Abstract

Mobile operating systems such as Android face serious security risks. First, they have large user bases and store large amounts of users' private data, which makes them major targets of network attacks; second, their openness leads to high security risks; third, their coarse-grained static permission control mechanisms lead to a large number of privacy leaks. Recent decentralized information flow control (DIFC) operating systems such as Asbestos, HiStar, and Flume dynamically adjust the label of each process. Asbestos contains inherent covert channels due to its implicit label adjustment. The others close these covert channels through explicit label change, but this impedes communication and increases performance overhead. We present an enhanced implicit label change model (EILCM) for mobile operating systems that closes the known covert channels in models with implicit label change and supports dynamic constraints on tags for separation of duty. We formally analyze why EILCM can close the known covert channels and prove, using the model checker FDR, that abstract EILCM systems have the security property of noninterference with declassification. We also prove that the problem of EILCM policy verification is NP-complete and propose a backtrack-based search algorithm to solve it. Experiments show that the algorithm is effective.

1. Introduction

At present, mobile operating systems have large user bases and are key targets of network attacks, and their privacy problems are serious. In 2020, the China Internet Security Center intercepted 332,000 new malicious app samples related to privacy theft on mobile operating systems and monitored 1.12 billion malicious attacks, an average of 3.06 million attacks per day. The openness of mobile operating systems leads to high security risks: because they interact with the outside world through multiple channels, their vulnerabilities are easier to expose and exploit. The quality and security of apps in online app stores (such as Google Play) are uneven, and it is difficult to ensure that none contains Trojans or viruses implanted by hackers. Hackers can steal data by embedding spy programs into normal applications for illegitimate gain [1]. Mobile operating systems therefore face more severe privacy and security challenges than traditional PC operating systems [2–4]. Most mobile systems adopt discretionary access control (DAC) as the security model, but DAC policies cannot effectively express information flow control [5], which makes it difficult to prevent Trojans from stealing secret data. Mobile operating systems need to implement mandatory access control [6], whose essence is to prevent information in a secret domain from leaking out of that domain. However, for mobile operating systems with diversified and dynamic interaction with the outside world, static isolation and blocking cannot effectively balance availability and security [7].

Decentralized information flow control (DIFC) [8] addresses the weaknesses of earlier approaches to protecting secrecy and integrity in an operating system containing applications with potential exploits or third-party components [9], even in situations of mutual distrust [7]. DIFC allows processes to control the flow of their information without imposing the rigid constraints of a traditional multilevel security system [10], and it allows programs to craft their own MAC security schemes. Each user has the power to declassify his own data, but declassification does not leak other users' data; even if a process is compromised, it will not endanger the data security of others [11]. DIFC has been widely applied to the protection of operating systems [12–18], databases [19], programming languages [6, 20, 21], web applications [22], etc.

Asbestos [16], HiStar [17], and Flume [18] are classical DIFC operating systems. Asbestos adopts a "taint-propagation" policy, wherein each process P has two labels, a send label PS and a receive label PR. PS represents the process's current contamination, while PR represents the maximum contamination it is able to accept from others. P may send to Q only if PS is not more than QR; once the communication happens, Q is tainted by P: QS becomes the least upper bound of the two send labels.
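The taint-propagation rule can be sketched as follows. This is a minimal toy model with names of our own choosing; labels are simplified to plain tag sets, whereas real Asbestos labels map tags to levels.

```python
# Toy sketch of Asbestos-style taint propagation (labels simplified
# to tag sets; real Asbestos labels map tags to levels).

def can_send(sender_S, receiver_R):
    """P may send to Q only if P's send label is within Q's receive label."""
    return sender_S <= receiver_R

def deliver(sender_S, receiver_S, receiver_R):
    """On delivery, Q's send label becomes the least upper bound (set
    union here) of the two send labels: Q is tainted by P."""
    if not can_send(sender_S, receiver_R):
        raise PermissionError("send label exceeds receive label")
    return receiver_S | sender_S

P_S = {"secret"}              # P is contaminated with tag "secret"
Q_S, Q_R = set(), {"secret"}  # Q is clean but willing to accept "secret"
Q_S = deliver(P_S, Q_S, Q_R)  # Q is now tainted too
```

Note how the receiver's send label changes as a side effect of delivery; this implicit adjustment is exactly what the covert channel below exploits.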

Despite its benefits, the Asbestos design contains inherent covert channels. Consider a contaminated process A attempting to communicate a bit of sensitive information to an uncontaminated process C. An attacker might construct two uncontaminated processes, B0 and B1, which both repeatedly send heartbeat messages to C. To communicate the value i to C, A sends a message to Bi. If Bi tries to receive it, Bi becomes contaminated. If C does not receive a heartbeat message from Bi in the next time slot, it knows that A has sent the value i. Now C has the sensitive information, copied bit-for-bit from A. There are many variations of this covert channel, and it persists even if the mechanism is used for integrity protection. Such channels are inherent to any system in which a contaminated process can implicitly change the labels of a less contaminated process. Because Asbestos's event process abstraction makes forking very fast, this channel on Asbestos can leak kilobits of data per second [18].
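The channel can be made concrete with a minimal simulation. The names A, B0, B1, and C follow the text; labels are again simplified to taint-tag sets, and one call simulates one round of the protocol.

```python
# Sketch of the heartbeat covert channel under implicit label change.
# A encodes one bit by choosing which of B0/B1 to contaminate; C decodes
# it from the missing heartbeat, without ever touching tainted data.

def run_round(secret_bit):
    labels = {"A": {"t"}, "B0": set(), "B1": set(), "C": set()}
    # A sends a message to B_i to encode the bit; delivery implicitly
    # taints B_i (the Asbestos-style behavior that creates the channel).
    target = f"B{secret_bit}"
    labels[target] |= labels["A"]
    # Each B tries to heartbeat C; a tainted B can no longer do so,
    # because C's (empty) receive label would be exceeded.
    heartbeats = [b for b in ("B0", "B1") if labels[b] <= set()]
    # C decodes the bit as the index of the missing heartbeat.
    return 0 if "B0" not in heartbeats else 1

assert run_round(0) == 0 and run_round(1) == 1   # one leaked bit per round
```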

HiStar is a successor to Asbestos. It avoids these channels by requiring processes to contaminate themselves: a HiStar thread actively changes its label before reading contaminated data. Flume later adopted a similar strategy within a streamlined label system. However, compared with implicit label changes, explicit label changes involve the processes more deeply in information flow control, which results in poor communication if processes cannot adjust their labels in a timely manner. It also introduces performance overhead from the additional system calls.
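The contrast with explicit label change can be sketched as follows. This is a toy model in the HiStar/Flume spirit, with names of our own choosing: nothing changes implicitly, so the process must issue a deliberate call before a tainted read can succeed.

```python
# Toy contrast: explicit label change. The process must raise its own
# secrecy label via a deliberate call before it may read tainted data.

class Process:
    def __init__(self, capabilities):
        self.S = set()                 # current secrecy label
        self.plus = set(capabilities)  # tags it may add to itself

    def raise_label(self, tag):        # the explicit "change label" call
        if tag not in self.plus:
            raise PermissionError(f"no capability to add {tag!r}")
        self.S.add(tag)

    def read(self, data_label):
        if not data_label <= self.S:   # no implicit adjustment here
            raise PermissionError("label too low; raise it first")
        return "data"

p = Process(capabilities={"secret"})
try:
    p.read({"secret"})                 # fails: label not yet raised
except PermissionError:
    p.raise_label("secret")            # the extra system call
assert p.read({"secret"}) == "data"
```

The extra round trip through `raise_label` is the intervention and overhead the paragraph above refers to.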

This paper presents a model for information flow control at the operating system level, called the enhanced implicit label change model (EILCM), to resolve this tension. The model uses Flume-style labels and capabilities, defined through set operations over typed tags, a well-understood formalism for expressing dynamic process isolation that can effectively prevent Trojan and spyware attacks. Our model has the following characteristics: first, it allows implicit label change yet closes the known covert channels; second, it resolves the contradictions between users' sharing of common software and authorization constraints for separation of duty or least privilege through mutually exclusive tag constraints; and third, its rules cover more information flow types, such as file operations and program execution, in addition to inter-process communication (IPC). We do not introduce privilege transfer or delegation of authority, considering that it is difficult for most commercial DIFC programs to predict their future runtime environment or to know in which situations privilege should or should not be transferred. In that case, policy management tasks would ultimately be passed from the DIFC program to system administrators and users. Furthermore, delegation of authority adds more uncontrollable factors.

In order to prove that there are no covert channels in an EILCM system, we adopt an approach similar to that of Krohn et al. [18]. We describe the model specification using communicating sequential processes (CSP) to clarify the formal semantics of information flow control behaviors of the EILCM system; then we prove that an abstract EILCM system has the security property of noninterference based on CSP formulas. Our method and that of [18] differ as follows. (1) Our definition of noninterference with declassification uses a standard CSP process-oriented specification, so our proof combines automated and manual analysis, whereas Krohn and Tromer's definition [18] is a property-oriented specification, so its proof is completely manual. (2) Our model adopts centralized control of information flow and captures more information flow types, while the Flume model of [18] adopts distributed control and concentrates on IPC control, resulting in distinct differences in their formal semantics.

Another problem studied in this paper is the verification of EILCM policies. Because of the richness and complexity of label management, whether label configurations completely and consistently express the high-level policies and goals is an important question. In traditional one-way information flow models, policy verification is quite simple. However, in flexible information flow control systems such as Vista, Asbestos, and Flume, policy verification is complex [23, 24] because of their declassification or privilege transfer functions. These functions diffuse the individual policies and obscure their combined effect. Misconfigurations may make processes lose privileges they should have or gain undue privileges via a privilege exploit attack. Policy analysis and verification are especially necessary for large systems with hundreds of processes or users and tens of thousands of resources.

In sum, the novel contributions of this paper are as follows:
(i) In Section 2, we present an enhanced implicit label change model (EILCM) that can close the known covert channels in existing implicit label change models for information flow control at the operating system level. Moreover, EILCM introduces mutually exclusive tag constraints to resolve the contradictions between users' sharing of common software and authorization constraints for separation of duty or least privilege. Based on the ISO general access control framework, we also use the CSP language to describe the formal semantics of information flow control behaviors of EILCM systems, which lays the foundation for noninterference proofs.
(ii) In Section 3, we formally analyze the reasons why EILCM can close the known covert channels. Further, using the model checker FDR, we prove that an abstract EILCM system has the security property of noninterference with declassification.
(iii) In Section 4, we prove that the problem of EILCM policy verification is NP-complete. This conclusion reflects, to some extent, the computational complexity of the problem of Flume policy verification, due to their partial similarity. We also present a backtrack-based search algorithm to solve the problem, and experiments show that the algorithm is effective.

We discuss related work in Section 5 and conclude in Section 6.

2. EILCM Descriptions

2.1. Informal Descriptions of EILCM

In an EILCM protection system, let O be the set of all objects (e.g., files) and P be the set of all subjects (e.g., processes). Let Ts be the set of secrecy (export) protection tags, each tag denoting a secrecy domain type: only a requestor whose secrecy level contains the tag x can observe the information in an x-type secrecy domain. Correspondingly, let Ti be the set of integrity (import) protection tags, each tag denoting an integrity domain type: a requestor whose integrity level does not contain the tag y cannot alter the information in a y-type integrity domain.

Definition 1. (label). For each object or subject x, its label is a triple (Sx, Ix, Cx), where Sx denotes its secrecy level, Ix denotes its integrity level, and Cx denotes its management capability for its own label.
Secrecy levels and integrity levels, respectively, form a lattice under the partial order given by the subset relation: secrecy level Sa is not higher than Sb if and only if Sa ⊆ Sb, and integrity level Ia is not lower than Ib if and only if Ib ⊆ Ia. In EILCM, information can flow from low secrecy-level and high integrity-level objects or subjects to high secrecy-level and low integrity-level objects or subjects.
A subject s with t+ ∈ Cs can add a tag t to its own Ss if t ∈ Ts, or to its own Is if t ∈ Ti, while with t− ∈ Cs it can remove t from its own Ss or Is. Generally speaking, for a secrecy tag t, an untrustworthy process p with t+ ∈ Cp and t− ∉ Cp can read a secret file f with t ∈ Sf by raising its own Sp to Sp ∪ {t}, without the ability to reveal it. If t− ∈ Cp, the system conservatively assumes that p has declassification ability and does not propagate f's taint to p's data. If there are multiple tags in Sf, then p requires independent consent for each tag before reading f. Similarly, for an integrity tag u, a system-level process q with u ∈ Iq and u− ∈ Cq can receive network data by reducing its own Iq to Iq \ {u}; however, once it reads this unsafe data, it loses the ability to modify the system configurations. If u+ ∈ Cq, the system conservatively assumes q has decontamination ability and it can still modify the system configurations.
The subject's capability is derived from the properties of the executable object where it was born, which are set by the authority administrator. We define Co = ∅ for every object o, which means that an object cannot change its level itself.
To simplify notation, a subject s's "add-tag" capability is given by Cs+ = {t | t+ ∈ Cs}, and its "remove-tag" capability is given by Cs− = {t | t− ∈ Cs}. The notation Cs± = Cs+ ∩ Cs− represents s's dual-privilege capability.
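Definition 1 and the capability-gated changes above can be sketched in code. The following toy model uses our own encoding (capabilities as (tag, sign) pairs); the "+"/"−" convention follows the text.

```python
# Sketch of Definition 1's label triple (S, I, C) with capability-gated
# tag addition and removal: "t+" permits adding tag t, "t-" removing it.

from dataclasses import dataclass, field

@dataclass
class Label:
    S: set = field(default_factory=set)  # secrecy level
    I: set = field(default_factory=set)  # integrity level
    C: set = field(default_factory=set)  # capabilities, e.g. {("t", "+")}

    def cap_plus(self):                  # "add-tag" capability C+
        return {t for (t, sign) in self.C if sign == "+"}

    def cap_minus(self):                 # "remove-tag" capability C-
        return {t for (t, sign) in self.C if sign == "-"}

    def add_tag(self, tag, level):       # level is "S" or "I"
        if tag not in self.cap_plus():
            raise PermissionError(f"missing {tag}+")
        (self.S if level == "S" else self.I).add(tag)

    def remove_tag(self, tag, level):
        if tag not in self.cap_minus():
            raise PermissionError(f"missing {tag}-")
        (self.S if level == "S" else self.I).discard(tag)

p = Label(C={("x", "+")})
p.add_tag("x", "S")          # an untrusted reader may taint itself ...
try:
    p.remove_tag("x", "S")   # ... but cannot declassify without x-
except PermissionError:
    pass
```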

Definition 2. (constraints). R is a set of mutually exclusive tag constraints with the property that for each r ∈ R, the secrecy/integrity level L of any object or subject satisfies |L ∩ r| ≤ 1.
We introduce mutually exclusive tag constraints to solve the contradictions between users’ sharing of common software and authorization constraints for separation of duty or least privilege.

Example 1. (secrecy/least privilege). Alice and Bob share the word-processing program w to edit, respectively, their private documents with secrecy levels {a} and {b}. Then w's capability should include a± and b± in order to read these documents. Assume that Alice executes w from her shell process to generate a new process p with Sp = {a}, and p inherits w's capability. In order to prevent Alice from reading Bob's document by means of p, p should be deprived of the b± capability at that time, which means that the process should run with as few privileges as possible. We can solve this problem by defining the constraint {a, b} ∈ R.

Example 2. (integrity/separation of duty). General information systems emphasize the separation of powers and do not allow any individual to have sufficient authority within the system to single-handedly perpetrate fraud. The normal division of authority is into security management, system configuration, and audit management. Assume these management domains are denoted, respectively, by the integrity tags t1, t2, and t3, and that the domain administrators are used to using the same program w to modify their domain information, which requires that w's capability contain t1±, t2±, and t3± together. However, we need to be assured that when a new process is created by some domain administrator and derived from w, it has no chance of modifying other domains' information although it inherits w's capability. We can solve this problem by defining the constraint {t1, t2, t3} ∈ R.
In order to prevent any subject from implicitly bypassing these constraints, EILCM does not entitle any subject to delete those tags that exist in R from its level.
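The constraint check of Definition 2 reduces to a simple set intersection. The tag names below mirror Examples 1 and 2 but are purely illustrative.

```python
# Sketch of Definition 2: a level violates a mutually exclusive tag
# constraint r when it contains more than one tag of r.

def compliant(level, R):
    """True iff `level` contains at most one tag from each constraint."""
    return all(len(level & r) <= 1 for r in R)

R = [frozenset({"a", "b"})]              # Example 1: Alice vs. Bob docs
assert compliant({"a"}, R)               # reading Alice's document: fine
assert not compliant({"a", "b"}, R)      # aggregating both: forbidden

R2 = [frozenset({"t1", "t2", "t3"})]     # Example 2: separated duties
assert compliant({"t2"}, R2)
assert not compliant({"t1", "t3"}, R2)   # two duties at once: forbidden
```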
Further, we introduce a dominance relation for Definition 3. Given objects or subjects a and b in an EILCM system, we say a ≼ b if and only if Sa ⊆ Sb and Ib ⊆ Ia.
Before defining the information flow rule, we reconsider the example of covert channels mentioned in Section 1. The former models assume that if B tries to receive a message from A when A has sent nothing, B should not be contaminated. However, transmitting no data should actually be regarded as a kind of implicit communication without formal sending and receiving behavior, if planned by adversaries. Therefore, in EILCM, if B can be contaminated within its capability and tries to receive a message from A, B will be contaminated automatically whether or not A has sent a message to it. In addition, HiStar and Flume introduce the explicit label change method, in which each process must itself decide whether to adjust its level if it wants to communicate successfully with another process. We formally analyze why these methods close the known covert channels in Section 3.1. Compared with our method, the explicit label change method increases the process's interventions, which results in unsmooth communication and introduces system call overhead.

Definition 3. (secure information flow and implicit change label). The information flow from a to b is safe iff it satisfies the flow condition; when the flow is finished, b's level is implicitly changed accordingly. Definition 3 demands that secure information flow run from low secrecy-level and high integrity-level objects or subjects to high secrecy-level and low integrity-level objects or subjects, where both parties' capabilities of adjusting their own levels are taken into account. For the different types of concrete operations, the operational semantics are as follows:
(i) Subject s can receive a message from subject p, iff (a) s can adjust its own level within its capability, (b) p exists, (c), (d) the remaining safety conditions of the flow rule hold, and (e) p has sent a message to s. When s triggers the related receive system call, s's level is adjusted as follows: if (a)–(e) hold, s's level is raised to absorb the flow's contamination; if (a) holds and (b), (c), or (d) does not hold, s's level is adjusted in the same way; otherwise, s's level remains unchanged.
(ii) Subject s can write/delete object o, iff (a) o exists and (b) the flow from s to o is safe.
(iii) Subject s can read/load object o, iff (a) s can adjust its own level within its capability, (b) o exists, and (c), (d) the remaining safety conditions of the flow rule hold. When s triggers the related read/load system call, s's level is adjusted as follows: if (a)–(d) hold, s's level is raised to absorb the flow's contamination; if (a) holds and (b), (c), or (d) does not hold, s's level is adjusted in the same way; otherwise, s's level remains unchanged.
(iv) Subject s can create object o with given secrecy/integrity levels, iff (a) o does not exist and (b) the requested levels are within the flow rule's bounds.
(v) Subject s can execute object o and create a new subject, iff (a) s can adjust its own level within its capability, (b) o exists, and (c), (d), (e) the remaining safety conditions of the flow rule hold, where p is the id that the system allocates for the new subject and p's capability is derived from the properties of o.
When s triggers the execute system call, s's level is adjusted as follows: if (a)–(e) hold, s's level is raised to absorb the flow's contamination; if (a) holds and (b), (c), (d), or (e) does not hold, s's level is adjusted in the same way; otherwise, s's level remains unchanged.
When p is born, its level is set from s's and o's levels, and its capability is set from o's properties. This process can be broken down into a process of "reading" o and one of "writing" p. In the former, s can learn, at least, whether o exists. In the latter, the start-up parameters are information that s directly tells p if p starts with parameters; without parameters, the fact that p starts is itself the sensitive information that s conveys, if only s can start p.
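One plausible reading of the implicit change on receive can be sketched as follows (the paper's exact side conditions appear in equations not reproduced here; this is our reconstruction of the key point). The receiver is contaminated as far as its capabilities allow on every receive attempt, whether or not a message is pending, which closes the heartbeat channel of Section 1.

```python
# Sketch of implicit label change on receive: the adjustment happens
# on the *attempt*, independent of whether the sender actually sent.

def try_receive(recv, sender, message_pending):
    """recv/sender are dicts with tag sets S (secrecy) and Cplus
    (add-tag capability). Returns (ok, data)."""
    needed = sender["S"] - recv["S"]     # taint recv must pick up
    if needed <= recv["Cplus"]:
        recv["S"] |= needed              # implicit change on every attempt
        return (message_pending, "msg" if message_pending else None)
    return (False, None)                 # recv cannot be contaminated

A = {"S": {"t"}, "Cplus": set()}
B = {"S": set(), "Cplus": {"t"}}
try_receive(B, A, message_pending=False)  # A sent nothing ...
assert B["S"] == {"t"}                    # ... but B is tainted anyway
```

Because B's label changes even when no message was sent, an observer of B's subsequent behavior learns nothing about whether A actually sent, which is exactly the property that defeats the B0/B1 heartbeat attack.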

Definition 4. (secure explicit change label). For a subject s, let L be Ss or Is, and let L′ be the new value that s requests for L. The change from L to L′ is safe if and only if the added tags are within s's add-tag capability and the removed tags are within its remove-tag capability. Correspondingly, for an object o and a subject s, let L be So or Io, and let L′ be the new value that s requests for L; the change from L to L′ is safe under the analogous condition. A subject can thus adjust its own level within its capability. For example, a word-processing process can produce the first confidential document in the system by raising its own secrecy level, and PGP software can reduce its own secrecy level in order to send an encrypted document. Explicit label change is an effective supplement to implicit label change; with it, the condition of secure information flow can be relaxed accordingly.
The requirement for a subject adjusting an object's level is consistent with that for a subject adjusting its own level and with Definition 3. Under the same conditions, a subject s could achieve the adjustment of an object o's level through the following process: s reads the contents of o ⟶ s writes the content to a temp file o′ ⟶ s deletes o ⟶ s creates o with the new level ⟶ s reads o′ ⟶ s writes o ⟶ s deletes o′. We specify this requirement to simplify the system processes.
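The safety condition of Definition 4 for a subject's own level can be sketched as a pair of set inclusions. The formula is our reconstruction, consistent with the capability semantics of Definition 1.

```python
# Sketch of Definition 4: an explicit change old -> new of a subject's
# own secrecy level is safe iff every added tag is in the add-tag
# capability and every removed tag is in the remove-tag capability.

def safe_explicit_change(old, new, cap_plus, cap_minus):
    added, removed = new - old, old - new
    return added <= cap_plus and removed <= cap_minus

# A PGP-like process declassifies: it may drop "secret" only if it
# holds the remove-tag capability for that tag.
assert safe_explicit_change({"secret"}, set(), set(), {"secret"})
assert not safe_explicit_change({"secret"}, set(), set(), set())
# A word processor creates the first confidential data by raising itself:
assert safe_explicit_change(set(), {"secret"}, {"secret"}, set())
```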
Based on the above definition, the next section gives the precise semantics of the model.

2.2. Formal Specifications of EILCM

In order to formally analyze the security of EILCM and the known covert channels, we describe EILCM's formal specifications using communicating sequential processes (CSP) [25]. CSP can effectively capture the required or expected behaviors of a concurrent system or component, which makes it suitable for analyzing the security properties of information flow models [26]. These specifications involve file operation, program execution, inter-process communication, etc. Since they are elementary, a real EILCM system might not be constructed directly from them. For example, the specifications do not capture how to reliably obtain an object's label but assume that all object labels are stored in the object manager; they do not capture reliable communication but simply let a new message overwrite an old message that has not been taken away when the message buffer is full; and they do not capture fair scheduling of processes but permit any interleaving of processes. Nevertheless, our specification is fundamental: it expresses the essential safety requirements of EILCM and is easy to expand, refine, and adjust in its nonsecurity aspects.

Figure 1 depicts the composition and control principles of EILCM. We follow the ISO general access control framework, which separates access control policy decisions from enforcement to provide flexibility in access control. Our framework mainly consists of the Access Control Enforcement Function (AEF), the Access Control Decision Function (ADF), and Object Management (OM). Each subject calls a system service via a channel, which is captured by AEF. AEF obtains the Access Decision Information (ADI) about this system call from OM and then sends the ADI to ADF. Based on the ADI and the information flow rules, ADF makes a decision and returns it to AEF. Finally, AEF enforces this decision. AEF and OM constitute the security kernel, which should be small enough to ensure efficiency and facilitate security analysis.

2.2.1. User Processes

In general, user processes access system resources through system calls. There is no direct interaction between them, so we use the interleaving operator to express their relations. The behaviors of all user processes are specified as follows, where the index set denotes all process identifiers and the first process at system startup can execute any object to create a new process for startup needs. CSP has no operator for dynamically spawning processes, but actual systems usually restrict the maximum number of processes; thus, we can prebuild all the possible user processes. Any process is in an idle state before it receives the born signal; the born signal transitions it into the live state, and the exit signal returns it to the idle state. The behaviors of a single user process are specified as follows:

In the live state, can issue a system call:

The subprocess describes sending a message to user process :

The subprocess describes receiving a message from , where is the receive buffer and returns the success/failure result of this system call.

The subprocess describes executing an object , where allocates randomly the PID of the new process.

The subprocess describes process’s state transition from live to idle.

The subprocesses , , , , and have similar behaviors, and we omit the description of their behaviors.

2.2.2. AEF

receives and concurrently processes system calls from different users, with each subprocess listening to the corresponding user's calls and controlling access to the system. The process guarantees the state consistency of the security kernel when two or more system calls involve the same subject or object simultaneously.

Each system call gets its own dedicated subprocess, and consists of these subprocesses through the choice operator.

The process implements a "mutex" lock by virtue of the parallel operator in order to serialize accesses to the same subject or object. In order to prevent deadlock when locking the multiple subjects or objects involved in one system call, locks are acquired in a fixed priority: subjects before objects, and in order from small id to large id.

The alphabet of process is .

The subject-access-synchronism process is , where .

Similarly, the object-access-synchronism process is , where , and is the set of all possible object ids.

We set a buffer to cache and forward the messages in process communication. If p wants to send to q, AEF will first record the current level of p and store the message in the message slot, whose specifications are given in the following descriptions of OM. Subsequently, if q tries to obtain the message, AEF will collect the related ADI and send it to ADF for a policy decision. Only when the request is permitted by ADF will AEF return the message to q. Moreover, AEF might adjust q's level according to ADF's requirements.

When has permission to access object , expresses the related object operation using the event in channel , e.g.,

If a subject requests creating a new subject, AEF will first request a new id from OM, which selects it randomly from the set of available process identifiers. AEF will then adjust the levels of the creator and the new subject and emit the born signal to activate the corresponding process.

When a subject exits, AEF will clear its label information in OM and update the set of available subject identifiers. In addition, it clears the subject's send buffer.

The system calls for changing level are mainly used to update the label information in .

2.2.3. OM

The process manages the system state information, i.e., the labels and existence of all subjects and objects, the set of available process identifiers, and the messages in process communication.

We introduce its subprocesses one by one. The first provides the query and modification service for the label and existence of all subjects, with parameters denoting, respectively, the process id, the subject's secrecy level, integrity level, and capabilities, and whether the subject exists.

is an interleaving of all these per-subject subprocesses. We assume that one designated process is the only live user process at system startup. Therefore, we can set up any initial state of the system, since any type of process and object can be created by it.

Similarly, provides the query and set service about the label and existence of all the objects, and is an interleaving of all the . The “capability” attributes of the object are set by authority administrator, and we model it as a random event in the channel .

provides the management of available process identifiers via channel , which allocates a new id when a new process is created and reclaims the id when a process exits. In our specifications, access to channel is mutually exclusive.

describes the behaviors of the message buffer in process communication, which caches and forwards the message. For simplicity, a message slot is set for each pair of sender and receiver.

The process specifies the behavior of the process communication buffers.

The message slot provides the storage and removal of information. We simply specify that a new message overwrites an old message that has not been taken away when the message buffer is full. The stored information also includes the current level of the sender. Its transitions are as follows:
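The slot's overwrite semantics can be sketched as a tiny class; names are ours, and a single slot per sender/receiver pair is assumed, as in the specification.

```python
# Sketch of the one-slot message buffer: a new message overwrites an
# old one that was never taken away, and the sender's level at send
# time is stored alongside the payload.

class MessageSlot:
    def __init__(self):
        self.slot = None                      # (payload, sender_level)

    def store(self, payload, sender_level):
        self.slot = (payload, set(sender_level))  # overwrite if full

    def take(self):
        msg, self.slot = self.slot, None
        return msg                            # None if slot was empty

buf = MessageSlot()
buf.store("m1", {"t"})
buf.store("m2", {"t"})            # m1 is silently overwritten
assert buf.take() == ("m2", {"t"})
assert buf.take() is None         # slot is empty again
```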

Finally, the OM is an interleaving of these service subprocesses:

2.2.4. ADF

also deals concurrently with the requests from each of the subprocesses of AEF. According to the ADI and the rules, it returns its decision and its requirements for state transition. Its behaviors are specified as follows:

Process communication is controlled when the receiver tries to receive the message. For such a request, ADF determines whether to permit it and develops the policy for adjusting the receiver's level in terms of Definition 3. Since the system clears the corresponding buffer when any subject exits, a message existing in the buffer must be fresh, which guarantees data consistency.

The decision process for a request to read/write/create/delete/execute an object is similar to that mentioned above. The "capability" attributes of a new object are set by the authority administrator, and we model this as a random event in the channel. We omit the unnecessary details.

stores the mutually exclusive tag constraints and provides the service to verify whether or not a given label satisfies them.

2.2.5. Abstract EILCM System

Based on the components above, the security kernel is described as the concurrent composition of AEF, ADF, and OM.

The overall system is the concurrent composition of the security kernel and the user processes.

We use the hide operator to hide the inner transitions, e.g., the communication between AEF and OM. In fact, the inner implementation of the system is a black box to users; a user can at most see other users' behaviors, not the inner traces [18].

2.3. Application of EILCM

The application case is a desktop system, as shown in Figure 2. Typically, the system includes an instant messaging tool IM, map navigation software MN, data encryption and transmission software EMail, an antivirus tool Killer, a web browser UC, and a shell Explorer.

The user's chat information is stored in IM data. The daily operations of a user include communicating with contacts via IM, sending encrypted important IM files or MN data to his/her colleagues via EMail, and assisted driving via MN. The important configuration information of this system is stored in the OS config file. Killer can detect and kill viruses, but it needs to update its own virus database online regularly. The security requirements of this system are as follows:
(1) IM and MN are untrusted. They are forbidden to read each other's data.
(2) Killer is allowed to read IM data, MN data, and the OS config file in order to detect and kill potential viruses in time. However, it is forbidden to disclose these private data when updating the virus database.
(3) Secret IM data and MN data can be encrypted and sent out by EMail. Since a program could aggregate IM data and MN data and thus obtain more of the user's private information, the system requires a privilege constraint against simultaneous reading of IM data and MN data.
(4) Explorer can no longer modify OS config files after it loads insecure libraries downloaded from the network by UC.
(5) OS update packages downloaded from the network by UC cannot modify the configuration files unless they have already been checked by Killer.
(6) IM sets the label of IM data. MN sets the label of MN data.

The label and capability scheme for building EILCM is as follows. In order to protect the secrecy of IM data and MN data, secrecy tags im and mn are created, respectively, to track and control the propagation of this secret information. In order to protect the integrity of the operating system's important data, an integrity tag os is established. The network is considered to have the lowest integrity level and secrecy level. The secrecy/least-privilege rule {im, mn} ∈ R is established. The initial settings of each label are shown in Table 1.

In Table 1, since the IM process is the owner of IM data, its capability is set to {im+, im−}, indicating that it can manage these data. Similarly, the capability of the MN process is set to {mn+, mn−}. The capability of the EMail process is set to {im+, im−, mn+, mn−}, so that it can read IM and MN data and encrypt them before sending. The capability of Killer is set to {im+, mn+, os+, os−}, which means that it can read any secret information but has no ability to release secret information to the network. Killer can lower its integrity level to scan any entity, and can add the integrity tag to itself or to data that are considered safe after scanning. The capability of the UC and Explorer processes is set to {os−}. They are not given the ability to add the integrity tag os, so they cannot destroy the integrity of system data even if they are infected. It can be seen that the EILCM system can meet these security requirements well. At the same time, because it belongs to the taint-propagation family and supports implicit label change, the system can automatically and reasonably adjust subject and object labels according to access requirements. In addition, it also supports explicit label change, which makes the system more flexible and improves availability.
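A few of these requirements can be sanity-checked in code. The tag names (im, mn, os) and the entity labels below are our reading of the scenario, since Table 1 is not reproduced here; flow a → b is modeled as safe iff Sa ⊆ Sb and Ib ⊆ Ia.

```python
# Sanity check of the desktop scenario's label scheme under the basic
# flow rule: S_src <= S_dst (secrecy) and I_dst <= I_src (integrity).

def flow_ok(src, dst):
    return src["S"] <= dst["S"] and dst["I"] <= src["I"]

im_data   = {"S": {"im"}, "I": set()}
mn_data   = {"S": {"mn"}, "I": set()}
network   = {"S": set(),  "I": set()}     # lowest secrecy and integrity
os_config = {"S": set(),  "I": {"os"}}
killer    = {"S": {"im"}, "I": set()}     # Killer after scanning IM data
explorer  = {"S": set(),  "I": set()}     # Explorer after loading a net lib

assert flow_ok(im_data, killer)           # req (2): Killer reads IM data
assert flow_ok(network, killer)           # Killer may fetch virus updates
assert not flow_ok(killer, network)       # req (2): but cannot leak online
assert not flow_ok(mn_data, killer)       # not without raising its level
assert not flow_ok(explorer, os_config)   # req (4): tainted Explorer blocked
```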

3. Noninterference Analysis for EILCM

We will analyze the security properties of in this section. Goguen and Meseguer [27] took an important step towards a formal specification and analysis of information flow with the concept of noninterference. Intuitively, user A not interfering with user B means that A’s behavior has no effect on what B can observe; that is, B’s view of the system is independent of A’s behavior. It is usually assumed that a system satisfying noninterference security has no covert channels.

Many variants of Goguen and Meseguer’s definition [27] of noninterference have been proposed, using finite-state automata [28], relational Hoare-type theory [29], Petri nets [30], game theory [26], etc. Ryan and Schneider [26] redefined the noninterference concept using the CSP verification model [31] based on process equivalence. Bossi et al. [32] and Krohn and Tromer [18] partitioned the space of symbols into three sets: high, low, and declassify; we adopt a similar idea. Krohn and Tromer [18] and Bossi et al. [32] presented formulas for noninterference with declassification as CSP property-oriented specifications, which, compared with standard CSP process-oriented specifications [31], lack effective tool support for automated analysis. In this section, we first use the definition of noninterference from [26] to formally detect the known covert channels and analyze the reasons why EILCM can close them; secondly, we propose our definition of noninterference with declassification and prove that the abstract system satisfies it.

3.1. Analysis of Covert Channel in EILCM System

We use Ryan and Schneider’s definition [26] of noninterference to detect the known covert channels described above, and call their definition basic noninterference. In this section, we use the concepts of the CSP model and process equivalence [31].

Definition 5. (basic noninterference). Assume that high-level users interact with the system via the events () and low-level users do so via the events (). Further assume that these two types of events partition the full range of events (the alphabet) of . Then, the high-level user is said to be noninterfering with the low-level user via S if and only if

That is, after being advanced by and , the two processes must accept all of the same traces (projected to low) and refuse all of the same refusal sets (projected to low) [18].
The definition above is a property-oriented specification. In order to avoid the need to explicitly quantify over traces, Ryan and Schneider expressed a characterization directly as a standard CSP equivalence:

Nevertheless, equation (40) is strictly stronger than equation (41) [26] because the latter does not consider divergences in terms of the semantics of the stable failures model. An alternative is not to hide the events but to camouflage them [26]:

Obviously, this will greatly increase the state space for verification. In our view, when selecting the equivalence semantics from traces, failures, and divergences, we should simultaneously consider safety, efficiency, and the characteristics of the actual verified system. In general, based on the restrictions of these models, we order them from weak to strong, and their complexity from low to high, as follows: the trace model, the stable failures model, and the failures/divergences model. The trace model checks all the possible traces of a process. This is appropriate for verifying safety properties [31], which are generally of the form “something bad will not happen.” However, it cannot verify liveness properties, generally of the form “something good will happen,” because the internal and external choice operators have the same trace semantics. The stable failures model solves this problem by adding the failures check, but it does not capture divergence behaviors.
In general, adding the hide operator to a process expression might introduce divergence behaviors. The failures/divergences model checks both failures and divergences and is usually taken as the standard model. Of course, it can add considerable overhead to state space exploration. We think that if the divergence behavior exists not in the actual system but only in the virtual system , then a divergence attack does not exist and we need not require the equivalence of divergences.
According to Definition 5, for each event, we need to know the current levels of its sponsor and its properties in order to analyze the noninterference of the system. While the levels of all subjects and objects are stored in , the events themselves carry no state information. Therefore, we explicitly label each system call with the caller’s current levels and capability. These system calls now have the form , where S, I, and C denote, respectively, the secrecy level, the integrity level, and the caller’s capability. A user process gets its label once born:

In an EILCM system, the system calls that might change the caller’s levels include , , and . Our implicit labeling of the system calls should reflect these changes in time. We introduce the virtual system call and its kernel response to learn the latest state of the caller. The involved user subprocesses include , , , and . We take as an example.

Other subprocesses need not update their label state; we take as an example.

The modified is denoted . Evidently, the label query call changes neither the secure states nor the state transitions, and the used for ’s decision is still derived from . The explicit label on system calls only aids verification, and the implementation of need not consider it. Thus is equivalent to with respect to security properties.
We use Krohn and Tromer’s definition [18] to classify the user-level events in terms of their labels.

Definition 6. (high event/low event). Given a system , for each secrecy protection tag , define the and alphabets as follows.
The high events are

The low events are the complement sets:

Next, we can analyze the known covert channels mentioned in Section 1 by virtue of Definitions 5 and 6.

Example 3. Detecting the known covert channels: let the attack instance mentioned in Section 1 run in based on our EILCM specifications. Firstly, assume that implements information flow rules similar to Asbestos’s, rather than the rules of EILCM. For secrecy protection, a contaminated process is a process and the other, uncontaminated processes are processes.
Let denote . Assume is not contaminated in its initial state. If it is permitted for a contaminated process to change the labels of a less contaminated process implicitly, consider the trace , and the trace , where each event is labeled with the sponsor’s secrecy level. It is easy to conclude that , , and . When the event is triggered, we have and , which fails to satisfy equation (41), that is, the event interferes with the process. Thus, we find a covert channel.
Secondly, assume that implements the rules of EILCM, and continue the analysis of the attack. When the event is triggered, we have and , which means that the trace will not occur in and . Thus, we do not find a covert channel in the EILCM system.
Thirdly, assume denies implicit label change but permits explicit label change. Since the event does not exist in traces and , will not be raised to the level, so neither nor involves the trace ; in addition, if and , we have , which makes unable to receive the message from , that is, both and involve . Therefore, there is no difference in this case, and we do not find a covert channel in the situation of explicit label change.
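The trace-level reasoning of Example 3 can be mimicked with a toy finite-trace check. This is only a sketch of the trace-model reading of equation (41), with invented event names; a real CSP analysis would use FDR, as done later in this section.

```python
def project_low(trace, is_high):
    """Drop high events, keeping the low-observable part of a trace."""
    return tuple(e for e in trace if not is_high(e))

def noninterfering(traces, is_high):
    """Trace-model reading of basic noninterference: hiding all high
    events must yield the same low traces as forbidding them outright."""
    hidden  = {project_low(t, is_high) for t in traces}
    blocked = {t for t in traces if not any(is_high(e) for e in t)}
    return hidden == blocked

is_high = lambda e: e.startswith("h_")

# Asbestos-style implicit relabeling: the low receive "l_recv" becomes
# possible only after the high event "h_taint" has occurred.
asbestos = {(), ("h_taint",), ("h_taint", "l_recv")}
# EILCM-style: the tainted trace is simply refused, so the low view is
# the same whether or not any high event happens.
eilcm = {(), ("h_taint",)}

print(noninterfering(asbestos, is_high))  # False: covert channel found
print(noninterfering(eilcm, is_high))     # True
```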

3.2. Proof of Noninterference Property of EILCM

Definition 5 strictly prohibits the events from interfering with the processes, but this might not reflect actual security requirements, e.g., conditional downgrading. Many information flow models permit conditional information flows from processes to processes. For example, these flows may be required to pass through trusted agents. EILCM permits such flows traversing the appropriate declassifiers. For a secrecy tag d, the declassifiers are the processes owning the capability to delete d from their own secrecy levels. Nevertheless, declassification makes the permitted information flows in an EILCM system violate basic noninterference. For instance, consider a process with , , a process with , , and a process with , . Comparing the case where has called with the case where it has not, we find that if calls , the process will obtain the information in the former case but not in the latter; similarly, comparing the case where has triggered the event sequence with the case where it has not, we find that if calls , the process will obtain the information in the former case but not in the latter. Therefore, we need a reasonable explanation and definition of noninterference for these cases. The new definition should permit the declassifiers and processes to interfere with any other processes, and also permit the processes to interfere with the other processes, but prohibit the processes from interfering with the processes. This is called intransitive noninterference [33] or noninterference with declassification [18, 29, 30, 34].

Some works formally analyzed Android programs [35], Java programs [36], and microkernels [37] with noninterference theory, but their analyses are not automated. Egger et al. [38] proved that the verification of intransitive noninterference can be solved in polynomial time. We will use the model checker FDR to perform an automated analysis.

Before analyzing ’s property of noninterference with declassification, we need to specify the declassifying events, also called events.

Definition 7. (mid event). Given a system , for each secrecy protection tag , define the alphabets as follows:

Definition 7 permits the intersection between and (or ) to be nonempty. In fact, includes all the events the declassifiers can trigger, whether they are in the state or in the state. The set might include events irrelevant to declassification, e.g., the declassifier sending a message to a process or receiving a message from a process. It is easy to conclude that these events neither change the current security state of the system nor interfere with the processes.
Now, we propose our definition of noninterference with declassification based on CSP equivalence.

Definition 8. (noninterference with declassification). Given a system , we say that is secure for noninterference with declassification if and only if for each secrecy protection tag , the following equation holds:

where , , , and denotes an appropriate process equivalence.
Our definition of noninterference with declassification demands that the original system, which permits all kinds of events to happen, and the derived system, which prohibits the events in from happening, be equivalent when both hide the events in . That is, the set of events has the same influence on the processes with ; put differently, the processes cannot interfere with what the processes do via the declassifiers; likewise, the processes cannot interfere with the processes via the declassifiers. Note that this extended definition is equivalent to basic noninterference if , where no declassifiers exist.
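In the same toy finite-trace setting used for Example 3 (invented event names, a system given as a set of traces), Definition 8 can be sketched by additionally hiding the declassifiers' mid events on both sides before comparing the low views:

```python
def ni_with_declassification(traces, is_high, is_mid):
    """Definition 8, trace-model sketch: hide both high and mid events in
    the full system; hide mid events in the system that forbids high
    events; the two low views must coincide."""
    def proj(t):
        return tuple(e for e in t if not is_high(e) and not is_mid(e))
    full    = {proj(t) for t in traces}
    no_high = {proj(t) for t in traces if not any(is_high(e) for e in t)}
    return full == no_high

is_high = lambda e: e.startswith("h_")
is_mid  = lambda e: e.startswith("m_")

# The secret reaches low only through a declassifier (mid) event, and the
# declassifier can also emit the release without any high activity.
declassified = {(), ("h_secret",), ("m_release", "l_read"),
                ("h_secret", "m_release", "l_read")}
# A direct high-to-low leak with no declassifier in between.
leaky = {(), ("h_secret",), ("h_secret", "l_read")}

print(ni_with_declassification(declassified, is_high, is_mid))  # True
print(ni_with_declassification(leaky, is_high, is_mid))         # False
```

With no mid events at all, the check degenerates to the basic noninterference sketch, mirroring the remark that Definition 8 reduces to Definition 5 when no declassifiers exist.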
Next, we can review the declassification example mentioned at the beginning of Section 1 in light of Definitions 7 and 8. The events of , , and are not only but also . They can occur in . Therefore, both and involve the trace , permitting or to interfere with . That is, can deduce the behaviors of the declassifiers and , but it cannot interfere with the behaviors of high processes.
The security property of noninterference with declassification requires that there be no explicit or implicit information flow from a domain to the outside, excluding the flows produced by subjects with declassification capabilities writing to entities outside the domain. This property is weaker than basic noninterference, since the latter requires that in no case is there an information flow from a domain to the outside. Therefore, noninterference with declassification has a limitation: it must assume that a subject with the declassification capability for a domain will not leak that domain’s information. If such a subject is untrusted and sends information from the domain to the outside, the secret information is leaked and confidentiality is damaged.

Theorem 1. is secure for noninterference with declassification.

Proof. According to Definition 8, we need to prove that, for each secrecy protection tag , the claim holds. Since the internal choice operator is not used in the specifications of , the trace model and the stable failures model have the same equivalence semantics. In addition, the secure kernel just triggers the related inner event for each user system call; there are no inner loop processes, and the locking priority is set to prevent deadlock by conventional methods. Therefore, will not execute inner events consecutively and infinitely, that is, will not diverge. Taking all these factors into account, we use the trace model to verify process equivalence.
In , given a secrecy tag , first consider , that is, is not mutually exclusive with any other tag. In this case, according to different combinations of a subject’s levels and capability, the subjects have eight states with respect to protecting the secrecy domain . These states are as follows: , , , , , , , , where each state is a 2-tuple , with representing the subject’s secrecy level and representing the subject’s capability. During the system state transitions, consider two subjects and that have the same state at some moment. We observe the following. Firstly, and have the same influence on the other subjects and objects, that is, can do anything does, and vice versa. Secondly, the influence of the other parts of the system on and is also the same, that is, any other part’s operation sequence on is permitted if and only if the same sequence on is permitted. Thirdly, since both of them are simultaneously contaminated or uncontaminated, their own interaction will not change their levels. Finally, a subject’s capability remains unchanged. On the other hand, as for object states, since the label of a new subject refers to the levels and “capability” attribute of the object from which it is derived, the objects also have eight states in this case. If two objects have the same state, any trace related to one of them can still happen when they are replaced by each other.
In , let be the set of all subject identifiers and let be the set of all object identifiers. Assume  = 8 and  = 8. Assume that in the initial state of the system there is only a subject with its capabilities being , so it can create any type of object and, further, any type of subject; therefore, during the system state transitions, it is legal that there are eight subjects with different subject states. Assuming the claim holds on the condition that  = 8 and  = 8, we analyze whether the claim holds when  = 9 and  = 8. If it does not hold under this condition, the interference must appear at some point after nine subjects exist simultaneously and must be relevant to the behavior of the ninth-born subject, because the claim holds when  = 8.
Meanwhile, the ninth-born subject’s state must be the same as that of one of the first eight born subjects because all subjects have at most eight states. Nevertheless, according to the analysis in the previous paragraph, two subjects with the same state have the same influence on the system, the influence of other parts on them is also the same, and their own interaction does not change the system state. So we reach the following contradiction: given two subjects with the same state, one subject causes the occurrence of interference while the other does not.
Therefore, the assumption that the claim does not hold at  = 9 and  = 8 is wrong. So, if it holds on the condition that  = 8 and  = 8, then the claim must hold at  = 9 and  = 8. Moreover, we can deduce that if it holds on the condition that  = 9 and  = 8, then the claim must hold on the condition that  > 9 and  = 8, and so on. We can use the same method to analyze the situation of  = 8,  = 9. If nine objects exist together, two objects among them must have the same state, which means that any other part’s operation sequence on them has the same result, i.e., permission or rejection. So, if it holds at  = 8 and  = 8, then the claim must hold on the condition that  = 8 and  = 9, and so on.
Therefore, if we can prove that the claim holds on the condition that  = 8,  = 8, and there is a subject with capabilities in the system’s initial state, then, inductively, the claim holds on the condition that  > 8,  > 8, , with the initial state of the system being arbitrary. Thus, the claim holds on the condition that  0,  0, , with the initial state of the system being arbitrary. Actually, the eight subject states can be divided into five categories, and the states in each category are equivalent: (1) . (2) . (3) . (4) . (5) . For instance, each subject whose state is in class (3) can freely adjust its own level between and , and its behavior consists entirely of events. So, we only need to analyze whether the claim holds on the condition that  = 5,  = 5, and there is a subject with capabilities .
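The collapse from eight states to five classes can be sanity-checked by enumeration. The sketch below uses readable stand-ins for the elided symbols (a state is a pair of "holds the tag d?" and "capability subset of {+, -}"), and the two collapsing observations are our reconstruction of the argument, not a quotation of the paper's case analysis.

```python
from itertools import product

# A subject's state w.r.t. one secrecy tag d: does it hold d, and which of
# the capabilities "+" (add d) / "-" (delete d) does it own? 2 * 4 = 8 states.
states = list(product([False, True],
                      [frozenset(), frozenset("+"), frozenset("-"),
                       frozenset("+-")]))

def equiv_class(state):
    holds, cap = state
    if "-" in cap:
        # May delete d: implicit contamination adds d, the capability
        # removes it, so the two levels are freely interchangeable.
        return ("free", frozenset(cap))
    if holds:
        # d can never be dropped again, so a "+" capability is dead weight.
        return ("tainted-forever",)
    return ("clean", frozenset(cap))   # may or may not be able to add d

assert len(states) == 8
print(len({equiv_class(s) for s in states}))  # 5
```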
We use FDR2 to verify the claim on the condition that  = 5,  = 5, , and there is a subject with capabilities in the system’s initial state. FDR is a model-checking tool for state machines, with foundations in the CSP theory of concurrency. It establishes whether a property holds via refinement checking between transition systems. FDR2 improves verification efficiency by compressing states. It is easy to conclude that the trace collection of is a subset of .
We need to verify whether the latter is a subset of the former. The verification problem can be expressed in FDR2 using the following assertion:

The discussion above considered the case that . As for the case that , no subject has the capability to delete tag from its own level in terms of our EILCM. In this case, the subjects have eight states with respect to protecting the secrecy domain . After compression, these states are as follows: , , , , , , , where each state is a 2-tuple , represents the subject’s secrecy level, represents the subject’s capability, and represents some tag mutually exclusive with tag . In this case, we use FDR2 to verify the claim on the condition that  = 10,  = 1, , and there is a subject with capabilities in the system’s initial state.
The experiments were performed using FDR2.83 on Ubuntu 9.10 with an Intel P4 2.8 GHz CPU and 2 GB of memory. The verification results for both cases above are true. The verification runtime is 1680 seconds in the case of and 2580 seconds in the case of .
Taking into account all of the results of the analysis and automatic verification, we conclude that is secure for noninterference with declassification.
Though our noninterference result for was deduced for secrecy protection, the same argument holds for integrity protection. For an integrity tag , the events are those whose integrity level involves the tag , the events are those whose integrity level does not involve , the contaminated subjects are regarded as subjects, and the uncontaminated subjects are regarded as subjects. We can use the same method to prove that the contaminated subjects do not interfere with the uncontaminated subjects.
The covert channel mentioned in this paper can also be found by using Definition 8 as the property. Our modeling of the system in the proof has captured the possible exploitation behavior of the covert channel, and subjects with different labels and capabilities exist in the initial state of the system, so whether this covert channel can occur has been verified by the FDR tool. The entities participating in this covert channel contain no declassifiers, so Definitions 8 and 5 are equivalent for detecting it. For a clearer explanation, this covert channel was also analyzed using the basic noninterference of Definition 5.

4. Policy Verification for EILCM System

4.1. Problem Definition and Complexity

The purpose of noninterference analysis is to verify whether the EILCM system implements information flow control according to the information flow policies and whether there are covert channels carrying information flows that violate the security policy, including explicit and implicit flows. If the system satisfies noninterference, the implementation of the system strictly adheres to the security policy and there are no covert channels.

The purpose of policy verification is to verify the information flow reachability problem under a given tag and capability allocation scheme. The EILCM model is highly flexible, often with thousands of entities whose capabilities and tags vary. Moreover, the EILCM model is dynamic, and its information flow reachability is complicated. The burden on administrators is therefore large, which can easily lead to policy misconfigurations. Automated policy verification can assist administrators in managing policies and is thus required.

In EILCM, although the subject’s capabilities for deleting secrecy tags from, or adding integrity tags to, its own levels have good semantics, these capabilities complicate information flow analysis. We need to verify whether information can flow from one subject/object to another subject/object during the system state transitions. For instance, a subject with , , and cannot send messages directly to a subject with , , and , but it can indirectly achieve its goal by forwarding through a subject with , , and .

In our model, the secrecy submodel is the dual of the integrity submodel. Their policy analysis problems are equivalent and can be transformed into each other. A conversion method is as follows: given an integrity tag , for each subject/object , we use the notation : to denote its integrity level on , where denotes whether ’s level involves , denotes whether has the capability of adding to its own integrity level, and denotes whether has the capability of deleting from its own integrity level. We can give its dual form of secrecy level on : . Similarly, if we let : be ’s integrity level on , then we have : as ’s secrecy level on . By enumerating all possible cases, we can determine that the integrity constraint of and and the secrecy constraint of and have the same effect on communication. Therefore, in order to simplify the analysis, we only consider the constraints of secrecy protection on the information flow.
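Because the concrete notation of the conversion is elided above, the following sketch checks one consistent instantiation of the duality by exhaustive enumeration: a per-tag state is a triple (has, may add, may delete), and the dual negates membership and swaps the two capabilities. The triple layout and rule names are assumptions.

```python
from itertools import product

def dual(level):
    """Integrity triple -> secrecy triple: negate membership and swap the
    add/delete capabilities."""
    has, add, dele = level
    return (not has, dele, add)

def integrity_ok(src, dst):
    """Flow a->b: an integrity tag held by b must be held by a, or b must
    be able to drop it."""
    return (not dst[0]) or src[0] or dst[2]

def secrecy_ok(src, dst):
    """Flow a->b: a secrecy tag carried by a must be held by b, or b must
    be able to add it."""
    return (not src[0]) or dst[0] or dst[1]

# Exhaustive check over all 8 x 8 sender/receiver triples.
triples = list(product([False, True], repeat=3))
assert all(integrity_ok(a, b) == secrecy_ok(dual(a), dual(b))
           for a, b in product(triples, repeat=2))
print("duality holds for all 64 cases")
```

Under these rules, the enumeration confirms that the integrity constraint and the dualized secrecy constraint permit exactly the same communications, which is the step the paper performs "by enumerating all possible cases."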

Moreover, two aspects can simplify the analysis. Firstly, it is easy to determine that the remaining part of a legal path after deleting all the object-type nodes is still a legal path, because an object’s capability is empty. For instance, if a path is legal, where are subjects and is an object, then is legal. So, we need not consider objects as nodes in a legal path. Secondly, in terms of Definition 3, a new-born subject’s capabilities are a subset of its parent subject’s capabilities, while its secrecy/integrity levels are lower than its parent’s. That is, any legal path remains legal if we replace some subject node with that subject’s parent. So we need not consider the generation of new subjects.

To facilitate its description, an EILCM system instance is a 9-tuple , where denotes the set of all the users, denotes the set of all the objects, denotes the set of all the secrecy (export) protection tags, and denotes the set of all the integrity (import) protection tags. Let ; then maps each subject/object onto its secrecy level, maps each subject/object onto its integrity level, maps each subject/object onto its capabilities, is the set of mutually exclusive tag constraints, and maps each object onto its “capability” attribute. According to the analysis of the objects’ influence, our policy verification ignores new process generation, objects occurring in the path, and integrity protection. Therefore, can be simplified to . Next, we define the problem of policy verification for EILCM systems.

Definition 9. (policy verification problem of EILCM systems). Given an EILCM system instance , for , we say that can reach if and only if there is a path , where , , , , and the information can legally flow in terms of the requirements of EILCM. Let be the initial secrecy level of before the query. Let be the secrecy level of just when has received the information from . Let be the secrecy level of when is sending the information to . That is, the path needs to satisfy two constraints: (1) information flow constraints: , ; , ; (2) level adjusting constraints: , , .
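Since several symbols of Definition 9 are elided, the following is only a hedged sketch of the legality check along a fixed candidate path. It assumes that a node may receive a tag it already holds or may add or delete, that contamination is implicit, and that each node greedily deletes every deletable tag, the same greedy assumption used later in the proof of Theorem 2.

```python
def path_legal(path, S, C, R):
    """Greedy legality check for a candidate path v1..vk.
    S: subject -> secrecy level (set of tags); C: subject -> capability
    set ("t+" may add t, "t-" may delete t); R: list of mutually
    exclusive tag sets (the constraint set of the model)."""
    taint = {t for t in S[path[0]] if t + "-" not in C[path[0]]}
    for v in path[1:]:
        # information flow constraint: v must be able to hold every tag
        if not all(t in S[v] or t + "+" in C[v] or t + "-" in C[v]
                   for t in taint):
            return False
        level = set(S[v]) | taint                          # implicit contamination
        level = {t for t in level if t + "-" not in C[v]}  # greedy delete
        if any(ex <= level for ex in R):                   # exclusion constraint
            return False
        taint = level
    return True

S = {"a": {"d"}, "m": set(), "b": set()}
C = {"a": set(), "m": {"d-"}, "b": set()}
print(path_legal(["a", "b"], S, C, []))       # False: b cannot hold d
print(path_legal(["a", "m", "b"], S, C, []))  # True: m declassifies d
```

The example mirrors the forwarding scenario above: a cannot reach b directly, but a path through the declassifier m is legal.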
The problem of reachability analysis is a decision problem. We use the notation to represent the instance of judging whether can reach in an EILCM system . Next, we use the reduction method to analyze the complexity of this problem. The problem we reduce from is the monotone 3SAT problem defined below:

Definition 10. (monotone 3SAT). Given a set of Boolean variables and a collection of clauses over , each having and containing either all positive variables or all negative variables, is there a satisfying truth assignment on for ? This problem is notated as . Monotone 3SAT is a special case of 3SAT.

Theorem 2. The problem of policy verifications of EILCM system is NP-complete.

Proof. We first reduce monotone 3SAT to the problem in polynomial time, that is, MSAT QEILCM. Given a monotone 3SAT instance , assume and , where each clause and each clause . We produce the corresponding QEILCM instance , as follows.
Constructing the tags: for each clause , , we introduce a secrecy protection tag into . For each clause , , we introduce three secrecy protection tags .
Constructing the first part of subject: for each Boolean variable , , we introduce a subject into with its initial secrecy level and its capabilities . Then, for each clause , let , , ; for each clause , let , where .
Constructing the second part of subject: for each clause , , we introduce three subjects: into , let each subject’s secrecy level , and let each subject’s capabilities .
Constructing , , and : let . Let . Let .
Clearly the construction process can be finished in polynomial time. Next, we prove that is true if and only if is true.
Equivalence of the two problems: in problem , if there exists a truth assignment to the variables such that formula is satisfiable, let set be the set of variables assigned true. Then, in problem , we can prove that the path is legal, where , , denotes choosing as the current node one subject from the subjects that can legally forward the information from the previous node. Here, we can reasonably assume that each node in the path deletes every tag it has the right to delete from its current level when it receives the information from the previous node, that is, . Now, since each clause is true, , includes at least one variable of . Therefore, corresponding to each tag in ’s levels, , there is at least one subject of that can delete from its own contaminated level when the information flow from passes along the path . And since is true, includes at most two variables of . Correspondingly, for each group of tags , , after the information flow passes along the path , includes at most two tags of this group. This means that the path can delete all the tags that are bound to the information level and contaminated by . Therefore, if the formula is satisfiable, can reach .
For the “only if” part, assume that there exists a legal path , where . We first simplify the path. Let the node be the first one whose does not include the tags , . According to our transformation, for each where , we have , that is, another form of the path is . Moreover, it is easy to determine that the path remains legal after deleting an arbitrary node where and , and we use to denote the remainder of the path. From the path, we pick the subjects that belong to to constitute set . The variables in that correspond to the users in constitute the set . If the variables in are assigned true and the variables in are assigned false, we can prove that is true. In fact, for each tag involved in ’s levels, there must be at least one subject that has the capability to delete from its own level. Correspondingly, for each , involves at least one of . Meanwhile, for each , it is impossible that simultaneously involves ; otherwise, before the information that comes from and flows down the path arrives at , the information would have been contaminated by simultaneously, that is, . However, according to our transformation, no subject among has the capability to delete all three tags simultaneously, so the path does not exist, which contradicts our assumption; hence each holds. Therefore, if can reach , then formula is satisfiable. Thus MSAT QEILCM, that is, QEILCM is NP-hard.
Next, we show that QEILCM is in NP. Given an instance with a solution in the form of a path, a verification algorithm can check the answer in linear time , where is the length of the path. Therefore, the problem of policy verification for EILCM systems is NP-complete.
Theorem 2 shows that, in the worst case, the policy verification problem of EILCM systems cannot be solved in polynomial time (unless P = NP). It reflects that the EILCM policy, with its rich expressive ability, can provide management solutions for complex fine-grained information flow control. The high complexity of EILCM is attributed to the mechanisms of decentralized declassification and taint tracking. According to this conclusion, the worst-case complexity of any verification algorithm is exponential, and a good verification algorithm should solve most EILCM instances quickly, with only a few instances requiring a long time. With some search optimization strategies, the backtracking algorithm can guarantee low computational overhead in most cases.

4.2. Algorithms for QEILCM

The backtracking algorithm searches for a solution in the tree of candidate solutions; it starts from the root node and does not search any subtree that cannot contain a solution. The search is thus systematic yet able to skip fruitless branches. In our problem, if is the source node and is the destination node, then is regarded as the root node, the leaf nodes are the subjects that can send information to , and the middle nodes are the subjects that can receive information from their parent nodes. Therefore, a path from the root node to a leaf node is an information flow path from to . The tree is an arrangement of subjects. In our algorithm, the variable records the currently searched path, and records its length. The backtracking function recursively searches all possible paths depth-first.

We adopt two policies to decrease the search space. First, we introduce a pruning function to prune any subtree, rooted at , that cannot contain a solution. That is, if the node has a tag in its levels that no subject in its extending subtree has the capability to delete, the function returns 0. The pruning function avoids ineffective search. In order to decrease the amount of computation, we introduce the integer array , with each item corresponding to a tag and recording the number of subjects that are not in the current path and have the capability to delete that tag. Each recursion only performs an incremental update rather than recomputing from scratch. Second, we adjust the search order and preferentially search the subjects that have greater benefit and smaller expense, which efficiently selects the next node to extend. We define a subject ’s priority , where is the number of tags it has no capability to delete from its levels, that is, , and is the size of . The priority considers the influence of the subject ’s contamination (expense) and its tag-deleting capabilities (benefit). In the preprocessing stage, the function arranges the search order from subjects with small priority values to subjects with large ones. Algorithm 1 is as follows.

Input: array SUB: each item records a subject’s levels and capabilities; n: sum of the subjects; ME: set of mutually exclusive tags constraints; s: source subject; t: destination subject.
Output: if s can reach t, then print the path; else print “unreachable.”
QEILCM (s, t)
{
    Sort(SUB); Init(delcnt);
    curpath[0] = s; pathlen = 1;
    if Backtrack(1, s, curpath, pathlen)
    then PrintPath(curpath, pathlen);
    else print “unreachable”; }
Backtrack (depth, u, curpath, pathlen)
{ if depth > n return 0;
    if CanSend(u, t) and Check(u, t, ME) return 1;
    if Prune(u, delcnt) == 0 return 0;
    for each subject v in SUB, in sorted order
    { if v is in curpath continue;
        if not (CanSend(u, v) and Check(u, v, ME))
            continue;
        curpath[pathlen] = v;
        pathlen = pathlen + 1; Dec(delcnt, v);
        if Backtrack(depth + 1, v, curpath, pathlen) return 1;
        pathlen = pathlen - 1; Inc(delcnt, v);
        remove v from curpath; }
    return 0; }

In our algorithm, the function CanSend judges whether subject1 can send information to subject2. The function Check judges whether subject2’s level change would violate the mutually exclusive tags constraints if subject1 sent information to subject2; moreover, it stores subject2’s newly adjusted levels once the information has been sent. The functions Inc and Dec, respectively, add 1 to or subtract 1 from the value of each item of delcnt whose corresponding tag the node has the ability to delete. The algorithm’s worst-case computational complexity is exponential in the number of subjects. Nevertheless, because the sender’s level and the receiver’s level must satisfy a partial-order relation, in practice the algorithm usually obtains the answer in a much shorter time, as the following experiments demonstrate.
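The control flow above can be sketched in executable form as follows. This is a much-simplified, illustrative Python rendering, not the paper’s implementation: the names (can_send, CAN_ADD, CAN_REMOVE) are assumptions, the pruning function and priority ordering are omitted, and the DIFC rule is reduced to “u can send to v iff v can raise its levels to cover u’s, and receipt contaminates v with u’s tags except those v can delete.”

```python
# Simplified sketch of the backtracking search (illustrative names).
def can_send(u, v, levels):
    # v can receive from u iff v can raise its levels to cover u's levels.
    return levels[u] <= (levels[v] | CAN_ADD[v])

def search(src, dst, subjects, levels):
    path = [src]
    def backtrack(u):
        # Success: the current node can send directly to the destination.
        if u != dst and can_send(u, dst, levels):
            path.append(dst)
            return True
        for v in subjects:
            if v in path or v == dst or not can_send(u, v, levels):
                continue
            saved = levels[v]
            # Implicit label change: v is contaminated by u's tags,
            # except those v has the capability to delete.
            levels[v] = (levels[v] | levels[u]) - CAN_REMOVE[v]
            path.append(v)
            if backtrack(v):
                return True
            path.pop()           # backtrack: undo the label change
            levels[v] = saved
        return False
    return path if backtrack(src) else None

# Toy instance: d cannot add "secret", so s cannot reach d directly,
# but m can add it and then declassify it, yielding the path s -> m -> d.
CAN_ADD = {"s": set(), "m": {"secret"}, "d": set()}
CAN_REMOVE = {"s": set(), "m": {"secret"}, "d": set()}
levels = {"s": {"secret"}, "m": set(), "d": set()}
print(search("s", "d", ["s", "m", "d"], levels))  # ['s', 'm', 'd']
```

The exhaustive enumeration with undo-on-backtrack mirrors Algorithm 1; the real algorithm additionally prunes with delcnt and orders candidates by priority.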

In order to validate the QEILCM algorithm, we first create a test data generator. It performs as follows: given the sums of subjects and tags, for each tag and each subject, whether the subject’s levels include the tag is decided by a uniform random choice, and the subject’s capabilities concerning the tag are decided by a random choice from {0, 1, …, 5}, in which 0, 1, 2, and the other values, respectively, denote the following capabilities: adding the tag, subtracting the tag, both adding and subtracting the tag, and no capability. We implement the QEILCM algorithm using Visual C++. Our experiments are run on Windows Server 2003 with an Intel Pentium 4 2.8 GHz CPU and 2 GB of memory.
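The generator can be sketched as follows; this is an illustration of the stated sampling scheme, not the paper’s Visual C++ implementation, and the field names are assumptions.

```python
# Sketch of the random test-data generator: for each (subject, tag) pair,
# level membership is a coin flip and the capability code is drawn from
# {0,...,5} (0 = add, 1 = remove, 2 = both, 3-5 = none).
import random

def generate(num_subjects, num_tags, seed=0):
    rng = random.Random(seed)
    subjects = []
    for _ in range(num_subjects):
        levels, can_add, can_remove = set(), set(), set()
        for t in range(num_tags):
            if rng.random() < 0.5:      # coin flip: tag in levels?
                levels.add(t)
            c = rng.randrange(6)        # capability code for this tag
            if c in (0, 2):
                can_add.add(t)
            if c in (1, 2):
                can_remove.add(t)
        subjects.append({"levels": levels, "add": can_add, "remove": can_remove})
    return subjects

subs = generate(4, 3)
print(len(subs))  # 4
```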

Firstly, we present our results on the algorithm’s performance under different parameter values. The parameters are the subject sum, the tag sum, and the size of the mutually exclusive set. For each group of constant parameter values, the test is repeated 20 times. The evaluation indices are the average runtime and average path length in the cases where a path exists, the average runtime in the cases where no path exists, the number of successful runs, the number of unsuccessful runs, and the number of runs (N/A) in which no result is produced within 30 minutes. The results are shown in Table 2.

Table 2 shows that although the algorithm’s worst-case complexity is exponential, it obtains answers in most cases. If the tag sum and the size of the mutually exclusive set are held constant, the runtime does not grow in proportion to the subject sum and sometimes shows no distinct change at all, possibly because the scale of the arrangement tree does not increase in proportion to the subject sum under the partial-order constraints on levels between subjects. If the subject sum is held constant, the runtime decreases remarkably as the tag sum increases, because the subjects’ levels are generated randomly and the probability that a pair of subjects’ levels satisfies the partial-order relation decreases when the tag sum is bigger. If the subject sum and the tag sum are held constant, the success rate decreases appreciably as the size of the mutually exclusive set increases, while the runtime shows no distinct change.

Secondly, we present our results on how the pruning and sorting functions influence algorithm performance. Fixing the size of the mutually exclusive set at 2, for different combinations of subject sum and tag sum, we run eight tests to compare the runtime when using these functions with the runtime when not using them. As shown in Figure 3, the pruning and sorting functions improve the search efficiency remarkably.
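The search-order heuristic behind the sorting function can be illustrated with a small sketch. The exact priority formula is reconstructed here as a lexicographic pair, and the data model (`levels`, `can_remove`) is an assumption, since the paper does not fix these details in this section.

```python
# Sketch of the priority-based search ordering: extend cheap, useful
# subjects first. All names and the tuple form of the priority are
# illustrative assumptions.
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    levels: set = field(default_factory=set)
    can_remove: set = field(default_factory=set)

def priority(s: Subject) -> tuple:
    # Expense: tags in the subject's levels it cannot delete (it stays
    # contaminated by them). Secondary key: a smaller level set is
    # cheaper for other subjects to cover.
    sticky = len(s.levels - s.can_remove)
    return (sticky, len(s.levels))

def order_subjects(subjects):
    # Ascending priority: low-expense subjects are extended first.
    return sorted(subjects, key=priority)

a = Subject("a", levels={"t1"}, can_remove={"t1", "t2"})
b = Subject("b", levels={"t1", "t2"}, can_remove=set())
print([s.name for s in order_subjects([b, a])])  # ['a', 'b']
```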

Information flow models can effectively control information propagation to protect the secrecy and integrity of the operating system. The traditional one-directional information flow model is too rigid for practical use, so much work adopts the technique of taint tracking to capture a more precise characterization of information flow. IX [39], an experimental MLS variant of Unix, has a “drop-on-exec” feature, in which a process’s label rises to cover the labels of the code it executes and the data it reads. For integrity protection, the Low-Water Mark policy of the Biba model permits subjects to “read down” objects but adjusts the current level of a subject to the lowest level of any object it has read. LOMAC [40] is a dynamically loadable extension for COTS Linux kernels based on the Low-Water Mark model. UMIP [41] uses only high and low integrity levels to preserve system integrity in the face of network-based attacks: a high-integrity process may drop its integrity to low when it receives remote network traffic, and a low-integrity subject cannot perform key operations. IFEDAC [42] improves UMIP to provide strong user separation; the integrity labels of a subject are the set of IDs of the users who have contaminated the subject, and a process’s integrity level is contaminated by the objects it executes or reads. In IFEDAC, each object has read/write/manage protect classes, which are the sets of users authorized to read/write/manage it and which originate from the system’s DAC policy; a subject can read/write/manage an object only when its level is no less than the object’s corresponding protect class. Mao et al. [42] developed several techniques to automate the generation of low-level policies of the taint-tracking model from data contained in software package managers and from logs that capture normal usage of these systems.
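As a minimal illustration of the Low-Water Mark rule mentioned above (a sketch of the Biba rule itself, not LOMAC’s actual implementation):

```python
# Biba Low-Water Mark: a subject may read down, but its current
# integrity level drops to the minimum of its level and the object's.
def read(subject_level: int, object_level: int) -> int:
    # Returns the subject's new integrity level after the read.
    return min(subject_level, object_level)

lvl = 3              # high-integrity process
lvl = read(lvl, 1)   # reads a low-integrity object
print(lvl)           # 1 -- the process is now low integrity
```

The one-directional drop is what makes the policy safe but rigid: a contaminated process can never regain integrity, which is precisely the inflexibility the taint-tracking variants above try to soften.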
However, these studies do not address the covert channel problem in implicit label change models, and some of them might not uphold noninterference.

Meanwhile, specifying and managing information flow model policies is a challenging problem, and much work has developed verification techniques for access control policies. Such analysis has been studied thoroughly for traditional access control models. In their landmark paper, Harrison et al. [43] first showed that, in general, the safety analysis problem in the access control matrix model is undecidable. Jha et al. [44] proved that the security analysis problems in the ARBAC97 model are PSPACE-complete and that a number of special cases of the problems are NP-complete. When it comes to policy verification for information flow models, Chaudhuri et al. [23] presented a logic-programming language and tool, called EON, to model and analyze the dynamic access control models of the Asbestos and Windows Vista systems; query evaluation in EON can be reduced to decidable query satisfiability in a fragment of Datalog. Harris et al. [24] presented an abstraction method that allows a model checker to soundly verify policies for DIFC programs that manipulate potentially unbounded sets of processes, principals, and communication channels. Harris et al. [20] also presented a technique that automatically turns a DIFC-unaware application with information flow requirements into a Flume application. Guttman et al. [45] presented a systematic way, based on model checking, to determine the information flow security properties of SELinux systems. Hicks et al. [46] modeled the SELinux MLS model using a logical specification and implemented that specification in the Prolog language. Nevertheless, few of these studies analyze the computational complexity of information flow policy verification.

6. Conclusions and Future Work

Aiming at the vulnerabilities and potential security risks of mobile operating systems, this paper proposes a flexible, dynamic, fine-grained security model that can effectively protect private data in untrusted operating system environments. In particular, our model closes the known covert channels because EILCM treats a potential information flow as an actual information flow, thereby expanding the semantics of information propagation. Through mutually exclusive tags constraints, it also resolves the conflict between users’ sharing of common software and authorization constraints for separation of duty or least privilege.

We formally analyze its safety in two ways. Firstly, in terms of Ryan and Schneider’s definition of noninterference [26], we verify that a known covert channel in the traditional implicit label change models does not exist in EILCM. Secondly, we use an automated checker to prove that abstract EILCM systems have the security property of noninterference with declassification, based on our definition of noninterference with declassification in a standard CSP-oriented specification.

We prove that the problem of EILCM policy verification is NP-complete by reducing the 3SAT problem to it. We also present a backtrack-based search algorithm to solve the problem, and experiments show that the algorithm is effective. Owing to the partial similarity between EILCM and Flume, this conclusion also reflects, to some extent, the computational complexity of the Flume policy verification problem.

In the future, we plan to use our analysis method to verify the safety of other relevant models.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the National Natural Science Foundation of China under grant nos. 61972040 and 62176265, the Premium Funding Project for Academic Human Resources Development in Beijing Union University under grant no. BPHR2020AZ03, and the National Key R&D Program of China under grant no. 2018YFB0803603.