CONCEPT Cited by 1 source
Policy lattice (Denning)¶
Definition¶
A policy lattice is the formal mathematical structure used by information flow control systems to decide whether a given flow of data from source to sink is permitted. Each annotation (security label) is an element of a partially ordered set in which every pair of elements has a join and a meet: the lattice. A flow from a source labelled A to a sink labelled B is permitted only if A ⊑ B, i.e. the sink's label dominates the source's (equivalently, A ⊔ B = B). The sink may carry more constraints than the source but never fewer, so nothing attached to the data is lost along the way.
Introduced in Dorothy E. Denning, "A lattice model of secure information flow" (Communications of the ACM, 1976) — dl.acm.org/doi/10.1145/360051.360056 — the foundational paper Meta's 2024-08-31 PAI post cites explicitly.
Why a lattice¶
A lattice (not just a partial order) means every pair of labels has a well-defined least upper bound (join) and greatest lower bound (meet). In privacy terms, this makes it tractable to reason about what happens when data under label A and data under label B are combined in the same computation: the result must be tagged with the join of A and B, the least label that both A and B may flow into, so no constraint from either input is dropped. Without this property, label combination is ambiguous (two incomparable candidate labels, or none at all) and runtime enforcement becomes inconsistent.
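The flow rule from the definition and the join/meet reasoning above, as an added example (not code from the page, the paper, or Meta). It builds a generic finite lattice checker, instantiates it with a constructed Denning-style product lattice of (level, category set) labels, and shows a partial order that is not a lattice, where `join` has no unique answer. The level names and categories are assumptions chosen for illustration.

```python
"""Finite policy lattice in Denning's sense: labels under a dominance relation ⊑
("may flow to") where every pair has a unique join (least upper bound) and meet
(greatest lower bound). Added example; labels and categories are constructed."""
from itertools import combinations, product

LEVELS = ("public", "internal", "confidential")   # constructed, totally ordered
CATEGORIES = ("health", "location")               # constructed category set
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def dominates(a, b):
    """a ⊑ b (a may flow to b): level does not decrease and no category is dropped."""
    (la, ca), (lb, cb) = a, b
    return RANK[la] <= RANK[lb] and ca <= cb


class PolicyLattice:
    """Generic finite lattice over `labels` with order predicate `leq`.
    Construction fails if `leq` is not a partial order or a pair lacks a join or meet."""

    def __init__(self, labels, leq):
        self.labels = list(labels)
        self.leq = leq
        self._check_partial_order()
        for a, b in combinations(self.labels, 2):   # lattice property, checked once up front
            self.join(a, b)
            self.meet(a, b)

    def _check_partial_order(self):
        L = self.labels
        if not all(self.leq(a, a) for a in L):
            raise ValueError("relation is not reflexive")
        for a, b in combinations(L, 2):
            if self.leq(a, b) and self.leq(b, a):
                raise ValueError(f"not antisymmetric: {a} vs {b}")
        for a, b, c in product(L, repeat=3):
            if self.leq(a, b) and self.leq(b, c) and not self.leq(a, c):
                raise ValueError(f"not transitive: {a}, {b}, {c}")

    def can_flow(self, src, sink):
        """Denning's flow rule: data labelled src may reach sink iff src ⊑ sink."""
        return self.leq(src, sink)

    def join(self, a, b):
        """Label for data derived from both a and b: the least label dominating both."""
        ubs = [x for x in self.labels if self.leq(a, x) and self.leq(b, x)]
        least = [x for x in ubs if all(self.leq(x, y) for y in ubs)]
        if len(least) != 1:
            raise ValueError(f"no least upper bound for {a}, {b}: candidates {ubs}")
        return least[0]

    def meet(self, a, b):
        """Greatest label that may flow into both a and b."""
        lbs = [x for x in self.labels if self.leq(x, a) and self.leq(x, b)]
        greatest = [x for x in lbs if all(self.leq(y, x) for y in lbs)]
        if len(greatest) != 1:
            raise ValueError(f"no greatest lower bound for {a}, {b}: candidates {lbs}")
        return greatest[0]


def build_example_lattice():
    """Product lattice (level, category set): join = (max level, union), meet = (min, intersection)."""
    subsets = [frozenset(s) for r in range(len(CATEGORIES) + 1) for s in combinations(CATEGORIES, r)]
    labels = [(lvl, cats) for lvl in LEVELS for cats in subsets]
    return PolicyLattice(labels, dominates)


def is_lattice(labels, leq):
    try:
        PolicyLattice(labels, leq)
        return True
    except ValueError:
        return False


def non_lattice_order():
    """Constructed partial order that is NOT a lattice: a and b both lie below x and y,
    but x and y are incomparable, so {a, b} has two minimal upper bounds and no join."""
    covers = {("bot", "a"), ("bot", "b"), ("a", "x"), ("a", "y"), ("b", "x"), ("b", "y"),
              ("x", "top"), ("y", "top")}
    labels = ["bot", "a", "b", "x", "y", "top"]
    rel = set(covers) | {(l, l) for l in labels}
    while True:  # reflexive-transitive closure of the cover relation
        new = {(p, s) for (p, q) in rel for (q2, s) in rel if q == q2} - rel
        if not new:
            break
        rel |= new
    return labels, (lambda p, q: (p, q) in rel)


if __name__ == "__main__":
    lat = build_example_lattice()
    src = ("internal", frozenset({"health"}))
    sink = ("confidential", frozenset({"health", "location"}))
    print("flow allowed:", lat.can_flow(src, sink))
    print("reverse allowed:", lat.can_flow(sink, src))
    print("combined label:", lat.join(src, ("public", frozenset({"location"}))))
    print("non-lattice order accepted:", is_lattice(*non_lattice_order()))
```

The validation in the constructor is what makes the "why a lattice" argument concrete: the same `join` code that tags combined data correctly on the product lattice raises on the six-element order, because there is no single label that an enforcement point could assign.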
Performance engineering at Meta¶
The 2024-08-31 post names simplified policy-lattice representation and evaluation as one of the levers Meta used to achieve a "10x improvement in computational efficiency" of Policy Zones runtime checks. Lattice evaluation happens on every data flow in a zone, so the representation has to be cheap to hash / compare / join at production QPS. Specific implementation — data structure, encoding scheme — is not disclosed.
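As an illustration of what "cheap to hash / compare / join" can mean for a lattice of this shape, here is an added example (not the page's or Meta's code; Policy Zones' real representation is undisclosed) that packs a (level, category set) label into one integer so that the flow check, join and meet are each a handful of integer operations with no search. The level and category names are constructed.

```python
"""Constant-time encoding of a (level, category-set) label as a single integer.
Constructed example: high bits hold the level rank, low bits one flag per category.
Meta's actual Policy Zones representation is not public."""

LEVELS = ("public", "internal", "confidential")    # constructed, totally ordered
CATEGORIES = ("health", "location", "contacts")    # constructed category set
CAT_BITS = len(CATEGORIES)
CAT_MASK = (1 << CAT_BITS) - 1


def encode(level, categories):
    """Pack a label: level rank above CAT_BITS, one bit per category below."""
    mask = 0
    for c in categories:
        mask |= 1 << CATEGORIES.index(c)
    return (LEVELS.index(level) << CAT_BITS) | mask


def decode(label):
    """Inverse of encode, for display and debugging."""
    level = LEVELS[label >> CAT_BITS]
    cats = frozenset(c for i, c in enumerate(CATEGORIES) if label & (1 << i))
    return level, cats


def can_flow(src, sink):
    """src ⊑ sink: sink level >= src level and src categories ⊆ sink categories.
    The subset test is one AND against the complement of the sink mask."""
    return (src >> CAT_BITS) <= (sink >> CAT_BITS) and (src & CAT_MASK & ~sink) == 0


def join(a, b):
    """Least upper bound: max of levels, OR of category masks."""
    return (max(a >> CAT_BITS, b >> CAT_BITS) << CAT_BITS) | ((a | b) & CAT_MASK)


def meet(a, b):
    """Greatest lower bound: min of levels, AND of category masks."""
    return (min(a >> CAT_BITS, b >> CAT_BITS) << CAT_BITS) | (a & b & CAT_MASK)


if __name__ == "__main__":
    src = encode("internal", {"health"})
    sink = encode("confidential", {"health", "location"})
    print(can_flow(src, sink), can_flow(sink, src))
    print(decode(join(src, encode("public", {"location"}))))
```

Because a label is a plain int, hashing and equality are free and a per-flow check is a couple of shifts and masks; the trade-off is that the category universe must be fixed at encoding time, which is one reason a real system might choose a different scheme.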
Seen in¶
- sources/2024-08-31-meta-enforces-purpose-limitation-via-privacy-aware-infrastructure — canonical industrial instance of Denning's lattice model deployed at hyperscale at runtime.
Related¶
- concepts/information-flow-control — parent primitive.
- concepts/data-annotation — lattice elements.
- systems/meta-policy-zones — industrial consumer of the lattice model.
- companies/meta