A Temporal Logic for Hyperproperties
Hyperproperties, as introduced by Clarkson and Schneider, characterize the
correctness of a computer program as a condition on its set of computation
paths. Standard temporal logics can only refer to a single path at a time, and
therefore cannot express many hyperproperties of interest, including
noninterference and other important properties in security and coding theory.
In this paper, we investigate an extension of temporal logic with explicit path
variables. We show that the quantification over paths naturally subsumes other
extensions of temporal logic with operators for information flow and knowledge.
The model checking problem for temporal logic with path quantification is
decidable. For alternation depth 1, the complexity is PSPACE in the length of
the formula and NLOGSPACE in the size of the system, as for linear-time
temporal logic
A Semantic Hierarchy for Erasure Policies
We consider the problem of logical data erasure, contrasting with physical
erasure in the same way that end-to-end information flow control contrasts with
access control. We present a semantic hierarchy for erasure policies, using a
possibilistic knowledge-based semantics to define policy satisfaction such that
there is an intuitively clear upper bound on what information an erasure policy
permits to be retained. Our hierarchy allows a rich class of erasure policies
to be expressed, taking account of the power of the attacker, how much
information may be retained, and under what conditions it may be retained.
While our main aim is to specify erasure policies, the semantic framework
allows quite general information-flow policies to be formulated for a variety
of semantic notions of secrecy. Comment: 18 pages, ICISS 201
Existential Types for Relaxed Noninterference
Information-flow security type systems ensure confidentiality by enforcing
noninterference: a program cannot leak private data to public channels.
However, in practice, programs need to selectively declassify information about
private data. Several approaches have provided a notion of relaxed
noninterference supporting selective and expressive declassification while
retaining a formal security property. The labels-as-functions approach provides
relaxed noninterference by means of declassification policies expressed as
functions. The labels-as-types approach expresses declassification policies
using type abstraction and faceted types, a pair of types representing the
secret and public facets of values. The original proposal of labels-as-types is
formulated in an object-oriented setting where type abstraction is realized by
subtyping. The object-oriented approach however suffers from limitations due to
its receiver-centric paradigm.
In this work, we consider an alternative approach to labels-as-types,
applicable in non-object-oriented languages, which allows us to express
advanced declassification policies, such as extrinsic policies, based on a
different form of type abstraction: existential types. An existential type
exposes abstract types and operations on these; we leverage this abstraction
mechanism to express secrets that can be declassified using the provided
operations. We formalize the approach in a core functional calculus with
existential types, define existential relaxed noninterference, and prove that
well-typed programs satisfy this form of type-based relaxed noninterference
FISA Reform
Congress and the Executive Branch are poised to take up the issue of FISA reform in 2014. What has been missing from the discussion is a comprehensive view of ways in which reform could be given effect—i.e., a taxonomy of potential options. This article seeks to fill the gap. The aim is to deepen the conversation about abeyant approaches to foreign intelligence gathering, to allow fuller discussion of what a comprehensive package could contain, and to place initiatives that are currently under consideration within a broader, over-arching framework. The article begins by considering the legal underpinnings and challenges to the President's Surveillance Program. It then examines how technology has altered the types of information available, as well as methods of transmission and storage. The article builds on this to develop a taxonomy for how a statutory approach to foreign intelligence gathering could be given force. It divides foreign intelligence gathering into two categories: front-end collection and back-end analysis and use. Each category contains a counterpoise structured to ensure the appropriate exercise of Congressionally-mandated authorities. For the front-end, this means balancing the manner of collection with requirements for approval. For the back-end, this means offsetting implementation with transparency and oversight. The article then considers the constituent parts of each category
Just forget it - The semantics and enforcement of information erasure
Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive” noninterference property. (ii) By a judicious choice of language construct to support erasur
Declassifying Knowledge Organization
Classification, as is common knowledge, is simultaneously an operation (classer) and an instrument of knowledge organization (classifier), regardless of more technical or specific designations used in that area of research, although an operation that ‘naturally’ transcends the very realm of knowledge organization (KO) to which it descended from the logos. In this text, a summary of more than 35 years of work, the author presents a series of hypotheses and itineraries of declassified thought, a way of thinking based on strategies of reflexivity and pluralism that buttress the automatic, hierarchical and essentialist tendencies enhanced by the totalitarian mind, whether this be harsh or subtle, which are imposed by all levels of power, in order to re-orientate them towards civic commitment and the re-politicization of KO practices that were never depoliticized. Declassification is a hermeneutics of KO that recuperates criticism, rhetoric, reflection, emotions, affection and even contradiction as the cornerstones of systematic knowledge production processes. The world is not only full of heterogeneous knowledge but also of heterogeneous forms of knowing that must be restored and deliberated upon on an equal basis. That is the aim of declassification in putting forward an open and alternative interpretation of rethinking and practising identity, culture, memory or social sciences and KO, particularly in the new digital space of unlimited interaction