there is no formal requirement that it be hidden from the observer, it is reasonable to take the pessimistic view that it is part of $\mathit{visible}_s(w)$. With this done, the system will again be found insecure.

7.3.2. Controlling Pessimism

Note that no reference has been made to the statistical properties of the signal in either of the previous cases. Both analyses are therefore pessimistic — they find the system to be insecure no matter what the characteristics of the noise signal.

There is a third option for analysis in cases where the pessimism of the first two is known to be excessive, or where a more detailed analysis of the system is desired. This might be appropriate in situations where the statistical nature of the interfering noise is well known. It involves characterising the system's operation as a function of the extra signal, regarding it as a parameter rather than as an ordinary input with an assigned level. Statistical knowledge concerning the noise input may then be used with the parametrized model to derive statistics relating to the system's execution.

Since the model will now be dealing with probabilistic issues (though the system model is deterministic, the noise inputs are not) a security definition is required that prohibits probabilistic inference. Non-deducibility is an attractive starting point for formulating such a definition.

Let $W$ be a deterministic set of worlds, and $\mathit{visible}_s(w)$, $\mathit{secret}_s(w)$, and $\mathit{noise}(w)$ be information functions such that $\mathit{noise}(w)$ is a value of a random variable $N$. Then, the system is quasi-deterministically non-deducibility secure with respect to $\mathit{visible}_s$ and $\mathit{secret}_s$ if the following holds:

For each observation $v \in \{\mathit{visible}_s(w),\ w \in W\}$ there exists a unique probability $p$ such that for all secrets $k \in \{\mathit{secret}_s(w),\ w \in W\}$

$$p = \sum_{\substack{w \in W \\ \mathit{visible}_s(w) = v \\ \mathit{secret}_s(w) = k}} \mathrm{Prob}(N = \mathit{noise}(w))$$

7.4. Evaluation of Nondeducibility - 175 -

The sense of this definition is that all secrets must be equally likely given any observation. In other words, the probability of a noise sequence that will allow a secret to coexist with some observation must be independent of the secret.

In our communications channel example, the memoryless nature of the channel means that the functional dependency can be expressed as

$$\mathit{out}_i = \mathit{in}_i \oplus \mathit{noise}_i$$

where $x_i$ is the $i$th element of the $n$-long bit sequence $x^n$. We identify the $n$-bit sequences $\mathit{in}^n$ as the secret, $\mathit{out}^n$ as the observation, and $\mathit{noise}^n$ as the random noise. If the individual noise values $\mathit{noise}_i$ are independent and equiprobably 0 or 1, then given any $n$-bit observation and secret, the probability of a noise sequence necessary for their coexistence is $1/2^n$, which is independent of the secret sequence. The system is secure.

If the noise signal samples are again independent, but take the value 1 with probability only $10^{-9}$, the system is insecure. A simple counterexample with $n = 1$ has $\mathit{out} = \langle 0 \rangle$. Coexistence with $\mathit{in} = \langle 0 \rangle$ requires $\mathit{noise} = \langle 0 \rangle$, which occurs with probability $1 - 10^{-9}$, while coexistence with $\mathit{in} = \langle 1 \rangle$ requires $\mathit{noise} = \langle 1 \rangle$, which occurs with probability $10^{-9}$. Since the probabilities vary for different secrets, the system is insecure.

Consider finally the case where the noise source has the behaviour

$$\mathit{noise}_i = \begin{cases} \mathit{noise}_{i-1} & \text{with probability } 0.9 \\ 1 - \mathit{noise}_{i-1} & \text{with probability } 0.1. \end{cases}$$

The probability of a single noise sample being a 1 is $1/2$, as in the first case, but the samples are no longer independent. This noise process generates alternating strings of zeroes and ones, with a mean burst length of 10 samples. This is like having low-frequency bandlimited noise in a communications channel. This system is also insecure, as can be seen from an example using 4-bit sequences. Let the observation be the string $\langle 0, 0, 0, 0 \rangle$, then a secret input of $\langle 0, 0, 0, 0 \rangle$ requires a noise sequence of $\langle 0, 0, 0, 0 \rangle$ which occurs with probability $1/2 \times 9/10 \times 9/10 \times 9/10 \approx 0.36$. The secret input $\langle 0, 1, 0, 1 \rangle$, however, requires a noise sequence of $\langle 0, 1, 0, 1 \rangle$ to coexist, and the probability of this is only $1/2 \times 1/10 \times 1/10 \times 1/10 = 0.0005$. Note that the probabilistic security models, which assume independent perturbations, would not be able to distinguish this case from the first one and so would erroneously consider this system secure.
7.4. EVALUATION OF NONDEDUCIBILITY

There are various sources of variability in the execution of realistic systems. Nondeducibility and its immediate successors represented this variability, but did so in a way that could give very optimistic assessments of security. Probabilistic models, where every transition is assigned a probability, are appropriate only where the variability is (or very closely resembles) true randomness and where meaningful probabilities may be assigned to the transitions. Where this is not the case, more detailed modelling may uncover the deterministic mechanism behind some variation but the increase in model complexity can quickly become overwhelming.

Quasi-deterministic modelling appears to be applicable in all these cases. Where variation exists but cannot be statistically characterised, the model used is naturally pessimistic. On the other hand, if the statistical nature of the random effects can be realistically represented then the opportunities for probabilistic inference can be accurately detected.

7.5. WHAT IS SECRET?

Early information flow models including noninterference [Goguen82], nondeducibility [Sutherland86], and restrictiveness [McCullough87], identify the sensitive information in a system as the sequence of high-level inputs it receives, and define confidentiality as the prevention of disclosure to unauthorized observers of those inputs. This definition subsumes detail such as the existence of labelled objects — if an object's contents are derived from past high-level inputs then they must not be divulged, and as far as the model is concerned the object's label is simply a bookkeeping device used to achieve this protection by an implementation^7. Similarly, low observers cannot have access to outputs that are derived from high inputs. Thus, high inputs are explicitly protected, while files and outputs may be consequentially protected to the extent that they do or may inherit sensitivity from high inputs used to create them.

^7 Implementations usually protect files and outputs which are labelled high, whether or not the information in them is actually derived from high inputs. The models permit this extra protection, but do not require it.

Joshua Guttman and Mark Nadel challenged this practice in [Guttman88], arguing that in many systems high inputs are not the only sources of sensitive information. They suggest that a valid definition of security should also explicitly protect high-level outputs, to ensure that any high-level contents that are not derived from high inputs will also not be divulged. They also contend that the interleaving between high-level inputs and low system activity may be sensitive and should also be explicitly protected.

Since that paper was published, there has been surprisingly little discussion of the topics it raised. Some published material references it and even accepts its assertions, but there is little or no work to be found that actively either supports or refutes them. In this chapter, however, it will be demonstrated that the issues raised by Guttman and Nadel have not yet been appropriately resolved, and that it would be premature to attempt to "close the book" on them.

7.5.1. Output Security

In support of their claim of innate output sensitivity, Guttman and Nadel present several examples that are perhaps not as convincing as they might be. Their third example contains a decryptor, and it is argued that the output is sensitive although the inputs are not. This is clearly not the case, since one very important input is the decryption key, which is very sensitive indeed. In this case, at least, the conventional approach will suffice.

However, this does not deny the validity of their claims as much as it illustrates the difficulty of generating good, non-toy examples. It is certainly true that the outputs of real systems may be sensitive despite their independence from high-level inputs. There are several ways that this can happen:

1) Nondeterministic systems may spontaneously generate or modify high-level outputs. The outputs are then not fully determined by inputs, and at least in the information-theoretic sense contain more information than the inputs. It is conceivable that this information might be sensitive, perhaps not intrinsically but because of the way it will be used. For example, the government's revenue department might use a random-number generator to select taxpayers for income tax audits, and may validly desire to prevent leaking the selections and tipping off the lucky winners.

2) Time and computational resources used in producing a result, even if it is ultimately derived from non-sensitive data, can constitute added value that is worthy of protection. This might occur in the national security setting, as in the results of a sophisticated analysis or simulation-based strategic projection, but may be more familiar in the commercial sector where the sensitivity of information is directly related to the commercial advantage enjoyed by its holder. But perhaps the classic example is a code breaking machine that generates two very sensitive 100-digit prime factors from its input, a rather mundane number 200 digits long.

3) Sensitive information built into the structure of the system, such as a pre-loaded database or hardwired key, may also contribute information to outputs. Sutherland explicitly disallows this in his nondeducibility definition, since he assumes that the construction details of the system are public knowledge. Other trace-based definitions make the same assumption, although they may fail to recognize it. Systems of this type may be modelled by assuming the presence of phantom past inputs responsible for creating the database or installing the key, but this practice is somewhat unnatural and nonintuitive and therefore may contribute to modelling errors.

4) As a distinguishable variation of the previous cases, if secret algorithms are employed to process data then the sensitivity of the results may be affected. This is similar to case 2, except that here the factor contributing to the value of the outputs is embedded high data or development effort rather than computational effort. It is also similar to case 3, except that the sensitive technology is embedded in a program rather than in preloaded or preconfigured data, and also that the program need not be initially present in the system. Actually, a consistent interpretation of most models would regard a computer system as a machine-instruction interpreter, and a program as part of the data input to that system. Then, just as in the general case of a computation driven by high-level data, the outputs would naturally inherit the sensitivity of that data. However, there is evidence that this interpretation is not sufficiently obvious (e.g. [McLean90] appears to consider it novel) to be widely practised.

Guttman and Nadel propose a security definition that protects these other sources by explicitly protecting all aspects of high-level outputs except those that can be traced to low inputs. The exception is made to permit write-up. McLean recommends a similar style of output protection in his FM model [McLean90].

It is the reputed advantage of these definitions that they protect all the information in high outputs that comes from the "other sources". Unfortunately, this characteristic is also their greatest fault: any information generated within the system, if it affects high-level outputs, will be considered high-level. This happens automatically and ungovernably, despite any reasonable wishes to the contrary on the part of the system designers or users, because it is inherent in the notion of output security.

As a result, no system that is to be judged secure by these models can generate unclassified random numbers, or process transactions against an unclassified database, unless its security policy prevents those activities from affecting high-level outputs. This amounts to the elimination of write-up occurring within the system, and Guttman and Nadel's model does not, in fact, permit write-up to occur unless the low input is received directly from a user. The effect of this rule depends on the granularity of decomposition during modelling, but presumably would prevent high-level users from reading low files fetched over a network or from magnetic tape.

It is difficult to see how restrictions like these contribute to the security of a system. It seems more likely that the formal security definition that inspires them is too aggressive, and attempts to protect more than really deserves protecting. An improved definition should allow finer discrimination of information and more accurate description of sensitivity than this.

7.6. UPGRADING AND DOWNGRADING

Popular security models also have difficulty encompassing systems where the sensitivity of information changes, or where special circumstances render a configuration secure that would ordinarily be considered insecure. Often, any process by which these changes occur is required to be analyzed outside the model by some alternate, special-purpose technique. Information-flow-based security definitions may not permit representing these flows even if they have been separately approved. Although it may not be reasonable to expect a general security model to handle verifying the security of these functions, it is still desirable that the result of verification be representable in the model.

Upgrading is not particularly difficult to handle, since it may usually be modelled either as simple write-up, or as computational added value according to case 2 of the previous list. A third possibility is when two or more non-sensitive data items are selectively bound together (e.g. a picture of the Statue of Liberty and the phrase "Missile Site") forming a high-level compound, but since this binding is not spontaneous there must be other inputs to the process that can be identified as supplying the sensitive information.

Downgrading is a much more difficult problem. Information-flow models do not admit that a low-level output can securely depend on high-level inputs. In practical systems, there are several ways in which this can happen.

Downgrading can happen as a filtering operation, in which formally high-level data is sanitized, often manually, extracting low-level information from it. A reasonable view to take in this situation is that the input actually consists of intermixed high and low-level information, and that rather than saying that the output information has changed level it would be more correct to say that its overclassification has been corrected. Since this process ultimately depends on the correct functioning of a human, full formal verification is probably too much to expect. Still, a model would be more complete if it could at least represent the (assumed) secure functioning of such a downgrader. Perhaps a recognition in the model of the difference between sensitivity and label might permit this representation.

A rather more difficult downgrading event is one in which the actual sensitivity of information does change. This is fairly common with classified material that becomes less sensitive with the passage of time [Williams88], and may even be mandated for data subject to freedom of information laws. It is different from the sanitizing downgrader both because the information really does change level, and because the event that triggers the
3804(downgrade)X 835 5028(may)N 1054(be)X 1185(as)X 1313(mundane)X 1761(as)X 1889(the)X 2063(changing)X 2498(of)X 2608(the)X 2783(calendar,)X 3225(where)X 3529(previously)X 4020(it)X 4118(was)X 835 5136(a)N 920(carefully)X 1341(considered)X 1847(decision)X 2237(of)X 2348(a)X 2432(security)X 2819(of\256cer.)X 3177([Sutherland89])X 3881(describes)X 835 5244(a)N 920(notation)X 1324(that)X 1543(can)X 1731(express)X 2099(changing)X 2537(levels)X 2822(of)X 2935(this)X 3139(type)X 3363(and)X 3563(sketches)X 3978(a)X 4064(secu-)X 835 5352(rity)N 1023(de\256nition)X 1475(that)X 1688(employs)X 2077(it.)X 1035 5508(Encryption)N 1569(is)X 1684(a)X 1777(process)X 2145(in)X 2275(which)X 2582(high-level)X 3061(inputs)X 3387(\(data)X 3658(and)X 3866(key)X 4063(seed\))X 835 5616(produce)N 1218(a)X 1303(low-level)X 1727(output.)X 2108(If)X 2211(it)X 2310(is)X 2417(a)X 2501(public-key)X 2990(system,)X 3359(then)X 3593(both)X 3821(the)X 3996(output)X 180 p %%Page: 180 19 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(180)X 798(-)X 2036(7.)X 2145(Nondeterministic)X 3051(Security)X 3502(Modelling)X 1 f 547 684(and)N 776(the)X 982(input)X 1285(key)X 1504(are)X 1711(low.)X 1981(Information)X 2577(\257ow)X 2822(considers)X 3301(these)X 3601(insecure,)X 547 792(because)N 926(the)X 1100(output)X 1425(is)X 1530(affected)X 1908(by)X 2042(the)X 2216(inputs)X 2531(\(noninterference\))X 3329(or)X 3450(is)X 3555(correlated)X 547 900(with)N 777(particular)X 1252(input)X 1521(values)X 1836(\(nondeducibility\).)X 2671(These)X 2965(are)X 3139(prohibited)X 3627(because,)X 547 1008(in)N 687(principle,)X 1158(an)X 1321(observer)X 1751(could)X 2037(invert)X 2355(the)X 2549(function)X 2966(and)X 3183(deduce)X 3541(something)X 547 1116(about)N 828(the)X 1003(sensitive)X 1427(input,)X 1725(but)X 1905(in)X 2025(practice)X 2408(the)X 2583(inversion)X 3027(is)X 3133(suf\256ciently)X 3658(dif\256cult)X 547 1224(that)N 790(the)X 990(deduction)X 1480(is)X 1611(impractical.)X 2223(Cryptologists)X 2868(can)X 
3079(distinguish)X 3635(between)X 547 1332(secure)N 881(and)X 1097(insecure)X 1521(encryption)X 2043(systems)X 2448(because)X 2846(they)X 3090(explicitly)X 3544(model)X 3859(the)X 547 1440(computational)N 1227(capabilities)X 1777(of)X 1900(the)X 2087(observer.)X 2563(Adding)X 2925(that)X 3153(full)X 3346(capability)X 3823(to)X 3950(a)X 547 1548(general)N 922(model)X 1231(would)X 1541(probably)X 1970(be)X 2114(excessive,)X 2593(since)X 2861(we)X 3027(wish)X 3279(only)X 3510(to)X 3638(describe)X 547 1656(systems)N 930(containing)X 1426(encryption)X 1926(rather)X 2236(than)X 2471(prove)X 2743(the)X 2914(encryption)X 3414(secure.)X 747 1812(Looking)N 1150(inside)X 1463(the)X 1653(encryptor,)X 2153(we)X 2323(may)X 2559(\256nd)X 2779(one)X 2981(unit)X 3213(that)X 3446(expands)X 3859(the)X 547 1920(supplied)N 970(key)X 1172(into)X 1392(a)X 1490(semi-in\256nite)X 2097(string)X 2407(of)X 2532(symbols)X 2934(and)X 3146(a)X 3244(second)X 3587(unit)X 3817(that)X 547 2028(combines)N 985(this)X 1183(key)X 1366(stream)X 1704(with)X 1932(the)X 2103(data)X 2328(to)X 2440(produce)X 2818(the)X 2989(encrypted)X 3455(output.)X 3832(The)X 547 2136(expanded)N 999(key)X 1183(is)X 1286(highly)X 1594(sensitive,)X 2041(since)X 2293(its)X 2432(possession)X 2927(would)X 3221(enable)X 3539(the)X 3710(simple)X 547 2244(decryption)N 1046(of)X 1157(the)X 1332(ciphertext.)X 1868(The)X 2070(unit)X 2286(that)X 2503(combines)X 2945(the)X 3120(two)X 3311(high)X 3541(streams)X 3928(is)X 547 2352(yet)N 716(another)X 1096(dif\256cult)X 1474(case)X 1696(of)X 1809(downgrading,)X 2448(because)X 2830(it)X 2930(combines)X 3373(two)X 3565(high-level)X 547 2460(signals)N 890(using)X 1164(a)X 1247(simple)X 1570(and)X 1767(easily)X 2054(invertible)X 2513(function)X 2910(to)X 3025(form)X 3263(its)X 3405(low-level)X 3827(out-)X 547 2568(put.)N 796(Information)X 1373(\257ow)X 1599(calls)X 1844(this)X 2059(insecure)X 2477(as)X 2618(well,)X 2871(and)X 3081(appeals)X 3463(to)X 3591(computa-)X 547 2676(tional)N 
831(complexity)X 1336(are)X 1507(not)X 1678(available.)X 747 2832(Intuitively,)N 1285(the)X 1469(key)X 1665(stream)X 2016(is)X 2131(not)X 2315(innately)X 2722(sensitive,)X 3182(and)X 3389(we)X 3552(permit)X 3891(an)X 547 2940(observer)N 958(to)X 1075(deduce)X 1414(possible)X 1799(pairs)X 2056(of)X 2167(data)X 2396(and)X 2594(key)X 2781(stream)X 3123(symbols)X 3511(because)X 3891(its)X 547 3048(randomness)N 1115(prevents)X 1529(deduction)X 1991(about)X 2269(the)X 2441(data)X 2668(alone.)X 2989(However,)X 3438(conventional)X 547 3156(information)N 1101(\257ow)X 1312(will)X 1506(accept)X 1814(this)X 2014(only)X 2231(if)X 2322(we)X 2474(treat)X 2721(the)X 2894(key)X 3079(stream)X 3419(as)X 3546(a)X 3628(random-)X 547 3264(izing)N 806(in\257uence,)X 1281(and)X 1491(not)X 1678(as)X 1819(a)X 1916(signal)X 2228(like)X 2437(other)X 2716(signals.)X 3127(But,)X 3363(if)X 3469(we)X 3636(use)X 3832(this)X 547 3372(approach,)N 1022(we)X 1184(lose)X 1394(the)X 1577(ability)X 1899(to)X 2022(distinguish)X 2560(between)X 2966(a)X 3057(secure)X 3381(system)X 3730(where)X 547 3480(the)N 718(key)X 902(stream)X 1241(is)X 1344(protected)X 1786(as)X 1912(high-level)X 2378(data)X 2604(and)X 2799(an)X 2939(insecure)X 3342(one)X 3525(in)X 3642(which)X 3936(it)X 547 3588(is)N 649(not.)X 3 f 547 3984(7.7.)N 765(WHAT)X 1112(TO)X 1288(DO?)X 1 f 747 4140(So)N 890(far)X 1053(we)X 1211(have)X 1457(an)X 1604(extensive)X 2056(wishlist)X 2442(but)X 2626(few)X 2817(leads)X 3084(on)X 3227(how)X 3445(to)X 3566(accommo-)X 547 4248(date)N 768(it)X 863(all.)X 1058(It)X 1162(is)X 1265(not)X 1437(even)X 1671(clear)X 1916(at)X 2033(this)X 2231(point)X 2487(whether)X 2883(a)X 2963(suf\256ciently)X 3483(comprehen-)X 547 4356(sive)N 773(security)X 1181(de\256nition)X 1658(is)X 1785(feasible.)X 2230(We)X 2424(wish)X 2686(to)X 2824(handle)X 3181(as)X 3332(many)X 3633(of)X 3766(these)X 547 4464(dif\256cult)N 923(cases)X 1188(as)X 1317(possible,)X 1729(but)X 1908(without)X 2283(signi\256cantly)X 2860(increasing)X 
3351(the)X 3525(complexity)X 547 4572(of)N 672(modelling)X 1153(simpler)X 1534(systems.)X 1989(That)X 2247(is,)X 2394(any)X 2603(complexity)X 3127(added)X 3439(to)X 3570(deal)X 3802(with)X 547 4680(these)N 820(dif\256cult)X 1201(cases)X 1471(should,)X 1830(as)X 1964(far)X 2128(as)X 2262(possible,)X 2679(affect)X 2960(only)X 3184(models)X 3531(of)X 3647(systems)X 547 4788(that)N 760(display)X 1106(the)X 1277(troublesome)X 1848(characteristics.)X 747 4944(Some)N 1015(of)X 1122(the)X 1293(discussion)X 1779(in)X 1895(the)X 2066(previous)X 2472(sections)X 2854(suggested)X 3320(the)X 3492(ideas)X 3751(of)X 3859(the)X 547 5052(transmission)N 1173(of)X 1300(sensitivity)X 1810(and)X 2024(of)X 2151(clarifying)X 2620(the)X 2811(distinction)X 3330(between)X 3744(sensi-)X 547 5160(tivity)N 810(and)X 1004(label.)X 1299(We)X 1468(begin)X 1736(by)X 1867(looking)X 2217(a)X 2297(little)X 2536(more)X 2787(closely)X 3109(at)X 3226(these)X 3490(issues.)X 181 p %%Page: 181 20 12 s 0 xH 0 xS 1 f 3 f 835 396(7.7.)N 1026(What)X 1313(to)X 1440(Do?)X 4008(-)X 4067(181)X 4259(-)X 835 684(7.7.1.)N 1135(Sensitivity)X 1703(Flow)X 1 f 1035 840(Earlier)N 1387(it)X 1490(was)X 1699(remarked)X 2167(that)X 2390(many)X 2675(early)X 2937(security)X 3330(models)X 3678(assumed)X 4105(that)X 835 948(the)N 1007(sensitivity)X 1498(of)X 1606(high)X 1833(inputs)X 2146(is)X 2248(inherited)X 2684(by)X 2815(the)X 2986(high)X 3212(outputs)X 3579(they)X 3801(are)X 3972(used)X 4206(to)X 835 1056(produce.)N 1272(As)X 1418(information)X 1974(\257ows)X 2233(from)X 2473(the)X 2649(inputs)X 2966(to)X 3083(the)X 3259(derived)X 3621(outputs,)X 4020(it)X 4120(car-)X 835 1164(ries)N 1043(its)X 1197(sensitivity)X 1702(along.)X 2039(The)X 2252(explanation)X 2817(for)X 2982(this)X 3195(is)X 3312(that)X 3539(disclosure)X 4026(of)X 4147(the)X 835 1272(outputs)N 1229(would)X 1550(provide)X 1934(some)X 2214(information)X 2792(about)X 3097(the)X 3296(inputs,)X 3663(and)X 3885(therefore)X 835 1380(must)N 1088(be)X 1216(avoided.)X 
Often, though, the "flow" of sensitivity is really in the other direction, originating in the use of some signal and propagating back to its source. It may be fair to say that information comes from sources, but sinks are the origins of sensitivity.

In some sense, of course, all classified information derives its sensitivity from its use. More precisely, the sensitivity is a consequence of the potential for abuse if the information should be improperly distributed. However, sensitivity can also be traceable to a permitted use. This is particularly obvious in cases where the sensitivity of an output depends on how it is used rather than any meaning it might possess.

In the dissected encryptor example, the pseudorandom generator output has no inherent meaning, and so cannot be said to be sensitive for that reason, but is very sensitive if used to encrypt other high-level data. And, therefore, the key seed input to the generator must also be protected, because someone who knew it could duplicate the key stream output. This is an example of sensitivity propagating from an output back to an input.

Occasionally, sensitivity may also spread from one input to another. The key stream input had to be protected as high-level in order to protect the high-level plaintext data; therefore it inherits its sensitivity from another input. It seems that sensitivity can originate in a small number of meaningful signals, and propagate backward, forward, and sideways through system components to other signals.

Informally, at least, we can recognize sensitivity propagation by distinguishing between signals that are inherently sensitive and those that are consequentially sensitive. The sensitivity of inherently sensitive signals is imposed from outside the system. In order to protect those signals from disclosure, some collection of other signals must also be assigned a high sensitivity, and these are the consequentially sensitive ones.

Sometimes, a system may have more than one satisfactory assignment of sensitivity levels to signals. The encryptor submodule that combined the key stream with high-level data had to have its second input be high level because its output was low. Note, however, that if a functionally identical component were used such that its output were high, the second input could be left low without incurring any compromise. Knowing the functional specification of the component plus the fact that one of its inputs receives high-level data is not sufficient to uniquely determine the correct labels to apply to its other ports. The choice of the right assignment here depends on the externally imposed constraint that the output must be low. Our interpretation of this is that a security model should not dictate the sensitivity of information, but should allow the modeller to represent some proposed assignment together with a description of the system functionality, and from this the model should indicate whether or not the assignment and function together are consistent with the protection of the inherently secure information.

7.7.2. Labels vs. Sensitivity

Systems that process multilevel information must have some way to distinguish one level from another, whether the separation is maintained through the static configuration of the system or by dynamically tracking sensitivity as data progresses through the system. This is typically accomplished by applying labels to the system's state components (files, variables, etc.) and to its external and internal interconnections. This is convenient when an access control-based definition of security is used to model the system, since the notion of access to labelled objects corresponds very naturally to labelled data containers.

On the other hand, if the actual sensitivity of information is of interest, it is not necessarily accurately indicated by the label affixed to the containing file or port. The contents of a file labelled "Secret" are not necessarily Secret, since they may have been written up from some lower-level source. What the label does provide is an upper bound to the sensitivity, a guarantee that the state of the file depends only on information that is "Secret" or lower (see [DiVito88]).

An important point to note is that the state of a file includes more than its contents, and sometimes different aspects of its state may have different sensitivities. If a process with access to Secret data writes Unclassified information into a Secret file, we still cannot permit an Unclassified user to read it. Not because the contents are too sensitive, but because their existence in that file is the result of Secret-level activity and therefore may encode some information that is Secret.

Even if an Unclassified process writes Unclassified information up into the Secret file, there is still good reason to prohibit subsequent reads by low users. Not because the data is sensitive, nor because it resulted from high-level activity, but because its continued presence in the file is evidence of high-level inactivity: it indicates that no Secret process has yet overwritten the file. Because its Secret label permits the file to be altered by Secret users, its state will always reflect some Secret information, even if only by its unrealized potential for modification.

What is really "Secret" in the last case is not the contents of the file, but the fact that that data is in that Secret file. That is, the data itself is Unclassified but the binding between data and container is Secret since it is subject to Secret-level alteration. To see this, consider that if the Unclassified data were leaked in such a way that its presence in the Secret file were not revealed, there would be no compromise.

What is true for files holds as well for other data conduits. A system output labelled high may carry data that is itself sensitive, or it may carry information that is low but whose presence at that port is sensitive. When components are connected to form composite systems these outputs become inputs to other components, and so inputs that are nominally high-level may also convey information whose actual sensitivity is not high.
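The combining unit of the dissected encryptor (7.6) and the alternative label assignments for it discussed in 7.7.1 can be checked mechanically by enumerating the universe of executions. The Python below is an added example, not code from this thesis or from any system it describes. It assumes a toy linear congruential generator in place of the key-expansion unit, a two-bit symbol alphabet so that every (data, key stream) pair can be listed, the data input as the inherently sensitive signal, and Sutherland-style nondeducibility (every visible view compatible with every secret value) as the security test:

```python
from itertools import product

# Toy model of the "dissected encryptor" from the text: a key-expansion
# unit turns a seed into a key stream, and a combining unit XORs that
# stream with the data.  Constructed for this example; not a real cipher.

SYMBOL_BITS = 2                      # assumption: tiny alphabet so the
ALPHABET = range(1 << SYMBOL_BITS)   # whole universe can be enumerated


def expand_key(seed, length):
    """Key-expansion unit.  Assumption: a linear congruential generator
    stands in for the real pseudorandom generator.  It is deterministic,
    so anyone holding the seed can duplicate the stream; that is why the
    text says the seed inherits the stream's sensitivity."""
    state = seed & 0xFFFF
    stream = []
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        stream.append((state >> 16) & (len(ALPHABET) - 1))
    return stream


def combine(data, keystream):
    """Combining unit: symbol-wise XOR of data with key stream."""
    return [d ^ k for d, k in zip(data, keystream)]


def recover_keystream(data, ciphertext):
    """XOR is its own inverse: a known (data, ciphertext) pair gives the
    key stream symbol, so the combiner is "easily invertible" as the text
    says and the stream must itself be protected."""
    return combine(data, ciphertext)


def worlds():
    """Universe of executions of the combining unit for one symbol.  The
    key stream is assumed uniform, so every (data, key) pair is a possible
    execution."""
    return [{"data": d, "key": k, "out": d ^ k}
            for d, k in product(ALPHABET, ALPHABET)]


def nondeducible(universe, visible, secret):
    """Nondeducibility over a finite universe: the set of observed
    (visible, secret) pairs must be the full Cartesian product, so that
    no visible view rules out any value of the secret view."""
    pairs = {(visible(w), secret(w)) for w in universe}
    vis = {v for v, _ in pairs}
    sec = {s for _, s in pairs}
    return pairs == {(v, s) for v in vis for s in sec}


def secret_data(w):
    """The data input is the inherently sensitive signal."""
    return w["data"]


# Each assignment of labels to the other two ports decides what a low
# observer sees; ports labelled high are hidden from the visible view.
LABEL_ASSIGNMENTS = {
    "out low, key high":  lambda w: (w["out"],),
    "out low, key low":   lambda w: (w["out"], w["key"]),
    "out high, key low":  lambda w: (w["key"],),
    "out high, key high": lambda w: (),
}


def check_assignments():
    """Which label assignments are consistent with protecting the data."""
    return {name: nondeducible(worlds(), visible, secret_data)
            for name, visible in LABEL_ASSIGNMENTS.items()}


if __name__ == "__main__":
    ks = expand_key(42, 4)
    data = [1, 2, 3, 0]
    ct = combine(data, ks)
    print("key stream recovered from known plaintext:",
          recover_keystream(data, ct) == ks)
    for name, ok in check_assignments().items():
        print(f"{name:20s} -> {'secure' if ok else 'insecure'}")
```

Two things fall out of the enumeration. Because XOR is its own inverse, a known plaintext symbol and its ciphertext symbol yield the key stream symbol, which is why the stream, and the seed that regenerates it, is consequentially sensitive. And the same combiner passes under "out low, key high" and under "out high, key low" but fails under "out low, key low": the functional specification alone does not fix the labels of the remaining ports, exactly as the text argues; it is the externally imposed label on the output that decides, and the model's job is to report whether the proposed assignment is consistent with protecting the data.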
Information flow models are concerned with the actual sensitivity of information, not with the labels on its containers. In the absence of better indicators, however, the container label is often assumed to reflect the actual sensitivity of its contents. Thus, non-interference defines the intrinsically sensitive information in the system to be events on high-level input ports. Nondeducibility gives some leeway in its definition, but in practice high-level inputs are a common choice here as well.

Interestingly, the possible discrepancy between label and sensitivity does not create problems for these models as they are usually applied. One reason is that the equivalence of label and sensitivity is assumed only for external high inputs, not for high outputs or high internal connections, and so any overclassification that occurs is not "visible" to the model. Compare this with the unusual application of nondeducibility described in [McLean90], where it is interpreted as applying directly to high-labelled objects and, in that incarnation, is found to be flawed. A second reason is that existing information flow security definitions do not depend on "high" information actually being unknown to low observers.

These saving graces may disappear with the emergence of a more comprehensive security definition. Bringing downgrading within the model requires recognizing overclassified data, whether it was overclassified at the time of its introduction to the system or whether its actual sensitivity has changed over time. If a model is to be able to include systems like the dissected encryptor, it must be able to represent the fact that the high-level key stream input really is high-level, and unknown to low observers, and that an upgraded low-level signal is not appropriate here even if it has all the right statistical properties. And, in order to protect high-level information of internal system origin, we need a way to specify sensitivity that does not depend on input port labels but that is more flexible than Guttman and Nadel's reliance on the output port label.

7.8. PRESCRIPTIONS

The techniques that will be described here allow a security model to deal in some manner with most of the problematic situations listed earlier. Some allow the troublesome mechanisms to be analyzed, while others simply allow them to be represented in a system model after their security properties have been verified by other means.

Unfortunately, these techniques do not afford complete coverage of the problem areas, but for the scenarios they do address they provide flexible and relatively uncomplicated means of handling them in a high-level system-wide security model.

7.8.1. Non-deducibility
We use non-deducibility as the foundation for these improvements because it has the following properties that we feel are desirable:

1) It is based on information flow rather than access control, which we believe to be more appropriate for a fundamental definition of security.

2) It can be instantiated to view components as black boxes, so that their security properties are defined entirely in terms of their external behaviour. Functionally equivalent systems are then credited with identical security guarantees. Although the internal structure of a box may affect our willingness to trust it, this is really a question of assurance rather than of guarantee.

3) Nondeducibility gives some flexibility in the designation of different classes of information that are to be separated. While the definition of noninterference specifically separates the sequence of input events on high-labelled ports from the events on low-level ports, nondeducibility relies on "information functions" to isolate the various components of the system execution that should be separated.

Nondeducibility requires the definition of two information functions for each distinct security classification. The first isolates all of the information in a given system execution that is intrinsically sensitive, and the second function represents all information that is directly visible at the classification in question. Nondeducibility security requires that these two functions not exhibit any correlation over the universe of possible system executions.

An event-trace representation of system operation can be employed to allow different aspects of events to be assigned different sensitivities. If "process p writes data x to file y and receives return code r" is an event, it is clear that the value x conveys information, as does the type of event (i.e. "write"), and also that the names p and y and the value of r also have some information content. All may have (possibly different) associated sensitivities. In addition, even if all the data in the event is ignored the existence of the event can also contain information, and so also may be sensitive.

In [Thomson88] the visible information function was defined as the subsequence of system events that involve any low-level port. The intrinsically sensitive information was defined as the high-level event sequence filtered by a function called simply the h function. Its purpose was to delete all parts of the high-level event stream that were not intrinsically sensitive high-level information. In the example model described in the report, the h function left only those parts of an event that were inputs to the system. This permitted
1553(what)X 1818(we)X 1982(normally)X 2422(think)X 2705(of)X 2826(as)X 2965(input)X 3246(events)X 3575(to)X 3701(include)X 4065(some)X 835 1116(inseparable)N 1380(outputs,)X 1776(such)X 2011(as)X 2138(return)X 2456(codes.)X 2778(The)X 2978(event)X 2 f 9 f 3250(\341)X 2 f 3282(p)X 1 f 3337(,)X 2 f 3396(write)X 1 f 3623(,)X 2 f 3682(x)X 1 f (,)S 2 f 3789(y)X 1 f (,)S 2 f 3896(r)X 9 f 3963(\361)X 1 f 4024(would)X 835 1224(be)N 973(massaged)X 1444(by)X 1584(the)X 3 f 1764(h)X 1 f 1866(function)X 2269(into)X 2 f 9 f 2479(\341)X 2 f 2511(p)X 1 f 2566(,)X 2 f 2625(write)X 1 f 2852(,)X 2 f 2911(x)X 1 f (,)S 2 f 3018(y)X 1 f (,)S 2 f 9 f 3125(\306)X 3220(\361)X 1 f 3252(,)X 3315(as)X 3449(the)X 3629(non-input)X 4103(part)X 835 1332(of)N 942(the)X 1113(event)X 1383(\(the)X 1586(return)X 1902(code\))X 2155(is)X 2257(replaced)X 2659(by)X 2790(the)X 2961(placeholder)X 2 f 9 f 3500(\306)X 1 f (.)S 1035 1488(This)N 1261(use)X 1441(of)X 1549(the)X 3 f 1721(h)X 1 f 1815(function)X 2210(is)X 2313(very)X 2534(conventional,)X 3155(since)X 3409(it)X 3505(is)X 3609(only)X 3826(the)X 3999(princi-)X 835 1596(ple)N 1008(of)X 1128(high-input)X 1639(protection)X 2127(applied)X 2493(to)X 2618(the)X 2802(situation)X 3240(where)X 3553(events)X 3881(may)X 4109(con-)X 835 1704(tain)N 1055(both)X 1293(inputs)X 1619(and)X 1827(outputs.)X 2262(However,)X 2723(if)X 2826(we)X 2991(knew)X 3272(more)X 3538(about)X 3830(the)X 4016(actual)X 835 1812(sensitivities)N 1405(of)X 1520(the)X 1699(components)X 2261(of)X 2376(these)X 2648(high)X 2881(inputs,)X 3227(a)X 3314(more)X 3572(complex)X 3 f 3966(h)X 1 f 4066(func-)X 835 1920(tion)N 1036(could)X 1298(be)X 1426(more)X 1677(selective)X 2084(in)X 2200(its)X 2339(identi\256cation)X 2954(of)X 3061(sensitive)X 3481(information.)X 3 f 835 2316(7.8.2.)N 1135 0.2344(Quasi-Determinism)AX 1 f 1035 2472(It)N 1140(was)X 1342(argued)X 1680(earlier)X 2004(that)X 2219(an)X 2360(appropriate)X 2909(way)X 3117(to)X 3232(represent)X 3688(nondetermin-)X 835 2580(ism)N 
1034(in)X 1162(a)X 1254(security)X 1649(model)X 1954(is)X 2068(to)X 2192(de\256ne)X 2499(one)X 2692(or)X 2821(more)X 3083(extra)X 3353(system)X 3702(inputs)X 4025(which)X 835 2688(are)N 1040(assumed)X 1491(to)X 1637(be)X 1799(driven)X 2146(by)X 2312(external)X 2743(random)X 3148(sources.)X 3595(This)X 3855(technique)X 835 2796(corrected)N 1281(a)X 1372(situation)X 1808(where)X 2119(nondeducibility)X 2844(could)X 3117(be)X 3256(overly)X 3564(optimistic)X 4041(about)X 835 2904(the)N 1006(noisiness)X 1442(of)X 1549(the)X 1720(nondeterminism.)X 1035 3060(Another)N 1427(bene\256cial)X 1879(side-effect)X 2358(of)X 2467(this)X 2668(technique)X 3134(is)X 3239(that)X 3455(it)X 3552(exposes)X 3922(a)X 4005(source)X 835 3168(of)N 972(internally-generated)X 1943(information,)X 2551(allowing)X 2984(it)X 3108(to)X 3250(be)X 3407(classi\256ed)X 3871(and)X 4094(kept)X 835 3276(secret)N 1143(\(or)X 1310(not\))X 1530(just)X 1743(as)X 1885(any)X 2093(other)X 2373(information)X 2942(source.)X 3327(This)X 3570(method)X 3947(is)X 4067(more)X 835 3384(\257exible)N 1182(than)X 1418(that)X 1632(the)X 1804(Guttman-Nadel)X 2533(approach,)X 2997(because)X 3374(it)X 3469(allows)X 3778(these)X 4042(inter-)X 835 3492(nal)N 1030(information)X 1607(sources)X 1991(to)X 2129(be)X 2283(treated)X 2657(as)X 2808(having)X 3164(whatever)X 3631(sensitivity)X 4147(the)X 835 3600(modeller)N 1249(feels)X 1479(is)X 1581(appropriate.)X 1035 3756(Modelling)N 1526(spontaneous)X 2131(generation)X 2656(or)X 2796(modi\256cation)X 3392(of)X 3521(data)X 3768(\320)X 3913(the)X 4107(\256rst)X 835 3864(non-input)N 1303(information)X 1857(source)X 2172(listed)X 2446(in)X 2564(section)X 2903(7.1)X 3065(\320)X 3190(is)X 3294(an)X 3435(obvious)X 3798(application)X 835 3972(for)N 995(this)X 1203(method.)X 1626(Less)X 1865(obviously,)X 2344(it)X 2448(can)X 2640(also)X 2853(be)X 2991(used)X 3235(to)X 3357(model)X 3660(other)X 3933(sources,)X 835 4080(such)N 1074(as)X 1205(built-in)X 1568(secret)X 1865(information)X 2422(like)X 
2620(a)X 2706(database)X 3136(or)X 3260(key)X 3449(\(this)X 3685(was)X 3891(the)X 4067(third)X 835 4188(source)N 1148(in)X 1264(the)X 1435(list\).)X 1035 4344(Non-deducibility)N 1808(assumes)X 2224(that)X 2446(the)X 2626(observer)X 3041(knows)X 3361(which)X 3663(system)X 4010(execu-)X 835 4452(tions)N 1088(are)X 1266(possible,)X 1681(together)X 2086(with)X 2321(the)X 2499(values)X 2819(that)X 3039(would)X 3340(be)X 3475(taken)X 3763(by)X 3901(all)X 4047(infor-)X 835 4560(mation)N 1178(functions)X 1621(in)X 1741(each)X 1976(execution.)X 2485(In)X 2615(other)X 2882(words,)X 3207(the)X 3383(observer)X 3794(is)X 3901(assumed)X 835 4668(to)N 971(know)X 1261(how)X 1494(the)X 1689(system)X 2051(is)X 2177(built,)X 2464(in)X 2604(at)X 2745(least)X 3009(enough)X 3383(detail)X 3686(to)X 3821(be)X 3972(able)X 4206(to)X 835 4776(enumerate)N 1366(all)X 1530(possible)X 1935(traces.)X 2309(This)X 2558(assumption)X 3125(is)X 3252(incompatible)X 3875(with)X 4128(any)X 835 4884(secrets)N 1180(in)X 1305(the)X 1485(system)X 1832(construction,)X 2446(and)X 2649(makes)X 2973(it)X 3076(dif\256cult)X 3457(to)X 3577(faithfully)X 4025(model)X 835 4992(built-in)N 1198(sensitive)X 1624(information.)X 2235(An)X 2396(extra)X 2661(input)X 2935(that)X 3155(conceptually)X 3745(removes)X 4147(the)X 835 5100(sensitive)N 1294(information)X 1884(from)X 2158(the)X 2368(system)X 2744(allows)X 3090(modelling)X 3591(such)X 3862(a)X 3980(system)X 835 5208(without)N 1207(rebuilding)X 1692(the)X 1863(basic)X 2114(de\256nition)X 2566(of)X 2673(nondeducibility.)X 1035 5364(Straightforward)N 1788(use)X 1974(of)X 2088(this)X 2293(technique)X 2763(does)X 2994(not)X 3173(appear)X 3515(to)X 3635(be)X 3771(appropriate)X 835 5472(for)N 987(handling)X 1412(the)X 1585(other)X 1849(listed)X 2123(problems.)X 2613(It)X 2718(is)X 2822(tempting)X 3252(to)X 3365(try)X 3524(to)X 3637(use)X 3817(it)X 3912(to)X 4025(model)X 835 5580(the)N 1010(sensitivity)X 1504(resulting)X 1937(from)X 2176(computational)X 2845(value)X 
3118(added,)X 3443(for)X 3598(example)X 4000(by)X 4136(for-)X 835 5688(mally)N 1120(adding)X 1458(an)X 1605(extra)X 1872(external)X 2276(high-level)X 2749(input)X 3024(that)X 3245(does)X 3476(not)X 3655(actually)X 4046(affect)X 186 p %%Page: 186 25 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(186)X 798(-)X 2036(7.)X 2145(Nondeterministic)X 3051(Security)X 3502(Modelling)X 1 f 547 684(the)N 726(output.)X 1110(This)X 1343(can)X 1533(be)X 1670(viewed)X 2013(as)X 2147(injecting)X 2568(high)X 2803(sensitivity)X 3302(into)X 3512(the)X 3692(system)X 547 792(and,)N 780(hopefully,)X 1258(into)X 1471(the)X 1654(output)X 1987(so)X 2118(that)X 2342(it)X 2447(will)X 2650(become)X 3013(consequentially)X 3744(sensi-)X 547 900(tive.)N 795(However,)X 1243(since)X 1496(the)X 1668(output)X 1991(will)X 2184(not)X 2356(be)X 2485(correlated)X 2961(to)X 3074(the)X 3247(extra)X 3508(high)X 3736(input,)X 547 1008(nondeducibility)N 1265(will)X 1461(not)X 1636(be)X 1768(fooled)X 2060(by)X 2195(this)X 2397(type)X 2618(of)X 2728(ploy)X 2942(and)X 3139(will)X 3334(not)X 3508(complain)X 3941(if)X 547 1116(the)N 718(output)X 1040(is)X 1142(disclosed)X 1568(to)X 1680(a)X 1760(low)X 1940(observer.)X 747 1272(This)N 982(dif\256culty)X 1415(may)X 1641(be)X 1779(overcome)X 2230(if)X 2329(the)X 2510(security)X 2904(modeller)X 3329(is)X 3442(permitted)X 3918(to)X 547 1380(be)N 682(a)X 769(little)X 1015(less)X 1216(than)X 1457(honest)X 1786(about)X 2069(the)X 2246(functioning)X 2786(of)X 2899(the)X 3076(modelled)X 3508(subsystem.)X 547 1488(An)N 712(extra)X 981(high-level)X 1456(input)X 1733(is)X 1845(introduced,)X 2386(as)X 2521(before,)X 2857(but)X 3043(now)X 3262(it)X 3366(is)X 3478(used)X 3723(as)X 3859(the)X 547 1596(source)N 864(of)X 975(the)X 1150(data)X 1379(contained)X 1842(in)X 1962(any)X 2156(output)X 2482(events.)X 2855(It)X 2962(is)X 3067(probably)X 3483(appropriate)X 547 1704(to)N 663(still)X 866(trigger)X 1200(the)X 1375(outputs)X 1747(by)X 1883(the)X 2059(occurrence)X 2568(of)X 2680(low-level)X 
3104(inputs,)X 3448(but)X 3629(the)X 3805(data)X 547 1812(in)N 690(the)X 888(outputs)X 1282(\(i.e.)X 1527(the)X 1725(results)X 2086(of)X 2220(the)X 2418(value-added)X 3011(computation)X 3619(that)X 3859(are)X 547 1920(presumably)N 1122(dif\256cult)X 1520(to)X 1658(duplicate\))X 2153(is)X 2281(modelled)X 2733(as)X 2885(originating)X 3430(in)X 3573(the)X 3771(extra)X 547 2028(external)N 957(high-level)X 1436(input.)X 1771(This)X 2010(will)X 2216(result)X 2519(in)X 2649(the)X 2834(output)X 3170(being)X 3451(protected)X 3905(as)X 547 2136(desired.)N 3 f 547 2532(7.8.3.)N 847(Limited)X 1268(Observer)X 1754(Knowledge)X 1 f 747 2688(Nondeducibility)N 1498(assumes)X 1923(that)X 2154(the)X 2343(observer)X 2767(knows)X 3097(all)X 3256(valid)X 3521(traces)X 3836(and)X 547 2796(uses)N 786(this)X 999(information)X 1565(when)X 1848(making)X 2225(deductions.)X 2799(The)X 3011(extra)X 3284(inputs)X 3610(of)X 3731(quasi-)X 547 2904(determinism)N 1146(can)X 1335(get)X 1505(around)X 1856(this)X 2061(limitation)X 2534(in)X 2657(some)X 2917(cases,)X 3212(but)X 3395(not)X 3573(in)X 3696(others.)X 547 3012(Another)N 945(possible)X 1334(approach)X 1778(is)X 1888(to)X 2008(face)X 2219(the)X 2398(problem)X 2794(directly,)X 3192(and)X 3393(to)X 3512(change)X 3859(the)X 547 3120(model)N 840(de\256nition)X 1292(to)X 1404(place)X 1660(limits)X 1944(on)X 2078(the)X 2249(observer's)X 2720(knowledge)X 3218(of)X 3325(the)X 3496(system.)X 747 3276([Marcus88])N 1297(describes)X 1753(a)X 1852(security)X 2254(model)X 2566(which,)X 2906(although)X 3349(it)X 3463(differs)X 3795(from)X 547 3384(nondeducibilty)N 1239(in)X 1363(structure,)X 1839(does)X 2070(explicitly)X 2510(represent)X 2971(limits)X 3262(to)X 3381(the)X 3559(observer's)X 547 3492(knowledge)N 1061(of)X 1184(system)X 1538(operation.)X 2056(Their)X 2343(model)X 2652(is)X 2771(described)X 3235(in)X 3368(terms)X 3670(of)X 3794(vari-)X 547 3600(ables)N 809(and)X 1009(their)X 1259(values,)X 1605(and)X 1805(a)X 1891(generalized)X 
2435(de\256nition)X 2893(of)X 3006(``reading'')X 3458(of)X 3570(variables,)X 547 3708(de\256ned)N 907(in)X 1032([Marcus86],)X 1600(that)X 1823(includes)X 2229(not)X 2410(only)X 2635(direct)X 2928(observation)X 3480(of)X 3597(variables)X 547 3816(but)N 725(also)X 930(any)X 1122(deductions)X 1630(about)X 1909(their)X 2155(contents.)X 2614(In)X 2741([Marcus88])X 3274(this)X 3474(de\256nition)X 3928(is)X 547 3924(summarized)N 1123(as)X 11 s 835 4056(There)N 1134(is)X 1262(an)X 2 f 1424(adversary)X 1 f 1885(observing)X 2337(how)X 2563(a)X 2671(given)X 2951(``open'')X 3276(variable)X 2 f 3669(v)X 1 f 835 4155(``behaves'')N 1282(during)X 1602(the)X 1781(computation)X 2337(of)X 2457(some)X 2711(process.)X 3106(The)X 3309(adversary)X 835 4254(knows)N 1126(some)X 1364(facts)X 1587(about)X 1848(the)X 2011(process,)X 2366(the)X 2529(``public)X 2845(knowledge'')X 3346(K.)X 3497(He)X 3646(is)X 835 4353(trying)N 1121(to)X 1236(deduce)X 1556(additional)X 2009(information)X 2526(about)X 2792(some)X 3035(``protected'')X 3523(vari-)X 835 4452(able)N 2 f 1030(x)X 1 f (,)S 1124(based)X 1383(on)X 2 f 1507(v)X 1 f 1553('s)X 1638(behaviour)X 2072(and)X 2252(the)X 2410(public)X 2685(knowledge.)X 3194(If)X 3285(he)X 3409(can,)X 3602(we)X 835 4551(say)N 1006(that)X 2 f 1210(v)X 1 f 1289(``reads'')X 2 f 1618(x)X 1 f 1695(with)X 1913(respect)X 2238(to)X 2349(K.)X 2501(Some)X 2755(behaviour)X 3196(of)X 2 f 3302(x)X 1 f (,)S 3404(a)X 3486(priori)X 835 4650(consistent)N 1273(with)X 1483(K,)X 1602(is)X 1696(ruled)X 1937(out)X 2094(by)X 2215(the)X 2372(observed)X 2756(behaviour)X 3189(of)X 2 f 3287(v)X 1 f 3333(.)X 12 s 747 4839(A)N 849(similar)X 1198(elaboration)X 1733(of)X 1846(the)X 2023(nondeducibility)X 2743(model)X 3042(may)X 3264(allow)X 3534(us)X 3672(to)X 3791(limit)X 547 4947(the)N 729(observers)X 1191(knowledge)X 1700(of)X 1818(the)X 2000(system.)X 2402(This)X 2637(would)X 2941(enable)X 3269(the)X 3450(modelling)X 3923(of)X 547 5055(systems)N 955(with)X 1208(secret)X 1525(information)X 
2102(incorporated)X 2717(into)X 2944(their)X 3214(structure,)X 3708(as)X 3859(the)X 547 5163(extra)N 823(input)X 1107(technique)X 1587(does,)X 1853(but)X 2045(would)X 2355(not)X 2542(give)X 2765(us)X 2912(the)X 3099(ability)X 3426(to)X 3554(make)X 3840(any)X 547 5271(assertions)N 1035(about)X 1320(the)X 1499(security)X 1890(of)X 2006(that)X 2228(information.)X 2842(So,)X 3013(although)X 3445(we)X 3604(might)X 3902(be)X 547 5379(able)N 786(to)X 925(show)X 1206(that)X 1446(an)X 1612(observer)X 2045(who)X 2281(is)X 2410(ignorant)X 2844(of)X 2978(certain)X 3345(aspects)X 3725(of)X 3859(the)X 547 5487(system's)N 961(construction)X 1550(cannot)X 1887(deduce)X 2233(other)X 2507(high-level)X 2984(information,)X 3574(we)X 3736(would)X 547 5595(not)N 719(be)X 848(able)X 1060(to)X 1173(easily)X 1458(identify)X 1827(the)X 1998(built-in)X 2355(secrets)X 2691(themselves)X 3214(as)X 3339(sensitive)X 3759(infor-)X 547 5703(mation)N 886(and)X 1080(show)X 1334(that)X 1547(they)X 1769(are)X 1940(not)X 2111(compromised.)X 187 p %%Page: 187 26 12 s 0 xH 0 xS 1 f 3 f 835 396(7.8.)N 1026(Prescriptions)X 4008(-)X 4067(187)X 4259(-)X 1 f 1035 684(More)N 1318(attractive)X 1803(uses)X 2053(for)X 2229(this)X 2453(technique)X 2942(are)X 3139(cases)X 3426(where)X 3752(we)X 3928(want)X 4206(to)X 835 792(assume)N 1199(that)X 1414(an)X 1555(observer)X 1963(cannot)X 2291(make)X 2563(a)X 2645(deduction,)X 3135(but)X 3313(where)X 3615(this)X 3815(inability)X 4216(is)X 835 900(due)N 1040(to)X 1168(something)X 1673(other)X 1951(than)X 2202(lack)X 2429(of)X 2553(formally)X 2969(prohibited)X 3471(information.)X 4093(This)X 835 1008(would)N 1133(include,)X 1515(at)X 1636(least,)X 1907(the)X 2082(encryption)X 2586(example)X 2987(in)X 3107(which)X 3403(security)X 3789(depends)X 4184(on)X 835 1116(the)N 1006(extreme)X 1393(dif\256culty)X 1816(of)X 1923(inverting)X 2358(the)X 2529(encryption)X 3029(function.)X 1035 1272(Rather)N 1385(than)X 1634(assuming)X 2102(that)X 2329(the)X 2514(observer)X 2935(knows)X 
3261(whether)X 3672(a)X 3767(given)X 4048(event)X 835 1380(sequence)N 9 f 1269(t)X 1 f 1342(is)X 1448(or)X 1570(is)X 1676(not)X 1851(a)X 1935(system)X 2277(trace,)X 2559(let)X 2705(us)X 2839(suppose)X 3224(that)X 3440(there)X 3705(exists)X 3991(a)X 4074(\256lter)X 835 1488(function)N 3 f 1230(f)X 1 f 1295(\(similar)X 1671(to)X 1784(the)X 3 f 1957(h)X 1 f 2052(function)X 2448(encountered)X 3024(before\))X 3357(that)X 3572(edits)X 3816(sequences,)X 835 1596(removing)N 1286(the)X 1466(parts)X 1735(that)X 1957(correspond)X 2480(to)X 2601(knowledge)X 3108(the)X 3287(observer)X 3701(does)X 3932(not)X 4111(pos-)X 835 1704(sess.)N 1104(Then,)X 1393(given)X 1664(an)X 1808(event)X 2084(sequence)X 2 f 2520(s)X 1 f 2563(,)X 2623(the)X 2800(observer)X 3212(believes)X 3598(it)X 3698(to)X 3816(be)X 3950(a)X 4036(possi-)X 835 1812(ble)N 993(trace)X 1244(iff)X 2 f 9 f 2133 1968($)N 1 f 9 f 2202(t)X 2 f 10 s 9 f 2271(\316)X 12 s 2 f 2355(T)X 1 f 2456(:)X 3 f 2537(f)X 1 f 2574(\()X 2 f 2606(s)X 1 f 2657(\))X 2 f 9 f 2743(=)X 3 f 2850(f)X 1 f 2887(\()X 9 f 2919(t)X 1 f 2961(\))X 835 2124(Let)N 2 f 1012(S)X 1 f 1104(be)X 1233(the)X 1405(set)X 1564(of)X 1673(such)X 1908(sequences,)X 2412(which)X 2707(we)X 2859(will)X 3053(also)X 3258(call)X 2 f 3443(plausible)X 3876(traces)X 1 f 4137(.)X 4220(If)X 3 f 835 2232(f)N 1 f 899(represents)X 1397(a)X 1477(restriction)X 1967(on)X 2101(knowledge,)X 2626(then)X 2 f 2856(S)X 1 f 2947(will)X 3139(be)X 3267(a)X 3347(proper)X 3666(superset)X 4073(of)X 2 f 4180(T)X 1 f 4246(.)X 1035 2388(This)N 1278(affects)X 1613(how)X 1840(the)X 2029(observer)X 2453(can)X 2653(make)X 2941(deductions.)X 3520(If)X 3637(we)X 3806(denote)X 4147(the)X 835 2496(secret)N 1138(and)X 1344(observable)X 1855(information)X 2417(functions)X 2867(as)X 3003(``secret'')X 3385(and)X 3590(``visible'',)X 4022(repec-)X 835 2604(tively,)N 1155(then)X 1404(his)X 2 f 1584(a)X 1685(priori)X 1 f 1984(knowledge)X 2501(about)X 2797(the)X 2987(secret)X 3298(information)X 3869(is)X 3991(that)X 
4224(it)X 835 2712(must)N 1099(be)X 1238(compatible)X 1758(with)X 1997(some)X 2261(plausible)X 2702(trace.)X 3018(That)X 3268(is,)X 3407(it)X 3511(must)X 3774(be)X 3912(secret\()X 2 f 4208(s)X 1 f 4259(\))X 835 2820(for)N 985(some)X 2 f 1238(s)X 1 f 2 f 10 s 9 f 1316(\316)X 1 f 12 s 2 f 1400(S)X 1 f 1464(.)X 1035 2976(In)N 1172(a)X 1264(particular)X 1749(execution)X 9 f 2211(t)X 9 s 1 f 2253 2995(0)N 12 s 2301 2976(,)N 2368(the)X 2552(observer)X 2971(sees)X 3197(visible\()X 9 f 3516(t)X 9 s 1 f 3558 2995(0)N 12 s 3606 2976(\))N 3678(and)X 3885(therefore)X 835 3084(knows)N 1169(that)X 1405(he)X 1561(must)X 1836(be)X 1986(experiencing)X 2600(a)X 2702(plausible)X 3154(trace)X 2 f 3427(s)X 1 f 3519(with)X 3769(that)X 4004(visible)X 835 3192(behaviour,)N 1340(visible\()X 2 f 1659(s)X 1 f 1710(\))X 2 f 9 f 1796(=)X 1 f 1903(visible\()X 9 f 2222(t)X 9 s 1 f 2264 3211(0)N 12 s 2312 3192(\),)N 2405(but)X 2588(in)X 2711(general)X 3077(there)X 3346(are)X 3524(many)X 3806(such)X 2 f 4046(s)X 1 f 4124(and)X 835 3300(he)N 979(does)X 1212(not)X 1393(know)X 1668(which)X 1970(of)X 2086(them)X 2351(is)X 2462(the)X 2642(actual)X 2953(current)X 3321(trace.)X 3635(He)X 3799(may)X 4024(there-)X 835 3408(fore)N 1033(deduce)X 1368(only)X 1583(that)X 1796(the)X 1967(secret)X 2258(information)X 2809(has)X 2993(the)X 3164(value)X 1295 3564(secret\()N 9 f 1591(t)X 9 s 1 f 1633 3583(0)N 12 s 1681 3564(\))N 2 f 10 s 9 f 1767(\316)X 1 f 12 s 1878({)X 1937(secret\()X 2 f 2233(s)X 1 f 2284(\))X 9 f 2386(|)X 2 f 2475(s)X 10 s 9 f 2553(\316)X 12 s 2 f 2637(S)X 9 f 2736(\331)X 1 f 2821(visible\()X 2 f 3140(s)X 1 f 3191(\))X 2 f 9 f 3250(=)X 1 f 3330(visible\()X 9 f 3649(t)X 9 s 1 f 3691 3583(0)N 12 s 3739 3564(\))N 3798(})X 1035 3768(For)N 1217(the)X 1388(system)X 1726(to)X 1838(be)X 1966(secure,)X 2306(there)X 2568(must)X 2821(be)X 2950(no)X 3085(extra)X 3345(knowledge)X 3844(gained)X 4168(for)X 835 3876(any)N 1025(value)X 1293(of)X 9 f 1400(t)X 9 s 1 f 1442 3895(0)N 12 s 1490 3876(.)N 1571(That)X 
1811(is,)X 1940(for)X 2090(all)X 9 f 2230(t)X 9 s 1 f 2272 3895(0)N 12 s 2 f 10 s 9 f 2347 3876(\316)N 1 f 12 s 2 f 2431(T)X 1 f 2497(,)X 2551(it)X 2645(must)X 2898(be)X 3026(the)X 3197(case)X 3413(that)X 1137 4032({)N 1196(secret\()X 2 f 1492(s)X 1 f 1543(\))X 9 f 1618(|)X 2 f 1680(s)X 10 s 9 f 1747(\316)X 12 s 2 f 1820(S)X 1 f 1919(})X 2 f 9 f 2005(=)X 1 f 2112({)X 2171(secret\()X 2 f 2467(s)X 1 f 2518(\))X 9 f 2593(|)X 2 f 2655(s)X 10 s 9 f 2722(\316)X 12 s 2 f 2795(S)X 9 f 2894(\331)X 1 f 2979(visible\()X 2 f 3298(s)X 1 f 3349(\))X 2 f 9 f 3408(=)X 1 f 3488(visible\()X 9 f 3807(t)X 9 s 1 f 3849 4051(0)N 12 s 3897 4032(\))N 3956(})X 835 4188(which)N 1128(is)X 1230(equivalent)X 1725(to)X 2 f 9 f 1132 4344(")N 1 f 9 f 1201(t)X 2 f 10 s 9 f 1243(\316)X 12 s 2 f 1300(T)X 1 f 1382(:)X 2 f 9 f 1436(")X 2 f 1505(s)X 10 s 9 f 1556(\316)X 12 s 2 f 1613(S)X 1 f 1693(:)X 2 f 9 f 1747($)X 1 f 9 f 1800(w)X 2 f 10 s 9 f 1866(\316)X 12 s 2 f 1923(S)X 1 f 2003(:)X 2084(visible\()X 9 f 2403(w)X 1 f 2469(\))X 2 f 9 f 2528(=)X 1 f 2608(visible\()X 9 f 2927(t)X 1 f 2969(\))X 2 f 9 f 3028(\331)X 1 f 3113(secret\()X 9 f 3409(w)X 1 f 3475(\))X 2 f 9 f 3534(=)X 1 f 3614(secret\()X 2 f 3910(s)X 1 f 3961(\))X 835 4500(This)N 1076(is)X 1194(identical)X 1622(to)X 1750(the)X 1938(original)X 2326(nondeducibility)X 3057(requirement)X 3654(except)X 3980(for)X 4147(the)X 835 4608(substitutions)N 1448(of)X 1557(plausible)X 1989(traces)X 2 f 2287(S)X 1 f 2380(for)X 2532(actual)X 2836(traces)X 2 f 3134(T)X 1 f 3229(in)X 3346(the)X 3518(quanti\256cations)X 4211(of)X 2 f 835 4716(s)N 1 f 905(and)X 9 f 1099(w)X 1 f 1165(.)X 1035 4872(This)N 1269(de\256nition)X 1730(can)X 1921(be)X 2058(explained)X 2524(in)X 2650(English)X 3030(as)X 3165(follows:)X 3537(the)X 3718(observer)X 4134(has)X 835 4980(some)N 2 f 1098(a)X 1190(priori)X 1 f 1479(knowledge)X 1986(about)X 2272(what)X 2532(secret)X 2832(behaviour)X 3312(is)X 3423(possible)X 3813(in)X 3938(the)X 4118(sys-)X 835 5088(tem,)N 1076(although)X 
1516(because)X 1909(his)X 2087(knowledge)X 2602(of)X 2726(the)X 2914(system)X 3269(itself)X 3536(is)X 3656(incomplete)X 4184(he)X 835 5196(considers)N 1296(some)X 1567(high-level)X 2049(behaviour)X 2537(to)X 2666(be)X 2811(possible)X 3209(when,)X 3521(in)X 3654(fact,)X 3890(it)X 4001(is)X 4120(not.)X 835 5304(The)N 1033(system)X 1371(is)X 1473(secure)X 1786(if,)X 1903(in)X 2020(every)X 2289(possible)X 2671(trace)X 2923(of)X 3031(the)X 3203(system,)X 3569(his)X 3731(observations)X 835 5412(are)N 1015(compatible)X 1533(\(as)X 1698(far)X 1861(as)X 1994(he)X 2136(knows\))X 2487(with)X 2723(all)X 2871(of)X 2986(the)X 3165(presumed)X 3638(possible)X 4027(secret)X 835 5520(behaviours.)N 188 p %%Page: 188 27 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(188)X 798(-)X 2036(7.)X 2145(Nondeterministic)X 3051(Security)X 3502(Modelling)X 1 f 747 684(Consider)N 1176(the)X 1352(public-key)X 1842(encryption)X 2348(module)X 2706(diagrammed)X 3297(in)X 3419(\256gure)X 3712(7.1.)X 3932(If)X 547 792(the)N 737(high-level)X 1221(plaintext)X 1667(is)X 1788(values)X 2120(from)X 2374(set)X 2 f 2550(P)X 1 f 2614(,)X 2686(the)X 2875(key)X 3076(from)X 3329(set)X 2 f 3504(K)X 1 f 3575(,)X 3647(and)X 3859(the)X 547 900(ciphertext)N 1042(from)X 2 f 1295(C)X 1 f 1364(,)X 1436(we)X 1604(may)X 1838(represent)X 2309(a)X 2407(``trace'')X 2756(of)X 2881(this)X 3097(machine)X 3519(as)X 3662(a)X 3760(triple)X 2 f 9 f 547 1008(\341)N 1 f 2 f 606(p)X 1 f 661(,)X 2 f 696(k)X 1 f 749(,)X 2 f 784(c)X 1 f 2 f 9 f 862(\361)X 1 f 894(.)X 975(The)X 1173(set)X 1330(of)X 1437(traces)X 1733(is,)X 1862(therefore,)X 2 f 629 1164(T)N 9 f 757(=)X 1 f 864({)X 2 f 9 f 896(\341)X 2 f 928(p)X 1 f 9 s 995 1183(1)N 12 s 1043 1164(,)N 2 f 1078(k)X 9 s 1131 1183(a)N 1 f 12 s 1180 1164(,)N 2 f 1215(crypt)X 1 f 1454(\()X 2 f 1486(p)X 1 f 9 s 1553 1183(1)N 12 s 1601 1164(,)N 2 f 1636(k)X 9 s 1689 1183(a)N 1 f 12 s 1738 1164(\))N 2 f 9 f 1770(\361)X 1 f 1802(,)X 2 f 9 f 1837(\341)X 2 f 1869(p)X 1 f 9 s 1936 1183(2)N 12 s 1984 1164(,)N 2 
f 2019(k)X 9 s 2072 1183(b)N 1 f 12 s 2120 1164(,)N 2 f 2155(crypt)X 1 f 2394(\()X 2 f 2426(p)X 1 f 9 s 2493 1183(2)N 12 s 2541 1164(,)N 2 f 2576(k)X 9 s 2629 1183(b)N 1 f 12 s 2677 1164(\))N 2 f 9 f 2709(\361)X 1 f 2741(,)X 2 f 9 f 2776(\341)X 2 f 2808(p)X 1 f 9 s 2875 1183(3)N 12 s 2923 1164(,)N 2 f 2958(k)X 9 s 3011 1183(c)N 1 f 12 s 3051 1164(,)N 2 f 3086(crypt)X 1 f 3325(\()X 2 f 3357(p)X 1 f 9 s 3424 1183(3)N 12 s 3472 1164(,)N 2 f 3507(k)X 9 s 3560 1183(c)N 1 f 12 s 3600 1164(\))N 2 f 9 f 3632(\361)X 1 f 3664(,)X 3726 1136(.)N 3780(.)X 3834(.)X 3888 1164(})N 547 1320(If)N 653(we)X 811(wish)X 1055(to)X 1175(express)X 1545(the)X 1724(notion)X 2040(that)X 2261(the)X 2440(observer)X 2854(cannot)X 3188(invert)X 3492(the)X 3672(encryp-)X 547 1428(tion)N 748(function,)X 1169(we)X 1319(can)X 1501(de\256ne)X 1797(the)X 1968(set)X 2125(of)X 2232(plausible)X 2662(traces)X 2958(as)X 2 f 1963 1584(S)N 9 f 2089(=)X 2 f 2196(P)X 1 f 9 f 2284(\264)X 2 f 2353(K)X 1 f 9 f 2448(\264)X 2 f 2517(C)X 1 f 547 1740(which)N 846(says)X 1074(that)X 1294(the)X 1472(observer)X 1885(believes)X 2272(that)X 2492(any)X 2689(ciphertext)X 3174(may)X 3397(correspond)X 3918(to)X 547 1848(any)N 761(combination)X 1357(of)X 1488(plaintext)X 1939(and)X 2157(key.)X 2418(The)X 2640(security)X 3047(de\256nition)X 3523(is)X 3648(trivially)X 547 1956(satis\256ed)N 946(by)X 1077(this)X 1275(system.)X 747 2112(This)N 980(limited-knowledge)X 1833(nondeducibility)X 2555(de\256nition)X 3015(not)X 3195(only)X 3419(prevents)X 3841(dis-)X 547 2220(closure)N 893(of)X 1003(the)X 1177(secret)X 1470(activity,)X 1858(it)X 1954(also)X 2159(prohibits)X 2588(the)X 2761(observer)X 3169(from)X 3406(learning)X 3808(any-)X 547 2328(thing)N 835(more)X 1111(about)X 1414(the)X 1611(system.)X 2029(A)X 2151(security)X 2560(violation)X 2999(is)X 3127(considered)X 3654(to)X 3792(have)X 547 2436(occurred)N 987(if)X 1107(the)X 1309(observer)X 1746(can,)X 1985(from)X 2250(an)X 2419(observation,)X 3018(rule)X 3255(out)X 3456(some)X 
3739(secret)X 547 2544(behaviour)N 1025(that)X 1245(was)X 1452(initially)X 1836(believed)X 2233(possible,)X 2648(including)X 3098(cases)X 3366(where)X 3673(the)X 3852(ini-)X 547 2652(tial)N 724(belief)X 992(resulted)X 1384(from)X 1619(ignorance)X 2080(about)X 2357(the)X 2528(system)X 2866(operation.)X 747 2808(The)N 953(drawbacks)X 1466(of)X 1582(this)X 1789(method)X 2157(are,)X 2364(\256rstly,)X 2692(that)X 2914(it)X 3017(is)X 3128(not)X 3308(intuitively)X 3806(easy)X 547 2916(to)N 674(apply,)X 987(and)X 1196(secondly,)X 1644(that)X 1872(it)X 1981(does)X 2219(not)X 2405(accurately)X 2907(represent)X 3374(the)X 3559(observer's)X 547 3024(knowledge)N 1059(about)X 1350(the)X 1535(system.)X 1941(These)X 2247(result)X 2551(from)X 2801(the)X 2987(fact)X 3194(that)X 3422(the)X 3608(essential)X 547 3132(structure)N 999(of)X 1117(nondeducibility)X 1841(is)X 1953(unchanged,)X 2503(and)X 2707(the)X 2888(model)X 3191(still)X 3400(assumes)X 3817(that)X 547 3240(any)N 752(function)X 1161(known)X 1501(by)X 1647(the)X 1834(observer)X 2256(can)X 2454(be)X 2598(inverted)X 3012(by)X 3159(him.)X 3430(Thus,)X 3727(in)X 3859(the)X 547 3348(encryptor)N 1018(example,)X 1459(when)X 1744(we)X 1911(wanted)X 2282(to)X 2411(express)X 2790(the)X 2978(idea)X 3208(that)X 3437(the)X 3624(observer)X 547 3456(could)N 810(not)X 982(invert)X 1278(the)X 1450(encryption)X 1951(function,)X 2373(it)X 2468(was)X 2670(necessary)X 3134(to)X 3248(also)X 3453(assume)X 3817(that)X 547 3564(he)N 703(could)X 987(not)X 1180(work)X 1452(it)X 1568(in)X 1706(the)X 1899(forward)X 2297(direction)X 2739(either.)X 3107(This)X 3353(is)X 3476(a)X 3577(confusing)X 10 f 547 3768(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh)N 1 f 1207 4359(Plaintext)N 1280 4575(\(high\))N 1123 4448 MXY 576 0 Dl 1641 4462 MXY 57 -14 Dl 1641 4433 MXY 57 14 Dl 1699 4736 MXY 0 -576 Dl 576 144 Dl 2260 4246 MXY 14 57 Dl 2289 4246 MXY -14 57 Dl 4304 MY 0 -288 Dl 2404 4125(Key)N 2383 4233(\(low\))N 2275 4304 MXY 576 144 
Dl -1152 288 Dl 2901 4359(Ciphertext)N 3031 4575(\(low\))N 2851 4448 MXY 576 0 Dl 3369 4462 MXY 57 -14 Dl 3369 4433 MXY 57 14 Dl 1325 4952(Figure)N 1647(7.1:)X 1834(Public-Key)X 2346(Encryption)X 2867(Module.)X 10 f 547 5276(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh)N 189 p %%Page: 189 28 12 s 0 xH 0 xS 10 f 3 f 835 396(7.8.)N 1026(Prescriptions)X 4008(-)X 4067(189)X 4259(-)X 1 f 835 684(characteristic)N 1469(and)X 1663(may)X 1879(make)X 2149(the)X 2320(model)X 2613(dif\256cult)X 2985(to)X 3097(apply.)X 1035 840(Alternatively,)N 1691(a)X 1787(version)X 2155(of)X 2279(the)X 2467(extra)X 2743(input)X 3027(technique)X 3507(may)X 3740(be)X 3885(useful)X 4202(in)X 835 948(representing)N 1429(this)X 1628(situation.)X 2108(Instead)X 2472(of)X 2580(using)X 2852(the)X 3024(limited)X 3367(knowledge)X 3866(de\256nition)X 835 1056(of)N 948(nondeducibility,)X 1696(we)X 1853(may)X 2076(use)X 2262(the)X 2440(standard)X 2874(de\256nition,)X 3360(and)X 3561(a)X 3648(external)X 4051(input)X 835 1164(may)N 1052(be)X 1181(introduced)X 1686(in)X 1803(the)X 1975(system)X 2314(de\256nition)X 2767(but)X 2944(not)X 3116(included)X 3523(in)X 3640(either)X 3932(the)X 4103(visi-)X 835 1272(ble)N 1000(or)X 1125(secret)X 1423(information)X 1981(functions.)X 2482(It)X 2593(can)X 2783(then)X 3021(be)X 3157(used)X 3399(as)X 3532(the)X 3711(source)X 4032(of)X 4147(the)X 835 1380(encryptor's)N 1355(output)X 1678(data,)X 1931(so)X 2052(that)X 2266(for)X 2417(the)X 2589(purposes)X 3015(of)X 3123(the)X 3295(model)X 3589(the)X 3761(encryptor)X 4216(is)X 835 1488(considered)N 1342(to)X 1460(ignore)X 1772(its)X 1917(plaintext)X 2351(and)X 2552(key)X 2742(inputs)X 3061(and)X 3262(simply)X 3592(repeat)X 3910(its)X 4056(other)X 835 1596(input.)N 1161(This)X 1391(has)X 1580(the)X 1755(same)X 2017(effect)X 2288(as)X 2417(the)X 2592(previous)X 3002(exercise,)X 3416(since)X 3672(the)X 3847(observer's)X 835 1704(ability)N 1155(to)X 1277(relate)X 1573(inputs)X 1895(and)X 
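The three verdicts discussed above (ordinary nondeducibility on the encryptor, the limited-knowledge variant with $S = P \times K \times C$, and the extra-input alternative), worked as an added Python example that is not code from the report. Everything in it is an assumption chosen so that the trace sets are finite: four-symbol alphabets for $P$, $K$ and $C$; a constructed stand-in for the encryption function (modular addition, not a real cipher); and the names crypt, secret, visible, deducible and nondeducibility_secure, which are the example's own rather than the report's notation.

```python
"""Nondeducibility checks on a toy model of the public-key encryption module.

Added example, not code from the original report. It implements the
limited-knowledge definition (plausible traces S in place of actual traces T)
and the extra-input alternative, over constructed finite alphabets and a
constructed toy cipher so that every set can be enumerated exhaustively.
"""
from itertools import product

# Constructed alphabets: plaintext P (high), key K (low), ciphertext C (low).
P = range(4)
K = range(4)
C = range(4)


def crypt(p, k):
    """Constructed stand-in for the encryption function: modular addition.
    Chosen only so that T is finite; it is not a real cipher."""
    return (p + k) % 4


# Actual traces T = { <p, k, crypt(p, k)> }, mirroring the report's T.
T = frozenset((p, k, crypt(p, k)) for p in P for k in K)

# Plausible traces S = P x K x C for an observer who cannot invert crypt:
# any ciphertext may correspond to any plaintext/key combination.
S_limited = frozenset(product(P, K, C))


def secret(trace):
    """Secret information function: the high-level plaintext."""
    return trace[0]


def visible(trace):
    """Visible information function: the low-level key and ciphertext."""
    return (trace[1], trace[2])


def a_priori(S, secret_fn):
    """{ secret(s) | s in S }: secret behaviours the observer believes possible."""
    return frozenset(secret_fn(s) for s in S)


def deducible(tau0, S, secret_fn, visible_fn):
    """{ secret(s) | s in S and visible(s) = visible(tau0) }: the secret
    behaviours still possible after the observer sees visible(tau0)."""
    return frozenset(secret_fn(s) for s in S if visible_fn(s) == visible_fn(tau0))


def nondeducibility_secure(T, S, secret_fn, visible_fn):
    """The condition from the text: for every tau0 in T the a priori set and
    the deducible set coincide (equivalently, for all tau in T and s in S
    there is w in S with visible(w) = visible(tau) and secret(w) = secret(s)).
    S = T gives ordinary nondeducibility; a superset S gives the
    limited-knowledge variant."""
    prior = a_priori(S, secret_fn)
    return all(deducible(tau0, S, secret_fn, visible_fn) == prior for tau0 in T)


# Extra-input alternative: a fourth component e, an external input that is in
# neither information function, is the source of the output, so the modelled
# encryptor ignores p and k and simply repeats e.
T_extra = frozenset((p, k, e, e) for p in P for k in K for e in C)


def visible_extra(trace):
    """Key and the emitted output; the external input e itself is in neither
    the secret nor the visible function."""
    return (trace[1], trace[3])


def verdicts():
    """Return the three security verdicts discussed in the text."""
    return {
        "standard": nondeducibility_secure(T, T, secret, visible),
        "limited_knowledge": nondeducibility_secure(T, S_limited, secret, visible),
        "extra_input": nondeducibility_secure(T_extra, T_extra, secret, visible_extra),
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name}: {'secure' if ok else 'INSECURE'}")
    # With S = T the observer, who knows crypt and sees the key, pins down p:
    tau0 = (1, 2, crypt(1, 2))
    print("after seeing", visible(tau0), "the plaintext must be in",
          sorted(deducible(tau0, T, secret, visible)))
```

Under the standard definition every trace is a violation: the key is visible and the observer is assumed able to run crypt in either direction, so the deducible set collapses to a single plaintext. Replacing $T$ by $S = P \times K \times C$ makes the deducible set equal to the a priori set for every observation, which is the "trivially satisfied" outcome, and it does so by denying the observer even the forward direction of crypt, exactly the drawback noted above. The extra-input model reaches the same verdict with the ordinary definition because the output is no longer a function of the plaintext at all.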
7.8.4. Variable Sensitivity

Identifying the sensitivity of information can be a difficult task. The conventional method of assuming that whatever is received over a high-labelled input is high is adequate if overclassification is not critical, but fails to properly model information in composed systems and breaks down entirely if downgrading is to be addressed in the model.

Nondeducibility offers unlimited discretion in the classification of information. Information functions are conveniently thought of as extracting particular bits from an event trace, but they do not necessarily have to take the form of filters. All that is necessary for the theory to work correctly is that the results of applying an information function to two executions should be equal if and only if the ``information'' of interest in those two executions is also equal. Whether or not this freedom can be of practical use is not yet clear, but at least in principle there is no bar to defining the ``secret'' and ``visible'' functions in any way we see fit.

The simplest test for inclusion in the ``secret'' function is to include all events occurring on high-level input ports. In the model of [Thomson88], where events were more complex and capable of containing both inputs and outputs, the h function was introduced to extract the input components from a composite event. More involved definitions may be necessary to handle downgrading.

One approach is to define a classification function that maps information onto classification levels. [Sutherland89] does this for entire events. The
835 5100(function)N 1242(he)X 1389(uses)X 1626(takes)X 1906(into)X 2120(account)X 2502(the)X 2686(context)X 3049(of)X 3169(the)X 3353(event,)X 3663(permitting)X 4179(an)X 835 5208(event's)N 1171(classi\256cation)X 1774(to)X 1887(be)X 2016(different)X 2428(in)X 2545(different)X 2957(traces)X 3254(or)X 3373(at)X 3490(different)X 3901(points)X 4202(in)X 835 5316(the)N 1006(same)X 1264(trace.)X 1569(In)X 1694(particular,)X 2194(since)X 2446(an)X 2585(execution)X 3035(viewed)X 3370(at)X 3488(different)X 3900(points)X 4202(in)X 835 5424(time)N 1091(is)X 1222(just)X 1446(a)X 1554(set)X 1739(of)X 1874(traces)X 2198(that)X 2439(are)X 2638(pre\256xes)X 3042(of)X 3177(one)X 3387(another,)X 3816(an)X 3983(event's)X 835 5532(classi\256cation)N 1448(can)X 1641(change)X 1992(over)X 2220(time)X 2459(or)X 2589(in)X 2717(response)X 3147(to)X 3271(other)X 3545(events)X 3872(occurring)X 835 5640(later)N 1073(in)X 1189(the)X 1360(execution)X 1810(\(eg.)X 1995(downgrading)X 2601(commands\).)X 190 p %%Page: 190 29 12 s 0 xH 0 xS 1 f 3 f 547 396(-)N 606(190)X 798(-)X 2036(7.)X 2145(Nondeterministic)X 3051(Security)X 3502(Modelling)X 1 f 747 684(Sutherland's)N 1367(scheme)X 1747(needs)X 2054(enhancement)X 2704(in)X 2845(order)X 3135(to)X 3273(properly)X 3699(handle)X 547 792(downgrading,)N 1182(since)X 1436(it)X 1531(is)X 1634(not)X 1806(always)X 2141(appropriate)X 2689(to)X 2802(consider)X 3201(an)X 3341(entire)X 3634(event)X 3905(as)X 547 900(being)N 845(at)X 992(a)X 1102(single)X 1422(sensitivity)X 1942(level.)X 2260(It)X 2393(may)X 2639(also)X 2872(be)X 3030(useful)X 3360(to)X 3503(distinguish)X 547 1008(between)N 952(the)X 1133(cases)X 1404(of)X 1521(downgrading)X 2137(in)X 2262(which)X 2564(the)X 2744(sensitivity)X 3243(of)X 3359(some)X 3621(informa-)X 547 1116(tion)N 768(is)X 890(initially)X 1287(overestimated)X 1962(\(eg.)X 2194(sanitizing\))X 2713(and)X 2927(those)X 3211(where)X 3532(it)X 3647(actually)X 547 1224(drops.)N 747 1380(First,)N 1027(we)X 1184(need)X 1428(templates)X 
1900(for)X 2057(the)X 2236(``secret'')X 2615(and)X 2817(``visible'')X 3219(information)X 3778(func-)X 547 1488(tions)N 799(that)X 1018(will)X 1216(allow)X 1485(us)X 1622(to)X 1740(separate)X 2155(the)X 2332(different)X 2748(aspects)X 3106(of)X 3218(an)X 3362(execution)X 3817(that)X 547 1596(may)N 772(have)X 1019(different)X 1439(sensitivities.)X 2064(Consider)X 2497(the)X 2677(system)X 3024(diagrammed)X 3618(in)X 3743(\256gure)X 547 1704(7.2.)N 764(In)X 892(the)X 1066(subsystem)X 1564(on)X 1701(the)X 1875(left,)X 2079(a)X 2162(Con\256dential-level)X 2977(user)X 3201(enters)X 3510(data)X 3737(which)X 547 1812(is)N 663(reviewed)X 1102(by)X 1247(another)X 1635(user)X 1871(running)X 2272(at)X 2403(Secret)X 2723(level.)X 3025(This)X 3264(user)X 3500(marks)X 3825(por-)X 547 1920(tions)N 821(of)X 956(the)X 1155(data)X 1408(as)X 1561(``selected'',)X 2077(and)X 2299(at)X 2444(various)X 2828(times)X 3128(during)X 3480(the)X 3678(day)X 3891(an)X 547 2028(Unclassi\256ed-level)N 1376(operator)X 1796(issues)X 2113(a)X 2211(``copy-selected'')X 2919(command)X 3392(which)X 3704(dumps)X 547 2136(all)N 690(of)X 800(the)X 974(selected)X 1358(data)X 1586(\(which)X 1914(the)X 2088(U-user)X 2423(does)X 2649(not)X 2823(see\))X 3026(over)X 3246(to)X 3361(the)X 3535(subsystem)X 547 2244(on)N 695(the)X 880(right.)X 1195(The)X 1407(second)X 1746(subsystem)X 2255(has)X 2454(observers)X 2920(at)X 3052(all)X 3207(three)X 3484(levels.)X 3832(The)X 547 2352(question)N 956(we)X 1109(wish)X 1347(to)X 1461(answer)X 1813(is)X 1917(how)X 2128(to)X 2242(characterise)X 2816(the)X 2989(sensitivity)X 3481(of)X 3590(the)X 3763(input)X 547 2460(to)N 663(the)X 838(right-hand)X 1347(subsystem)X 1846(to)X 1962(accurately)X 2453(represent)X 2910(which)X 3208(aspects)X 3566(of)X 3678(it)X 3777(must)X 547 2568(be)N 676(hidden)X 1010(from)X 1246(each)X 1477(of)X 1585(the)X 1757(three)X 2020(observers.)X 2526(Initially,)X 2940(we)X 3091(will)X 3284(assume)X 3646(that)X 3859(the)X 547 2676(data)N 781(entered)X 
1155(is)X 1266(actually)X 1658(Con\256dential,)X 2268(and)X 2471(that)X 2694(the)X 2875(selector)X 3254(is)X 3366(actually)X 3759(using)X 547 2784(Secret-level)N 1092(information)X 1643(to)X 1755(make)X 2025(his)X 2186(selections.)X 747 2940(If)N 862(we)X 1029(consider)X 1444(an)X 1600(execution)X 2067(trace)X 2335(of)X 2460(the)X 2649(right-hand)X 3172(component,)X 3726(it)X 3838(will)X 547 3048(contain)N 926(several)X 1294(input)X 1584(events)X 1922(of)X 2052(the)X 2246(form)X 2 f 9 f 2503(\341)X 2 f 2551(c)X 9 f 2610(-)X 2 f 2663(data)X 9 f 2890(\361)X 1 f 2922(.)X 3025(It)X 3150(may)X 3388(be)X 3538(argued)X 3896(on)X 547 3156(intuitive)N 964(grounds)X 1360(that)X 1582(the)X 1762(data)X 1996(is)X 2107(Con\256dential,)X 2717(since)X 2978(its)X 3126(original)X 3507(source)X 3830(was)X 10 f 547 3360(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh)N 10 s 1 f 993 4095("copy-selected")N 12 s 1228 4311(U)N 979 4184 MXY 576 0 Dl 1497 4198 MXY 57 -14 Dl 1497 4169 MXY 57 14 Dl 1555 4472 MXY 0 -576 Dl 576 0 Dl 0 576 Dl -576 0 Dl 1828 3838 MXY 14 57 Dl 1857 3838 MXY -14 57 Dl 3896 MY 0 -288 Dl 10 s 1874 3717("data")N 12 s 1953 3825(C)N 1857 4529 MXY -14 -57 Dl 1828 4529 MXY 14 -57 Dl 1843 MX 0 288 Dl 10 s 1852 4581("select")N 12 s 1957 4689(S)N 2272 4095(output)N 2248 4311(MIXED)N 2131 4184 MXY 576 0 Dl 2649 4198 MXY 57 -14 Dl 2649 4169 MXY 57 14 Dl 2707 4472 MXY 0 -576 Dl 576 0 Dl 0 576 Dl -576 0 Dl 3388 3976(U)N 3283 4011 MXY 288 0 Dl 3513 4025 MXY 57 -14 Dl 3513 3996 MXY 57 14 Dl 3393 4149(C)N 3283 4184 MXY 288 0 Dl 3513 4198 MXY 57 -14 Dl 3513 4169 MXY 57 14 Dl 3397 4321(S)N 3283 4356 MXY 288 0 Dl 3513 4371 MXY 57 -14 Dl 3513 4342 MXY 57 14 Dl 1292 4976(Figure)N 1614(7.2:)X 1801(Signal)X 2111(with)X 2339(Complex)X 2752(Sensitivity.)X 10 f 547 5300(hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh)N 191 p %%Page: 191 30 12 s 0 xH 0 xS 10 f 3 f 835 396(7.8.)N 1026(Prescriptions)X 4008(-)X 4067(191)X 4259(-)X 1 f 835 
684(that)N 1084(level,)X 1381(but)X 1593(it)X 1723(may)X 1975(not)X 2182(be)X 2347(immediately)X 2963(clear)X 3244(what,)X 3559(if)X 3685(any,)X 3939(are)X 4147(the)X 835 792(Unclassi\256ed)N 1407(and)X 1601(Secret)X 1907(parts)X 2167(of)X 2274(the)X 2445(signal.)X 1035 948(The)N 1234(key)X 1418(is)X 1521(to)X 1634(consider)X 2033(what)X 2285(kind)X 2514(of)X 2622(control)X 2958(is)X 3061(exercised)X 3500(over)X 3718(the)X 3890(signal)X 4187(by)X 835 1056(each)N 1069(source.)X 1439(The)X 1640(Unclassi\256ed)X 2215(operator)X 2620(triggers)X 2998(the)X 3172(input)X 3442(event,)X 3742(but)X 3921(does)X 4147(not)X 835 1164(control)N 1180(the)X 1361(contents,)X 1801(so)X 1931(it)X 2036(should)X 2370(be)X 2509(permissible)X 3059(for)X 3220(the)X 3402(U-observer)X 3929(to)X 4052(know)X 835 1272(when)N 1106(the)X 1280(inputs)X 1595(occur)X 1861(but)X 2040(not)X 2213(to)X 2327(know)X 2595(what)X 2848(they)X 3072(transmit.)X 3544(The)X 3744(Con\256dential)X 835 1380(input)N 1113(supplies)X 1518(data)X 1754(but)X 1942(does)X 2177(not)X 2360(select)X 2650(it,)X 2783(so)X 2915(the)X 3098(Con\256dential)X 3684(observer)X 4102(may)X 835 1488(see)N 1019(the)X 1205(data)X 1445(only)X 1675(if)X 1779(viewing)X 2165(it)X 2274(does)X 2512(not)X 2698(disclose)X 3084(any)X 3289(information)X 3855(about)X 4147(the)X 835 1596(selection)N 1253(process.)X 1664(In)X 1792(practice,)X 2201(this)X 2403(would)X 2701(require)X 3056(either)X 3352(that)X 3569(the)X 3744(Con\256dential)X 835 1704(observer)N 1259(is)X 1379(not)X 1568(permitted)X 2051(to)X 2181(see)X 2366(the)X 2554(data)X 2796(at)X 2930(all,)X 3114(or)X 3249(that)X 3479(an)X 3635(alternate)X 4087(path)X 835 1812(must)N 1089(exist)X 1328(so)X 1449(that)X 1663(if)X 1753(the)X 1925(C-observer)X 2433(does)X 2657(see)X 2826(part)X 3042(of)X 3150(the)X 3322(data)X 3548(it)X 3643(does)X 3867(not)X 4040(imply)X 835 1920(that)N 1048(it)X 1142(was)X 1342(ever)X 1559(selected.)X 1035 2076(Different)N 1468(variations)X 1946(may)X 2164(be)X 
2294(made)X 2564(of)X 2673(this)X 2873(situation,)X 3327(for)X 3479(example,)X 3905(using)X 4179(an)X 835 2184(Unclassi\256ed)N 1420(data)X 1658(source,)X 2011(a)X 2103(Con\256dential)X 2689(reviewer-and-selector,)X 3714(and)X 3920(a)X 4012(Secret)X 835 2292(dumper.)N 1276(Now,)X 1546(the)X 1732(Unclassi\256ed)X 2319(observer)X 2740(may)X 2971(see)X 3154(the)X 3340(data)X 3580(but)X 3771(only)X 4001(if)X 4105(that)X 835 2400(will)N 1028(not)X 1200(imply)X 1479(that)X 1693(it)X 1787(was)X 1987(selected)X 2368(or)X 2486(dumped.)X 2924(The)X 3122(Con\256dential)X 3696(observer)X 4102(may)X 835 2508(see)N 1010(the)X 1188(data,)X 1448(and)X 1650(may)X 1874(see)X 2050(which)X 2351(portions)X 2751(were)X 3000(selected,)X 3416(but)X 3600(only)X 3823(if)X 3920(so)X 4048(doing)X 835 2616(will)N 1030(not)X 1204(indicate)X 1589(when)X 1860(or)X 1981(whether)X 2379(any)X 2571(dump-copies)X 3155(were)X 3398(performed.)X 3938(In)X 4065(prac-)X 835 2724(tice,)N 1067(these)X 1351(constraints)X 1897(will)X 2109(require)X 2480(that)X 2713(if)X 2822(the)X 3013(Unclassi\256ed)X 3605(or)X 3744(Con\256dential)X 835 2832(observers)N 1298(are)X 1481(permitted)X 1958(to)X 2082(make)X 2364(any)X 2566(observations,)X 3192(those)X 3467(observations)X 4065(must)X 835 2940(be)N 985(possible)X 1388(even)X 1643(in)X 1782(the)X 1976(absence)X 2375(of)X 2505(any)X 2718(``copy-selected'')X 3431(commands,)X 3981(and)X 4198(so)X 835 3048(there)N 1097(must)X 1350(be)X 1478(some)X 1731(other)X 1993(mechanism)X 2527(that)X 2740(could)X 3002(be)X 3130(responsible.)X 1035 3204(These)N 1338(limits)X 1635(on)X 1782(knowledge)X 2293(can)X 2488(be)X 2629(expressed)X 3107(easily)X 3404(and)X 3611(naturally)X 4066(if)X 4168(we)X 835 3312(are)N 1016(free)X 1224(to)X 1346(express)X 1718(them)X 1983(in)X 2108(terms)X 2402(of)X 2518(the)X 2698(inputs)X 3019(received)X 3421(by)X 3561(the)X 3741(\256rst)X 3961(subsys-)X 835 3420(tem.)N 1094(If)X 1200(we)X 1358(are)X 1537(restricted)X 2001(to)X 2121(dealing)X 
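As an added illustration of the figure 7.2 scenario and of the non-deducibility definition it is measured against (example code written for this edition, not part of the thesis), the model below enumerates every trace of the left-hand subsystem and checks the U- and C-observers' information functions against the definition by exhaustive search. The event names, the two-item day, the value alphabet and the "forward" alternate path are assumptions, not taken from the thesis.

```python
"""
Worked model of the left-hand subsystem of figure 7.2, checked against the
non-deducibility definition by exhaustive enumeration: for every pair of
worlds w1, w2 there must exist a world w3 with visible(w3) == visible(w1)
and secret(w3) == secret(w2).  Added example, not part of the thesis; the
event names, the two-item day and the value alphabet are assumptions.
"""
from itertools import combinations, product

VALUES = ("a", "b")   # values the Confidential user may enter (constructed)
ITEMS = (0, 1)        # two data items entered per day (constructed)


def subsets(items):
    for k in range(len(items) + 1):
        yield from combinations(items, k)


def worlds(alternate_path=False):
    """Every trace of the left-hand subsystem.  Events: the C-user enters
    data, the S-user selects items, the U-operator may issue one
    copy-selected command.  With alternate_path the C-user may also
    forward any of his own items directly (a hypothetical extra path)."""
    ws = []
    for vals in product(VALUES, repeat=len(ITEMS)):
        for sel in subsets(ITEMS):
            for fwd in (subsets(ITEMS) if alternate_path else [()]):
                trace = [("data", i, v) for i, v in zip(ITEMS, vals)]
                trace += [("select", i) for i in sel]
                trace += [("forward", i) for i in fwd]
                ws.append(tuple(trace))                          # no copy
                ws.append(tuple(trace + [("copy-selected",)]))   # with copy
    return ws


def delivered(w):
    """The signal received by the right-hand subsystem: the values of
    every forwarded item, plus the selected items if (and only if) a
    copy-selected command was issued, in entry order."""
    data = {e[1]: e[2] for e in w if e[0] == "data"}
    idx = {e[1] for e in w if e[0] == "forward"}
    if ("copy-selected",) in w:
        idx |= {e[1] for e in w if e[0] == "select"}
    return tuple(data[i] for i in sorted(idx))


def nondeducibility_secure(ws, visible, secret):
    """Return (secure, witness); witness is a (w1, w2) pair for which no
    matching w3 exists when the system is insecure, else None."""
    pairs = {(visible(w), secret(w)) for w in ws}
    for w1 in ws:
        for w2 in ws:
            if (visible(w1), secret(w2)) not in pairs:
                return False, (w1, w2)
    return True, None


# U-observer: may learn when copy-selected commands occur but not what
# they transmit.  This information function is a count, not a filter.
def visible_u(w):
    return sum(1 for e in w if e[0] == "copy-selected")

def secret_u(w):
    return tuple(e for e in w if e[0] != "copy-selected")

# C-observer on the right-hand side: sees the delivered data; the
# Secret-level selection process must stay hidden from him.
def visible_c(w):
    return delivered(w)

def secret_c(w):
    return tuple(e for e in w if e[0] == "select")


def analyse(alternate_path=False):
    ws = worlds(alternate_path)
    return {
        "U": nondeducibility_secure(ws, visible_u, secret_u)[0],
        "C": nondeducibility_secure(ws, visible_c, secret_c)[0],
    }


if __name__ == "__main__":
    # Without the alternate path, seeing delivered data implies it was
    # selected, so the C-observer's view is insecure; with it, the
    # forward path is an equally plausible source and both views pass.
    print("selection path only:", analyse(False))
    print("with alternate path:", analyse(True))
```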
These limits on knowledge can be expressed easily and naturally if we are free to express them in terms of the inputs received by the first subsystem. If we are restricted to dealing only with the signals that pass between subsystems, the problem becomes more difficult.

Even after we have a satisfactory method of separating the various aspects of inputs so that they may be assigned different sensitivity levels, there remains the problem of selecting the correct level to assign. In the earlier examples, it was assumed that a subject operating at level X and communicating over an input port labelled level X used information of sensitivity X to form its inputs. This is the safest default assumption, since the X label guarantees only the absence of any influence from higher levels. However, in the general case these inputs may themselves be overclassified or mixed sensitivity signals, and this complicates matters further.

The first guiding principle in this assignment is the realization that the classification of a datum need only be a conservative estimate of its true sensitivity. The initial estimate may be (and probably will be) as crude as the level of the source (equivalently, the value of the input port's label), but it is entirely reasonable to revise this estimate as further, more precise information becomes available. This further information may come in several forms, including duplication of the input by a lower level source and explicit downgrading commands issued by a reliable user.

A more accurate classification rule will permit this kind of refinement of initial classifications. The Artificial Intelligence community has long been studying the technical problem of specifying logical systems for nonmonotonic reasoning [Reiter87]. These are logical systems that permit the formulation and derivation of plausible conclusions from a combination of incomplete knowledge and reasonable assumptions, with the proviso that the conclusion may be retracted when new information becomes available. Unfortunately, these systems are complex to work with, and there remains contention among specialists as to their suitability for use at their present state of development. It may be that a suitably restricted logic, tailored to this particular application, might escape these drawbacks.

7.9. STATUS

In this chapter we described seven secrecy problems that are not adequately addressed by existing formal models. At the end of this chapter they have been dealt with in various degrees of completeness.

Invented Information

The extra external input, à la quasi-determinism, appears to be both useful and appropriate. It enjoys an advantage over the Guttman-Nadel approach in that it allows the internally-generated information to be treated as having whatever sensitivity the modeller feels is appropriate.

Added Value of Computation

An external input may also be used here to achieve the desired effect in the model, although it does not faithfully represent the functioning of the system.

Built-In Information

Built-in sensitive data may straightforwardly be represented by external high-level inputs, or by assuming that all traces are prefixed by a standard sequence of phantom inputs that install the information in question. Sensitive programs are best handled by recognizing that a process "reads" the file containing the executing program, and so that file should be treated as input data to the process. A sensitive algorithm built into the hardware might be treated by the methods described in section 7.8.3.

Filter Downgrading

This refers to downgrading that is essentially the correction of a previous overclassification. Further development along the directions developed in section 7.8.4 should yield methods appropriate to this situation.

Time-Varying Sensitivity

Again, development of the ideas in section 7.8.4, particularly along the lines suggested by [Sutherland89], should provide suitable modelling techniques.

Non-Invertibility

Section 7.8.3 describes the approaches that appear to best suit the inclusion of subsystems like encryptors, whose security depends on noninvertibility of some function.

Security through Unpredictability

This is the case represented by the decomposed encryptor, in which a random signal was combined with high-level data to produce a low-level encrypted output. We have no consistent and thorough model for this case. The combination of the two signals is a simple function, thus it is not reasonable to describe it as non-invertible. It is possible to treat the key stream signal as a randomizing influence, but in doing so it is removed from all information functions and we lose the ability to require that it be protected as a high-level signal. Part of the problem is that the security of the subsystem depends intimately on the characteristics of the random signal, and specifically on its statistical behaviour. We feel that it would be an excessive complication to burden a model with extensive statistical information, particularly when it is useful only in a few situations, and yet there does not appear to be any other way of preventing the hookup of just any high-level signal to the key stream input.
8. CLOSED SYSTEM SECURITY MODELLING

    Before a group can enter open society it must first close ranks.
        Charles Hamilton, Black Power!, 1967.

    No flies enter a closed mouth.
        Spanish proverb.

8.1. INTRODUCTION

In this chapter, the problem of generating composable security properties is considered to result from the attempt to define security for isolated components, and subsequently retrofit composition into the model. Such models are here called "open" models, in that they are based on the analysis of an individual component operating in isolation, without regard to what might actually be producing or consuming the signals that enter or exit it. This chapter suggests the use of "closed" modelling as a basis for the definition of security properties, where a closed model is one in which the component under scrutiny is assumed from the start to be interconnected with an assortment of information
2387(sources,)X 2772(sinks,)X 3062(and)X 3256(processors.)X 1035 4056(Rethinking)N 1572(security)X 1966(modelling)X 2441(from)X 2688(this)X 2898(perspective)X 3440(presents)X 3859(an)X 4010(oppor-)X 835 4164(tunity)N 1178(to)X 1333(review)X 1698(some)X 1994(fundamental)X 2634(ideas)X 2935(about)X 3254(information)X 3847(that)X 4102(may)X 835 4272(pro\256tably)N 1291(be)X 1419(changed)X 1814(from)X 2049(those)X 2313(conventionally)X 2986(used)X 3220(in)X 3336(open-system)X 3916(models.)X 3 f 835 4668(8.2.)N 1053(INFORMATION,)X 1896(FLOW,)X 2262(AND)X 2522(KNOWLEDGE)X 1 f 1035 4824(Our)N 1239(primary)X 1626(goal)X 1835(is)X 1937(to)X 2049(express)X 2411(certain)X 2751(restrictions)X 3286(on)X 3420(the)X 3591(\257ow)X 3801(of)X 3909(informa-)X 835 4932(tion)N 1062(within)X 1405(the)X 1602(composite)X 2094(system,)X 2485(and)X 2705(to)X 2843(detect)X 3163(whether)X 3584(a)X 3689(given)X 3980(system)X 835 5040(design)N 1164(will)X 1371(obey)X 1613(those)X 1892(restrictions.)X 2496(This)X 2736(brings)X 3059(up)X 3215(the)X 3401(question)X 3822(of)X 3944(how)X 4168(we)X 835 5148(will)N 1027(de\256ne)X 1323(information)X 1874(and)X 2068(how)X 2277(we)X 2427(will)X 2619(determine)X 3099(where)X 3399(and)X 3593(when)X 3861(it)X 3955(\257ows.)X 1035 5304(The)N 1233(de\256nition)X 1685(of)X 1792(information)X 2344(and)X 2539(detection)X 2972(of)X 3080(its)X 3220(transmission)X 3827(in)X 3944(a)X 4025(model)X 835 5412(is)N 949(a)X 1041(dif\256cult)X 1425(problem,)X 1853(and)X 2059(one)X 2253(that)X 2478(cannot)X 2816(be)X 2956(said)X 3178(to)X 3301(have)X 3550(a)X 3641(single,)X 3969(univer-)X 835 5520(sally)N 1101(applicable)X 1608(solution.)X 2075(In)X 2230(particular,)X 2760(de\256nitions)X 3287(that)X 3531(may)X 3778(be)X 3937(usefully)X 3 f 2421 5952(-)N 2480(195)X 2672(-)X 196 p %%Page: 196 4 12 s 0 xH 0 xS 3 f 547 396(-)N 606(196)X 798(-)X 2193(8.)X 2302(Closed)X 2664(System)X 3051(Security)X 3502(Modelling)X 1 f 547 684(applied)N 914(in)X 1044(an)X 1197(open)X 
1448(security)X 1845(model)X 2152(may)X 2382(no)X 2530(longer)X 2850(be)X 2992(reasonable)X 3512(in)X 3641(a)X 3734(closed)X 547 792(one.)N 801(Several)X 1179(\256elds)X 1461(of)X 1586(research)X 2013(have)X 2269(struggled)X 2733(with)X 2979(this)X 3195(question,)X 3646(and)X 3859(the)X 547 900(many)N 833(different)X 1255(answers)X 1661(that)X 1884(have)X 2132(been)X 2377(proposed)X 2811(re\257ect)X 3126(some)X 3389(very)X 3619(different)X 547 1008(assumptions.)N 1189(We)X 1358(present)X 1720(here)X 1945(a)X 2025(survey)X 2349(of)X 2456(some)X 2709(of)X 2816(these)X 3080(methods.)X 3 f 547 1404(8.2.1.)N 847(Noninterference)X 1698(and)X 1914(Nondeducibility)X 1 f 747 1560(For)N 949(completeness,)X 1614(we)X 1784(brie\257y)X 2116(mention)X 2530(these)X 2815(security)X 3219(de\256nitions)X 3737(which)X 547 1668(have)N 805(become)X 1177(the)X 1368(conventional)X 1979(formal)X 2316(de\256nitions)X 2832(of)X 2958(con\256dentiality.)X 3697(Nonin-)X 547 1776(terference,)N 1065(which)X 1373(is,)X 1518(strictly)X 1877(speaking,)X 2345(applicable)X 2838(only)X 3069(to)X 3197(deterministic)X 3830(sys-)X 547 1884(tems,)N 819(states)X 1114(that)X 1330(a)X 1413(system)X 1753(is)X 1857(secure)X 2172(if)X 2263(and)X 2459(only)X 2676(if)X 2767(the)X 2940(sequence)X 3372(of)X 3481(inputs)X 3795(from)X 547 1992(and)N 750(outputs)X 1126(to)X 1247(low-level)X 1675(users)X 1951(is)X 2062(unaffected)X 2564(by)X 2704(changes)X 3098(in)X 3223(high-level)X 3698(users's)X 547 2100(inputs.)N 747 2256(Nondeducibility)N 1497(is,)X 1643(in)X 1776(practice,)X 2199(a)X 2296(similar)X 2657(concept,)X 3062(though)X 3420(derived)X 3795(from)X 547 2364(slightly)N 927(different)X 1358(principles.)X 1897(It)X 2020(requires)X 2436(that)X 2669(the)X 2859(hidden)X 3211(information)X 3781(\(gen-)X 547 2472(erally,)N 899(high-level)X 1407(inputs\))X 1795(not)X 2010(be)X 2182(deducible)X 2674(from)X 2953(low-level)X 3416(observations.)X 547 2580(Unlike)N 885(noninterference,)X 1652(nondeducibility)X 2374(may)X 
2598(be)X 2734(applied)X 3095(to)X 3215(non-deterministic)X 547 2688(\(more)N 864(correctly,)X 1338(probabilistic\))X 1981(systems,)X 2425(in)X 2575(which)X 2902(it)X 3030(takes)X 3332(the)X 3538(form)X 3808(of)X 3950(a)X 547 2796(requirement)N 1142(that)X 1370(there)X 1647(must)X 1915(exist)X 2168(at)X 2300(least)X 2555(one)X 2752(system)X 3104(execution)X 3568(that)X 3795(com-)X 547 2904(bines)N 809(any)X 999(given)X 1265(high-level)X 1730(input)X 1997(string)X 2289(with)X 2517(any)X 2707(given)X 2973(low-level)X 3392(behaviour.)X 747 3060(One)N 970(other)X 1247(difference)X 1727(arises)X 2033(if)X 2137(the)X 2323(system)X 2676(has)X 2875(any)X 3080(inputs)X 3407(that)X 3635(are)X 3821(con-)X 547 3168(sidered)N 920(neither)X 1293(high)X 1541(nor)X 1740(low.)X 1996(Noninterference)X 2768(requires)X 3185(that)X 3419(the)X 3611(low-level)X 547 3276(observations)N 1171(remain)X 1554(unaltered)X 2051(when)X 2357(high)X 2621(inputs)X 2971(change,)X 3376(and)X 3608(so)X 3766(these)X 547 3384(``other'')N 926(inputs)X 1275(must)X 1565(also)X 1805(be)X 1970(held)X 2226(\256xed.)X 2557(Nondeducibility,)X 3353(however,)X 3815(only)X 547 3492(requires)N 948(that)X 1166(the)X 1342(high)X 1573(and)X 1772(low)X 1958(coexist)X 2293(in)X 2415(some)X 2674(execution,)X 3157(and)X 3357(so)X 3483(permits)X 3859(the)X 547 3600(other)N 809(inputs)X 1121(to)X 1233(be)X 1361(varied)X 1668(to)X 1780(meet)X 2025(this)X 2223(condition.)X 747 3756(Both)N 1030(de\256nitions)X 1570(have)X 1852(problems)X 2330(dealing)X 2727(with)X 2999(probabilistic)X 3620(systems.)X 547 3864(Noninterference)N 1317(simply)X 1660(isn't)X 1898(de\256ned)X 2269(so)X 2408(as)X 2552(to)X 2683(be)X 2830(applicable)X 3326(to)X 3457(them.)X 3786(Non-)X 547 3972(deducibility)N 1107(can)X 1301(be)X 1442(applied,)X 1835(but)X 2024(may)X 2253(give)X 2473(unreasonably)X 3114(optimistic)X 3594(results)X 3941(if)X 547 4080(some)N 800(desired)X 1151(system)X 1489(execution)X 1939(exists)X 2222(only)X 2437(at)X 2554(a)X 
2634(very)X 2854(low)X 3034(probability.)X 747 4236(Both)N 1010(de\256nitions)X 1531(assume)X 1917(that)X 2154(any)X 2368(illicit)X 2649(channel)X 3051(may)X 3291(be)X 3443(exploited)X 3896(no)X 547 4344(matter)N 881(how)X 1093(much)X 1369(computation)X 1953(may)X 2172(be)X 2303(required)X 2712(to)X 2827(recover)X 3181(the)X 3355(sensitive)X 3778(data.)X 547 4452(That)N 794(is,)X 931(they)X 1161(assume)X 1531(in\256nite)X 1888(computing)X 2390(resources)X 2847(on)X 2989(the)X 3168(part)X 3391(of)X 3506(the)X 3685(enemy.)X 547 4560(They)N 818(also)X 1043(assume)X 1427(that)X 1662(the)X 1855(enemy)X 2194(has)X 2399(full)X 2598(knowledge)X 3117(of)X 3245(the)X 3437(principles)X 3923(of)X 547 4668(operation)N 1022(of)X 1156(the)X 1355(system,)X 1748(and)X 1970(can)X 2180(effectively)X 2685(compute)X 3115(all)X 3283(possible)X 3692(system)X 547 4776(behaviours.)N 3 f 547 5172(8.2.2.)N 847(Information)X 1483(Theory)X 1 f 747 5328(The)N 954(\256rst)X 1174(quantitative)X 1757(treatments)X 2285(of)X 2402(information)X 2963(are)X 3144(connected)X 3621(with)X 3859(the)X 547 5436(study)N 825(of)X 936(communication.)X 1700(In)X 1829(connection)X 2334(with)X 2565(telegraphy,)X 3097(Nyquist)X 3480([Nyquist24])X 547 5544(used)N 784(a)X 867(logarithmic)X 1406(measure)X 1817(of)X 1928(the)X 2103(information)X 2658(content)X 3020(of)X 3131(a)X 3215(signal.)X 3568(If)X 3670(the)X 3845(sig-)X 547 5652(nal)N 721(can)X 908(take)X 2 f 1135(n)X 1 f 1226(possible)X 1611(values,)X 1955(it)X 2053(can)X 2239(store)X 2491(log)X 2 f 9 s 2620 5671(b)N 1 f 12 s 2 f 2695 5652(n)N 1 f 2785(units)X 3046(of)X 3157(information,)X 3739(in)X 3859(the)X 197 p %%Page: 197 5 12 s 0 xH 0 xS 1 f 3 f 835 396(8.2.)N 1026 0.3011(Information,)AX 1689(Flow,)X 1990(and)X 2206(Knowledge)X 4008(-)X 4067(197)X 4259(-)X 1 f 835 684(sense)N 1116(that)X 1338(it)X 1442(would)X 1746(take)X 1978(that)X 2201(number)X 2585(of)X 2 f 2702(b)X 1 f 2755(-way)X 3003(signals)X 3353(to)X 3475(represent)X 3938(a)X 4028(single)X 2 f 
835 792(n)N 1 f 894(-way)X 1135(one.)X 1374(The)X 1575(choice)X 1876(of)X 2 f 1986(b)X 1 f 2069(affects)X 2389(only)X 2607(the)X 2781(size)X 2980(of)X 3090(the)X 3264(units,)X 3550(and)X 3746(if)X 3837(the)X 4010(base)X 4238(2)X 835 919(is)N 937(chosen)X 1266(the)X 1437(resulting)X 1866(units)X 2123(are)X 2294(known)X 2619(as)X 2 f 2744(bits)X 1 f 9 s 2906 881(1)N 12 s 2946 919(.)N 1035 1075(The)N 1234(subsequent)X 1768(development)X 2361(of)X 2470(communication)X 3178(theory)X 3493(led)X 3655(to)X 3769(the)X 3942(employ-)X 835 1183(ment)N 1105(of)X 1226(several)X 1585(related)X 1939(measures.)X 2459(In)X 2597(considering)X 3148(the)X 3332(problem)X 3734(of)X 3854(ef\256ciently)X 835 1291(encoding)N 1272(a)X 1369(\(discrete\))X 1826(data)X 2068(stream,)X 2451(it)X 2563(is)X 2683(advantageous)X 3340(to)X 3470(employ)X 3832(a)X 3930(variable)X 835 1399(length)N 1153(code,)X 1408(such)X 1648(that)X 1868(high-frequency)X 2569(source)X 2889(symbols)X 3280(\(or)X 3436(sequences)X 3917(of)X 4030(them\))X 835 1507(are)N 1022(encoded)X 1422(into)X 1640(short)X 1916(codes)X 2199(and)X 2410(rare)X 2641(source)X 2971(symbols)X 3372(into)X 3590(long)X 3822(ones.)X 4120(The)X 2 f 835 1615(entropy)N 1 f 1192(of)X 1299(a)X 1379(signal)X 2 f 1674(s)X 9 s 1729 1577(n)N 1 f 12 s 1808 1615(of)N 1915(length)X 2 f 2226(n)X 1 f 2312(symbols)X 2696(is)X 2798(de\256ned)X 3149(as)X 2 f 1951 1771(H)N 9 s 2031 1790(n)N 1 f 12 s 2083 1771(\()N 2 f 2115(S)X 1 f 2187(\))X 2 f 9 f 2246(=)X 2326(-)X 9 s 2 f 2381 1867(s)N 6 s 2421 1828(n)N 1 f 17 s 9 f 2379 1799(S)N 2 f 12 s 2486 1771(p)N 1 f 2549(\()X 2 f 2581(s)X 9 s 2636 1733(n)N 1 f 12 s 2688 1771(\))N 2747(log)X 9 s 2876 1790(2)N 2 f 12 s 2940 1771(p)N 1 f 3003(\()X 2 f 3035(s)X 9 s 3090 1733(n)N 1 f 12 s 3142 1771(\))N 835 2003(where)N 1149(the)X 1334(sum)X 1564(is)X 1680(taken)X 1975(over)X 2206(all)X 2360(possible)X 2755(length)X 2 f 3080(n)X 1 f 3180(source)X 3507(strings.)X 3912(It)X 4030(is)X 4147(the)X 835 2111(average)N 1216(number)X 
1597(of)X 1711(bits)X 1910(needed)X 2257(to)X 2376(encode)X 2711(each)X 2948(string)X 2 f 3247(s)X 9 s 3302 2073(n)N 1 f 12 s 3388 2111(in)N 3510(the)X 3687(most)X 3935(ef\256cient)X 835 2219(possible)N 1238(encoding.)X 1734(This)X 1981(code)X 2224(ef\256ciency)X 2687(is)X 2812(sometimes)X 3333(improved,)X 3825(and)X 4042(never)X 835 2327(worsened,)N 1315(by)X 1451(encoding)X 1876(longer)X 2187(and)X 2386(longer)X 2697(strings)X 3039(of)X 3151(source)X 3469(symbols)X 3858(at)X 3980(a)X 4064(time.)X 835 2435(The)N 1058(theoretical)X 1586(lower)X 1882(bound)X 2208(on)X 2367(the)X 2563(average)X 2962(number)X 3362(of)X 3495(bits)X 3713(required)X 4145(per)X 835 2543(source)N 1148(symbol)X 1487(\(from)X 1754([Shannon49]\))X 2380(is)X 2 f 1790 2737(H)N 1 f 1886(\()X 2 f 1918(S)X 1 f 1990(\))X 2 f 9 f 2049(=)X 9 s 2 f 2129 2804(n)N 1 f 9 f 2179 MX (->)174 987 oc 2250(\245)X 12 s 1 f 2142 2737(lim)N 2 f 2324 2804(n)N 1 f 2327 2680(1)N 10 f 2309 2708(h)N 2349(h)X 2 f 2422 2736(H)N 9 s 2502 2755(n)N 1 f 12 s 2554 2736(\()N 2 f 2586(S)X 1 f 2658(\))X 2 f 9 f 2049 2979(=)N 2129(-)X 9 s 2 f 2182 3046(n)N 1 f 9 f 2232 MX (->)174 987 oc 2303(\245)X 12 s 1 f 2195 2979(lim)N 2 f 2404 3046(n)N 1 f 2407 2922(1)N 10 f 2389 2950(h)N 2429(h)X 2 f 9 s 2542 3074(s)N 6 s 2582 3035(n)N 1 f 17 s 9 f 2540 3006(S)N 2 f 12 s 2647 2978(p)N 1 f 2710(\()X 2 f 2742(s)X 9 s 2797 2940(n)N 1 f 12 s 2849 2978(\))N 2908(log)X 9 s 3037 2997(2)N 2 f 12 s 3101 2978(p)N 1 f 3164(\()X 2 f 3196(s)X 9 s 3251 2940(n)N 1 f 12 s 3303 2978(\))N 835 3211(where)N 1135(the)X 1306(sum)X 1522(is)X 1624(taken)X 1905(over)X 2123(all)X 2 f 2264(s)X 9 s 2319 3173(n)N 1 f 12 s 2371 3211(,)N 2426(the)X 2598(source)X 2912(symbol)X 3252(strings)X 3590(of)X 3698(length)X 2 f 4010(n)X 1 f 4069(,)X 4124(and)X 835 3319(where)N 2 f 1140(p)X 1 f 1203(\()X 2 f 1235(s)X 9 s 1290 3281(n)N 1 f 12 s 1342 3319(\))N 1406(is)X 1513(the)X 1689(probability)X 2203(of)X 2314(the)X 2489(string)X 2 f 2785(s)X 9 s 2840 3281(n)N 1 f 12 s 2892 
3319(.)N 2977(This)X 2 f 3206(H)X 1 f 3302(\()X 2 f 3334(S)X 1 f 3406(\),)X 3496(called)X 3786(the)X 2 f 3961(entropy)X 1 f 835 3427(\(per)N 1050(symbol\))X 1431(of)X 1548(the)X 1729(source,)X 2080(represents)X 2589(its)X 2739(information)X 3301(content)X 3670(in)X 3797(the)X 3979(precise)X 835 3535(sense)N 1120(that)X 1346(the)X 1530(source)X 1856(may)X 2085(not)X 2269(be)X 2410(encoded)X 2806(using,)X 3117(on)X 3264(average,)X 3678(fewer)X 3964(than)X 2 f 4211(H)X 1 f 835 3643(bits)N 1032(per)X 1210(source)X 1528(symbol.)X 1926(If)X 2029(only)X 2249(one)X 2436(source)X 2754(symbol)X 2 f 3099(s)X 1 f 2 f 10 s 9 f 3177(\316)X 1 f 12 s 2 f 3261(S)X 1 f 3358(is)X 3466(encoded)X 3855(at)X 3978(a)X 4064(time,)X 835 3751(it)N 941(theoretically)X 1536(requires)X 2 f 9 f 1943(-)X 2 f 1996(p)X 1 f 2059(\()X 2 f 2091(s)X 1 f 2142(\))X 2201(log)X 9 s 2330 3770(2)N 2 f 12 s 2394 3751(p)N 1 f 2457(\()X 2 f 2489(s)X 1 f 2540(\))X 2610(bits)X 2813(in)X 2940(a)X 3031(minimum)X 3502(length)X 3824(code,)X 4083(from)X 835 3859(which)N 1146(it)X 1258(is)X 1378(sometimes)X 1894(concluded)X 2379(that)X 2610(the)X 2799(lower-probability)X 3603(source)X 3934(symbols)X 835 3967(``contain)N 1231(more)X 1482(information'')X 2073(than)X 2308(the)X 2479(higher)X 2796(probability)X 3306(ones.)X 1035 4123(In)N 1185(coding)X 1523(and)X 1742(communication)X 2473(systems)X 2881(it)X 3000(is)X 3127(also)X 3356(sometimes)X 3880(useful)X 4206(to)X 835 4231(measure)N 1283(the)X 1494(mutual)X 1884(information)X 2475(content)X 2873(of)X 3020(two)X 3247(signals,)X 3653(considered)X 4193(as)X 835 4339(sequences)N 1313(of)X 1423(random)X 1796(variables.)X 2286(That)X 2530(is,)X 2663(how)X 2876(much)X 3153(information)X 3708(from)X 3947(one)X 4133(sig-)X 835 4447(nal)N 1017(can)X 1212(be)X 1353(gained)X 1689(by)X 1833(observing)X 2301(the)X 2484(other.)X 2812(The)X 2 f 3022(average)X 3401(mutual)X 3764(information)X 1 f 835 4555(between)N 2 f 1230(X)X 1 f 1325(and)X 2 f 1519(Y)X 1 f 1612(is)X 
1714(de\256ned)X 2065(\(in)X 2213([Gray90]\))X 2664(as)X 2 f 1525 4778(I)N 1 f 1580(\()X 2 f 1612(X)X 1 f 1696(;)X 2 f 1723(Y)X 1 f 1797(\))X 2 f 9 f 1883(=)X 9 s 2 f 1990 4874(x)N 6 s 2034 4835(n)N 1 f 9 s 2069 4874(,)N 2 f 2095(y)X 6 s 2139 4835(m)N 1 f 17 s 9 f 2049 4806(S)N 2 f 12 s 2188 4778(p)N 9 s 2243 4797(X)N 1 f 2294(,)X 2 f 2320(Y)X 1 f 12 s 2377 4778(\()N 2 f 2409(x)X 9 s 2469 4740(n)N 1 f 12 s 2521 4778(,)N 2 f 2556(y)X 9 s 2616 4740(m)N 1 f 12 s 2688 4778(\))N 2747(log)X 9 s 2876 4797(2)N 2 f 12 s 2964 4854(p)N 9 s 3019 4873(X)N 1 f 12 s 3078 4854(\()N 2 f 3110(x)X 9 s 3170 4816(n)N 1 f 12 s 3222 4854(\))N 2 f 3270(p)X 9 s 3325 4873(Y)N 1 f 12 s 3382 4854(\()N 2 f 3414(y)X 9 s 3474 4816(m)N 1 f 12 s 3546 4854(\))N 2 f 3005 4701(p)N 9 s 3060 4720(X)N 1 f 3111(,)X 2 f 3137(Y)X 1 f 12 s 3194 4701(\()N 2 f 3226(x)X 9 s 3286 4663(n)N 1 f 12 s 3338 4701(,)N 2 f 3373(y)X 9 s 3433 4663(m)N 1 f 12 s 3505 4701(\))N 10 f 2949 4749(h)N 2968(hhhhhhhhhhhhh)X 1 f 835 5010(The)N 1056(consistency)X 1614(of)X 1745(these)X 2033(de\256nitions)X 2554(is)X 2680(demonstrated)X 3344(by)X 3499(the)X 3694(fact)X 3910(that)X 4147(the)X 835 5118(information)N 2 f 1427(I)X 1 f 1482(\()X 2 f 1514(X)X 1 f 1598(;)X 2 f 1625(X)X 1 f 1701(\))X 1801(communicated)X 2514(by)X 2 f 2685(X)X 1 f 2820(about)X 3137(itself)X 3426(equals)X 2 f 3781(H)X 9 s 3861 5137(n)N 1 f 12 s 3913 5118(\()N 2 f 3945(X)X 1 f 4021(\),)X 4147(the)X 10 s 10 f 835 5208(h)N 867(hhhhhhhhhhhhhhhhhhhhhhhhhhhh)X 7 s 1 f 1007 5301(1)N 10 s 1062 5333(Another)N 1389(popular)X 1699(choice)X 1949(for)X 2 f 2076(b)X 1 f 2144(is)X 2 f 2231(e)X 1 f 2267(,)X 2314(yielding)X 2635(the)X 2780(natural)X 3083(logarithm,)X 3494(in)X 3593(which)X 3839(case)X 4021(the)X 4166(un-)X 835 5423(its)N 950(are)X 1092(known)X 1362(as)X 2 f 1465(nats)X 1 f 1624(.)X 198 p %%Page: 198 6 10 s 0 xH 0 xS 1 f 12 s 3 f 547 396(-)N 606(198)X 798(-)X 2193(8.)X 2302(Closed)X 2664(System)X 3051(Security)X 3502(Modelling)X 1 f 547 684(information)N 
1098(content)X 1456(of)X 2 f 1563(X)X 1 f 1631(.)X 747 840(In)N 873(deriving)X 1268(expressions)X 1813(for)X 1964(the)X 2137(capacity)X 2531(of)X 2640(noisy)X 2902(bandlimited)X 3466(communica-)X 547 948(tion)N 755(channels,)X 1212(Shannon)X 1643(used)X 1884(entropy)X 2258(as)X 2389(a)X 2475(measure)X 2889(of)X 3002(information)X 3559(content)X 3923(of)X 547 1056(a)N 629(message.)X 1087(His)X 1271(use)X 1452(of)X 1562(this)X 1763(measure)X 2174(was)X 2377(narrowly)X 2809(restricted:)X 3295(the)X 3469(entropy)X 3840(of)X 3950(a)X 547 1164(set)N 705(of)X 813(signals,)X 1181(divided)X 1533(by)X 1665(the)X 1837(time)X 2065(required)X 2472(to)X 2585(communicate)X 3203(them)X 3460(over)X 3677(a)X 3757(chan-)X 547 1272(nel,)N 742(yields)X 1032(the)X 1207(signalling)X 1677(rate)X 1890(of)X 2002(the)X 2178(channel)X 2561(in)X 2682(units)X 2944(that)X 3162(are)X 3338(independent)X 3923(of)X 547 1380(the)N 739(mechanism)X 1293(used.)X 1601(Equivalently,)X 2245(it)X 2359(is)X 2481(the)X 2672(signalling)X 3157(rate)X 3385(assuming)X 3859(the)X 547 1488(most)N 789(ef\256cient)X 1172(possible)X 1553(encoding)X 1973(of)X 2080(the)X 2251(source)X 2564(data.)X 747 1644(These)N 1047(types)X 1319(of)X 1435(measures)X 1897(have)X 2144(recently)X 2539(become)X 2900(popular)X 3279(in)X 3404(the)X 3585(computer)X 547 1752(security)N 939(\256eld.)X 1221(If)X 1328(the)X 1508(system)X 1855(is)X 1966(viewed)X 2309(as)X 2442(a)X 2530(communications)X 3289(medium,)X 3713(as)X 3846(has)X 547 1860(been)N 799(done)X 1054(in)X 1188(the)X 1377(traditional)X 1897(open)X 2152(security)X 2553(model,)X 2891(it)X 3003(is)X 3123(not)X 3312(surprising)X 3817(that)X 547 1968(communication)N 1260(theory)X 1580(should)X 1910(\256nd)X 2117(application.)X 2698(This)X 2930(is)X 3039(particularly)X 3600(apparent)X 547 2076(in)N 666(the)X 840(case)X 1059(of)X 1169(covert)X 1469(channels,)X 1922(where)X 2225(it)X 2322(may)X 2541(be)X 2673(of)X 2784(interest)X 3162(to)X 3278(perform)X 3663(a)X 3747(quan-)X 547 
2184(titative)N 898(analysis)X 1291(of)X 1398(a)X 1478(channel's)X 1921(transmission)X 2527(capacity)X 2919([Millen87].)X 3458(Related)X 3825(pro-)X 547 2292(babilistic)N 980(techniques)X 1490(have)X 1730(also)X 1935(been)X 2172(proposed)X 2598(for)X 2750(modelling)X 3215(non-deterministic)X 547 2400(systems)N 935(without)X 1311(suffering)X 1741(the)X 1916(overoptimism)X 2552(exhibited)X 2994(by)X 3129(straight)X 3515(nondeduci-)X 547 2508(bility)N 805([Wittbold90])X 1386([McLean90].)X 747 2664(However,)N 1228(in)X 1378(the)X 1583(study)X 1892(of)X 2034(communication)X 2775(systems)X 3193(the)X 3399(``information'')X 547 2772(source)N 867(and)X 1068(sink)X 1293(are)X 1471(left)X 1652(unspeci\256ed.)X 2241(In)X 2373(fact,)X 2599(it)X 2700(is)X 2809(common)X 3211(to)X 3329(model)X 3628(the)X 3805(data)X 547 2880(source)N 862(as)X 989(being)X 1259(random,)X 1658(with)X 1888(some)X 2143(known)X 2471(\(and)X 2700(hopefully)X 3142(exploitable\))X 3687(statist-)X 547 2988(ical)N 756(properties.)X 1315(Whether)X 1756(or)X 1900(not)X 2097(there)X 2385(is)X 2513(any)X 2729(meaning)X 3166(to)X 3303(these)X 3592(bits,)X 3836(and)X 547 3096(whether)N 956(some)X 1222(bits)X 1427(are)X 1611(more)X 1875(important)X 2363(than)X 2612(others,)X 2960(is)X 3076(of)X 3197(no)X 3345(interest)X 3733(to)X 3859(the)X 547 3204(communications)N 1316(engineer,)X 1774(and)X 1986(is)X 2106(not)X 2295(re\257ected)X 2721(in)X 2854(the)X 3042(information)X 3610(theoretic)X 547 3312(de\256nitions.)N 747 3468(Indeed,)N 1112(this)X 1317(lack)X 1534(of)X 1648(interest)X 2029(is)X 2138(mandated)X 2617(by)X 2755(the)X 2934(nature)X 3268(of)X 3383(the)X 3562(communi-)X 547 3576(cation)N 846(problem)X 1236(itself.)X 1540(Since)X 1808(those)X 2073(systems)X 2457(do)X 2588(not)X 2760(create)X 3060(nor)X 3238(interpret)X 3666(the)X 3838(bits)X 547 3684(they)N 770(convey,)X 1125(there)X 1388(is)X 1491(no)X 1626(``handle'')X 2038(that)X 2252(the)X 2424(communications)X 3177(theorist)X 3553(can)X 3737(use)X 
3918(to)X 547 3792(assign)N 875(signi\256cance)X 1440(to)X 1570(the)X 1759(data.)X 2056(For)X 2255(this)X 2470(reason,)X 2837(it)X 2948(is)X 3067(perhaps)X 3469(unfortunate)X 547 3900(that)N 766(the)X 943(term)X 1189(``information'')X 1826(has)X 2016(come)X 2273(into)X 2480(popular)X 2856(use)X 3041(as)X 3172(a)X 3258(synonym)X 3689(for)X 3845(sig-)X 547 4008(nal)N 721(entropy.)X 1147(The)X 1349(bandlimited)X 1915(signal)X 2214(with)X 2446(the)X 2621(highest)X 2981(entropy)X 3353(is)X 3459(white)X 3739(Gaus-)X 547 4135(sian)N 761(noise,)X 1045(which)X 1338(we)X 1488(would)X 1782(normally)X 2208(consider)X 2606(to)X 2719(be)X 2848(information-free)X 9 s 3575 4097(2)N 12 s 3615 4135(.)N 3697(On)X 3859(the)X 547 4243(other)N 817(hand,)X 1105(a)X 1193(signal)X 1496(which)X 1797(is)X 1907(almost)X 2240(always)X 2582(a)X 2670("0")X 2832(and)X 3034(only)X 3257(very)X 3485(rarely)X 3788(a)X 3876("1")X 547 4351(\(eg.,)N 759(only)X 974(when)X 1242(the)X 1413(missile)X 1753(\256res\))X 2007(has)X 2191(very)X 2411(low)X 2591(entropy.)X 747 4507(Open)N 1015(system)X 1357(security)X 1744(models)X 2087(inherit)X 2425(a)X 2510(disinterest)X 3019(in)X 3140(the)X 3316(nature)X 3647(of)X 3759(infor-)X 547 4615(mation)N 929(when)X 1240(communication)X 1988(theoretic)X 2450(measurements)X 3174(are)X 3387(used,)X 3690(unaug-)X 547 4723(mented,)N 951(to)X 1081(characterize)X 1672(leaky)X 1956(information)X 2525(systems.)X 2981(In)X 3125(this)X 3342(case,)X 3604(however,)X 547 4831(the)N 727(disinterest)X 1240(cannot)X 1575(reasonably)X 2094(be)X 2231(justi\256ed.)X 2682(Information)X 3250(systems)X 3641(do)X 3779(often)X 547 4939(interpret)N 995(data,)X 1268(and)X 1483(occasionally)X 2064(even)X 2319(invent)X 2652(it.)X 2822(The)X 3042(opportunity)X 3613(exists)X 3918(to)X 10 s 10 f 547 5029(h)N 579(hhhhhhhhhhhhhhhhhhhhhhhhhhhh)X 7 s 1 f 719 5122(2)N 10 s 781 5154(It)N 875(is)X 969(admitted)X 1335(that)X 1522(there)X 1750(exist)X 1958(cases)X 2184(in)X 2290(which)X 2543(noise)X 
2766(may)X 2956(have)X 3164(a)X 3240(signi\256cance,)X 3727(derived)X 547 5244(from)N 750(its)X 872(application,)X 1334(e.g.)X 1490(if)X 1571(it)X 1656(is)X 1747(used)X 1948(to)X 2047(generate)X 2398(keys)X 2594(or)X 2698(passwords.)X 3155(We)X 3301(will)X 3466(tentatively)X 3896(ac-)X 547 5334(cept)N 726(this)X 894(as)X 1001(``information'',)X 1550(and)X 1715(worthy)X 2002(of)X 2095(protection,)X 2517(although)X 2874(with)X 3068(a)X 3139(truly)X 3350(complete)X 3706(security)X 547 5424(model)N 795(it)X 877(should)X 1149(be)X 1259(possible)X 1579(to)X 1676(derive)X 1932(the)X 2078(necessity)X 2442(of)X 2535(protecting)X 2938(key)X 3095(material)X 3436(rather)X 3697(than)X 3895(as-)X 547 5514(suming)N 2 f 843(ab)X 955(initio)X 1 f 1175(that)X 1352(it)X 1430(is)X 1514(sensitive)X 1863(``information''.)X 199 p %%Page: 199 7 10 s 0 xH 0 xS 1 f 12 s 3 f 835 396(8.2.)N 1026 0.3011(Information,)AX 1689(Flow,)X 1990(and)X 2206(Knowledge)X 4008(-)X 4067(199)X 4259(-)X 1 f 835 684(distinguish)N 1376(between)X 1785(a)X 1879(one)X 2075(bit)X 2236(per)X 2423(hour)X 2673(leak)X 2902(of)X 3023(an)X 3176(unspeci\256ed)X 3719(sensitive)X 4154(\256le)X 835 792(and)N 1035(a)X 1121(similar)X 1470(leak)X 1691(of)X 1804(a)X 1890(password,)X 2369(because)X 2751(the)X 2928(system)X 3271 0.3828(``knows'')AX 3667(in)X 3788(some)X 4046(sense)X 835 900(which)N 1128(bits)X 1320(are)X 1491(passwords)X 1982(and)X 2176(which)X 2469(are)X 2640(not.)X 1035 1056(Another)N 1491(criticism)X 1970(that)X 2249(may)X 2531(be)X 2725(levelled)X 3158(at)X 3342(information-theoretic)X 835 1164(de\256nitions)N 1341(is)X 1452(that)X 1673(they)X 1903(may)X 2127(be)X 2263(making)X 2633(unreasonable)X 3266(assumptions)X 3862(about)X 4147(the)X 835 1272(capabilities)N 1374(of)X 1486(the)X 1662(receiver)X 2048(or,)X 2198(when)X 2471(these)X 2740(methods)X 3149(are)X 3325(applied)X 3683(to)X 3800(secure)X 4118(sys-)X 835 1380(tems,)N 1105(of)X 1213(the)X 1385(adversary.)X 1909(If)X 2008(what)X 2260(an)X 
2400(observer)X 2806(sees)X 3019(is)X 3121(affected)X 3496(by)X 3627(sensitive)X 4047(infor-)X 835 1488(mation,)N 1207(it)X 1307(is)X 1415(assumed)X 1838(that)X 2057(the)X 2234(observer)X 2646(will)X 2844(be)X 2979(able)X 3197(to)X 3316(decode)X 3647(those)X 3918(observa-)X 835 1596(tions)N 1098(into)X 1316(some)X 1586(assertion)X 2038(about)X 2332(the)X 2520(sensitive)X 2957(information.)X 3579(In)X 3720(other)X 3998(words,)X 835 1704(whatever)N 1297(``transfer)X 1745(function'')X 2200(is)X 2323(represented)X 2900(by)X 3052(the)X 3244(transformation)X 3964(of)X 4092(high)X 835 1812(inputs)N 1147(to)X 1259(low)X 1439(perturbations)X 2076(is)X 2178(assumed)X 2595(to)X 2707(be)X 2835(invertible.)X 1035 1968(And)N 1247(yet,)X 1439(it)X 1535(is)X 1639(known)X 1967(that)X 2183(some)X 2439(functions)X 2881(whose)X 3186(inversion)X 3629(is)X 3734(theoretically)X 835 2076(possible)N 1229(\(i.e.)X 1433(with)X 1674(unbounded)X 2209(computing)X 2716(power\))X 3057(are,)X 3268(in)X 3397(practical)X 3823(terms,)X 4147(not)X 835 2184(invertible.)N 1361(For)X 1559(example,)X 1999(assume)X 2377(that)X 2606(a)X 2702(sensitive)X 3138(input)X 3421(consists)X 3816(of)X 3940(a)X 4037(set)X 4211(of)X 835 2292(large)N 1093(prime)X 1387(numbers,)X 1839(and)X 2039(the)X 2216(output)X 2544(observed)X 2968(by)X 3105(the)X 3282(adversary)X 3757(is)X 3864(their)X 4113(pro-)X 835 2400(duct.)N 1111(Since)X 1379(the)X 1551(prime)X 1840(factors)X 2169(of)X 2278(any)X 2470(number)X 2846(are)X 3019(unique,)X 3383(the)X 3556(observation)X 4100(logi-)X 835 2508(cally)N 1089(implies)X 1459(the)X 1650(input)X 1937(data)X 2182(and)X 2396(so)X 2536(information)X 3107(theory)X 3439(concludes)X 3915(that)X 4147(the)X 835 2616(adversary)N 1317(possesses)X 1781(all)X 1935(the)X 2120(sensitive)X 2554(data.)X 2847(But,)X 3080(factoring)X 3517(large)X 3783(numbers)X 4216(is)X 835 2724(computationally)N 1598(intractable)X 2129(\(for)X 2329(suf\256ciently)X 2867(large)X 3137(numbers,)X 3601(that)X 3832(is\),)X 
4010(so)X 4147(the)X 835 2832(function)N 1229(may)X 1445(fail)X 1617(to)X 1729(be)X 1857(invertible)X 2313(in)X 2429(practice.)X 3 f 835 3228(8.2.3.)N 1135(Knowledge)X 1717(Modelling)X 1 f 1035 3384(Hintikka)N 1469([Hintikka62])X 2073(is)X 2180(reported)X 2589(to)X 2706(be)X 2839(the)X 3015(\256rst)X 3231(to)X 3348(attempt)X 3732(to)X 3849(model)X 4147(the)X 835 3492(concept)N 1204(of)X 1320(knowledge,)X 1854(using)X 2133(the)X 2312(notion)X 2628(of)X 2 f 2743(possible)X 3127(worlds)X 1 f 3427(.)X 3516(In)X 3649(this)X 3855(approach,)X 835 3600(an)N 988(agent)X 1277(does)X 1514(not)X 1699(know)X 1979(the)X 2164(state)X 2425(of)X 2546(the)X 2731(real)X 2946(world,)X 3265(but)X 3455(is)X 3572(able)X 3798(to)X 3925(rule)X 4147(out)X 835 3708(some)N 1101(possibilities)X 1667(based)X 1961(on)X 2107(observations.)X 2760(A)X 2868(predicate)X 9 f 3319(y)X 1 f 3424(is)X 3538(then)X 2 f 3780(known)X 1 f 4113(pre-)X 835 3816(cisely)N 1111(if)X 1202(it)X 1298(is)X 1402(true)X 1618(in)X 1736(each)X 1968(of)X 2077(the)X 2250(remaining)X 2737(possible)X 3120(worlds.)X 3499(This)X 3727(notion)X 4038(forms)X 835 3924(the)N 1018(basis)X 1283(of)X 1402(much)X 1687(of)X 1806(the)X 1988(formal)X 2317(reasoning)X 2791(about)X 3079(knowledge)X 3588(in)X 3715(the)X 3897(Arti\256cial)X 835 4032(Intelligence)N 1384(research)X 1793(community.)X 1035 4188(Logical)N 1415(statements)X 1970(about)X 2281(knowledge)X 2813(can)X 3029(be)X 3191(formally)X 3624(expressed)X 4124(and)X 835 4296(manipulated)N 1450(by)X 1605(the)X 1800(introduction)X 2399(of)X 2530(the)X 2 f 2724(modal)X 3053(operator)X 3472(K)X 9 s 3543 4315(i)N 1 f 12 s 3575 4296(,)N 3652(enabling)X 4085(such)X 835 4404(assertions)N 1328(as)X 2 f 1466(K)X 9 s 1537 4423(i)N 1 f 12 s 9 f 1585 4404(y)N 1 f 1651(,)X 1718(meaning)X 2143(``player)X 2 f 2503(i)X 1 f 2575(knows)X 9 f 2899(y)X 1 f 2965(''.)X 3099(These)X 3403(modal)X 3714(operators,)X 4202(in)X 835 4512(turn,)N 1105(are)X 1294(often)X 1563(given)X 1847(a)X 1945(\256rm)X 
2177(semantic)X 2622(interpretation)X 3294(through)X 2 f 3695(Kripke)X 4037(struc-)X 0(ZapfChancery-MediumItalic)xf 0 f 1 f 2 f 835 4620(tures)N 1 f 1057(.)X 1145(A)X 1248(Kripke)X 1590(structure)X 2 f 2038(M)X 1 f 2 f 9 f 2164(=)X 1 f 2244(\()X 2 f 2276(S)X 1 f 2340(,)X 9 f 2383(p)X 1 f 2436(,)X 0 f 2471(K)X 1 f 9 s 2534 4639(1)N 12 s 2582 4620(,)N 2644 4592(.)N 2698(.)X 2752(.)X 2806 4620(,)N 0 f 2841(K)X 2 f 9 s 2904 4639(n)N 1 f 12 s 2956 4620(\))N 3022(is)X 3131(a)X 3218(set)X 3382(of)X 2 f 3496(states)X 3783(S)X 1 f 3847(,)X 3909(a)X 9 f 3997(p)X 1 f 4085(such)X 835 4728(that)N 9 f 1053(p)X 1 f 1106(\()X 2 f 1138(s)X 1 f 1189(\))X 1253(yields,)X 1571(for)X 1725(each)X 1959(state)X 2 f 2210(s)X 1 f 2253(,)X 2311(a)X 2395(truth)X 2661(assignment)X 3204(to)X 3320(the)X 3495(primitive)X 3935(proposi-)X 835 4836(tions,)N 1119(and)X 1324(some)X 1588(number)X 1973(of)X 2091(relations)X 2522(between)X 2928(states)X 0 f 3225(K)X 2 f 9 s 3288 4855(i)N 1 f 12 s 3320 4836(,)N 3386(one)X 3580(for)X 3742(each)X 3984(player.)X 835 4944(The)N 1038(modal)X 1341(operator)X 1748(semantics)X 2224(are)X 2399(then)X 2633(de\256ned)X 2988(for)X 2 f 3142(K)X 9 s 3213 4963(i)N 1 f 12 s 3276 4944(as)N 3405(follows:)X 2 f 3771(M)X 1 f 3862(,)X 2 f 3897(s)X 1 f 9 f 3991(|)X 2 f 9 f 4026(=)X 1 f 2 f 4106(K)X 9 s 4177 4963(i)N 1 f 12 s 9 f 4225 4944(y)N 1 f 835 5052(\(read,)N 1132(``)X 2 f 1172(K)X 9 s 1243 5071(i)N 1 f 12 s 9 f 1291 5052(y)N 1 f 1396(is)X 2 f 1510(satis\256ed)X 1 f 1917(in)X 2045(state)X 2 f 2304(s)X 1 f 2386(of)X 2505(structure)X 2 f 2958(M)X 1 f 3049(''\))X 3161(if)X 2 f 3263(M)X 1 f 3354(,)X 2 f 3389(t)X 1 f 9 f 3474(|)X 2 f 9 f 3509(=)X 1 f 9 f 3589(y)X 1 f 3695(for)X 3858(all)X 2 f 4011(t)X 1 f 4085(such)X 835 5160(that)N 1059(\()X 2 f 1091(s)X 1 f 1134(,)X 2 f 1169(t)X 1 f 1211(\))X 2 f 10 s 9 f 1270(\316)X 1 f 12 s 0 f 1354(K)X 2 f 9 s 1417 5179(i)N 1 f 12 s 1449 5160(.)N 1541(The)X 0 f 1744(K)X 1 f 1845(relations)X 2276(can)X 2469(be)X 2608(used)X 2853(to)X 
2976(de\256ne)X 3282(the)X 3463(knowledge)X 3971(of)X 4088(each)X 835 5268(player,)N 1174(in)X 1295(the)X 1471(sense)X 1748(that)X 1966(\()X 2 f 1998(s)X 1 f 2041(,)X 2 f 2076(t)X 1 f 2118(\))X 2 f 10 s 9 f 2177(\316)X 1 f 12 s 0 f 2261(K)X 2 f 9 s 2324 5287(i)N 1 f 12 s 2388 5268(iff)N 2514(states)X 2811(\(i.e.,)X 3034(worlds\))X 2 f 3394(s)X 1 f 3470(and)X 2 f 3670(t)X 1 f 3737(are)X 3914(indistin-)X 835 5376(guishable)N 1293(as)X 1421(far)X 1579(as)X 1707(player)X 2 f 2016(i)X 1 f 2077(is)X 2181(concerned.)X 2710(One)X 2921(can)X 3105(also)X 3310(de\256ne)X 3608(a)X 3690(dual)X 3916(operator)X 2 f 835 5484(P)N 9 s 899 5503(i)N 12 s 947 5484(p)N 1 f 1030(as)X 2 f 9 f 1156(~)X 2 f 1225(K)X 9 s 1296 5503(i)N 12 s 9 f 1344 5484(~)N 2 f 1413(p)X 1 f 1496(which)X 1790(can)X 1973(be)X 2103(interpreted)X 2635(as)X 2762(saying)X 3080(that)X 3295(``player)X 2 f 3644(i)X 1 f 3705(thinks)X 4021(that)X 2 f 4236(p)X 1 f 835 5592(is)N 937(possible'')X 1358(\(i.e.,)X 1576(does)X 1799(not)X 1970(know)X 2 f 2236(p)X 1 f 2318(to)X 2430(be)X 2558(false\).)X 200 p %%Page: 200 8 0(ZapfChancery-MediumItalic)xf 0 f 12 s 0 xH 0 xS 0 f 3 f 547 396(-)N 606(200)X 798(-)X 2193(8.)X 2302(Closed)X 2664(System)X 3051(Security)X 3502(Modelling)X 1 f 747 684(Using)N 1046(Kripke)X 1390(structures)X 1885(to)X 2006(de\256ne)X 2312(the)X 2493(modal)X 2801(operators)X 3258(means)X 3585(that)X 3808(they)X 547 792(are,)N 767(formally)X 1187(at)X 1325(least,)X 1613(simply)X 1957(new)X 2187(notation)X 2606(for)X 2777(conventional)X 3390(mathematical)X 547 900(notions,)N 932(and)X 1131(so)X 1256(inherit)X 1594(all)X 1739(the)X 1915(soundness)X 2410(and)X 2609(self-consistency)X 3336(of)X 3449(the)X 3626(underly-)X 547 1008(ing)N 738(theory.)X 1129(It)X 1255(also)X 1481(means)X 1821(that)X 2057(several)X 2425(useful)X 2748(axioms)X 3110(may)X 3349(be)X 3500(derived)X 3880(for)X 547 1116(them,)N 830(such)X 1063(as)X 2 f 892 1440(K)N 9 s 963 1459(i)N 1 f 12 s 9 f 1011 1440(y)N 2 f 9 f 1104(=)X 2 f 1157(>)X 1 
f 2 f 9 f 1242(~)X 2 f 1311(K)X 9 s 1382 1459(i)N 12 s 9 f 1430 1440(~)N 1 f 9 f 1499(y)X 1 f 1756(``Cannot)X 2148(simultaneously)X 2854(know)X 9 f 3120(y)X 1 f 3213(and)X 2 f 9 f 3407(~)X 1 f 9 f 3476(y)X 1 f 3542('')X 2 f 892 1656(K)N 9 s 963 1675(i)N 1 f 12 s 9 f 1011 1656(y)N 2 f 9 f 1104(=)X 2 f 1157(>)X 1 f 9 f 1242(y)X 1 f 1756(``Can)X 2004(only)X 2219(know)X 2485(things)X 2793(that)X 3006(are)X 3177(true'')X 2 f 892 1872(K)N 9 s 963 1891(i)N 1 f 12 s 9 f 1011 1872(y)N 2 f 9 f 1104(=)X 2 f 1157(>)X 1 f 2 f 1242(K)X 9 s 1313 1891(i)N 12 s 1345 1872(K)N 9 s 1416 1891(i)N 1 f 12 s 9 f 1464 1872(y)N 1 f 1756(``If)X 2 f 1894(i)X 1 f 1953(knows)X 9 f 2264(y)X 1 f 2330(,)X 2384(then)X 2614(he)X 2748(knows)X 3059(that)X 3272(he)X 3406(knows)X 3717(it'')X 2 f 9 f 892 2088(~)N 2 f 945(K)X 9 s 1016 2107(i)N 1 f 12 s 9 f 1064 2088(y)N 2 f 9 f 1157(=)X 2 f 1210(>)X 1 f 2 f 1295(K)X 9 s 1366 2107(i)N 12 s 9 f 1414 2088(~)N 2 f 1483(K)X 9 s 1554 2107(i)N 1 f 12 s 9 f 1602 2088(y)N 1 f 1756(``If)X 2 f 1894(i)X 1 f 1953(does)X 2176(not)X 2347(know)X 9 f 2613(y)X 1 f 2679(,)X 2733(he)X 2867(knows)X 3178(that)X 3391(he)X 3525(does)X 3748(not'')X 747 2352(Actually,)N 1188(the)X 1374(case)X 1605(where)X 1920(the)X 0 f 2100(K)X 1 f 2205(are)X 2391(equivalence)X 2955(relations)X 3391(\(i.e.)X 3598(re\257exive,)X 547 2460(transitive,)N 1038(and)X 1236(symmetric\))X 1766(is)X 1872(only)X 2091(one)X 2277(of)X 2388(the)X 2563(cases)X 2828(treated)X 3180(in)X 3300([Kripke63],)X 3836(and)X 547 2568(is)N 654(a)X 739(model)X 1037(for)X 1192(a)X 1277(logic)X 1511(known)X 1841(as)X 1972(S5.)X 2172(In)X 2303(S5,)X 2476(all)X 2622(four)X 2837(of)X 2950(the)X 3127(above)X 3413(listed)X 3691(axioms)X 547 2676(are)N 737(valid.)X 1056(Some)X 1343(work)X 1612(mentioned)X 2127(in)X 2262(this)X 2479(section)X 2835(are)X 3025(based)X 3324(on)X 3476(other)X 3756(logics)X 547 2784(whose)N 854(models)X 1197(do)X 1332(not)X 1508(have)X 1751(equivalence)X 2305(relations,)X 2757(notably)X 3120(the)X 
3296(logic)X 3530(S4)X 3675(used)X 3914(in)X 547 2892([Glasgow89],)N 1161(and)X 1368(KD45)X 1664(used)X 1911(in)X 2040([Moser89].)X 2579(Figure)X 2914(8.1)X 3087(shows)X 3398(how)X 3619(different)X 547 3000(modal)N 866(axioms)X 1226(are)X 1418(tied)X 1636(to)X 1769(properties)X 2269(of)X 2397(the)X 2589(model's)X 0 f 2962(K)X 1 f 3074(relation.)X 3525(\(Note)X 3817(that)X 547 3108(axiom)N 3 f 856(T)X 1 f 966(implies)X 1330(axiom)X 3 f 1638(D)X 1 f 1718(\).)X 1845(Various)X 2233(combinations)X 2864(of)X 2985(these)X 3263(have)X 3515(been)X 3764(given)X 547 3216(conventional)N 1146(names;)X 1497(a)X 1585(partial)X 1921(list)X 2098(is)X 2208(presented)X 2681(in)X 2805(Table)X 3088(8.3.)X 3310(Note)X 3556(that)X 3777(some)X 547 3324(of)N 654(the)X 825(logics)X 1099(can)X 1281(be)X 1409(characterized)X 2037(in)X 2153(several)X 2498(equivalent)X 2993(ways.)X 3019 3687(Valid)N 3283(Axioms)X 595 3741(Logic)N 0 f 1091(K)X 1 f 1181(Properties)X 2856 3795(Basic)N 3433(Implied)X 10 f 547 3807(i)N 559(iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii)X 1 f 595 3915(T)N 1091(re\257exive)X 3 f 2856(K)X 2961(T)X 1 f 3433(D)X 595 4023(D)N 1091(not)X 1262(isolated)X 3 f 2856(K)X 2961(D)X 1 f 595 4131(B)N 1091(re\257exive,)X 1523(symmetric)X 3 f 2856(K)X 2961(T)X 3057(B)X 1 f 3433(D)X 595 4239(S4)N 1091(re\257exive,)X 1523(transitive)X 3 f 2856(K)X 2961(T)X 3057(4)X 1 f 3433(D)X 595 4347(KD45)N 1091(transitive,)X 1578(euclidean,)X 2057(not)X 2228(isolated)X 3 f 2856(K)X 2961(D)X 3068(4)X 3150(5)X 1 f 595 4455(KB4)N 1091(symmetric,)X 1612(transitive)X 3 f 2856(K)X 2961(B)X 3063(4)X 1 f 1091 4563(symmetric,)N 1612(euclidean)X 595 4671(S5)N 1091(re\257exive,)X 1523(transitive,)X 2010(symmetric)X 3 f 2856(K)X 2961(T)X 3057(5)X 1 f 3433(B)X 3529(D)X 3631(4)X 1091 4779(re\257exive,)N 1523(euclidean)X 1091 4887(not)N 1262(isolated,)X 1662(symmetric,)X 2183(transitive)X 1091 4995(not)N 1262(isolated,)X 1662(symmetric,)X 2183(euclidean)X 1079 5352(Table)N 1354(8.3:)X 
1541(Some)X 1809(well-studied)X 2380(varieties)X 2792(of)X 2899(modal)X 3197(logics.)X 201 p %%Page: 201 9 0(ZapfChancery-MediumItalic)xf 0 f 12 s 0 xH 0 xS 0 f 3 f 835 396(8.2.)N 1026 0.3011(Information,)AX 1689(Flow,)X 1990(and)X 2206(Knowledge)X 4008(-)X 4067(201)X 4259(-)X 1 f 1035 684(When)N 1338(the)X 1525(desired)X 1892(modality)X 2324(relates)X 2671(to)X 2799(knowledge,)X 3340(we)X 3506(can)X 3704(interpret)X 4147(the)X 835 792(``states'')N 1214(as)X 1346(``possible)X 1774(worlds'')X 2144(and)X 2345(the)X 2523(relation)X 2904(between)X 3305(states)X 3603(as)X 3734(``indistingui-)X 835 900(shability'',)N 1318(in)X 1435(which)X 1729(case)X 1946(the)X 2119(modal)X 2419(expression)X 2 f 2920(K)X 3015(p)X 1 f 3099(is)X 3203(true)X 3419(in)X 3537(some)X 3792(state)X 2 f 4041(s)X 1 f 4113(iff)X 2 f 4236(p)X 1 f 835 1008(is)N 963(true)X 1203(in)X 1345(all)X 1511(states)X 1829(indistinguishable)X 2655(from)X 2 f 2916(s)X 1 f 2959(,)X 3039(just)X 3261(as)X 3412(Hintikka)X 3867(proposed.)X 835 1116(Clearly,)N 1238(the)X 1434(indistinguishability)X 2359(relation)X 2759(is)X 2887(re\257exive,)X 3345(transitive,)X 3858(and)X 4078(sym-)X 835 1224(metric,)N 1179(and)X 1377(therefore)X 1814(the)X 1989(logic)X 2222(that)X 2439(naturally)X 2885(results)X 3223(from)X 3461(this)X 3662(formulation)X 4216(is)X 835 1332(the)N 1006(S5)X 1146(logic)X 1375(de\256ned)X 1726(above.)X 1035 1488(With)N 1292(these)X 1566(formalities)X 2084(completed,)X 2597(the)X 2778(resulting)X 3217(logic)X 3456(is)X 3568(a)X 3658(useful)X 3968(tool)X 4168(for)X 835 1596(representing)N 1463(and)X 1692(for)X 1877(reasoning)X 2375(about)X 2687(states)X 3014(of)X 3156(knowledge)X 3689(in)X 3839(a)X 3953(system.)X 835 1704([Fagin86])N 1295(contains)X 1702(an)X 1847(excellent)X 2274(discussion)X 2766(of)X 2879(the)X 3056(strengths)X 3514(and)X 3715(limits)X 4006(of)X 4120(this)X 835 1812(representation.)N 1561(It)X 1683(also)X 1904(describes)X 2359(a)X 2457(general)X 2834(model)X 3145(of)X 3270(knowledge)X 
3786(in)X 3920(a)X 4018(multi-)X 835 1920(player)N 1164(system,)X 1551(and)X 1767(explores)X 2184(the)X 2377(variations)X 2875(that)X 3110(result)X 3421(from)X 3678(varying)X 4065(some)X 835 2028(basic)N 1096(assumptions)X 1694(about)X 1980(the)X 2160(system,)X 2534(such)X 2776(as)X 2910(whether)X 3315(it)X 3418(is)X 3529(synchronous)X 4124(and)X 835 2136(whether)N 1258(knowledge,)X 1810(once)X 2062(acquired,)X 2528(is)X 2658(ever)X 2903(forgotten.)X 3415(From)X 3710(this)X 3936(starting)X 835 2244(point)N 1107(logical)X 1435(systems)X 1834(have)X 2088(been)X 2339(created)X 2708(that)X 2936(represent)X 3404(not)X 3590(only)X 3820(knowledge)X 835 2352(but)N 1011(knowledge)X 1509(about)X 1786(what)X 2037(is)X 2139(known)X 2464(\(by)X 2627(oneself)X 2964(and)X 3158(others\))X 3497([Fagin84].)X 1035 2508(Other)N 1349(modal)X 1672(logics)X 1972(can)X 2180(also)X 2409(be)X 2563(created)X 2943(based)X 3250(on)X 3410(a)X 3516(Kripke)X 3877(structure)X 835 2616(model.)N 1184(If)X 1284(a)X 1366(temporal)X 1794(logic)X 2025(is)X 2129(desired,)X 2509(one)X 2693(that)X 2908(permits)X 3280(statements)X 3803(of)X 3911(the)X 4083(form)X 2 f 851 2700 MXY 0 -28 Dl 28 0 Dl 0 28 Dl -28 0 Dl 915 2724(p)N 1 f 1008(\(read,)X 1304(``henceforth)X 2 f 1858(p)X 1 f 1913(''\))X 2023(with)X 2262(the)X 2444(meaning)X 2868(``p)X 3002(is)X 3116(true)X 3342(now)X 3563(and)X 3769(will)X 3973(remain)X 835 2832(true''.)N 1147(In)X 1276(this)X 1478(case,)X 1725(the)X 1900(``states'')X 2276(of)X 2387(the)X 2562(Kripke)X 2900(structure)X 3344(can)X 3529(be)X 3660(interpreted)X 4193(as)X 835 2940(instants)N 1229(in)X 1347(time,)X 1603(and)X 1799(the)X 1972(relation)X 2349(between)X 2746(them)X 3004(as)X 3132(\()X 2 f 3164(s)X 9 s 3207 2959(i)N 1 f 12 s 3239 2940(,)N 2 f 3274(s)X 9 s 3323 2959(j)N 1 f 12 s 3354 2940(\))N 2 f 10 s 9 f 3413(\316)X 1 f 12 s 0 f 3497(K)X 1 f 3590(iff)X 3714(moment)X 2 f 4106(s)X 9 s 4155 2959(j)N 1 f 12 s 4216 2940(is)N 835 3048(at)N 959(or)X 1084(later)X 1329(than)X 2 f 
1571(s)X 9 s 1614 3067(i)N 1 f 12 s 1646 3048(.)N 1734(This)X 1966(relation)X 2348(is)X 2457(clearly)X 2788(re\257exive,)X 3226(transitive,)X 3719(but)X 3901(not)X 4078(sym-)X 835 3156(metric,)N 1179(and)X 1377(so)X 1501(the)X 2 f 1692 3132 MXY 0 -28 Dl 28 0 Dl 0 28 Dl -28 0 Dl 1 f 1787 3156(operator)N 2193(it)X 2291(de\256nes)X 2636(has)X 2824(the)X 2999(properties)X 3482(of)X 3593(an)X 3737(S4)X 3882(logic.)X 4170(Its)X 835 3264(dual)N 1068(operator)X 2 f 1495 3228 MXY 24 -24 Dl 24 24 Dl -24 24 Dl -24 -24 Dl 1 f 1595 3264(\(read)N 1862(``eventually''\))X 2476(then)X 2715(means)X 3040(that)X 2 f 3261(p)X 1 f 3351(is)X 3461(either)X 3761(true)X 3983(now)X 4200(or)X 835 3372(will)N 1027(be)X 1155(true)X 1369(at)X 1486(some)X 1739(future)X 2044(time.)X 1035 3528(It)N 1144(is)X 1252(also)X 1461(possible)X 1848(to)X 1966(create)X 2271(a)X 2358(modal)X 2663(logic)X 2899(without)X 3278(reference)X 3724(to)X 3843(a)X 3930(de\256ning)X 835 3636(structure.)N 1343(For)X 1538(example,)X 1975(we)X 2138(may)X 2367(have)X 2618(a)X 2711(notion)X 3032(of)X 3152(``belief'')X 3512(that)X 3737(is)X 3851(similar)X 4206(to)X 835 3744(knowledge,)N 1364(but)X 1544(differs)X 1860(in)X 1980(that)X 2197(something)X 2690(we)X 2844(believe)X 3183(may)X 3403(turn)X 3632(out)X 3807(to)X 3923(be)X 4056(false.)X 835 3852(A)N 951(logic)X 1200(could)X 1482(be)X 1630(designed)X 2068(by)X 2219(starting)X 2621(with)X 2869(an)X 3028(S5-type)X 3410(knowledge)X 3927(logic,)X 4202(in)X 835 3960(which)N 1129(all)X 1270(of)X 3 f 1378(K)X 1 f 1456(,)X 3 f 1511(D)X 1 f 1591(,)X 3 f 1646(T)X 1 f 1715(,)X 3 f 1770(4)X 1 f 1825(,)X 3 f 1880(B)X 1 f 1955(,)X 2010(and)X 3 f 2205(5)X 1 f 2288(are)X 2461(valid,)X 2736(renaming)X 3193(the)X 3366(modal)X 3666(operator)X 2 f 4070(B)X 1 f 4168(for)X 835 4068(belief,)N 1145(and)X 1354(removing)X 1810(the)X 1995(axiom)X 3 f 2303(T:)X 2 f 2440(B)X 2533(p)X 1 f 2 f 9 f 2623(=)X 2 f 2676(>)X 1 f 2 f 2761(p)X 1 f 2857(so)X 2991(that)X 3218(belief)X 3500(no)X 3648(longer)X 
3968(implies)X 835 4176(truth.)N 1177(However,)X 1650(without)X 2048(the)X 2245(Kripke)X 2606(structure)X 3073(as)X 3224(a)X 3331(guide)X 3628(it)X 3749(may)X 3992(not)X 4190(be)X 835 4284(apparent)N 1279(that)X 1506(the)X 1690(original)X 2074(set)X 2244(were)X 2498(not)X 2682(independent.)X 3329(In)X 3467(fact,)X 3 f 3699(T)X 1 f 3808(is)X 3923(a)X 4016(conse-)X 835 4392(quence)N 1173(of)X 3 f 1281(B)X 1 f 1356(,)X 3 f 1411(4)X 1 f 1466(,)X 1522(and)X 3 f 1718(D)X 1 f 1798(,)X 1854(or)X 1974(alternately)X 2492(of)X 3 f 2601(B)X 1 f 2676(,)X 3 f 2732(4)X 1 f 2787(,)X 2843(and)X 3 f
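The Kripke semantics of K_i, the four axioms listed above and the correspondence between axioms and 𝒦-relation properties in Table 8.3, worked through in code. This is an added example and not code from the thesis; the tuple encoding of formulas, the Kripke class, the function names, the three-state frames EQUIV and LATER and the two sets of runs LEAKY and MASKED are all constructed here for illustration. The last function applies the knowledge-as-indistinguishability reading to a system: a world is a run carrying a secret and a visible output, the observer's relation joins runs with equal visible output, and the observer knows the secret in exactly those runs whose visible output is not shared by a run with a different secret.

```python
"""Finite Kripke structures, the K_i operator and frame-property checks.
Added example, not code from the thesis; every state, valuation, relation
and run below is constructed for illustration."""
from itertools import product

# Formulas are nested tuples: ('p', name) | ('not', f) | ('imp', f, g) | ('K', i, f)
def P(name): return ('p', name)
def NOT(f): return ('not', f)
def IMP(f, g): return ('imp', f, g)
def K(i, f): return ('K', i, f)   # K_i f: "player i knows f"


class Kripke:
    """M = (S, pi, K_1, ..., K_n), S finite.  pi maps a state to the set of
    primitive propositions true there; relations maps player i to the set of
    (s, t) pairs making up the relation K_i."""

    def __init__(self, states, pi, relations):
        self.S = frozenset(states)
        self.pi = {s: frozenset(pi.get(s, ())) for s in self.S}
        self.R = {i: frozenset(r) for i, r in relations.items()}

    def sat(self, s, f):
        """M, s |= f, by structural recursion on the formula."""
        op = f[0]
        if op == 'p':
            return f[1] in self.pi[s]
        if op == 'not':
            return not self.sat(s, f[1])
        if op == 'imp':
            return (not self.sat(s, f[1])) or self.sat(s, f[2])
        if op == 'K':   # K_i g holds at s iff g holds at every t with (s, t) in K_i
            i, g = f[1], f[2]
            return all(self.sat(t, g) for (u, t) in self.R[i] if u == s)
        raise ValueError(f"unknown operator {op!r}")

    def valid(self, f):
        """f is satisfied in every state of M."""
        return all(self.sat(s, f) for s in self.S)


# Axiom schemas of Table 8.3, instantiated for one proposition p and player i.
p = P('p')
AXIOMS = {
    'D': lambda i: IMP(K(i, p), NOT(K(i, NOT(p)))),         # K p => ~K ~p
    'T': lambda i: IMP(K(i, p), p),                        # K p => p
    '4': lambda i: IMP(K(i, p), K(i, K(i, p))),            # K p => K K p
    'B': lambda i: IMP(p, K(i, NOT(K(i, NOT(p))))),        # p => K ~K ~p
    '5': lambda i: IMP(NOT(K(i, p)), K(i, NOT(K(i, p)))),  # ~K p => K ~K p
}

def frame_valid(states, relation, axiom, player='i'):
    """True iff the schema holds on the frame (S, K_i) under every valuation
    of p; each schema mentions only p, so the 2^|S| valuations are exhaustive."""
    states = list(states)
    for bits in product([False, True], repeat=len(states)):
        pi = {s: {'p'} for s, b in zip(states, bits) if b}
        if not Kripke(states, pi, {player: relation}).valid(AXIOMS[axiom](player)):
            return False
    return True

def valid_axioms(states, relation):
    """Names of the Table 8.3 axioms valid on the frame (S, relation)."""
    return {a for a in AXIOMS if frame_valid(states, relation, a)}

def relation_properties(states, relation):
    """The K-relation properties of Table 8.3; 'not isolated' is read as
    'every state is related to at least one state' (seriality)."""
    R = set(relation)
    return {
        'reflexive':    all((s, s) in R for s in states),
        'symmetric':    all((t, s) in R for (s, t) in R),
        'transitive':   all((s, u) in R for (s, t) in R for (t2, u) in R if t2 == t),
        'euclidean':    all((t, u) in R for (s, t) in R for (s2, u) in R if s2 == s),
        'not isolated': all(any(u == s for (u, _) in R) for s in states),
    }

# Constructed frames: an equivalence relation (the S5 case) and the temporal
# "at or later than" order from the text (reflexive, transitive, not symmetric).
STATES = ['s0', 's1', 's2']
EQUIV = {(a, b) for a in STATES for b in STATES}
LATER = {(a, b) for a in STATES for b in STATES if a <= b}

def observer_knows_secret(runs):
    """Knowledge as indistinguishability: each world is a run (secret, visible)
    and the observer relates runs with equal visible output.  Returns the
    worlds w in which K_obs(secret = the secret of w) holds."""
    indist = {(w, u) for w in runs for u in runs if runs[w][1] == runs[u][1]}
    pi = {w: {f'secret={runs[w][0]}'} for w in runs}
    M = Kripke(runs, pi, {'obs': indist})
    return {w for w in runs if M.sat(w, K('obs', P(f'secret={runs[w][0]}')))}

# Constructed runs: visible output depends on the secret vs. is the same in every run.
LEAKY = {'w0': (0, 'out=a'), 'w1': (1, 'out=b')}
MASKED = {'w0': (0, 'out=a'), 'w1': (1, 'out=a')}
```

Calling valid_axioms(STATES, EQUIV) returns all of D, T, 4, B and 5, as Table 8.3 gives for S5, while valid_axioms(STATES, LATER) returns only D, T and 4: the temporal order is reflexive and transitive but neither symmetric nor euclidean, so B and 5 fail, which is the S4 case the text describes. frame_valid checks a schema under every valuation of p rather than under one, because an axiom's validity is a property of the frame, not of a particular truth assignment. observer_knows_secret(LEAKY) reports both runs, since each visible output pins down the secret, whereas observer_knows_secret(MASKED) reports none: with a visible output common to both runs the observer cannot rule either world out.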