11,896 research outputs found
A Semantic Hierarchy for Erasure Policies
We consider the problem of logical data erasure, contrasting with physical
erasure in the same way that end-to-end information flow control contrasts with
access control. We present a semantic hierarchy for erasure policies, using a
possibilistic knowledge-based semantics to define policy satisfaction such that
there is an intuitively clear upper bound on what information an erasure policy
permits to be retained. Our hierarchy allows a rich class of erasure policies
to be expressed, taking account of the power of the attacker, how much
information may be retained, and under what conditions it may be retained.
While our main aim is to specify erasure policies, the semantic framework
allows quite general information-flow policies to be formulated for a variety
of semantic notions of secrecy.Comment: 18 pages, ICISS 201
Common Representation of Information Flows for Dynamic Coalitions
We propose a formal foundation for reasoning about access control policies
within a Dynamic Coalition, defining an abstraction over existing access
control models and providing mechanisms for translation of those models into
information-flow domain. The abstracted information-flow domain model, called a
Common Representation, can then be used for defining a way to control the
evolution of Dynamic Coalitions with respect to information flow
Just forget it - The semantics and enforcement of information erasure
Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive ” noninterference property. (ii) By a judicious choice of language construct to support erasur
- …