A Cut Principle for Information Flow
This work addresses security and privacy in distributed systems by providing formal guarantees for information flow, though it appears incremental as it builds on existing cut principles with new blur operators.
The paper tackles the problem of information flow in distributed systems by proving a cut principle: if there is no disclosure from a source to a cut set of channels, then there is no disclosure to a sink, and extends this with blur operators for partial disclosure. The result includes a compositional principle for systems with limited disclosure.
We view a distributed system as a graph of active locations with unidirectional channels between them, through which they pass messages. In this context, the graph structure of a system constrains the propagation of information through it. Suppose a set of channels is a cut set between an information source and a potential sink. We prove that, if there is no disclosure from the source to the cut set, then there can be no disclosure to the sink. We introduce a new formalization of partial disclosure, called *blur operators*, and show that the same cut property is preserved for disclosure to within a blur operator. This cut-blur property also implies a compositional principle, which ensures limited disclosure for a class of systems that differ only beyond the cut.