Information flow (information theory)

Information flow in an information theoretical context is the transfer of information from a variable x to a variable y in a given process. Not all flows may be desirable; for example, a system should not leak any secret (partially or not) to public observers.

Securing the data manipulated by computing systems has been a challenge in the past years. Several methods to limit the information disclosure exist today, such as access control lists, firewalls, and cryptography. However, although these methods do impose limits on the information that is released by a system, they provide no guarantees about information propagation. For example, access control lists of file systems prevent unauthorized file access, but they do not control how the data is used afterwards. Similarly, cryptography provides a means to exchange information privately across a non-secure channel, but no guarantees about the confidentiality of the data are given once it is decrypted.

In low-level information flow analysis, each variable is usually assigned a security level. The basic model comprises two distinct levels: low and high, meaning, respectively, publicly observable information, and secret information. To ensure confidentiality, flowing information from high to low variables should not be allowed. On the other hand, to ensure integrity, flows to high variables should be restricted. More generally, the security levels can be viewed as a lattice with information flowing only upwards in the lattice.
For example, considering two security levels L and H (low and high), if L ≤ H, flows from L to L, from H to H, and L to H would be allowed, while flows from H to L would not.
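
The lattice rule above can be checked mechanically. The following is an added example, not code from the original article: it labels each variable with a security level and rejects any assignment whose source data, joined in the lattice, does not flow upwards to the target. It covers only direct assignments, it accepts any finite lattice rather than just L and H, and the names `Lattice`, `check_assignments`, the variable names and the sample program are all constructed for illustration.

```python
from functools import reduce

class Lattice:
    """Finite security lattice built from pairs (lower, upper)."""

    def __init__(self, levels, order):
        self.levels = set(levels)
        # above[a] = every level b with a <= b (reflexive, transitive closure)
        self.above = {a: {a} for a in self.levels}
        changed = True
        while changed:
            changed = False
            for lo, hi in order:
                for a in self.levels:
                    if lo in self.above[a] and not self.above[hi] <= self.above[a]:
                        self.above[a] |= self.above[hi]
                        changed = True

    def flows_to(self, src, dst):
        """True when data at level src may flow to a variable at level dst."""
        return dst in self.above[src]

    def join(self, a, b):
        """Least upper bound: the lowest level both a and b may flow to."""
        uppers = self.above[a] & self.above[b]
        least = [u for u in uppers if all(self.flows_to(u, v) for v in uppers)]
        if len(least) != 1:
            raise ValueError(f"no least upper bound for {a} and {b}")
        return least[0]

def check_assignments(lattice, labels, program):
    """Return (target, data_level, target_level) for each downward flow."""
    violations = []
    for target, sources in program:
        if not sources:  # a constant carries no labelled information
            continue
        data_level = reduce(lattice.join, (labels[s] for s in sources))
        if not lattice.flows_to(data_level, labels[target]):
            violations.append((target, data_level, labels[target]))
    return violations

# Constructed sample: the two levels from the text, with L <= H.
TWO_LEVEL = Lattice({"L", "H"}, [("L", "H")])
LABELS = {"l": "L", "l2": "L", "h": "H", "h2": "H"}
PROGRAM = [("l2", ["l"]), ("h2", ["h"]), ("h", ["l"]),   # L->L, H->H, L->H
           ("h2", ["h", "l"]), ("l", ["h"]), ("l2", ["l", "h"])]

if __name__ == "__main__":
    for v in check_assignments(TWO_LEVEL, LABELS, PROGRAM):
        print("rejected: %s receives %s data but is labelled %s" % v)
```

Mixing a low and a high source yields high data, so the last assignment in the sample is rejected even though one of its inputs is public.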
