| Copyright | (c) 2026 SPISE MISU ApS |
|---|---|
| License | SSPL-1.0 OR AGPL-3.0-only |
| Maintainer | SPISE MISU <mail+hackage@spisemisu.com> |
| Stability | experimental |
| Safe Haskell | Safe |
| Language | Haskell2010 |
Agent.Control.IFC
Description
Information Flow Control (IFC)
https://en.wikipedia.org/wiki/Information_flow_(information_theory)
In low-level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information, and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted.[1]
More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice.[2]
For example, considering two security levels L and H (low and high), if
`L ≤ H`, flows from L to L, from H to H, and L to H would be
allowed, while flows from H to L would not.[3]
Throughout this article, the following notation is used:
a) variable `l ∈ L` (low) shall denote a publicly observable variable
b) variable `h ∈ H` (high) shall denote a secret variable
Where L and H are the only two security levels in the lattice being
considered.
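The two-level lattice described above, as an added example that is not part of this module's own code: it encodes `L ≤ H`, checks each flow against the ordering, and labels derived data with the join of its sources. All names (`Level`, `canFlowTo`, `Labeled`, `combine`, `writeTo`) are hypothetical and are not the `Agent.Control.IFC` API.

```haskell
-- Added example; every name below is hypothetical, not the Agent.Control.IFC API.
module Main (main) where

-- Two-point lattice from the description: L ≤ H (derived Ord follows
-- constructor order, so L < H).
data Level = L | H
  deriving (Eq, Ord, Show, Enum, Bounded)

-- A flow is permitted only upwards (or sideways) in the lattice.
canFlowTo :: Level -> Level -> Bool
canFlowTo src dst = src <= dst

-- Least upper bound: the level of data derived from two sources.
join :: Level -> Level -> Level
join = max

-- A value tagged with the level of the information it carries.
data Labeled a = Labeled Level a
  deriving Show

-- Combining two values labels the result with the join of their levels,
-- so anything computed from a secret stays secret.
combine :: (a -> b -> c) -> Labeled a -> Labeled b -> Labeled c
combine f (Labeled la a) (Labeled lb b) = Labeled (join la lb) (f a b)

-- Write to a sink of a given level; refuse flows that go down the lattice.
writeTo :: Level -> Labeled a -> Either String a
writeTo sink (Labeled src a)
  | src `canFlowTo` sink = Right a
  | otherwise = Left ("illegal flow " ++ show src ++ " -> " ++ show sink)

main :: IO ()
main = do
  -- Enumerate all four flows from the description; only H -> L is rejected.
  mapM_ print [ (s, d, canFlowTo s d) | s <- [minBound ..], d <- [minBound ..] ]
  let l     = Labeled L (40 :: Int)  -- constructed public value
      h     = Labeled H (2 :: Int)   -- constructed secret value
      mixed = combine (+) l h        -- labelled H, since it depends on h
  print (writeTo L l)      -- public data to a public sink: allowed
  print (writeTo H mixed)  -- derived secret to a secret sink: allowed
  print (writeTo L mixed)  -- derived secret to a public sink: rejected
```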
- [1] Andrei Sabelfeld and Andrew C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications, 21(1), Jan. 2003.
- [2] Dorothy Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236-242, 1976.
- [3] Geoffrey Smith. Principles of Secure Information Flow Analysis. Advances in Information Security, 27:291–307, Springer US, 2007.