This paper presents a framework for describing information and information flow. We show that information can be represented as a lattice. We will motivate the idea that this framework is applicable for demonstrating security properties of systems. In particular, we show the relationship between the lattice representing information and the unwinding theorem. We will also demonstrate the relationship between properties of this lattice and the aggregation problem.
Introduction
Consider a system as a black box that allows users to query its internal state. For example, an airline database can be queried for different kinds of information, e.g., estimated time of arrival. The queries can be ordered by the amount of information returned. For example, if a query returns the complete flight information, then one can deduce the estimated time of arrival. In this example, the first query that requests ETA is "less" than the query that requests the flight information.
Users may also be ordered by the type of information that they can access. For example, the president of an airline company may be able to make more detailed queries than a random customer. In particular, a customer may not be able to obtain the passenger manifest whereas this information is available to the president.
In this paper, we formalize the notion of information as a complete lattice. The queries described in the above example will define elements of this lattice. The information determined by a query, q1, is greater than the information determined by a query, q2, if the result of q2 can be explicitly determined from the result of the query q1. The information obtained by making two queries at once will be the join of the information obtained by making each of the queries individually.
We will then provide a necessary and sufficient condition for non-interference in terms of the information lattice. The condition is the existence of a sensitivity labelling of the information lattice in such a way that
- instructions with a high sensitivity label do not modify information with a low sensitivity label
- the flow of information in the system is from information with low sensitivity labels to information with high sensitivity labels
- the output at a sensitivity level can be determined by the information at that sensitivity level.
We will also show a possible connection of some properties of the lattice with the aggregation problem. This may point to a way of dealing with the aggregation problem in an algebraic manner.
The Information Lattice
For the purposes of this section, we will fix a set C, representing a state space of a system. In this paper we will show how information about elements of the set C can be regarded as a lattice. This information lattice can be described in two equivalent manners. First, we can view the lattice as the set of equivalence relations on the set C. The equivalence classes represent sets of states that cannot be distinguished with the information being described. Second, we can view information in terms of functions from C. The...
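The ordering and join of queries from the Introduction, computed with the equivalence-relation view of this section. This is an added example, not code from the paper: the eight-state airline state space, the field layout and the names kernel, leq, join and meet are constructed for illustration, and "greater" means "more information", i.e. a finer partition of C.

```python
from itertools import product

# Constructed state space C: every (flight, eta, manifest) combination.
C = list(product(["GR100", "GR200"], ["09:00", "17:30"],
                 [("alice",), ("alice", "bob")]))

def kernel(query, states=C):
    """Equivalence classes of states that the query cannot tell apart."""
    classes = {}
    for s in states:
        classes.setdefault(query(s), set()).add(s)
    return frozenset(frozenset(c) for c in classes.values())

def leq(low, high):
    """low <= high: each class of `high` sits inside one class of `low`,
    so the answer to the low query is determined by the high query."""
    return all(any(h <= l for l in low) for h in high)

def join(p, q):
    """Both queries made at once: intersect classes (common refinement)."""
    return frozenset(a & b for a in p for b in q if a & b)

def meet(p, q):
    """Information shared by both: merge overlapping classes."""
    blocks = [set(c) for c in p]
    for c in q:
        hit = [b for b in blocks if b & c]
        blocks = [b for b in blocks if not b & c] + [set().union(*hit)]
    return frozenset(frozenset(b) for b in blocks)

# Constructed queries; the field layout is an assumption of this example.
ETA = kernel(lambda s: s[1])
FLIGHT_INFO = kernel(lambda s: (s[0], s[1]))
MANIFEST = kernel(lambda s: s[2])
TOP = kernel(lambda s: s)        # full state known
BOTTOM = kernel(lambda s: None)  # nothing known

if __name__ == "__main__":
    print("ETA <= FLIGHT_INFO:", leq(ETA, FLIGHT_INFO))
    print("FLIGHT_INFO <= ETA:", leq(FLIGHT_INFO, ETA))
    print("ETA join MANIFEST classes:", len(join(ETA, MANIFEST)))
    print("FLIGHT_INFO join MANIFEST is TOP:", join(FLIGHT_INFO, MANIFEST) == TOP)
    print("ETA meet MANIFEST is BOTTOM:", meet(ETA, MANIFEST) == BOTTOM)
```

ETA and MANIFEST are incomparable in this model, and their join is exactly the partition induced by the single query returning both fields.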