On Reductions from Multi-Domain Noninterference to the Two-Level Case

TL;DR

This paper investigates how multi-domain noninterference security policies can be effectively reduced to two-domain cases, comparing different partitioning methods and highlighting the robustness of cut-based reductions.

Contribution

It introduces and analyzes cut-based partitionings for reducing multi-domain security policies to two-domain cases, showing their advantages over traditional Low-down and High-up methods.

Findings

Low-down reduction is weaker than cut-based and High-up reductions.

High-up reduction can be equivalent to cut-based reduction in some cases.

Cut-based partitioning offers a more robust approach for policy reduction.

Abstract

The literature on information flow security with respect to transitive policies has been concentrated largely on the case of policies with two security domains, High and Low, because of a presumption that more general policies can be reduced to this two-domain case. The details of the reduction have not been the subject of careful study, however. Many works in the literature use a reduction based on a quantification over "Low-down" partitionings of domains into those below and those not below a given domain in the information flow order. A few use "High-up" partitionings of domains into those above and those not above a given domain. Our paper argues that more general "cut" partitionings are also appropriate, and studies the relationships between the resulting multi-domain notions of security when the basic notion for the two-domain case to which we reduce is either Nondeducibility on Inputs or Generalized Noninterference. The Low-down reduction is shown to be weaker than the others, and while the High-up reduction is sometimes equivalent to the cut reduction, both it and the Low-down reduction may have an undesirable property of non-monotonicity with respect to a natural ordering on policies. These results suggest that the cut-based partitioning yields a more robust general approach for reduction to the two-domain case.