that are not secure according to one of these notions, the probabilistic approach
allows us to give a quantitative measure of the information flow that occurs.
An important issue when defining security properties is deciding what kinds
of information flow are acceptable. In some existing definitions of information
flow, such as noninference [14] or the perfect security property [18], covert
channels already present in the description of a system are allowed, such as auditing
or copying low-level events at the high level. Such definitions take a causal view,
defining information flow as the fact that high-level behavior influences low-level
behavior. Conversely, this means that viewing a string of low-level events may
allow us to deduce something about the high-level events that have occurred in
the past, prior to these observations.
In contrast, we take a purely observational view. Thus, if a low-level
observation is compatible only with one interleaving of high-level events, but not with
another, this constitutes information flow, regardless of whether this knowledge is
already present in the description (trace set) of the system. Indeed, the
probability of a given interleaving of high-level events depends in this situation on the
low-level observation, which corresponds to our definition of information flow.
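The observational definition above can be checked mechanically on a small trace set. The following is an added worked example, not code from the paper: it models a system as a finite set of traces, each with a probability, splits every trace into its high-level interleaving and its low-level observation, and reports information flow whenever some low-level observation changes the distribution over high-level interleavings relative to the prior. The event names, the "events beginning with h are high-level" convention, the three constructed systems, and the use of mutual information as the quantitative measure are all assumptions of this example, not notation taken from the page.

```python
from fractions import Fraction
from math import log2

# Assumption of this example: an event is high-level iff its name starts with "h".
def is_high(event):
    return event.startswith("h")

def project(trace, high):
    """Keep only the high-level (high=True) or low-level (high=False) events of a trace."""
    return tuple(e for e in trace if is_high(e) == high)

def joint_distribution(traces):
    """Map (high interleaving, low observation) -> probability, from a list of (trace, prob)."""
    joint = {}
    for trace, p in traces:
        key = (project(trace, True), project(trace, False))
        joint[key] = joint.get(key, Fraction(0)) + p
    return joint

def marginal(joint, idx):
    """Marginal over component idx of the key (0 = high interleaving, 1 = low observation)."""
    m = {}
    for key, p in joint.items():
        m[key[idx]] = m.get(key[idx], Fraction(0)) + p
    return m

def conditional_high(joint, low_obs):
    """P(high interleaving | low observation): the quantity the observational view compares."""
    p_low = sum(p for (h, l), p in joint.items() if l == low_obs)
    return {h: p / p_low for (h, l), p in joint.items() if l == low_obs}

def has_flow(traces):
    """Observational information flow: some low-level observation shifts the
    distribution over high-level interleavings away from the prior. Exact
    Fraction arithmetic keeps the equality test meaningful."""
    joint = joint_distribution(traces)
    prior = marginal(joint, 0)
    for low_obs in marginal(joint, 1):
        posterior = conditional_high(joint, low_obs)
        if any(posterior.get(h, Fraction(0)) != p for h, p in prior.items()):
            return True
    return False

def mutual_information(traces):
    """Bits the low observation reveals about the high interleaving (one
    quantitative measure; choosing it is an assumption of this example)."""
    joint = joint_distribution(traces)
    ph, pl = marginal(joint, 0), marginal(joint, 1)
    return sum(float(p) * log2(float(p / (ph[h] * pl[l]))) for (h, l), p in joint.items())

# Constructed system 1: each low-level observation is compatible with exactly one
# interleaving of the high-level events h1, h2 -> flow under the observational view.
INTERLEAVING_FLOW = [
    (("h1", "h2", "l1"), Fraction(1, 2)),
    (("h2", "h1", "l2"), Fraction(1, 2)),
]

# Constructed system 2: high and low behaviour are independent -> no flow.
NO_FLOW = [
    (("h1", "l1"), Fraction(1, 4)), (("h1", "l2"), Fraction(1, 4)),
    (("h2", "l1"), Fraction(1, 4)), (("h2", "l2"), Fraction(1, 4)),
]

# Constructed system 3: the high level merely audits (copies) the low-level event.
# A causal view sees no high-to-low influence, but observing l1 pins down the
# high-level event, so the observational definition reports flow.
AUDIT_FLOW = [
    (("l1", "hAudit_l1"), Fraction(1, 2)),
    (("l2", "hAudit_l2"), Fraction(1, 2)),
]

if __name__ == "__main__":
    for name, system in [("interleaving", INTERLEAVING_FLOW), ("independent", NO_FLOW), ("audit", AUDIT_FLOW)]:
        print(f"{name}: flow={has_flow(system)} bits={mutual_information(system):.3f}")
```

The audit system is the point of the contrast with the causal definitions: nothing at the high level influenced the low level, yet the low-level observation is compatible with only one high-level trace, so the conditional distribution over high-level events collapses and the definition used here counts it as flow.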
Related Work
Work on tailoring security properties to the system under consideration orig-
inates with the string of different definitions for information flow [5,11,14,13].
Following the recognition that security is a property of trace sets rather than
traces (e.g., [13]), in [18], security properties are defined uniformly by specifying
a predicate that the low-level equivalent bunch of a trace has to satisfy. The ap-
proach is taken further in [10] by defining basic security predicates in terms of a
restriction and a closure requirement on a trace set. The parameterization in the
latter paper is given by the variants in which the basic operations of inserting
and deleting high-level events in a trace (to keep their absence and presence,
respectively, confidential) can be performed.
Probabilistic information flow has naturally been more difficult to treat than
the possibilistic version. McLean [12] introduces the flow model, which
distinguishes mere correlation from actual causal influence. Gray [7] introduces
probabilistic interference in a context of finite state machines and gives a more general
information-theoretic framework, including probabilistic channel capacity [6].
Sabelfeld and Sands [16] define probabilistic noninterference in the context of
schedulers for multithreaded programs, based on the concept of probabilistic
bisimulation, and show compositionality properties. Lowe [9] treats quantita-
tive information flow distinguishing probabilistic aspects from nondeterminism,
which is handled from an adversarial worst-case perspective; the treatment is
done in a discrete-time context, considering also the rate of information flow. A
probabilistic process-algebraic approach is given in [1], focused on noninterfer-
ence, generalizing the possibilistic variant and allowing formal reasoning about
the amount of information flow.
All these approaches, whether possibilistic or probabilistic, treat general,
system-independent notions of information flow. A framework which parameter-