A Metadata Calculus for Securing Information Flows

Traditional approaches to information sharing use a highly conservative approach to deduce the meta- data for an output object x derived from input ob- jects y1, y2, ···, yn (e.g.: maximum over the se- curity labels of all input objects). Such approaches does not account for functions that explicitly down- grade the value of an object. Consequently, the se- curity labels in traditional approaches tend to mono- tonically increase as newer objects are derived from existing ones. In this paper we present a novel meta- data calculus for securing information flows. The metadata calculus defines a metadata vector space that supports a time varying value function that is computed as a function of the object's metadata and operators + and · to compute the metadata of an output object that is derived by downgrad- ing, transforming or fusing other objects. We also describe a concrete realization of our metadata cal- culus wherein the tightness of our value estimates competes in an optimization problem. We present several tradeoffs with space and accuracy and ex- plore a spectrum of solutions ranging from conser- vative to risk-based value estimates.