Towards Information Flow Properties for Distributed Systems

Martinelli F; Matteucci I
2009

Abstract

In this paper we present a framework for the specification of information flow properties for distributed systems. We consider partially specified distributed systems in which several unspecified components are located in different places. As a case study, we consider the notion of Non Deducibility on Composition, NDC for short, originally proposed for nondeterministic systems and based on trace semantics. We study how this information flow property can be extended to deal also with distributed, partially specified systems. In particular, we adapt the NDC property to distributed systems by distinguishing between two different approaches. The first we call centralized NDC, according to which there is just one unspecified global component that has complete control of the n distributed locations where interaction occurs between the system and the unspecified component. The second is called distributed (decentralized) NDC, according to which there is one unspecified component for each distributed location, and the n unspecified components are completely independent, i.e., they cannot coordinate or cooperate with each other. Surprisingly enough, we prove that centralized NDC is exactly as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non Deducibility on Composition, BNDC for short, the situation is completely different. Indeed, we prove that centralized BNDC is strictly finer than decentralized BNDC, hence proving the expected fact that a system that can resist coordinated attacks is also able to resist the simpler attacks performed by independent entities.
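As an added gloss on the abstract (not part of the repository record or of the paper's text), the two properties being compared, in the standard Focardi and Gorrieri formulation: $H$ is the set of high-level (confidential) actions, $E \setminus H$ is $E$ restricted from performing any action in $H$, $\mathcal{E}_H$ is the set of processes whose actions all lie in $H$, $\approx_T$ is trace equivalence and $\approx_B$ is weak bisimulation equivalence.

\[
E \in \mathrm{NDC} \iff \forall \Pi \in \mathcal{E}_H:\ (E \,|\, \Pi) \setminus H \ \approx_T\ E \setminus H
\]
\[
E \in \mathrm{BNDC} \iff \forall \Pi \in \mathcal{E}_H:\ (E \,|\, \Pi) \setminus H \ \approx_B\ E \setminus H
\]

The centralized variants described in the abstract quantify over a single high-level process $\Pi$ that interacts with the system at all $n$ locations; the distributed variants quantify over $n$ independent high-level processes $\Pi_1, \dots, \Pi_n$, one per location, composed with the system in parallel. Because $\approx_B$ is strictly finer than $\approx_T$, BNDC implies NDC. Read together, the abstract's two results say that the extra power a coordinated attacker has over $n$ independent ones is invisible at the level of traces and only shows up under bisimulation.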
Istituto di informatica e telematica - IIT
information flow properties
nondeducibility
distributed systems
bisimulation
contexts
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/24830
Citations
  • PubMed Central: not available
  • Scopus: not available
  • Web of Science (ISI): not available