The Decentralized Label Model (DLM) is an influential model of information flow that allows users of a system to express their own security policies in a decentralized fashion, while assuming mutual distrust. In addition, the DLM allows users to selectively declassify their data at will.
The DLM was proposed by Andrew Myers and Barbara Liskov in the late 1990s. See [Myers and Liskov 1998] for its formal semantics, and [Myers and Liskov 2000] for a high-level discussion of the model.
To begin, the DLM assumes a set of principals. These could be users (e.g. bob), groups (e.g. manager) or roles (e.g. doctor). There is an acts-for relation between principals: one principal may act for another, meaning it can act in that principal's name. This can encode membership in groups, assigned roles, etc.
The DLM model assumes that programs run on a trusted execution platform. That is: each program, even if untrusted, must have gone through a static checker verifying that it does not violate the security policies expressed in annotations called labels.
Labels in the DLM consist of a set of policies. Each policy consists of an owner, and a set of readers. Both the owners and the readers are principals of the system.
An example label is
A datum or program marked by has two owners ( and ), each of which specifies a set of readers ( specifies that and may read, whereas specifies that and may read).
A resource marked with may be read if all owners agree that a principal can read it. In this case only can read the resource. Thus, if an owner were to add a new reader to their component of , that could declassify previously confidential data.
To preserve confidentiality, data can flow only towards more restrictive labels. Thus, if we have - say - a variable and a value, then we can assign that value to the variable only when the label of the variable is more restrictive than the label of the value. This causes incremental relabelling.
There are four safe ways to relabel:
While the notion of readers is well-known and well-understood (even from the days of Bell and LaPadula), the DLM's innovation is the inclusion of the notion of owner.
Each resource has one or more owners. These owners are able to change labels by adding readers under their name, thereby declassifying that resource. Previous models of information flow only allowed declassification when performed by a 'root' user. Because there are multiple owners, a single one cannot arbitrarily declassify data without consent from everyone else. Thus, the DLM allows a decentralized approach to declassification.
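The label mechanics described above (principals and acts-for, labels as sets of owner/reader policies, the "all owners must agree" reader rule, flow only towards more restrictive labels, and owner-only declassification) are small enough to model directly. The following is an added example written for this page, not code from Myers and Liskov; the principal names, the acts-for pairs and the labels are constructed. The restrictiveness check follows the standard DLM ordering: a label may flow to another if every policy in the source is enforced at least as strictly by some policy in the destination whose owner acts for the source owner. The owner of a policy is treated as an implicit reader of its own policy, as in the papers.

```python
"""Toy model of DLM labels: principals, acts-for, labels as owner -> readers,
the restrictiveness (safe relabelling) check, a join, and declassification
that only an owner may perform. Added example, not the papers' own code."""
from __future__ import annotations
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Label = Dict[str, FrozenSet[str]]  # owner -> readers permitted by that owner
ActsFor = Set[Tuple[str, str]]    # (p, q) means p may act for q


def acts_for(p: str, q: str, rel: ActsFor) -> bool:
    """p acts for q under the reflexive, transitive closure of rel."""
    seen: Set[str] = set()
    stack = [p]
    while stack:
        cur = stack.pop()
        if cur == q:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(b for a, b in rel if a == cur)
    return False


def label(*policies: Tuple[str, Iterable[str]]) -> Label:
    """Build a label from (owner, readers) pairs."""
    return {owner: frozenset(readers) for owner, readers in policies}


def policy_allows(owner: str, readers: FrozenSet[str], p: str, rel: ActsFor) -> bool:
    """p may read under one policy if it acts for a listed reader or the owner
    (the owner is implicitly a reader of its own policy)."""
    return any(acts_for(p, r, rel) for r in readers | {owner})


def effective_readers(lbl: Label, principals: Set[str], rel: ActsFor) -> Set[str]:
    """All owners must agree: the readers are the intersection over policies."""
    return {p for p in principals
            if all(policy_allows(o, rs, p, rel) for o, rs in lbl.items())}


def may_flow(src: Label, dst: Label, rel: ActsFor) -> bool:
    """src may be relabelled to dst (dst is at least as restrictive) iff every
    source policy is matched by a destination policy whose owner acts for the
    source owner and whose readers each act for some source reader (or owner)."""
    for o, readers in src.items():
        matched = False
        for o2, readers2 in dst.items():
            if not acts_for(o2, o, rel):
                continue
            if all(any(acts_for(r2, r, rel) for r in readers | {o}) for r2 in readers2):
                matched = True
                break
        if not matched:
            return False
    return True


def join(a: Label, b: Label) -> Label:
    """A label both a and b may flow to: union of policies, intersecting the
    reader sets where the same owner appears in both (a safe approximation
    of the lattice join when acts-for is non-trivial)."""
    out: Label = dict(a)
    for o, rs in b.items():
        out[o] = (out[o] & rs) if o in out else rs
    return out


def declassify(lbl: Label, actor: str, owner: str, new_reader: str, rel: ActsFor) -> Label:
    """Add a reader to one owner's policy. This is NOT a safe relabelling, so
    it is permitted only to that owner or a principal acting for it."""
    if not acts_for(actor, owner, rel):
        raise PermissionError(f"{actor} cannot act for {owner}")
    if owner not in lbl:
        raise KeyError(f"{owner} owns no policy in this label")
    out: Label = dict(lbl)
    out[owner] = lbl[owner] | {new_reader}
    return out


# Constructed sample data: a manager who may act for carol, and a label with
# two owners who each name their own readers.
PRINCIPALS = {"alice", "bob", "carol", "dave", "eve", "manager"}
REL: ActsFor = {("manager", "carol")}
L = label(("alice", {"bob", "carol"}), ("dave", {"carol", "eve"}))

if __name__ == "__main__":
    print("readers of L:", sorted(effective_readers(L, PRINCIPALS, REL)))
    tighter = label(("alice", {"carol"}), ("dave", {"carol"}))
    print("L -> tighter safe?", may_flow(L, tighter, REL))
    print("tighter -> L safe?", may_flow(tighter, L, REL))
    L2 = declassify(L, "dave", "dave", "alice", REL)
    print("after dave declassifies to alice:", sorted(effective_readers(L2, PRINCIPALS, REL)))
    print("L -> L2 is a safe relabelling?", may_flow(L, L2, REL))
```

Running it shows that only carol (and manager, who acts for carol) can read L; that removing readers, adding a policy, or swapping a reader for one that acts for it are accepted by `may_flow`, while adding a reader or dropping an owner's policy is rejected; and that dave's declassification widens the reader set precisely because it is not a safe relabelling, which is why the model restricts it to the policy's owner.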
Myers, A.C., and B. Liskov. 1998. ‘Complete, Safe Information Flow with Decentralized Labels’. In Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186), 186–97. IEEE. https://doi.org/10.1109/SECPRI.1998.674834. [pdf]
@inproceedings{myers_1998,
title = {Complete, safe information flow with decentralized labels},
doi = {10.1109/SECPRI.1998.674834},
booktitle = {Proceedings. 1998 {IEEE} {Symposium} on {Security} and {Privacy} ({Cat}. {No}.{98CB36186})},
publisher = {IEEE},
author = {Myers, A.C. and Liskov, B.},
year = {1998},
pages = {186--197}
}
Myers, Andrew C., and Barbara Liskov. 2000. ‘Protecting Privacy Using the Decentralized Label Model’. ACM Transactions on Software Engineering and Methodology 9 (4): 410–42. https://doi.org/10.1145/363516.363526. [pdf]
@article{myers_protecting_2000,
title = {Protecting privacy using the decentralized label model},
volume = {9},
doi = {10.1145/363516.363526},
number = {4},
journal = {ACM Transactions on Software Engineering and Methodology},
author = {Myers, Andrew C. and Liskov, Barbara},
year = {2000},
pages = {410--442}
}