Subsequently, various frameworks for information flow [13,18,10] have been
developed, attempting to unify the various existing definitions. McLean's
introduction of selective interleaving functions [13] provides a way to reason
about the relative strength of different security properties and their
preservation under composition. Zakinthinos and Lee [18] propose "perfect
security" as the weakest property on trace sets which guarantees absence of
information flow (in a rather informally defined sense). In contrast, Mantel [10]
argues the need for variety and modularity, and provides a library of basic
security predicates from which common notions of security properties can be
constructed.
In the same spirit, namely that an analysis of information flow must be flexible
enough to be adapted to the specific features and needs of the application under
consideration, we propose a parameterized view of information flow that develops
the quantitative, probabilistic approach sketched in [17]. We define information
flow with respect to a property (a set of system traces, possibly abstracted in
its low-level part) which is deemed important for the system under scrutiny. The
system has information flow with respect to the given property if there exist
two low-level observations for which the chosen property has different
probabilities of occurrence. In this case, the quantitative, probabilistic
knowledge about the given property is sensitive to the observation which can be
made, and so there is information flow in the system with respect to this
property.
From this starting point, we define several generic notions of information
flow, corresponding to different classes of properties of interest. These include
high-level information flow, in which properties are sets of sequences of high-level
events, and sequential information flow, in which properties can describe not only
sequences of high-level events but also how these sequences are interrupted by
the low-level, following the view of [12].
In examining information flow, we consider two views on the sequence of
events in a trace. In the first, a global view, properties are simply sets of traces
(infinite sequences of events). Alternatively, in a relativized view, the present
timepoint splits a trace into a pair: a finite sequence of past events and an
infinite sequence of future events. In this way, we can express properties that
link the past behavior with the future behavior of the system; we have absence of
information flow if such a behavior set is equiprobable regardless of the low-level
observation up to the current timepoint. For instance, a property may state that
if the last event before the timepoint is a then the next event is a, and if the
last event before the timepoint is b then the next event cannot be a.
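The following is an added example, not code from the paper: a finite-trace model of the definition given above (flow with respect to a property iff two low-level observations assign it different conditional probabilities) and of the relativized, past/future view. It assumes, for runnability, that a system is a probability distribution over finite traces standing in for prefixes of the paper's infinite traces, that every event is tagged high or low, that the low observer sees the projection onto low events, and that the relativized timepoint is a position k in the trace with the observer seeing only the low projection of the prefix before k. All sample systems, event names and helper names (`LEAKY`, `INDEPENDENT`, `SKEWED`, `RELATIVIZED`, `has_information_flow`, `relativized_flow`) are constructed for the example.

```python
"""Property-parameterized, probabilistic information flow on finite traces.

Added example (assumptions: finite traces stand in for prefixes of the paper's
infinite traces; the system is a distribution over them; low sees only the
projection onto "L" events). Not the paper's own formalization.
"""
from fractions import Fraction
from typing import Callable, Dict, Tuple

Event = Tuple[str, str]            # (level, name), level in {"H", "L"}
Trace = Tuple[Event, ...]
System = Dict[Trace, Fraction]     # trace -> probability, summing to 1
Property = Callable[[Trace], bool]  # the set of traces "deemed important"


def H(name: str) -> Event:
    return ("H", name)


def L(name: str) -> Event:
    return ("L", name)


def low_view(trace: Trace) -> Tuple[str, ...]:
    """What the low-level observer sees: the names of the L events, in order."""
    return tuple(name for level, name in trace if level == "L")


def conditional_probabilities(system: System, prop: Property, observe=low_view):
    """P(prop | observation) for every observation of positive probability."""
    mass: Dict[Tuple[str, ...], Fraction] = {}
    hit: Dict[Tuple[str, ...], Fraction] = {}
    for trace, p in system.items():
        o = observe(trace)
        mass[o] = mass.get(o, Fraction(0)) + p
        if prop(trace):
            hit[o] = hit.get(o, Fraction(0)) + p
    return {o: hit.get(o, Fraction(0)) / mass[o] for o in mass}


def has_information_flow(system: System, prop: Property, observe=low_view) -> bool:
    """Flow iff two low observations disagree on the property's probability."""
    return len(set(conditional_probabilities(system, prop, observe).values())) > 1


def relativized_flow(system: System, k: int, pair_prop) -> bool:
    """Relativized view: timepoint k splits each trace into (past, future);
    the property is a predicate on that pair, and low has observed only
    the low projection of the past (assumed split by trace position)."""
    return has_information_flow(
        system,
        lambda t: pair_prop(t[:k], t[k:]),
        observe=lambda t: low_view(t[:k]),
    )


q = Fraction
# Constructed sample systems. A high event s1/s0 is a secret bit, out1/out0
# is a low-observable output.
LEAKY = {(H("s1"), L("out1")): q(1, 2), (H("s0"), L("out0")): q(1, 2)}
INDEPENDENT = {(H(s), L(o)): q(1, 4) for s in ("s1", "s0") for o in ("out1", "out0")}
# Every low view is possibilistically consistent with both secrets, so a
# purely possibilistic criterion accepts this system; the probabilities are
# skewed, so the quantitative criterion rejects it.
SKEWED = {(H("s1"), L("out1")): q(3, 8), (H("s1"), L("out0")): q(1, 8),
          (H("s0"), L("out1")): q(1, 8), (H("s0"), L("out0")): q(3, 8)}


def secret_is_s1(trace: Trace) -> bool:
    """High-level property: the set of traces in which s1 occurred."""
    return H("s1") in trace


def a_then_a_b_never_a(past: Trace, future: Trace) -> bool:
    """The relativized property from the text: if the last past event is a
    then the next event is a; if it is b then the next event is not a."""
    last, nxt = past[-1][1], future[0][1]
    return (last != "a" or nxt == "a") and (last != "b" or nxt != "a")


# Constructed: a low request at position 0, then two high events. After req1
# the high events respect the property, after req2 they violate it, so the
# low observation of the past (req1 vs req2) changes the probability.
RELATIVIZED = {
    (L("req1"), H("a"), H("a")): q(1, 4), (L("req1"), H("b"), H("c")): q(1, 4),
    (L("req2"), H("a"), H("c")): q(1, 4), (L("req2"), H("b"), H("a")): q(1, 4),
}

if __name__ == "__main__":
    for name, sysm in (("LEAKY", LEAKY), ("INDEPENDENT", INDEPENDENT), ("SKEWED", SKEWED)):
        print(name, has_information_flow(sysm, secret_is_s1),
              conditional_probabilities(sysm, secret_is_s1))
    print("RELATIVIZED", relativized_flow(RELATIVIZED, 2, a_then_a_b_never_a))
```

Using exact `Fraction` arithmetic keeps the comparison between conditional probabilities meaningful; with floats, two observations that are genuinely equiprobable could be reported as a flow through rounding. The `SKEWED` system is the case that distinguishes this definition from the possibilistic ones discussed further below: its low trace set is identical to that of `INDEPENDENT`, and only the probabilities differ.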
We then give characterizations of systems that are secure according to these
views of information flow, describing the structure of their trace sets in terms of
high/low-level events and their probabilities.
Using this framework, and choosing appropriate sets of properties, we can
express several classical definitions of possibilistic security: generalized
noninterference [11], noninference [14], and separability [13]. At the same
time, by supporting a user-defined choice of properties, we allow a finer
granularity for the definition of information flow than previous approaches.
In addition, for systems