Published March 14, 2017 | Version v1
Conference paper Open

Analysing Cryptographically-Masked Information Flows in MILS-AADL Specifications

  • 1. RWTH Aachen, University

Description

Information flow policies are widely used for specifying confidentiality and integrity requirements of security-critical systems. In contrast to access control policies and security protocols, they impose global constraints on the information flow and thus provide end-to-end security guarantees. The information flow policy that is usually adopted is non-interference. It postulates that confidential data must not affect the publicly visible behaviour of a system. However, this requirement is usually broken in the presence of cryptographic operations.
In this paper, we propose a formal approach to distinguish between breaking non-interference because of legitimate use of sufficiently strong encryption on the one side, and due to unintended information leaks on the other side. It employs the well-known technique of program slicing to identify (potential) information flows between the data elements of a specification given in a MILS variant of the Architecture Analysis and Design Language (AADL). Moreover, we investigate the relation between our method and an extended notion of non-interference known as possibilistic non-interference, and demonstrate its applicability on a concrete example system.
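The following Python snippet is an added illustration of the idea sketched in the abstract, not code from the paper or from any MILS-AADL tool: a backward slice over a tiny, constructed data-dependence graph (element names, the "encrypt" tag and the classification rule are all assumptions) separates public outputs whose only dependence on secrets passes through a strong encryption node from outputs reached by an unmasked, and therefore unintended, flow.

```python
"""Toy program slicing over a data-dependence graph of an AADL-like
specification.  Constructed illustration of cryptographically-masked
information flows; it is not the paper's algorithm or tooling."""
from collections import deque

# Constructed specification: element -> (kind, elements it depends on).
# "secret" = confidential source, "public" = externally visible output,
# "encrypt" = assumed-strong encryption that masks its inputs.
SPEC = {
    "key":        ("secret",  []),
    "plaintext":  ("secret",  []),
    "ciphertext": ("encrypt", ["plaintext", "key"]),
    "length":     ("plain",   ["plaintext"]),   # side information, not masked
    "counter":    ("plain",   []),
    "net_out":    ("public",  ["ciphertext"]),
    "log_out":    ("public",  ["length"]),
    "stat_out":   ("public",  ["counter"]),
}


def backward_slice(spec, target):
    """All elements that can (transitively) influence `target`."""
    seen, work = set(), deque([target])
    while work:
        node = work.popleft()
        for dep in spec[node][1]:
            if dep not in seen:
                seen.add(dep)
                work.append(dep)
    return seen


def leaking_paths(spec, sink):
    """Dependency paths from a secret source to `sink` that never cross an
    encrypt node.  Such a path is an unintended leak; a path cut off at an
    encrypt node is a legitimate, masked flow."""
    paths = []

    def walk(node, path):
        kind, deps = spec[node]
        if kind == "encrypt":
            return                      # masked by strong encryption: stop
        if kind == "secret":
            paths.append(list(reversed(path + [node])))  # source -> sink
            return
        for dep in deps:
            walk(dep, path + [node])

    walk(sink, [])
    return paths


def classify(spec):
    """Classify every public output of the specification."""
    result = {}
    for node, (kind, _) in spec.items():
        if kind != "public":
            continue
        secrets = {n for n in backward_slice(spec, node) if spec[n][0] == "secret"}
        leaks = leaking_paths(spec, node)
        if not secrets:
            result[node] = "no secret influence"
        elif leaks:
            result[node] = "LEAK via " + " -> ".join(leaks[0])
        else:
            result[node] = "non-interference broken only by encryption (accepted)"
    return result


if __name__ == "__main__":
    for out, verdict in classify(SPEC).items():
        print(f"{out}: {verdict}")
```

Both `net_out` and `log_out` violate plain non-interference, since each sits in the forward closure of `plaintext`; only the second is reported as a leak, because its dependence on the secret runs through the unmasked `length` element rather than through the encryption node.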

Files

Noll2017analysing.pdf

Files (268.1 kB)

md5:749f94473aa47bed24e4109311e5c914

Additional details

Related works

Is supplemented by
10.5281/zenodo.571174 (DOI)