Information flow controls vs inference controls: An integrated approach

Abstract

This paper proposes a formal method for modeling database security based on a logical interpretation of two problems: the (internal) information flow controls and the (external) information inference controls. Examples are developed that illustrate the inability of “classical” security models such as non-interference and non-deducibility to completely take into account the inference problem, because both are too constraining: the former model leads to the existence problem, whereas the latter one leads to the elimination problem. The causality model, which has been developed to solve the information flow control problem by considering that “what is known, must be permitted to be known”, does not also explicitly take into account the inference problem. But we show that it is possible to extend causality so that inference can in fact be solved by formalizing the security policy consistency in the following way “any information must not be both permitted and forbidden, to be known”. However, some difficulties remain if we do not consider that a subject can perform not only valid derivations but also plausible derivations. In particular, we show that classical solutions to the inference problem such as use of polyinstantiated databases are not plainly satisfactory, unless the security policy is able to estimate how it is plausible that an abductive reasoning can occur.