Secure information flow connections

Denning's lattice model provided secure information flow analyses with an intuitive mathematical foundation: the lattice ordering determines permitted flows. We propose a connection-based extension of this framework that permits two autonomous organisations, each employing possibly quite different security lattices, to exchange information while maintaining security of information flow as well as their autonomy in formulating and maintaining security policies. Our prescriptive framework is based on the rigorous mathematical framework of Lagois connections proposed by Melton, together with a simple type system and operational model for transferring object data between the two domains. The merit of this formulation is that it is simple, minimal, adaptable and intuitive. We show that our framework is semantically sound, by proving that the connections proposed preserve standard correctness notions such as noninterference. We then illustrate via examples how Lagois theory also provides a robust framework and methodology for negotiating and maintaining secure agreements on information flow between autonomous organisations, even when either or both organisations change their security lattices. Composition and decomposition properties indicate support for a modular approach to secure flow frameworks in complex organisations. Finally, a natural and conservative extension of the Decentralised Labels Model of Myers et al. shows the applicability of the framework — a Lagois connection between the hierarchies of principals in two organisations naturally induces a Lagois connection between the corresponding security label lattices, thus extending the security guarantees ensured by the decentralised model to encompass bidirectional interorganisational flows.