D.E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
....A s item. Consequently, it is necessary to guarantee that nothing bad happens within the check routines. The bad things which may happen refer to the presence of information flow from inside the check routine to another party. This should include information flow through hidden channels [26], which is particularly difficult. In some contexts, it is even necessary to have information flow from inside to outside of the check routine. For example, if one item consists of electronic money, it is impossible to prevent double spending without online access to a bank. This means that the check ....
Denning, D. E. (1976) A lattice model of secure information flow. Communications of the ACM, 19, 236-243.
....a subject may only read objects with classification level no higher than its clearance, but may only write to objects with classification level no lower than its clearance. Information is always unidirectionally flowing from low classification source to high classification destination. Denning [18, 16, 17] first applied this idea to the control of information flow in high level programming languages through static analysis. Subsequent developments have been constantly reported [50] among which the work of Volpano and Smith [68, 64, 63, 55, 65, 56, 66, 67, 62, 53, 54] has recently attracted ....
Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976. Also available at http://www.cs.georgetown.edu/~denning/publications.html.
....[20] Suppose data, manipulated by a program, is partitioned into high (private) and low (public). According to noninterference, the program is secure iff high inputs do not interfere with low observable behavior of the system (low outputs, timing, etc.). Originating from early work of Denning [15, 17] and Cohen [13, 14] a large body of work has followed the noninterference based approach to confidentiality for various programming languages including [2, 22, 47, 49, 29, 6, 44, 45, 43, 12, 32, 46]. We follow this line of work in our definition of security for a language enriched with ....
D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
....and stack operations from overflowing [12]. While safety is not the same thing as security it is an essential foundation for the latter [13]. 2.2. Information flow control. Over the last 20 years an abundant body of work has been devoted to information flow control. Multilevel security policies [14], originally conceived for military applications, are based on the notion that all data is labeled with security levels and that principals may only access data for which they have security clearance. The objective being to guarantee non-interference, a property which, informally, means that the ....
Denning D. A lattice model of secure information flow. Communications of the ACM, 1976; 19(5):236-243.
....(JFlow) to the Java programming language. Information flow constraints are statically verified, so JFlow requires little run time overhead, and can enforce security policies that cannot be enforced by run time checks. Volpano, Smith, and Irvine [VSI96] formalized the lattice model of Denning [Den76, DD77] as a type system for an imperative language; Smith and Volpano [SV98] generalized this type system to concurrent systems. The SLam calculus [HR98] is an extension of the lambda calculus that tracks security information as well as type information; the security information allows ....
Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May
....here, although it is rarely considered by protocols developers. The problem of secure information flow within systems having different sensitivity levels has been recognized widely and studied extensively. The early work was by Bell and LaPadula [2] and it was extended by Denning's lattice model [5, 6]. Denning used a program certification, an efficient form of static analysis that could be incorporated into a compiler to verify secure information flow in programs. Liskov et al. [9] proposed a method of using labeled types to control information flows. The labeled type consisted of a regular type ....
D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-242, 1976.
....and in large systems it is almost certain to do so. The ability to modify policy to meet the changing needs of an organization is an important benefit of RBAC. Traditional access control models include mandatory access control (MAC) which we shall call lattice based access control (LBAC) here [Denning 1976; Sandhu 1993] and discretionary access control (DAC) [Lampson 1971; Sandhu and Samarati 1994; Sandhu and Samarati 1997]. Since the introduction of RBAC, several authors have discussed the relationship between RBAC and these traditional models [Sandhu 1996; Sandhu and Munawer 1998; Munawer 2000; ....
Denning, D. 1976. A lattice model of secure information flow. Communications of the ACM 19, 5, 236-243.
....e has the non-interference property with respect to H and L if, for all legal ; 0 ; 1 , for all =L equivalence classes S: 0 = H 1 ) X 0 2S [ e] 0 0 = X 0 2S [ e] 1 0 where H is the set complement of H. 4 An Information Flow Analysis Following Denning [2] we consider two classes of information flow: Explicit There are two kinds of explicit flow. Direct flows arise from variables involved in a simple assignment statement such as x : y z: Here there is an information flow from y and z to x. Indirect flows are transitive flows arising from sequences ....
D. Denning. A lattice model of secure information flow. In Communications of the ACM, pages 236-243. ACM, 1976.
....Flow Over the last 20 years an abundant body of work has been devoted to information flow control. Multilevel 1 Here, the notion of object is more general than in object oriented programming. In the security literature an object may be a datum, a file, a hardware device, etc. security policies [8] originally conceived for military applications are based on the notion that all data is labeled with security levels and that principals may only access data for which they have security clearance. The objective of information control techniques is to obtain a form of non-interference a ....
D. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
....array and stack operations from overflowing [45]. While safety is not security, these mechanisms are an essential foundation for language based security. 2.2 Information Flow. Over the last 20 years an abundant body of work has been devoted to information flow control. Multilevel security policies [8] originally conceived for military applications are based on the notion that all data is labeled with security levels and that principals may only access data for which they have security clearance. The objective of information control techniques is to obtain a form of non-interference a ....
D. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
....an applet to read local files or open network connections, but not both) are definitely beyond the scope of our framework, however. 27 8 Related work 8.1 Type systems for security The work most closely related to ours is the recent formulations of Denning's information flow approach to security [13, 14] as non standard type systems by Palsberg and Ørbæk [31], Volpano and Smith [41, 40] and Heintze and Riecke [20]. Abadi et al. [2] reformulate some of those type systems in terms of a more basic calculus of dependency. The main points of comparison with our work are listed below. Information ....
D. E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5):236-242, 1976.
No context found.
D.E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
No context found.
D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-243, May 1976.
No context found.
Dorothy Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-242, 1976.