Information Erasure: An Information-Flow Approach to Semantics and Enforcement

University dissertation from Chalmers University of Technology

Abstract: Many modern online services require sensitive data to complete their tasks. For this reason, guaranteeing security policies in such services is a major concern. The traditional (and well-studied) aspects of security, namely confidentiality, integrity, and availability of data, capture many but not all desirable policies involving sensitive data. In this thesis we study an important but less-studied aspect of security, namely information erasure. In more detail, this work presents an information-flow approach to information erasure that addresses both its formal semantics and an enforcement mechanism. Our results in the formalization of information erasure are twofold. On one hand, we present a novel information-flow framework to express quantitative and conditional erasure policies. The framework is equipped with a knowledge-based notion of erasure policies that takes into account both the semantics of the system enforcing erasure and the observational power of the attacker. On the other hand, we show how to include an explicit model of the user who provides secrets to the system that is to perform erasure. By doing so we are able to provide guarantees for erasure policies as long as the user's behaviour stays within certain well-defined bounds. The thesis also presents a concrete implementation of an enforcement mechanism as a library in Python. The library allows programmers to embed expressive erasure policies (involving arbitrary conditions over resources of the runtime environment that determine when erasure is performed, as well as time-based policies). The library supports policy annotations that do not require changes to the runtime system and adapt smoothly to existing applications.
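As an added illustration (constructed here, not code from the dissertation or from its Python library), the following sketch shows what policy annotations of the kind the abstract describes could look like: a decorator ties a secret to a conditional and a time-based erasure policy, every access re-checks the policy, and a knowledge-style check asks whether an observer inspecting the object after the erasure point can still learn the secret. All names (`erase_when`, `Runtime`, `Secret`, `ErasurePolicy`), the fake clock and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class FakeClock:
    """Controllable clock so the time-based policy runs deterministically offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Runtime:
    """Hypothetical stand-in for the runtime resources an erasure condition may inspect."""
    clock: FakeClock
    env: Dict[str, object] = field(default_factory=dict)


@dataclass
class ErasurePolicy:
    """Erase once condition(env) holds, or once ttl seconds have passed since creation."""
    condition: Optional[Callable[[Dict[str, object]], bool]] = None
    ttl: Optional[float] = None


ERASED = "<erased>"


class Secret:
    """A value bound to an erasure policy; the policy is re-checked on every access."""

    def __init__(self, value: str, policy: ErasurePolicy, rt: Runtime) -> None:
        self._value: str = value
        self._policy = policy
        self._rt = rt
        self._created = rt.clock.now
        self.erased = False

    def _due(self) -> bool:
        p, rt = self._policy, self._rt
        if p.ttl is not None and rt.clock.now - self._created >= p.ttl:
            return True
        return bool(p.condition and p.condition(rt.env))

    def erase(self) -> None:
        self._value = ERASED  # drop the only reference this object holds to the plaintext
        self.erased = True

    def check(self) -> None:
        if not self.erased and self._due():
            self.erase()

    def get(self) -> str:
        self.check()
        return self._value

    def __repr__(self) -> str:  # what an observer inspecting the object would see
        self.check()
        return f"Secret({self._value!r})"


def erase_when(rt: Runtime, condition=None, ttl=None):
    """Annotation for a function that produces a secret: wraps its result in the policy.
    Only the annotated function changes; the runtime itself is untouched."""
    policy = ErasurePolicy(condition, ttl)

    def decorate(fn):
        def wrapper(*args, **kwargs):
            return Secret(fn(*args, **kwargs), policy, rt)
        return wrapper
    return decorate


def observer_learns(observations: List[str], secret: str) -> bool:
    """Knowledge-style check: does any of the observations reveal the secret?"""
    return any(secret in o for o in observations)


def checkout_demo() -> Dict[str, object]:
    """Conditional erasure: a card number is usable until payment is confirmed, then erased."""
    rt = Runtime(FakeClock())
    card_number = "4111111111111111"  # constructed sample value, not a real card

    @erase_when(rt, condition=lambda env: env.get("payment_confirmed", False), ttl=60.0)
    def read_card_number() -> str:
        return card_number

    card = read_card_number()
    before = [repr(card)]  # observations while the secret is legitimately in use
    used = card.get() == card_number
    rt.env["payment_confirmed"] = True  # the erasure condition now holds
    after = [repr(card), card.get()]  # observations after the erasure point
    return {
        "used": used,
        "leak_before": observer_learns(before, card_number),
        "leak_after": observer_learns(after, card_number),
        "erased": card.erased,
    }


def timeout_demo() -> Dict[str, object]:
    """Time-based erasure: a token is erased 60 s after creation even if no condition ever holds."""
    rt = Runtime(FakeClock())
    token = "tok-constructed-0001"  # constructed sample value

    @erase_when(rt, ttl=60.0)
    def issue_token() -> str:
        return token

    t = issue_token()
    rt.clock.advance(59.0)
    still_available = t.get() == token
    rt.clock.advance(1.0)
    return {"available_at_59s": still_available, "value_at_60s": t.get(), "erased": t.erased}
```

The design point is that the policy travels with the value rather than with the runtime: the decorator is the only thing an application author adds, and the observer check is what an erasure guarantee is ultimately about, namely that observations made after the erasure point carry no knowledge of the secret.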
