Secure dependencies with dynamic level assignments

Abstract

Most security models explicitly (or implicitly) include the tranquillity principle which prohibits changing the security level of a given piece of information. Yet in practical systems, classification of objects may evolve due to declassification and subject current level may evolve according to subject requests. The authors previously proposed a modal logic definition of security whose counterpart is a constraint on the system traces that they called causality. In this paper, they give a generalization of causality which avoids the tranquillity principle. They give an interpretation of their model in the case of a multilevel security policy when the levels can be assigned dynamically. Then they provide efficient conditions to control the dynamic assignment of both the object classification and the subject current level. They propose a comparison of their approach with the nondeducibility generalization. Finally they give several examples of systems where security levels are dynamically assigned.<>