A Complete Generative Label Model for Lattice-Based Access Control Models

  • N. V. Narendra Kumar
  • R. K. ShyamasundarEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10469)


Lattice-based access control models (LBAC) initiated by Bell-LaPadula (BLP)/Biba models, and consolidated by Denning have played a vital role in building secure systems via Information Flow Control (IFC). IFC systems typically label data and track labels, while allowing users to exercise appropriate access privileges. This is defined through a finite set of security classes over a lattice. Recently, IFC has also been playing a crucial role in formally establishing the security of operating systems/programs. Towards such a goal, researchers often use assertions to keep track of the flow of information from one subject/object to another object/subject. Specifying and realizing these assertions will be greatly benefitted, if the underlying labels of objects/subjects can be interpreted in terms of access permissions/rights of subjects/objects as well as subjects/objects that have influenced them; these would lead to automatic generation of proof obligations/assertions. Thus, if one can arrive at a label model for LBAC that satisfies properties like (i) intuitive and expressive labels, (ii) completeness w.r.t. Denning’s lattice model, and (iii) efficient computations on labels, then building/certifying secure systems using LBAC will be greatly benefitted.

In this paper, we arrive at such a semantic generative model (that tracks readers/writers of objects/subjects) for the Denning’s lattice model, and establish a strong correspondence between syntactic label policies and semantically labelled policies. Such a correspondence leads to the derivation of the recently proposed Readers-Writers Flow Model (RWFM). It may be noted that RWFM [11] also deals with declassification rules which is not discussed here as it is not relevant here. The relationship, further establishes that the RWFM  label model provides an application-independent concrete generative label model that is sound and complete wrt Denning’s Model. We define the semantics of information flow in this label model, and argue that reading and writing induce possibly different pre-orders on the set of subjects. Hence, the subject relations become explicit, making it possible to derive relations from the labels. We further define a notion of information dominance on subjects and show that the notion of principal hierarchy can be naturally defined that is consistent with the IFC model; this perhaps overcomes the adverse impact on the flow policy that is often experienced during the classical approach of defining the hierarchy orthogonally. This enables us to realize Role-Based Access Control (RBAC) structurally and enforce information flow security. Further, we demonstrate how the underlying label model succinctly subsumes various lattice-based control models like BLP, Biba, RBAC, Chinese wall model, etc.


MAC DAC LBAC RBAC Chinese wall 



The work was done as part of Information Security Research and Development Centre (ISRDC) at IIT Bombay, funded by MEITY, Government of India.


  1. 1.
    Bell, D., La Padula, L.: Secure computer systems: Unified exposition and multics interpretation. In: Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, Mass (1975)Google Scholar
  2. 2.
    Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: IEEE SP 1996, pp. 164–173. IEEE Computer Society (1996)Google Scholar
  3. 3.
    Brewer, D., Nash, M.: The Chinese wall security policy. In: 1989 Proceedings of the IEEE Symposium on Security and Privacy, pp. 206–214, May 1989Google Scholar
  4. 4.
    Crampton, J.: On permissions, inheritance and role hierarchies. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS, pp. 85–92 (2003)Google Scholar
  5. 5.
    Denning, D.: A lattice model of secure informatiom flow. Commun. ACM 19(5), 236–243 (1976)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: RFC 2693: SPKI certificate theory. IETF RFC Publication, September 1999Google Scholar
  7. 7.
    Ferraiolo, D., Kuhn, R.: Role-based access controls. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)Google Scholar
  8. 8.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)CrossRefGoogle Scholar
  9. 9.
    Biba, K.: Integrity considerations for secure computer systems. In: Technical Report ESD-TR-76-372, MITRE, Bedford, Mass (1976)Google Scholar
  10. 10.
    Krishnan, P., Krishna, P.R., Parida, L. (eds.): Distributed Computing and Internet Technology. Lecture Notes in Computer Science, vol. 10109. Springer, Heidelberg (2017). doi: 10.1007/978-3-319-50472-8CrossRefGoogle Scholar
  11. 11.
    Kumar, N.V.N., Shyamasundar, R.K.: Realizing purpose-based privacy policies succinctly via information-flow labels. In: 2014 IEEE Fourth International Conference on Big Data and Cloud Computing, BDCloud 2014, Sydney, Australia, 3–5 December 2014, pp. 753–760. IEEE Computer Society (2014).
  12. 12.
    Kumar, N.V.N., Shyamasundar, R.K.: Analyzing protocol security through information-flow control. In: Krishnan et al. [10], pp. 159–171.
  13. 13.
    Kumar, N.V.N., Shyamasundar, R.K.: Dynamic labelling to enforce conformance of cross domain security/privacy policies. In: Krishnan et al. [10], pp. 183–195.
  14. 14.
    Kumar, N.V.N., Shyamasundar, R.: Decentralized information flow securing method and system for multilevel security and privacy domains, 29 November 2016., US Patent 9,507,929
  15. 15.
    Nyanchama, M., Osborn, S.L.: The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur. 2(1), 3–33 (1999)CrossRefGoogle Scholar
  16. 16.
    Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3(2), 85–106 (2000). Scholar
  17. 17.
    Sandhu, R.S.: Lattice-based enforcement of Chinese walls. Comput. Secur. 11(8), 753–763 (1992)CrossRefGoogle Scholar
  18. 18.
    Sandhu, R.S.: Lattice-based access control models. Computer 26(11), 9–19 (1993)CrossRefGoogle Scholar
  19. 19.
    Sandhu, R.S.: Role hierarchies and constraints for lattice-based access controls. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 65–79. Springer, Heidelberg (1996). doi: 10.1007/3-540-61770-1_28CrossRefGoogle Scholar
  20. 20.
    Tuval, N., Gudes, E.: Resolving information flow conflicts in RBAC systems. In: Damiani, E., Liu, P. (eds.) DBSec 2006. LNCS, vol. 4127, pp. 148–162. Springer, Heidelberg (2006). doi: 10.1007/11805588_11CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringIndian Institute of Technology BombayMumbaiIndia

Personalised recommendations