• DocumentCode
    3088328
  • Title
    Security model for resource availability - subject and object type enforcement
  • Author
    Hedenstad, Ole-Erik
  • Author_Institution
    Norwegian Defence Res. Establ., Kjeller, Norway
  • fYear
    2009
  • fDate
    18-21 Oct. 2009
  • Firstpage
    1
  • Lastpage
    7
  • Abstract
    Confidentiality, integrity and availability are the three basic aspects of information security. The purpose of the paper is to refine the availability dimension. In the context of security, an object is the passive entity to be protected. "Object" can refer both to an information object and to a resource, e.g. the program (or service) that retrieves the information and enables access to it. Thus, we make a distinction between information and resource availability. We propose a new security model for resource availability called "subject and object type enforcement" (SOTE). The model can express policies for information flow between resources of different administrative domains. It controls the types of resources that are allowed to interact. The ability to express the security requirements and conditions a resource must fulfill is also part of the model. SOTE is a variation of type enforcement. The main difference is that SOTE is a model for information flow control instead of operating system access control. Type enforcement is well suited for restricting information flows. In particular, type enforcement can express intransitive (indirect) information flows. The SOTE model can express such information flow policies at a fine-grained level. This is a prerequisite for flexible and secure information flow in heterogeneous environments where the domains do not implement the same set of security policies and security levels. We also describe how multiple security models can be combined in order to express a composite security policy for information flow. We combine the classic multilevel security models (Bell-LaPadula and Biba) with the SOTE resource availability model.
  • Keywords
    data integrity; resource allocation; security of data; Bell-LaPadula security model; Biba security model; SOTE model; information availability; information flow control; information security model; object type enforcement; resource availability; subject type enforcement; Access control; Availability; Computer security; Information retrieval; Information security; Multidimensional systems; Multilevel systems; Operating systems; Protection; Unified modeling language;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Military Communications Conference, 2009. MILCOM 2009. IEEE
  • Conference_Location
    Boston, MA
  • Print_ISBN
    978-1-4244-5238-5
  • Electronic_ISBN
    978-1-4244-5239-2
  • Type
    conf
  • DOI
    10.1109/MILCOM.2009.5380077
  • Filename
    5380077