
Chapter 8. Noninterference and Policy Composition


GONERIL: Combine together 'gainst the enemy,
For those domestic poor particulars
Are not to question here.

The Tragedy of King Lear, V, i, 29–31.

Organizations usually have multiple policy-making units. If two different branches of an organization have conflicting policy needs, or even different policy needs, what policy should the organization as a whole adopt? If one of the policies requires six levels of security, and another three, how can they be composed into a coherent whole—or can they? The answers to these general questions come from information flow models that abstract the essence of security policies. Introduced in 1982, these models focus on each process's view of the system to ensure that no high-level information is visible to, or can be deduced by, a low-level process. We begin by reviewing the problem and introducing the notions of noninterference and unwinding. We then expand with variations of noninterference called "nondeducibility" and "restrictiveness." We conclude by studying the composition of security policies using these models.

