A Semantic Hierarchy for Erasure Policies
Paper in proceedings, 2011
We consider the problem of logical data erasure, contrasting with physical erasure in the same way that end-to-end information ﬂow control contrasts with access control. We present a semantic hierarchy for erasure policies, using a possibilistic knowledge-based semantics to deﬁne policy satisfaction such that there is an intuitively clear upper bound on what information an erasure policy permits to be retained. Our hierarchy allows a rich class of erasure policies to be expressed, taking account of the power of the attacker, how much information may be retained, and under what conditions it may be retained. While our main aim is to specify erasure policies, the semantic framework allows quite general information-ﬂow policies to be formulated for a variety of semantic notions of secrecy.