This family describes the rules for the specific functions that can implement the information flow control SFPs named in FDP_IFC, which also specifies the scope of control of the policies. It consists of two "trees:" one addressing the common information flow control function issues, and a second addressing illicit information flows (i.e. covert channels) with respect to one or more information flow control SFPs. This division arises because the issues concerning illicit information flows are, in some sense, orthogonal to the rest of an SFP. Illicit information flows are flows in violation of policy; thus they are not a policy issue.
User notes
In order to implement strong protection against disclosure or modification in the face of untrusted software, controls on information flow are required. Access controls alone are not sufficient because they only control access to containers, allowing the information they contain to flow, without controls, throughout a system.
In this family, the phrase "types of illicit information flows" is used. This phrase may be used to refer to the categorisation of flows as "Storage Channels" or "Timing Channels", or it can refer to improved categorisations reflective of the needs of a PP/ST author.
The flexibility of these components permits the definition of a privilege policy within FDP_IFF.1 and FDP_IFF.2 that allows the controlled bypass of all or part of a particular SFP. If there is a need for a predefined approach to SFP bypass, the PP/ST author should consider incorporating a privilege policy.
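The following worked example is added here to illustrate the two points in these user notes; it is not part of the Common Criteria text and is not any evaluated TOE's implementation. It models one constructed scenario: a subject is granted, by access control lists alone, read access to a secret container and write access to a public container, so the ACLs allow the secret data to flow into the public container. A label-based information flow monitor closes that gap, and a constructed privilege (`declassify`) implements the controlled bypass that the notes describe, with every use recorded. The label lattice (levels plus categories), the container and subject names, and the privilege name are all assumptions chosen for the example; the lattice is more general than the simple high/low case the notes imply.

```python
"""Added example (not CC text): access control alone versus an information
flow SFP with a privilege-policy bypass."""
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels; categories form the lattice's second axis.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.categories <= self.categories

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label of anything derived from both inputs."""
        level = self.level if LEVELS[self.level] >= LEVELS[other.level] else other.level
        return Label(level, self.categories | other.categories)


@dataclass
class Container:
    name: str
    label: Label
    readers: frozenset  # access-control list for read
    writers: frozenset  # access-control list for write
    contents: list = field(default_factory=list)


@dataclass
class Subject:
    name: str
    label: Label                         # floats upward with every read
    privileges: frozenset = frozenset()  # constructed: {"declassify"} under a privilege policy


def acl_allows(subject: Subject, container: Container, op: str) -> bool:
    """Pure access control: only the container is checked, never where its data came from."""
    allowed = container.readers if op == "read" else container.writers
    return subject.name in allowed


class FlowMonitor:
    """Reference monitor enforcing an information flow SFP on top of the ACLs."""

    def __init__(self) -> None:
        self.audit: list = []

    def read(self, subject: Subject, container: Container) -> str:
        if not acl_allows(subject, container, "read"):
            return "denied: acl"
        # The subject now holds the data, so its label rises to cover it.
        subject.label = subject.label.join(container.label)
        return "allowed"

    def write(self, subject: Subject, container: Container, data: str) -> str:
        if not acl_allows(subject, container, "write"):
            return "denied: acl"
        if container.label.dominates(subject.label):
            container.contents.append(data)
            return "allowed"  # no write-down: the flow is within policy
        if "declassify" in subject.privileges:
            # Controlled bypass of the SFP: permitted, but every use is recorded.
            self.audit.append((subject.name, container.name, subject.label.level))
            container.contents.append(data)
            return "allowed: privileged bypass"
        return "denied: flow"


def scenario(privileged: bool) -> dict:
    """Run the constructed scenario and return the decision taken at each step."""
    secret_doc = Container("secret_doc", Label("secret", frozenset({"hr"})),
                           readers=frozenset({"report_job"}), writers=frozenset())
    public_log = Container("public_log", Label("public"),
                           readers=frozenset({"report_job", "anyone"}),
                           writers=frozenset({"report_job"}))
    job = Subject("report_job", Label("public"),
                  privileges=frozenset({"declassify"}) if privileged else frozenset())
    monitor = FlowMonitor()
    return {
        "acl_read_ok": acl_allows(job, secret_doc, "read"),
        "acl_write_ok": acl_allows(job, public_log, "write"),
        "read": monitor.read(job, secret_doc),
        "label_after_read": job.label.level,
        "write": monitor.write(job, public_log, "salary table"),
        "audit": monitor.audit,
        "log_contents": public_log.contents,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("privileged" if mode else "unprivileged", scenario(mode))
```

Running the unprivileged scenario shows both ACL checks succeeding while the monitor denies the write with `denied: flow`; the privileged run writes the data but leaves an audit record naming the subject, the destination and the label that was bypassed, which is the evidence a reviewer of a privilege policy would want to see.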