
H. Chen et al. (Eds.): ISI 2004, LNCS 3073, pp. 42–55, 2004. © Springer-Verlag Berlin Heidelberg 2004

A Novel Policy and Information Flow Security Model for Active Network

Zhengyou Xia1, Yichuan Jiang2, Yiping Zhong2, and Shiyong Zhang2

1 Department of computer, NanJing University of Aeronautics and Astronautics, China [email protected]

2 Department of Computer information & technology, Fudan University, China {jiangyc,zhongyp,shizhang}@fudan.edu.cn

Abstract. In this paper, we describe an active network security model from the viewpoints of access control and information flow. We present an access control policy for active networks called the family tree policy. The family tree policy can correctly represent an active network that cannot be correctly modeled by the BLP and Chinese wall models. We further study the information flow security properties of active networks and present a novel method for analyzing the information flow based on inheriting classes. The properties of information flow are described by the properties of the flow inside an inheriting class and of the flow among different inheriting classes. For the flow inside an inheriting class, the classic information flow model can be used. For the flow among the inheriting classes, we present a novel method based on the concepts of timestamp and flow.

1 Introduction

Active networks [1][2] provide a programmable platform on which network services can be defined or altered by injecting code or other information into the nodes of the network. This paradigm offers a number of potential advantages, including the ability to develop and deploy new network protocols and services quickly, and the ability to customize services to meet the different needs of the different classes of users.

Since the concept of the active network was put forward in 1996, active network research has focused on the support of flexible, dynamically changing [3][4], and fine-grained quality of service. As in traditional networks, protecting the security of an active network is crucial, and active network security presents significant challenges. There has been little research on security features that exploit active networking, and despite the significant energy devoted to security research in active networks [3][4][5], the security issues are by no means solved. This paper approaches active network security from the viewpoints of access control policy and information flow modeling. Since an active network differs from a passive network, we present a novel access control policy (the family tree policy) for active networks. We further study the information flow security properties of active networks and present a novel method for analyzing the information flow based on inheriting classes.


2 Related Work and Motivation

The DARPA active network community has defined an architecture for an active network node (ANN) [1][5]. It depicts a node as comprising a Node OS and one or more Execution Environments. The Execution Environments (EEs) provide a programming interface or virtual machine that can be programmed or controlled by the active packets. We briefly describe a simple threat model in figure 1, which can be used to evaluate the effectiveness of our proposed solution to the active network security problem.

Fig. 1. Security threats model

Node's viewpoint of threats: The node wants to protect its resources against unauthorized usage, protect the availability of its services, protect the integrity of the state that allows it to continue offering services, and protect its state against unauthorized exposure.

EE's viewpoint of threats: The EE faces threats from other EEs, from the senders of packets, and from the active code it hosts, because other EEs may consume node resources that should be allocated to this EE, and packets may consume the EE's resources.

Active code/active packet's viewpoint of threats: A node may wish to access an active code to install it, retrieve it, modify it, terminate it, etc. Active code may create state that is shared with other active code; it wants to protect its shared data and packet payload from unauthorized exposure or modification, its services from unauthorized use, and its resources against unauthorized usage.

Sender's viewpoint of threats: The sender of an active packet wants to protect the data transmitted in the packet: to ensure the integrity and confidentiality of the data in the packet, and to ensure other attributes of the packet not represented by its bits, such as the latency through the network. The sender sees threats to the data in the packet from other active code in the node, from the execution environment, and from the node itself.


Let $S$ be a set of subjects and $O$ a set of objects, $s_i \in S$, $o_j \in O$ ($i, j = 1, \ldots, n$). Let $AA$ be the set of active applications (consisting of active codes/packets) and $EE$ the set of execution environments, $AA_i \in AA$, $EE_j \in EE$ ($i, j = 1, \ldots, n$). We define the following operations:

Subject can access object: $s_i \stackrel{access}{\sim} o_j$. Subject cannot access object: $s_i \stackrel{access}{\nsim} o_j$.

Subject can read object: $s_i \stackrel{read}{\sim} o_j$. Subject cannot read object: $s_i \stackrel{read}{\nsim} o_j$.

Subject can write object: $s_i \stackrel{write}{\sim} o_j$. Subject cannot write object: $s_i \stackrel{write}{\nsim} o_j$.

Subject reads object $o_j$ or object $o_k$: $s_i \stackrel{read}{\sim} o_j \,|\, o_k$. Subject writes object $o_j$ or object $o_k$: $s_i \stackrel{write}{\sim} o_j \,|\, o_k$.

The BLP model [6][7] comprises a set of subjects $S$ and a set of objects $O$ and formulates two principles to protect information confidentiality. We use the BLP and Chinese wall models to analyze the active network policy.

Fig. 2. BLP models active networks

2.1 BLP Model to Analyze Active Network

The simple security property: A subject s is allowed read access to an object o if and only if C(s) dominates C(o).

The * property: A subject s is allowed to write to an object o if and only if C(o) dominates C(s); that is, s may not write to an object whose level is dominated by its own (no write down).

We analyze the result of modeling the active network policy with BLP; it is shown in figure 2. In an active node there are three components: AA (active applications, consisting of active codes/active packets), EE (execution environment) and ANOS (active node OS). All $EE_i$ are at the same level, and similarly all $AA_j$ are at the same level. According to the BLP model, AA can read data from EE and ANOS but cannot write data into EE and ANOS. Similarly, EE can read data from ANOS and write data into AA, but cannot write data into ANOS or read data from AA. ANOS can write data into AA and EE but cannot read data from EE and AA. However, each $AA_j$ must be executed on the particular $EE_i$ that corresponds to it, and that $EE_i$ only executes its corresponding $AA_j$. If we apply the BLP model to the active network policy, we can get the following

five results:

1) $AA_1 \stackrel{read}{\sim} EE_1$, $AA_1 \stackrel{read}{\sim} EE_2$, $AA_2 \stackrel{read}{\sim} EE_1$, $AA_2 \stackrel{read}{\sim} EE_2$, $AA_3 \stackrel{read}{\sim} EE_1$, $AA_3 \stackrel{read}{\sim} EE_2$, $AA_1 \stackrel{read}{\sim} ANOS$, $AA_2 \stackrel{read}{\sim} ANOS$, $AA_3 \stackrel{read}{\sim} ANOS$.

2) $EE_1 \stackrel{write}{\sim} AA_1$, $EE_1 \stackrel{write}{\sim} AA_2$, $EE_1 \stackrel{write}{\sim} AA_3$, $EE_2 \stackrel{write}{\sim} AA_1$, $EE_2 \stackrel{write}{\sim} AA_2$, $EE_2 \stackrel{write}{\sim} AA_3$, $EE_1 \stackrel{read}{\sim} ANOS$, $EE_2 \stackrel{read}{\sim} ANOS$.

3) $AA_1 \stackrel{access}{\sim} AA_2$, $AA_1 \stackrel{access}{\sim} AA_3$, $AA_2 \stackrel{access}{\sim} AA_1$, $AA_2 \stackrel{access}{\sim} AA_3$, $AA_3 \stackrel{access}{\sim} AA_2$, $AA_3 \stackrel{access}{\sim} AA_1$.

4) $EE_1 \stackrel{access}{\sim} EE_2$, $EE_2 \stackrel{access}{\sim} EE_1$.

5) $ANOS \stackrel{write}{\sim} AA_1$, $ANOS \stackrel{write}{\sim} AA_2$, $ANOS \stackrel{write}{\sim} AA_3$, $ANOS \stackrel{write}{\sim} EE_1$, $ANOS \stackrel{write}{\sim} EE_2$.

Not all of these operations are allowed in the active network security architecture. According to the above security threat model of the active network, the following operations must be ensured in the active network secure architecture.

Secure operation requirement of the active network:

1) $AA_1 \stackrel{read}{\sim} EE_1$, $AA_2 \stackrel{read}{\sim} EE_1$, $AA_3 \stackrel{read}{\sim} EE_2$, $AA_1 \stackrel{read}{\sim} ANOS$, $AA_2 \stackrel{read}{\sim} ANOS$, $AA_3 \stackrel{read}{\sim} ANOS$; $AA_1 \stackrel{read}{\nsim} EE_2$, $AA_2 \stackrel{read}{\nsim} EE_2$, $AA_3 \stackrel{read}{\nsim} EE_1$.

2) $EE_1 \stackrel{write}{\sim} AA_1$, $EE_1 \stackrel{write}{\sim} AA_2$, $EE_2 \stackrel{write}{\sim} AA_3$, $EE_1 \stackrel{read}{\sim} ANOS$, $EE_2 \stackrel{read}{\sim} ANOS$; $EE_1 \stackrel{write}{\nsim} AA_3$, $EE_2 \stackrel{write}{\nsim} AA_1$, $EE_2 \stackrel{write}{\nsim} AA_2$.

3) $AA_1 \stackrel{access}{\nsim} AA_2$, $AA_1 \stackrel{access}{\nsim} AA_3$, $AA_2 \stackrel{access}{\nsim} AA_1$, $AA_2 \stackrel{access}{\nsim} AA_3$, $AA_3 \stackrel{access}{\nsim} AA_2$, $AA_3 \stackrel{access}{\nsim} AA_1$.

4) $EE_1 \stackrel{access}{\nsim} EE_2$, $EE_2 \stackrel{access}{\nsim} EE_1$.

5) $ANOS \stackrel{write}{\sim} AA_1$, $ANOS \stackrel{write}{\sim} AA_2$, $ANOS \stackrel{write}{\sim} AA_3$, $ANOS \stackrel{write}{\sim} EE_1$, $ANOS \stackrel{write}{\sim} EE_2$.


If we use BLP to model the active network, we violate the secure operations of the active network and cannot ensure its security. For example, $AA_1 \stackrel{access}{\sim} AA_2$, $EE_1 \stackrel{write}{\sim} AA_3$, $AA_3 \stackrel{access}{\sim} AA_1$ and $EE_1 \stackrel{access}{\sim} EE_2$, etc., are allowed by the BLP model. However, these operations are forbidden in the active network secure architecture, because an AA sees a threat arising from the other AAs and an EE sees threats from the other EEs. Therefore, we assert that the BLP model alone cannot model the active network policy.

2.2 Chinese Wall Model to Analyze the Active Network

We now apply the Chinese wall to model the active network policy. The Chinese wall model [8] has the following rules.

The simple security rule: People are only allowed to access information which is not held to conflict with any other information that they already possess.

The * property: Write access is only permitted if

a) access is permitted by the simple security rule, and b) no object can be read which is in a different company dataset to the one for which write access is requested and contains unsanitized information.

We model the active network policy according to the Chinese wall model; it is shown in figure 3. There would be three conflict of interest classes: one for AA (containing all active code executing on the active node), one for EE (containing the EEs existing in the active node) and the last for the active node OS. If we apply the Chinese wall model to the active network, we get the following five results:

1) AA1, AA2 and AA3 belong to the same conflict of interest class. If a user accesses any one AA, they cannot access the other AAs. For example, if a user executes AA1, they cannot access AA2 and AA3 ($AA_1 \stackrel{access}{\nsim} AA_2$, $AA_2 \stackrel{access}{\nsim} AA_1$, $AA_1 \stackrel{access}{\nsim} AA_3$, $AA_3 \stackrel{access}{\nsim} AA_1$, $AA_2 \stackrel{access}{\nsim} AA_3$, $AA_3 \stackrel{access}{\nsim} AA_2$).

2) EE1 and EE2 belong to the same conflict of interest class. If a user accesses one EE, they cannot access the other EE. For example, if a user accesses EE1, they cannot access EE2 ($EE_2 \stackrel{access}{\nsim} EE_1$, $EE_1 \stackrel{access}{\nsim} EE_2$).

3) EE, AA and ANOS belong to different conflict of interest classes, and a user can access one member from each different conflict of interest class.

4) When a user accesses one AA from the first conflict of interest class, they still have the freedom to access any one EE from the second conflict of interest class ($AA_1 \stackrel{read}{\sim} EE_1 \,|\, EE_2$, $AA_2 \stackrel{read}{\sim} EE_1 \,|\, EE_2$, $AA_3 \stackrel{read}{\sim} EE_1 \,|\, EE_2$).

5) When a user accesses some EE from the second conflict of interest class, they still have the freedom to access any one AA from the first conflict of interest class ($EE_1 \stackrel{write}{\sim} AA_1 \,|\, AA_2 \,|\, AA_3$, $EE_2 \stackrel{write}{\sim} AA_1 \,|\, AA_2 \,|\, AA_3$).

Fig. 3. Chinese wall models active network

According to the active network security architecture and security threat model, the first and second results accord with the security requirements of the active network. However, the fourth and fifth results violate the principles of the active network security architecture and security threat model. In the active network security architecture, $AA_i$ can only execute on the $EE_j$ that corresponds to $AA_i$, and $EE_j$ can only access the $AA_i$ that corresponds to $EE_j$. For example, when AA1 is forwarded to an active node, AA1 can only be executed on EE1 and cannot be executed by EE2. Although EE and AA belong to different conflict of interest classes, according to the active network secure architecture, once a user has first accessed $AA_i$ or $EE_j$ from one conflict of interest class, the user does not have the freedom to access an arbitrary $EE_j$ or $AA_i$ from the other conflict of interest class. Therefore, the Chinese wall model alone cannot model the active network policy. In order to model the active network, we present a new kind of security policy, which we call the family tree policy. The model is described in detail in the next section.

3 Family Tree Policies and Its Property

Access control is the process of mediating every request to resources and data maintained by an active node system and determining whether the request should be granted or denied. Since the above section asserts that BLP and the Chinese wall cannot model the active network policy, we present a novel access control policy for active networks called the family tree policy.

Fig. 4. Family tree policy for active networks

The family tree policy is shown in figure 4. The grandparent is the root of the family tree. Tom and Jack inherit from their parent, and Mike inherits from his own parent. If we consider one inheriting class from the point of view of Tom, the inheriting class includes {Tom, Tom and Jack's parent, grandparent}. Similarly, the inheriting classes of Jack and Mike are respectively {Jack, Tom and Jack's parent, grandparent} and {Mike, Mike's parent, grandparent}. Within one inheriting class there are different levels between the components: we take the level of Jack, Tom and Mike as the second level, and their parents and the grandparent as the first level and the zero level respectively. We now map the family tree onto the active network: the ANOS is the root (zero level), each EE a parent (first level) and each AA a leaf (second level). We then obtain the inheriting classes of AA1, AA2 and AA3:

$AA_1: \{AA_1, EE_1, ANOS\}$; $AA_2: \{AA_2, EE_1, ANOS\}$; $AA_3: \{AA_3, EE_2, ANOS\}$

We consider the family tree policy to have the following two properties, the simple property and the * property.

Simple property (Access property): A subject cannot access an object of a different inheriting class, i.e. one that does not belong to the subject's inheriting class. Similarly, a subject of a different inheriting class, one that does not belong to the object's inheriting class, cannot access the object. A subject can only access objects in its own inheriting class. All the different inheriting classes have the same ancestor; the ancestor can access any inheriting class and complies with the BLP model.

* Property: Write access is only permitted if

access is permitted by the simple property, and the subject dominates the object; that is, a subject is allowed to write to an object o if and only if the subject dominates the object.

According to the properties of the family tree policy, we analyze the active network policy and reach the following conclusions:

In the inheriting class of AA1: $AA_1 \stackrel{read}{\sim} EE_1$, $EE_1 \stackrel{read}{\sim} ANOS$, $AA_1 \stackrel{read}{\sim} ANOS$, $ANOS \stackrel{write}{\sim} EE_1$, $EE_1 \stackrel{write}{\sim} AA_1$, $ANOS \stackrel{write}{\sim} AA_1$.

In the inheriting class of AA2: $AA_2 \stackrel{read}{\sim} EE_1$, $EE_1 \stackrel{read}{\sim} ANOS$, $AA_2 \stackrel{read}{\sim} ANOS$, $ANOS \stackrel{write}{\sim} EE_1$, $EE_1 \stackrel{write}{\sim} AA_2$, $ANOS \stackrel{write}{\sim} AA_2$.

In the inheriting class of AA3: $AA_3 \stackrel{read}{\sim} EE_2$, $EE_2 \stackrel{read}{\sim} ANOS$, $AA_3 \stackrel{read}{\sim} ANOS$, $ANOS \stackrel{write}{\sim} EE_2$, $EE_2 \stackrel{write}{\sim} AA_3$, $ANOS \stackrel{write}{\sim} AA_3$.

According to the access property, across different inheriting classes we get the following operations: $AA_1 \stackrel{read}{\nsim} EE_2$, $AA_2 \stackrel{read}{\nsim} EE_2$, $AA_3 \stackrel{read}{\nsim} EE_1$, $EE_1 \stackrel{access}{\nsim} EE_2$, $EE_2 \stackrel{access}{\nsim} EE_1$, $AA_1 \stackrel{access}{\nsim} AA_2$, $AA_2 \stackrel{access}{\nsim} AA_1$, $AA_1 \stackrel{access}{\nsim} AA_3$, $AA_3 \stackrel{access}{\nsim} AA_1$, $AA_2 \stackrel{access}{\nsim} AA_3$, $AA_3 \stackrel{access}{\nsim} AA_2$, $EE_1 \stackrel{write}{\nsim} AA_3$, $EE_2 \stackrel{write}{\nsim} AA_1$, $EE_2 \stackrel{write}{\nsim} AA_2$.

The above conclusions accord with the secure operation requirements of active network security and the security threat model, and so can ensure the security of the active network. Suppose AA1 is executing on an active node and sends a request to access EE2. If the active network is modeled by the BLP or Chinese wall policy model, the request of AA1 is allowed; in fact this is forbidden in an active network. If the active network is modeled by the family tree policy, then according to its access property the request of AA1 is refused, because EE2 is not in the inheriting class of AA1. Suppose AA1 is executing on an active node and sends a request to access AA2 or AA3. If we use BLP to model the active network, the request of AA1 is allowed. If the Chinese wall model is used, the request of AA1 is refused. If the active network is modeled by the family tree policy, the request of AA1 is refused.

Similarly, suppose EE1 sends a request to access AA3. If the BLP or Chinese wall model is used to model the active network policy, this request is allowed; however, the request is not allowed in the active network secure architecture. If the family tree policy is used to model the active network policy, the request of EE1 is not allowed.

In order to discuss other properties of the family tree policy, we now formalize them.

Let $S$ be a set of subjects, $O$ a set of objects, $FT$ the family tree of the system and $root$ the root of $FT$. Let $L_i$ ($i = 1, \ldots, n$) be a leaf of $FT$ and $n_i$ a node of the family tree. $IC_{L_i}$ is defined as the inheriting class of $L_i$. The algorithm for composing the inheriting class is described as follows:
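The composition algorithm itself is not reproduced on this page. As an added example, not code from the paper, the following Python builds the inheriting class of every leaf as the chain from the leaf up to the root and decides requests by the simple property and the * property of Section 3. The node layout (ANOS as root, EE1 hosting AA1 and AA2, EE2 hosting AA3) follows Sections 3 and 4; the class and function names are assumptions of this example. The plain-BLP decision is included only to reproduce the contrast of Section 2.1, where BLP alone admits the cross-class requests.

```python
from typing import Dict, List, Optional, Tuple

# Constructed active node, following Sect. 3 and Fig. 6 of the paper: ANOS is
# the root, EE1 hosts AA1 and AA2, EE2 hosts AA3.  Maps node -> parent.
ACTIVE_NODE: Dict[str, Optional[str]] = {
    "ANOS": None,
    "EE1": "ANOS", "EE2": "ANOS",
    "AA1": "EE1", "AA2": "EE1", "AA3": "EE2",
}


class FamilyTreePolicy:
    """Family tree policy over a parent map (assumed structure).

    Level is tree depth (ANOS = 0, EE = 1, AA = 2).  Inside one inheriting
    class reads go from descendant to ancestor (AA reads EE, EE reads ANOS)
    and writes from ancestor to descendant (ANOS writes EE, EE writes AA),
    which reproduces the operations listed for each class in Sect. 3.
    """

    def __init__(self, parent: Dict[str, Optional[str]]) -> None:
        self.parent = dict(parent)
        roots = [n for n, p in self.parent.items() if p is None]
        if len(roots) != 1:
            raise ValueError("a family tree has exactly one root (the ANOS)")
        self.root = roots[0]
        for node in self.parent:        # reject dangling parents and cycles
            self.inheriting_class(node)

    def inheriting_class(self, node: str) -> List[str]:
        """IC of `node`: the chain node -> parent -> ... -> root."""
        chain: List[str] = []
        cur: Optional[str] = node
        while cur is not None:
            if cur in chain:
                raise ValueError(f"cycle through {cur}")
            if cur not in self.parent:
                raise ValueError(f"unknown node {cur}")
            chain.append(cur)
            cur = self.parent[cur]
        return chain

    def leaves(self) -> List[str]:
        parents = {p for p in self.parent.values() if p is not None}
        return [n for n in self.parent if n not in parents]

    def level(self, node: str) -> int:
        return len(self.inheriting_class(node)) - 1

    # Simple (access) property: subject and object must lie in one inheriting
    # class, i.e. one is an ancestor of the other.  The root is in every class.
    def can_access(self, s: str, o: str) -> bool:
        return o in self.inheriting_class(s) or s in self.inheriting_class(o)

    # Reads go up the chain: the reader's level dominates the object's.
    def can_read(self, s: str, o: str) -> bool:
        return self.can_access(s, o) and self.level(s) >= self.level(o)

    # * property: writes go down the chain, the ancestor dominating the object.
    def can_write(self, s: str, o: str) -> bool:
        return self.can_access(s, o) and self.level(s) <= self.level(o)


def blp_allows(policy: FamilyTreePolicy, s: str, op: str, o: str) -> bool:
    """Plain BLP on the same levels, ignoring the tree (Sect. 2.1): a read needs
    C(s) to dominate C(o), a write needs C(o) to dominate C(s).  Levels are
    totally ordered, so one of the two is always possible ("access")."""
    if op == "read":
        return policy.level(s) >= policy.level(o)
    if op == "write":
        return policy.level(s) <= policy.level(o)
    return True


def decide(policy: FamilyTreePolicy, requests: List[Tuple[str, str, str]]
           ) -> Dict[Tuple[str, str, str], Tuple[bool, bool]]:
    """(subject, op, object) -> (family tree decision, BLP-only decision)."""
    ops = {"read": policy.can_read, "write": policy.can_write,
           "access": policy.can_access}
    return {(s, op, o): (ops[op](s, o), blp_allows(policy, s, op, o))
            for s, op, o in requests}


if __name__ == "__main__":
    policy = FamilyTreePolicy(ACTIVE_NODE)
    for leaf in policy.leaves():
        print(leaf, "->", policy.inheriting_class(leaf))
    for req, (ft, blp) in decide(policy, [("AA1", "read", "EE2"),
                                          ("AA1", "access", "AA2"),
                                          ("EE1", "write", "AA3")]).items():
        print(req, "family tree:", ft, "BLP:", blp)
```

The three requests in the `__main__` block are the ones discussed above (AA1 to EE2, AA1 to AA2, EE1 to AA3): BLP alone grants each of them, the family tree policy refuses each, because in every case the subject and object are not on one root-to-leaf chain. The constructor rejects a forest with more than one root and a parent map with a cycle, since neither yields a well-defined inheriting class.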

4 Information Flow Security

From the architecture of the active network, we know there are five kinds of information flow in an active network. They are shown in figure 5.

Fig. 5. Information flow in active network


In the active network, AA, EE and ANOS are taken as the second level, the first level and the zero level. From figure 5, the first and second flows are between components of the same level, whereas the third, fourth and fifth flows are between different levels. In the classic information flow security model, subjects and objects are compared by flow between a high level and a low level; there is little research on information flow within the same level. In the active network secure architecture, the first and second flows are prohibited. We cannot analyze the first and second information flows using the classic information flow security properties; therefore, we present a novel solution for analyzing the information flow of the active network.

Fig. 6. Information flow based on inheriting class

We take figure 6 as an example. The first information flow in figure 5 is the one among AA1, AA2 and AA3. The second flow is the one between EE1 and EE2. The third flow is the one between $AA_i$ and $EE_j$ ($i = 1, 2, 3$; $j = 1, 2$). The fourth flow is the one between $AA_i$ and ANOS ($i = 1, 2, 3$). The fifth flow is the one between $EE_j$ and ANOS. According to the active network secure architecture, AA1 and AA2 are only executed on EE1; EE1 only supports AA1 and AA2 and does not support AA3; AA3 is only executed on EE2. In order to analyze the information flow of the active network, we introduce the idea of the inheriting class from the above section to analyze the information security properties of the active network. We get three inheriting classes, described as follows:

$AA_1: \{AA_1, EE_1, ANOS\}$; $AA_2: \{AA_2, EE_1, ANOS\}$; $AA_3: \{AA_3, EE_2, ANOS\}$

From the above analysis, the information flow security properties of the active network are studied as the flow among the inheriting classes and the flow inside an inheriting class. The first information flow is contained in the flow among the three different inheriting classes. The second information flow is contained in the flow between the second and third inheriting classes. The third, fourth and fifth information flows are contained in the inner flows of the three different inheriting classes.

4.1 Information Flow Security Properties of Inheriting Class Inner

Since the inheriting class inner flow is relation of the high and low level, we can use the classic information flow security model to research the inheriting class inner flow.

Goguen and Meseguer, building on earlier work of Feiertag and Cohen, proposed the idea of non-interference [9]. It can be thought of as an attempt to get to the essence of what constitutes an information flow in a system and, more to the point, how to characterize the absence of any flow. In this sense it resides at a more abstract level than the access-control models and can be thought of as providing a formal semantics to the one-way-flow intuition behind terms like read and write. In particular, it abstracts completely from the inner workings of the system in question and formulates the property purely in terms of user interactions with the system interfaces.

In Focardi and Gorrieri's papers [10][11], the information flow security properties are presented. Definition (BNNI, non-interference based on bisimulation):

$E \in BNNI \Leftrightarrow E / Act_H \approx_B (E \setminus Act_H) / Act_H$

Proposition (BNDC): $E$ is BNDC if and only if $\forall \Pi \in \mathcal{E}_H : E / Act_H \approx_B (E \,|\, \Pi) \setminus Act_H$.

We use BNDC to study the information flow between the EE and the AA; we get figure 7. If we take the EE as the low level, the AA is comparatively the high level in the active network system. The active node is BNDC if for every high-level process AA a low-level user cannot distinguish between EE and $(EE \,|\, AA) \setminus Act_H$. In other words, the active node system is BNDC if what a low-level user sees of the system is not modified by composing any high-level process AA with EE.

Fig. 7. Information flows between EE and AA based on BNDC

4.2 Information Flow Security Properties between the Inheriting Flows

Information flow among the inheriting classes is not flow between a high and a low level: the classes are at the same level, so we cannot use the classic information flow security properties to analyze it. In this section, we present a novel method to analyze it based on timestamps.


Let $IC_{i,t}$ ($i \in \{1, \ldots, n\}$, $t$ denotes time) be the $i$-th inheriting class at time $t$. We want the flows between the inheriting classes to be independent:

$P(IC_{i,t} \mid IC_{j,t}) = P(IC_{i,t}), \quad i, j \in \{1, \ldots, n\},\ i \ne j.$

This means that the $i$-th inheriting class is independent of the $j$-th inheriting class at time $t$.

In order to ensure security for the active network, we obtain the following requirement:

$P(IC_{i,t} \mid IC_{j,t-1}) = P(IC_{i,t}), \quad i, j \in \{1, \ldots, n\},\ i \ne j.$

The requirement means that the $i$-th inheriting class at time $t$ is independent of the $j$-th inheriting class at time $t-1$. In other words, when an active application $AA_i$ is executing in its execution environment at time $t$, $AA_i$ expects that an $AA_j$ executing at time $t-1$ does not influence it.

Further, we consider the following condition:

$P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t}) = P(IC_{i,t} \mid IC_{i,t-1})$ and $P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t-1}) = P(IC_{i,t} \mid IC_{i,t-1}), \quad i, j \in \{1, \ldots, n\},\ i \ne j.$

That is, the $i$-th inheriting class at time $t$ depends on the $i$-th inheriting class at time $t-1$. This accords with the requirement of the active network secure architecture, because an active application $AA_i$ executing at time $t$ must depend on the state of $AA_i$ executing in the execution environment at time $t-1$. In simple words, the state change of an inheriting class depends only on its own state at time $t-1$ and is independent of the other classes' states at time $t$ or $t-1$.

If $P(IC_{i,t} \mid IC_{j,t}) \ne P(IC_{i,t})$, $i, j \in \{1, \ldots, n\}$, $i \ne j$, the state change of the inheriting class $IC_{i,t}$ at time $t$ depends on the state of $IC_{j,t}$ at time $t$. In this condition there are insecure information flows between the two inheriting classes. Let a normal active application be executing in an execution environment while, at the same time, a malicious active application is executing in an execution environment. If the state change of the normal active application depends on the state of the malicious active application, the malicious active application can do unexpected harm to the normal one.

Similarly, if $P(IC_{i,t} \mid IC_{j,t-1}) \ne P(IC_{i,t})$, the state change of $IC_{i,t}$ at time $t$ depends on the state of $IC_{j,t-1}$ at time $t-1$, which means that the flow among the inheriting classes in this condition is insecure. For example, when a normal active application is executing in an execution environment, if its state depends on the state of a malicious active application at the previous time, the normal active application can be attacked by the malicious one.

We further consider the more complex condition in which the information flows between the inheriting classes satisfy

$P(IC_{i,t} \mid IC_{j,t}) = P(IC_{i,t})$ and $P(IC_{i,t} \mid IC_{j,t-1}) = P(IC_{i,t}), \quad i, j \in \{1, \ldots, n\},\ i \ne j,$

but do not satisfy the condition

$P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t}) = P(IC_{i,t} \mid IC_{i,t-1})$ and $P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t-1}) = P(IC_{i,t} \mid IC_{i,t-1}), \quad i, j \in \{1, \ldots, n\},\ i \ne j.$

In this condition the information flow among the inheriting classes is insecure. However, these conditions are a very strong restriction when designing the monitor system of the active network. If we do not consider them, the information flow among the inheriting classes must ensure its security under the following conditions:

a) $P(IC_{i,t} \mid IC_{j,t}) = P(IC_{i,t}), \quad i, j \in \{1, \ldots, n\},\ i \ne j$

b) $P(IC_{i,t} \mid IC_{j,t-1}) = P(IC_{i,t}), \quad i, j \in \{1, \ldots, n\},\ i \ne j$

c) $P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t}) = P(IC_{i,t} \mid IC_{i,t-1})$ and $P(IC_{i,t} \mid IC_{i,t-1} \,\&\, IC_{j,t-1}) = P(IC_{i,t} \mid IC_{i,t-1}), \quad i, j \in \{1, \ldots, n\},\ i \ne j$
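As an added example, not from the paper, the following Python evaluates the three conditions above on a trace of inheriting-class states, the record a monitor would keep of $IC_{i,t}$ for every class and time step, by comparing empirical frequencies: a pair is independent when the joint frequency factorizes into the marginals, and conditionally independent when that holds inside every slice with the same value of the conditioning state. The trace is constructed, not observed: IC1 and IC2 change state independently, while IC3 is a malicious application whose state copies IC2's state from the previous step. The function names, the binary state encoding and the tolerance are assumptions of this example.

```python
from collections import Counter
from itertools import product
from typing import Any, Dict, List, Sequence

# A trace is the monitor's record of every inheriting class's state at each
# time step: trace[t][name] is the state of IC_{name,t}.
Trace = List[Dict[str, Any]]


def _dist(values: Sequence[Any]) -> Dict[Any, float]:
    """Empirical distribution of a sequence of observations."""
    n = len(values)
    return {v: c / n for v, c in Counter(values).items()}


def independent(xs: Sequence[Any], ys: Sequence[Any], eps: float = 1e-9) -> bool:
    """Empirical check of P(X | Y) = P(X), i.e. P(X, Y) = P(X) P(Y) for every
    value pair; xs[k] and ys[k] are paired observations."""
    if len(xs) != len(ys) or not xs:
        raise ValueError("need equally long, non-empty observation sequences")
    px, py, pxy = _dist(xs), _dist(ys), _dist(list(zip(xs, ys)))
    return all(abs(pxy.get((x, y), 0.0) - px[x] * py[y]) <= eps
               for x, y in product(px, py))


def cond_independent(xs: Sequence[Any], ys: Sequence[Any], zs: Sequence[Any],
                     eps: float = 1e-9) -> bool:
    """Empirical check of P(X | Z, Y) = P(X | Z): X and Y independent inside
    every slice of observations that share the same value of Z."""
    if not (len(xs) == len(ys) == len(zs)) or not xs:
        raise ValueError("need equally long, non-empty observation sequences")
    for z in set(zs):
        idx = [k for k, v in enumerate(zs) if v == z]
        if not independent([xs[k] for k in idx], [ys[k] for k in idx], eps):
            return False
    return True


def states(trace: Trace, name: str, start: int, stop: int) -> List[Any]:
    """States of class `name` for t in [start, stop)."""
    return [step[name] for step in trace[start:stop]]


def flow_is_secure(trace: Trace, i: str, j: str, eps: float = 1e-9) -> Dict[str, bool]:
    """Conditions a) and b) for the ordered pair (i, j), evaluated over t = 1..T-1:
    a) IC_{i,t} independent of IC_{j,t};  b) IC_{i,t} independent of IC_{j,t-1}."""
    T = len(trace)
    if T < 2:
        raise ValueError("need at least two time steps")
    ic_i_t = states(trace, i, 1, T)
    return {
        "a_same_time": independent(ic_i_t, states(trace, j, 1, T), eps),
        "b_previous_time": independent(ic_i_t, states(trace, j, 0, T - 1), eps),
    }


def own_state_sufficient(trace: Trace, i: str, j: str, eps: float = 1e-9) -> Dict[str, bool]:
    """Condition c): given IC_{i,t-1}, IC_{i,t} is independent of IC_{j,t} and of
    IC_{j,t-1}, i.e. the class evolves from its own previous state only."""
    T = len(trace)
    if T < 2:
        raise ValueError("need at least two time steps")
    ic_i_t, ic_i_prev = states(trace, i, 1, T), states(trace, i, 0, T - 1)
    return {
        "c_given_own_vs_same_time": cond_independent(
            ic_i_t, states(trace, j, 1, T), ic_i_prev, eps),
        "c_given_own_vs_previous": cond_independent(
            ic_i_t, states(trace, j, 0, T - 1), ic_i_prev, eps),
    }


def build_trace(steps: int = 9) -> Trace:
    """Constructed sample trace (not observed data): IC1 toggles every two
    steps, IC2 every step, and IC3 is a malicious application that copies
    IC2's state from the previous step."""
    trace: Trace = []
    prev_ic2 = 0
    for t in range(steps):
        ic2 = t % 2
        trace.append({"IC1": (t // 2) % 2, "IC2": ic2, "IC3": prev_ic2})
        prev_ic2 = ic2
    return trace


if __name__ == "__main__":
    trace = build_trace()
    for pair in (("IC1", "IC2"), ("IC3", "IC2")):
        print(pair, flow_is_secure(trace, *pair), own_state_sufficient(trace, *pair))
```

On the constructed trace the pair (IC1, IC2) passes a) and b), while (IC3, IC2) fails a), b) and both halves of c): IC3's state is a function of IC2's previous state, which is exactly the dependence the text calls insecure. The check compares frequencies exactly, so it only says anything on traces long enough for the marginals to factorize; on this nine-step trace the benign pair (IC1, IC3) already comes out as dependent at lag one by chance. A monitor built on this idea would replace the exact comparison with a hypothesis test (a chi-square or G-test of independence at a chosen significance level) over a long window of observations.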

5 Conclusion

In this paper, we describe an active network security model from the viewpoints of access control and information flow. Access control is the process of mediating every request to resources and data maintained by an active node system and determining whether the request should be granted or denied. We present an access control policy called the family tree policy. The family tree policy can correctly represent an active network that cannot be correctly modeled by the BLP and Chinese wall models. In the family tree policy, the subjects and objects of the system are classified into different inheriting classes. A subject cannot access an object of a different inheriting class. Within the same inheriting class, subject and object abide by the BLP model. All the different inheriting classes have the same ancestor; the ancestor can access any inheriting class and complies with the BLP model. In order to study the information flow security properties of the active network, we use the idea of inheriting classes to analyze its information flows. The properties of information flow are described by the inner properties of an inheriting class and the properties among different inheriting classes. The properties among the different inheriting classes cover the first and second information flows of the active network; the third, fourth and fifth information flows are described by the inner properties of the inheriting classes.

References

1. Tennenhouse, D. and Wetherall, D.: Towards an Active Network Architecture. In: Multimedia Computing and Networking, San Jose, CA, 1996.

2. Wetherall, D. et al.: ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols. IEEE OPENARCH'98, San Francisco, CA, April 1998.

3. AN Security Working Group: Security Architecture, May 2000. www.choices.cs.uiuc.edu/Security/seraphim/May2000/SecurityArchitecture.pdf

4. Campbell, R. H. and Liu, Z.: Dynamic Interoperable Security Architecture for Active Networks. IEEE OPENARCH 2000, Israel, March 2000, pp. 32-41.

5. Calvert, K. L.: Architectural Framework for Active Networks, Version 1.0. University of Kentucky, July 1999. www.ccgatech.edu/project/canes/papers/arch-1-0.ps.gz

6. Bell, D. E. and LaPadula, L. J.: Secure Computer Systems: Mathematical Foundations. Technical Report ESD-TR-278, vol. 1, The Mitre Corp., Bedford, MA, 1973.

7. Bell, D. E.: Secure Computer Systems: A Refinement of the Mathematical Model. Technical Report ESD-TR-278, vol. 3, The Mitre Corp., Bedford, MA, 1973.

8. Brewer, D. F. C. and Nash, M. J.: The Chinese Wall Security Policy. In: Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1989, pp. 215-228.

9. Goguen, J. A. and Meseguer, J.: Security Policies and Security Models. In: Proc. of the 1982 IEEE Symposium on Security and Privacy, pp. 11-20.

10. Focardi, R. and Gorrieri, R.: A Classification of Security Properties. Journal of Computer Security 3(1) (1995) 5-33.

11. Focardi, R. and Gorrieri, R.: The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties. IEEE Trans. on Software Engineering 23(9) (1997) 550-571.