Abstract
Quantitative information-flow analysis (QIF) is an emerging technique for establishing information-theoretic confidentiality properties. Automation of QIF is an important step towards ensuring its practical applicability, since manual reasoning about program security has been shown to be a tedious and expensive task. In this chapter we describe how approximation and randomization techniques can be brought to bear on the challenge of sufficiently precise, yet efficient computation of quantitative information-flow properties.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Köpf, B., Rybalchenko, A. (2013). Automation of Quantitative Information-Flow Analysis. In: Bernardo, M., de Vink, E., Di Pierro, A., Wiklicky, H. (eds) Formal Methods for Dynamical Systems. SFM 2013. Lecture Notes in Computer Science, vol 7938. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38874-3_1
DOI: https://doi.org/10.1007/978-3-642-38874-3_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38873-6
Online ISBN: 978-3-642-38874-3
eBook Packages: Computer Science, Computer Science (R0)