Skip to main content
SpringerLink
Log in

Automation of Quantitative Information-Flow Analysis

  • Chapter
Formal Methods for Dynamical Systems (SFM 2013)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7938))

Abstract

Quantitative information-flow analysis (QIF) is an emerging technique for establishing information-theoretic confidentiality properties. Automation of QIF is an important step towards ensuring its practical applicability, since manual reasoning about program security has been shown to be a tedious and expensive task. In this chapter we describe a approximation and randomization techniques to bear on the challenge of sufficiently precise, yet efficient computation of quantitative information flow properties.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
eBook
USD 16.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 16.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Backes, M., Berg, M., Köpf, B.: Non-Uniform Distributions in Quantitative Information-Flow. In: Proc. 6th ACM Conference on Information, Computer and Communications Security, ASIACCS 2011, pp. 367–374. ACM (2011)

    Google Scholar 

  2. Backes, M., Köpf, B., Rybalchenko, A.: Automatic Discovery and Quantification of Information Leaks. In: Proc. IEEE Symp. on Security and Privacy, S&P 2009, pp. 141–153. IEEE (2009)

    Google Scholar 

  3. Bagnara, R., Hill, P.M., Zaffanella, E.: The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Science of Computer Programming 72(1-2) (2008)

    Google Scholar 

  4. Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic predicate abstraction of C programs. In: Proc. ACM Conf. on Programming Language Design and Implementation, PLDI 2001, pp. 203–213. ACM (2001)

    Google Scholar 

  5. Ball, T., Millstein, T.D., Rajamani, S.K.: Polymorphic predicate abstraction. ACM Trans. Program. Lang. Syst. 27(2) (2005)

    Google Scholar 

  6. Banerjee, A., Naumann, D.A., Rosenberg, S.: Expressive declassification policies and modular static enforcement. In: Proc. IEEE Symp. on Security and Privacy, S&P 2008, pp. 339–353. IEEE (2008)

    Google Scholar 

  7. Barthe, G., D’Argenio, P., Rezk, T.: Secure information flow by self-composition. In: Proc. IEEE Computer Security Foundations Workshop, CSFW 2004, pp. 100–114. IEEE (2004)

    Google Scholar 

  8. Barvinok, A.: A Polynomial Time Algorithm for Counting Integral Points in Polyhedra when the Dimension is Fixed. Mathematics of Operations Research 19, 189–202 (1994)

    Article  MathSciNet  MATH  Google Scholar 

  9. Batu, T., Dasgupta, S., Kumar, R., Rubinfeld, R.: The complexity of approximating entropy. In: Proc. ACM Symp. on Theory of Computing, STOC 2002, pp. 678–687. ACM (2002)

    Google Scholar 

  10. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: Proc. ACM Conf. on Programming Language Design and Implementation, PLDI 2003, pp. 196–207. ACM (2003)

    Google Scholar 

  11. Boreale, M.: Quantifying information leakage in process calculi. Information and Computation 207(6), 699–725 (2009)

    Article  MathSciNet  MATH  Google Scholar 

  12. Brumley, D., Hartwig, C., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Song, D.: BitScope: Automatically dissecting malicious binaries. Technical Report CS-07-133, School of Computer Science, Carnegie Mellon University (2007)

    Google Scholar 

  13. Cachin, C.: Entropy Measures and Unconditional Security in Cryptography. PhD thesis, ETH Zürich (1997)

    Google Scholar 

  14. Cadar, C., Dunbar, D., Engler, D.R.: KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proc. USENIX Symp. on Operating Systems Design and Implementation, OSDI 2008, pp. 209–224. USENIX (2008)

    Google Scholar 

  15. Cerny, P., Chatterjee, K., Henzinger, T.: The complexity of quantitative information flow problems. In: Proc. IEEE Computer Security Foundations Symposium, CSF 2011. IEEE (2011) (to appear)

    Google Scholar 

  16. Chatzikokolakis, K., Chothia, T., Guha, A.: Statistical Measurement of Information Leakage. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 390–404. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  17. Chatzikokolakis, K., Palamidessi, C., Panangaden, P.: Anonymity protocols as noisy channels. Information and Computation 206(2-4), 378–401 (2008)

    Article  MathSciNet  MATH  Google Scholar 

  18. Clark, D., Hunt, S., Malacaria, P.: Quantitative Information Flow, Relations and Polymorphic Types. J. Log. Comput. 18(2), 181–199 (2005)

    Article  MathSciNet  MATH  Google Scholar 

  19. Clark, D., Hunt, S., Malacaria, P.: A static analysis for quantifying information flow in a simple imperative language. Journal of Computer Security 15(3), 321–371 (2007)

    Article  Google Scholar 

  20. Clarkson, M.R., Myers, A.C., Schneider, F.B.: Belief in Information Flow. In: Proc. IEEE Computer Security Foundations Workshop, CSFW 2005, pp. 31–45. IEEE (2005)

    Google Scholar 

  21. Clulow, J.: The Design and Analysis of Cryptographic Application Programming Interfaces for Security Devices. Master’s thesis, University of Natal, SA (2003)

    Google Scholar 

  22. Cohen, E.: Information Transmission in Sequential Programs. In: Foundations of Secure Computation, pp. 297–335. Academic Press (1978)

    Google Scholar 

  23. Cook, B., Gupta, A., Magill, S., Rybalchenko, A., Simsa, J., Vafeiadis, V.: Finding heap-bounds for hardware synthesis. In: Proc. Intl. Conf. on Formal Methods in Computer-Aided Design, FMCAD 2009, pp. 205–212. IEEE (2009)

    Google Scholar 

  24. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. ACM Symp. on Principles of Programming Languages, POPL 1977, pp. 238–252. ACM (1977)

    Google Scholar 

  25. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proc. ACM Symp. on Principles of Programming Languages, POPL 1978, pp. 84–96. ACM (1978)

    Google Scholar 

  26. Denning, D.E.: Cryptography and Data Security. Addison-Wesley (1982)

    Google Scholar 

  27. Giacobazzi, R., Mastroeni, I.: Abstract Non-Interference: Parameterizing Non-Interference by Abstract Interpretation. In: Proc. ACM Symp. on Principles of Programming Languages, POPL 2004, pp. 186–197. ACM (2004)

    Google Scholar 

  28. Godefroid, P.: Software model checking: The VeriSoft approach. Formal Methods in System Design 26(2), 77–101 (2005)

    Article  Google Scholar 

  29. Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proc. ACM Conf. on Programming Language Design and Implementation, PLDI 2005, pp. 213–223. ACM (2005)

    Google Scholar 

  30. Gomez, C., Sabharwal, A., Selman, B.: Chapter 20: Model counting. In: Handbook of Satisfiability. Frontiers in Artificial Intelligence and Applications, vol. 185, IOS Press (2009)

    Google Scholar 

  31. Gray, J.W.: Toward a Mathematical Foundation for Information Flow Security. Journal of Computer Security 1(3-4), 255–294 (1992)

    Article  MathSciNet  Google Scholar 

  32. Gulwani, S., Jain, S., Koskinen, E.: Control-flow refinement and progress invariants for bound analysis. In: Proc. ACM Conf. on Programming Language Design and Implementation, PLDI 2009, pp. 375–385. ACM (2009)

    Google Scholar 

  33. Henzinger, T.A., Jhala, R., Majumdar, R., McMillan, K.L.: Abstractions from proofs. In: Proc. ACM Symp. on Principles of Programming Languages, POPL 2004, pp. 232–244. ACM (2004)

    Google Scholar 

  34. Heusser, J., Malacaria, P.: Quantifying information leaks in software. In: 26th Annual Computer Security Applications Conference, ACSAC 2010, pp. 261–269. ACM (2010)

    Google Scholar 

  35. Jeannet, B., Miné, A.: Apron: A library of numerical abstract domains for static analysis. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 661–667. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  36. Jhala, R., Majumdar, R.: Software model checking. ACM Comput. Surv. 41, 21:1–21:54 (2009)

    Google Scholar 

  37. Kocher, P.C.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

    Google Scholar 

  38. Köpf, B., Basin, D.: An Information-Theoretic Model for Adaptive Side-Channel Attacks. In: Proc. ACM Conf. on Computer and Communications Security, CCS 2007, pp. 286–296. ACM (2007)

    Google Scholar 

  39. Köpf, B., Dürmuth, M.: A Provably Secure and Efficient Countermeasure against Timing Attacks. In: Proc. IEEE Computer Security Foundations Symposium, CSF 2009, pp. 324–335. IEEE (2009)

    Google Scholar 

  40. Köpf, B., Mauborgne, L., Ochoa, M.: Automatic Quantification of Cache Side-Channels. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 564–580. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  41. Köpf, B., Rybalchenko, A.: Approximation and Randomization for Quantitative Information-Flow Analysis. In: Proc. 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 3–14. IEEE (2010)

    Google Scholar 

  42. Lalire, G., Argoud, M., Jeannet, B.: The interproc analyzer, http://pop-art.inrialpes.fr/people/bjeannet/bjeannet-forge/interproc/index.html

  43. Loera, J.A.D., Haws, D., Hemmecke, R., Huggins, P., Tauzer, J., Yoshida, R.: LattE, http://www.math.ucdavis.edu/~latte/ (accessed November 08, 2008)

  44. Lowe, G.: Quantifying Information Flow. In: Proc. IEEE Computer Security Foundations Workshop, CSFW 2002, pp. 18–31. IEEE (2002)

    Google Scholar 

  45. Malacaria, P.: Risk assessment of security threats for looping constructs. Journal of Computer Security 18(2), 191–228 (2010)

    Article  Google Scholar 

  46. Manna, Z., Pnueli, A.: Temporal verification of reactive systems: Safety. Springer (1995)

    Google Scholar 

  47. Massey, J.L.: Guessing and Entropy. In: Proc. IEEE Intl. Symp. on Information Theory, ISIT 1994, p. 204. IEEE Computer Society (1994)

    Google Scholar 

  48. McCamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: Proc. ACM Conf. on Programming Language Design and Implementation, PLDI 2008, pp. 193–205. ACM (2008)

    Google Scholar 

  49. Millen, J.K.: Covert Channel Capacity. In: Proc. IEEE Symp. on Security and Privacy, S&P 1987, pp. 60–66. IEEE (1987)

    Google Scholar 

  50. Miné, A.: The Octagon abstract domain. Higher-Order and Symbolic Computation 19(1), 31–100 (2006)

    Article  MathSciNet  MATH  Google Scholar 

  51. Mu, C., Clark, D.: An Interval-based Abstraction for Quantifying Information Flow. ENTCS 253(3), 119–141 (2009)

    Google Scholar 

  52. Mu, C., Clark, D.: Quantitative Analysis of Secure Information Flow via Probabilistic Semantics. In: Proc. 4th International Conference on Availability, Reliability and Security, ARES 2009, pp. 49–57. IEEE Computer Society (2009)

    Google Scholar 

  53. Newsome, J., McCamant, S., Song, D.: Measuring channel capacity to distinguish undue influence. In: Proc. ACM Workshop on Programming Languages and Analysis for Security, PLAS 2009, pp. 73–85. ACM (2009)

    Google Scholar 

  54. Park, S., Pfenning, F., Thrun, S.: A Probabilistic Language based upon Sampling Functions. In: Proc. ACM Symposium on Principles of Programming Languages, POPL 2005 (2005)

    Google Scholar 

  55. Pierro, A.D., Hankin, C., Wiklicky, H.: Approximate Non-Interference. In: Proc. IEEE Computer Security Foundations Workshop, CSFW 2002, pp. 3–17. IEEE (2002)

    Google Scholar 

  56. Sabelfeld, A., Myers, A.C.: Language-based Information-Flow Security. IEEE J. Selected Areas in Communication 21(1), 5–19 (2003)

    Article  Google Scholar 

  57. Sabelfeld, A., Myers, A.C.: A model for delimited information release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 174–191. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  58. Shannon, C.E.: A Mathematical Theory of Communication. Bell System Technical Journal 27, 379–423, 623–656 (1948)

    Google Scholar 

  59. Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  60. Yasuoka, H., Terauchi, T.: Quantitative information flow - verification hardness and possibilities. In: Proc. IEEE Computer Security Foundations Symposium, CSF 2010, pp. 15–27. IEEE (2010)

    Google Scholar 

  61. Zdancewic, S., Myers, A.C.: Robust declassification. In: Proc. IEEE Computer Security Foundations Workshop, CSFW 2001, pp. 15–23. IEEE (2001)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IMDEA Software Institute, Spain

    Boris Köpf

  2. Technische Universität München, Germany

    Andrey Rybalchenko

Authors
  1. Boris Köpf
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andrey Rybalchenko
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento di Scienze di Base e Fondamenti, Università di Urbino "Carlo Bo", , ,, Piazza della Repubblica 13, 61029, Urbino, Italy

    Marco Bernardo

  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Den Dolech 2, 5612 AZ, Eindhoven, The Netherlands

    Erik de Vink

  3. Dipartimento di Informatica,, Università di Verona, Ca’ Vignal 2, Strada le Grazie 15, 37134, Verona, Italy

    Alessandra Di Pierro

  4. Department of Computing, Imperial College London, Huxley Building,180 Queen’s Gate, SW7 2BZ, London, UK

    Herbert Wiklicky

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Köpf, B., Rybalchenko, A. (2013). Automation of Quantitative Information-Flow Analysis. In: Bernardo, M., de Vink, E., Di Pierro, A., Wiklicky, H. (eds) Formal Methods for Dynamical Systems. SFM 2013. Lecture Notes in Computer Science, vol 7938. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38874-3_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-38874-3_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-38873-6

  • Online ISBN: 978-3-642-38874-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation