This paper describes the decentralized label model, a new model for controlling information flow in systems with mutual distrust and decentralized authority. The model allows users to share information with distrusted code (e.g., downloaded applets), yet still control how that code disseminates the shared information to others. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows and to avoid most run-time information flow checks. In addition to presenting the model, the paper also discusses how the model can be supported in a distributed environment, including an introduction to Jif an extension to Java that incorporates the model and permits static checking of information flow.
展开▼