A Demonic Lattice of Information

Author

  • Carroll Morgan
Abstract

Landauer and Redmond’s Lattice of Information was an early and influential formalisation of the pure structure of security [8]: a partial order was defined for information-flow from a hidden state. In modern terms we would say that more-security refines less-security. For Landauer, the deterministic case [op. cit.], the refinement order is a lattice. Very recently [9, 3] a similar approach has been taken to purely probabilistic systems and there too a refinement order can be defined; but it is not a lattice [12]. In between deterministic and probabilistic is demonic, where behaviour is not deterministic but also not quantifiable. We show that our own earlier approach to this [15, 16] fits into the same pattern as deterministic and probabilistic, and illustrate that with results concerning compositionality, testing, soundness and completeness. Finally, we make some remarks about source-level reasoning.

1 A deterministic lattice of information — the original

1.1 Historical introduction and intuition

Landauer and Redmond proposed in 1993 A Lattice of Information [8] for deterministic channels that accept hidden input and produce visible output. The “information” in Landauer’s title is what the channel’s output tells an observer about the input that we are trying to hide from her.¹

Definition 1. Deterministic channel. Given non-empty input space I and output space O, a deterministic channel is a total function from I to O. For channel C: I→O, an input i in I produces an output C(i) in O.

With “deterministic” we emphasise that for any input i the channel C always outputs the same output o, that is o = C(i).

Take for the input space I the letters {A,B,E,W}, and let the output space O be {vowel,cons} for “vowel” or “consonant”; then define channel C: I→O in the obvious way. Define another channel C: I→O where O is {early, late} for “early” or “late” in the alphabet.

These two channels C have different output spaces O (but the same input space) because they are observing different things. We compare them therefore only wrt. the information they release about their inputs: the precise values of their outputs will be seen to be irrelevant. Each channel induces a partition on I via the kernels of the functions C, as shown in Fig. 1, where the partitions’ cells show just which elements of I can be distinguished by an observer who sees the output of the channel: two input elements can be distinguished by an observer just when they are not in the same cell. Thus Fig. 1(a) shows that B,W cannot be distinguished by an observer of C’s output, because they are both consonants; but Fig. 1(b) shows that B,W can be distinguished by C, because B is early but W is late.

¹ We use the feminine she/her consistently for adversaries. Plural we/us is used for the designers or users of programs, or the readers of this article; and neuter “it” or plural “they” is used for third parties.
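The kernel partitions of the two example channels, and how they compare, can be computed directly. The following is an added example, not code from the paper; the function names are hypothetical, and it assumes "early" means the first half of the alphabet (the text only fixes B as early and W as late). It goes slightly beyond the excerpt by also computing the two lattice operations on partitions.

```python
from itertools import combinations

I = ["A", "B", "E", "W"]  # input space from the text

def vowel_cons(i):
    return "vowel" if i in "AEIOU" else "cons"

def early_late(i):
    # Assumption: "early" = first half of the alphabet (A..M).
    return "early" if i <= "M" else "late"

def kernel(channel, inputs=I):
    """Partition induced by a channel: one cell per distinct output."""
    cells = {}
    for i in inputs:
        cells.setdefault(channel(i), set()).add(i)
    return frozenset(frozenset(c) for c in cells.values())

def distinguishable(partition, x, y):
    """Two inputs are distinguishable just when no cell holds both."""
    return not any(x in cell and y in cell for cell in partition)

def at_least_as_secure(p, q):
    """True when every cell of q fits inside a cell of p,
    i.e. q reveals everything p reveals (and possibly more)."""
    return all(any(cq <= cp for cp in p) for cq in q)

def both_observed(p, q):
    """Common refinement: what an observer of both outputs learns."""
    return frozenset(cp & cq for cp in p for cq in q if cp & cq)

def common_information(p, q):
    """Finest partition coarser than both: merge overlapping cells."""
    cells = [set(c) for c in p | q]
    merged = True
    while merged:
        merged = False
        for a, b in combinations(cells, 2):
            if a & b:
                cells.remove(a)
                cells.remove(b)
                cells.append(a | b)
                merged = True
                break
    return frozenset(frozenset(c) for c in cells)

if __name__ == "__main__":
    pv, pe = kernel(vowel_cons), kernel(early_late)
    print(sorted(map(sorted, pv)), sorted(map(sorted, pe)))
    print(sorted(map(sorted, both_observed(pv, pe))))
    print(sorted(map(sorted, common_information(pv, pe))))
```

Under that assumption the two channels are incomparable: neither partition fits inside the other, yet both operations still return a partition, which is what makes the deterministic order a lattice.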


Similar resources

Multirelations with infinite computations

Multirelations model computations with both angelic and demonic non-determinism. We extend multirelations to represent finite and infinite computations independently. We derive an approximation order for multirelations assuming only that the endless loop is its least element and that the lattice operations are isotone. We use relations, relation algebra and RelView for representing and calculat...


On the design and security of a lattice-based threshold secret sharing scheme

In this paper, we introduce a method of threshold secret sharing scheme (TSSS) in which secret reconstruction is based on Babai's nearest plane algorithm. In order to supply secure public channels for transmitting shares to parties, we need to ensure that there are no quantum threats to these channels. A solution to this problem can be utilization of lattice-based cryptosystems for these channe...


Refinement and State Machine

Most SVRC technical reports are available via anonymous ftp, from svrc.it.uq.edu.au in the directory /pub/techreports. Abstracts and compressed postscript files are available via Abstract Precise module interface specifications are essential in modular software development. The role of state in these specifications has been the issue of some debate and is central to the notion of data refinement. In...


Demonic orders and quasi-totality in Dedekind categories

This paper presents a proof of the associativity of demonic composition of relations in Dedekind categories and shows that the demonic composition is monotonic with respect to two demonic orderings on relations, which are defined by quasi-total relations, respectively.


Demonic Fixed Points

We deal with a relational model for the demonic semantics of programs. The demonic semantics of a while loop is given as a fixed point of a function involving the demonic operators. This motivates us to investigate the fixed points of these functions. We give the expression of the greatest fixed point with respect to the demonic ordering (demonic inclusion) of the semantic function. We prove th...



Publication date: 2017