Safety of mixed model access control in a multilevel system

Abstract

Information sharing can result in emergent behaviors that affect the safety properties associated with overt information flows. Secure cross-domain integration, involving the safety properties of both individual domains and the information dissemination across those domains, can result in leakage of information during the brokering of that information in an enterprise-level, multilevel secure (MLS) system using mixed model access control. Existing access control models do not address this problem. To address this gap, we developed a technique for building compositional models that combine both role-based access control and traditional MLS-based Bell-LaPadula models to provide for a high-assurance MLS system access controller. However, such compositional models introduce information rights proliferation during the specification of high-assurance security requirements and the security policy to provide for safety within the system. We addressed that problem with a technique that leverages RuleML to specify declassification policies for securing information exchange between different security levels of disparate access control models. The technique supports the tranquility principle allowing for desired information flows while not violating the overall security policy of the system. We demonstrated the technical feasibility of using both of these techniques, using as our example application cross-domain information sharing in conducting Maritime Domain Awareness operations.