A Probabilistic Property-Specific Approach to Information Flow
Daniele Beauquier 1, Marie Duflot 1, and Marius Minea 2
1 University Paris 12, France
{beauquier, duflot}@univ-paris12.fr
2 Institute e-Austria Timisoara, Romania
marius@cs.utt.ro
Abstract. We study probabilistic information flow from a property-specific viewpoint. For a given property of interest, specified as a set of traces, we examine whether different low-level observations imply different probabilities for the occurrence of the property. Quantifying over all properties in a given class (e.g., high-level traces, or high-level sequences separated by low-level events) we obtain different notions of information flow. We give characterizations of systems that are secure according to these definitions. We consider both properties that are expressed over whole traces and those that distinguish between past and future given a reference point. In this framework, we can express several classical definitions of possibilistic security, as well as give a more detailed, quantitative measure of information flow.
1 Introduction
Several classical treatments of information flow exist in the literature. Trace-based approaches assume a set of observable low-level events L and a set of (not directly observable) high-level events H. The question is whether observing a certain low-level trace can give information about the occurrence of high-level events, either in a possibilistic sense (the possibility or impossibility of a certain high-level interleaving) or in a probabilistic sense, yielding quantitative information about high-level activity.

It is generally accepted that there is no single all-encompassing definition of information flow. Notions such as noninterference [5], generalized noninterference [11], noninference [14], generalized noninference and separability [13] differ in the kind of information about high-level behavior that is considered relevant. In these possibilistic approaches, information flow is prevented if the trace set corresponding to a low-level observation contains "enough" traces to make inferences about high-level behavior impossible. Indeed, there can be no information flow if all high-level behaviors of interest are possible, i.e., included in the set of traces corresponding to a low-level observation. Precisely which traces must be present depends on the individual notion of information flow.
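As an added illustration (not code from the paper), the criterion stated in the abstract on a toy system: a probability distribution over traces, the conditional probability of a property given each low-level observation, and, for contrast, the possibilistic "all high-level behaviors are possible" check from the paragraph above. Event names, trace probabilities and function names are constructed for this example.

```python
from fractions import Fraction
# Constructed example system (not from the paper): events are split into a
# high-level set H and a low-level set L; a system is a probability
# distribution over finite traces, each trace a tuple of events.
H = {"h1", "h2"}
L = {"l1", "l2"}
def low_view(trace):
    """The low-level observation: the trace with high-level events removed."""
    return tuple(e for e in trace if e in L)

def high_view(trace):
    """The high-level content of a trace (not observable directly)."""
    return tuple(e for e in trace if e in H)

def conditional_probabilities(system, prop):
    """Map each low-level observation to P(prop | that observation)."""
    mass, hit = {}, {}
    for trace, p in system.items():
        obs = low_view(trace)
        mass[obs] = mass.get(obs, Fraction(0)) + p
        if prop(trace):
            hit[obs] = hit.get(obs, Fraction(0)) + p
    return {obs: hit.get(obs, Fraction(0)) / mass[obs] for obs in mass}

def leaks(system, prop):
    """Probabilistic flow for one property: two observations assign
    different probabilities to prop, so observing tells them apart."""
    return len(set(conditional_probabilities(system, prop).values())) > 1

def leaks_high_traces(system):
    """Quantify over the class of properties 'the high-level trace is h'."""
    highs = {high_view(t) for t in system}
    return any(leaks(system, lambda t, h=h: high_view(t) == h) for h in highs)

def possibilistically_secure(system):
    """Possibilistic check: every high-level trace of the system is
    compatible with every low-level observation (trace sets 'large enough')."""
    per_obs = {}
    for t in system:
        per_obs.setdefault(low_view(t), set()).add(high_view(t))
    highs = {high_view(t) for t in system}
    return all(s == highs for s in per_obs.values())

# Low observation is independent of high activity: no flow in either sense.
SECURE = {("h1", "l1"): Fraction(1, 4), ("h2", "l1"): Fraction(1, 4),
          ("h1", "l2"): Fraction(1, 4), ("h2", "l2"): Fraction(1, 4)}
# Both high traces possible under both observations, yet l2 makes h1 three
# times as likely as h2: possibilistically secure, but probabilistic flow.
LEAKY = {("h1", "l1"): Fraction(1, 4), ("h2", "l1"): Fraction(1, 4),
         ("h1", "l2"): Fraction(3, 8), ("h2", "l2"): Fraction(1, 8)}
```

The two systems have identical trace sets, so every possibilistic notion built on trace sets alone rates them the same; only the probabilities separate them.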
Partially supported by ECO-NET project No 08112WJ.