
3.2.2 Information from Lattice Properties

Labels evaluate to domains from $\mathrm{Dom}_{\mathcal{L}}$, which are ordered as a lattice. For example, it can be inferred that data may always flow from an expression labelled with $\bot$ to an expression labelled with $x^\delta \sqcup y.f^\delta$ for any variable $y$, as the evaluation of $\bot$ is always the lowest element in $\mathrm{Dom}_{\mathcal{L}}$.

One can thus order labels by computing the lattice closure of $Q$. This is done syntactically by the rules in Figure 3.1 on the next page, which define an order and an equality judgement on labels. A judgement of the form $\ell_1 \sqsubseteq_Q \ell_2$ states that information may flow from $\ell_1$ to $\ell_2$, while $\ell_1 \equiv_Q \ell_2$ states that the two labels, though possibly syntactically different, must refer to the same security domain. Thus, they abstractly describe the operator $\leq_{\mathcal{L}}$ and equality for the domain set $\mathrm{Dom}_{\mathcal{L}}$.

The first row of rules translates the label pair information from $Q$ into a partial order that is reflexive, transitive, and antisymmetric. The second row of rules describes how the order relates to least upper bounds, exploiting basic lattice properties: every label is equal to or larger than the lowest element $\bot$ and equal to or smaller than the highest element $\top$. A least upper bound (join) of two labels is larger than each of the two labels. Also, the least upper bound operation is monotone with respect to the order. The third row of rules mirrors idempotence, commutativity, and associativity of the join operator.

Finally, the last two rules link label equality back to the order.

The following theorem states that the rules for label order and equality are sound with respect to their interpretation in satisfying program states.

Theorem 3.3 Given a constraint set $Q$, two labels $\ell_1$ and $\ell_2$ and a state $\sigma$ satisfying $Q$:

1. If $\ell_1 \sqsubseteq_Q \ell_2$, then $\llbracket \ell_1 \rrbracket^{\mathcal{L}}_{\sigma} \leq_{\mathcal{L}} \llbracket \ell_2 \rrbracket^{\mathcal{L}}_{\sigma}$.
2. If $\ell_1 \equiv_Q \ell_2$, then $\llbracket \ell_1 \rrbracket^{\mathcal{L}}_{\sigma} = \llbracket \ell_2 \rrbracket^{\mathcal{L}}_{\sigma}$.

PROOF By induction over the derivation of the label order and equality.

3.2.3 Constraint Sets as Program Predicates

In the type system, constraint sets are regarded as simple predicates over program states. I now define a syntactic implication relation for constraint sets, and show that this implication is indeed sound with respect to constraint set satisfiability.

Definition 3.4 A constraint set $Q$ implies another set $Q'$, written $Q \Rightarrow Q'$, if and only if

$$\forall (\ell_1, \ell_2) \in Q'.\ \ell_1 \sqsubseteq_Q \ell_2.$$

Lemma 3.5 If $\sigma \models_{\mathcal{L}} Q$ and $Q \Rightarrow Q'$, then $\sigma \models_{\mathcal{L}} Q'$.

PROOF The lemma follows directly from the definitions.


$$\frac{(\ell_1, \ell_2) \in Q}{\ell_1 \sqsubseteq_Q \ell_2} \qquad \frac{}{\ell \sqsubseteq_Q \ell} \qquad \frac{\ell_1 \sqsubseteq_Q \ell_2 \quad \ell_2 \sqsubseteq_Q \ell_3}{\ell_1 \sqsubseteq_Q \ell_3} \qquad \frac{\ell_1 \sqsubseteq_Q \ell_2 \quad \ell_2 \sqsubseteq_Q \ell_1}{\ell_1 \equiv_Q \ell_2}$$

$$\frac{}{\bot \sqsubseteq_Q \ell} \qquad \frac{}{\ell \sqsubseteq_Q \top} \qquad \frac{}{\ell \sqsubseteq_Q \ell \sqcup \ell'} \qquad \frac{\ell_1 \sqsubseteq_Q \ell_3 \quad \ell_2 \sqsubseteq_Q \ell_4}{\ell_1 \sqcup \ell_2 \sqsubseteq_Q \ell_3 \sqcup \ell_4}$$

$$\frac{}{\ell \equiv_Q \ell \sqcup \ell} \qquad \frac{}{\ell_1 \sqcup \ell_2 \equiv_Q \ell_2 \sqcup \ell_1} \qquad \frac{}{\ell_1 \sqcup (\ell_2 \sqcup \ell_3) \equiv_Q (\ell_1 \sqcup \ell_2) \sqcup \ell_3}$$

$$\frac{\ell_1 \equiv_Q \ell_2}{\ell_1 \sqsubseteq_Q \ell_2} \qquad \frac{\ell_1 \equiv_Q \ell_2}{\ell_2 \sqsubseteq_Q \ell_1}$$

Figure 3.1: Rules for label order and label equality with respect to a constraint set $Q$

3.2.4 Remarks on the Lattice Structure of Labels

The proof of Theorem 3.3 on the facing page justifies the soundness of the label order rules with respect to the domain lattice. While this is sufficient to show the correctness of the type system, I will now elaborate on the relation between the statically inferred label order, the denotational semantics of labels and the domain lattice $\mathcal{L}$ in order to clarify what is actually described by a constraint set $Q$.

We observe that

$$\mathcal{L}_Q = (\mathrm{Lab}, \sqsubseteq_Q, \sqcup, \top, \bot)$$

forms a bounded join-semilattice over the set of labels, where labels related by $\equiv_Q$ denote the same point in the lattice. This is the case because $\sqsubseteq_Q$ is a partial order (it is reflexive, transitive, and antisymmetric), $\top$ and $\bot$ are the top and bottom element of $\mathrm{Lab}$, and for any two label classes $\ell_1$ and $\ell_2$, there exists a unique join (least upper bound), namely the label $\ell_1 \sqcup \ell_2$, which is indeed larger than both $\ell_1$ and $\ell_2$ with respect to $\sqsubseteq_Q$.² Note that there are labels, such as $\ell_1 \sqcup \ell_2$ and $\ell_2 \sqcup \ell_1$, which are distinct elements in $\mathrm{Lab}$ but equal with respect to the lattice order; this does not contradict the definition of a lattice.

The evaluation function $\llbracket \cdot \rrbracket^{\mathcal{L}}_{\sigma}$ is a homomorphism that embeds the label lattice $\mathcal{L}_Q$ into the domain lattice $\mathcal{L}$, because it adheres to the definition of a lattice homomorphism: the evaluation function preserves least upper bounds (by definition of $\llbracket \ell_1 \sqcup \ell_2 \rrbracket^{\mathcal{L}}_{\sigma}$), the greatest and least element (by definition of $\llbracket \top \rrbracket^{\mathcal{L}}_{\sigma}$ and $\llbracket \bot \rrbracket^{\mathcal{L}}_{\sigma}$), as well as the order (by the soundness property stated in Theorem 3.3). The interpretation of the label lattice $\mathcal{L}_Q$ is thus a sublattice of $\mathcal{L}$.

² As arbitrary sets of labels can be joined together, including the empty set, which yields $\bot$, and $\mathrm{Lab}$, which yields $\top$, it is even a complete join-semilattice.

[Figure 3.2: Example for embedding label lattice into domain lattice. Left: the label lattice $\mathcal{L}_Q$ with nodes $\top$, $z.f^\delta$, $y.f^\delta \sqcup x^\delta$, $y.f^\delta$, $x^\delta$, ...; right: the domain lattice $\mathcal{L}$ with HIGH, MED, LOW; the evaluation function $\llbracket \cdot \rrbracket^{\mathcal{L}}_{\sigma}$ maps the left lattice into the right one.]

Figure 3.2 illustrates the embedding when one takes as an example the constraint set $Q = \{(x^\delta, z.f^\delta)\}$ and Sue's domain lattice $\mathcal{L}$ as presented in Section 2.1.2 on page 18.

The label lattice over $Q$, $\mathcal{L}_Q$, is partly shown on the left, with the arrows corresponding to the order $\sqsubseteq_Q$ (not all transitive edges are shown). For any state $\sigma$ such that $\sigma \models_{\mathcal{L}} Q$, the label evaluation function $\llbracket \cdot \rrbracket^{\mathcal{L}}_{\sigma}$ assigns to each label a domain from $\mathrm{Dom}_{\mathcal{L}}$ on the right such that the order is preserved. The dotted lines in the diagram represent the evaluation in an assumed example state $\sigma$ that satisfies $Q$. In particular, the thick edge from $x^\delta$ to $z.f^\delta$, induced by the constraint set $Q$, corresponds to an edge in the domain lattice (from LOW to MED).

A constraint set $Q$ spans a label lattice $\mathcal{L}_Q$. Via the satisfiability relation $\sigma \models_{\mathcal{L}} Q$, the set $Q$ describes those program states $\sigma$ for which $\mathcal{L}_Q$ can be embedded into the domain lattice $\mathcal{L}$ by $\llbracket \cdot \rrbracket^{\mathcal{L}}_{\sigma}$. From a different perspective, if one fixes the state $\sigma$, then $Q$ can as well be interpreted as a description of those domain lattices $\mathcal{L}$ whose structure includes the pairwise domain positionings which are abstractly described by label pairs in $Q$.

Therefore, the set $Q$ and thus the entire label lattice $\mathcal{L}_Q$ collect information about both the state $\sigma$ (namely the values of domain variables and fields) and the structure of the domain lattice $\mathcal{L}$ which describes the effective security policy.
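As an added illustration (my own code, not from the thesis), the following Python turns the rules of Figure 3.1 into a decision procedure for $\sqsubseteq_Q$ and $\equiv_Q$ over join-normalised labels, and then checks the embedding of Figure 3.2 against a constructed state $\sigma$. The chain LOW < MED < HIGH is a stand-in for Sue's domain lattice, whose full structure this section does not reproduce.

```python
# Labels are sets of atoms (domain variables/fields such as "x" or "z.f"):
# a join l1 ⊔ l2 is the union of the atom sets, ⊥ is the empty join and ⊤ an
# absorbing atom.  A constraint set Q is a list of pairs (p, q), read p ⊑_Q q.
TOP = "⊤"

def norm(label):
    """Join-normal form: idempotence/commutativity/associativity of ⊔ become set equality."""
    atoms = frozenset(label)
    return frozenset({TOP}) if TOP in atoms else atoms

def leq(l1, l2, Q):
    """Decide l1 ⊑_Q l2 as a least fixpoint over the rules of Figure 3.1; R holds
    pairs (atom a, goal t) with a ⊑_Q t, goals being the query's right side and Q's left sides."""
    Q = [(norm(p), norm(q)) for p, q in Q]
    target = norm(l2)
    goals = {p for p, _ in Q} | {target}
    atoms = {TOP}.union(norm(l1), *goals, *(q for _, q in Q))
    # axioms a ⊑ a ⊔ l' (a ∈ t) and l ⊑ ⊤ (⊤ ∈ t) seed the relation
    R = {(a, t) for a in atoms for t in goals if a in t or TOP in t}
    changed = True
    while changed:                      # close under transitivity through Q
        changed = False
        for p, q in Q:                  # p ⊑_Q q by the first rule
            for a in atoms:
                if (a, p) not in R:     # a ⊑_Q p is needed first
                    continue
                for t in goals:         # q ⊑_Q t by monotonicity of ⊔
                    if (a, t) not in R and all((b, t) in R for b in q):
                        R.add((a, t)); changed = True
    # l1 ⊑_Q l2 iff every atom of l1 is below l2 (⊥ has none, so ⊥ ⊑_Q l2)
    return all((a, target) in R for a in norm(l1))

def equiv(l1, l2, Q):
    """l1 ≡_Q l2 (antisymmetry): both directions of ⊑_Q are derivable."""
    return leq(l1, l2, Q) and leq(l2, l1, Q)

# Constructed stand-in for the domain lattice: the chain LOW < MED < HIGH.
RANK = {"LOW": 0, "MED": 1, "HIGH": 2}

def evaluate(label, sigma):
    """⟦l⟧_σ: join (here the maximum) of σ's domains for the atoms; ⊥ -> LOW, ⊤ -> HIGH."""
    atoms = norm(label)
    if TOP in atoms:
        return "HIGH"
    return max((sigma[a] for a in atoms), key=RANK.get, default="LOW")

def satisfies(sigma, Q):
    """σ ⊨ Q: every pair (p, q) of Q satisfies ⟦p⟧_σ ≤ ⟦q⟧_σ."""
    return all(RANK[evaluate(p, sigma)] <= RANK[evaluate(q, sigma)] for p, q in Q)
```

With `Q = [({"x"}, {"z.f"})]` and `sigma = {"x": "LOW", "y.f": "MED", "z.f": "MED"}`, `leq` derives the Figure 3.2 edges, and every derived `leq` pair is order-preserved by `evaluate`, as Theorem 3.3 requires.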