Role-based Information Flow Control Models

In information systems, data in an object may illegally flow into another object if a subject manipulates the objects. In this paper, we discuss information flow control models to prevent illegal information to occur in the role-based access control (RBAC) model. First, we define a legal information flow relation r(i) double right arrow r(j) among roles r(i) and r(j). It means, if a subject granted the role r(i) manipulates objects before another subject granted the role r(j), no illegal information flow occur. We discuss safe systems where no illegal information flow occur even if operations from different subjects are performed in any order. Then, we discuss a role-based synchronization (RBS) protocol and an object-based synchronization (OBS) protocol to prevent illegal information flow in unsafe systems. Here, a transaction is aborted if the transaction reads an object and illegal information flow might occur. In the RBS protocol, the illegal information flow condition is specified in terms of roles while objects in the OBS protocol. We evaluate the RBS and OBS protocols in terms of number of transactions aborted.