The decentralized label model is a policy for labeling data in a computer system to preserve confidentiality and integrity. Its philosophical roots are in the Denning lattice model, in which static analysis of programming language statements uncovers both explicit and implicit information flows through a program, from inputs to outputs. These labels are not the standard sensitivity/compartment lattice labels, but rather discretionary or owner-controlled labels such as Graubart’s reader/writer sets, which can be enforced, and which propagate when data is copied or computed. Instead of listing all (contributing) writers and all (permitted) readers, these labels specify each owner’s policy as a list of permitted readers; combining data results in concatenating the owners’ policies, and only principals in the intersection of the reader lists may read the data.
Keeping the owners’ policies separate enables owners to relax, or “declassify,” their own policies. The rights of owners to do this, as well as to read data, are automatically acquired by their superiors in an “acts-for” hierarchy. These features make the proposed model more practical. Another important advance in practicality is the implementation as an extension of Java, called Jif, with a compiler that performs the static label checking. A separate dual model is needed to deal with integrity, and some trust still resides in the operating system, to ensure that only checked programs can access protected data.
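The label semantics described above (one policy per owner, concatenation of policies when data is combined, readers restricted to the intersection, superiors in the acts-for hierarchy inheriting an owner's read and declassification rights) as a small executable model. This is an added illustration, not code from Jif or from the paper; the principal names and the hierarchy are constructed.

```python
"""Toy decentralized label model: join, effective readers, acts-for, declassify."""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Principal = str
Policy = Tuple[Principal, FrozenSet[Principal]]   # (owner, readers the owner permits)
Label = FrozenSet[Policy]                         # one policy per contributing owner


def policy(owner: Principal, readers: Iterable[Principal]) -> Policy:
    return (owner, frozenset(readers))


def join(a: Label, b: Label) -> Label:
    """Combining data concatenates the owners' policies; every policy keeps applying."""
    return a | b


class ActsFor:
    """edges[p] lists principals p directly acts for (constructed, e.g. manager -> employee)."""
    def __init__(self, edges: Dict[Principal, Set[Principal]]) -> None:
        self.edges = edges

    def acts_for(self, p: Principal, q: Principal) -> bool:
        # Reflexive and transitive closure over the acts-for edges.
        seen, stack = {p}, [p]
        while stack:
            cur = stack.pop()
            if cur == q:
                return True
            for nxt in self.edges.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return False


def may_read(label: Label, p: Principal, h: ActsFor) -> bool:
    """p may read only if every owner's policy admits p: p acts for the owner or for a listed reader."""
    return all(h.acts_for(p, o) or any(h.acts_for(p, r) for r in rs) for o, rs in label)


def readers(label: Label, principals: Iterable[Principal], h: ActsFor) -> Set[Principal]:
    """Effective reader set: the intersection of what each owner's policy allows."""
    return {p for p in principals if may_read(label, p, h)}


def declassify(label: Label, actor: Principal, owner: Principal,
               new_readers: Iterable[Principal], h: ActsFor) -> Label:
    """Relax only `owner`'s policy, and only if actor is the owner or acts for it; other owners' policies are untouched."""
    if not h.acts_for(actor, owner):
        raise PermissionError(f"{actor} does not act for {owner}; cannot relax {owner}'s policy")
    return frozenset(pol for pol in label if pol[0] != owner) | {policy(owner, new_readers)}
```

Joining alice's label {alice: bob} with carol's {carol: bob, dave} leaves bob as the only reader; a manager who acts for alice may relax alice's policy, but cannot widen carol's.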