HyLeak: Hybrid Analysis Tool for Information Leakage

We present HyLeak, a tool for reasoning about the quantity of information leakage in programs. The tool takes as input the source code of a program and analyzes it to estimate the amount of leaked information measured by mutual information. The leakage estimation is mainly based on a hybrid method that combines precise program analysis with statistical analysis using stochastic program simulation. This way, the tool combines the best of both symbolic and randomized techniques to provide more accurate estimates with cheaper analysis, in comparison with the previous tools using one of the analysis methods alone. HyLeak is publicly available and is able to evaluate the information leakage of randomized programs, even when the secret domain is large. We demonstrate with examples that HyLeaks has the best performance among the tools that are able to analyze randomized programs with similarly high precision of estimates.

[1]  Alan J. Hu,et al.  Precisely Measuring Quantitative Information Flow: 10K Lines of Code and Beyond , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[2]  Axel Legay,et al.  Quantifying information leakage of randomized protocols , 2013, Theor. Comput. Sci..

[3]  Tom Chothia,et al.  LeakWatch: Estimating Information Leakage from Java Programs , 2014, ESORICS.

[4]  Axel Legay,et al.  Hybrid Statistical Estimation of Mutual Information for Quantifying Information Flow , 2016, FM.

[5]  Stephen McCamant,et al.  Measuring channel capacity to distinguish undue influence , 2009, PLAS '09.

[6]  Terence Parr The Definitive ANTLR Reference: Building Domain-Specific Languages , 2007 .

[7]  Andrey Rybalchenko,et al.  Approximation and Randomization for Quantitative Information-Flow Analysis , 2010, 2010 23rd IEEE Computer Security Foundations Symposium.

[8]  Tom Chothia,et al.  A Tool for Estimating Information Leakage , 2013, CAV.

[9]  Rohit Chadha,et al.  Computing Information Flow Using Symbolic Model-Checking , 2014, FSTTCS.

[10]  Tom Chothia,et al.  Probabilistic Point-to-Point Information Leakage , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[11]  Corina S. Pasareanu,et al.  Symbolic quantitative information flow , 2012, SOEN.

[12]  Tom Chothia,et al.  Statistical Measurement of Information Leakage , 2010, TACAS.

[13]  Catuscia Palamidessi,et al.  Compositionality Results for Quantitative Information Flow , 2014, QEST.

[14]  Pasquale Malacaria,et al.  Abstract model counting: a novel approach for quantification of information leaks , 2014, AsiaCCS.

[15]  Marcelo d'Amorim,et al.  Quantifying information leaks using reliability analysis , 2014, SPIN.

[16]  Axel Legay,et al.  Comparative Analysis of Leakage Tools on Scalable Case Studies , 2015, SPIN.

[17]  Alexander Weigl Efficient SAT-Based Pre-image Enumeration for Quantitative Information Flow in Programs , 2016, DPM/QASA@ESORICS.

[18]  Axel Legay,et al.  QUAIL: A Quantitative Security Analyzer for Imperative Code , 2013, CAV.