8.6 Summary

Noninterference is an alternative formulation of security policy models. It asserts that a strict separation of subjects requires that all channels, not merely those designed to transmit information, must be closed. The various definitions of noninterference, generalized noninterference, nondeducibility, and restrictiveness are attempts to determine under what conditions different systems with the same security policy can be composed to produce a secure system.

When policies of component systems differ, the issue becomes one of reconciling policies or establishing a systemwide definition of "security" and then demonstrating that the composition meets the definition. The composite system should reflect the principles of security and autonomy. Although establishing whether a particular action is to be allowed is easy, optimizing the checking of accesses is not. Reconciling disparate policies also can be a complex matter, involving technical analysis and politics to determine what the managers of the autonomous components will allow.