Security and “Information Flow”

From the beginning of the Information “era” the Security disciplines already had the hierarchical imprint that is now current, centring it around the protection of “informational assets.” Although not directly relevant to the subject of Erlang Security, I want to quote here a paper by Bhavani Thuraisingham (MITRE Corporation) published in 1993 by the ACM. The paper, titled “Secure Computing with the Actor Paradigm” describes the model of computation called the “actor model” with the apparent aim of presenting the Security aspects of the model.

It is symptomatic from the start of the paper that the author assumes that the “roots” of the actor model are “in the programming language Simula” –an assumption that tells us a lot about the implicit philosophy here at work: one where a language can be at the root of another. I fear that the author missed completely the fact that the actor model (especially after the work of Carl Hewitt in the 70’s) is based on a mathematical theory of interaction and not on any particular language. Thuraisingham gives almost all credit for the actor model to one of Hewitt’s students (Gul Agha) who in fact developed his own interpretation of the model. Part of the misunderstanding also leads Mr Thuraisingham to assume that the actor model presupposes that every “actor” should have a “mail address” and a “mail queue” – which, as far as I know, are *not* part of Hewitt’s model.  In the way the author describes the actor model there would be no difference from the object-oriented model.

These aspects are important but here I want to point to an old prejudice that has caused a lot of damage not only in software development but in Security in general, which is the traditional idea of “information flow.” As presented by Thuraisingham, a key question for the development of a Security approach is “how should computation proceed in such a model so that there is no information flow from a higher level to a lower level?”

We see there the old paradigm of “information flow” as precisely aligned with the assumption that there are “levels” of security, some of which are “higher” than others. The problem is not that there are no such levels (that is something obvious) but the intrinsic assumption that the security risk lies in the “flow” of information (for example variable values) from a “high level” to a “low level.”

The case is that the assumptions of high and low levels are fundamentally extraneous to the definition of a Security mechanism, for which it is only necessary to define, establish, enforce and verify a Security Policy. In reality, in any interaction, information flows in both directions (if we assume two participants) or in many (if we assume many linked entities). An acceptable (or agreed) state of security is one where information is exchanged according agreed, common or standard policies *independently* of what nodes or entities have higher or lower security requirements.

It is not only a prejudice but a historical limitation to continue speaking about Security as if only the “high” levels (some unassailable elite perhaps?) is the only Security-interested party and where the “low” levels are some sort of rabble or just “potential attackers” who are better kept in check.  I ask myself: When are we going to free Security from the attack-defence paradigm and understand that for every risk component there is a trust counterpart? When will we understand that for every user access to information there is also a counter-flow of information from the user to the service which also requires a Security policy?

(The paper commented can be found here: )