Information Flow, Distributed Systems, and Refinement, by Example
Abstract
Non-interference is one of the foundational notions of security, stretching back to Goguen and Meseguer [3]. Roughly, a set of activities C is non-interfering with a set D if any possible behavior at D is compatible with anything that could have occurred at C. One also speaks of "no information flow" from C to D in this case. Many hands further developed the idea and its variants (e.g. [12, 15]), which also flourished within the process-calculus context [1, 2, 6, 13]. A.W. Roscoe contributed a characteristically distinctive idea to this discussion, in collaboration with J. Woodcock and L. Wulf. The idea was that a system is secure for flow from C to D when, after hiding behaviors at the source C, the destination D experiences the system as deterministic [8, 11]. In the CSP tradition, a process is deterministic if, whenever it can refuse an event a after engaging in a sequence t of events, it always refuses a after engaging in t [9].
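The determinism-based criterion in the abstract can be checked mechanically on small models. The following Python is an added illustration, not code from the paper, from Roscoe's work or from any CSP tool: it encodes a process as a finite labelled transition system (a hypothetical `LTS` class), hides the source events C by turning them into internal `tau` steps, and then searches for a trace after which some event can be both accepted and refused, which is exactly the failure of determinism described above. Refusals are read off stable states (those with no pending `tau` step), and a reachable cycle of hidden steps is reported as divergence, which Roscoe's definition also counts as non-deterministic. The two processes and the event names `h.0`, `h.1`, `l.0`, `l.1` are constructed for the example.

```python
from collections import deque

TAU = "tau"  # internal step produced by hiding


class LTS:
    """A finite labelled transition system: initial state plus (src, event, dst) triples."""

    def __init__(self, init, transitions):
        self.init = init
        self.trans = list(transitions)

    def hide(self, hidden):
        """Hide the events in `hidden` (the source C) by making them internal."""
        return LTS(self.init, [(s, TAU if e in hidden else e, d) for s, e, d in self.trans])

    def succ(self, state, event):
        return {d for s, e, d in self.trans if s == state and e == event}

    def enabled(self, state):
        """Visible events offered directly in `state`."""
        return {e for s, e, d in self.trans if s == state and e != TAU}

    def is_stable(self, state):
        return not self.succ(state, TAU)

    def tau_closure(self, states):
        seen, stack = set(states), list(states)
        while stack:
            for d in self.succ(stack.pop(), TAU):
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
        return frozenset(seen)

    def diverges(self, states):
        """True if a cycle of tau steps is reachable inside the (tau-closed) state set."""
        colour = {}

        def dfs(s):
            colour[s] = "grey"
            for d in self.succ(s, TAU):
                if colour.get(d) == "grey" or (d not in colour and dfs(d)):
                    return True
            colour[s] = "black"
            return False

        return any(s not in colour and dfs(s) for s in sorted(states))


def nondeterminism_witness(p):
    """Return None if `p` is deterministic, else (trace, event) where after `trace`
    the process may both accept and refuse `event` (or "divergence")."""
    start = p.tau_closure({p.init})
    queue, seen = deque([((), start)]), {start}
    while queue:
        trace, states = queue.popleft()
        if p.diverges(states):
            return (trace, "divergence")
        accept = set().union(*(p.enabled(s) for s in states))  # events possible after trace
        for s in sorted(states):
            if p.is_stable(s):
                refusable = accept - p.enabled(s)  # possible after trace, yet refused here
                if refusable:
                    return (trace, min(refusable))
        for a in sorted(accept):
            nxt = p.tau_closure(set().union(*(p.succ(s, a) for s in states)))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((trace + (a,), nxt))
    return None


def flows(process, source):
    """Roscoe-style check: information flows from `source` iff hiding it leaves
    the rest of the system non-deterministic. Returns the witness or None."""
    return nondeterminism_witness(process.hide(source))


# Constructed example: C = high inputs, D = low outputs.
HIGH = {"h.0", "h.1"}
LOW = {"l.0", "l.1"}

# The low output copies the high input: a flow from C to D.
leaky = LTS("s0", [("s0", "h.0", "s1"), ("s0", "h.1", "s2"),
                   ("s1", "l.0", "s3"), ("s2", "l.1", "s3")])

# The low output is l.0 whatever the high input was: no flow.
secure = LTS("s0", [("s0", "h.0", "s1"), ("s0", "h.1", "s2"),
                    ("s1", "l.0", "s3"), ("s2", "l.0", "s3")])

if __name__ == "__main__":
    print("leaky, hide C :", flows(leaky, HIGH))    # ((), 'l.1'): l.1 both possible and refusable
    print("secure, hide C:", flows(secure, HIGH))   # None: deterministic, no flow
    print("leaky, hide D :", flows(leaky, LOW))     # None: nothing flows back from D to C
```

Note that `leaky` is itself deterministic when nothing is hidden; the non-determinism appears only from D's point of view once C's events are made invisible, which is what makes the criterion a statement about flow rather than about the system in isolation.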