Noninterference with Local Policies
Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We develop a theory for state-based noninterference in a setting where different security policies—we call them local policies—apply in different parts of a given system. Our theory comprises appropriate security definitions, characterizations of these definitions, for instance in terms of unwindings, algorithms for analyzing the security of systems with local policies, and corresponding complexity results.


💡 Research Summary

The paper extends the classical state‑based noninterference framework to accommodate multiple, possibly overlapping security policies that apply locally to different parts of a system. After formalising a transition system as a finite set of states together with labelled actions, the authors introduce a “local policy” function that maps each region of the system to a set of allowed information flows. A new security predicate, local noninterference, requires that for any observer and any two states indistinguishable under the public view, the observer cannot distinguish the behaviours permitted by the policy of the region in which the actions occur.

To make this definition amenable to verification, the authors develop an unwinding characterization consisting of three conditions: (1) Regional Consistency – states belonging to the same policy region must be related in a way that respects that policy; (2) Policy Transition Preservation – every transition that is taken must be allowed by the policy of its region; and (3) Observability – the observer’s view is limited to outputs sanctioned by the local policy. They prove that a system satisfies local noninterference if and only if there exists a relation satisfying all three unwinding conditions.
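To make the unwinding idea concrete, here is an added example, not code from the paper or its authors, that checks a small transition system against local policies. It assumes a simplified model: a deterministic finite system whose states are partitioned into regions, each region carrying its own set of allowed flows between security domains. It uses the classical Rushby unwinding conditions (local respect, step consistency, output consistency), with local respect consulting the policy of the region in which an action is taken; the condition names and the paper's exact characterization are not reproduced here. The check builds, per observer domain, the least equivalence relation forced by local respect and step consistency, then tests output consistency on it; if that least relation is not output consistent, no larger unwinding relation can be either.

```python
"""Unwinding-based noninterference check with local (per-region) policies.

Added example with a constructed toy system; the model and the
`LocalPolicySystem` / `check_noninterference` names are assumptions made
for this demonstration, not definitions taken from the paper.
"""

from collections import defaultdict


class LocalPolicySystem:
    def __init__(self, states, actions, dom, step, obs, region, policy):
        self.states = list(states)      # finite set of states
        self.actions = list(actions)    # finite set of action names
        self.dom = dom                  # action -> security domain
        self.step = step                # (state, action) -> state (total function)
        self.obs = obs                  # (state, domain) -> what that domain observes
        self.region = region            # state -> region name
        self.policy = policy            # region -> set of allowed flows (u, v)

    def allowed(self, state, u, v):
        """Does the policy in force at `state` allow domain u to affect domain v?"""
        return (u, v) in self.policy[self.region[state]]


class UnionFind:
    """Equivalence classes over states, with path halving on find."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True


def unwinding_relation(sys, u):
    """Least equivalence on states satisfying local respect (w.r.t. the
    policy of the region where the action is taken) and step consistency,
    for observer domain u."""
    uf = UnionFind(sys.states)
    pending = []
    # Local respect: an action whose domain may not flow to u under the
    # local policy must leave u's view unchanged, i.e. s ~ step(s, a).
    for s in sys.states:
        for a in sys.actions:
            if not sys.allowed(s, sys.dom[a], u):
                pending.append((s, sys.step[(s, a)]))
    # Step consistency: whenever s ~ t, also step(s, a) ~ step(t, a).
    while pending:
        s, t = pending.pop()
        if uf.union(s, t):
            for a in sys.actions:
                pending.append((sys.step[(s, a)], sys.step[(t, a)]))
    return uf


def check_noninterference(sys, domains):
    """Return (True, None) if every domain's forced relation is output
    consistent; otherwise (False, (u, s, t)) naming two states that the
    unwinding conditions relate but that observer u can tell apart."""
    for u in domains:
        uf = unwinding_relation(sys, u)
        classes = defaultdict(list)
        for s in sys.states:
            classes[uf.find(s)].append(s)
        for members in classes.values():
            first = members[0]
            for t in members[1:]:
                if sys.obs[(first, u)] != sys.obs[(t, u)]:
                    return False, (u, first, t)
    return True, None


# Constructed toy system: a high action 'h' flips a low-visible bit.
DOMAINS = ["L", "H"]
ACTIONS = {"h": "H", "l": "L"}                      # action -> domain
STATES = ["q0", "q1"]
STEP = {("q0", "h"): "q1", ("q1", "h"): "q1",
        ("q0", "l"): "q0", ("q1", "l"): "q1"}
OBS = {("q0", "L"): "0", ("q1", "L"): "1",          # L sees the bit
       ("q0", "H"): "q0", ("q1", "H"): "q1"}        # H sees the full state
STRICT = {("L", "L"), ("H", "H"), ("L", "H")}       # H may not flow to L
DECLASSIFY = STRICT | {("H", "L")}                  # H -> L permitted here


def example(region_of_q0):
    """Same system, differing only in which policy governs q0, where 'h'
    changes the low observation."""
    region = {"q0": region_of_q0, "q1": "strict"}
    policy = {"strict": STRICT, "declassify": DECLASSIFY}
    sys = LocalPolicySystem(STATES, ACTIONS, ACTIONS, STEP, OBS, region, policy)
    return check_noninterference(sys, DOMAINS)


if __name__ == "__main__":
    print(example("strict"))       # violation: L can tell q0 from q1
    print(example("declassify"))   # secure: the flow is allowed where it occurs
```

The two calls show the point of local policies: the same transition and the same observations are a violation when the region where the high action is taken forbids H-to-L flow, and are permitted when that region's policy allows it, while the rest of the system stays under the strict policy.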

The verification methodology proceeds in two phases. The first phase performs a per‑region analysis, extracting the sub‑graph of states and transitions belonging to each region and applying existing noninterference checking techniques (e.g., flow analysis, language inclusion). The decision problem for this phase is PSPACE‑complete, matching the known complexity of global noninterference checking, but it benefits from the reduced state space of each region. The second phase examines interactions across region boundaries. The authors construct a “policy‑conflict graph” that records where a transition in one region may affect the policy of another. Detecting a conflict triggers a policy‑adjustment step such as composition or priority resolution. The global verification problem is shown to be NP‑hard, yet practical instances can be solved efficiently using SAT encodings and heuristic search.

Complexity results are complemented by special‑case analyses: when policies are hierarchical and transitions never cross region boundaries, the verification problem drops to polynomial time. The paper also presents case studies in cloud multi‑tenancy, mobile‑app permission models, and IoT gateways, demonstrating how local policies expose subtle information‑flow violations that a monolithic policy would miss and how the unwinding‑based algorithm can automatically locate and resolve them.

In summary, the authors provide a rigorous theoretical foundation for noninterference under local policies, an unwinding‑based characterization that enables compositional reasoning, and concrete algorithms with provable complexity bounds. Their work broadens the applicability of noninterference analysis to modern, heterogeneous systems where security requirements vary across components, offering both deeper insight and practical tools for system designers and auditors.

