A model for secure information flow

Abstract

A model that characterizes systems that restrict information flow is proposed. The model, called the confinement model, provides greater flexibility in the binding of entities to their security classes than the current static case. A consequence of the nature of security class binding in the confinement model is its ability to enforce nontransitive information-flow policies. A framework of information-flow policies is defined which forms a distributive lattice under operations for policy ordering and combination. It is shown that a state-based MAC (mandatory access) version of the confinement model is the same as a traditional Bell and LaPadula MAC model, except that the confinement model includes a special rule on dynamic class change.<>