The notion of distributed knowledge is used to express what a group of agents would know if they were to combine their information. The paper considers the application of this notion to systems in which there are constraints on how an agent's actions may cause changes to another agent's observations. Intuitively, in such a setting, one would like anything an agent knows about other agents to be distributed knowledge to the agents that can causally affect it. In prior work, we have argued that the definition of intransitive noninterference, a notion of causality used in the literature on computer security, is flawed because it fails to satisfy this property, and have proposed alternate definitions of causality that we have shown to be better behaved with respect to the theory of intransitive noninterference. In this paper we refine this understanding, and show that in order for the converse of the property to hold, one also needs a novel notion of distributed knowledge, as well as a new notion of what it means for a proposition to be "about" other agents.