Lying versus refusal for known potential secrets

摘要

Security policies and the corresponding enforcement mechanisms may have to deal with the logical consequences of the data encoded in information systems. Users may apply background knowledge about the application domain and about the system to infer more information than what is explicitly returned as answers to their queries. Some of the approaches to dealing with such a scenario are dynamic. For each query, the correct answer is first judged by some censor and then – if necessary – appropriately modified to preserve security. In this paper we contribute to the formal study of such approaches by extending to the case of known potential secrets the comparison of the two possible answer modifications, namely, lying and refusal. First, we explicitly define the security requirements. Second, we extend to such requirements a previous results on security preservation using lies. Then we introduce a variant of the refusal-based approach, suitable for potential secrets. Finally, we extensively analyze and compare the two approaches. We prove formally that, in general, they are incomparable in many respects, but, under fairly natural assumptions, lies and refusals lead to surprisingly similar behaviors and convey exactly the same information to the user. The latter result leads to a fundamental new insight on the relative benefits of the two approaches.