Unwinding Conditional Noninterference

Unwinding Conditional Noninterfe rence Chenyi Zhang F aculty of Scien ces, T echnology and Commun ication, University of Luxembo ur g 6, rue Richar d Coudenhove-Kalergi, L-1359 Luxemb our g Abstract —Noninterference prov ides a control over in for - mation ﬂow in a system for ensuring conﬁd entiality and integrity pro perties. I n the literatur e this notion has been well studied as transitive noninterference and intransitive noninterference. In this p aper we deﬁn e a framework on the notion of conditional n oninterference, whi ch allows t o specify informa tion ﬂow policies based on the semantics of action channels. Our new poli cies subsume the policies of both transitive and intransitive n oninterference, and support dynamic requirements such as upgrading and downgrading. W e also p resent unwinding rela tions that are both sound and complete f or the new policies. Key words -Inf ormation Flow; Noninterference; U nwindin g; I . I N T R O D U C T I O N Inform ation ﬂow security policies are concern ed with both conﬁdentiality and integrity requiremen ts o f a system. The seminal work by Go guen and Meseguer intro duces a way of deﬁnin g infor mation ﬂo w secur ity policies by a set o f noninterference assertions [17]. Each assertion speciﬁes that a given set of actions are not a llowed to interfere with a security domain . The follow-up work s often interpret a noninter ference policy as a r elation over a set of security domains indicatin g permitted ﬂow o f infor mation. If a policy relation is transitive, it has a n atural corr esponden ce to the classical multile vel secur ity policies of Bell and La- Padula [3], [4] . The refore, until rece ntly , most work in th is area deﬁnes a policy on how to allow inf ormation to ﬂow among security domains, instead of how to d isallow such ﬂow as explored in the orig inal paper . The transitive noninterfere nce policies are sometimes con- sidered as too strong i n many situations, because they require that information ﬂow is totally blocked from one security domain to ano ther at any time. A weakened version of noninter ference is to allow a policy relation to be intran si- ti ve [32], [31], [42], [3 8]. This makes it possible to specify a more ﬂexible ﬂow policy . For example, one may deﬁne a policy ⊆ { A, B , C } × { A, B , C } for a system with three security do mains, such that domain A is allo wed to send informa tion to domain B by A B (i.e., ( A, B ) ∈ ), an d that do main B is allowed to send inform ation to domain C by B C (i.e., ( B , C ) ∈ ). Howe ver , do main A is not allowed to directly send info rmation to C if ( A, C ) is not in the policy relation . In th is case B ma y be regarded as a chan nel that co ntrols inform ation ﬂo wing fr om A to C , which is not expressible by the o riginal (transiti ve) noninter ference policies [3 2]. T he notions of transitive and intransitive noninterferenc e h av e been applied in different ar - eas such as o perating system veriﬁcation [1 9], [26], security protoco l veriﬁcation [1], [15], and prog ramming lan guage analysis [3 3], [34]. Howe ver , it is also in th e paper of Gogu en an d Meseguer [17] that anoth er weakene d form called cond i- tional nonin terfer ence was prop osed. Con ditional nonin- terference associates ea ch non interferen ce assertion with a constraint, in the way of A 6 u [ [ φ ] ] , su ch that the n oninter- ference assertion takes effect ( i.e., A beco mes invisible to u , as for co nﬁden tiality , o r A is not allowed to change u , as for inte grity ) whenev er the constraint φ is satisﬁed. In o ther words, A 6 u is conditio nal to φ . Althou gh this notion is not followed in subsequen t works in the informatio n ﬂow literature (to ou r knowledge), it p ropo ses an insight that it is also viable to place a control bef ore informatio n ﬂow is allowed to h appen. Note that intran siti ve noninterf erence only spec iﬁes h ow to allow info rmation pro pagation after an action of inte nded ﬂow occurs. In this paper, we p resent a po licy framework for condi- tional no ninterfer ence to inco rporate both intran siti ve nonin- terference [21] and th e notion of the same n ame as pre sented by Gogu en an d Meseguer [17]. ( W e overload this term because we believe it carr ies the ap prop riate meaning.) W e are goin g to sho w that th e noninterfe rence assertion s with the addition al co nditions can be used to express no t only the ch annel con trol policies, but a lso some other useful security req uiremen ts, including a certain class of policies for dy namic contro l. From the persp ectiv e of channel con- trol, our frame work turns out more ge neral than in transitive noninter ference in different w ays. Unwinding theo r ems [18], [ 32], [ 42] are usefu l techniqu es to verify noninter ference- based pr operties. Given a set of noninter ference co nstraints, it is possible to deﬁne a set o f unwinding r elations fo r each user (or secu rity d omain), so that if the relatio ns satisfy a nu mber of constraints, then it is sufﬁcient to say that a system is secu re. Unwind ing is a very desirable techniqu e since it reduces veriﬁca tion of n oninterf erence properties into co nditions that are easily provable by existing tools, with available examples ap plying theorem provers PVS [10] and Isab elle/HOL [42]. The un - winding theorem for deterministic s tate based systems is also complete if the underlyin g security policy on interfer e nce (i.e., the indu ced binary relation on the set of user s) is transitiv e [32]. However , the (weak ) unwind ing relations in the literature [32], [ 42] are n ot necessary conditions for intransitive nonin terference even if the sy stem is determin- istic. In fact, the weak u nwinding relation for intran siti ve noninter ference rather corresponds more or less to a no tion that is strictly stron ger than th e intran siti ve noninterf erence proper ties [38]. In this p aper, we deﬁne u nwinding rela- tions for more gener al classes of noninter ference p roperties which subsume intransiti ve n oninterf erence. Nevertheless, we prove that the existence of such un winding relations are both sound and complete fo r a system to be secure with respect to th e prope rties deﬁned in this p aper . The main contributions of this paper are as follows. (1) W e apply conditional noninterf erence to express a variety of security requ irements, such as u pgradin g, downgrading, and c hannel control. (2) W e ide ntify two subclasses of condition al noninterferenc e proper ties, and for each sub- class we design a new unwin ding techniqu e which is both sound an d co mplete to the proper ties in this class in a very ge neral way . (3) As a byp roduc t, we show that a subclass of our properties can be reduced to safety properties by a dou bling construction . The outline o f the pape r is as follows. I n Sect. II we deﬁne the system model and rephrase the classical noninterfer ence d eﬁnition. Sect. III presents c ondition al noninter ference and shows h ow it can be used to e xpress many interesting security requirements. In Sect. IV we d eﬁne unwindin g tec hniques to char acterize the condition al no ninterfer ence proper ties, and for a particular class of policies, we reduce their veriﬁcation pr oblems to safety proper ties. Sect. V discusses related work. Sect. VI conclud es the paper and sugg ests possible f uture research directions. I I . N O N I N T E R F E R E N C E W e d eﬁne a state m achine m odel similar to those that one can ﬁn d in the literature [17], [3 2]. W e assume a (ﬁnite) set of users (o r security do mains ) U , a set of actions A , and a function dom : A → U that m aps each action to a user wh o perfor ms it. In o ur model, each action is assoc iated with a unique security d omain, since in pra ctice if there is an a ction that is av ailable to mo re than one users, we ad d distinct user- names as sub scripts to p roduce d ifferent actions. The tuple ( A , U, dom ) is called a signature , based o n which we wr ite A u as th e set { a ∈ A | dom ( a ) = u } for u ∈ U . W e write a , b , a 1 , . . . to ran ge over A . A machine for a gi ven signatu re ( A , U, dom ) is a tuple of the form M = h S, s 0 , s tep, o bs, O i where • S is a set of states, • s 0 ∈ S the initial state, • s tep : S × A → S th e transition fu nction, • o bs : U × S → O the observation fun ction, • O is a set of ou tputs. The fun ction s te p describes the system transition , such that s tep ( s, a ) is the unique next state when a ction a is applied on state s . The function o bs gives an observation mad e in each state b y a user . For read ability , we ‘curry ’ the fun ction o bs b y o bs u of type S → O giv en u ∈ U . No te that such a machine is always input enabled by the deﬁnition of function s tep , so that ev ery input action is ena bled on every state. Also, a ma chine is always deterministic in th e sense that giv en a state s and sequence of action s α ∈ A ∗ , a run of state sequ ence can be uniquely d etermined . T o d enote the ﬁnal state a fter the execution of a sequence of actions, deﬁne the operation • : S × A ∗ → S , by s • ǫ = s , and s • ( α · a ) = s tep ( s • α, a ) for s ∈ S , a ∈ A and α ∈ A ∗ . W e assume every state in a mach ine is reachable. In th is m odel we deﬁne observation on states, which is d ifferent from the deﬁnition s of Rushby [3 2] wher e observations are a ssociated with actions. This distinction is not essential fo r many security notions [39], including noninter ference. I n literature the state-obser ved mach ines have also be en used by a nu mber of autho rs, such as Gogu en and Meseguer [17] and Bevier and Y oun g [5]. Our choice on mod elling o f a mach ine is arbitrar y . The security po licy we ar e to deﬁne assumes a partition on the set of a ctions. Given a signature ( A , U, dom ) , d eﬁne a par tition Part over A satisfyin g th e fo llowing conditions. 1) For all P ∈ Part , th ere exists u ∈ U such that P ⊆ A u , 2) S Part = A , 3) P 1 ∩ P 2 = ∅ for all distinct P 1 , P 2 ∈ P art . W e d eﬁne a function p art : A → Part that assigns each action a u nique partition . Obviou sly p art reﬁnes dom . A no ninterfer ence assertion T is of th e fo rm h P 6 u i for u ∈ U and P ∈ Part , r eferring to a secur ity requir ement that an actio n partition P is no t a llowed to interfere with a user u . 1 (W ith respect to integrity , this assertion could also be in terpreted as that ac tions in P are n ot allowed to ‘to uch’ u , wh ere u may represent a real entity , e.g., a device or a ﬁle rather than a u ser .) In this case we say T contr ols P and is associated with u . This deﬁnition is intuitiv ely ﬁner than what is pre sented by Rushby [ 32] who deﬁnes interferen ce (the c omplemen t o f n oninterf erence) as a r elation over th e set of users. W e choo se this structu re for non interferen ce assertions n ot on ly b ecause it is seemingly ﬁne r and more general, but also it seems more reasonab le. When noninte r- ference is used to express c omplex security cond itions, this structure som etimes p rovides a more rea sonable co ntrol. For example, a user in charge of d owngrading can av oid un nec- essary downgrad ing of in formatio n by cho osing action s not 1 A similar form can be found in [17] where u | B 6 v is used to denot e that u is not allowe d to interfere wit h v via the actions in B . W e simpliﬁed the presentat ion by explic itly deﬁning action partitions to be associated with unique security domains. in the p artition o f downgrading action s. 2 A non interferen ce security policy is a set of noninterferenc e assertions, for which we u se symbo ls such as Π , Π ′ . Giv en a security policy Π and an action sequence α ∈ A ∗ a functio n p ur g e Π : A ∗ × U → A ∗ is intro duced ( as in [17]) to clear away from α the actions that are not allo wed to interfer e with a security domain u , which is inductively deﬁned by p u rg e Π ( ǫ, u ) = ǫ , an d p ur g e Π ( a · α, u ) =  p ur g e Π ( α, u ) if p art ( a ) 6 u a · p ur g e Π ( α, u ) otherwise. A system satisﬁes no ninterfer ence, if for all u ∈ U an d α ∈ A ∗ , o b s u ( s 0 • α ) = o bs u ( s 0 • p ur g e Π ( α, u )) . Plainly , this requires that removing all the action s no t allowed to interfer e with a user is not noticeable by that user, since it gives the same v iew to that user as the ac tion sequence in which no actions are removed. From the set of no ninterfer ence assertions Π , a relation ⊆ U × U of interferen ce is uniquely determined . Write u v if there exists a nonemp ty set of actions B ⊆ A u such that for all n oninter ference assertions in the form o f h P 6 v i , we have P ∩ B = ∅ . W e say that the no ninterfer ence policy is transitiv e if th e in duced relation is transitive on U . Most of the policies studied in liter ature are transitive. For example, MultiLevel Security of Bell and LaPadula [ 3] deﬁnes a partial o rder of security dom ains. 3 Later Den ning introdu ced a lattice structu re o f security classes to reason about information ﬂo w [12]. Noninter ference can be u sed to analy ze transitive inform ation ﬂow policies, but it is not necessarily transitive by na ture. T o be exp licit, the relation induc ed by a po licy Π is no t inh erently tra nsiti ve accordin g to the deﬁn ition o f fun ction p ur g e . W e sketch it in the fo llowing example. (0 , 0) (0 , 1) (1 , 0) (1 , 1) a v a v a u a u Figure 1. The machine of e xample 1, where a state s is labelled ( o bs v ( s ) , o bs w ( s )) , and we omit the self-transit ions by a w . 2 As in the case of a channel contro l policy [21], [32] w here u v and v w , it seems more realistic to let only a subset of A v act as a channe l passing informati on from u to w . This m ay also be partially used to defend critici sms against the purge-based channel control policies such as those from Roscoe and Goldsmith [31]. 3 More precisel y , it is deﬁned as a combinati on of a totally ordered set of security labels L such as top secret (TS), secret (S), conﬁdentia l (C), unclassiﬁe d (U), where T S > S > C > U and a set of cate gorie s C , such as Navy , Army and Air Force, which are pairwise incomparab le, so that ( l 1 , c 1 ) ≤ ( l 2 , c 2 ) with l 1 , l 2 ∈ L and c 1 , c 2 ∈ C iff l 1 ≤ l 2 and c 1 = c 2 . Example 1: Let U = { u, v , w } , and a ﬂo w policy satisfying u v and v w , i.e., the set of no ninterfer ence assertions is Π = {hA v 6 u i , hA w 6 v i , hA w 6 u i , hA u 6 w i} , where A u = { a u } , A v = { a v } and A w = { a w } . Let S = { 0 , 1 } × { 0 , 1 } with s 0 = (0 , 0) , o bs u (( x, y )) = ∅ , o bs v (( x, y )) = x and o bs w (( x, y )) = y for all x, y ∈ { 0 , 1 } . The transition function is deﬁned as s tep ( s, a w ) = s fo r all s , s tep (( x, y ) , a u ) = ( x ⊗ 1 , y ) and s tep (( x, y ) , a v ) = ( x, y ⊗ 1 ) for all x, y ∈ { 0 , 1 } , where ⊗ den otes ‘exclusive or’. The m achine is d epicted in Fig. 1 . One m ay o bserve that u d etermines v ’ s observation and v determ ines w ’ s observation in every state. Every non- interferen ce assertion can be veriﬁed v ia the pur ge f unc- tion. For in stance for the ass ertion hA u 6 w i , we have o bs w ( s 0 · α ) = o bs w ( s 0 · pur g e Π ( α, w )) for all α ∈ A ∗ . Note tha t the relation is n ot tran siti ve, since ( u, w ) 6∈ , although we have u v and v w .  W e claim that Gogu en an d Meseguer’ s n oninterf erence policy is not necessarily transitive, and more over , it can be used to encode security pro perties str onger than th ose that are k nown as intransiti ve noninter ference o r channe l control p olicies [21], [32]. In the above example v can pass info rmation from u to w o nly af ter he indee d receives and knows the info rmation. Fu rthermo re, v is allowed to intentionally blo ck inf ormation from u to w , althoug h in for- mation is fr ee to ﬂow fr om u to v and fr om v to w . This example provides a view on the notio n of no ninterfere nce of Goguen and Meseguer that it also gi ves a channel-like control which works differently from that of intran siti ve noninter ference. Note that in intran siti ve nonin terferen ce policies, it is possible that a chann el is allowed to f orward informa tion withou t k nowing what is bein g fo rwarded [38]. I I I . C O N D I T I O N A L N O N I N T E R F E R E N C E Conditional non interferen ce w as introd uced to supp ort dynamic po licies [ 17], where the conditio ns were predicates on a sequences of actions before reaching a state. In this section the notion is extend ed also to the other direction (similar to intra nsiti ve n oninter ference), so that condition al noninter ference decides whether an actio n is allowed to interfere with a user giv en a p ath of actions lead ing to the current sy stem state a s well as the possible futu re actions to be perfo rmed. W e d eﬁne co nditiona l n oninterference assertion to be of the form h P 6 u [ [ φ ] ] i , where the con dition φ is a fu nction of ty pe A ∗ × A × A ∗ → { tr ue, f alse } . Gi ven a seq uence of actions α ∈ A ∗ , a single action a ∈ A , and anoth er sequence of actions α ′ ∈ A ∗ to be executed in the fu ture, φ ( α, a, α ′ ) answers wh ether th e cur rent a ction a is allowed to in terfere with user u , i.e., whether it n eeds to b e ‘purged’ . The sequence α can be understoo d as the pre-co nditional par t of the wh ole seq uence α · a · α ′ for φ , so th at a decision is made based on history . Th e sequence α ′ represents the actions yet to be perf ormed. This part enables us to d eﬁne a policy that permits information ﬂo w only after it is c hecked b y other users, w hich has been alread y explored in th e form of intransitive n oninterfe rence or channe l control p olicies [2 1], [32]. W e regard α ′ as th e post-co nditiona l p art of α · a · α ′ for φ o n action a . If φ is always evaluated tru e in assertion T = h P 6 u [ [ φ ] ] i , then T is a strict assertion, and it is equiv alent to what is deﬁned in the p revious sectio n. T o this poin t we re vise the no tion of security policy to be a set of conditional noninterfer ence assertions. W e h av e the following deﬁnitio n fo r the n ew p ur g e function . Deﬁnition 1: G i ven a policy Π , th e fu nction p ur g e Π : A ∗ × U → A ∗ is d eﬁned as for all α ∈ A ∗ in th e form of a 1 a 2 . . . a n , p u rg e Π ( α, u ) = a ′ 1 a ′ 2 . . . a ′ n , such that for ev ery i ∈ { 1 , . . . , n } , a ′ i =    ǫ if ther e exists h p art ( a i ) 6 u [ [ φ ] ] i ∈ Π and φ ( α − i , a i , α + i ) , a i otherwise. where α − i = a 1 . . . a i − 1 , α + i = a i +1 . . . a n , and ǫ denotes the emp ty sequ ence o f actio ns. A system is secure with respect to a policy Π , if f or all u ∈ U and α ∈ A ∗ , o bs u ( s 0 • α ) = o bs u ( s 0 • p ur g e Π ( α, u )) . This req uires that every u ser u ∈ U is u nable to distinguish trace α and p ur g e Π ( α, u ) b y his ob servations. In the rest o f the sectio n, we r estrict our attention to two subclasses of con ditional nonin terferen ce assertions. For each class of assertion s, we deﬁne its cor respond ing p ur g e function s. W e will also show how the se assertions can b e applied to expr ess a few existing policies of interest. A. Pre- a nd P ost-Conditional Assertions W e deﬁne two sub classes of c ondition al assertions. A p re- condition al assertion p rovides a co ntrol whe n a decision on permitted info rmation ﬂow need s to be mad e ahead of time. For e xample, in a system with discretionary access control, if a user wishes to receive inform ation from a different user , he may simply create a ﬁle which h e can read , an d d elegate the ‘write’ access of this ﬁle to that particular user . He may a lso rev oke this access in the fu ture. A po st-condition al assertion controls ﬂow of inform ation after an action with intended ﬂow is perfo rmed. An example for this po licy is that a secr et message m ust be f ollowed b y an encr ypting action befo re it is allowed to b e sent ou t. Note that in many cir cumstances, such decisions on permissions of informatio n passage ca n only be m ade by a super-user or an administrator . W e start w ith a simple langu age Φ − for expre ssing the pre-con ditional and post-cond itional assertion s as shown in Fig. 2. The superscrip ts ‘ pr e ’ and ‘ post ’ den ote wh ether a constraint is deﬁn ed in a pre-con ditional o r po st-conditio nal assertion, and the ar rows ‘ ր ’ and ‘ ց ’ den ote upgr ading channels an d downgrading ch annels, respec ti vely . A post- condition al assertion only asserts a cond ition under which an already -taken action is allowed to produc e effect. For example, the assertion h P 6 u [ [[ P 1 P 2 ] pre ց ] ] i d isallows partition P to interfere with u u nless it is immed iately φ pre := [ ← C 1 ∪ ← C 2 ∪ · · · ∪ ← C n ] pre ր | [ ← C 1 ∪ ← C 2 ∪ · · · ∪ ← C n ] pre ց φ post := [ → C 1 ∪ → C 2 ∪ · · · ∪ → C n ] post → ← C := C | C ♦ | ← C C | ← C C ♦ C := P | P ∪ C → C := C | ♦ C | C → C | ♦ C → C P := P 1 | P 2 | . . . | P n where P i ∈ Part for 1 ≤ i ≤ n for some n Figure 2. syntax of the constraint s in Φ − preceded by an action in P 1 followed by an action in P 2 , and the assertion h P 6 u [ [[ ♦ ( P 1 ∪ P 2 )] post → ] ] i allows action s from P to be detectab le by u on ly if some where in the future an action in P 1 ∪ P 2 is perfo rmed. In this case, th e symb ol ‘ ♦ ’ resembles its u sage in tempo ral logics, in th e sense that the actions in the next partition (or u nion of partition s) are not n ecessarily to happen immediately after , but within a ﬁnite distance in the action sequenc e. W e deﬁn e the post- condition al assertions in the way of controlled relea se o f informa tion, and su ch release is regarded as irre versible . 4 For t he semantics of Φ − , e very channel inside an assertion is interpreted as a regular expression. Let [ [ . ] ] be a function from Φ − to regular expression s. F or a channel con straint ← C i = W 1 W 2 . . . W n (or → C i for the post-co nditional ca se) where W i ∈ { ♦ } ∪P ( A ) , deﬁne [ [ ← C i ] ] as the regular language represented by W ′ 1 W ′ 2 . . . W ′ n where W ′ i = A ∗ if W i = ♦ and W ′ i = W i otherwise. Gi ven φ = ← C 1 ∪ ← C 2 ∪ . . . ← C n , we have [ [ φ ] ] = [ [ ← C 1 ] ] ∪ [ [ ← C 2 ] ] ∪ . . . [ [ ← C n ] ] , i.e. , the union o f the language s of all the chann els . The semantics for post- condition al c onstraints are deﬁn ed in a similar way . Given an assertion h P 6 u [ [ φ ] ] i , α, α ′ ∈ A ∗ and a ∈ A , - if φ is in the f orm of [ φ ′ ] pre ր , then φ ( α, a, α ′ ) = tr ue iff α ∈ A ∗ [ [ φ ′ ] ] , - if φ is in the form o f [ φ ′ ] pre ց , then φ ( α, a, α ′ ) = f alse iff α ∈ A ∗ [ [ φ ′ ] ] , - if φ is in the for m o f [ φ ′ ] post → , then φ ( α, a, α ′ ) = f alse iff α ′ ∈ [ [ φ ′ ] ] A ∗ . Note that the f ormal interpretation over the u pgrad ing channels an d downgrading channe ls are different. For an upgrad ing assertion h P 6 u [ [[ φ ] pre ր ] ] i , if a pr e-cond itional sequence α matches the pattern, i.e ., α ∈ A ∗ [ [ φ ] ] , the fol- lowing action (if in P ) m ust be purged. Howe ver in the case of downgrading that action must not be purged. The post- condition al assertions on ly act as downgrading chann els. The usage of the terms ‘upgradin g’ and ‘downgrading’ are intuitive fo r bo th conﬁd entiality and integrity speciﬁcations. An up grading assertion h P 6 u [ [[ φ ] pre ր ] ] i allows actions in P to interfere with u (fo r co nﬁdentiality) or u is ch angeable 4 On the other hand, pre-condi tional assertions are allo wed to re vok e a “permission” to cause ﬂow as lon g as the acti ons under control are not yet performed. by P (for integrity) as d efault, u ntil a patter n in [ [ φ ] ] occ urs, after which the policy becomes more strict. An interpretation for downgrading assertions cou ld be mad e in a similar way . Plainly , e very condition al assertion is weaker than its correspo nding strict assertion tha t is genera ted by rem oving its con ditional pa rt. B. Exa mples W e sketch two examples to show that co nditiona l po licies can b e used to express several useful secu rity req uiremen ts related to information ﬂow . Example 2: (book-keepin g) W e present a simple example of well-fo rmed tra nsactions to ensure data in tegrity by Clark and Wilson [9]. Assume th ere is a company with a nu mber of employees. A shared data-base B i s in the company’ s IntraNet fro m which every u ser is allowed to retr iev e in- formation . A user can modify B , but this is only allowed immediately after he has registered (or auth enticated) him - self into the system. This is a basic in tegrity req uirement. Database B is mod elled as a u ser with no actio ns, and its observation on the system is just its contents. For a user E , his action set A E can be partitioned into the set of reading operation s A r E , the set of writing opera tions A w E and the book- keeping action { a bk E } . The information ﬂo w constraints with respect to the security r equirem ent thu s can be stated as follows fo r each user E . (1) E ’ s read ing action s are not allowed to change B , which is the assertio n hA r E 6 B i (2) E ’ s writing action s a re allowed to modify B o nly if that action occurs imm ediately after a book -keeping action. An assertion for th is rule is hA w E 6 B [ [[ { a bk E } ] pre ց ] ] i (3) Finally , the action a bk E also needs to be con strained. If it is no t immediately followed by a write oper ation, it should not affect any p art of the database. So we have h{ a bk E } 6 B [ [[ A w E ] post → ] ] i  The ab ove example illustra tes how action s need to be bun- dled to gether in ord er to b ecome a well-formed transaction. The boo k-keeping op eration serves as a downgrading action on the integrity level of B , afte r which the employee E is allowed to m odify B . The next example presen ts an upgrad ing policy . Example 3: (conﬂict of inter est) I n a sma ll town two sales compan ies u and v , which compete with each oth er , are seeking help s on their business strategies. Ther e is only one consulting comp any avail able in that town. If both u and v connect themselves to the consulting company , it raises the requirem ent th at fo r each individual co nsultant c , once h e contacts one comp any of u and v , he will n ot be allowed to consult the othe r , so that he cannot play two-sides. This requirem ent resembles th e Chinese W all secu rity policy [7]. 5 W e r egard both u and v as users with action sets A u and A v . For eac h consultant c , w e a ssume the set of actions he can d o is ﬁxed as A c , which can furth er be split into d isjoint sets A u c and A v c which are suppo sed to be used to exch ange messages with u and v , respectively . (1) Initially , it is requir ed th at th e compan ies u and v are not a llowed to leak info rmation to each other, wh ich ca n be sketched as hA u 6 v i and hA v 6 u i . (2) The actions f or c to communicate with u are not supposed to have any effect on v , so th at v ’ s view over the system should n ot be chan ged by action s in A u c . Similarly , A v c is no t allowed to alter u ’ s view . Theref ore we have the following assertions. hA u c 6 v i and hA v c 6 u i . (3) Once c starts con sulting u (or tries to ac cess u ), he should b e immed iately disallowed to commun icate with v . This is d eﬁned over th e a ction p artition A u c to company v . For the effect from par tition A v c on com pany u , we deﬁne the same assertion . hA u c 6 u [ [[ A v c ♦ ] pre ր ] ] i and hA v c 6 v [ [[ A u c ♦ ] pre ր ] ] i (4) Howe ver , it is also possible th at c listens to u befo re he starts to commu nictate with v , so that he can p ass informa tion f rom u to v in an u ndesired way . Th erefore we disallow actio ns by u to reveal inf ormation to c bef ore c shows his intention to consult u . This can be sketched by the fo llowing assertion s. hA u 6 c [ [[ A u c ♦ ] pre ց ] ] i and hA v 6 c [ [[ A v c ♦ ] pre ց ] ] i In this example the a ctions in A u c upgrad e the inf ormation ﬂow po licy on A v c to v , i.e., o nce an action in A u c is perfor med, the policy becomes more strict o n the action s in A v c , an d v ice versa. A r easonable co nsequen ce of this p olicy is that once a consultan t tries to commu nicate with both compan ies, he will be forb idden to consult bo th compan ies thereafter .  5 A Chinese W all policy is concerne d with the information ﬂow among all the consultants and consulting companie s. It has two basic rules: (1) Each consultant is allo wed to access at most one company’ s ﬁles in each conﬂict of interest class, which is known as simple security property . (2) Each consultant can write to a company’ s ﬁles only if he has nev er accessed any other company’ s ﬁle, which is kno wn as ⋆ -pro perty . Here we focus on ho w to prev ent information ﬂow between the companies with respect to a particul ar consultant . W e do not prev ent an indi vidual consultant from reading one compan y’ s ﬁle after he has read the other’ s , as long as this actio n does not cause information ﬂow between the two companies, in which sense our policy is weaker than the Chinese W all polic y . C. Mo r e on Pr e-Conditio nal Assertions The conditional n oninterfe rence assertions based on the constraints deﬁned b y Φ − in Fig. 2 are easy to un derstand and use, but it migh t n ot be general enou gh to catch more complicated security require ments. For example, it is not possible to have a n assertion by Φ − to allow an action to act as b oth downgrading a nd upg rading in the way o f a power switch. In this sectio n, fo r p re-cond itional assertions, we deﬁne a more gen eral policy lang uage to achieve better expressiv eness. Th e policy langu age Φ is deﬁn ed as regular expressions on Part . φ := ∅ | P | φ ∪ φ | φ · φ | φ ∗ where P ∈ Part . W e u se A \ P to deno te S { P ′ ∈ Part | P ′ 6 = P } . A pr e- condition al noninter ference assertion is thus in the f orm of h P 6 u [ [ φ pre ] ] i , wh ere P ∈ Par t , u ∈ U and φ ∈ Φ . The function φ pre : A ∗ × A × A ∗ → { tr ue, f al se } is d eﬁned as φ pre ( α, a, α ′ ) = true iff α ∈ L ( φ ) . When it is applied to purge an ac tion seq uence, th e co nstraint φ pre removes every action a in par tition P from α · a · α ′ , when ev er α is in the regular lang uage L ( φ ) expressed by φ in the pre- condition al assertion h P 6 u [ [ φ pre ] ] i . In p articular, the constrain t ∅ does not purge any actions, and A ∗ purges everything, if they a ppear within an assertion. Giv en a user u ∈ U , we deﬁne a p artial order relatio n ≤ u on the set of con ditional assertions associated with u . Say an action sequence a 1 a 2 . . . a n is contained in another sequence α if th ere exists α 0 , α 1 , . . . α n ∈ A ∗ such th at α 0 · a 1 · α 1 · a 2 · α 2 . . . a n · α n = α . Let T 1 and T 2 be two assertions associated with u , T 1 ≤ u T 2 if p u rg e { T 2 } ( α, u ) is containe d in p u rg e { T 1 } ( α, u ) fo r all α ∈ A ∗ . Intu iti vely , this mean s assertion T 2 is stro nger than assertion T 1 , i.e. , the language accepted by the con straint in T 2 is a superset of the language acce pted by the constraint in T 1 . Lemma 1: F or the general pre-con ditional assertions, h P 6 u [ [ φ pre 1 ] ] i ≤ u h P 6 u [ [ φ pre 2 ] ] i imp lies L ( φ 1 ) ⊆ L ( φ 2 ) . This furthe r induces an orderin g o n th e set o f policies, such that given two policies Π 1 and Π 2 , Π 1 ≤ u Π 2 if for all u ∈ U , and T 1 ∈ Π 1 , there exists T 2 ∈ Π 2 such that T 1 ≤ u T 2 . Proposition 1: For every pre-co nditiona l assertio n T 1 = h P 6 u [ [ φ pre ] ] i with φ ∈ Φ − , there exists a constraint ψ ∈ Φ , such that the assertion T 2 = h P 6 u [ [ ψ pre ] ] i satisﬁes T 1 ≤ u T 2 and T 2 ≤ u T 1 . Pr o of: Tri vial, since ev ery p re-cond itional con straint in Φ − expresses a regular expr ession. Note this implies that the distinction between d owngrading and up grading assertion s in Φ − no long er exists in Φ . Since the r egular langu age is closed under complementation , 6 if R ∈ Φ expresses a do wngradin g channel [ φ ] pre ց , there always 6 The author is not sure if it makes sense to have a more general polic y languag e which m ight not hav e such good closure properties, e.g., CFL. exists a nother expression R − ∈ Φ expressing [ φ ] pre ր , such that R ∩ R − = ∅ a nd R ∪ R − = A ∗ . The other direction of Prop. 1 does not hold. Follo wing the claim we m ade at the beginning o f the sectio n, the assertion h P 6 u [ [(( A \ Q ) ∗ ( Q ( A \ Q ) ∗ Q ( A \ Q ) ∗ ) ∗ ) pre ] ] i allows the actions in Q to act as a switch. Even occu rrences of action s in Q disallows P to interfere with u , while an odd n umber of actions in Q allows P . T his is a n assertion that expr esses a po licy mixed with upgradin g an d downgrading , which is not expressible by Φ − . D. A voiding Inconsistencie s Assertion co nﬂict happen s when two assertions associated with the same user and contr olling the same par tition d is- agree on whether an action n eeds to b e purged. T o resolve this pr oblem, we may take a m ore secure ch oice (as stated in Def. 1) by insisting that an action need s to be purged fro m a sequence if there exists an assertion that returns true . Never - theless this may cause a policy to be potentially stronger than what is expected by a (careless) policy speciﬁer . Formally , two assertion s T 1 = h P 6 u [ [ φ 1 ] ] i and T 2 = h P 6 u [ [ φ 2 ] ] i are in conﬂict in a policy , if there exists α, α ′ ∈ A ∗ and a ∈ P , such that φ 1 ( α, a, α ′ ) 6 = φ 2 ( α, a, α ′ ) . Say a policy is simp le , if for every P ∈ Part an d u ∈ U , there is at most on e assertion that co ntrols P an d is associated with u . In this pa per we o nly d iscuss simple policies. Nev ertheless, two conditional assertions may conﬂict each other acco rding to our intuition of permitted infor mation ﬂow ev en in a simple po licy . For example, let a post- condition al assertion T 1 = h P 1 6 u [ [[ ♦ P 2 ] post → ] ] i be an assertion that allows P 1 to interfere with u only via a channel provided by P 2 . This assertion is intuitively conﬂicting the assertion T 2 = h P 2 6 u i which disallo ws P 2 to in terfere with u in all circumstances. Since P 2 is allowed to con trol informa tion from P 1 to u in T 1 , the info rmation pa ssed from P 1 to u ca rries a ‘p ermission’ fr om P 2 , which seems undesirab le. W e pr opose the fo llowing condition s to mon itor this type o f inconsistencies fr om a policy . Deﬁnition 2: G i ven a signature ( A , U, dom ) an d a p artition Part , - a policy Π is left-consistent if f or all u ∈ U and for all α, α ′ ∈ A ∗ , p ur g e Π ( p urg e Π ( α, u ) · α ′ , u ) = p ur g e Π ( α · α ′ , u ) , - a p olicy Π is right-consistent if fo r all u ∈ U and for all α, α ′ ∈ A ∗ , p ur g e Π ( α · p urg e Π ( α ′ , u ) , u ) = p ur g e Π ( α · α ′ , u ) . Intuitively , supp ose the effect o f action a dep ends on th e existence of ac tion b , then the cond itions tha t d etermine the effect of b shou ld b e c onsistent with the conditions that determine the effect of a . A policy being left-consistent (right-co nsistent) r equires that the existence o f every action in a purged seque nce is consistent with the e xistence of ev ery other action ap pearing to the left (righ t) of that action in the sequence. Obviously , a simple policy consisting of only strict assertions is b oth left-co nsistent and right-con sistent. E. En coding I ntransitive Non interfer ence Intransitive noninter ference [21], [32] deﬁnes an informa tion ﬂow policy as a (reﬂexive) bin ary relation over the set o f security domains U , where u v indicates that u is allowed to interfere with v , an d is n ot necessarily transitiv e o n U . T he ipur ge fun ction of type A ∗ × U → A ∗ can be deﬁned as f ollows. 7 Giv en u ∈ U an d α ∈ A ∗ in the form of a 1 a 2 . . . a n , ipur ge ( α, u ) = a ′ 1 a ′ 2 . . . a ′ n , such that fo r every i ∈ { 1 , . . . , n } , a ′ i =  a i if a i +1 a i +2 . . . a n contains an interference chain , ǫ otherwise. where an in terference chain is a subsequence b 1 b 2 . . . b m that is contained in a i +1 a i +2 . . . a n , satisfyin g that dom ( a i ) dom ( b 1 ) , dom ( b j ) dom ( b j +1 ) for all 1 ≤ j ≤ m − 1 , and dom ( b m ) u . A system is secure with resp ect to intransitive noninterf erence (of policy ), if for all u ∈ U an d α ∈ A ∗ , we have o bs u ( s, α ) = o bs u ( s, ipur ge ( α, u )) . W e show that the conditional noninte rference policies sub- sume the intran siti ve noninter ference policies b y using only post-cond itional assertions. Given a signature ( A , U, dom ) and an intran siti ve noninte rference p olicy ⊆ U × U , we construct a policy Π( ) as f ollows. First we let Part = {A u | u ∈ U } . For e very pa ir of users u, v ∈ U , we construct the set Interf ( u, v ) = { v 1 v 2 . . . v n ∈ U ∗ | u v 1 v 2 . . . v n v } . In this set we enumera te all po ssible interfer ence chains f rom user u to user v . (Th is set could be inﬁnite.) Deﬁne a co ndense operator C ond : 2 A ∗ → 2 A ∗ by C ond ( T S et ) = { α ∈ T S e t | ∀ α ′ ∈ T S e t : α contains α ′ ⇒ α = α ′ } . This operator is to remove all redund ant and cyclic c hains in a set Interf ( u, v ) , so that the remaining cond ensed set is minimal. F or exam ple if u v , then n either the chain u w v nor the ch ain u w u v will provide any addition al inform ation o n purging action s in A u with respec t to u ser v . Mor eover , suc h a condensed set will always be ﬁnite provided that U is ﬁnite. W e deﬁn e Π( ) as a set consisting of the following assertion s. For a ll distinct u, v ∈ U , 1) if Interf ( u, v ) = ∅ , then hA u 6 v i is an assertion in Π( ) , 2) if Interf ( u, v ) 6 = ∅ and C ond ( Interf ( u, v )) 6 = { ǫ } , then hA u 6 v [ [[ λ 1 ∪ λ 2 ∪ · · · ∪ λ n ] post → ] ] i is an assertio n in Π( ) , wh ere { λ 1 , λ 2 , . . . , λ n } = C ond ( Interf ( u, v )) . The corr ectness of the above con struction of Π( ) is b y the fo llowing result, with its p roof sketch in th e a ppendix . 7 The i pur ge functi on in the original paper of Haigh and Y oung [21] is deﬁned in a differe nt way , but semantica lly equiv alent to the deﬁniti on here. Proposition 2: Gi ven an in transitiv e noninterf erence po l- icy , for all u ∈ U an d α ∈ A ∗ , ipur ge ( α, u ) = p ur g e Π( ) ( α, u ) . Next we show that intran siti ve non interferen ce policies are always right- consistent. 8 The pro of o f right-co nsistency requires the following lemm as, which basically show that the ipur ge functions a re id empotent and they preserve all the inter ference ch ains in the r esults. Lemma 2: F or all α ∈ A ∗ and u, v ∈ U , the sequ ence α contains an interferen ce chain from u to v if f ipur ge ( α, v ) contains an inter ference chain f rom u to v . Lemma 3: ip ur ge ( ipur ge ( α, u ) , u ) = ipur ge ( α, u ) for all α ∈ A ∗ and u ∈ U . Proposition 3: Every in transitive no ninterfer ence policy is right-co nsistent. Pr o of: Given a p olicy , u ∈ U and α, α ′ ∈ A ∗ , we show ipur ge ( α ′ · α, u ) = ipur ge ( α ′ · ipur ge ( α, u ) , u ) . W e prove b y indu ction o n length of α ′ . Base case: ipur ge ( ǫ · ipur ge ( α, u ) , u ) = ipur ge ( ǫ · α, u ) is b y Lem. 3. Suppose ipur ge ( γ · ipur ge ( α, u ) , u ) = ipur ge ( γ · α, u ) for some γ ∈ A ∗ , we show the case fo r a · γ . • If ipur ge ( a · γ · α, u ) = a · ipur ge ( γ · α, u ) , th en there exists an inter ference c hain in γ · α from dom ( a ) to u . W .l.o.g , we write a 1 a 2 . . . a i a i +1 . . . a n to be the chain where a 1 a 2 . . . a i is contained in γ , and a i +1 . . . a n is contained in α . Then a i +1 . . . a n is an interf erence chain from dom ( a i ) to u by deﬁnition. Then there is also an in terference chain η from dom ( a i ) to u in ip ur ge ( α, u ) by Lem. 2, so a 1 a 2 . . . a n · η is an interferen ce chain from dom ( a ) to u in γ · ipur ge ( α, u ) . Therefo re ipur ge ( a · γ · ipur ge ( α, u ) , u ) = a · ipur ge ( γ · ipur ge ( α, u ) , u ) . T hen we hav e ipur ge ( a · γ · α, u ) = ipur ge ( a · γ · ipur ge ( α, u ) , u ) b y pre-p ending action a on both sid es of the in duction hyp othesis. • If ipur ge ( a · γ · α, u ) = ipur ge ( γ · α, u ) , then th ere d oes not exist an interfer ence chain in γ · α fro m dom ( a ) to u . Theref ore there doe s no t exist an interfer ence chain in γ · ipur ge ( α, u ) which is a shorter sequ ence. Th en we have ipur ge ( a · γ · ipur ge ( α, u ) , u ) = ipur ge ( γ · ipur ge ( α, u ) , u ) . Th en w e have the r esult by indu ction hypoth esis. Since the effect o f ipur ge on the policy is the same as that of p u rg e Π( ) , ev ery policy Π( ) encodin g an intransitive no ninterfer ence policy is right-co nsistent. T ogether with the u nwindin g cha racterization for policies of p ost-conditio nal assertions in Sect. IV, this result makes it po ssible to reason about security with r espect to in tran- siti ve n oninterf erence by unwind ing theor ems that are bo th 8 Note that intransiti ve noninterferenc e polici es are not necessaril y left- consisten t, since a preﬁx of a s equenc e does not necessaril y conta in an interfe rence chain ev en if the whole sequence does. Howe ver , intuiti vely , left-c onsistenc y is not important for intransiti ve policies which only place control s after an action is performed. sufﬁcient and necessary . This allows us to verify security proper ties th at are r elated to intra nsitiv e inform ation ﬂow in a variety of area s (such as operating system and security protoco l veriﬁcation) in a more precise way . Moreover , our policy language on post-cond itional as- sertions is strictly more expressive th an the policies of intransitive noninterfe rence, e ven in the case of Part = {A u | u ∈ U } . An exam ple could be a four-user system with U = { H , D 1 , D 2 , L } , on which we have a policy with a single assertion hA H 6 L [ [[ ♦ A D 1 ♦ A D 2 ] post → ] ] i , but neither A D 1 nor A D 2 is restricted from interferin g with L . Th is policy asserts that an action fro m H must be approved by both D 1 and D 2 in the p articular or der before bein g passed on to L , an d D 1 is allowed to pass inform ation to L in a way indep endent to th e action s from D 2 . This po licy is no t expressible by intr ansitiv e nonin terference . Moreover it is not hard to show that such policy is still right- consistent. I V . U N W I N D I N G R E L A T I O N S Unwinding pr ovides a veriﬁcation techn ique on noninter- ference- related security requir ements. An unwin ding theo- rem redu ces the veriﬁcation of an infor mation ﬂow secu rity problem into the existence o f a set of relations satisfying certain prope rties, which is thus easier to be formalized and veriﬁed by existing to ols such as p roof assistants an d model ch eckers. 9 In this section we p resent g eneral fo rms o f unwindin g theore ms for the two classes of con ditional non- interferen ce assertions in troduced in the p revious sections. The use of unwind ing relatio ns on th e pro of of n oninter- ference h as been discussed in the literature [18], [32] which is based on the assumptio n that the relation ⊆ U × U is transitive. First we show that this result is still valid for the class of po licies that consist of strict a ssertions. (Note here the relation as determined by the set o f assertions is not necessarily tran siti ve.) Giv en a machine M = h S, s 0 , s tep, o bs, O i and a policy Π co nsisting of only strict assertions, a set of un winding relation s {∼ u } u ∈ U are deﬁned as follows. For ea ch user u ∈ U , ∼ u ⊆ S × S is an equ iv alence rela tion satisfying the conditio ns output consistency (O C), step consistency (SC), and lo cal respect (LR). OC s ∼ u t implies o bs u ( s ) = o bs u ( t ) . SC s ∼ u t and a ∈ A implies s tep ( s, a ) ∼ u s tep ( t, a ) . LR s ∼ u s tep ( s, a ) if h p art ( a ) 6 u i ∈ Π . The existence of a set o f relatio ns {∼ u } u ∈ U that satisfy the above three p roperties is both sufﬁcient and nec essary for a system to be secure . The p roof method is exactly the same 9 Although noninterfe rence are trace-based prop erties and unwinding are bisimulat ion-based techniques, the unwindi ng charact erizati ons in thi s paper are tight partiall y becau se for determin istic s ystems trace semantics and bisimulat ion semantics coincide [41]. Extending unwinding as a complete charac terizat ion for trace-base d information ﬂ o w properties in nondete r- ministic systems will be challengi ng, and we lea ve it as a future work. as wh at was presen ted in [ 32]. Deﬁn e a relation u ∼⊆ S × S for each u ∈ U by s u ∼ t if o bs u ( s ) = o bs u ( t ) . Theorem 1: Given a policy Π , a system M is secure w ith respect to Π iff ther e exist un winding r elations {∼ u } u ∈ U . Pr o of: The ‘ if ’ direction can be p roved by induction on th e leng th of the input actions in th e sam e style of [32]. For th e ‘only if ’ directio n, if the M is secure, we ca n show that the relation s u ≈ deﬁn ed b y s u ≈ t if s • α u ∼ t • α for all α ∈ A ∗ satisﬁes OC, SC and LR. A. Unwind ing for Pre-conditional Assertions W e present an unwin ding techniq ue which is sound for policies co nsisting o f pre-con ditional assertions deﬁn ed b y the policy lang uage Φ . This techniq ue is co mplete fo r policies that are left-consistent. Since the p olicy lan guage produ ces a regular set of sequences, f or each assertion T of the form h P 6 u [ [ φ pre ] ] i , we write A ( φ ) P,u for the ﬁnite automato n accepting L ( φ ) , and regard A ( φ ) P,u as the assertion autom aton o f T . W e deﬁne an additio nal rule for the unwind ing r elations on p re-con ditional assertions. Gi ven a machine M in the form of h S, s 0 , s tep, o bs, O i and a policy Π , a set of unwind- ing r elations {∼ u } u ∈ U are eq uiv alence relation s satisfying OC, SC, LR, an d the new condition LR ≤ which is speciﬁed as follows. LR ≤ s ∼ u s tep ( s, a ) if h p art ( a ) 6 u [ [ φ pre ] ] i ∈ Π an d there exists α ∈ L ( φ ) such that s = s 0 • α . As LR en sures a partition to follow a strict assertion, the condition LR ≤ ensures the satisf action of p re-con ditional assertions in ge neral. Intuitively , if a state is reachable by an action sequ ence within the langua ge d eﬁned by an assertion, an action that is contro lled by that assertion must be purged . W e show that this characterization is sufﬁcient for a system to be secure with respect to a po licy c onsisting of o nly pre- condition al assertion s. (As a strict assertion can also be trea ted as a p re-con ditional assertion by th e regular expression A ∗ .) Theorem 2: Given a system M and a policy Π co nsisting of only pre-c ondition al assertions, M is secure if there exists a set of eq uiv alence relatio ns {∼ u } u ∈ U satisfying OC, SC, LR and LR ≤ . If a g i ven policy is left- consistent, then this chara cteriza- tion is also co mplete. Theorem 3: Given a system M and a policy Π co nsisting of only pre-cond itional assertio ns, if M is secu re and Π is left-consistent, th en there exist a set of equiv alence r elations {∼ u } u ∈ U satisfying OC, SC, LR and LR ≤ . The regularity of the assertion lang uage Φ allows to apply assertion auto mata for pre -conditio nal assertions to m ark the states where LR ≤ needs to b e applied to pu rge an action. This co uld be d one b y a par allel compo sition of the mac hine M with the A ( φ ) P,u for every h P 6 u [ [ φ pre ] ] i ∈ Π , which could be automated in a model checker . Since assertion automata usually do no t con tain a lot o f states, a local mod el checking algorithm is able to detect violations of security on-the- ﬂy when a system is very large (even p ossibly of inﬁnite states). W e ha ve the following r eduction fro m noninter ference security properties with policies con sisting of pre-c ondition al a ssertions to safety properties. For a n assertion T = h P 6 u [ [ φ pre ] ] i ∈ Π , we assume th at an assertion automaton A ( φ ) T = h S T , s ( T , 0) , → , F T i is determin istic, and a ccepts the languag e L ( φ ) . W e assume Π is denum erable as { T 1 , T 2 , . . . } . Given a machine M = h S, s 0 , s tep, o bs, O i , fo r each u ∈ U , we deﬁn e a mac hine M Π u = h S u , s u 0 , s tep u , o bs u , dom i to be the system with identical actions an d domain s, with states S u = S × S × S T 1 × S T 2 × . . . , initial state s u 0 = ( s 0 , s 0 , s ( T 1 , 0) , s ( T 2 , 0) , . . . ) , and the observa- tion fun ction o bs u : S u → ( O × O ) is deﬁned as o bs u ( s 1 , s 2 , t 1 , t 2 , . . . ) = ( o bs u ( s 1 ) , o b s u ( s 2 )) fo r s 1 , s 2 ∈ S , and transition fu nction s tep u : S u × A → S u is g i ven b y s tep u (( s 1 , s 2 , t 1 , t 2 , . . . ) , a ) = ( s ′ 1 , s tep ( s 2 , a ) , t ′ 1 , t ′ 2 , . . . ) with a ∈ A a nd t i a − → t ′ i for all i , and s ′ 1 =    s 1 if there is T i = h p art ( a ) 6 u [ [ φ pre ] ] i and t i ∈ F T i , s tep ( s 1 , a ) otherwise . Intuitively , in e very transition , an actio n a is not allowed to app ly on the left pa rt of a state p air , if the assertion automaton contr olling p art ( a ) and associated with u is in its ﬁnal state. A p roof by in duction shows that for e very sequence of actions α ∈ A ∗ , if s u 0 • α = ( s, t, . . . ) in M Π u , then in M we have s = s 0 • p ur g e Π ( α, u ) an d t = s 0 • α . W e theref ore obtain the f ollowing. Proposition 4: A m achine M is secu re with respect to a left-consistent policy Π iff for a ll u ∈ U and for all states s in M Π u reachable fro m s u 0 , we have that obs u ( s ) = ( o, o ′ ) implies o = o ′ . B. Unwind ing for P ost-cond itional Assertions In this section we stud y the unwind ing r elations for policies co nsisting of post-con ditional assertions d eﬁned by Φ − as given in Fig. 2. The design of un winding for this class of policies is rather inv olved. Our solution allows possibly more than one eq uiv alence rela tions fo r each u ser . The underly ing intuition is as follo ws. If an action a is allowed to interfere with user u only if it is fo llowed by another action b , then f or each state s , we need to h av e s and s tep ( s, a ) indistinguishab le by u af ter any sequence of actions that does not con tain b . Based on that, we deﬁne a bin ary relation [ b ] ∼ u ⊆ S × S and let s [ b ] ∼ u s tep ( s, a ) to rep resent th e e ffect that state s and state s tep ( s, a ) are not distingu ishable b y u as long as b is no t perfo rmed. (i.e., s [ b ] ∼ u t implies s tep ( s, c ) [ b ] ∼ u s tep ( t, c ) if c 6 = b ) In tuitiv ely , su ch a relation must b e an equ ivalence r elation. For readability we move some of the proofs in th is section into appendix and only provide explana tions abo ut the proo fs instead. Let Π be a policy of post-con ditional assertion s. For a user u ∈ U , write the set of assertions a ssociated with u as a subpolicy Π u ⊆ Π . Le t Q = P ( Part ) ∪ { ♦ C | C ⊆ Part } . Deﬁne the set of terms which ar e sufﬁxes of th e given constraints in Π u as ∆ Π u = { λ ∈ Q ∗ | ∃ λ ′ ∈ Q ∗ , h P 6 u [ [[ C 1 ∪ C 2 ∪ · · · ∪ C n ] post → ] ] i ∈ Π u : λ ′ · λ = C i ∧ i ∈ [1 . . . n ] } . Intuitively , th is is the sufﬁx clo sure of the set o f post-conditional chann els that allo w to downgrade informa tion f rom some partition to u . Th e set of u nwindin g relations for a u ser u ∈ U is { δ ∼ u | δ ⊆ ∆ Π u } , which are the equiv alence relation s satisfy ing the following rules. OC s δ ∼ u t im plies s u ∼ t for all δ ⊆ ∆ Π u with δ ∩ { ǫ } = ∅ . SC + If s δ ∼ u t and a ∈ A , then s tep ( s, a ) sc ( δ,a ) ∼ u s tep ( s, a ) . LR h p art ( a ) 6 u i ∈ Π im plies s ∅ ∼ u s tep ( s, a ) . LR ≥ h p art ( a ) 6 u [ [[ λ 1 ∪ λ 2 ∪ . . . λ n ] post → ] ] i ∈ Π implies s { λ 1 ,λ 2 ,...λ n } ∼ u s tep ( s, a ) . SUB For all δ 1 , δ 2 ∈ P (∆ Π u ) , δ 1 ⊆ δ 2 implies δ 1 ∼⊆ δ 2 ∼ . The fun ction s c : P (∆ Π u ) × A → P (∆ Π u ) is deﬁn ed as sc ( δ ) = S λ ∈ δ cut ( λ, a ) , where the cut fu nction is deﬁned as follows. Given P ∈ P ( Part ) and λ ∈ Q ∗ , • cut ( ǫ , a ) = { ǫ } for all a ∈ A , • cut ( P · λ, a ) = { λ } if a ∈ P , • cut ( P · λ, a ) = ∅ if a 6∈ P , • cut ( ♦ P · λ, a ) = { λ } if a ∈ P , • cut ( ♦ P · λ, a ) = { ♦ P · λ } if a 6∈ P . The condition OC asserts that all such relatio ns containing unﬁnished d owngrading ch annels to u (with ǫ ∈ δ ) must be contained in u ∼ , i. e., th ey shall no t cur rently be disting uished by u . The deﬁnition of the SC + rule follows the m echanism of pattern matching which simulates the process of purging. For examp le, if s { ♦ P λ } ∼ u t , then af ter an action a ∈ P is perfor med, s tep ( s, a ) and s tep ( t, a ) need s to b e related by the relation { λ } ∼ u , indicating that an action in P has been perfor med an d th at the rest of the downgrading c hannel is λ . Th e states can be related by two downgrading ch annels, e.g. s { λ,λ ′ } ∼ u t , indicating the two possibilities to effect the vie w (or to relax the indistinguishability relation) of u . When tw o states are related by a set with a c ompleted channel, e.g. , s δ ∼ u t with ǫ ∈ δ , then s an d t need n ot be indistingu ishable to u any more. Plainly δ ∼ u = S × S if ǫ ∈ δ , where S is the state space of a machine. I nforma lly , condition SUB ind icates that the more chann els a relation carries, the weaker policies that relation represents. As ∅ ∼ u is the smallest such r elation fo r user u ∈ U , it represents strict noninterfer ence, so that u can never d istinguish two states that are related b y his o wn future behaviours. For a sufﬁx constrain t λ in th e f orm of C λ ′ or ♦ C λ ′ , write I ( λ ) for C wh ich is the ﬁrst set of action s to check in λ . W e have the fo llowing pr operty for f unction sc . Lemma 4: F or all λ ∈ sc ( δ, a ) , we have at least one of the following con ditions h old. 1) λ = ǫ and λ ∈ δ , 2) λ ∈ δ with a 6∈ I ( λ ) , 3) C λ ∈ δ with a ∈ C , 4) ♦ C λ ∈ δ with a ∈ C . Lemma 5: F or all δ 1 , δ 2 ∈ P (∆ Π u ) and u ∈ U , s δ 1 ∼ u t a nd t δ 2 ∼ u r implies s δ 1 ∪ δ 2 ∼ u r . Pr o of: By the rule SUB we hav e δ 1 ∼⊆ δ 1 ∪ δ 2 ∼ and δ 2 ∼⊆ δ 1 ∪ δ 2 ∼ , theref ore s δ 1 ∪ δ 2 ∼ u t and t δ 1 ∪ δ 2 ∼ u r . Th en s δ 1 ∪ δ 2 ∼ u r by tran siti vity of th e relation δ 1 ∪ δ 2 ∼ u . Similar to the pre-co nditional co nstraints, every post- condition al constraint can be r egarded as a pattern in r egular expression, such that an action mu st not be pu rged if it is followed by a seq uence of action s within the p attern characterized b y the constrain t. Deﬁne an interpretatio n operator [ . ] : Φ − → ( P ( A )) ∗ , by [ ǫ ] = A ∗ , [ C λ ] = C [ λ ] , and [ ♦ C λ ] = ( A \ C ) ∗ C [ λ ] for C ⊆ A , where λ ∈ ( P ( A )) ∗ . Lemma 6: Gi ven a system M , a user u ∈ U , an d a po licy Π with only po st-condition al assertions, if there exists a set of re lations { δ ∼ u } δ ⊆ ∆ Π u ,u ∈ U satisfying OC, LR, LR ≥ , SC + and SUB, then for all s, t ∈ S and α ∈ A ∗ \ S λ ∈ δ [ λ ] with s δ ∼ t and δ ⊆ ∆ Π u satisfying δ ∩ { ǫ } = ∅ , we ha ve s • α u ∼ t • p u rg e Π ( α, u ) . The pro of of this lemma is by in duction on the leng th of an action sequence on states that a re related by all po ssible sets of in complete chan nels. From Lem . 6 one can obtain the soun dness r esult. Theorem 4: Given a system M , a user u ∈ U , and a policy Π with only po st-condition al assertions, if there exists a set of relation s { δ ∼ u } δ ⊆ ∆ Π u ,u ∈ U satisfying OC, L R, LR ≥ , SC and SUB, the n M is secure with resp ect to Π . Pr o of: W e need to show for a ll u ∈ U and α ∈ A ∗ , we have s 0 • α u ∼ s 0 • p ur g e Π ( α, u ) . Since ∅ ∼ u is reﬂexiv e we have s 0 ∅ ∼ u s 0 , then the result directly fo llows by L em. 6. Note S λ ∈∅ [ λ ] = ∅ . T o establish a completen ess r esult, we study the set o f relations { δ ≈ u } δ ∈ ∆ Π u speciﬁed as follo ws. Deﬁne δ ≈ u ⊆ S × S , such that s δ ≈ u t if for all α ∈ A ∗ satisfying α 6∈ [ λ ] for all λ ∈ δ , s • α u ∼ t • α . W e regard { δ ≈ u } δ ∈ ∆ Π u as the relations that characterize information ﬂow security fo r post-cond itional assertions, with some nice properties that are guara nteed b y Lem. 7. Lemma 7: F or each user u ∈ U in system M , the set of relations { δ ≈ u } δ ∈ ∆ Π u satisﬁes OC, SC + and SUB. Finally we are ab le to prove that the existence o f such unwindin g re lations is also necessary fo r a system to be secure, provided that the given policy con sisting of post- condition al a ssertions is rig ht-consistent. The method ology on proving Thm . 5 is that OC, SC + and SUB c ondition s determine a set o f the largest bisimulation- like relations { δ ≈ u } δ ⊆ ∆ Π u on th e state space fo r eac h u , then LR and LR ≥ condition s assert that nonin terfering actions do not m ake transitions that go beyond each equiv alent class. W e leave the detailed pr oof in the ap pendix . Theorem 5: Given a system M with a r ight-con sistent policy Π consisting of post-con ditional assertions, if M is secure with respect to Π , then th ere exists a set of relation s { δ ∼ u } δ ⊆ ∆ Π u satisfying O C, LR, LR ≥ , SC + and SUB fo r all u ∈ U . C. A Case Stud y on Unwinding W e take the p olicy as introd uced in examp le 2 and show how to construc t u nwinding relatio ns in this simple system to ensure integrity of data-base operations. Suppose there are a ﬁnite n umber of emp loyees E = { E 1 , E 2 . . . E m } working with a datab ase B with ﬁnite entrie s X = { x 1 , x 2 , . . . x n } each of which stores a na tural number . The action set av ailable to E i is A r E i ∪ A w E i ∪ { a bk E i } , where A r E i = { r ( i, x ) | x ∈ X } and A w E i = { w ( i, x, v ) | x ∈ X } . The state space is S = ( { succ, den y , r eady , ⊥} ∪ N ) E × N X , so that a state s = ( o 1 , o 2 , . . . o m , d 1 , d 2 , . . . d n ) is a snapshot o f all employee’ s obser vations as w ell as the c ontents in database B . I n th is case we wr ite s ( i ) for E i ’ s observation and s ( x j ) for the j - th en try of B in s . Th e ob servation func tion f or B (as a user) is thus o b s B ( s ) = ( s ( x 1 ) , s ( x 2 ) , . . . s ( x n )) , and o bs E i ( s ) = s ( i ) . Write s [ t 7→ v ] for a state identical to s except that s [ t 7→ v ]( t ) = v . The initial state s 0 is d eﬁned as s 0 ( i ) = ⊥ fo r all i ∈ 1 . . . m , and s 0 ( x j ) = 0 for all x j ∈ X . The tr ansition fun ction is deﬁned a s f ollows. For all i ∈ 1 . . . m and x k ∈ X , • s tep ( s, r ( i , x k )) = s [ s ( i ) 7→ s ( x k )][ ∀ j 6 = i : s ( j ) 7→ ⊥ ] , • s tep ( s, w ( i , x k , v )) = s [ s ( i ) 7→ deny ][ ∀ j 6 = i : s ( j ) 7→ ⊥ ] if s [ i ] 6 = r eady , and s tep ( s, w ( i, x k , v )) = s [ s ( i ) 7→ succ ][ s ( x k ) = v ][ ∀ i : s ( i ) 7→ ⊥ ] oth erwise, • s tep ( s, a bk E i ) = s [ s ( i ) 7→ r eady ][ ∀ j 6 = i : s ( j ) 7→ ⊥ ] . where [ ∀ j 6 = i : s ( i ) 7→ ⊥ ] is sho rt fo r [ s (1) 7→ ⊥ ] . . . [ s ( i − 1) 7→ ⊥ ][ s ( i + 1) 7→ ⊥ ] . . . [ s ( m ) 7→ ⊥ ] , which sets all users except i ’ s obser vation to ⊥ . Informally , a bk E i acquires a u nique write-permission for E i by setting i ’ s ob servation to r eady and simultaneou sly re moving all other em ployees’ ability to wr ite. Recalling the security policy of examp le 2, we have the following th ree rules to ensure integrity of B . For all E i , (1) readin g actions do not modif y B : hA r E i 6 B i , (2) writing actions take effect only by immed iately fol- lowing a book- keeping a ction: hA w E i 6 B [ [[ a bk E i ] pre ց ] ] i , and (3) book -keeping do es not have side ef fects: h{ a bk E i } 6 B [ [[ A w E i ] post → ] ] i . W e treat (1) and ( 2) as pre- condition al ass ertions, by deﬁning an eq uiv alence relation ∼ B as f ollows. 10 Let s ∼ B t if o bs B ( s ) = o bs B ( t ) an d fo r all 1 ≤ i ≤ m , either s ( i ) = t ( i ) = r eady , or s ( i ) 6 = r eady and t ( i ) 6 = r eady . 10 Since the polic y is not designed to protect the employees, we only study the unwinding relati ons for B . W e show tha t ∼ B is an un winding relation for assertio ns (1) and (2) . • OC is trivial. • For SC, if s ∼ B t , then for all 1 ≤ i ≤ m , (1) s te p ( s, r ( i, x )) ∼ B s tep ( t, r ( i, x )) , b ecause r ( i, x ) only sets E i ’ s observation to s ( x ) wh ich is the sam e as t ( x ) b y deﬁnition , an d (2) s tep ( s, w ( i, x, v )) ∼ B s tep ( t, w ( i, x, v )) , since the writing action either changes both item x to v , o r fails to change both, and (3) s tep ( s, a bk E i ) ∼ B s tep ( t, a bk E i ) , since th e bo ok- keeping action o nly sets both states as re ady f or E i to write, and resets all other ob servations to ⊥ . • For LR, it is obvious tha t s ∼ B s tep ( s, r ( i, x )) for all i and x . • For LR ≤ , the langu age L ([ a bk E i ] pre ց ) is expressed as A ∗ ( A \ { a bk E i } ) . Then we h av e that f or all α ∈ A ∗ ( A \ { a bk E i } ) and action a in the form o f w ( i, x, v ) , s tep ( s 0 • α, a ) ∼ B s 0 • α (Since n o one is ready in s 0 • α and no on e is ready in s tep ( s 0 • α, a ) ). Assertion ( 3) is po st-condition al, f or which we establish the following relation s. - { ǫ } ∼ B = { A w E i ,ǫ } ∼ = S × S fo r all i . - s { A w E i } ∼ B t if o bs B ( s ) = o bs B ( t ) , and for all j 6 = i , either s ( j ) = t ( j ) = r eady , or s ( j ) 6 = re ady and t ( j ) 6 = r eady . (i.e ., only E i ’ s o bservation is relaxed from the co nstraints imposed on ∼ B .) - ∅ ∼ B is de ﬁned as ∼ B . W e show th is set of relations are unwin ding relations for assertion (3). • OC an d SUB ar e trivial. • For SC + , the case for δ ∼ B with ǫ ∈ δ is trivial, since in this ca se δ ∼ B = S × S . Let s { A w E i } ∼ B t , then for all a ∈ A \ A w E i , we need to show s te p ( s, a ) ∅ ∼ B s tep ( t, a ) . This is straigh tforward b ecause the only possibility to prevent s to be related to t by ∅ ∼ B is tha t th ey disagree on E i ’ s o bservation, an d every action a ∈ A \ A w E i will set E i ’ s o bservation to the same value in s tep ( s, a ) a nd s tep ( t, a ) without m odifying B ’ s contents. • For LR ≥ , for all s ∈ S , on ly E i ’ s view is c hanged to rea dy in s tep ( s, a bk E i ) , thu s s { A w E i } ∼ B s tep ( s, a bk E i ) by deﬁnition. By establishing the u nwinding relations, Thm . 2 and Thm. 4 guarantee that the system is secure with respect to the giv en policy . Mor eover , one can still prove that the existence of such u nwindin g relations is complete for this particular policy in this example, by applying the techniq ues used in the proo fs of Thm. 3 and Thm. 5. As th e policy discussed in this example is n either left-co nsistent nor righ t-consistent (which can be shown fr om th e p u rg e function derived fr om the policy) 11 , this ser ves as an example showing that left- and rig ht-consistencies are not always nece ssary for a po licy to be comp letely chara cterizable by the u nwinding relations deﬁned in th is paper . V . R E L A T E D W O R K Conditional noninterfer ence was ﬁrst proposed by Goguen and Meseguer [17]. Our work extends their deﬁnition to a more g eneral fo rm, such that th e con trol of inform ation ﬂow can be p laced either bef ore or after the actions with in tended ﬂow . Th e notion of intransiti ve non interfere nce was ﬁrst propo sed by Haigh and Y oung [2 1], and later r evised by Rushby [32]. Our policy deﬁned by post-cond itional asser- tions are strictly mo re expressive tha n that o f intr ansitiv e noninter ference, w hich has bee n sketched in Sect. I II-E. Nev ertheless, the un winding theorems pr esented f or this more general po licy is both soun d an d co mplete in a very general sense (we b eliev e that action- based c hannel contro l policies ar e usually supposed to b e con sistent), while th e weak unwin ding r elation [32] fails to be com plete f or intransitive n oninterfe rence in th e literatur e. The un winding technique of Mantel [23] is sound for a spectru m of trace- based properties [22], but it is also not complete. A few other works extend Rushby ’ s weak un winding in no ndeterm inistic languag e-based settings [25], [24]. The r esult in th is paper is ba sed on systems w ith deterministic tran sition func tions, but it will be straightfor ward to extend the deﬁnitions of our po licies for b oth pre-conditional a ssertions and post- condition al assertions in n ondeter ministic systems, p ossibly by revising the un winding ru le SC (o r SC + ) in th e way of bisimulation [27] 12 . Bossi et al. e xtended the unwinding-b ased cha racterization for the secu rity prop erties in SP A [14], [16] to supp ort downgrading [6]. Th ey d escribed a policy for three secu rity lev els inclu ding H (High level user), D (Downgrader ) and L ( low level user) by applyin g unwind ing to disallow informa tion ﬂo w from H to L witho ut putting any con straint on D . Th eir approach is basically Gog uen an d Meseguer’ s strict noninterfer ence p olicies [17] (as we sketched in ex- ample 1) in a nond eterministic environmen t with silent system moves. W ith respect to persistency [ 16], o ur policies by post-co nditional assertio ns are inherently persistent, i. e., if a system is secure with respect to such policies then it is secure if every reachable state is a possible in itial state. Howe ver , our policies by pre-co nditiona l assertions are not necessarily persistent by deﬁn ition. 13 Roscoe and Goldsmith [31] gen eralized the determ inism based notion 11 Ne verth eless, it is obvious tha t the pre-condition al part of the polic y is left-c onsistent, and the post-co nditiona l part of th e polic y is right-consi stent, which helps to establi sh a proof for complete ness. 12 Ho wev er , achie ving comple teness m ight be very nontri vial for unwin d- ing in nondetermini stic systems for trace-based properties. 13 In this case, we claim that it is sufﬁci ent to verify the persistent version of a pre-conditio nal assertion φ by e xamining a policy automaton accepting the language L ( φ ) ′ = { α · α ′ | α ∈ A ∗ ∧ α ′ ∈ L ( φ ) } . of non interferen ce [30] to intran siti ve n oninterf erence with three secu rity levels in process algebra CSP . Their pro perty is po tentially stro nger tha n most o f the existing in transitiv e noninter ference pro perties in literature [36]. V an der Meyden d ev eloped a new set of intransitive noninter ference p roperties to r eason a bout info rmation ﬂow epistemically [38]. As it was identiﬁed tha t Haigh and Y oung’ s intransitive ﬂow property [ 21] may allow a d own- grader to pa ss information from high level to low le vel without knowing w hat is to be downgraded, a nu mber of new intransitive non interfere nce p roperties are introduced to catch the idea that a downgrader’ s kn owledge abou t the secret inform ation should be n o less than what the low lev el user is able to get. Th e new p roper ties deﬁned by van der Meyde n are stro nger th an intran siti ve nonin terfer- ence [21], [3 2] and weaker than (strict) no ninterfere nce [17]. Our f ramework lies in a dif ferent d imension, in that we extend th e fram ew ork of [17], [32] to suppo rt more ﬂexible policies without m uch conc ern on a u ser’ s knowledge. The metho dologies f or declassiﬁcation o f secret in forma- tion h av e be en surveyed by Sab elfeld and Sands [34], in which all related works are class iﬁed into four different dimensions: (1) who releases infor mation, (2) what infor- mation is released (3 ) where in the system in formation is released and (4) when info rmation can be released. Althoug h most of the surveyed works are in the languag e-based setting, the classiﬁcation seem s to make sense in the state- based mod els as we ll. Our policy d esign suppo rts the who dimension, b y assigning a partition of a p articular user in a policy to con trol in formation ﬂo w to a user , and also the where an d when dime nsions, b y contr olling inform ation release o nly after a downgrad ing channel is fully establishe d (such as allowed by post-con ditional assertion s). In term s of ﬂexibility , as this fram ew ork doe s not assume a central- ized security p olicy , it is po ssible to expre ss in te grity for decentralized ﬂow control [28], by ass igning users privileged actions to switch on and o ff wr iting perm its to the ﬁles they own. Howev er as our po licy is action -based, it might not be conv enient to expr ess dec entralized conﬁden tiality policies. More recently , Cho ng a nd My ers [8] de ﬁne dec lassiﬁcation and erasure policies that specify conditions un der which informa tion m ay be downgraded , or mu st be erased . Instead of bind ing po licies o n infor mation, o ur pre-co nditional p oli- cies focu s on th e con trol over the sour ce and d estination o f informa tion ﬂow , by adding an d removing per mits from an action partitio n of a user v ia c ontrolling action s. Hadj-Alouan e et al. studied veriﬁcation o f intr ansitiv e noninter ference prop erty in ﬁnite state systems [2 0]. In order to verify the pr operty , they red uce a system into an automaton accepting the reversed langu age, wh ich poten- tially consume s space expon ential to the size of the system. Pinsky also propo sed an algo rithm to verify non interferen ce proper ties [29]. Howe ver that algorithm only works f or transitiv e p olicies, but fails when the un derlying in formation ﬂow re lation is intransitive. A new alg orithm fo r in transitive noninter ference is proposed by van der M eyden [37] which has a co mplexity bo und p olynom ial to th e size of a ma chine but exp onential to the number of users. V eriﬁcation on our un winding relation s for po st-condition al assertions can be d one in-place, th erefore it is also polyn omial time to the size of a system, b ut it co uld be expone ntial to the size of a p olicy (as sho wn in the subset constru ction o n the set o f p ost-conditio nal assertions wh en c onstructing unwindin g relatio ns). Nevertheless, o ur policies are strictly more gen eral than intran siti ve noninterferen ce policies, as shown in Sect. III-E. It will also b e interesting to investigate algorithm ic veriﬁcation metho ds on generating u nwinding relations in mo re general systems ( i.e., systems that are not necessarily ﬁnite state) , as it has b een shown that veriﬁcation of Mantel’ s BSPs [22] in push-down systems is u ndecidab le [ 13]. Th e me thodolo gies on red ucing in for- mation ﬂow pro perties to safety by self-composition ha ve been discu ssed in the litera ture [2], [35], [ 11], [ 40], f or a variety of system mo dels. V I . C O N C L U S I O N A N D F U T U R E W O R K This work introd uces a framework o f inf ormation ﬂow policies by n oninter ference assertions wh ich gener alizes existing work of both transitiv e and intr ansitiv e no ninter- ference. Altho ugh non interferen ce is in gene ral deﬁned as a static secu rity notio n, we applied o ur policy language to express a numb er of dyn amic security requ irements including upgrad ing, downgrading and chann el control. Our u nwinding theorems o n bo th p re-cond itional an d p ost- condition al assertions ar e novel, and they are mor e p recise and more gener al than the existing results in th e literature, to ou r kn owledge. There is a possible fu ture dire ction to extend ou r policy by allowing clock tick s to act as up grading or d owngrading channels. T his will make it p ossible to express time-b ased contr ol in r eal-time systems, which migh t be an interesting future work to explore bo th up gradin g an d downgrading in the when d imension of [3 4]. There are p lenty of extensions of no ninterfer ence in no n- deterministic and probab ilistic systems, and this will be an interesting fu ture work for conditio nal non interferen ce. Al so we believe th at it will b e of interest to ﬁnd r eal cases where our unwind ing theorems (or any su itable extensions) can b e applied to verify their correspo nding secu rity requiremen ts in more gener al sy stems. Furthermo re, it is also p ossible to enrich our policy by incorp orating state info rmation into the policy language in a concr ete system v eriﬁcation. Again, this will be of m ore interest in a sensible c ase study in the f uture. V I I . A C K N O W L E D G E M E N T The author thank s Peter Ryan for h is useful comm ents o n an earlier draft o f the p aper . R E F E R E N C E S [1] M. Backes and B. P ﬁtzmann. I ntransitiv e non-interference f or cryptographic purpose. In Proc . IEEE Symposium on Security and P rivacy , pages 140–152, 2003. [2] G. Barthe, P . R. D’Argenio, and T . Rezk. Secure information ﬂow by self-composition. In Proc . IE EE Computer Security F oundations W orkshop , pages 100–114, 2004. [3] D. E . Bell and L. J. LaPadula. Secure computer sys- tem: V ol.i—mathematical foundations, vol.ii—a mathemati- cal model, vol.iii—a reﬁnement of the mathematical model. T echnical Report MTR-2547 (three volum es), The MITR E Corporation, Bedford, MA 01730, March-December 1973. [4] D. E. Bell and L. J. LaPadula. Secure computer system: Uniﬁed exposition and multics interpretation. T echnical Report MTR-2997 R e v . 1, The MITRE Corporation, Bedford, MA 01730, March 1976. [5] W . R. Bevier and W . D. Y oung. A state-based approac h to noninterference. In Pr oc. IEEE Computer Security F ounda- tions W orkshop , pages 11–21, 1994. [6] A. Bossi, C. Piazza, and S. Rossi. Modelling downg rading in information ﬂow security . In Pr oc. IEEE Computer Security F oundations W orkshop , pages 187–201, July 2004. [7] D. F . C. Br e wer and M. J. Nash. The chinese wall security policy . In P r oc. IEE E Symposium on Security and Privacy , pages 206–214, 1989. [8] S . Chong an d A. C. Myers. End-to-end enforcement of erasure and d eclassiﬁcation. In Pr oc. IEEE Comp uter Security F oundations Symposium , pages 98–111, 2008. [9] D. Clark and D. W ilson. A comparison of commercial and military comp uter security policies. In Pr oc. IEEE Sympo sium on Security and Privacy , 1987. [10] J. Crow , S. Owre, J. Rushby , N. Shankar , and M. Sriv as. A t utorial introduction to PVS. In W orkshop on Industrial- Str ength F ormal Speciﬁcation T echniqu es , April 1995. [11] A. Darv as, R. H ¨ ahnle, and D. Sands. A t heorem pro ving approach to analysis of secure information ﬂo w . In Pr oc. 2nd International Confer ence on Security in P ervasive Computing, LNCS 3450 , pages 193–20 9, 2005. [12] D. E. Denning. A lattice model of secure information ﬂow . In Communications of the ACM , volume 19, pages 236–243, Ne w Y ork, NY , USA , 1976. ACM Press. [13] D. D’S ouza, R. Holla, J. Kulkarni, R. K. Ramesh, and B. Sprick. On the decidability of model-checking informa- tion ﬂow properties. In Pr oc. International Confer ence on Information Systems Security , pages 26–40, 2008. [14] R. Focardi and R. Gorrieri. A classiﬁcation of security properties for process algebras. I n Journa l of Computer Security , 1, pages 5–33. IOS Press, 1995. [15] R. Focardi, R. Gorrieri, and F . Martinelli. Classiﬁcation of security properties (part ii: Network security). In FOSAD 2004, L NCS 2946 , pages 139–185, 2004. [16] R. Focardi and S. Rossi. Information ﬂo w security in dynamic contex ts. In Pr oc. IEE E Computer Secu rity F oundations W orkshop , pages 307–319, 2002. [17] J. A. Goguen and J. Mesegue r . Security policies and security models. In Pr oc. IEEE Symposium on Security and Privacy , pages 11–20, 1982. [18] J. A. Gogue n and J. Meseguer . Unwinding and inference control. I n Pr oc. IEEE Symposium on Security and Privacy , page 75, 1984. [19] D. Gr e ve, M. W ilding, and W . M. va n Fleet. A separation kernel formal security policy . In ACL2 W orkshop , 2003. http://www.cs .utexas.edu/u sers/moore/acl2/ workshop-2003 . [20] N. B. Hadj-Alouane, S. Lafrance, F . Lin, J. Mullins, and M. Y eddes. On the v eriﬁcation of intransitiv e noninterference in mulitle vel security . In IEEE T ransactions on Systems, Man and C ybernetics , volume 35, pages 948–958. Oct. 2005. [21] J. T . Haigh and W . D. Y oung. Extending the noninterference version of MLS for SA T. IEEE T ransaction s on Softwar e Engineering , 13(2):141–150, 1987. [22] H. Mantel. P ossiblistic deﬁnitions of security – an assembly kit. In Pr oc. IEE E Computer Security F oundation s W orksho p , pages 185–199, 2000. [23] H. Mantel. Unwinding security properties. In Pr oc. Eur opean Symposium on Resear ch in Computer Security , LNCS 1895 , pages 238–254, 2000. [24] H. Mantel and A. Reinhard. Co ntrolling the what and where of declassiﬁcation in languag e-based security . In P r oc. Eur opean Symposium on Pro gra mming (ESOP) , vo lume 4421 of L NCS , pages 141–156 . Springer , 2007. [25] H. Mantel and D. Sands. Controlled declassiﬁcation based on intransiti ve noninterferen ce. In Pr oc. Asian Symposiu m on Pr ogr amming Langua ges and Systems (A PLAS 2004) , pages 129–14 5, 2004. [26] W . Martin, P . White, F . T aylor , and A. Goldberg. Formal construction of the mathematically analyzed separation ker- nel. In Pr oc. 15th IEE E Int. Conf. on Automated Softwar e Engineering (ASE’00) , 2000. [27] R. Milner . Communication and Concurr ency . Prentice-Hall, 1989. [28] A. Myers and B. Liskov . A decentralized model for infor- mation ﬂ o w control. I n P r oc. ACM Sympos ium on Operating System Principles , pages 129–142 , 1997. [29] S. Pinsky . Absorbing cov ers and intransiti ve non-interference. In Proc . IEEE Symposium on Security and Privacy , pages 102–11 3, 1995. [30] A. W . Roscoe. CSP and determinism in security modelling. In Proc . IEEE Symposium on Security and Privacy , pages 114–22 1, 1995. [31] A. W . Roscoe and M. H. Goldsmith. What i s intransitive non- interference ? In Pr oc. IEEE Computer Security F oundations W orkshop , pages 228–238, 1999. [32] J. Rushby . Non interference, transitivity , and channel-control security policies. T echnical report, SRI international, Dec 1992. [33] A. Sabelfeld and A. Myers. L anguage-ba sed information-ﬂo w security . In IEEE Jou rnal on Selected Area s in Communica- tions , volume 21, pages 1–15. 2003. [34] A. Sabelfeld and D. Sands. Dimensions and principles of de- classiﬁcation. In Pr oc. I EEE Computer Security F oundations W orkshop , pages 255–269, 2005. [35] T . T erauchi and A. Aiken. Secure i nformation ﬂow as a safety problem . In Pr oc. the 12th International Static Analysis Symposium , pages 352–367, 2005. [36] R. van der Meyden. A comparison of semantic models for intransitiv e noninterference, 2007. unpublishe d manuscript. [37] R. van der Meyden. The complexity of notions of intransitive noninterference, 2007. unpublished manuscript. [38] R. v an der Meyden. What, indeed, i s intransitiv e noninterfer- ence? ( extend ed abstract). In Pro c. Eur opean Symposium on Resear ch in Computer Security (LNCS 4734) , pages 235–250. Springer , 2007. [39] R. v an der Meyden and C. Zhang. A comparison of semantic models for noninterference. In 4th Internationa l W orkshop on F ormal Aspect in Security and T rust (LN CS 4691) , pages 235–24 9, 2006. [40] R. v an der Meyden and C. Zhang. Algorithmic veriﬁcation on noninterference properties. I n E NTCS , volume 168, pages 61–75. Elsevier , 2007. [41] R. J. van Glabbeek. The linear time – branching time spectrum. In Handbo ok of Pr ocess Al gebr a, Chapter 1 , pages 3–99. E lsev ier , 2001. [42] D. von Oheimb. Information ﬂow control revisited: Nonin- ﬂuence = Noninterference + Nonleakage. In Proc . E ur opean Symposium on Resear ch in Computer Security (LNCS 3193) , pages 225–243, 2004. A P P E N D I X This app endix contains the proofs of some r esults pre - sented in th e article. Pr o of: (of Prop. 2) W e prove by ind uction on the length of an a ction seq uence. Base case: ip ur ge ( ǫ, u ) = p ur g e Π( ) ( ǫ, u ) = ǫ . Suppose ipur ge ( α, u ) = p u rg e Π( ) ( α, u ) f or som e α ∈ A ∗ , we show the case for a · α with a ∈ A . If α conta ins an in terferenc e ch ain from dom ( a ) to u , then ipur ge ( a · α, u ) = a · ipur ge ( α, u ) . Also p ur g e Π( ) ( a · α, u ) = a · p ur g e Π( ) ( α, u ) , sinc e the pu rging of the actions in α does not d epend o n a , and Π( ) contains a conde nsed interf erence cha in from dom ( a ) to u by def- inition. If α does not contain an interferen ce chain fro m dom ( a ) to u , then ipur ge ( a · α, u ) = ipur ge ( α, u ) an d p ur g e Π( ) ( a · α, u ) = p ur g e Π( ) ( α, u ) . In both cases we have ipur ge ( a · α, u ) = p ur g e Π( ) ( a · α, u ) . Pr o of: (of Lem. 2) The ‘if ’ directio n is trivial, sinc e ipur ge ( α, v ) is contained in α . For the ‘ only if ’ directio n, suppose α ′ = a 1 a 2 . . . a n is an interf erence ch ain fr om u to v in α , it can be shown by induction on every sufﬁx of α ′ that all actions in α ′ will stay in the sequen ce ipur ge ( α, v ) . Pr o of: (o f Lem . 3) By in duction o n len gth o f α . Base case is trivial. Suppose ipur ge ( ipur ge ( α, u ) , u ) = ipur ge ( α, u ) , we show the case for a · α . • If α contains an in terference chain fro m dom ( a ) to u , th en ipur ge ( α, u ) also contains an inter- ference chain f rom dom ( a ) to u b y Lem. 2. Therefo re we have ipur ge ( ipur ge ( a · α, u ) , u ) = ipur ge ( a · ipur ge ( α, u ) , u ) = a · ipur ge ( ipur ge ( α, u ) , u ) and ipur ge ( a · α, u ) = a · ipur ge ( α, u ) . Since ipur ge ( α, u ) = ipur ge ( ipur ge ( α, u ) , u ) , we get ipur ge ( a · α, u ) = ipur ge ( ipur ge ( a · α, u ) , u ) by in- duction hyp othesis. • If α d oes not con tain an interferen ce chain fr om dom ( a ) to u , then ipur ge ( α, u ) also does not c on- tain an interfer ence chain from dom ( a ) to u by Lem. 2. Ther efore ipur ge ( ipur ge ( a · α, u ) , u ) = ipur ge ( ipur ge ( α, u ) , u ) and ipur ge ( a · α, u ) = ipur ge ( α, u ) . Th en we h av e ipur ge ( a · α, u ) = ipur ge ( ipur ge ( a · α, u ) , u ) by indu ction h ypothe sis. Pr o of: ( of Thm . 2) W e show that if there exist relatio ns {∼ u } u ∈ U satisfying OC, SC, LR and LR ≤ , then fo r all u ∈ U , α ∈ A ∗ , s 0 • α ∼ u s 0 • p ur g e Π ( α, u ) , then by OC we will have s 0 • α u ∼ s 0 • p ur g e Π ( α, u ) . we prove this by induction on the length of the actio n sequ ences. For α = ǫ , p ur g e Π ( α ) = α = ǫ , we have s 0 ∼ u s 0 by th e fact th at ∼ u is reﬂexive. Suppo se fo r some α ∈ A ∗ we have s 0 • α ∼ u s 0 • p ur g e Π ( α, u ) , we sh ow the ca se for α · a . • If p ur g e Π ( α · a, u ) = p u rg e Π ( α, u ) , we have the following tw o cases: (1 ) h p art ( a ) 6 u i ∈ Π , (2 ) h p art ( a ) 6 u [ [ φ pre ] ] i ∈ Π and α ∈ L ( φ ) . In both cases we have s 0 • α ∼ u s 0 • ( α · a ) by LR (or LR ≤ ). W ith the indu ction hyp othesis s 0 • α ∼ u s 0 • p ur g e Π ( α · a, u ) , by tran siti vity of ∼ u , we have s 0 • ( α · a ) ∼ u s 0 • p ur g e Π ( α · a, u ) . • Other wise, we have p ur g e Π ( α · a, u ) = p ur g e Π ( α, u ) · a . Then by the induction h ypothe sis and SC, we hav e s 0 • ( α · a ) ∼ u s 0 • ( p ur g e Π ( α, u ) · a ) , th erefore s 0 • ( α · a ) ∼ u s 0 • p ur g e Π ( α · a, u ) . Pr o of: (of T hm. 3) Supp ose M is secure, we show that the relatio ns {∼ u } u ∈ U deﬁned by s ∼ u t if for all α ∈ A ∗ , s • α u ∼ t • α satisfy OC, SC, LR and LR ≤ . • For OC, let α = ǫ , then we h av e s ∼ u t implies s u ∼ t . • For SC, let s ∼ u t and a ∈ A , if s te p ( s, a ) 6∼ u s tep ( t, a ) , then there exists α ∈ A ∗ such that s tep ( s, a ) • α 6 u ∼ s tep ( t, a ) • α , th en s • ( a · α ) 6 u ∼ t • ( a · α ) which contradicts s ∼ u t . Therefore s te p ( s, a ) ∼ u s tep ( t, a ) . • For LR ≤ , let h P 6 u [ [ φ pre ] ] i ∈ Π . If there exists a ∈ P and s ∈ S such that s 0 • α , α ∈ L ( φ ) and s 6∼ u s tep ( s, a ) , then there exists α ′ ∈ A ∗ such that s 0 • α • α ′ 6 u ∼ s tep ( s 0 • α, a ) • α ′ , which is equiv alent to that s 0 • ( α · α ′ ) 6 u ∼ s 0 • ( α · a · α ′ ) . Howe ver , since policy Π is lef t-consistent, we ha ve p ur g e Π ( α · α ′ , u ) = p ur g e Π ( p urg e Π ( α, u ) · α ′ , u ) , an d p ur g e Π ( α · a · α ′ , u ) = p ur g e Π ( p urg e Π ( α · a, u ) · α ′ , u ) . Then p ur g e Π ( α · α ′ , u ) = p ur g e Π ( α · a · α ′ , u ) by p ur g e Π ( α, u ) = p ur g e Π ( α · a, u ) , i.e., α · α ′ and α · a · α ′ have th e same purged result with respect to u . Therefore we have eith er s 0 • ( α · α ′ ) 6 u ∼ s 0 • p ur g e Π ( α · α ′ , u ) , or s 0 • ( α · a · α ′ ) 6 u ∼ s 0 • p ur g e Π ( α · a · α ′ , u ) , co ntradicting the assumption th at M is secu re. • The c ase of LR is similar to LR ≤ . Pr o of: ( of Lem. 6 ) W e prove by ind uction on length o f α . Base case: α = ǫ , then p ur g e Π ( ǫ, u ) = ǫ , we have s δ ∼ u t implies s u ∼ t b y OC fo r every δ ∩ { ǫ } = ∅ . Supp ose this holds for an action sequ ence α on all states s, t , δ ⊆ ∆ Π u with δ ∩{ ǫ } = ∅ , such that s δ ∼ u t with α ∈ A ∗ \ S λ ∈ δ [ λ ] , we show the case f or a · α . Let s δ ∼ u t with a · α ∈ A ∗ \ S λ ∈ δ [ λ ] and δ ∩ { ǫ } = ∅ . • If p ur g e Π ( a · α, u ) = a · p u rg e Π ( α, u ) , th en we have s tep ( s, a ) sc ( δ,a ) ∼ u s tep ( t, a ) . First we show that ǫ 6∈ sc ( δ, a ) . Because if ǫ ∈ sc ( δ, a ) , the n by Lem. 4, either (1) ǫ ∈ δ , or (2) there is C or ♦ C in δ such tha t a ∈ [ C ] or a ∈ [ ♦ C ] , which imp lies a · α ∈ [ C ] or a · α ∈ [ ♦ C ] . Case (1) c ontradicts the assumption that δ ∩ { ǫ } = ∅ , and case (2) con tradicts the assumption that a · α ∈ A ∗ \ S λ ∈ δ [ λ ] . Next we sh ow fo r all λ ∈ sc ( δ, a ) , α 6∈ [ λ ] . Because if there were λ ∈ sc ( δ, a ) such tha t α ∈ [ λ ] , by Lem. 4, we would h av e the following cases: (1) if λ ∈ δ with a 6∈ I ( λ ) , then a · α ∈ [ λ ] ; (2) if C λ ∈ δ or ♦ C λ ∈ δ with a ∈ C , then a · α ∈ [ C λ ] or a · α ∈ [ ♦ C λ ] . Both cases contradict the assumption that a · α ∈ A ∗ \ S λ ∈ δ [ λ ] . T herefor e for all λ ∈ sc ( δ, a ) , α 6∈ [ λ ] , i.e., α ∈ A ∗ \ S λ ∈ sc ( δ,a ) [ λ ] . Th en b y in duction hyp othesis, we have s tep ( s, a ) • α u ∼ s tep ( t, a ) • p ur g e Π ( α, u ) . Therefo re s • ( a · α ) u ∼ t • p u rg e Π ( a · α, u ) . • If p ur g e Π ( a · α, u ) = p u rg e Π ( α, u ) , we have the following two cases. – If h part ( a ) 6 u i ∈ Π , then by LR, we ha ve s ∅ ∼ s tep ( s, a ) , then s tep ( s, a ) δ ∼ t by Lem. 5. By induction hy pothesis, we h av e s tep ( s, a ) • α δ ∼ t • p u rg e Π ( α, u ) , then we have s • ( a · α ) u ∼ t • p ur g e Π ( a · α, u ) . – If h par t ( a ) 6 u [ [[ λ 1 ∪ λ 2 ∪ · · · ∪ λ n ] post → ] ] i ∈ Π and α 6∈ [ λ i ] f or all i ∈ [1 . . . n ] . By LR ≥ , we have s tep ( s, a ) { λ 1 ,λ 2 ,...λ n } ∼ u s . The n we have s tep ( s, a ) δ ∪ { λ 1 ,λ 2 ,...λ n } ∼ t b y Lem. 5. Since α 6∈ λ ′ for all λ ′ ∈ δ , and α 6∈ [ λ i ] for all i by assump tion, we have α ∈ A ∗ \ S λ ′ ∈ δ ∪{ λ 1 ,λ 2 ,...λ n } [ λ ′ ] . Then by inductio n hypothesis, we get s tep ( s, a ) • α u ∼ t • ( p ur g e Π ( α, u )) , th erefore s • ( a · α ) u ∼ t • p ur g e Π ( a · α, u ) . Pr o of: (of Lem . 7) • For O C, let δ ⊆ ∆ Π u be a set that doe s n ot co ntain ǫ and s δ ≈ u t . Since ǫ 6∈ [ λ ] for all λ ∈ ∆ Π u \ { ǫ } , we have s • ǫ u ∼ t • ǫ . Therefo re s u ∼ t . • For SUB, let s δ ≈ u t an d δ ⊆ δ ′ ⊆ ∆ Π u , we need to sho w s δ ′ ≈ t . Since δ ⊆ δ ′ , we have S λ ∈ δ [ λ ] ⊆ S λ ∈ δ ′ [ λ ] , so A ∗ \ S λ ∈ δ ′ [ λ ] ⊆ A ∗ \ S λ ∈ δ [ λ ] . By s δ ≈ u t , we h av e s • α u ∼ t • α fo r all α ∈ A ∗ \ S λ ∈ δ [ λ ] , so s • α u ∼ t • α for all α ∈ A ∗ \ S λ ∈ δ ′ [ λ ] . Then we hav e s δ ′ ≈ t by deﬁnition. • For SC + , let s δ ≈ u t and a ∈ A , we study the following cases o n the relation s which may relate s tep ( s, a ) and s tep ( t, a ) . – If ǫ ∈ δ , th en b y de ﬁnition { ǫ } ≈ u = S × S , theref ore s tep ( s, a ) { ǫ } ≈ u s tep ( t, a ) . – If P λ ∈ δ and a ∈ P , then f or a ll α ∈ A ∗ \ [ λ ] , s tep ( s, a ) • α u ∼ s tep ( t, a ) • α , becau se if not, then we would h av e s • ( a · α ) 6 u ∼ t • ( a · α ) such that a · α 6∈ [ P λ ] . T herefor e s tep ( s, a ) { λ } ≈ u s tep ( t, a ) . – If P λ ∈ δ a nd a 6∈ P , then we have s tep ( s, a ) • α u ∼ s tep ( t, a ) • α for all α ∈ A ∗ , because if no t, then we would have s • ( a · α ) 6 u ∼ t • ( a · α ) such that a · α 6∈ [ P λ ] . T herefor e s tep ( s, a ) ∅ ≈ u s tep ( t, a ) . – If ♦ P λ ∈ δ and a ∈ P , then we h av e s tep ( s, a ) • α u ∼ s tep ( t, a ) • α for a ll α ∈ A ∗ \ [ λ ] , which is similar to the case of P λ ∈ δ . Theref ore s tep ( s, a ) { λ } ≈ u s tep ( t, a ) . – If ♦ P λ ∈ δ and a 6∈ P , then we h av e s tep ( s, a ) • α u ∼ s tep ( t, a ) • α f or all α ∈ A ∗ \ [ ♦ P λ ] , because if not, then we would have s • ( a · α ) 6 u ∼ t • ( a · α ) with a · α 6∈ [ ♦ P λ ] . Theref ore s tep ( s, a ) { ♦ P λ } ≈ u s tep ( t, a ) . The above cases give u s c ut ( λ, a ) f or e very membe r λ ∈ δ . By SUB we take th e union of all the single- ton and empty sets to get ( s tep ( s, a ) , s tep ( t, a )) ∈ S λ ∈ δ cut ( λ, a ) . Therefore s tep ( s, a ) sc ( δ,a ) ∼ s tep ( t, a ) by deﬁnition . Pr o of: (of Thm. 5) Sup pose M is secu re with respect to Π , then for each u ∈ U the relation { δ ≈ u } δ ⊆ ∆ Π u satisfy OC, SC + and SUB by Lem. 7. Then we on ly need to show they a lso satisfy LR and LR ≥ in the fo llowing cases. • Sup pose the relation s d o no t satisfy LR for som e u ∈ U , then there exists a r eachable state s an d a n assertio n h p art ( a ) 6 u i ∈ Π such that s tep ( s, a ) 6 ∅ ≈ u s . There- fore there exists so me α ∈ A ∗ such that s tep ( s, a ) 6 u ∼ s . Since s is rea chable we have s = s 0 • α ′ for some α ′ ∈ A ∗ . Then we have s 0 • ( α ′ · a · α ) 6 u ∼ s 0 • ( α ′ · α ) . However p ur g e Π ( α ′ · a · α, u ) = p urg e Π ( α ′ · p u rg e Π ( a · α, u ) , u ) , and p ur g e Π ( α ′ · α, u ) = p ur g e Π ( α ′ · p ur g e Π ( α, u ) , u ) by right-consistency of Π . Since p ur g e Π ( a · α, u ) = p ur g e Π ( α, u ) by h p art ( a ) 6 u i ∈ Π , we h av e p ur g e Π ( α ′ · a · α, u ) = p urg e Π ( α ′ · α, u ) . By the assumption that M is secu re, we have s 0 • ( α ′ · a · α ) u ∼ s 0 • p ur g e Π ( α ′ · a · α, u ) and s 0 • ( α ′ · α, u ) u ∼ s 0 • ( α ′ · α ) . Then we have s 0 • ( α ′ · a · α ) u ∼ s 0 • ( α ′ · α ) , which is co ntradiction . T herefor e we have th e relations { δ ≈ u } δ ⊆ ∆ Π u satisfying LR fo r all u ∈ U . • Sup pose th e relations d o n ot satisfy LR ≥ , then there exists a reachable state s and an assertion h p art ( a ) 6 u [ [[ λ ] post → ] ] i such tha t s tep ( s, a ) 6 { λ } ≈ u s . So th ere exists α ∈ A ∗ \ [ λ ] , such that s • ( a · α ) 6 u ∼ s • α . Since s is reachable, there exists α ′ ∈ A ∗ such that s 0 • α ′ = s . Therefo re we h av e s 0 • ( α ′ · a · α ) 6 u ∼ s 0 • ( α ′ · α ) . Also since α ∈ A ∗ \ [ λ ] , b y deﬁnition p u rg e Π ( a · α, u ) = p ur g e Π ( α, u ) . Then we hav e p ur g e Π ( α ′ · a · α, u ) = p ur g e ( α ′ · α, u ) . The rest o f the pro of is similar to the above case.

Unwinding Conditional Noninterference

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment