This is an interesting topic that came up during my study for the CISSP. I’m going to discuss polyinstantiation in the context of preventing inference attacks on a dataset. The term has a second, more technical meaning in operating systems (giving separate users or processes their own instance of a shared resource so they cannot interfere through it), but I’d like to focus on the former here, since it gets far less attention. Polyinstantiation is an incredibly effective security measure, but it must be executed with extreme care.
The Nuclear Transport Scenario
Imagine for a second that you are a key officer within the United States Department of Energy. Consider the recent strike on Qasem Soleimani and Iran’s retaliation against Ain al-Asad air base and Erbil in Iraq. You have been ordered by a superior to transport a nuclear weapon to the region for staging, but in the context of recent developments this movement raises concerns about inference attacks. If less-cleared personnel see a weapon deallocated (-1) from a key United States location and then added to the record for a Middle Eastern location (+1), they may be able to figure out what is happening. Through inference and aggregation they might determine not only what is being moved, but the path the weapon is taking, and from there what the potential targets could be.
This idea might seem far-fetched, but it is in fact very real. If a spy with limited clearance exists within an organization, these types of attacks are a common means of acquiring information. Even without a spy, careless users and their social media accounts can get ordinary organizations into a lot of trouble.
Most of us Aren’t Transporting Nuclear Weapons
If we step away from the shock and awe of nuclear weapons, we can put this in the context of more common, civilian organizations. Consider that your company is about to release a hot new product and wants to prevent competitors from developing similar items while the product is still associated with the brand (for example, Apple AirPods). Just as with nuclear weapons movement, other companies acquiring information about spending on certain materials or liquidation of old products could infer that a new release is coming, what is being released, or even the engineering behind it. When a company is moving product or currency of any significance, it can be shockingly easy to draw conclusions.
Combating Inference and Aggregation
The situation above is termed an “inference attack”; when the leak comes from combining many individually harmless facts into a sensitive whole, it is also called “aggregation.” This is where we can apply the titled method as a solution. When you have a database, a variety of different people must retain access. Just as administrators must often be able to view all network media (this is how Edward Snowden was able to acquire information at the NSA), there are many database personnel, from custodians to users, who will have a considerable amount of access. If we simply redact a tuple, we quite literally point a finger at the critical information: the missing or blanked row is itself a signal. While a user might not be able to ascertain the classified data directly, a user who works with the dataset regularly can probably derive a good deal without knowing exactly what the tuple contains.
It doesn’t really matter how the underlying data is conceived; the fact that it is redacted is enough to attract interest. So how can we combat this effect? We have to lie to our users. In database terms, polyinstantiation means keeping more than one tuple for the same primary key, each labelled with a classification level: a low-cleared user sees a plausible cover story, a cleared user sees the real row, and neither sees a hole. While it may be unfortunate, it also may be a necessary evil. Moreover, it must be done with extreme care and scrupulous diligence. The cover data is most likely still actionable, and the small group cleared for the real information must take enormous effort to ensure the lie has as minimal an effect on day-to-day operations as possible. Proper risk analysis is key.
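To make the mechanism concrete, here is an added example (not code from the original post) of a polyinstantiated inventory table in SQLite, using the discontinued-product figures discussed in the next section. The table, column and level names and all sample rows are assumptions constructed for the example. The security label is part of the primary key, so the same (sku, location) pair can hold both a public cover story and a secret truth; a reader’s view returns the highest-labelled tuple at or below their clearance, and a stock movement performed at the secret level never touches the public tuple, so the -1/+1 pattern stays invisible below that level.

```python
"""Polyinstantiated inventory table in SQLite.

Added illustration, not code from the original post. Table, column and
level names and all sample rows are assumptions constructed for the example.
"""
import sqlite3

# Sensitivity levels in increasing order. A reader cleared to level k may
# see tuples labelled <= k and nothing above.
PUBLIC, SECRET = 0, 1

# Constructed sample data: the true state of the world, each fact carrying
# its classification. The real stock of the product being discontinued is
# SECRET; the other product's stock is PUBLIC.
TRUE_ROWS = [
    # (sku, location, quantity, level)
    ("SKU-100", "warehouse-A", 500, SECRET),
    ("SKU-200", "warehouse-A", 250, PUBLIC),
]

# Polyinstantiated version: the same (sku, location) key appears a second
# time at PUBLIC level carrying the cover story (10k units still in stock).
POLY_ROWS = TRUE_ROWS + [("SKU-100", "warehouse-A", 10000, PUBLIC)]


def open_db(rows):
    """Create an in-memory inventory table holding `rows`."""
    conn = sqlite3.connect(":memory:")
    # The label is part of the primary key: that is what allows one logical
    # row to exist once per classification level.
    conn.execute(
        """CREATE TABLE inventory (
               sku      TEXT    NOT NULL,
               location TEXT    NOT NULL,
               quantity INTEGER NOT NULL,
               level    INTEGER NOT NULL,
               PRIMARY KEY (sku, location, level))"""
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def view(conn, clearance):
    """What a reader cleared to `clearance` sees: for each (sku, location),
    the tuple with the highest level not above the clearance.
    Returns {(sku, location): quantity}."""
    rows = conn.execute(
        """SELECT sku, location, quantity
           FROM inventory AS i
           WHERE level = (SELECT MAX(level) FROM inventory
                          WHERE sku = i.sku AND location = i.location
                            AND level <= ?)""",
        (clearance,),
    ).fetchall()
    return {(sku, loc): qty for sku, loc, qty in rows}


def move_stock(conn, sku, src, dst, qty, level):
    """Move `qty` units of `sku` from `src` to `dst`, touching only the
    tuples labelled `level`. Tuples at other levels (the cover story) are
    left alone, so the -1/+1 pattern is invisible to readers below `level`.
    Raises ValueError if `src` has no tuple at that level or too few units."""
    cur = conn.execute(
        "UPDATE inventory SET quantity = quantity - ? "
        "WHERE sku = ? AND location = ? AND level = ? AND quantity >= ?",
        (qty, sku, src, level, qty),
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise ValueError("no tuple at this level or insufficient stock")
    cur = conn.execute(
        "UPDATE inventory SET quantity = quantity + ? "
        "WHERE sku = ? AND location = ? AND level = ?",
        (qty, sku, dst, level),
    )
    if cur.rowcount == 0:  # destination had no tuple at this level yet
        conn.execute("INSERT INTO inventory VALUES (?, ?, ?, ?)",
                     (sku, dst, qty, level))
    conn.commit()


if __name__ == "__main__":
    redacted = open_db(TRUE_ROWS)   # classified rows simply hidden
    poly = open_db(POLY_ROWS)       # classified rows covered by a lie
    print("redacted, PUBLIC:", view(redacted, PUBLIC))   # SKU-100 missing
    print("poly,     PUBLIC:", view(poly, PUBLIC))       # SKU-100 -> 10000
    print("poly,     SECRET:", view(poly, SECRET))       # SKU-100 -> 500
    move_stock(poly, "SKU-100", "warehouse-A", "warehouse-B", 100, SECRET)
    print("after move, PUBLIC:", view(poly, PUBLIC))     # unchanged
    print("after move, SECRET:", view(poly, SECRET))     # A=400, B=100
```

Run against the plain table, a public reader gets no row at all for SKU-100, which is exactly the gap the post warns about: anyone who knows the product exists can see that its stock is hidden. Against the polyinstantiated table the same reader gets 10000 and has no reason to look further, while a secret reader gets 500 and, after the move, 400 and 100 in the two warehouses. Two caveats a practitioner would want: the cover tuple is a lie that somebody has to keep plausible (the `view` function hides it from secret readers, so maintaining it needs its own workflow), and in this sketch the label check lives in application SQL; a real multilevel-secure DBMS enforces the labels inside the engine so that no query path can bypass them.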
Preventing Residual Adversity
When a group decides to take the special action of creating a duplicate instance within a dataset, restricted to a very specific group of cleared individuals, some important considerations must be put on the table. Say a business shows it has 10k units stocked for shipment, but the real figure is only 500 because the product is being discontinued ahead of a new launch. Anyone who plans against the cover figure (purchasing, logistics, sales) is acting on false data, so we could see some real problems. The group must therefore either accept the risk of over-purchasing, mitigate it through some technical means, or transfer it by some other technique. Risk avoidance is not an option here, and a lack of risk management will very likely result in some expensive issues.
While this discussion is intentionally high-level, the important takeaway is that although polyinstantiation is one of the strongest defenses against inference attacks on intelligence, it must also be used with extreme caution. By implementing it, we prevent people from surmising the data behind a black hole in a dataset. If we perform good risk management and weigh the relevant outcomes, polyinstantiation can be a vital technique for the executive toolbelt.