INTRODUCTION
THE APPROACH
CONCLUSION
Towards an SMT-based approach for Quantitative
Information Flow
Quoc-Sang Phan Pasquale Malacaria
Queen Mary, University of London
November 29, 2012
1 / 32
Outline
1 INTRODUCTION
2 THE APPROACH
QIF as a #SMT problem
A #DPLL(T ) for QIF
Symbolic Execution as #DPLL(T )
Soundness and Completeness
Experiment
3 CONCLUSION
Contributions
1 Introduction of a new research problem: #SMT, and its
applications to QIF and Symbolic Execution.
2 A framework, called #DPLL(T ), to build a solver for
#SMT-based QIF.
3 We show that Symbolic Execution analysis can be viewed as a
#SMT solver.
4 Two prototyping tools for QIF: sqifc employs CBMC and
jpf-qif is built on top of Symbolic Pathfinder.
5 Experiment of the tools on non-trivial case studies, with
dramatic improvement of performance compared with
existing tools.
Quantitative Information Flow Analysis
Channel Capacity
∆F (H) = F(H) − F(H|L) ≤ log2(N)
Lagrange multipliers and maximum information leakage
in different observational models. Malacaria and Chen
(PLAS 2008)
On the Foundations of Quantitative Information Flow.
Smith (FOSSACS 2009).
Challenge
f : D → Do
N = 0
for all v in Do do
    if (assert O != v is violated) then
        N ← N + 1
    end if
end for
return N
Figure: Exhaustive counting of outputs of a program f
STATE OF THE ART
Existing techniques:
DisQuant: Backes et al. S&P 2009.
Employs model checking to compute an equivalence relation R.
If R can be expressed by linear integer inequalities A·x̄ ≤ b̄ (a bounded integer
polytope), then Barvinok's algorithm is used to count.
selfcomp: Heusser and Malacaria. ACSAC 2010.
Exploits assume-guarantee reasoning to extend self-composition.
Applied to programs in the Linux kernel.
The #SMT problem
The SMT problem
Satisfiability Modulo Theories (SMT) is a decision problem for
logical formulas w.r.t. combinations of background theories T
expressed in classical first-order logic with equality.
Boolean abstraction BA(ϕ): a bijective function that
maps Boolean atoms into themselves.
maps non-Boolean T -atoms into fresh Boolean atoms.
The #SMT problem
ϕ := {¬(x + y > 1) ∨ A1}
∧ {(x + y > 1) ∨ ¬A2}
∧ {¬A3 ∨ (y − z < 7)}
BA(ϕ) := {¬B1 ∨ A1}
∧ {B1 ∨ ¬A2}
∧ {¬A3 ∨ B2}
The #SMT problem
Propositional abstract model counting, or #SMT, is the problem of
computing the number of Boolean abstractions of the models of a
given logical formula.
- The number of Boolean abstractions of the models is always finite.
- #SMT solver: #SAT solver + T-solvers.
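The following is an added example, not code from the slides or from the authors' tools. It is a toy #DPLL(T) model counter in Python that makes "#SMT solver = #SAT solver + T-solvers" concrete on the formula ϕ above: a DPLL-style search with unit propagation over the abstract atoms of BA(ϕ), where a T-solver is consulted after every step and prunes assignments that no integer point can realise. The bounded integer box the brute-force T-solver searches, and the extra constructed atom B3 (used only to show an assignment that is a propositional model but not a theory model), are assumptions of the example.

```python
# Added example (not from the slides): a toy #DPLL(T) model counter.
# It counts the Boolean abstractions of the T-models of a CNF formula
# over abstract atoms. The "T-solver" is a brute-force search over a
# small integer box, standing in for a real theory solver.
from itertools import product

# Meaning of the non-Boolean T-atoms: the slide's B1 and B2, plus a
# constructed atom B3 that contradicts B1 (used by the pruning example).
T_ATOMS = {
    "B1": lambda e: e["x"] + e["y"] > 1,
    "B2": lambda e: e["y"] - e["z"] < 7,
    "B3": lambda e: e["x"] + e["y"] < 0,   # constructed, not on the slide
}
BOX = range(-8, 9)   # assumed bounded domain searched by the toy T-solver

# BA(phi) from the slide: (~B1 v A1) ^ (B1 v ~A2) ^ (~A3 v B2).
# A literal is an atom name, negated with a leading "-".
PHI = [["-B1", "A1"], ["B1", "-A2"], ["-A3", "B2"]]
PHI_ATOMS = ["B1", "A1", "A2", "A3", "B2"]

# Constructed formula (B1 v B3): three propositional models, but the
# assignment B1 ^ B3 has no integer model, so #SMT counts only two.
PRUNED = [["B1", "B3"]]
PRUNED_ATOMS = ["B1", "B3"]


def t_solver(assignment):
    """Toy T-solver: is there an integer point in BOX giving every
    assigned T-atom its assigned truth value? Pure Boolean atoms (A1..)
    are ignored, as a real T-solver would ignore them."""
    constrained = {a: v for a, v in assignment.items() if a in T_ATOMS}
    if not constrained:
        return True
    for x, y, z in product(BOX, repeat=3):
        env = {"x": x, "y": y, "z": z}
        if all(T_ATOMS[a](env) == v for a, v in constrained.items()):
            return True
    return False


def unit_propagate(clauses, assignment):
    """Assign every literal forced by a unit clause (in place).
    Returns False on a conflict, i.e. a clause with all literals false."""
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            unassigned, satisfied = [], False
            for lit in clause:
                atom, val = lit.lstrip("-"), not lit.startswith("-")
                if atom in assignment:
                    if assignment[atom] == val:
                        satisfied = True
                        break
                else:
                    unassigned.append((atom, val))
            if satisfied:
                continue
            if not unassigned:
                return False
            if len(unassigned) == 1:
                atom, val = unassigned[0]
                assignment[atom] = val
                changed = True
    return True


def count_smt(clauses, atoms, assignment=None, use_theory=True):
    """#DPLL(T): propagate units, ask the T-solver, branch on the next
    free atom, and count the complete theory-consistent models.
    With use_theory=False this degrades to a plain #SAT counter."""
    assignment = dict(assignment or {})
    if not unit_propagate(clauses, assignment):
        return 0
    if use_theory and not t_solver(assignment):
        return 0                     # propositionally fine, T-inconsistent
    free = [a for a in atoms if a not in assignment]
    if not free:
        return 1                     # every clause satisfied, one model
    atom = free[0]
    return (count_smt(clauses, atoms, {**assignment, atom: True}, use_theory)
            + count_smt(clauses, atoms, {**assignment, atom: False}, use_theory))


if __name__ == "__main__":
    print("#SMT(phi)   =", count_smt(PHI, PHI_ATOMS))                    # 12
    print("#SAT(B1vB3) =", count_smt(PRUNED, PRUNED_ATOMS, use_theory=False))  # 3
    print("#SMT(B1vB3) =", count_smt(PRUNED, PRUNED_ATOMS))              # 2
```

For ϕ every Boolean model of BA(ϕ) is also a theory model, because B1 and B2 constrain disjoint variables, so #SAT and #SMT agree at 12; the constructed (B1 ∨ B3) shows the case that matters for QIF, where the T-solver rejects a path the propositional search alone would have counted.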
QIF as a #SMT problem
A set of Boolean variables Φ := {p1, p2, .., pM}, in which each pi
corresponds to a bit bi of the output O.
Without any constraints: Φ represents 2^M possible values.
With the constraints from program P: Φ represents N
possible values (the possible outputs of the program).
QIF as a #SMT problem
P can be encoded into a logical formula ϕ w.r.t. theories T .
Each pi is a boolean abstraction of the T -atom expressing the
constraints on bit bi → QIF is a #SMT problem.
Program ←→ Logical formula
Model checker ←→ T -solver
An example
base = 8;
if (H < 16) then
    O = base + H
else
    O = base
end if
Figure: Data sanitization program
H is in [0..15].
O is in [8..23].
Symbolic Quantitative Information Flow
Figure: search tree of symbolic QIF. Starting from the empty path condition, the tree branches on p1, then p2, p3, p4 and p5; the nodes shown are p1, p1 ∧ p2, p1 ∧ p2 ∧ p3, p1 ∧ p2 ∧ p3 ∧ p4, and the two leaves p1 ∧ p2 ∧ p3 ∧ p4 ∧ p5 and p1 ∧ p2 ∧ p3 ∧ p4 ∧ ¬p5; infeasible branches are marked UNSAT. Each path condition is checked with
assert !(p1 && p2 && p3 && p4 && p5);
A #DPLL(T ) for QIF
function SymCount(Φ, Ψ, N, pc, i)
    Extract pi from Φ
    pc1 ← pc ∧ pi
    if (T-solver(pc1)) then
        if (i == M) then
            Ψ ← Ψ ∪ {pc1}
            N ← N + 1
        else
            SymCount(Φ, Ψ, N, pc1, i + 1)
        end if
    end if
    pc2 ← pc ∧ ¬pi
    . . .
end function
Figure: Symbolic counting for QIF
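The following is an added example, not code from the slides or from sqifc / jpf-qif. It runs the SymCount procedure of the figure above on the data sanitization program, and cross-checks the result against the exhaustive counting of the "Challenge" figure. The T-solver is a brute-force oracle over the secret's domain, standing in for the model checker or symbolic executor that the slides plug in; it answers the same question as the slide's assert !(p1 && ... && pM), namely whether some secret reaches an output whose constrained bits match. H ranging over [0..15] as on the slide and the output fitting in M = 5 bits are assumptions of the example.

```python
# Added example (not code from the slides or from sqifc / jpf-qif): the
# SymCount procedure run on the data sanitization program, with a
# brute-force oracle standing in for the T-solver.
import math


def sanitize(h):
    """The slide's data sanitization program: O = base + H if H < 16."""
    base = 8
    return base + h if h < 16 else base


def bit(value, i):
    """Bit i of value, i.e. the truth value of the slide's p_i."""
    return bool((value >> i) & 1)


def t_solver(program, domain, pc):
    """Oracle T-solver: is the path condition pc (bit index -> required
    value) feasible, i.e. does some secret in domain make the program
    produce an output whose constrained bits all match?"""
    return any(all(bit(program(h), i) == v for i, v in pc.items())
               for h in domain)


def sym_count(program, domain, nbits, pc=None, i=0, models=None):
    """SymCount(Phi, Psi, N, pc, i) from the figure: extend pc with p_i,
    then with not p_i; descend only while the T-solver finds pc feasible;
    once all M = nbits bits are fixed, record the path condition in Psi.
    Returns (N, Psi)."""
    pc = {} if pc is None else pc
    models = [] if models is None else models
    if i == nbits:                      # pc fixes every output bit
        models.append(dict(pc))
        return len(models), models
    for value in (True, False):         # the p_i branch, then the not p_i branch
        pc1 = {**pc, i: value}
        if t_solver(program, domain, pc1):
            sym_count(program, domain, nbits, pc1, i + 1, models)
    return len(models), models


def outputs_of(models):
    """Decode each complete path condition back into its output value."""
    return {sum(1 << i for i, v in m.items() if v) for m in models}


def exhaustive_count(program, domain):
    """The 'Challenge' figure: run the program on every secret and count."""
    return len({program(h) for h in domain})


def channel_capacity(n):
    """Channel capacity bound log2(N) for N distinct outputs."""
    return math.log2(n)


if __name__ == "__main__":
    n, psi = sym_count(sanitize, range(16), 5)
    print(n, sorted(outputs_of(psi)))             # 16 outputs, 8..23
    print(exhaustive_count(sanitize, range(16)))  # same N, the slow way
    print(channel_capacity(n), "bits")            # 4.0
```

Without the program's constraints the five bits would stand for 2^M = 32 values (sym_count on the identity program over [0..31] returns 32); with them, the search finds the 16 feasible leaves, one per possible output, and prunes the rest at the first infeasible prefix instead of trying every value of O.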
Symbolic Execution as a #SMT solver
If a program is encoded as a logical formula, e.g. in Static Single
Assignment form, then a Symbolic Execution tool is a #SMT
solver for this formula.
Symbolic Execution as a #SMT solver
if (x > 1) y = x < 5 ? x + 10 : x ; else y = 0 ;
C1 as (x > 1).
C2 as (x < 5).
A1 as (y1 = x + 10).
A2 as (y2 = x).
A3 as (y3 = 0).
C1 ∧ (C2 ∧ A1 ∨ ¬C2 ∧ A2) ∨ ¬C1 ∧ A3
There are 4 models
{C1 ∧ C2, C1 ∧ ¬C2, ¬C1 ∧ C2, ¬C1 ∧ ¬C2}
Symbolic Execution as a #SMT solver
$$O = \begin{cases} f_1(i_1, i_2, \dots, i_M) & \text{if } pc_1 \\ f_2(i_1, i_2, \dots, i_M) & \text{if } pc_2 \\ \dots & \dots \\ f_N(i_1, i_2, \dots, i_M) & \text{if } pc_N \end{cases}$$
Where:
$\forall i, j \in [1, N],\ i \neq j:\ pc_i \wedge pc_j = \bot$
Symbolic Execution as #DPLL(T )
pc ⊨ c : execute the then path
→ unit propagation
pc ⊨ ¬c : execute the else path
→ unit propagation
(pc ⊭ c) ∧ (pc ⊭ ¬c):
then path: pc1 = pc ∧ c
else path: pc2 = pc ∧ ¬c
→ branching
SQIF-SE: SQIF by Symbolic Execution
base = 8;
if (H < 16) then
    O = base + H
else
    O = base
end if
for all element bi in vector bvo do
    if (bi == 1) then
        pi = True
    else
        pi = False
    end if
end for
Figure: Additional conditions
SQIF-SE: SQIF by Symbolic Execution
Figure: symbolic execution tree of SQIF-SE. From the root s1 the program condition splits into s2 with pc := (H < 16) and s3 with pc := (H ≥ 16); each of these then branches on the additional condition p1 (pc ∧ p1, pc ∧ ¬p1), then on p2 (pc ∧ p1 ∧ p2, pc ∧ p1 ∧ ¬p2), and so on.
(H ≥ 16) and (H < 16): program conditions.
p1, p2, ..: additional conditions.
Soundness and Completeness
Theoretically, the SQIF approach is both sound and complete.
1 In practice, SQIF is sound and complete for small leaks.
2 SQIF-SE is sound and complete with respect to a bounded model of
the program.
Does it leak more than k?
Quantifying information leaks in software. ACSAC 2010.
Heusser and Malacaria.
With a user policy k, SQIF may not be complete, but the
secure/insecure verdict is always sound.
Experiment
Two prototyping tools:
jpf-qif
a tool for Java, also developed in Java.
built on top of Symbolic Pathfinder (the Symbolic Execution
extension of Java Pathfinder).
sqifc
a tool for C, also developed in C.
built on top of CBMC (a Bounded Model Checking tool for C).
Compared with selfcomp (Heusser and Malacaria, ACSAC 2010).
CVE-2011-2208
int osf_getdomainname(char __user *name, int namelen)
{
	unsigned len;
	int i, error;

	error = verify_area(VERIFY_WRITE, name, namelen);
	if (error)
		goto out;

	len = namelen;
	if (namelen > 32)
		len = 32;

	down_read(&uts_sem);
	for (i = 0; i < len; ++i) {
		__put_user(system_utsname.domainname[i], name + i);
		if (system_utsname.domainname[i] == '\0')
			break;
	}
	up_read(&uts_sem);
out:
	return error;
}
Figure: arch/alpha/kernel/osf_sys.c
CVE-2011-1078
static int sco_sock_getsockopt_old(struct socket *sock, int optname,
				   char __user *optval, int __user *optlen)
{
	struct sock *sk = sock->sk;
	struct sco_conninfo cinfo;
	int len, err = 0;
	...

	lock_sock(sk);

	switch (optname) {
	case SCO_OPTIONS:
		...

	case SCO_CONNINFO:
		...

		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);

		len = min_t(unsigned int, len, sizeof(cinfo));
		if (copy_to_user(optval, (char *)&cinfo, len))
			err = -EFAULT;
		break;
	...
	}

	release_sock(sk);
	return err;
}
Figure: net/bluetooth/sco.c
Cyclic Redundancy Check
unsigned char GetCRC8(unsigned char check,
                      unsigned char ch)
{
	int i, sft;
	for (i = 0; i < 8; i++) {
		if (check & 0x80) {
			check <<= 1;
			if (ch & 0x80) {
				check = check | 0x01;
			} else {
				check = check & 0xfe;
			}
			check = check ^ 0x85;
		} else {
			check <<= 1;
			if (ch & 0x80) {
				check = check | 0x01;
			} else {
				check = check & 0xfe;
			}
		}
		ch <<= 1;
	}
	check >>= sft;
	return check;
}
Figure: Cyclic Redundancy Check
Tax Record
Figure: The tax program (class diagram). TaxRecord implements two interfaces: TaxRecord4taxPayer (getTaxes(): int, getAmountPayed(): int, payTaxes(don:int, amnt:int)) and TaxRecord4taxChecker (verifyPayment(): int, freeze(): int). TaxServer holds the taxRecords and implements TaxServer4charity (getCharity(): int). A TaxPayer (taxPayer1) owns a taxRecord1; a TaxChecker (checker1, checkTaxes(tr:TaxRecord4taxChecker): int) and a Charity access the records through server1.
taxChecker1: income × F% + donation > payment
taxChecker2: income × F% + donation − payment
jpf-qif: channel capacity of 4.86 bits
DEMO
Case Study            LoC     Language   sqifc    jpf-qif   selfcomp
Data Sanitization     < 10    C/Java     28.179   20.695    timed out
CVE-2011-2208 (64)    > 200   C          22.759   ×         119.117
CVE-2011-2208 (256)           C          88.196   ×         timed out
CVE-2011-1078 (8)     > 200   C          10.380   ×         13.853
CVE-2011-1078 (64)            C          37.899   ×         timed out
CRC (8)               < 30    C/Java     1.209    8.386     0.498
CRC (32)                      C/Java     8.657    9.357     timed out
Tax Record            267     Java       ×        24.988    ×
Figure: Times in seconds for all case studies, timeout is 30 minutes
Conclusions
1 Introduction of a new research problem: #SMT, and its
applications to QIF and Symbolic Execution.
2 A framework, called #DPLL(T ), to build a solver for
#SMT-based QIF.
3 The methodology of Symbolic Execution recast as
#DPLL(T ).
4 Two prototyping tools for QIF: sqifc and jpf-qif.
5 Experiment of the tools on non-trivial case studies.
THANK YOU FOR YOUR ATTENTION!
Vikramjit Singh
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
kaushalkr1407
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
bennyroshan06
 

Recently uploaded (20)

Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
 
Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)
 
Introduction to Quality Improvement Essentials
Introduction to Quality Improvement EssentialsIntroduction to Quality Improvement Essentials
Introduction to Quality Improvement Essentials
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxStudents, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptx
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
Sectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdfSectors of the Indian Economy - Class 10 Study Notes pdf
Sectors of the Indian Economy - Class 10 Study Notes pdf
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 

Towards an SMT-based approach for Quantitative Information Flow

  • 1. INTRODUCTION THE APPROACH CONCLUSION Towards an SMT-based approach for Quantitative Information Flow Quoc-Sang Phan Pasquale Malacaria Queen Mary, University of London November 29, 2012 1 / 32
  • 2. Outline
    1 INTRODUCTION
    2 THE APPROACH: QIF as a #SMT problem; A #DPLL(T) for QIF; Symbolic Execution as #DPLL(T); Soundness and Completeness; Experiment
    3 CONCLUSION
  • 3. Contributions
    1 Introduction of a new research problem: #SMT, and its applications to QIF and Symbolic Execution.
    2 A framework, called #DPLL(T), to build a solver for #SMT-based QIF.
    3 We show that Symbolic Execution analysis can be viewed as a #SMT solver.
    4 Two prototype tools for QIF: sqifc employs CBMC and jpf-qif is built on top of Symbolic Pathfinder.
    5 Experiments with the tools on non-trivial case studies, with dramatic improvement of performance compared with existing tools.
  • 4. Quantitative Information Flow Analysis
    Channel Capacity: ∆F(H) = F(H) − F(H|L) ≤ log2(N)
    Lagrange multipliers and maximum information leakage in different observational models. Malacaria and Chen (PLAS 2008).
    On the Foundations of Quantitative Information Flow. Smith (FOSSACS 2009).
  • 5. Challenge
    f : D → Do
    N = 0
    for all v in Do do
        if (assert O != v is violated) then
            N ← N + 1
        end if
    end for
    return N
    Figure: Exhaustive counting of outputs of a program f
  • 6. STATE OF THE ART
    Existing techniques:
    DisQuant: Backes et al. S&P 2009. Employs model checking to compute an equivalence relation R. If R is given by linear integer inequalities A x̄ ≤ b̄ (a bounded integer polytope), then the Barvinok algorithm is used to count.
    selfcomp: Heusser and Malacaria. ACSAC 2010. Exploits assume-guarantee reasoning to extend self-composition. Applied to programs in the Linux kernel.
  • 7. The #SMT problem
    The SMT problem: Satisfiability Modulo Theories (SMT) is the decision problem for logical formulas w.r.t. combinations of background theories T expressed in classical first-order logic with equality.
    Boolean abstraction BA(ϕ): a bijective function that maps Boolean atoms into themselves and maps non-Boolean T-atoms into fresh Boolean atoms.
  • 8. The #SMT problem
    ϕ := {¬(x + y > 1) ∨ A1} ∧ {(x + y > 1) ∨ ¬A2} ∧ {¬A3 ∨ (y − z < 7)}
    BA(ϕ) := {¬B1 ∨ A1} ∧ {B1 ∨ ¬A2} ∧ {¬A3 ∨ B2}
    The #SMT problem: propositional abstract model counting, or #SMT, is the problem of computing the number of Boolean abstractions of the models of a given logical formula.
    - The number of Boolean abstractions of the models is always finite.
    - #SMT solver: #SAT solver + T-solvers.
  • 10. QIF as a #SMT problem
    A set of Boolean variables Φ := {p1, p2, ..., pM}, in which each pi corresponds to a bit bi of the output O.
    Without any constraints: Φ represents 2^M possible values.
    With the constraints from program P: Φ represents N possible values (the possible outputs of the program).
  • 11. QIF as a #SMT problem
    P can be encoded into a logical formula ϕ w.r.t. theories T. Each pi is a Boolean abstraction of the T-atom expressing the constraints on bit bi → QIF is a #SMT problem.
    Program ←→ Logical formula
    Model checker ←→ T-solver
  • 12. An example
    base = 8;
    if (H < 16) then
        O = base + H
    else
        O = base
    end if
    Figure: Data sanitization program
    H is in [0..15]. O is in [8..23].
  • 13. Symbolic Quantitative Information Flow
    Figure: search tree over the additional conditions p1, ..., p5. The path conditions p1, p1 ∧ p2, p1 ∧ p2 ∧ p3 and p1 ∧ p2 ∧ p3 ∧ p4 are extended to p1 ∧ p2 ∧ p3 ∧ p4 ∧ p5 and p1 ∧ p2 ∧ p3 ∧ p4 ∧ ¬p5; a branch reported UNSAT is not explored further.
    assert !(p1 && p2 && p3 && p4 && p5);
  • 14. A #DPLL(T) for QIF
    function SymCount(Φ, Ψ, N, pc, i)
        Extract pi from Φ
        pc1 ← pc ∧ pi
        if (T-solver(pc1)) then
            if (i == M) then
                Ψ ← Ψ ∪ {pc1}
                N ← N + 1
            else
                SymCount(Φ, Ψ, N, pc1, i + 1)
            end if
        end if
        pc2 ← pc ∧ ¬pi
        . . .
    end function
    Figure: Symbolic counting for QIF
  • 15. Symbolic Execution as a #SMT solver
    If a program is encoded as a logical formula, e.g. in Static Single Assignment form, then a Symbolic Execution tool is a #SMT solver for this formula.
  • 16. Symbolic Execution as a #SMT solver
    if (x > 1)
        y = x < 5 ? x + 10 : x;
    else
        y = 0;
    C1 as (x > 1). C2 as (x < 5). A1 as (y1 = x + 10). A2 as (y2 = x). A3 as (y3 = 0).
    C1 ∧ (C2 ∧ A1 ∨ ¬C2 ∧ A2) ∨ ¬C1 ∧ A3
    There are 4 models: {C1 ∧ C2, C1 ∧ ¬C2, ¬C1 ∧ C2, ¬C1 ∧ ¬C2}
  • 17. Symbolic Execution as a #SMT solver
    O = f1(i1, i2, ..., iM) if pc1
        f2(i1, i2, ..., iM) if pc2
        . . .
        fN(i1, i2, ..., iM) if pcN
    where ∀i, j ∈ [1, N] with i ≠ j: pci ∧ pcj = ⊥ (the path conditions are mutually exclusive)
  • 18. Symbolic Execution as #DPLL(T)
    pc ⊨ c: execute the then path → unit propagation
    pc ⊨ ¬c: execute the else path → unit propagation
    (pc ⊭ c) ∧ (pc ⊭ ¬c): then path: pc1 = pc ∧ c; else path: pc2 = pc ∧ ¬c → branching
  • 19. SQIF-SE: SQIF by Symbolic Execution
    base = 8;
    if (H < 16) then
        O = base + H
    else
        O = base
    end if
    for all element bi in vector bvo do
        if (bi == 1) then
            pi = True
        else
            pi = False
        end if
    end for
    Figure: Additional conditions
  • 21. SQIF-SE: SQIF by Symbolic Execution
    Figure: symbolic execution tree with states s1, s2, s3. The program condition splits the root: H < 16 gives pc := (H < 16), H ≥ 16 gives pc := (H ≥ 16). The additional conditions then extend each pc in turn: pc ∧ p1, pc ∧ ¬p1, pc ∧ p1 ∧ p2, pc ∧ p1 ∧ ¬p2, ...
    (H ≥ 16) and (H < 16): program conditions. p1, p2, ...: additional conditions.
  • 22. Soundness and Completeness
    Theoretically, the SQIF approach is both sound and complete.
    1 In reality, SQIF is sound and complete for small leaks.
    2 SQIF-SE is sound and complete with respect to a bounded model of the program.
    Does it leak more than k? Quantifying information leaks in software. ACSAC 2010. Heusser and Malacaria.
    With a user policy k, SQIF may not be complete, but the secure/insecure verdict is always sound.
  • 24. Experiment
    Two prototype tools:
    jpf-qif: tool for Java, also developed in Java; built on top of Symbolic Pathfinder (the Symbolic Execution extension of Java Pathfinder).
    sqifc: tool for C, also developed in C; built on top of CBMC (Bounded Model Checking tool for C).
    Compared with selfcomp (Heusser and Malacaria, ACSAC 2010).
  • 25. CVE-2011-2208
    int osf_getdomainname(char __user *name, int namelen)
    {
        unsigned len;
        int i, error;

        error = verify_area(VERIFY_WRITE, name, namelen);
        if (error)
            goto out;

        /* namelen is signed, len is unsigned: only the upper bound is checked */
        len = namelen;
        if (namelen > 32)
            len = 32;

        down_read(&uts_sem);
        for (i = 0; i < len; ++i) {
            __put_user(system_utsname.domainname[i], name + i);
            if (system_utsname.domainname[i] == '\0')
                break;
        }
        up_read(&uts_sem);
    out:
        return error;
    }
    Figure: arch/alpha/kernel/osf_sys.c
  • 26. CVE-2011-1078
    static int sco_sock_getsockopt_old(struct socket *sock, int optname,
                                       char __user *optval, int __user *optlen)
    {
        struct sock *sk = sock->sk;
        struct sco_conninfo cinfo;
        int len, err = 0;
        ...

        lock_sock(sk);

        switch (optname) {
        case SCO_OPTIONS:
            ...

        case SCO_CONNINFO:
            ...

            cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
            memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);

            len = min_t(unsigned int, len, sizeof(cinfo));
            if (copy_to_user(optval, (char *)&cinfo, len))
                err = -EFAULT;
            break;
        ...
        }

        release_sock(sk);
        return err;
    }
    Figure: net/bluetooth/sco.c
  • 27. Cyclic Redundancy Check
    unsigned char GetCRC8(unsigned char check, unsigned char ch)
    {
        int i, sft;
        for (i = 0; i < 8; i++) {
            if (check & 0x80) {
                check <<= 1;
                if (ch & 0x80) {
                    check = check | 0x01;
                } else {
                    check = check & 0xfe;
                }
                check = check ^ 0x85;
            } else {
                check <<= 1;
                if (ch & 0x80) {
                    check = check | 0x01;
                } else {
                    check = check & 0xfe;
                }
            }
            ch <<= 1;
        }
        check >>= sft;
        return check;
    }
    Figure: Cyclic Redundancy Check
  • 28. Tax Record
    Figure: The tax program (class diagram). Classes TaxPayer, TaxChecker, Charity and TaxServer; interfaces TaxRecord4taxPayer (getTaxes(): int, getAmountPayed(): int, payTaxes(don:int, amnt:int)), TaxRecord4taxChecker (verifyPayment(): int, freeze(): int) and TaxServer4charity (getCharity(): int); TaxChecker offers checkTaxes(tr:TaxRecord4taxChecker): int; associations taxPayer1, taxRecord1, checker1, server1, taxRecords.
    taxChecker1: income × F% + donation > payment
    taxChecker2: income × F% + donation − payment
    jpf-qif: channel capacity of 4.86 bits
  • 29. DEMO
  • 30.
    Case Study            LoC     Language   sqifc    jpf-qif    selfcomp
    Data Sanitization     < 10    C/Java     28.179   20.695     timed out
    CVE-2011-2208 (64)    > 200   C          22.759   ×          119.117
    CVE-2011-2208 (256)           C          88.196   ×          timed out
    CVE-2011-1078 (8)     > 200   C          10.380   ×          13.853
    CVE-2011-1078 (64)            C          37.899   ×          timed out
    CRC (8)               < 30    C/Java     1.209    8.386      0.498
    CRC (32)                      C/Java     8.657    9.357      timed out
    Tax Record            267     Java       ×        24.988s    ×
    Figure: Times in seconds for all case studies; timeout is 30 minutes
  • 31. Conclusions
    1 Introduction of a new research problem: #SMT, and its applications to QIF and Symbolic Execution.
    2 A framework, called #DPLL(T), to build a solver for #SMT-based QIF.
    3 The methodology of Symbolic Execution recast as #DPLL(T).
    4 Two prototype tools for QIF: sqifc and jpf-qif.
    5 Experiments with the tools on non-trivial case studies.
  • 32. THANK YOU FOR YOUR ATTENTION!
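The SymCount procedure of slide 14, driven by the output-bit conditions of slides 10 and 19, as an added example in Python (not the authors' sqifc or jpf-qif code). The function names, the MSB-first bit order, the 8-bit secret domain and the bounded enumeration used in place of a real T-solver are assumptions of this example.

```python
"""SymCount-style symbolic counting of program outputs (#DPLL(T) for QIF).
Added example, not the authors' sqifc or jpf-qif code: a bounded enumeration
over the secret domain stands in for the T-solver (assumption of this example)."""
import math
from typing import Callable, Dict, Iterable, List, Tuple

Program = Callable[[int], int]   # f : D -> Do, secret H in, output O out
PathCond = Dict[int, int]        # path condition on output bits: {bit i: value}


def data_sanitization(h: int) -> int:
    """The slides' data sanitization program: O = base + H if H < 16 else base."""
    base = 8
    return base + h if h < 16 else base


def make_t_solver(program: Program, domain: Iterable[int], width: int):
    """Feasibility oracle for path conditions on the output bits.  Bit index 0
    is the most significant of `width` bits (a convention of this example);
    feasible(pc) asks whether some secret in `domain` yields an output that
    agrees with pc on every constrained bit."""
    outputs = [program(h) for h in domain]   # constructed bounded domain

    def bit(o: int, i: int) -> int:
        return (o >> (width - 1 - i)) & 1

    def feasible(pc: PathCond) -> bool:
        return any(all(bit(o, i) == v for i, v in pc.items()) for o in outputs)

    return feasible


def sym_count(program: Program, domain: Iterable[int], width: int) -> Tuple[int, int]:
    """Return (N, solver_calls): N distinct outputs, found by deciding each bit
    condition p_i in turn and pruning every prefix the T-solver reports UNSAT."""
    feasible = make_t_solver(program, domain, width)
    models: List[PathCond] = []   # Psi: the complete, feasible path conditions
    calls = 0

    def explore(pc: PathCond, i: int) -> None:
        nonlocal calls
        for value in (1, 0):       # decide p_i, then the complementary ¬p_i
            pc1 = {**pc, i: value}
            calls += 1
            if not feasible(pc1):  # UNSAT: the whole subtree below is pruned
                continue
            if i == width - 1:     # every bit fixed: exactly one output value
                models.append(pc1)
            else:
                explore(pc1, i + 1)

    explore({}, 0)
    return len(models), calls


def channel_capacity(n_outputs: int) -> float:
    """Upper bound on the leak from slide 4: log2 of the number of outputs."""
    return math.log2(n_outputs)


def exhaustive_checks(width: int) -> int:
    """Checks made by slide 5's loop, which asserts O != v for every v in Do."""
    return 2 ** width


if __name__ == "__main__":
    n, calls = sym_count(data_sanitization, range(256), 8)
    print(f"N = {n} outputs, channel capacity = {channel_capacity(n)} bits")
    print(f"T-solver calls: {calls} vs {exhaustive_checks(8)} exhaustive checks")
```

With an 8-bit secret the sanitization program yields N = 16 outputs (a 4-bit channel capacity) after 40 T-solver calls, against the 256 checks of exhaustive counting; a constant program needs only 2 calls per bit.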