Security challenges with cross-domain information exchange: Integrity and guessing attacks

Current research on cross-domain information exchange is advocating to move away from the inflexible Bell-La Padula (BLP) model, into a more complex policy-driven security model where information objects and end-users are characterized in terms of complex meta-data. It will lead to higher flexibility but will also rely not only on guards, but also on automatic or semi-automatic tools for forming and processing the metadata. In this paper, we point out some potential pitfalls with this approach. The paper focuses specifically on the relaxation of the BLP security model for confidentiality and discusses security concerns that arise from the use of such tools in combination with guards.