IEEE Transactions on Automatic Control, Vol.54, No.8, 1961-1966, 2009
Modifying Security Policies for the Satisfaction of Intransitive Non-Interference
The property of intransitive non-interference (INI) is widely used in the formal verification of security in computer systems and protocols. In our previous work, we derived conditions and algorithms for checking INI. If INI is not satisfied, then the behavior of the system must be modified in order to ensure its security. How to best modify a system's behavior is the subject of the current technical note. Two strategies are proposed: The first consists of enlarging the system's behavior (thus giving it more possibilities), and the second consists of reducing it (thus restricting the system's behavior). In both cases, however, we would like to modify the behavior as little as possible. For the first strategy that enlarges the behavior, we show that the solution is unique, that is, there is one smallest language that satisfies INI and contains the original language (called super-language). For the second strategy that reduces the behavior, the solution is not unique, that is, there may exist more than one maximal language that satisfies INI and is contained in the original language (called sub-language). We derive formulas and algorithms to perform these two types of modifications. We also illustrate our results by an example.
Keywords:Formal verification;infimal super-language;intransitive non-interference;maximal sub-language;observability;security policies