Date posted: 13-Dec-2014
Uploaded by: quoc-sang-phan
THE PROBLEM | THE APPROACH | CONCLUSION
Symbolic Quantitative Information Flow
Quoc-Sang Phan (1), Pasquale Malacaria (1), Oksana Tkachuk (2), Corina S. Pasareanu (2)
(1) Queen Mary University of London
(2) NASA Ames Research Center
November 12, 2012
1 / 17
Non-interference | Quantitative Information Flow | State of the art
Attacker model
Attacker model: an example
Example: an attacker steals your cash card
The attacker has no idea about your PIN.
A priori probability to guess: 0.0001.
The attacker randomly tries a PIN:
The PIN is accepted (with probability 0.0001)
The PIN is rejected (with probability 0.9999)
What did the attacker learn?
Quantitative Information Flow Analysis
Definition 1
leakage = secrecy before observing − secrecy after observing
Given a function F measuring secrecy:
ΔF(H) = F(H) − F(H|L)
F is based on Information Theory:
Shannon Entropy: cash machine ΔH = 0.00147
Min Entropy
Guessing Entropy
State of the art
Channel Capacity
ΔF(H) ≤ log2(N)
Existing work:
Barvinok-based counting (Backes et al., S&P 2009): too restrictive and over-complicated.
Bit pattern counting (Meng and Smith, PLAS 2011): largely manual, imprecise when outputs are diverged in the state space.
Symbolic Quantitative Information Flow | Preliminary Experiment
Data Sanitization Example
base = 8;
if (H < 16) then
    O = base + H
else
    O = base
end if
Output in [8..23]
Output is represented by a bit vector bvo := bK bK−1 .. b1.
For each bit, check whether it is always 0, always 1, or either.
Automation of BitPattern method
Input is symbolic.
Extracting the i-th bit:
for all elements bi in vector bvo do
    bi = (O >> i) & 1
end for
Check: assert bi == 0
Automate the bit queries by verifying these assertions with JPF.
Bit Pattern Results for Sanitization Example
Output in [8..23]
One-Bit Pattern: 000000000000000000000000000*****
Two-Bit Pattern: b4b3 can only be {01, 10} → 16 possible outputs
Max leakage = 4 bits
Translate BitPattern to CNF, count solutions by RelSat
Symbolic Quantitative Information Flow
Output is represented by a bit vector bvo := bK bK−1 .. b1.
Use Symbolic Execution to explore all possible values of bvo:
Add one condition for each bit bi to test it.
There are K additional conditions in total.
There are 2^K combinations of conditions; each one represents a distinct possible value.
Count the distinct concrete values returned by Symbolic PathFinder.
Symbolic Counting by Symbolic Execution
base = 8;
if (H < 16) then
    O = base + H
else
    O = base
end if
for all elements bi in vector bvo do
    bi = (O >> i) & 1
end for
for all elements bi in vector bvo do
    if (bi == 1) then
        pi = True
    else
        pi = False
    end if
end for
Figure: Additional conditions
Symbolic Counting by Symbolic Execution
Figure: symbolic execution tree for the sanitization example. The initial state s1 (Initialize PC) branches on the program conditions H < 16 and H ≥ 16 into states s2 with pc := (H < 16) and s3 with pc := (H ≥ 16); along each branch the path condition is then extended with the additional conditions, giving pc ∧ p1, then pc ∧ p1 ∧ p2 and pc ∧ p1 ∧ ¬p2, and so on.
(H ≥ 16) and (H < 16): program conditions.
p1, p2, ..: additional conditions.
Path Exploration with Additional Constraints
Figure: path exploration with additional constraints. The path condition is extended one bit at a time: pc ∧ p1, pc ∧ p1 ∧ p2, pc ∧ p1 ∧ p2 ∧ p3, pc ∧ p1 ∧ p2 ∧ p3 ∧ p4, and finally pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ p5 (UNSAT) and pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ ¬p5.
assert p1 is SAT
assert p1 && p2 && p3 && p4 && p5 is UNSAT
DEMO
Implicit Flow
O = 0;
if (H == 0) O = 0;
else if (H == 1) O = 1;
else if (H == 2) O = 2;
else if (H == 3) O = 3;
else if (H == 4) O = 4;
else if (H == 5) O = 5;
else if (H == 6) O = 6;
else O = 0;
Figure: Implicit Flow
BitPattern: 45ms, channel capacity: 3 bits
SQIF-SE: 717ms, channel capacity: 2.81 bits
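The bit-pattern bound (the one-bit and two-bit patterns of the sanitization example) and the SQIF-SE count of distinct outputs, including the implicit-flow figures above, as an added Python example that is not part of the original slides or of jpf-qif. It assumes a constructed finite input domain enumerated exhaustively in place of symbolic execution, and a brute-force model count over the free bits in place of the CNF translation and RelSat.

```python
import math
from itertools import combinations, product

K = 8                      # output bit width bK..b1 (slides use 32; 8 keeps patterns short)
MASK = (1 << K) - 1

def sanitize(h):
    # Data sanitization example from the slides: output lies in [8..23]
    base = 8
    return base + h if h < 16 else base

def implicit_flow(h):
    # Implicit-flow example from the slides: O = H for H in 0..6, otherwise 0
    return h if 0 <= h <= 6 else 0

def distinct_outputs(prog, inputs):
    # Stand-in for Symbolic PathFinder: exhaustively run a finite, constructed
    # input domain and collect the distinct concrete outputs SQIF-SE would count.
    return {prog(h) & MASK for h in inputs}

def channel_capacity(n_distinct):
    # Channel capacity: leakage is bounded by log2(number of distinct outputs)
    return math.log2(n_distinct)

def one_bit_pattern(outs):
    # Per bit (MSB first): '0' if always 0, '1' if always 1, '*' if it can be either
    cols = [{(o >> i) & 1 for o in outs} for i in range(K - 1, -1, -1)]
    return ''.join('*' if len(c) > 1 else str(next(iter(c))) for c in cols)

def two_bit_count(outs):
    # BitPattern bound: keep the free bits, record which (b_i, b_j) value pairs
    # are feasible, and count assignments satisfying every pair constraint.
    # Brute-force enumeration stands in for the CNF translation + RelSat count.
    free = [i for i in range(K) if len({(o >> i) & 1 for o in outs}) > 1]
    allowed = {(a, b): {((o >> a) & 1, (o >> b) & 1) for o in outs}
               for a, b in combinations(free, 2)}
    count = 0
    for bits in product((0, 1), repeat=len(free)):
        val = dict(zip(free, bits))
        if all((val[a], val[b]) in ok for (a, b), ok in allowed.items()):
            count += 1
    return count

def compare(prog, inputs):
    # Returns the one-bit pattern, the BitPattern capacity and the exact capacity
    outs = distinct_outputs(prog, inputs)
    return {"pattern": one_bit_pattern(outs),
            "bitpattern_bits": channel_capacity(two_bit_count(outs)),
            "exact_bits": channel_capacity(len(outs))}
```

Running compare(sanitize, range(256)) gives the 4-bit figure of slide 8, while compare(implicit_flow, range(256)) reproduces the 3-bit BitPattern bound against the exact 2.81 bits of SQIF-SE.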
Ten random outputs
if (H == r1) O = r1;
else if (H == r2) O = r2;
else if (H == r3) O = r3;
...
else if (H == r9) O = r9;
else O = r10;
Figure: Ten random outputs
BitPattern: 5 seconds, channel capacity: 18.645.
SQIF-SE: less than 1 second, channel capacity: 3.322 bits.
Conclusions
A novel method for precise QIF.
Compared to Barvinok-based counting: simpler, less restrictive, more applicable.
Compared to BitPattern: always more precise, and faster when the possible outputs are diverged in the state space.
Automation of BitPattern method.
jpf-qif: the first tool to support information-theoretic QIF analysis.