A New Definition of Multilevel Security
Authors: Riccardo Focardi, Roberto Gorrieri, Roberto Segala
Appears: Proceedings of the Workshop on Issues in the Theory of Security (WITS), Geneve, Switzerland, July 2000.
Abstract: Multilevel security has played an important role in the literature because even such a simple requirement turns out to be very complicated and subtle from the definitional point of view. In the simplest formulation of multilevel security we start with users that can be in one of two levels, either high or low, and we impose that there must be no information flow from users at the high level to users at the low level.
Most of the definitions proposed in the literature aim at restricting the set of behaviors of a system so that no low level user can observe any of the operations performed at the high level. The main problem with such an approach is that the link between the definitions and the fact that there is no information flow from high to low is not always clear or easy to establish.
In this paper we propose a reversed approach to the definitional problem of multilevel security. Specifically, we start with the objects that we want to rule out, i.e., covert channels, and we say that an object or a collection of objects guarantees multilevel security if it cannot be used to implement the covert channels.
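As an added illustration that is not part of the paper (whose own definition is stated in terms of covert channels, not the check below), the classical "low users cannot observe high operations" approach the abstract contrasts against can be made concrete as Goguen-Meseguer noninterference on a toy two-level state machine: high actions are purged from a trace and the low-level observations must not change. The state variables, commands and the two example machines are constructed assumptions.

```python
import itertools
from typing import Callable, Dict, List, Tuple

HIGH, LOW = "high", "low"
State = Dict[str, int]
Action = Tuple[str, str]            # (level, command), e.g. ("high", "set1")
Step = Callable[[State, Action], State]

# Constructed alphabet: one high command and two low commands.
ALPHABET: List[Action] = [(HIGH, "set1"), (LOW, "set0"), (LOW, "read")]

def run(step: Step, trace: List[Action]) -> List[int]:
    """Execute a trace from the initial state and return the value of the
    low-observable variable 'shared' after every LOW action."""
    state: State = {"shared": 0, "private": 0}
    observations = []
    for act in trace:
        state = step(state, act)
        if act[0] == LOW:
            observations.append(state["shared"])
    return observations

def purge(trace: List[Action]) -> List[Action]:
    """Remove every high-level action from a trace."""
    return [a for a in trace if a[0] == LOW]

def leaky_step(s: State, act: Action) -> State:
    """High writes a variable that low can read: a covert channel."""
    s = dict(s)
    if act == (HIGH, "set1"):
        s["shared"] = 1
    elif act == (LOW, "set0"):
        s["shared"] = 0
    return s

def safe_step(s: State, act: Action) -> State:
    """High writes only to state that low never observes."""
    s = dict(s)
    if act == (HIGH, "set1"):
        s["private"] = 1
    elif act == (LOW, "set0"):
        s["shared"] = 0
    return s

def noninterfering(step: Step, alphabet: List[Action], max_len: int = 3) -> bool:
    """Exhaustively check all traces up to max_len: the low observations of
    each trace must equal those of the same trace with high actions purged."""
    for n in range(1, max_len + 1):
        for trace in itertools.product(alphabet, repeat=n):
            if run(step, list(trace)) != run(step, purge(list(trace))):
                return False
    return True
```

The leaky machine fails on the trace `[(HIGH, "set1"), (LOW, "read")]`, which low observes as `[1]` but whose purged form observes `[0]`; the safe machine passes for every bounded trace.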