symbolic quantitative information flow

THE PROBLEMTHE APPROACH

CONCLUSION

Symbolic Quantitative Information Flow

Quoc-Sang Phan1 Pasquale Malacaria1 Oksana Tkachuk2

Corina S. Pasareanu2

Queen Mary University of London

Nasa Ames Research Center

November 12, 2012

1 / 17


CONCLUSION

Non-interferenceQuantitative Information FlowState of the art

Attacker model

2 / 17


CONCLUSION


Attacker model: an example

Example: an attacker steals your cash card

Having no idea about your pin number.

A priori probability to guess: 0.0001.

Randomly try a pin number:

The pin is accepted (with probability 0.0001)

The pin is rejected (with probability 0.9999)What did the attacker learn?

3 / 17


CONCLUSION


Quantitative Information Flow Analysis

Definition 1

leakage = secrecy before observing - secrecy after observing

Given a function F measuring secrecy

∆F (H) = F (H)− F (H|L)

F is based on Information Theory

Shannon Entropy: cash machine ∆H = 0.00147

Min Entropy

Guessing Entropy

4 / 17


CONCLUSION


State of the art

Channel Capacity

∆F (H) ≤ log2(N)

Existing work:

Barvinok-based counting (Backes et al, S&P 2009): toorestrictive and over-complicated.

Bit patterns counting (Meng and Smith, PLAS 2011): largelymanual, imprecise when outputs are diverged in the statespace.

5 / 17


CONCLUSION

Symbolic Quantitative Information FlowPreliminary Experiment

Data Sanitization Example

base = 8;if (H < 16) then

O = base + Helse

O = baseend if

Output in [8..23]

Output is represented by a bit vector bvo := bKbK−1..b1.

For each bit, check whether it’s always 0 or 1 or any

6 / 17


CONCLUSION


Automation of BitPattern method

Input symbolic

Extracting ith bit

for all element bi in vector bvo dobi = (O >> i) &1

end for

Check assert bi == 0

Automate bit queries by verifying assertions by JPF

7 / 17


CONCLUSION


Bit Pattern Results for Sanitization Example

Output in [8..23]

One-Bit Pattern: 000000000000000000000000000*****

Two-Bit Pattern: b4b3 can only be {01,10} → 16 possibleoutputs

Max leakage = 4 bits

Translate BitPattern to CNF, count solutions by RelSat

8 / 17


CONCLUSION


Symbolic Quantitative Information Flow

Output is represented by a bit vector bvo := bKbK−1..b1.

Use Symbolic Execution to explore all possible values of bvoAdd one condition for each bit bi to test it.There are K additional conditions in total.There are 2K combinations of condition, each one represents adistinct possible value.

Count the distinct concrete values return by SymbolicPathfinder.

9 / 17


CONCLUSION


Symbolic Counting by Symbolic Execution

base = 8;if (H < 16) then

O = base + Helse

O = baseend iffor all element bi in vector bvo do

bi = (O >> i) &1end forfor all element bi in vector bvo do

if (bi == 1) thenpi = True

elsepi = False

end ifend for

Figure: Additional conditions

10 / 17


CONCLUSION


Symbolic Counting by Symbolic Execution

s1

s2 s3

p1p1

p2 p2

H ≥ 16

pc := (H 16)InitializePC InitializePC

H < 16

pc := (H ≥ 16)<

pc ∧ p1 pc ∧ p1

pc ∧ p1 ∧ p2pc ∧ p1 ∧ ¬p2

(H ≥ 16) and (H < 16): program conditions.

p1, p2, ..: additional conditions.

11 / 17


CONCLUSION


Path Exploration with Addtional Constraints

UNSAT

pc ∧ p1

pc ∧ p1 ∧ p2

pc ∧ p1 ∧ p2 ∧ p3

pc ∧ p1 ∧ p2 ∧ p3 ∧ p4

pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ p5pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ ¬p5

p1

p2

p3

p4

p5

assert p1 is SATassert p1 && p2 && p3 && p4 && p5 is UNSAT

12 / 17


CONCLUSION


DEMO

13 / 17


CONCLUSION


Implicit Flow

O = 0;if (H == 0) O = 0;else if (H == 1) O = 1;else if (H == 2) O = 2;else if (H == 3) O = 3;else if (H == 4) O = 4;else if (H == 5) O = 5;else if (H == 6) O = 6;else O = 0;

Figure: Implicit Flow

BitPattern: 45ms, channel capacity: 3 bits

SQIF-SE: 717ms, channel capacity: 2.81 bits

14 / 17


CONCLUSION


Ten random outputs

if (H == r1) O = r1;else if (H == r2) O = r2;else if (H == r3) O = r3;...else if (H == r9) O = r9;else O = r10;

Figure: Ten random outputs

BitPattern: 5 seconds, channel capacity: 18.645.

SQIF-SE: less than 1 second, channel capacity: 3.322 bits.

15 / 17


CONCLUSION

Conclusions

A novel method for precise QIF.

Compare to Barvinok-based counting: simpler, less restrictive,more applicable.Compare to BitPattern : always more precise, faster whenpossible outputs are diverged in state-space.

Automation of BitPattern method.

jpf-qif: the first tool to support information-theoretic QIFanalysis.

16 / 17


CONCLUSION

THANK YOU FOR YOUR ATTENTION!

17 / 17

symbolic quantitative information flow

Education