#import "../common.typ": *
#import "@preview/prooftrees:0.1.0": *
#show: doc => conf("Language-Based Security", doc)

== Security labels

=== Flow relations

- If $l_1 subset.sq.eq l_2$ then information is allowed to flow from $l_1$ to $l_2$
- This relation should be reflexive and transitive
- It should *NOT* be symmetric
- This is known as a _pre-order_
- We may also want to add anti-symmetry, which makes it a _partial order_
- Actually, we could use a join-semi-lattice (Denning 1978)
  - _Unique_ least upper bound operation
  - If we didn't have a unique least upper bound, then $c = a plus.circle b ; d_1 = c; d_2 = c$ may not work: there would be no single label to give $c$ that both $d_1$ and $d_2$ can be checked against

More general form of non-interference:

- Lattice $(Lambda, subset.sq.eq)$ of security levels
- Using this, program $c$ is non-interfering if:
  $ forall sigma_1, sigma_2, sigma'_1, sigma'_2, l in Lambda => \
    "if" sigma_1 op(=)_l sigma_2 "and" angle.l c, sigma_1 angle.r arrow.b.double sigma'_1 "and" angle.l c, sigma_2 angle.r arrow.b.double sigma'_2 \
    "then" sigma'_1 op(=)_l sigma'_2 $

=== Threat model

Information channels convey information. They are categorized into (Lampson 1973):

- Legitimate channels
- Covert channels (and side channels)

=== Interaction

Adding to IMP:

$ x := ... | "input from" l | "output" x "to" l \
  "Trace" in.rev tau ::= epsilon | tau dot "in"(n, l) | tau dot "out"(n, l) $

A trace is a sequence of events.

New non-interference, based on traces: the execution traces need to be the same!
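The lattice definition of non-interference from the "Security labels" section, as an added example that is not part of these notes: a small Python model of a Denning-style label lattice (level plus category set) with its flow relation and join, and a brute-force check of the definition over a two-valued domain. The program `prog_join` and the two label assignments are constructed for the demo; the trace-based variant from the "Interaction" section is not modelled here.

```python
from itertools import product

# Denning-style labels as (level, categories): l1 ⊑ l2 iff the level does not
# decrease and the category set does not shrink (a product lattice).
LEVELS = {"L": 0, "H": 1}
L, H = ("L", frozenset()), ("H", frozenset())

def flows_to(l1, l2):
    """The flow relation ⊑: reflexive, transitive, not symmetric."""
    return LEVELS[l1[0]] <= LEVELS[l2[0]] and l1[1] <= l2[1]

def join(l1, l2):
    """Unique least upper bound: the label of a value computed from both inputs."""
    return (max(l1[0], l2[0], key=LEVELS.get), l1[1] | l2[1])

def low_equal(s1, s2, labels, l):
    """sigma_1 =_l sigma_2: the states agree on every variable whose label flows to l."""
    return all(s1[v] == s2[v] for v, lab in labels.items() if flows_to(lab, l))

def noninterfering(prog, labels, l, domain=(0, 1)):
    """Brute-force check of the lattice definition over all states built from `domain`:
    for every l-equal pair of input states the output states must also be l-equal."""
    names = list(labels)
    states = [dict(zip(names, vals)) for vals in product(domain, repeat=len(names))]
    for s1, s2 in product(states, repeat=2):
        if low_equal(s1, s2, labels, l) and not low_equal(prog(dict(s1)), prog(dict(s2)), labels, l):
            return False
    return True

def prog_join(s):
    """Constructed demo program: c := a ⊕ b; d1 := c; d2 := c (⊕ taken as xor)."""
    s["c"] = s["a"] ^ s["b"]
    s["d1"] = s["c"]
    s["d2"] = s["c"]
    return s

# a is public, b is secret; c and its two copies get join(L, H) = H.
LABELS_OK = {"a": L, "b": H, "c": H, "d1": H, "d2": H}
# Same program, but c labelled below the join: an observer at level L
# now sees a value that depends on the secret b.
LABELS_BAD = {"a": L, "b": H, "c": L, "d1": L, "d2": L}

if __name__ == "__main__":
    print(flows_to(L, H), flows_to(H, L))           # True False
    print(noninterfering(prog_join, LABELS_OK, L))   # True
    print(noninterfering(prog_join, LABELS_BAD, L))  # False
```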