Access Flow: A Protection Model which Integrates Access Control and Information Flow

Past work concerning operating system protection has focused on two notions: access control and information flow. Access control or protection matrix based protection systems control the ways in which users may manipulate objects. Information flow or security class based systems control the flow of information between users. Although it has been noted that both notions are essential to real protection systems, no previous work has compared the two notions, or developed a protection model that integrates those notions. This paper compares and contrasts access control and information flow and supports the assertion that both notious are essential to real protection systems. It is argued that the military classification model of information flow poorly models reality, and a new information flow model based on the controlled sharing of secrets is introduced. A protection model that integrates access control and information flow is then developed and formally defined, and some example applications of this model are described.