Quantitative Analysis of Secure Information Flow via Probabilistic Semantics

We present an automatic analyzer for measuring information flow within software systems. In this paper, we quantify leakage in information-theoretic terms and build this computation into a probabilistic semantics. The resulting semantic functions measure the information flow of a program from its secret (high-security) inputs to its public outputs, for any probability distribution over those inputs. The major contribution is an automatic quantitative analyzer, based on this leakage definition, for an imperative language with while-loops. While-loops are handled by applying the entropy of generalized distributions and its related properties, which also lets the analysis account for an observer who sees elapsed time.
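The following is an added illustration of the leakage measure the abstract describes, written for this page; it is not the paper's analyzer and does not reproduce its semantics. It takes Shannon mutual information I(S;O) between the secret input S and the attacker's observation O as the leakage, computes it by pushing an arbitrary input distribution through a deterministic program, and models "elapsed time" as the number of loop iterations. The helper names (`leakage`, `count_up`, `password_check`, `mod4`, `uniform`) are this example's own, and it assumes every loop terminates, so the generalized (non-normalised) distributions the paper uses for non-termination are not needed here.

```python
"""Illustrative quantitative information-flow calculator (not the paper's tool).

A program is a Python function secret -> (public_output, iterations); the
iteration count stands in for the elapsed time an observer might measure.
Leakage is the mutual information, in bits, between the secret and what the
observer sees, computed from the joint distribution induced by an arbitrary
distribution over the secret.
"""
from collections import defaultdict
from math import log2


def entropy(dist):
    """Shannon entropy in bits of a distribution {value: probability}.
    Zero-probability entries contribute 0 (the 0 log 0 = 0 convention)."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def leakage(program, secret_dist, observe_time=False):
    """I(S;O) = H(O) - H(O|S) for the observation O produced by `program`.

    O is the public output, or the pair (output, iterations) when the
    observer can also time the run. For a deterministic program H(O|S) is 0,
    so the leakage collapses to H(O); the conditional term is still computed
    so the general formula is visible and would also cover a program whose
    observable depends on more than the secret.
    """
    joint = defaultdict(float)          # (secret, observation) -> probability
    for s, p in secret_dist.items():
        out, steps = program(s)
        obs = (out, steps) if observe_time else out
        joint[(s, obs)] += p

    p_obs = defaultdict(float)          # marginal over observations
    for (_, o), p in joint.items():
        p_obs[o] += p
    h_obs = entropy(p_obs)

    h_obs_given_s = 0.0                 # sum_s p(s) * H(O | S = s)
    for s, ps in secret_dist.items():
        cond = {o: p / ps for (s2, o), p in joint.items() if s2 == s}
        h_obs_given_s += ps * entropy(cond)

    return h_obs - h_obs_given_s


# --- Example programs (constructed for this illustration) ----------------

def mod4(high):
    """low := high mod 4 ; straight-line, one step."""
    return high % 4, 1


def password_check(high):
    """low := (high == 7) ; a one-bit accept/reject oracle."""
    return int(high == 7), 1


def count_up(high):
    """i := 0; while i < high do i := i + 1; low := 0.
    The public output is constant, but the loop runs `high` times."""
    i = steps = 0
    while i < high:
        i += 1
        steps += 1
    return 0, steps


def uniform(n):
    """Uniform distribution over the secrets 0 .. n-1."""
    return {v: 1.0 / n for v in range(n)}


if __name__ == "__main__":
    u16 = uniform(16)
    print("mod4, uniform 16:              ", leakage(mod4, u16))
    print("password_check, uniform 16:    ", leakage(password_check, u16))
    print("count_up, output only:         ", leakage(count_up, u16))
    print("count_up, output + iterations: ", leakage(count_up, u16, observe_time=True))
    # A skewed prior changes the numbers: the analysis is per-distribution.
    skewed = {v: (0.5 if v == 0 else 0.5 / 15) for v in range(16)}
    print("mod4, skewed prior:            ", leakage(mod4, skewed))
```

Running it shows the point of the timing extension: `count_up` leaks nothing through its output (0 bits) yet leaks the whole 4-bit secret once the iteration count is observable, while `mod4` leaks exactly the two low-order bits and the password check leaks about a third of a bit under a uniform prior.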
