Security Properties as Nested Causal Statements. (arXiv:2104.00872v1 [cs.AI])

Thinking in terms of causality helps us structure how different parts of a
system depend on each other, and how interventions on one part of a system may
result in changes to other parts. Therefore, formal models of causality are an
attractive tool for reasoning about security, which concerns itself with
safeguarding properties of a system against interventions that may be
malicious. As we show, many security properties are naturally expressed as
nested causal statements: not only do we consider what caused a particular
undesirable effect, but we also consider what caused this causal relationship
itself to hold. We present a natural way to extend the Halpern-Pearl (HP)
framework for causality to capture such nested causal statements. This
extension adds expressivity, enabling the HP framework to distinguish between
causal scenarios that it could not previously naturally tell apart. We moreover
revisit some design decisions of the HP framework that were made with
non-nested causal statements in mind, such as the choice to treat specific
values of causal variables as opposed to the variables themselves as causes,
and may no longer be appropriate for nested ones.