Information-flow analysis for covert-channel identification in multilevel secure operating systems

Given an information flow consisting of the flow path and the flow condition under which the flow takes place, the problem of determining whether the information flow is legal is considered; that is, whether the flow complies with the underlying nondiscretionary security policy of a trusted computing base (TCB). It is shown that the proposed approach to information-flow analysis has the advantage of eliminating the possibility of generating false illegal flow, namely flows that are identified by the analysis process to be illegal but which, in reality, are legal. Without eliminating false illegal flows from analysis, automated tools for secure information-flow analysis would be of limited use in this area because manual work would still be needed. Finally, it is shown how to apply this information-flow analysis approach to Secure XENIX and how information-flow analysis can help reduce the amount of effort for information-flow integration within TCB programs