Brewer-Nash Scrutinised: Mechanised Checking of Policies featuring Write Revocation

TL;DR

This paper revisits and modernizes the Brewer-Nash security policy model, providing formal semantics, mechanized proofs, and a methodology for automated policy verification, especially focusing on write access revocation.

Contribution

It offers a modern operational semantics for Brewer-Nash, mechanizes all original theorems, and advances automated verification methods for complex security policies.

Findings

Full mechanisation of Brewer-Nash theorems using {log} and Coq.

Clarification of write access revocation semantics.

A step towards automated checking of complex security policies.

Abstract

This paper revisits the Brewer-Nash security policy model inspired by ethical Chinese Wall policies. We draw attention to the fact that write access can be revoked in the Brewer-Nash model. The semantics of write access were underspecified originally, leading to multiple interpretations for which we provide a modern operational semantics. We go on to modernise the analysis of information flow in the Brewer-Nash model, by adopting a more precise definition adapted from Kessler. For our modernised reformulation, we provide full mechanised coverage for all theorems proposed by Brewer & Nash. Most theorems are established automatically using the tool {log} with the exception of a theorem regarding information flow, which combines a lemma in {log} with a theorem mechanised in Coq. Having covered all theorems originally posed by Brewer-Nash, achieving modern precision and mechanisation, we propose this work as a step towards a methodology for automated checking of more complex security policy models.