Abstract

Decentralized information flow control (DIFC) is a key innovation of traditional information flow control (IFC). Compared with IFC, DIFC provides new features including decentralized declassification, taint-tracking and privilege-transferring. These characteristics make DIFC more applicable than traditional IFC to the control of information flows in systems. This paper presents an optimal approach to the mining of security labels for DIFC. This approach can effectively improve DIFC's applicability and manageability in a wide variety of environments. We first design a novel policy description language to express security requirements in DIFC-characterized assertions. Next, we prove that the problem of obtaining security labels from DIFC assertions is NP-complete. Based on logic programming and a genetic algorithm, the proposed approach finally outputs optimal security labels separately for different DIFC systems in both small and large-scale environments. The objectives of this paper are to address two practical aspects of DIFC: (1) how to express security requirements by using DIFC-characterized assertions; and (2) how to obtain optimal DIFC labels to satisfy security requirements. The experimental results show that the proposed approach is effective in implementing fine-grained information control according to practical security requirements.
