On Reductions from Multi-Domain Noninterference to the Two-Level Case

  • Oliver WoizekowskiEmail author
  • Ron van der Meyden
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


The literature on information flow security with respect to transitive policies has been concentrated largely on the case of policies with two security domains, High and Low, because of a presumption that more general policies can be reduced to this two-domain case. The details of the reduction have not been the subject of careful study, however. Many works in the literature use a reduction based on a quantification over “Low-down” partitionings of domains into those below and those not below a given domain in the information flow order. A few use “High-up” partitionings of domains into those above and those not above a given domain. Our paper argues that more general “cut” partitionings are also appropriate, and studies the relationships between the resulting multi-domain notions of security when the basic notion for the two-domain case to which we reduce is either Nondeducibility on Inputs or Generalized Noninterference. The Low-down reduction is shown to be weaker than the others, and while the High-up reduction is sometimes equivalent to the cut reduction, both it and the Low-down reduction may have an undesirable property of non-monotonicity with respect to a natural ordering on policies. These results suggest that the cut-based partitioning yields a more robust general approach for reduction to the two-domain case.


Noninterference Nondeterminism Information flow Covert channels Policies 


  1. 1.
    Haigh, J.T., Young, W.D.: Extending the noninterference version of MLS for SAT. IEEE Trans. Softw. Eng. 13(2), 141 (1987)CrossRefGoogle Scholar
  2. 2.
    Rushby, J.: Noninterference, transitivity, and channel-control security policies. Technical report, SRI international, December 1992Google Scholar
  3. 3.
    van der Meyden, R.: What, indeed, is intransitive noninterference? J. Comput. Secur. 23(2), 197–228 (2015). Extended version of a paper in ESORICS 2007.
  4. 4.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: 1982 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 26–28 April, pp. 11–20 (1982)Google Scholar
  5. 5.
    Sutherland, D.: A model of information. In: Proceedings of the 9th National Computer Security Conference, DTIC Document, pp. 175–183 (1986)Google Scholar
  6. 6.
    McCullough, D.: Foundations of Ulysses: The theory of security. Technical report, DTIC Document (1988)Google Scholar
  7. 7.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 79–93. IEEE (1994)Google Scholar
  8. 8.
    Mantel, H.: Possibilistic definitions of security - an assembly kit. In: Proceedings of the 13th IEEE Computer Security Foundations Workshopp, CSFW-13, pp. 185–199. IEEE (2000)Google Scholar
  9. 9.
    Focardi, R., Gorrieri, R.: Classification of security properties. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, p. 331. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Roscoe, A.W.: CSP and determinism in security modelling. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 114–221 (1995)Google Scholar
  11. 11.
    Ryan, P.Y.A.: Mathematical models of computer security. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 1–62. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Forster, R.: Non-interference properties for nondeterministic processes. Ph.D. thesis, Dissertation for transfer to D.Phil status, Oxford University Computing Laboratory (1997)Google Scholar
  13. 13.
    Mantel, H.: A uniform framework for the formal specification and verification of information flow security. Ph.D. thesis, Universität des Saarlandes (2003)Google Scholar
  14. 14.
    Millen, J.K.: Unwinding forward correctability. In: Proceedings of the IEEE Computer Security Foundations Workshop, pp. 2–10 (1994)Google Scholar
  15. 15.
    Roscoe, A.W., Woodcock, J., Wulf, L.: Non-interference through determinism. J. Comput. Secur. 4(1), 27–54 (1996)CrossRefGoogle Scholar
  16. 16.
    Sutherland, D.: A model of information. In: Proceedings of the National Computer Security Conference, pp. 175–183 (1986)Google Scholar
  17. 17.
    McCullough, D.: Noninterference and the composability of security properties. In: Proceedings of the 1988 IEEE Symposium on Security and Privacy, Oakland, California, USA, 18–21 April, pp. 177–186 (1988)Google Scholar
  18. 18.
    Eggert, S., van der Meyden, R.: Dynamic intransitive noninterference revisited. CoRR (2016) arXiv:1601.05187 [cs.CR]
  19. 19.
    Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Proceedings of the 1984 IEEE Symposium on Security and Privacy, Oakland, California, USA, 29 April–2 May, pp. 75–87 (1984)Google Scholar
  20. 20.
    van der Meyden, R., Zhang, C.: Algorithmic verification of noninterference properties. Electr. Notes Theor. Comput. Sci. 168, 61–75 (2007)CrossRefGoogle Scholar
  21. 21.
    Engelhardt, K., van der Meyden, R., Zhang, C.: Intransitive noninterference in nondeterministic systems. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 869–880. ACM (2012)Google Scholar
  22. 22.
    Woizekowski, O., van der Meyden, R.: On reductions from multi-domain noninterference to the two-level case. CoRR (2016). arXiv:1605.00474
  23. 23.
    Backes, M., Pfitzmann, B.: Intransitive non-interference for cryptographic purposes. In: IEEE Symposium on Security and Privacy, pp. 140–152 (2003)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceKiel UniversityKielGermany
  2. 2.School of Computer Science and EngineeringUNSW AustraliaSydneyAustralia

Personalised recommendations