5.3 Towards a complete model of information flow control
5.3.3 Introducing availability in information flow control
Another important security property for addressing the challenge of location inhomogeneity (cf. Def. 4.6) is the availability of virtual resources. When being utilised, virtual resources have to be accessible and functional. Both depend on several factors, which are internal and external to the virtual resources. The accessibility depends, for example, on the connectivity of the access network (external) and the functioning of the connection end-points of the virtual resources (internal). The functioning of virtual resources depends, for example, on the functioning of the hosting hardware resources (external) and the applications running on them (internal). For the information flow of virtual resources, external factors that influence the availability of virtual resources can change due to migration, while internal factors do not. For example, the migration of a virtual resource from a highly available hardware resource to another with lower availability also reduces the availability of the virtual resource, but the migration itself does not change the state of applications running on the virtual machine (assuming that downtimes during migration are negligible and virtual resources are fully functioning after migration, which is possible when using live migration [72]). With respect to information flow of virtual resources, availability can be modelled as a requirement for a subject (i.e., hardware resource) when gaining access to an object (i.e., virtual resource). For that reason, objects are classified by their required availability and subjects are classified by their provided availability.
To model classifications by availability, the following definition of availability is used.
Definition 5.43 (Availability [221]) According to Xie et al. [221, pp. 11–12], availability $A(t)$ is defined as the probability that a system is up at a given time $t$. Further, the asymptotic availability is given by

$$A = \lim_{t \to \infty} A(t) = \frac{\text{system up time}}{\text{system up time} + \text{system down time}} = \frac{MTTF}{MTTF + MTTR}$$

where $MTTF$ is the mean time to failure of a system, and $MTTR$ is the mean time to repair of a system. In the following, the term availability is used in the sense of asymptotic availability.
Remark 5.10 (Availability is totally ordered and finite) According to Def. 5.43, availability is represented by a value of the interval $[0, 1]$, and therefore, it is totally ordered by the $<$-relation. Theoretically, there are infinitely many values for availability, but in practice, only a finite number of availabilities are relevant. The reason is that availability is used in practice by the following scheme: 90%, 95%, 99%, 99.5%, 99.9%, 99.95%, 99.99%, 99.995%, ..., 100%. Further, the highest availabilities that are used can be found in functional safety standards and are not higher than 0.99999%, which is the upper boundary of safety integrity level 4 (based on IEC 61508 [108]). Therefore, the number of relevant availabilities in practice is finite. This makes availability (according to Def. 5.43) a good candidate for classifying subjects and objects in a lattice-based model for information flow control.
In the model, the required availability of an object is classified by the minimum availability that has to be provided by an accessing subject. Analogously, the provided availability of a subject is classified by the minimum availability that is provided by the subject. Consequently, availability classes are defined as follows:
Definition 5.44 (Availability class) An availability class ${}^{av}SC_x := [x, 1]$ with $x \in [0, 1]$ is defined as a continuous interval of (asymptotic) availabilities $A \in {}^{av}SC_x$. Then, ${}^{av}SC$ is the set of availability classes ${}^{av}SC_x$. Further, let ${}^{av}SC_{x_1} \mapsto {}^{av}SC_{x_2}$ for all $x_1, x_2 \in [0, 1]$ and ${}^{av}SC_{x_1}, {}^{av}SC_{x_2} \in {}^{av}SC$ if and only if ${}^{av}SC_{x_1} \supseteq {}^{av}SC_{x_2}$, i.e., information in ${}^{av}SC_{x_1}$ is allowed to flow to ${}^{av}SC_{x_2}$ if and only if availability $x_1$ is less than or equal to availability $x_2$.
Then, $({}^{av}SC, \mapsto)$ is partially ordered, since the $\subset$-relation is a partial order and availabilities are totally ordered by the $<$-relation. Further, ${}^{av}SC$ is finite for availabilities that are relevant in practice (cf. Remark 5.10). In addition, ${}^{av}SC_{100\%} \in {}^{av}SC$ is the upper bound and ${}^{av}SC_{0\%} \in {}^{av}SC$ is the lower bound. This implies that Denning's Axioms apply for availability classes and $({}^{av}SC, \mapsto, \oplus, \otimes)$ is a lattice.
Moreover, the fact that $({}^{av}SC, \mapsto)$ is partially ordered implies that ${}^{\gamma}\Sigma({}^{\gamma}R, D, {}^{\gamma}W, {}^{\gamma}z_0)$ with $SC = {}^{av}SC$ is a secure system satisfying the general ∗-property (cf. Theorem 5.5). Analogously to location classes (cf. Section 5.3.2), this is made plausible by looking at the general simple-security property (cf. Def. 5.36) and the general ∗-property (cf. Def. 5.37). The general simple-security property defines the allowed information flow from objects to subjects, which is caused by viewing objects. This is allowed only if the object's availability class contains the subject's availability class, i.e., the availability provided by the subject is higher than the availability required by the object. Thereby, the subject can ensure the required availability of the object – which is the intention of information flow control with respect to availability. The general ∗-property defines the information flow allowed between objects via subjects (and, therefore, from subjects to objects), which is caused by modifying objects. Here, the access of a subject to an object is allowed only if the availability of the objects that are modified is higher than the availability of the objects that are viewed. This implies that information can flow only from lower availability classes to higher availability classes – which is again the intention of information flow control with respect to availability. Consequently, the availability classes ${}^{av}SC$ satisfy the General Security Theorem (cf. Theorem 5.5).
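The following Python sketch is an added example, not code from the thesis: it implements the asymptotic availability of Def. 5.43, the finite set of practical availabilities of Remark 5.10, the availability classes ${}^{av}SC_x = [x, 1]$ of Def. 5.44 with their flow relation, join and meet, and the two access checks just described (viewing under the general simple-security property, modifying under the general ∗-property). The MTTF/MTTR figures, the function names and the host/VM scenario are constructed for illustration and are not taken from the thesis.

```python
from dataclasses import dataclass
from typing import Sequence

# Availabilities used in practice (cf. Remark 5.10), as fractions; 0.0 and 1.0 are
# the end points of the class set, so the set is finite and totally ordered.
PRACTICAL_AVAILABILITIES = (0.0, 0.90, 0.95, 0.99, 0.995, 0.999, 0.9995,
                            0.9999, 0.99995, 0.99999, 1.0)


def asymptotic_availability(mttf: float, mttr: float) -> float:
    """Def. 5.43: A = MTTF / (MTTF + MTTR); both times in the same unit."""
    if mttf < 0 or mttr < 0 or mttf + mttr == 0:
        raise ValueError("MTTF and MTTR must be non-negative and not both zero")
    return mttf / (mttf + mttr)


def practical_class_of(availability: float) -> float:
    """Round a measured availability DOWN to the highest practical value it still
    satisfies: a subject may only claim the availability it really provides."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must lie in [0, 1]")
    return max(a for a in PRACTICAL_AVAILABILITIES if a <= availability)


@dataclass(frozen=True)
class AvailabilityClass:
    """avSC_x := [x, 1] (Def. 5.44); the class is identified by its lower end x."""
    x: float

    def flows_to(self, other: "AvailabilityClass") -> bool:
        # avSC_x1 -> avSC_x2  iff  [x1, 1] contains [x2, 1]  iff  x1 <= x2
        return self.x <= other.x

    def join(self, other: "AvailabilityClass") -> "AvailabilityClass":
        # join: the least class that both flow to, i.e. [max(x1, x2), 1]
        return AvailabilityClass(max(self.x, other.x))

    def meet(self, other: "AvailabilityClass") -> "AvailabilityClass":
        # meet: the greatest class that flows to both, i.e. [min(x1, x2), 1]
        return AvailabilityClass(min(self.x, other.x))


def may_view(subject: AvailabilityClass, obj: AvailabilityClass) -> bool:
    """General simple-security property for availability: viewing moves information
    from object to subject, so the object's class must flow to (contain) the
    subject's class, i.e. the subject provides at least what the object requires."""
    return obj.flows_to(subject)


def may_modify(viewed: Sequence[AvailabilityClass], modified: AvailabilityClass) -> bool:
    """General *-property for availability: information from every viewed object
    reaches the modified object via the subject, so each viewed class must flow
    to the modified class (modified objects are at least as available)."""
    return all(v.flows_to(modified) for v in viewed)


def migration_allowed(vm_required: AvailabilityClass, host_mttf: float, host_mttr: float) -> bool:
    """Constructed scenario: may a hardware resource (subject) with the given
    MTTF/MTTR gain access to a virtual resource (object) with this requirement?"""
    host = AvailabilityClass(practical_class_of(asymptotic_availability(host_mttf, host_mttr)))
    return may_view(host, vm_required)


if __name__ == "__main__":
    vm = AvailabilityClass(0.99)                   # the VM requires 99 %
    print(migration_allowed(vm, 9990.0, 10.0))     # host provides 99.9 % -> True
    print(migration_allowed(vm, 950.0, 50.0))      # host provides 95 %   -> False
```

The second call is the migration case from the text: a target hardware resource whose measured availability rounds down to 95 % may not take over a virtual resource that requires 99 %, because ${}^{av}SC_{99\%} \not\supseteq {}^{av}SC_{95\%}$. Rounding the measured value down rather than to the nearest practical value matters: a subject classified one step too high would be granted access it cannot honour.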
Remark 5.11 (Deletion and availability) When deleting an object, the availability of the object is no longer given. Therefore, deletion is allowed only if the availability of the object is no longer needed. The information model addresses this in the rule ${}^{\gamma}\rho_{10}$ for deleting objects: as long as at least one subject has access to an object, the deletion of the object is forbidden. In such a case, the object is said to be "locked". This mechanism of locking objects can be used to control the deletion of objects. In addition, a new subject having the object's security class is added to the system ${}^{\gamma}\Sigma({}^{\gamma}R, D, {}^{\gamma}W, {}^{\gamma}z_0)$. The new subject is used to lock the object (or its backup instance) as long as it has to be available. It is possible then to control the deletion of objects by giving and rescinding access privileges to the locking subject.
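As an added example (not the thesis's own model or code), the locking mechanism of Remark 5.11 can be exercised with a minimal system state: objects and subjects carry the lower end $x$ of their availability class, access is granted only when the subject's provided availability is at least the object's required availability, and deletion is refused while any subject holds access. The class name `AvailabilitySystem`, the `lock:` naming of the locking subject and the `vm-1` scenario are constructed assumptions.

```python
class LockedObjectError(Exception):
    """Raised when an object still has subjects with access (Remark 5.11)."""


class AvailabilitySystem:
    """Constructed minimal system state (not the thesis's system model): subjects and
    objects carry the lower end x of their availability class avSC_x = [x, 1], and
    each object records which subjects currently hold access to it."""

    def __init__(self) -> None:
        self.required = {}   # object  -> required availability x
        self.provided = {}   # subject -> provided availability x
        self.access = {}     # object  -> set of subjects holding access

    def add_object(self, name: str, required_x: float) -> None:
        self.required[name] = required_x
        self.access[name] = set()

    def add_subject(self, name: str, provided_x: float) -> None:
        self.provided[name] = provided_x

    def grant(self, subject: str, obj: str) -> None:
        # avSC_required -> avSC_provided holds iff required <= provided (Def. 5.44)
        if self.provided[subject] < self.required[obj]:
            raise PermissionError(f"{subject} provides less availability than {obj} requires")
        self.access[obj].add(subject)

    def rescind(self, subject: str, obj: str) -> None:
        self.access[obj].discard(subject)

    def is_locked(self, obj: str) -> bool:
        """An object is locked while at least one subject has access to it."""
        return bool(self.access[obj])

    def lock(self, obj: str) -> str:
        """Add a dedicated subject carrying the object's own class and give it
        access; the object then stays locked until that access is rescinded."""
        locker = f"lock:{obj}"
        self.add_subject(locker, self.required[obj])
        self.grant(locker, obj)
        return locker

    def delete(self, obj: str) -> bool:
        """Rule for deleting objects: forbidden as long as the object is locked."""
        if self.is_locked(obj):
            raise LockedObjectError(f"{obj} is still locked by {sorted(self.access[obj])}")
        del self.required[obj]
        del self.access[obj]
        return True


def locking_scenario() -> tuple:
    """Constructed run: a VM is locked by a dedicated subject, a deletion attempt is
    refused, the locking subject's access is rescinded, and the deletion succeeds."""
    system = AvailabilitySystem()
    system.add_object("vm-1", 0.99)
    locker = system.lock("vm-1")
    try:
        system.delete("vm-1")
        refused = False
    except LockedObjectError:
        refused = True
    system.rescind(locker, "vm-1")
    deleted = system.delete("vm-1")
    return refused, deleted, "vm-1" in system.required


if __name__ == "__main__":
    print(locking_scenario())   # (True, True, False)
```

Because the locking subject is created with exactly the object's security class, granting it access never violates the simple-security check in `grant`; whoever controls the locking subject's privileges therefore controls when the object (or its backup instance) may disappear.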
Remark 5.12 (Modelling confidentiality, integrity, availability, and location) Analogously to Remark 5.8 and Remark 5.9, confidentiality, integrity, availability, and location can be modelled at the same time by using combined security classes that are defined as quadruples of confidentiality, integrity, availability, and location classes, which are defined by:

$${}^{c,i,av,loc}SC \subset {}^{c}SC \times {}^{i}SC \times {}^{av}SC \times {}^{loc}SC \quad \text{with} \quad {}^{c,i,av,loc}SC_i = ({}^{c}SC_i, {}^{i}SC_i, {}^{av}SC_i, {}^{loc}SC_i) \in {}^{c,i,av,loc}SC$$

where ${}^{c}SC_i \in {}^{c}SC$, ${}^{i}SC_i \in {}^{i}SC$, ${}^{av}SC_i \in {}^{av}SC$, and ${}^{loc}SC_i \in {}^{loc}SC$.
Allowed information flow is defined by:

$${}^{c,i,av,loc}SC_1 \mapsto {}^{c,i,av,loc}SC_2 \iff {}^{c}SC_1 \mapsto {}^{c}SC_2 \;\text{and}\; {}^{i}SC_1 \mapsto {}^{i}SC_2 \;\text{and}\; {}^{av}SC_1 \mapsto {}^{av}SC_2 \;\text{and}\; {}^{loc}SC_1 \mapsto {}^{loc}SC_2$$

where ${}^{c,i,av,loc}SC_1, {}^{c,i,av,loc}SC_2 \in {}^{c,i,av,loc}SC$, ${}^{c}SC_1, {}^{c}SC_2 \in {}^{c}SC$, ${}^{i}SC_1, {}^{i}SC_2 \in {}^{i}SC$, ${}^{av}SC_1, {}^{av}SC_2 \in {}^{av}SC$, and ${}^{loc}SC_1, {}^{loc}SC_2 \in {}^{loc}SC$.
Then, $({}^{c,i,av,loc}SC, \mapsto)$ is partially ordered and finite (due to the fact that ${}^{c}SC$, ${}^{i}SC$, ${}^{av}SC$, and ${}^{loc}SC$ are partially ordered and finite). Therefore, Denning's Axioms apply (cf. Theorem 5.2) and $({}^{c,i,av,loc}SC, \mapsto, \oplus, \otimes)$ is a lattice with upper bound ${}^{c,i,av,loc}SC_L = ({}^{c}SC_L, {}^{i}SC_L, {}^{av}SC_L, {}^{loc}SC_L)$ and lower bound ${}^{c,i,av,loc}SC_H = ({}^{c}SC_H, {}^{i}SC_H, {}^{av}SC_H, {}^{loc}SC_H)$.
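The following added example (not code from the thesis) shows why the component-wise definition of $\mapsto$ in Remark 5.12 yields a lattice again: a finite class set with a flow predicate is wrapped as a lattice whose join and meet are found by search, which is sufficient because Remark 5.10 makes the class sets finite, and the product of such lattices is checked to be a partial order with component-wise join and meet. The availability component follows Def. 5.44 exactly; the confidentiality, integrity and location components are two-element placeholder chains, an assumption of this example, since the thesis defines those lattices elsewhere.

```python
from itertools import product
from typing import Callable, Iterable


class FiniteLattice:
    """A finite set of security classes with the flow relation -> as a predicate.
    Join and meet are found by searching the finite element set, which is enough
    once Remark 5.10 restricts the classes to the finitely many values used in practice."""

    def __init__(self, elements: Iterable, flows: Callable) -> None:
        self.elements = tuple(elements)
        self.flows = flows

    def is_partial_order(self) -> bool:
        e = self.elements
        reflexive = all(self.flows(a, a) for a in e)
        antisymmetric = all(a == b or not (self.flows(a, b) and self.flows(b, a))
                            for a in e for b in e)
        transitive = all(not (self.flows(a, b) and self.flows(b, c)) or self.flows(a, c)
                         for a in e for b in e for c in e)
        return reflexive and antisymmetric and transitive

    def join(self, a, b):
        """Least class that both a and b flow to (the lattice join)."""
        ubs = [c for c in self.elements if self.flows(a, c) and self.flows(b, c)]
        least = [c for c in ubs if all(self.flows(c, d) for d in ubs)]
        if len(least) != 1:
            raise ValueError("no unique least upper bound, so this is not a lattice")
        return least[0]

    def meet(self, a, b):
        """Greatest class that flows to both a and b (the lattice meet)."""
        lbs = [c for c in self.elements if self.flows(c, a) and self.flows(c, b)]
        greatest = [c for c in lbs if all(self.flows(d, c) for d in lbs)]
        if len(greatest) != 1:
            raise ValueError("no unique greatest lower bound, so this is not a lattice")
        return greatest[0]

    def top(self):
        return next(c for c in self.elements if all(self.flows(d, c) for d in self.elements))

    def bottom(self):
        return next(c for c in self.elements if all(self.flows(c, d) for d in self.elements))


def product_lattice(*components: FiniteLattice) -> FiniteLattice:
    """Combined classes as tuples (Remark 5.12): a tuple flows to another iff every
    component flows, so join and meet of the product work out component-wise."""
    elements = list(product(*(c.elements for c in components)))

    def flows(a, b):
        return all(c.flows(x, y) for c, x, y in zip(components, a, b))

    return FiniteLattice(elements, flows)


# Availability component exactly as in Def. 5.44: avSC_x1 -> avSC_x2 iff x1 <= x2.
AV = FiniteLattice((0.0, 0.9, 0.99, 1.0), lambda x1, x2: x1 <= x2)
# Placeholders (an assumption of this example) for the confidentiality, integrity
# and location lattices, which the thesis defines elsewhere: two-element chains.
CONF = FiniteLattice(("c0", "c1"), lambda a, b: a == b or a == "c0")
INTEG = FiniteLattice(("i0", "i1"), lambda a, b: a == b or a == "i0")
LOC = FiniteLattice(("loc0", "loc1"), lambda a, b: a == b or a == "loc0")
# Quadruples in the order used in Remark 5.12: (c, i, av, loc).
COMBINED = product_lattice(CONF, INTEG, AV, LOC)


def combined_flows(sc1: tuple, sc2: tuple) -> bool:
    """c,i,av,loc SC_1 -> c,i,av,loc SC_2 iff every component flows."""
    return COMBINED.flows(sc1, sc2)


if __name__ == "__main__":
    print(COMBINED.is_partial_order())                                            # True
    print(combined_flows(("c0", "i0", 0.9, "loc0"), ("c1", "i1", 0.99, "loc1")))  # True
    print(combined_flows(("c0", "i0", 0.99, "loc0"), ("c1", "i1", 0.9, "loc1")))  # False
    print(COMBINED.join(("c0", "i1", 0.9, "loc0"), ("c1", "i0", 0.99, "loc0")))   # ('c1', 'i1', 0.99, 'loc0')
```

The second `combined_flows` call fails solely because of the availability component (99 % may not flow to 90 %), which is the practical consequence of the quadruple definition: a flow that is acceptable for confidentiality, integrity and location is still refused when it would move information to a less available virtual resource.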