Only Connect, Securely

The lattice model proposed by Denning in her seminal work provided secure information flow analyses with an intuitive and uniform mathematical foundation. Different organisations, however, may employ quite different security lattices. In this paper, we propose a connection framework that permits different organisations to exchange information while maintaining both security of information flows as well as their autonomy in formulating and maintaining security policy. Our prescriptive framework is based on the rigorous mathematical framework of Lagois connections given by Melton, together with a simple operational model for transferring object data between domains. The merit of this formulation is that it is simple, minimal, adaptable and intuitive, and provides a formal framework for establishing secure information flow across autonomous interacting organisations. We show that our framework is semantically sound, by proving that the connections proposed preserve standard correctness notions such as non-interference.


Introduction
Denning's seminal work [7] proposed complete lattices as the appropriate mathematical framework for questions regarding secure information flow (SIF). An information flow model (IFM) is characterised as N, P, SC, ⊔, ⊑ where: Storage objects in N are assigned security levels drawn from a (finite) complete lattice SC. P is a set of processes (also assigned security classes as clearances). The partial ordering ⊑ represents permitted flows between classes; reflexivity and transitivity capture intuitive aspects of information flow; antisymmetry helps avoid redundancies in the framework, and the join operation ⊔ succinctly captures the combination of information belonging to different security classes in arithmetic, logical and computational operations. This lattice model provides an abstract uniform framework that identifies the commonalities of the variety of analyses for different applications -e.g., confidentiality and trust -whether at the language level or a system level. In the ensuing decades, the vast body of secure information flow analyses has been built on these mathematical foundations, with the development of a plethora of static and dynamic analysis techniques ⋆ Supported by Indo-Japanese project Security in the IoT Space, DST, Govt of India.
The objective of this paper is to propose a simple way in which large-scale distributed secure systems can be built by connecting components in a secure and modular manner. Our work begins with the observation that large information systems are not monolithic: Different organisations define their own information flow policies independently, and subsequently collaborate or federate with one another to exchange information. In general, the security classes and the lattices of any two organisations may be quite different -there is no single universal security class lattice. Moreover, modularity and autonomy are important requirements since each organisation would naturally wish to retain control over its own security policies and the ability to redefine them. Therefore, fusing different lattices by taking their union is an unsatisfactory approach, more so since the security properties of application programs would have to be re-established in this possibly enormous lattice.
When sharing information, most organisations limit the cross-domain communications to a limited set of security classes (which we call transfer classes). In order to ensure that shared data are not improperly divulged, two organisations usually negotiate agreements or memorandums of understanding (MoUs), promising that they will respect the security policies of the other organisation. We argue that a good notion of secure connection should require reasoning only about those flows from only the transfer classes mentioned in a MoU. Usually, cross-domain communication involves downgrading the security class of privileged information to public information using primitives such as encryption, and then upgrading the information to a suitable security class in the other domain. Such approaches, however, do not gel well with correctness notions such as non-interference. Indeed the question of how to translate information between security classes of different lattices is interesting [6].
Contributions of this paper.
In this paper, we propose a simple framework and sufficient conditions under which secure flow guarantees can be enforced without exposing the complexities and details of the component information flow models. The framework consists of (1) a way to connect security classes of one organisation to those in another while satisfying intuitive requirements; (2) a simple language that extends the operations within an organisation with primitives for transferring data between organisations; and (3) a type system and operational model for these constructs, which we use to establish that the framework conserves security.
In §2, we first identify, using intuitive examples, violations in secure flow that may arise when two secure systems are permitted to exchange information in both directions. Based on these lacunae, we formulate security and precision requirements for secure bidirectional flow. We then propose a framework that guarantees the absence of such policy violations, without impinging on the autonomy of the individual systems, without the need for re-verifying the security of the application procedures in either of the domains, and confining the analysis to only the transfer classes involved in potential exchange of data. Our approach is based on monotone functions and an elegant theory of connections [16] between the security lattices. Theorem 2 shows that Lagois connections between the security lattices satisfy the security and precision requirements.
We present, in §3, a minimal operational language consisting of a small set of atomic primitives to effect the transfer of data between domains. The framework is simple and can be adapted for establishing secure connections between distributed systems at any level of abstraction (language, system, database, ...). We assume each domain uses atomic transactional operations for object manipulation and intra-domain computation. The primitives of our model include reliable communication between two systems, transferring object data in designated output variables of one domain to designated input variables of a specified security class in the other domain. We also assume a generic set of operations in each domain for copying data from input variables to domain objects, and from domain objects to output variables. To avoid interference between inter-domain communication and the computations within the domains, we assume that the sets of designated input and output variables are all mutually exclusive of one another, and also with the program/system variables used in the computations within each domain. Thus by design we avoid the usual suspects that cause interference and insecure transfer of data. The operational description of the language consists of the primitives together with their execution rules ( §3.1).
The correctness of our framework is demonstrated by expressing soundness (with respect to the operational semantics) of a type system ( §3.2), stated in terms of the security lattices and their connecting functions. In particular, Theorem 8 shows the standard semantic property of non-interference in both domains holds of all operational behaviours. We adapt and extend the approach taken by Volpano et al [23] to encompass systems coupled using the Lagois connection conditions (and assuming atomicity of the data transfer operations), to show that security is conserved. We believe that our formulation is general enough to be applicable to other behavioural notions of secure information flow as a safety property [1].
In §4, we briefly review some related work. We conclude in §5 with a discussion on our approach and directions for future work.

Lagois Connections and All That
Motivating Examples. Consider a university system in which students study in semi-autonomously administered colleges (one such is C) that are affiliated to a university (U ). The university also has "university professors" with whom students can take classes. We assume each institution has established the security of its information flow mechanisms and policies.    We first observe that formulating an agreement between the institutions that respects the flow policies within the institutions is not entirely trivial. Consider an arrangement where the college Faculty and University Faculty can share information (say, course material and examinations), and the Dean of Colleges in the University can exchange information (e.g., students' official grade-sheets) with the college's Dean of Students. Even such an apparently reasonable arrangement suffers from insecurities, as illustrated in Fig. 1 by the flow depicted using dashed red arrows, where information can flow from the college's Faculty to the college's Dean of Students. (Moral: internal structure of the lattices matters.) As long as information flows unidirectionally from colleges to the University, monotone functions from the security classes of the college lattice C to university security lattice U suffice to ensure secure information flow. A function α : C → U is called monotone if whenever sc 1 ⊑ sc 2 in C then α(sc 1 ) ⊑ ′ α(sc 2 ) in U . 1 Monotonicity also constrains possible flows between classes of the two domains, once certain important flows between certain classes have been identified (see Fig. 2). Moreover, since monotone functions are closed under composition, one can chain them to create secure unidirectional information flow connections through a series of administrative domains. Monotonicity is a basic principle adopted for information flow analyses, e.g. [13].
However, when there is "blowback" of information, mere monotonicity is inadequate for ensuring SIF. Consider the bidirectional flow situation in Fig.  3, where data return to the original domain. Monotonicity of both functions α : C → U and γ : U → C does not suffice for security because the composition

⊤2 ⊤1
CollegeP rincipal Fig. 3. The blue/green and brown/red arrows define monotone functions in each direction. However, the red arrow highlights a flow that is a security violation.

⊤2 ⊤1
CollegeP rincipal Fig. 4. The arrows define a secure and precise connection. However, the security classification escalates quickly in a few round-trips, when information can flow in both directions. γ • α may not be non-decreasing. In Fig. 3, both α and γ are monotone but their composition can lead to information leaking from a higher class, e.g., College Principal, to a lower class, e.g., Faculty within C -an outright violation of the college's security policy. Similarly, composition α • γ may lead to violation of the University's security policy.
Requirements. We want to ensure that any "round-trip" flow of information, e.g., from a domain L to M and back to L, is a permitted flow in the lattice L, from where the data originated. Thus we require the following (tersely stated) "security conditions" SC1 and SC2 on α : L → M and γ : M → L, which preclude any violation of the security policies of both the administrative domains (see Fig. 5): We also desire precision, based on a principle of least privilege escalation -if data are exchanged between the two domains without any computation done on them, then the security level should not be needlessly raised. Precision is important for meaningful and useful analyses.
Further, if the data were to go back and forth between two domains more than once, the security classes to which data belong should not become increasingly restrictive after consecutive bidirectional data sharing (See Fig. 4, which shows monotone functions that keep climbing up to the top). This convergence requirement may be stated informally as conditions CC1 and CC2, requiring fixed points for the compositions γ • α and α • γ. Since security lattices are finite, CC1 and CC2 necessarily hold -such fixed points exist, though perhaps only at the topmost elements of the lattice. We would therefore desire a stronger requirement, where fixed points are reached as low in the orderings as possible.

⊤2 ⊤1
CollegeP rincipal Fig. 6. The arrows define a Galois Connection. However, the red arrows highlight flow security violations when information can flow in both directions.

Galois connections aren't the answer.
Any discussion on a pair of partial orders linked by a pair of monotone functions suggests the notion of a Galois connection, an elegant and ubiquitous mathematical structure that finds use in computing, particularly in static analyses. However, Galois connections are not the appropriate structure for bidirectional informational flow control.
Let L and M be two complete security class lattices, and α : L → M and γ : M → L be two monotone functions such that (L, α, γ, M ) forms a Galois connection. Recall that a Galois connection satisfies the condition , which would violate secure flow requirement SC2. Fig. 6 illustrates such a situation.
Why not Galois insertions? Now suppose L and M are two complete security class lattices, and α : L → M and γ : M → L be two monotone functions such that (L, α, γ, M ) forms a Galois insertion. Then the flow of information permitted by α and γ is guaranteed to be secure. However, Galois insertions mandate conditions on the definitions of functions α and γ that are much too strong, i.e., Typically data are shared only from a few security classes of any organisation. Organisations rarely make public their entire security class structure and permitted flow policies. Organisations also typically do not want any external influences on some subsets of its security classes. Thus, if not all elements of M are transfer classes, it may be impossible to define a Galois insertion (L, α, γ, M ) because we cannot force α to be surjective.

Lagois Connections.
Further, the connection we seek to make between two domains should allow us to transpose them. Fortunately there is an elegant structure, i.e., Lagois Connections [16], which exactly satisfies this as well as the requirements of security and bidirectional sharing (SC1, SC2, PC1, PC2, CC1 and CC2). They also conveniently generalise Galois Insertions.
Definition 1 (Lagois Connection [16]). If L = (L, ⊑) and M = (M , ⊑ ′ ) are two partially ordered sets, and α : L → M and γ : M → L are orderpreserving functions, then we call the quadruple (L, α, γ, M ) an increasing Lagois connection, if it satisfies the following properties: LC3 ensures that γ(α(c 1 )) is the least upper bound of all security classes in C that are mapped to the same security class, say The main result of this section is that if the negotiated monotone functions α and γ form a Lagois connection between the security lattices L and M , then information flows permitted are secure and precise. Proof. Condition SC1 holds because if α(l 1 ) ⊑ ′ m 2 , by monotonicity of γ, γ(α(l 1 )) ⊑ γ(m 2 ). But by LC1, l 1 ⊑ γ(α(l 1 )). So l 1 ⊑ γ(m 2 ). (A symmetric argument holds for SC2.) Conditions PC1 and PC2 are shown in Proposition 3.7 of [16]. Conditions CC1 and CC2 hold since the compositions γ •α and α•γ are closure operators, i.e., idempotent, extensive, order-preserving endo-functions on L and M .
In fact, Lagois connections ensure that information in a security class in the original domain remains accessible even after doing a round-trip from the other domain (Proposition 3.8 in [16]): We list various propositions about Lagois connections, which illustrate some of their important properties. In particular, the two functions γ and α uniquely determine each other. Moreover, there are largest members of their pre-images, which act as representatives for the equivalence classes of the equivalence relations ∼ M and ∼ L induced by these functions. Further, since our security domains are complete lattices, these distinguished points are closed under meets.  Let us consider two different organisations L and M that want to share data with each other. We start with the assumptions that the two domains comprise storage objects Z and Z ′ respectively, which are manipulated using their own sets of atomic transactional operations, ranged over by t and t ′ respectively. We further assume that these transactions within each domain are internally secure with respect to their flow models, and have no insecure or interfering interactions with the environment. Thus, we are agnostic to the level of abstraction of the systems we aim to connect securely, and since our approach treats the application domains as "black boxes", it is readily adaptable to any level of discourse (language, system, OS, database) found in the security literature. We extend these operations with a minimal set of operations to transfer data between the two domains. To avoid any concurrency effects, interference or race conditions arising from inter-domain transfer, we augment the storage objects of both domains with a fresh set of export and import variables into/from which the data of the domain objects can be copied atomically. We designate these sets X, X ′ as the respective export variables, and Y , Y ′ as the respective import variables, with the corresponding variable instances written as x i , x ′ i and y i , y ′ i . These export and import variables form mutually disjoint sets, and are distinct from any extant domain objects manipulated by the applications within a domain. These variables are used exclusively for transfer, and are manipulated atomically. We let w i range over all variables in N = Z ∪X ∪Y (respectively w ′ i over N ′ = Z ′ ∪X ′ ∪Y ′ ). Domain objects are copied to export variables and from import variables by special operations rd(z, y) and wr(x, z) (and rd ′ (z ′ , y ′ ) and wr ′ (x ′ , z ′ ) in the other domain). We assume atomic transfer operations (trusted by both domains) T RL , T LR that copy data from the export variables of one domain to the import variables of the other domain as the only mechanism for inter-domain flow of data. Let "phrase" p denote a command in either domain or a transfer operation, and let s be any (empty or non-empty) sequence of phrases.
(command) c ::= t | rd(z, y) | wr(x, z) c ′ : A store (typically µ, ν, µ ′ , ν ′ ) is a finite-domain function from variables to a set of values (not further specified). We write, e.g., µ(w) for the contents of the store µ at variable w, and µ[w := µ ′ (w ′ )] for the store that is the same as µ everywhere except at variable w, where it now takes value µ ′ (w ′ ).
The rules specifying execution of commands are given in Fig. 8. Assuming the specification of intradomain transactions of the form µ ⊢ t =⇒ ν and µ ′ ⊢ t ′ =⇒ ν ′ , our rules allow us to specify judgments of the form µ, µ ′ ⊢ p =⇒ ν, ν ′ for phrases, and (the reflexive-transitive closure) for sequences of phrases. Note that phrase execution occurs atomically, and the intra-domain transactions, as well as copying to and from the export/import variables affect

Fig. 8. Execution Rules
the store in only one domain, whereas the atomic transfer is only between export variables of one domain and the import variables of the other.

Typing Rules
Let the two domains have the respective different IFMs: such that the flow policies in both are defined over different sets of security classes SC and SC ′ . 2 The (security) types of the core language are as follows. Metavariables l and m ′ range over the sets of security classes, SC and SC ′ respectively, which are partially ordered by ⊑ and ⊑ ′ . A type assignment λ is a finite-domain function from variables N to SC (respectively, λ ′ from N ′ to SC ′ ). The important restriction we place on λ and λ ′ is that they map export and import variables X, X, Y ′ , Y only to points in the security lattices SC and SC ′ respectively which are in the domains of γ and α, i.e., these points participate in the Lagois connection. Intuitively, a variable w mapped to security class l can store information of security class l or lower. The type system works with respect to given type assignment. Given the security level, e.g., l, the typing rules track for each command within that domain whether all written-to variables in that domain are of security classes "above" l, and additionally for transactions within a domain, they ensure "simple security", i.e., that all variables which may have been read belong to security classes "below" l. We assume for the transactions within a domain, e.g., L, we have a type system that will give us judgments of the form λ ⊢ c : l. The novel extension of our approach is to extend this framework to work over two connected domains, i.e., given implicit security levels of the Fig. 9. Typing rules contexts in the respective domains. Cross-domain transfers will require pairing such judgments, and thus our type systems will have judgments of the form λ, λ ′ ⊢ p : l, m ′ We introduce a syntax-directed set of typing rules for the core language, given in Fig. 9. In many of the rules, the type for one of the domains is not constrained by the rule, and so any suitable type may be chosen as determined by the context, e.g., m ′ in the rules Tt, Trd, Twr and T T RL , and both l and m ′ in Com0.
For transactions e.g., t entirely within domain L, the typing rule Tt constrains the type in the left domain to be at a level l that dominates all variables read in t, and which is dominated by all variables written to in t, but places no constraints on the type m ′ in the other domain M . In the rule Trd, since a value in import variable y is copied to the variable z, we have λ(y) ⊑ λ(z), and the type in the domain L is λ(z) with no constraint on the type m ′ in the other domain. Conversely, in the rule Twr, since a value in variable z is copied to the export variable x, we have λ(z) ⊑ λ(x), and the type in the domain L is λ(x) with no constraint on the type m ′ in the other domain. In the rule T T RL , since the contents of a variable x ′ in domain M are copied into a variable y in domain L, we require γ(λ ′ (x ′ )) ⊑ λ(y), and constrain the type in domain L to λ(y). The constraint in the other domain is unimportant (but for the sake of convenience, we peg it at λ ′ (x ′ )). Finally, for the types of sequences of phrases, we take the meets of the collected types in each domain respectively, so that we can guarantee that no variable of type lower than these meets has been written into during the sequence. Note that Proposition 5 ensures that these types have the desired properties for participating in the Lagois connection.

Soundness
We now establish soundness of our scheme by showing a non-interference theorem with respect to operational semantics and the type systems built on the security lattices. This theorem may be viewed as a conservative adaptation (to a minimal secure data transfer framework in a Lagois-connected pair of domains) of the main result of Volpano et al [23].
We assume that underlying base transactional languages in each of the domains have the following simple property (stated for L, but an analogous property is assumed for M ): Within each transaction t, for each assignment of an expression e to any variable z, the following holds: If µ, ν are two stores such that for all w ∈ vars(e), we have µ(w) = ν(w), then after executing the assignment, we will get µ(z) = ν(z). That is, if two stores are equal for all variables appearing in the expression e, then the value assigned to the variable z will be the same. This assumption plays the rôle of "Simple Security" of expressions in [23] in the proof of the main theorem. The type system plays the rôle of "Confinement". We start with two obvious lemmas about the operational semantics, namely preservation of domains, and a "frame" lemma: Lemma 6 (Domain preservation). If µ, µ ′ ⊢ s ⇒ * µ 1 , µ ′ 1 , then dom(µ) = dom(µ 1 ), and dom(µ ′ ) = dom(µ ′ 1 ).
The main result of the paper assumes an "adversary" that operates at a security level l in domain L and at security level m ′ in domain M . Note however, that these two levels are interconnected by the monotone functions α : L → M and γ : M → L, since these levels are connected by the ability of information at one level in one domain to flow to the other level in the other domain.
Theorem 8 (Type Soundness). Suppose l, m ′ are the "adversarial" type levels in the respective domains, which satisfy the condition l = γ(m ′ ) and m ′ = α(l). Let

Related Work
The notion of Lagois connections [16] has surprisingly not been employed much in computer science. The only cited use of this idea seems to be the work of Huth [11] in establishing the correctness of programming language implementations. To our knowledge, our work is the only one to propose their use in secure information flow control. Abstract Interpretation and type systems [5] have been used in secure flow analyses, e.g., [3,4] and [24], where security types are defined using Galois connections employing, for instance, a standard collecting semantics. Their use of two domains, concrete and abstract, with a Galois connection between them, for performing static analyses within a single domain should not be confused with our idea of secure connections between independently-defined security lattices of two organisations.
There has been substantial work on SIF in a distributed setting at the systems level. DStar [26] for example, uses sets of opaque identifiers to define security classes. The DStar framework extends a particular DIFC model [12,25] for operating systems to a distributed network. The only partial order that is considered in DStar's security lattice is subset inclusion. So it is not clear if DStar can work on general IFC mechanisms such as FlowCaml [19], which can use any partial ordering. Nor can it express the labels of JiF [17] or Fabric [13] completely. DStar allows bidirectional communication between processes R and S only if L R ⊑ OR L S and L S ⊑ OS L R , i.e., if there is an order-isomorphism between the labels. Our motivating examples indicate such a requirement is far too restrictive for most practical arrangements for data sharing between organisations.
Fabric [13,14] adds trust relationships directly derived from a principal hierarchy to support federated systems with mutually distrustful nodes and allows dynamic delegation of authority.
Most of the previous DIFC mechanisms [2,8,12,17,20,25] including Fabric are susceptible to the vulnerabilities illustrated in our motivating examples, which we will mention in the concluding discussion.

Conclusions and Future Work
Our work is similar in spirit to Denning's motivation for proposing lattices, namely to identify a simple and mathematically elegant structure in which to frame the construction of scalable secure information flow in a modular manner that preserved the autonomy of the individual organisations. From the basic requirements, we identified the elegant theory of Lagois connections as an appropriate structure. Lagois connections provide us a way to connect the security lattices of two (secure) systems in a manner that does not expose their entire internal structure and allows us to reason only in terms of the interfaced security classes. We believe that this framework is also applicable in more intricate information flow control formulations such as decentralised IFC [18] and models with declassification, as well as formulations with data-dependent security classes [15]. We intend to explore these aspects in the future.
In this paper, we also proposed a minimal operational model for the transfer of data between the two domains. This formulation is spare enough to be adaptable at various levels of abstraction (programming language, systems, databases), and is intended to illustrate that the Lagois connection framework can conserve security, using non-interference as the semantic notion of soundness. The choice of non-interference and the use of a type system in the manner of Volpano et al. [23] was to illustrate in familiar terms how those techniques (removed from a particular language formulation) could be readily adapted to work in the context of secure connections between lattices. In this exercise, we made suitable assumptions of atomicity and the use of fresh variables for communication, so as to avoid usual sources of interference. We believe that the Lagois connection framework for secure flows between systems is readily adaptable for notions of semantic correctness other than non-interference, though that is an exercise for the future.
In the future we intend to explore how the theory of Lagois connections constitutes a robust framework that can support the discovery, decomposition, update and maintenance of secure MoUs for exchanging information. In this paper, we concerned ourselves only with two domains and bidirectional information exchange. Compositionality of Lagois connections allows these results to extend to chaining connections across several domains. In the future, we also intend to explore how one may secure more complicated information exchange arrangements than merely chains of bidirectional flow.
We close this discussion with a reminder of why it is important to have a framework in which secure flows should be treated in a modular and autonomous manner. Consider Myer's DIFC model described in [18], where a principal can delegate to others the capacity to act on its behalf. We believe that this notion does not scale well to large, networked systems since a principal may repose different levels of trust in the various hosts in the network. For this reason, we believe that frameworks such as Fabric [13,14] may provide more power than mandated by a principle of least privilege. In general, since a principal rarely vests unqualified trust in another in all contexts and situations, one should confine the influence of the principals possessing delegated authority to only specific domains. A mathematical framework that can deal with localising trust and delegation of authority in different domains and controlling the manner in which information flow can be secured deserves a deeper study. We believe that algebraic theories such as Lagois connections can provide the necessary structure for articulating these concepts.