Computing Information Flow Using Symbolic Model-Checking

Several measures have been proposed in the literature for quantifying the information leaked by the public outputs of a program with secret inputs. We consider the problem of computing the information leaked by a deterministic or probabilistic program when the measure of information is based on (a) min-entropy and (b) Shannon entropy. The key challenge in computing these measures is that we need the total number of possible outputs and, for each possible output, the number of inputs that lead to it. A direct computation of these quantities is infeasible because of the state-explosion problem. We therefore propose symbolic algorithms based on binary decision diagrams (BDDs). The advantage of our approach is that these symbolic algorithms can be easily implemented in any BDD-based model-checking tool that checks for reachability in deterministic non-recursive programs by computing program summaries. We demonstrate the validity of our approach by implementing these algorithms in a tool, Moped-QLeak, which is built upon Moped, a model checker for Boolean programs. Finally, we show how this symbolic approach extends to probabilistic programs.
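The two quantities named in the abstract (the number of possible outputs, and the number of inputs behind each output) are enough to compute both leakage measures for a deterministic program. The following added example, which is not code from the paper or from Moped-QLeak, computes them by explicit enumeration, the direct approach the abstract says does not scale. It assumes a uniform prior over an 8-bit secret, and the three toy programs are constructed for illustration.

```python
import math
from collections import Counter

SECRET_BITS = 8  # constructed toy size; enumeration is only feasible because it is small


def check_pin(secret: int) -> int:
    """Toy program: public output is 1 iff the secret equals a fixed guess."""
    return int(secret == 0x5A)


def low_nibble(secret: int) -> int:
    """Toy program: public output is the low 4 bits of the secret."""
    return secret & 0x0F


def constant(secret: int) -> int:
    """Toy program: public output is independent of the secret."""
    return 0


def preimage_sizes(program, bits: int = SECRET_BITS) -> Counter:
    """Map each reachable output to the number of secret inputs producing it."""
    return Counter(program(s) for s in range(2 ** bits))


def min_entropy_leakage(sizes: Counter) -> float:
    """Deterministic program, uniform prior: log2 of the number of outputs."""
    return math.log2(len(sizes))


def shannon_leakage(sizes: Counter) -> float:
    """Deterministic program, uniform prior: Shannon entropy of the output."""
    n = sum(sizes.values())
    return abs(-sum((c / n) * math.log2(c / n) for c in sizes.values()))


if __name__ == "__main__":
    for prog in (check_pin, low_nibble, constant):
        sizes = preimage_sizes(prog)
        print(f"{prog.__name__:10s} outputs={len(sizes):3d} "
              f"min-entropy={min_entropy_leakage(sizes):.4f} bits "
              f"shannon={shannon_leakage(sizes):.4f} bits")
```

The PIN check shows why the two measures are tracked separately: it leaks a full bit under min-entropy but only a small fraction of a bit under Shannon entropy, because one of its two outputs has a single preimage.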
