#### DMCA

## P.: Quantifying information leaks in software (2010)

Venue: | In: Proc. ACSAC ’10 |

Citations: | 28 - 3 self |

### Citations

949 |
Security Policies and Security Models
- Goguen, Meseguer
- 1982
(Show Context)
Citation Context ...ement being the relation relating every state and top element being the identity relation. This is described as the Lattice of Information [10]. Non leaking programs (i.e. satisfying non-interference =-=[7]-=-) are characterised as follows: Proposition 1. P is non-interfering iff for all l, ≃P,l is the least element in I(SH) . An attacker controlling the low inputs can be modelled by an equivalence relatio... |

137 | Secure Information Flow by SelfComposition
- Barthe, D’Argenio, et al.
- 2004
(Show Context)
Citation Context ...verification techniques are used to compute leakage of programs. Those works are both in-spired by the important previous theoretical work on self composition by G. Barthe, P. D’Argenio, and T. Rezk =-=[2]-=- and T. Terauchi and A. Aiken [18]. However as already noted, those approaches attempt primarily to answer questions about how much a program leak and seem unable to scale to real code in terms of lin... |

90 | Quantitative information flow as network flow capacity
- McCamant, Ernst
- 2008
(Show Context)
Citation Context ...y H. Yasuoka and T. Terauchi [19] who, amongst other aspects, explored the relation to verification and k-safety properties. Approaches that do scale to large programs are by S. McCamant, M. D. Ernst =-=[14]-=- and J. Newsome, S. McCamant, D. Song [15]. They released an impressive tool, FlowCheck, which is able to analyse very large programs. There are however significant differences between the approaches ... |

83 | Secure information flow as a safety problem
- Terauchi, Aiken
- 2005
(Show Context)
Citation Context ...to compute leakage of programs. Those works are both in-spired by the important previous theoretical work on self composition by G. Barthe, P. D’Argenio, and T. Rezk [2] and T. Terauchi and A. Aiken =-=[18]-=-. However as already noted, those approaches attempt primarily to answer questions about how much a program leak and seem unable to scale to real code in terms of line of code, state space and languag... |

66 | A static analysis for quantifying information flow in a simple imperative language
- Clark, Hunt, et al.
- 2007
(Show Context)
Citation Context ...ibute to lists, requires prior specific permission and/or a fee. ACSAC ’10 Dec. 6-10, 2010, Austin, Texas USA Copyright 2010 ACM 978-1-4503-0133-6/10/12 ...$10.00. Quantitative Information Flow (QIF) =-=[3, 11]-=- aims to provide techniques and tools able to quantify leakage of confidential information. As a motivating example consider a prototypical password checking program if (password==guess) access=1; els... |

41 | Measuring channel capacity to distinguish undue influence
- Newsome, McCamant, et al.
- 2009
(Show Context)
Citation Context ...ngst other aspects, explored the relation to verification and k-safety properties. Approaches that do scale to large programs are by S. McCamant, M. D. Ernst [14] and J. Newsome, S. McCamant, D. Song =-=[15]-=-. They released an impressive tool, FlowCheck, which is able to analyse very large programs. There are however significant differences between the approaches in that FlowCheck is a security testing to... |

41 | Assumeguarantee model checking of software: A comparative case study
- Pasareanu, Dwyer, et al.
- 1999
(Show Context)
Citation Context ...ive policy if it makes more distinctions than what is allowed in the policy. A leaking program is one breaching the policy N = 1 in the above definition. We take ideas from assume-guarantee reasoning =-=[17]-=- to encode such a policy in a driver function, which tries to trigger a violation, i.e. producing a counterexample, of the policy. If the policy states that the function func is not allowed to make mo... |

40 |
Lagrange multipliers and maximum information leakage in different observational models
- Malacaria, Chen
- 2008
(Show Context)
Citation Context ...-interfering iff log 2(| ≃P |) = 0 2. The channel capacity 3 of P is log 2(| ≃P |) . 3. If for all probability distributions H(RP ) ≤ H(RP ′) then | ≃P | ≤ | ≃P ′ | Point (1) is proved in [4], (2) in =-=[12]-=- and (3) is a consequence of proposition 2 whose proof is in [8]. Hence a lower bound on | ≃P | provides a lower bound on the channel capacity of the program P . Hence, because of proposition 3 the in... |

37 |
A Tool for Checking ANSI-C Programs ,” in Tools and Algorithms for the Construction and Analysis
- Clarke, Kroening, et al.
- 2004
(Show Context)
Citation Context ...k?” to the simpler quantitative question “Does it leak more than k?”. We will show how the questions are related and more importantly we will show that off-the-shelf symbolic model checkers like CBMC =-=[5]-=- are able to efficiently answer the second kind of question. CBMC is a good choice 1 http://cve.mitre.org, CVE is industry-endorsed with over 70 companies actively involved.for several reasons: (i) i... |

32 | Model checking an entire linux distribution for security violations - Schwarz, Chen, et al. - 2005 |

27 |
A lattice of information
- Landauer, Redmond
- 1993
(Show Context)
Citation Context ...plete lattice over X. It is a refinement order with bottom element being the relation relating every state and top element being the identity relation. This is described as the Lattice of Information =-=[10]-=-. Non leaking programs (i.e. satisfying non-interference [7]) are characterised as follows: Proposition 1. P is non-interfering iff for all l, ≃P,l is the least element in I(SH) . An attacker controll... |

9 |
Malacaria: Assessing security threats of looping constructs
- Pasquale
(Show Context)
Citation Context ...ibute to lists, requires prior specific permission and/or a fee. ACSAC ’10 Dec. 6-10, 2010, Austin, Texas USA Copyright 2010 ACM 978-1-4503-0133-6/10/12 ...$10.00. Quantitative Information Flow (QIF) =-=[3, 11]-=- aims to provide techniques and tools able to quantify leakage of confidential information. As a motivating example consider a prototypical password checking program if (password==guess) access=1; els... |

6 |
Pasquale Malacaria: Quantitative information flow, relations and polymorphic types
- Clark, Hunt
- 2005
(Show Context)
Citation Context ... 1. P is non-interfering iff log 2(| ≃P |) = 0 2. The channel capacity 3 of P is log 2(| ≃P |) . 3. If for all probability distributions H(RP ) ≤ H(RP ′) then | ≃P | ≤ | ≃P ′ | Point (1) is proved in =-=[4]-=-, (2) in [12] and (3) is a consequence of proposition 2 whose proof is in [8]. Hence a lower bound on | ≃P | provides a lower bound on the channel capacity of the program P . Hence, because of proposi... |

5 |
Kopf and Andrey Rybalchenko Automatic Discovery and Quantification of Information Leaks
- Backes, Boris
- 2009
(Show Context)
Citation Context ...nds. 6. RELATED WORK There have been several attempts in recent years to build a quantitative analysis of leakage, starting with the static analysis in [4]. The most relevant works for this paper are =-=[1]-=- by M. Backes, B. Köpf and A. Rybalchenko and [8] by J. Heusser and P. Malacaria where verification techniques are used to compute leakage of programs. Those works are both in-spired by the important... |

4 |
Heusser: Information Theory and Security: Quantitative Information Flow
- Malacaria, Jonathan
- 2010
(Show Context)
Citation Context ...ariable RP 2. compute the entropy of RP (noted H(RP )) 2 In the paper such attacker choices will be modelled by the nondeterministic choice function input().It has been shown that RP and ≃P coincide =-=[11, 13]-=-. For example for the modulo program above under the assumption of uniform distribution on the input there are 4 equivalence classes each having probability 1 . The Shannon entropy of 4 that program i... |

2 |
and Pasquale Malacaria: Applied Quantitative Information Flow and Statistical Databases. Formal Aspects in Security and Trust 2009
- Heusser
(Show Context)
Citation Context ...uantitative Information Flow uses information theoretical measures like Shannon entropy to measure leakage of confidential information. The measure of a program can be broken down into two main steps =-=[11, 8]-=-: 1. interpret the program as a random variable RP 2. compute the entropy of RP (noted H(RP )) 2 In the paper such attacker choices will be modelled by the nondeterministic choice function input().It... |

2 | and Andrey Rybalchenko: Approximation and randomization for quantitative informationflow analysis - Köpf |