network, which subjects are permitted access to the system, and which objects they are allowed access to. These security models are typically put in place by enforcing confidentiality, integrity, or other controls. They serve as frameworks or guidelines for developers and system administrators.
One such framework is known as the non-interference model.
State Machine Models
State machine models monitor the condition of a system to prevent it from moving into an insecure state. Any system that implements a state machine model must, at all times, examine the possible states of its processes to verify that each one is controlled.
The value of a state machine model lies in its ability to establish the condition in which a system should always reside. So any system that starts up in a secure state and preserves security across every transaction it performs should always remain in a secure state, under the criteria laid down by the model.
Information Flow Model
An extension of the state machine model concept, the information flow model consists of objects, state transitions, and lattice states which govern data flow policy. Its primary objective is to prevent the flow of unauthorized and insecure data in any direction across the system.
The information flow model can employ guards, which allow the interchange of data between various systems.
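The two ideas above (a state machine that must never reach an insecure state, and an information flow policy expressed as a lattice with guards) can be shown together in a small model checker. The following is an added example written for this article, not code from the original page or from any particular product; the two-level lattice, the four named objects and the single "copy" transition are constructed for illustration. It enumerates every state reachable from a secure initial state and confirms that, with the guard in place, no reachable state violates the flow policy, while the same machine without the guard does reach insecure states.

```python
"""Added example (not from the original article): a tiny state-machine model whose
security invariant is a lattice-based information-flow policy.

Assumptions (constructed for illustration): a two-level lattice LOW < HIGH; objects
are named containers, each with a label; a state records which origin's data each
container currently holds; the only transition is a 'copy' of one container's
contents into another. The state is secure when no container holds data whose
origin label is above its own.
"""
from itertools import product

# Lattice: a higher value is more sensitive. LOW may flow to HIGH, never the reverse.
LATTICE = {"LOW": 0, "HIGH": 1}

def flows_to(src_label, dst_label):
    """A flow src -> dst is permitted by the lattice iff src <= dst."""
    return LATTICE[src_label] <= LATTICE[dst_label]

# Constructed sample objects: name -> label.
OBJECTS = {"public_log": "LOW", "secret_key": "HIGH", "tmp_buffer": "LOW", "vault": "HIGH"}

def initial_state():
    """Secure initial state: every container holds only its own data.
    A state is a frozenset of (container, origin-of-data) pairs."""
    return frozenset((name, name) for name in OBJECTS)

def is_secure(state):
    """Security invariant: every container holds only data whose origin label flows to it."""
    return all(flows_to(OBJECTS[origin], OBJECTS[container]) for container, origin in state)

def copy(state, src, dst):
    """Transition: dst receives everything currently held in src."""
    return state | frozenset((dst, origin) for container, origin in state if container == src)

def reachable_states(guarded):
    """Enumerate every state reachable from the initial one by repeated copies.
    With guarded=True the guard refuses any copy the lattice does not permit."""
    start = initial_state()
    seen, frontier = {start}, [start]
    while frontier:
        state = frontier.pop()
        for src, dst in product(OBJECTS, repeat=2):
            if src == dst:
                continue
            if guarded and not flows_to(OBJECTS[src], OBJECTS[dst]):
                continue  # guard: a HIGH -> LOW copy is blocked before it happens
            nxt = copy(state, src, dst)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

def check_model(guarded):
    """Return (number of reachable states, number of insecure reachable states)."""
    states = reachable_states(guarded)
    return len(states), sum(1 for s in states if not is_secure(s))

if __name__ == "__main__":
    for guarded in (True, False):
        total, insecure = check_model(guarded)
        print(f"guarded={guarded}: {total} reachable states, {insecure} insecure")
```

The reasoning the check relies on is inductive: the guard only compares the labels of the two containers, but because the invariant guarantees that everything inside the source is at or below the source's label, a permitted copy can only deliver data at or below the destination's label. That is what lets a system that starts secure and only takes guarded transitions stay secure, which is the claim the state machine model makes.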
The Non-Interference Model
First laid out by Goguen and Meseguer in 1982 and updated in 1984, the non-interference model is an evolution of the information flow model designed to ensure that objects and subjects at different security levels don’t interfere with those at other levels. In terms of computer security modeling, objects in this sense may be documents, bits of data, processes, or programs, while subjects may be people (system users), networks, applications, or processes.
Under a non-interference provision, a computer is seen as a machine having inputs and outputs. These are categorized in terms of their sensitivity as low (not classified information, or having a low sensitivity) or high (sensitive, and not to be viewed by individuals or resources without the necessary clearance).
According to the conditions laid down by the model, any sequence of low-sensitivity inputs will produce outputs which are correspondingly low, regardless of any high-level inputs that may also exist. So if a user with a low or no security clearance is working on a system, it will respond in exactly the same manner to low-sensitivity inputs, irrespective of there being a high-level user with greater security clearance working with sensitive data on the same machine. The low-sensitivity user won’t be able to glean any information about the high-level user’s activities.
So under the non-interference model, any activities that take place at a higher security level won’t have an effect on actions taking place at a lower level.
Objectives Of Non-Interference
A non-interference model aims at a strict separation of differing security levels to ensure that higher-level activities don’t determine what lower-level users can see or gain access to. By maintaining the separation of different security levels, the non-interference model minimizes leaks and breaches that might occur through covert channels.
Under the non-interference model, each data access attempt across a system is independent of all others – and data isn’t permitted to cross security boundaries. The model takes into account the impact of the actions of higher security level subjects on the state of the system itself, keeping these segregated from lower security levels. So covert channels can’t be created through shared resources or inference attacks.
A Strict Regime
The non-interference model creates a very strict security regime, excluding any computer system with covert channels of communication or data transfer (such as might comply with other models like Bell-LaPadula) from compliance with it.
As a consequence, it’s very difficult to construct a computer that completely meets all the demands of non-interference. In fact, very few commercially available products have been verified as complying with the non-interference policy – and even these tend to be rudimentary components like switches and one-way information filters.
A Slight Loophole
There is a notable exception to the non-interference policy rules which allows an exchange of data between security levels: the so-called “No classified information at startup” exception. Here, a computer having any high-level information on it at startup time, or on which low-level users create high outputs at a subsequent time (a condition permitted by many security policies), can legally pass (i.e., leak) that high-level data to the low-level user, and still be strictly in compliance with the non-interference regime.
Under these conditions, the low-level user won’t be able to learn anything about the activities of high-level users, but will be able to uncover details about any high-level information created by means other than high user activity.
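The definition given earlier (low outputs unchanged whether or not high inputs are present) and the startup loophole just described can both be made concrete with Goguen and Meseguer's "purge" test: delete every high-level input from a trace and check that the low user's observations do not change. What follows is an added example written for this article, not code from the original page; the three toy machines, the command alphabet and the boot-time value 42 are constructed for illustration. The first machine leaks through a shared counter and fails the test, the second keeps the levels separate and passes, and the third passes even though it hands a secret present at boot to the low user, which is exactly the exception the text describes.

```python
"""Added example (not from the original article): checking Goguen-Meseguer
non-interference on small deterministic machines with the 'purge' test, and
showing the 'no classified information at startup' exception.

Assumptions (constructed): inputs are (level, command) pairs with level 'low' or
'high'; a machine is a step function (state, level, cmd) -> (new_state, output);
only the outputs produced in response to low inputs are visible to the low user.
"""
from itertools import product

def purge(trace):
    """Remove every high-level input from the trace (the Goguen-Meseguer purge)."""
    return tuple(inp for inp in trace if inp[0] == "low")

def low_view(step, init_state, trace):
    """Run the machine and collect what the low user observes: outputs to low inputs."""
    state, observed = init_state, []
    for level, cmd in trace:
        state, out = step(state, level, cmd)
        if level == "low":
            observed.append(out)
    return tuple(observed)

def is_noninterfering(step, init_state, commands, max_len=4):
    """Non-interference holds iff, for every input sequence, the low view is the same
    with and without the high inputs. Exhaustive over all traces up to max_len."""
    alphabet = [(lvl, c) for lvl in ("low", "high") for c in commands]
    for n in range(max_len + 1):
        for trace in product(alphabet, repeat=n):
            if low_view(step, init_state, trace) != low_view(step, init_state, purge(trace)):
                return False
    return True

COMMANDS = ("inc", "read")

# Machine 1: one counter shared by both levels (a covert channel).
def shared_counter(state, level, cmd):
    if cmd == "inc":
        return state + 1, None   # any 'inc', at either level, bumps the same counter
    return state, state          # 'read' reveals the shared counter to whoever asked

# Machine 2: strictly separated per-level counters; state is (low_count, high_count).
def separated_counters(state, level, cmd):
    low, high = state
    if cmd == "inc":
        return ((low + 1, high) if level == "low" else (low, high + 1)), None
    return state, (low if level == "low" else high)

# Machine 3: the startup loophole. The machine boots with a high secret already in
# its state and every 'read' returns it. No high *input* ever changes what the low
# user sees, so the purge test passes even though the secret reaches the low user.
SECRET_AT_BOOT = 42  # constructed value standing in for classified data present at startup
def leaks_boot_secret(state, level, cmd):
    return state, state

def run_checks():
    """Return the verdict of the purge test for each toy machine."""
    return {
        "shared_counter": is_noninterfering(shared_counter, 0, COMMANDS),
        "separated_counters": is_noninterfering(separated_counters, (0, 0), COMMANDS),
        "leaks_boot_secret": is_noninterfering(leaks_boot_secret, SECRET_AT_BOOT, COMMANDS),
    }

if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {'non-interfering' if verdict else 'INTERFERENCE DETECTED'}")
```

The point of the third machine is that the purge test only removes high inputs; it says nothing about high data that was in the state before any input arrived, so a model checker built on this definition will report such a system as compliant. A practitioner evaluating a component against non-interference should therefore also establish what the initial state contains, not just how inputs propagate.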