NAS - TR - 0042 - 2006 Understanding Equivalance in High - Level and Information Flow Policy

Information flow policies (labels and lattices) are not stated in terms that administrators and developers articulate security goals (natural language). This raises an important question central to the proposed investigation, “how do you translate higher level policies into information flow implementation?” Our approach is to develop models and algorithms that enable this translation. Consider the following simple access control policy: Any principal of the group ifPlayers can read a sensitive account balance from a local file owned by them. We assert that principal Alice is authenticated by password and is a member of the group ifPlayers. One possible implementation of this policy using information flow would proceed using delegation; that is, ifPlayers delegates to Alice (and the other members) through the principal hierarchy. To enforce the access rights, the program implements an openLocalFile function whose input is labeled (can only be called with data of equal or higher sensitivity than) ifPlayers and returns a file object labeled with the calling principal. The high-level policy is implemented by the information flow enforcement. The principal hierarchy ensures the group rights are enforced; no one other than the group members can call the function that reads the local file because they cannot produce input data of the correct label. The returned balance object is labeled with the sensitivity of the calling principal. Jif guarantees that no principal other than the caller (and the principals it delegates to) can access the object, and thus nobody can else read it (even other members of the group). The compilation of the code is a formal witness to this isolation. Such information flow policy enforcement is not a panacea; it cannot combat poor operational practices, bad cryptography, or bad policy. However, as in this case, it can prove that the code written to implement that policy does implement that policy. What remains is discovering how to formalize and automate the mapping from high-level policies to low-level policy implementations.