Lying versus refusal for known potential secrets

Authors:

Highlights:

Abstract

Security policies and the corresponding enforcement mechanisms may have to deal with the logical consequences of the data encoded in information systems. Users may apply background knowledge about the application domain and about the system to infer more information than what is explicitly returned as answers to their queries. Some of the approaches to dealing with such a scenario are dynamic. For each query, the correct answer is first judged by some censor and then – if necessary – appropriately modified to preserve security. In this paper we contribute to the formal study of such approaches by extending to the case of known potential secrets the comparison of the two possible answer modifications, namely, lying and refusal. First, we explicitly define the security requirements. Second, we extend previous results on security preservation using lies to such requirements. Then we introduce a variant of the refusal-based approach, suitable for potential secrets. Finally, we extensively analyze and compare the two approaches. We prove formally that, in general, they are incomparable in many respects, but, under fairly natural assumptions, lies and refusals lead to surprisingly similar behaviors and convey exactly the same information to the user. The latter result leads to a fundamental new insight on the relative benefits of the two approaches.
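As an added illustration (not code from the paper), the following toy controlled query evaluation runs the two answer modifications over a propositional instance: the refusal censor checks both possible answers against every potential secret so that a refusal itself leaks nothing, while the lying censor protects the disjunction of all potential secrets so that it is never cornered by a later query. The instance, the single secret a AND b, and the query sequence are constructed for the demo; the user's initial log is assumed empty.

```python
from itertools import product

# Formulas: an atom is a str; compound forms are ('not', f), ('and', f, g), ('or', f, g).
def holds(f, model):
    if isinstance(f, str):
        return f in model
    if f[0] == 'not':
        return not holds(f[1], model)
    if f[0] == 'and':
        return holds(f[1], model) and holds(f[2], model)
    return holds(f[1], model) or holds(f[2], model)

def neg(f):
    return f[1] if not isinstance(f, str) and f[0] == 'not' else ('not', f)

def entails(premises, goal, atoms):
    """premises |= goal, decided by brute force over every model of `atoms`."""
    for bits in product([False, True], repeat=len(atoms)):
        model = {a for a, b in zip(atoms, bits) if b}
        if all(holds(p, model) for p in premises) and not holds(goal, model):
            return False
    return True

def refusal_cqe(instance, secrets, queries, atoms):
    """Refusal censor for potential secrets: refuse whenever EITHER possible answer
    would let the user log entail some secret, so a refusal reveals nothing."""
    log, answers = [], []
    for q in queries:
        truth = q if holds(q, instance) else neg(q)
        if any(entails(log + [a], s, atoms) for a in (q, neg(q)) for s in secrets):
            answers.append('refuse')
        else:
            answers.append(truth)
            log.append(truth)
    return answers, log

def lying_cqe(instance, secrets, queries, atoms):
    """Lying censor: lie when the true answer would let the log entail the
    disjunction of all secrets; protecting the disjunction keeps a safe answer available."""
    disj = secrets[0]
    for s in secrets[1:]:
        disj = ('or', disj, s)
    log, answers = [], []
    for q in queries:
        truth = q if holds(q, instance) else neg(q)
        ans = neg(truth) if entails(log + [truth], disj, atoms) else truth
        answers.append(ans)
        log.append(ans)
    return answers, log

# Constructed toy data: a and b hold, c does not; the secret is a AND b.
ATOMS, INSTANCE, SECRETS, QUERIES = ['a', 'b', 'c'], {'a', 'b'}, [('and', 'a', 'b')], ['a', 'b', 'c']
```

Refusal yields `['a', 'refuse', ('not', 'c')]` and lying yields `['a', ('not', 'b'), ('not', 'c')]`; in both cases the final user log does not entail the secret.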

Keywords: Inference control, Controlled query evaluation, Secrecy, Potential secret, Censor, Modificator, User log, Refusal, Lying, Reliable answer, Indistinguishable instances

Review process: Received 10 October 2000, Revised 20 February 2001, Accepted 2 May 2001, Available online 24 July 2001.

Paper URL: https://doi.org/10.1016/S0169-023X(01)00024-6