Abstract
A core property of program semantics is that local reasoning about program fragments remains sound even when the fragments are executed within a larger system. Mathematically this property corresponds to monotonicity of refinement: if A refines B then \(\mathcal{C}(A)\) refines \(\mathcal{C}(B)\) for any (valid) context defined by \(\mathcal{C}(\cdot )\).
In other work we have studied a refines order for information flow in programs where the comparison defined by the order preserves both functional and confidentiality properties of secrets. However the semantic domain used in that work is only sufficient for scenarios where either the secrets are static (i.e. once initialised they never change), or where contexts \(\mathcal{C}(\cdot )\) never introduce fresh secrets.
In this paper we show how to extend those ideas to obtain a model of information flow which supports local reasoning about confidentiality. We use our model to explore some algebraic properties of programs which contain secrets that can be updated, and which are valid in arbitrary contexts made up of possibly freshly declared secrets.
T. Rabehaja—We acknowledge the support of the Australian Research Council Grant DP140101119. This work was carried out while visiting the Security Institute at ETH Zürich.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Mostly we use the conventional f(x) for application of function f to argument x. Exceptions include \(\delta _x\) for \(\delta \) applied to x and \({\mathbb D}f\) for functor \({\mathbb D}\) applied to f and f.x.y for function f(x), or f.x, applied to argument y, and \([\![H]\!].\pi \), when H is an HMM inside semantic brackets \([\![\cdot ]\!]\).
- 2.
The point distribution on x assigns probability 1 to x alone, and probability 0 to everything else; we write it [x].
- 3.
We are aware that in \({\mathbb D}({\mathbb D}\mathcal{X})\) the outer \({\mathbb D}\) is not acting over a finite type: indeed \({\mathbb D}\mathcal{X}\) is non-denumerable even when \(\mathcal{X}\) is finite, so a fully general treatment would use proper measures as we have done elsewhere [14, 16]. Here however we use the fact that, for programs, the only members of \({\mathbb D}^2\mathcal{X}\) we encounter have finite support (i.e. finitely many \({\mathbb D}\mathcal{X}\)’s within them), and constructions like \(\sum _{\delta {:}\,{\mathbb D}{\mathcal{X}}} \varDelta _\delta \delta _x\) remain meaningful.
- 4.
This is the standard method of composing functions defined by a monad.
- 5.
A matrix is stochastic if its rows sum to 1.
- 6.
Here \(\ell .i\) is the function \(\ell (i)\) of type \(\mathcal{X}{\mathbin {\rightarrow }}{\mathbb R}\) — we are using Currying.
- 7.
This was called the Coriaceous Conjecture in [2].
- 8.
We overload \(\widetilde{\mathrel \sqsubset }\) defined on HMM’s directly to be defined similarly for the abstract semantics: \(h^1 \widetilde{\mathrel \sqsubset }h^2\) of type \({\mathbb D}\mathcal{X}^2\mathbin {\rightarrow }{\mathbb D}^2\mathcal{X}^2\) if \(\mathcal{E}_{{h^1}(\delta )}(U_{\ell }) \le \mathcal{E}_{{h^2}(\delta )}(U_{\ell })\) for all \(\ell \).
References
Alvim, M.S., Chatzikokolakis, K., McIver, A., Morgan, C., Palamidessi, C., Smith, G.: Additive and multiplicative notions of leakage, and their capacities. In: IEEE 27th Computer Security Foundations Symposium, CSF 2014, Vienna, Austria, 19–22 July 2014, pp. 308–322. IEEE (2014)
Alvim, M.S., Chatzikokolakis, K., Palamidessi, C., Smith, G.: Measuring information leakage using generalized gain functions. In: Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF 2012), pp. 265–279, June 2012
Back, R.-J.R., von Wright, J.: Refinement Calculus: A Systematic Introduction. Springer, Heidelberg (1998)
Clark, D., Hunt, S., Malacaria, P.: Quantitative analysis of the leakage of confidential data. Electr. Notes Theor. Comput. Sci. 59(3), 238–251 (2001)
Clarkson, M.R., Myers, A.C., Schneider, F.B.: Belief in information flow. In: 18th IEEE Computer Security Foundations Workshop, (CSFW-18 2005), 20–22 June 2005, Aix-en-Provence, France, pp. 31–45 (2005)
Dalenius, T.: Towards a methodology for statistical disclosure control. Statistik Tidskrift 15, 429–444 (1977)
Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006). doi:10.1007/11787006_1
Giry, M.: A categorical approach to probability theory. In: Banaschewski, B. (ed.) Categorical Aspects of Topology and Analysis. LNM, vol. 915, pp. 68–85. Springer, Heidelberg (1981). doi:10.1007/BFb0092872
Goguen, J.A., Meseguer, J.: Unwinding and inference control. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 75–86. IEEE Computer Society (1984)
Jones, C., Plotkin, G.: A probabilistic powerdomain of evaluations. In: Proceedings of the IEEE 4th Annual Symposium on Logic in Computer Science, Los Alamitos, California, pp. 186–195. Computer Society Press (1989)
Mardziel, P., Alvim, M.S., Hicks, M.W., Clarkson, M.R.: Quantifying information flow for dynamic secrets. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA, 18–21 May 2014, pp. 540–555 (2014)
McIver, A.K., Morgan, C.C.: Abstraction, Refinement and Proof for Probabilistic Systems. Monographs in Computer Science. Springer, New York (2005)
McIver, A., Meinicke, L., Morgan, C.: Compositional closure for bayes risk in probabilistic noninterference. In: Abramsky, S., Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010. LNCS, vol. 6199, pp. 223–235. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14162-1_19
McIver, A., Meinicke, L., Morgan, C.: A Kantorovich-monadic powerdomain for information hiding, with probability and nondeterminism. In: Proceedings of LiCS 2012 (2012)
McIver, A., Meinicke, L., Morgan, C.: Hidden-Markov program algebra with iteration. Mathematical Structures in Computer Science (2014)
McIver, A., Morgan, C., Rabehaja, T.: Abstract hidden Markov models: a monadic account of quantitative information flow. In: Proceedings of LiCS 2015 (2015)
McIver, A., Morgan, C., Rabehaja, T., Bordenabe, N.: Reasoning about distributed secrets. Submitted to FORTE 2017
McIver, A., Morgan, C., Smith, G., Espinoza, B., Meinicke, L.: Abstract channels and their robust information-leakage ordering. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 83–102. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54792-8_5
Moggi, E.: Computational lambda-calculus and monads. In: Proceedings of 4th Symposium on LiCS, pp. 14–23 (1989)
Morgan, C.C.: Programming from Specifications, 2nd edn. Prentice-Hall, Upper Saddle River (1994). web.comlab.ox.ac.uk/oucl/publications/books/PfS/
Morgan, C.C.: The Shadow Knows: refinement of ignorance in sequential programs. In: Uustalu, T. (ed.) MPC 2006. LNCS, vol. 4014, pp. 359–378. Springer, Heidelberg (2006). doi:10.1007/11783596_21
Morgan, C.C., McIver, A.K., Seidel, K.: Probabilistic predicate transformers. ACM Trans. Program. Lang. Syst. 18(3), 325–353 (1996). doi.acm.org/10.1145/229542.229547
Schrijvers, T., Morgan, C.: Hypers.hs Haskell code implementing quantitative non-interference monadic security semantics (2015). http://www.cse.unsw.edu.au/~carrollm/Hypers.pdf
Smith, G.: On the foundations of quantitative information flow. In: Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00596-1_21
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
McIver, A.K., Morgan, C.C., Rabehaja, T. (2017). Algebra for Quantitative Information Flow. In: Höfner, P., Pous, D., Struth, G. (eds) Relational and Algebraic Methods in Computer Science. RAMICS 2017. Lecture Notes in Computer Science(), vol 10226. Springer, Cham. https://doi.org/10.1007/978-3-319-57418-9_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-57418-9_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57417-2
Online ISBN: 978-3-319-57418-9
eBook Packages: Computer ScienceComputer Science (R0)