Abstract
Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary’s ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This is a real-life example from the authors’ personal experience. For similar security questions, used by various phone or web services, cf. e.g. [14].
- 2.
We will only sketch the proofs due to lack of space. The complete proofs can be found in the extended version of the paper, available at http://arxiv.org/abs/1608.02247.
References
Acquisti, A., Grossklags, J.: Privacy attitudes and privacy behavior - losses, gains, and hyperbolic discounting. In: Economics of Information Security. Advances in Information Security, vol. 12, pp. 165–178. Springer, New York (2004)
Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 84–90 (1981)
Dimovski, A.S.: Ensuring secure non-interference of programs by game semantics. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 81–96. Springer, Heidelberg (2014)
Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Game theory meets information security management. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 15–29. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55415-5_2
Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). doi:10.1007/3-540-57220-1_66
Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proceedings of POPL, pp. 186–197. ACM (2004)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of S&P, pp. 11–20. IEEE Computer Society (1982)
Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, STOC 1987, pp. 218–229. ACM (1987)
Gray III, J.W.: Probabilistic interference. In: Proceedings of S&P, pp. 170–179. IEEE (1990)
Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceedings of WWW, pp. 209–218. ACM (2008)
Hankin, C., Nagarajan, R., Sampath, P.: Flow analysis: games and nets. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 135–156. Springer, Heidelberg (2002)
Harris, W.R., Jha, S., Reps, T.W., Anderson, J., Watson, R.N.M.: Declarative, temporal, and practical programming with capabilities. In: Proceedings of SP, pp. 18–32. IEEE Computer Society (2013)
Jamroga, W., Tabatabaei, M.: Strategic noninterference. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IFIP AICT, vol. 455, pp. 67–81. Springer, Heidelberg (2015). doi:10.1007/978-3-319-18467-8_5
Levin, J.: In what city did you honeymoon? and other monstrously stupid bank security questions. Slate (2008)
Leyton-Brown, K., Shoham, Y.: Essentials of Game Theory: A Concise, Multidisciplinary Introduction. Morgan & Claypool (2008)
Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: ACM SIGPLAN Notices, vol. 40, pp. 158–170. ACM (2005)
Malacaria, P., Hankin, C.: Non-deterministic games, program analysis: an application to security. In: Proceedings of LICS, pp. 443–452. IEEE Computer Society (1999)
McCullough, D.: Noninterference and the composability of security properties. In: Proceedings of S&P, pp. 177–186. IEEE (1988)
McIver, A., Morgan, C.: A probabilistic approach to information hiding. In: Programming Methodology, pp. 441–460 (2003)
McNaughton, R.: Testing and generating infinite sequences by a finite automaton. Inf. Control 9, 521–530 (1966)
Moore, T., Anderson, R.: Economics, internet security: a survey of recent analytical, empirical and behavioral research. Technical report TR-03-11, Computer Science Group, Harvard University (2011)
O’Halloran, C.: A calculus of information flow. In: Proceedings of ESORICS, pp. 147–159 (1990)
Di Pierro, A., Hankin, C., Wiklicky, H.: Approximate non-interference. J. Comput. Secur. 12(1), 37–81 (2004)
Robinson, J.A.: A machine-oriented logic based on the resolution principle. J. ACM 12(1), 23–41 (1965)
Roscoe, A.W., Hoare, C.A.R., Bird, R.: The Theory and Practice of Concurrency. Prentice Hall PTR, Upper Saddle River (1997)
Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: Proceedings of CSFW-18, pp. 255–269. IEEE Computer Society (2005)
Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)
Sutherland, D.: A model of information. In: Proceedings of the 9th National Computer Security Conference, pp. 175–183 (1986)
Meyden, R., Zhang, C.: A comparison of semantic models for noninterference. Theoret. Comput. Sci. 411(47), 4123–4147 (2010)
Wittbold, J.T., Johnson, D.M.: Information flow in nondeterministic systems. In: IEEE Symposium on Security and Privacy, p. 144 (1990)
Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of CSFW-16, pp. 29–43. IEEE Computer Society (2003)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Jamroga, W., Tabatabaei, M. (2016). Information Security as Strategic (In)effectivity. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-46598-2_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer ScienceComputer Science (R0)