Assumptions:
the attacker can see constants and all low security variables
the attacker can see the program and its control flow
the attacker cannot see nontermination or abort
Observational Equivalence for Security: as far as the attacker can see, if the starting program states are the same, the states after program execution must also be the same.
We write \Sigma \models \omega_1 \approx_L \omega_2 when two states \omega_1 and \omega_2 are observationally equivalent at level L with respect to the security policy \Sigma.
Noninterference: high security variables should not affect low security variables.
The above definition relies on a deterministic language. "In a nondeterministic language we would need to compare sets of possible low-observable (when observing only at low-security level) outcomes, not just a single run from each initial state. Noninterference also does not talk about the case where there is no final state, which is why this condition is called termination-insensitive noninterference."
Note that y := (x - x) + 1 satisfies noninterference (y is always 1, whatever the high value of x), yet the type system rejects it because a high variable flows into a low one. The proposed type system is therefore incomplete: static type systems often have to make sound (and decidable) approximations of semantic properties that are often undecidable.
The typing rules are sound but not complete. We prove soundness in one direction only, \Sigma \vdash \alpha \ \text{secure} \implies \Sigma \models \alpha \ \text{secure} (a well-typed program is noninterfering); the converse fails, as the example above shows.
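As an added worked example (not part of these notes), the following Python models a tiny imperative language with a two-level policy \Sigma, checks termination-insensitive noninterference semantically by enumerating pairs of low-equivalent initial states, and runs a pc-based information-flow type checker; the AST encoding, the value domain (0, 1, 2) and the helper names are assumptions. It shows that y := (x - x) + 1 passes the semantic check but is rejected by the type system, while an implicit flow through a conditional fails both.

```python
import itertools

LEVELS = {"L": 0, "H": 1}                      # two-point lattice, L < H
def join(a, b):
    return a if LEVELS[a] >= LEVELS[b] else b
def eval_expr(e, s):
    # expressions (assumed encoding): int literal | variable name | ("op", "+"|"-", e1, e2)
    if isinstance(e, int): return e
    if isinstance(e, str): return s[e]
    _, op, a, b = e
    x, y = eval_expr(a, s), eval_expr(b, s)
    return x + y if op == "+" else x - y
def run(c, s):
    # statements (assumed encoding): ("assign", x, e) | ("seq", [c1, ...]) | ("if", e, c1, c2)
    s = dict(s)
    if c[0] == "assign": s[c[1]] = eval_expr(c[2], s)
    elif c[0] == "seq":
        for st in c[1]: s = run(st, s)
    else: s = run(c[2] if eval_expr(c[1], s) != 0 else c[3], s)
    return s
def low_view(s, sigma):                        # what an L-level attacker can observe
    return {x: v for x, v in s.items() if sigma[x] == "L"}

def noninterfering(c, sigma, values=(0, 1, 2)):
    """Termination-insensitive noninterference by exhaustive enumeration: every pair of
    initial states with equal low views (Sigma |= w1 ~L w2) must end with equal low views."""
    names = sorted(sigma)
    states = [dict(zip(names, vs)) for vs in itertools.product(values, repeat=len(names))]
    for s1, s2 in itertools.product(states, repeat=2):
        if low_view(s1, sigma) == low_view(s2, sigma):
            if low_view(run(c, s1), sigma) != low_view(run(c, s2), sigma):
                return False
    return True

def expr_level(e, sigma):
    if isinstance(e, int): return "L"          # constants are attacker-visible
    if isinstance(e, str): return sigma[e]
    return join(expr_level(e[2], sigma), expr_level(e[3], sigma))
def well_typed(c, sigma, pc="L"):
    """Sound but incomplete static check: x := e is allowed iff join(level(e), pc) <= Sigma(x);
    pc is raised to the guard's level inside a conditional to catch implicit flows."""
    if c[0] == "assign":
        return LEVELS[join(expr_level(c[2], sigma), pc)] <= LEVELS[sigma[c[1]]]
    if c[0] == "seq": return all(well_typed(st, sigma, pc) for st in c[1])
    pc2 = join(pc, expr_level(c[1], sigma))
    return well_typed(c[2], sigma, pc2) and well_typed(c[3], sigma, pc2)

SIGMA = {"x": "H", "y": "L"}                   # x is secret, y is public
LEAK = ("if", "x", ("assign", "y", 1), ("assign", "y", 0))       # implicit flow x -> y
SAFE = ("assign", "y", ("op", "+", ("op", "-", "x", "x"), 1))    # y := (x - x) + 1
```

Running `noninterfering(SAFE, SIGMA)` returns True while `well_typed(SAFE, SIGMA)` returns False, which is exactly the incompleteness discussed above.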
To prove confidentiality, we prove
where Q = \bigwedge_{\Sigma(x) = L} (x = x') states that every low security variable agrees between the two states. This can be done by finding \text{wlp}:
Confidentiality: no information flow from high security variables to low security variables.
Integrity: no information flow from low security variables to high security variables.