Information Security as Strategic (In)effectivity

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)

Abstract

Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary’s ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference.

References

  1. 1.
    Acquisti, A., Grossklags, J.: Privacy attitudes and privacy behavior - losses, gains, and hyperbolic discounting. In: Economics of Information Security. Advances in Information Security, vol. 12, pp. 165–178. Springer, New York (2004)Google Scholar
  2. 2.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 84–90 (1981)CrossRefGoogle Scholar
  3. 3.
    Dimovski, A.S.: Ensuring secure non-interference of programs by game semantics. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 81–96. Springer, Heidelberg (2014)Google Scholar
  4. 4.
    Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Game theory meets information security management. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IFIP AICT, vol. 428, pp. 15–29. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55415-5_2 CrossRefGoogle Scholar
  5. 5.
    Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). doi:10.1007/3-540-57220-1_66 CrossRefGoogle Scholar
  6. 6.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proceedings of POPL, pp. 186–197. ACM (2004)Google Scholar
  7. 7.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of S&P, pp. 11–20. IEEE Computer Society (1982)Google Scholar
  8. 8.
    Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, STOC 1987, pp. 218–229. ACM (1987)Google Scholar
  9. 9.
    Gray III, J.W.: Probabilistic interference. In: Proceedings of S&P, pp. 170–179. IEEE (1990)Google Scholar
  10. 10.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceedings of WWW, pp. 209–218. ACM (2008)Google Scholar
  11. 11.
    Hankin, C., Nagarajan, R., Sampath, P.: Flow analysis: games and nets. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 135–156. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Harris, W.R., Jha, S., Reps, T.W., Anderson, J., Watson, R.N.M.: Declarative, temporal, and practical programming with capabilities. In: Proceedings of SP, pp. 18–32. IEEE Computer Society (2013)Google Scholar
  13. 13.
    Jamroga, W., Tabatabaei, M.: Strategic noninterference. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IFIP AICT, vol. 455, pp. 67–81. Springer, Heidelberg (2015). doi:10.1007/978-3-319-18467-8_5 CrossRefGoogle Scholar
  14. 14.
    Levin, J.: In what city did you honeymoon? and other monstrously stupid bank security questions. Slate (2008)Google Scholar
  15. 15.
    Leyton-Brown, K., Shoham, Y.: Essentials of Game Theory: A Concise, Multidisciplinary Introduction. Morgan & Claypool (2008)Google Scholar
  16. 16.
    Li, P., Zdancewic, S.: Downgrading policies and relaxed noninterference. In: ACM SIGPLAN Notices, vol. 40, pp. 158–170. ACM (2005)Google Scholar
  17. 17.
    Malacaria, P., Hankin, C.: Non-deterministic games, program analysis: an application to security. In: Proceedings of LICS, pp. 443–452. IEEE Computer Society (1999)Google Scholar
  18. 18.
    McCullough, D.: Noninterference and the composability of security properties. In: Proceedings of S&P, pp. 177–186. IEEE (1988)Google Scholar
  19. 19.
    McIver, A., Morgan, C.: A probabilistic approach to information hiding. In: Programming Methodology, pp. 441–460 (2003)Google Scholar
  20. 20.
    McNaughton, R.: Testing and generating infinite sequences by a finite automaton. Inf. Control 9, 521–530 (1966)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Moore, T., Anderson, R.: Economics, internet security: a survey of recent analytical, empirical and behavioral research. Technical report TR-03-11, Computer Science Group, Harvard University (2011)Google Scholar
  22. 22.
    O’Halloran, C.: A calculus of information flow. In: Proceedings of ESORICS, pp. 147–159 (1990)Google Scholar
  23. 23.
    Di Pierro, A., Hankin, C., Wiklicky, H.: Approximate non-interference. J. Comput. Secur. 12(1), 37–81 (2004)CrossRefGoogle Scholar
  24. 24.
    Robinson, J.A.: A machine-oriented logic based on the resolution principle. J. ACM 12(1), 23–41 (1965)MathSciNetCrossRefMATHGoogle Scholar
  25. 25.
    Roscoe, A.W., Hoare, C.A.R., Bird, R.: The Theory and Practice of Concurrency. Prentice Hall PTR, Upper Saddle River (1997)Google Scholar
  26. 26.
    Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: Proceedings of CSFW-18, pp. 255–269. IEEE Computer Society (2005)Google Scholar
  27. 27.
    Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  28. 28.
    Sutherland, D.: A model of information. In: Proceedings of the 9th National Computer Security Conference, pp. 175–183 (1986)Google Scholar
  29. 29.
    Meyden, R., Zhang, C.: A comparison of semantic models for noninterference. Theoret. Comput. Sci. 411(47), 4123–4147 (2010)MathSciNetCrossRefMATHGoogle Scholar
  30. 30.
    Wittbold, J.T., Johnson, D.M.: Information flow in nondeterministic systems. In: IEEE Symposium on Security and Privacy, p. 144 (1990)Google Scholar
  31. 31.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of CSFW-16, pp. 29–43. IEEE Computer Society (2003)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Institute of Computer SciencePolish Academy of SciencesWarszawaPoland
  2. 2.Interdisciplinary Centre for Security and TrustUniversity of LuxembourgLuxembourgLuxembourg

Personalised recommendations