Non Interference: Past, Present and Future

Security is a crucial property of system behaviour. It generally requires some kind of control over the information ow among parts of the system. In order to analyze these possible ows it has been introduced the Non-Interference (NI) property 7]. In particular NI was introduced to detect all the possible ows from a group of users to another one. A lot of research has been done about NI in the following years (e.g., see 7, 13, 11, 4, 5]) with the aims of generalizing NI to non deterministic systems, comparing diierent deenitions, automatically check some NI-like properties. One of the main motivation for NI was to limit, and possibly to avoid, the damages produced by malicious programs, called Trojan Horses, which try to broadcast secret information. In the classic approach of Discretionary Access Control security (DAC), a Trojan Horse program can easily attack the system by simply modifying the security properties of user's objects. In fact, in DAC we have that every subject (i.e., an active agent such as a user), decides the access properties of its objects (i.e., passive agents such as les). An example of DAC is the le management in Unix where a user can decide the access possibilities of her/his les. If a user's program is a Trojan Horse (the user could have get it by ftp) then it can make whatever it wants of the user's les. As a solution to this problem it could be possible to use a Mandatory Access Control (MAC for short), where some access rules are imposed by the system. An example of MAC is Multilevel Security 1]: every object is bounded to a security level, and so every subject is; information can ow from a certain object to a certain subject only if the level of the subject is greater than the level of the object. So a Trojan Horse, which operates at a certain level, has no way to downgrade information, and its action is restricted inside such a level. In general, Multilevel Security can be described through the following access rules: No Read Up (a subject cannot read data from an upper level object) and No Write Down (a subject cannot write data to a lower level object). However, these access rules are not enough. It could be possible to indirectly transmit information using some system side eeect. For example, if two levels { `high' andìow' { …