DOI: 10.1145/2993600.2993607
short-paper

Short Paper: Dynamic leakage: A Need for a New Quantitative Information Flow Measure

Published: 24 October 2016

Abstract

A number of measures for quantifying the information leakage of a program have been proposed. Most of these measures evaluate a program as a whole by quantifying how much information can be leaked on average by different program outputs. While these measures are a perfect fit for static program analyses, they cannot be used by dynamic analyses since they do not specify what information an attacker learns through observing one concrete program output. In this paper we study the existing definitions of quantitative information flow. Our goal is to find the definition of dynamic leakage -- it should evaluate how much information an attacker learns when she observes one program output.
Surprisingly, we find that none of the existing definitions provides a suitable measure for dynamic leakage. We hence open a new research question in the quantitative information flow area: which definition of dynamic leakage is suitable?
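The gap between an averaged measure and a single observation, shown as an added example that is not taken from the paper. It assumes a deterministic program, a uniform prior over a 3-bit secret, and Shannon entropy as the measure; the per-output entropy drop is used only for illustration and is not proposed as a definition of dynamic leakage. The names `check_password`, `PRIOR` and the helper functions are hypothetical.

```python
import math
from collections import defaultdict

def entropy(dist):
    """Shannon entropy (bits) of a {value: probability} distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def posteriors(prior, program):
    """Map each output to (P(output), attacker's posterior over secrets)."""
    joint = defaultdict(dict)
    for secret, p in prior.items():
        if p > 0:
            joint[program(secret)][secret] = p
    result = {}
    for out, masses in joint.items():
        p_out = sum(masses.values())
        result[out] = (p_out, {s: p / p_out for s, p in masses.items()})
    return result

def average_leakage(prior, program):
    """Static view: prior entropy minus expected posterior entropy."""
    post = posteriors(prior, program)
    remaining = sum(p_out * entropy(d) for p_out, d in post.values())
    return entropy(prior) - remaining

def per_output_entropy_drop(prior, program):
    """Dynamic view: entropy drop for each concrete output taken alone."""
    h0 = entropy(prior)
    return {out: h0 - entropy(d)
            for out, (_, d) in posteriors(prior, program).items()}

# Constructed sample: 3-bit secret, uniform prior, password check against 3.
PRIOR = {s: 1 / 8 for s in range(8)}

def check_password(secret):
    return secret == 3

if __name__ == "__main__":
    print("average leakage (bits):", average_leakage(PRIOR, check_password))
    for out, drop in per_output_entropy_drop(PRIOR, check_password).items():
        print(f"output {out}: entropy drop {drop:.3f} bits")
```

The averaged figure is about 0.54 bits, while the single output `True` removes all 3 bits of uncertainty and the output `False` removes about 0.19 bits.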


Published In

PLAS '16: Proceedings of the 2016 ACM Workshop on Programming Languages and Analysis for Security
October 2016
116 pages
ISBN: 9781450345743
DOI: 10.1145/2993600
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. dynamic analysis
  2. dynamic leakage
  3. probabilistic programs
  4. quantitative information flow

Qualifiers

  • Short-paper

Funding Sources

  • Agence Nationale de la Recherche

Conference

CCS'16
Acceptance Rates

PLAS '16 Paper Acceptance Rate 6 of 11 submissions, 55%;
Overall Acceptance Rate 43 of 77 submissions, 56%

Cited By

  • (2024) Dynamic Possible Source Count Analysis for Data Leakage Prevention. Proceedings of the 21st ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes. 10.1145/3679007.3685065 (98-111). Online publication date: 13-Sep-2024
  • (2024) Dynamic Controllability Analysis for Preventing Injection Attacks. 2024 IEEE 29th Pacific Rim International Symposium on Dependable Computing (PRDC). 10.1109/PRDC63035.2024.00026 (131-142). Online publication date: 13-Nov-2024
  • (2019) Quantifying the Information Leakage in Cache Attacks via Symbolic Execution. ACM Transactions on Embedded Computing Systems. 10.1145/3288758, 18:1 (1-27). Online publication date: 8-Jan-2019
  • (2019) On the Pitfalls and Vulnerabilities of Schedule Randomization Against Schedule-Based Attacks. 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS). 10.1109/RTAS.2019.00017 (103-116). Online publication date: Apr-2019
  • (2017) Quantifying the information leak in cache attacks via symbolic execution. Proceedings of the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design. 10.1145/3127041.3127044 (25-35). Online publication date: 29-Sep-2017
