Program algebra for quantitative information flow

Abstract Models for quantitative information flow traditionally assume that the secret, once set, never changes. More recently, however, Hidden Markov Models (HMM's) have been used to describe program features that include both state updates and information flow, thus supporting more realistic contexts where secrets can indeed be refreshed. In this paper we explore HMM's further, with the aim of bringing algebraic concepts to bear in the analysis of confidentiality properties of programs. Of particular importance is the idea that local reasoning about program fragments should remain sound even when those same fragments are executed within a larger system. We show how to extend the basic HMM model to incorporate this core idea within an algebraic setting and, in so doing, show how it is related to established notion about privacy and correlated data sets in statistical databases. Using our algebra for an HMM-style model we show how to describe and prove some foundational properties of quantitative information flow.

[1]  Mário S. Alvim,et al.  Quantifying Information Flow for Dynamic Secrets , 2014, 2014 IEEE Symposium on Security and Privacy.

[2]  Annabelle McIver,et al.  Algebra for Quantitative Information Flow , 2017, RAMiCS.

[3]  C. Jones,et al.  A probabilistic powerdomain of evaluations , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[4]  Eugenio Moggi,et al.  Computational lambda-calculus and monads , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.

[5]  K. Parthasarathy,et al.  Probability measures on metric spaces , 1967 .

[6]  Michael R. Clarkson,et al.  Belief in information flow , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[7]  Geoffrey Smith,et al.  On the Foundations of Quantitative Information Flow , 2009, FoSSaCS.

[8]  Alison L Gibbs,et al.  On Choosing and Bounding Probability Metrics , 2002, math/0209021.

[9]  Geoffrey Smith,et al.  Vulnerability Bounds and Leakage Resilience of Blinded Cryptography under Timing Attacks , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[10]  Annabelle McIver,et al.  Reasoning About Distributed Secrets , 2017, FORTE.

[11]  Annabelle McIver,et al.  Abstract Hidden Markov Models: A Monadic Account of Quantitative Information Flow , 2015, 2015 30th Annual ACM/IEEE Symposium on Logic in Computer Science.

[12]  C. E. SHANNON,et al.  A mathematical theory of communication , 1948, MOCO.

[13]  Mário S. Alvim,et al.  Additive and Multiplicative Notions of Leakage, and Their Capacities , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[14]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[15]  Dexter Kozen A Probabilistic PDL , 1985, J. Comput. Syst. Sci..

[16]  Cynthia Dwork,et al.  Differential Privacy , 2006, ICALP.

[17]  Carroll Morgan The Shadow Knows: Refinement of Ignorance in Sequential Programs , 2006, MPC.

[18]  Pasquale Malacaria,et al.  Algebraic foundations for quantitative information flow , 2014, Mathematical Structures in Computer Science.

[19]  Mário S. Alvim,et al.  Measuring Information Leakage Using Generalized Gain Functions , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[20]  Annabelle McIver,et al.  Compositional Closure for Bayes Risk in Probabilistic Noninterference , 2010, ICALP.

[21]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[22]  David Clark,et al.  Quantitative Analysis of the Leakage of Confidential Data , 2002, QAPL.

[23]  Annabelle McIver,et al.  Hidden-Markov program algebra with iteration , 2011, Mathematical Structures in Computer Science.

[24]  Michèle Giry,et al.  A categorical approach to probability theory , 1982 .

[25]  Bart Jacobs,et al.  A Predicate/State Transformer Semantics for Bayesian Learning , 2016, MFPS.

[26]  Annabelle McIver,et al.  Abstraction, Refinement and Proof for Probabilistic Systems , 2004, Monographs in Computer Science.