Just forget it - The semantics and enforcement of information erasure

Abstract. There are many settings in which sensitive information is made available to a system or organisation for a specific purpose, on the understanding that it will be erased once that purpose has been fulfilled. A familiar example is that of online credit card transactions: a customer typically provides credit card details to a payment system on the understanding that the following promises are kept: (i) Noninterference (NI): the card details may flow to the bank (in order that the payment can be authorised) but not to other users of the system; (ii) Erasure: the payment system will not retain any record of the card details once the transaction is complete. This example shows that we need to reason about NI and erasure in combination, and that we need to consider interactive systems: the card details are used in the interaction between the principals, and then erased; without the interaction, the card details could be dispensed with altogether and erasure would be unnecessary. The contributions of this paper are as follows. (i) We show that an end-to-end erasure property can be encoded as a “flow sensitive ” noninterference property. (ii) By a judicious choice of language construct to support erasur

Termination-insensitive noninterference leaks more than just a bit

Current tools for analysing information flow in programs build upon ideas going back to Denning's work from the 70's. These systems enforce an imperfect notion of information flow which has become known as termination-insensitive noninterference. Under this version of noninterference, information leaks are permitted if they are transmitted purely by the program's termination behaviour (i.e., whether it terminates or not). This imperfection is the price to pay for having a security condition which is relatively liberal (e.g. allowing while-loops whose termination may depend on the value of a secret) and easy to check. But what is the price exactly? We argue that, in the presence of output, the price is higher than the “one bit” often claimed informally in the literature, and effectively such programs can leak all of their secrets. In this paper we develop a definition of termination-insensitive noninterference suitable for reasoning about programs with outputs. We show that the definition generalises “batch-job” style definitions from the literature and that it is indeed satisfied by a Denning-style program analysis with output. Although more than a bit of information can be leaked by programs satisfying this condition, we show that the best an attacker can do is a brute-force attack, which means that the attacker cannot reliably (in a technical sense) learn the secret in polynomial time in the size of the secret. If we further assume that secrets are uniformly distributed, we show that the advantage the attacker gains when guessing the secret after observing a polynomial amount of output is negligible in the size of the secret

Convex hull method for the determination of vapour-liquid equilibria (VLE) phase diagrams for binary and ternary systems

Amieibibama Joseph wishes to thank Petroleum Technology Development Fund (PTDF) for their financial support which has made this research possible.Peer reviewedPostprin

Creating Large Disturbances in the Power Grid: Methods of Attack After Cyber Infiltration

Researchers are pursuing methods of securing the cyber aspect of the U.S. power grid, one of the country\u27s most critical infrastructures. An attacker who is able to infiltrate an Energy Management System (EMS) can instruct elements of the grid to function improperly or can skew the state information received by the control programs or operators. In addition, a cyber attack can combine multiple attacks and affect many physical locations at once. A study of the possible adverse effects an attack could generate can underline the urgency of improving grid security, contribute to a roadmap and priority list for security researchers, and advise on how defending against cyber attacks can differ from defending against point failures and physical attacks. In this paper I discuss the physical and cyber systems that compose the power grid, and I explore ways in which a compromise of the cyber system can affect the physical system, with a particular emphasis on the best means of creating large disturbances. Further, I consider ways in which cyber attacks differ from physical attacks