The document proposes a symbolic approach to quantitatively measure information flow called Symbolic Quantitative Information Flow (SQIF). SQIF uses symbolic execution to precisely count the number of possible outputs, improving over prior approaches. It describes applying SQIF to examples and demonstrating it is faster and more precise than previous methods. The document concludes SQIF provides a novel method for precise quantitative information flow analysis.

1. THE PROBLEM
THE APPROACH
CONCLUSION
Symbolic Quantitative Information Flow
Quoc-Sang Phan1 Pasquale Malacaria1 Oksana Tkachuk2
Corina S. P˘s˘reanu2
aa
Queen Mary University of London
Nasa Ames Research Center
November 12, 2012
1 / 17

2. THE PROBLEM Non-interference
THE APPROACH Quantitative Information Flow
CONCLUSION State of the art
Attacker model
2 / 17

3. THE PROBLEM Non-interference
THE APPROACH Quantitative Information Flow
CONCLUSION State of the art
Attacker model: an example
Example: an attacker steals your cash card
Having no idea about your pin number.
A priori probability to guess: 0.0001.
Randomly try a pin number:
The pin is accepted (with probability 0.0001)
The pin is rejected (with probability 0.9999)
What did the attacker learn?
3 / 17

4. THE PROBLEM Non-interference
THE APPROACH Quantitative Information Flow
CONCLUSION State of the art
Quantitative Information Flow Analysis
Definition 1
leakage = secrecy before observing - secrecy after observing
Given a function F measuring secrecy
∆F (H) = F (H) − F (H|L)
F is based on Information Theory
Shannon Entropy: cash machine ∆H = 0.00147
Min Entropy
Guessing Entropy
4 / 17

5. THE PROBLEM Non-interference
THE APPROACH Quantitative Information Flow
CONCLUSION State of the art
State of the art
Channel Capacity
∆F (H) ≤ log2 (N)
Existing work:
Barvinok-based counting (Backes et al, S&P 2009): too
restrictive and over-complicated.
Bit patterns counting (Meng and Smith, PLAS 2011): largely
manual, imprecise when outputs are diverged in the state
space.
5 / 17

6. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Data Sanitization Example
base = 8;
if (H < 16) then
O = base + H
else
O = base
end if
Output in [8..23]
Output is represented by a bit vector bvo := bK bK −1 ..b1 .
For each bit, check whether it’s always 0 or 1 or any
6 / 17

7. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Automation of BitPattern method
Input symbolic
Extracting ith bit
for all element bi in vector bvo do
bi = (O >> i) &1
end for
Check assert bi == 0
Automate bit queries by verifying assertions by JPF
7 / 17

8. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Bit Pattern Results for Sanitization Example
Output in [8..23]
One-Bit Pattern: 000000000000000000000000000*****
Two-Bit Pattern: b4 b3 can only be {01,10} → 16 possible
outputs
Max leakage = 4 bits
Translate BitPattern to CNF, count solutions by RelSat
8 / 17

9. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Symbolic Quantitative Information Flow
Output is represented by a bit vector bvo := bK bK −1 ..b1 .
Use Symbolic Execution to explore all possible values of bvo
Add one condition for each bit bi to test it.
There are K additional conditions in total.
There are 2K combinations of condition, each one represents a
distinct possible value.
Count the distinct concrete values return by Symbolic
Pathfinder.
9 / 17

10. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Symbolic Counting by Symbolic Execution
base = 8;
if (H < 16) then
O = base + H
else
O = base
end if
for all element bi in vector bvo do
bi = (O >> i) &1
end for
for all element bi in vector bvo do
if (bi == 1) then
pi = True
else
pi = False
end if
end for 10 / 17

11. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Symbolic Counting by Symbolic Execution
s1
H < 16 H ≥ 16
s2 s3
InitializeP C InitializeP C
pc := (H < 16) pc := (H ≥ 16)
p1 p1
pc ∧ p1 pc ∧ p1
p2 p2
pc ∧ p1 ∧ ¬p2 pc ∧ p1 ∧ p2
(H ≥ 16) and (H < 16): program conditions.
p1 , p2 , ..: additional conditions.
11 / 17

12. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Path Exploration with Addtional Constraints
p1
pc ∧ p1
p2
pc ∧ p1 ∧ p2
p3
pc ∧ p1 ∧ p2 ∧ p3
p4
pc ∧ p1 ∧ p2 ∧ p3 ∧ p4
p5
pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ ¬p5 pc ∧ p1 ∧ p2 ∧ p3 ∧ p4 ∧ p5
UNSAT
assert p1 is SAT
assert p1 && p2 && p3 && p4 && p5 is UNSAT 12 / 17

13. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
DEMO
13 / 17

14. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Implicit Flow
O = 0;
if (H == 0) O = 0;
else if (H == 1) O = 1;
else if (H == 2) O = 2;
else if (H == 3) O = 3;
else if (H == 4) O = 4;
else if (H == 5) O = 5;
else if (H == 6) O = 6;
else O = 0;
Figure: Implicit Flow
BitPattern: 45ms, channel capacity: 3 bits
SQIF-SE: 717ms, channel capacity: 2.81 bits
14 / 17

15. THE PROBLEM
Symbolic Quantitative Information Flow
THE APPROACH
Preliminary Experiment
CONCLUSION
Ten random outputs
if (H == r1) O = r1;
else if (H == r2) O = r2;
else if (H == r3) O = r3;
...
else if (H == r9) O = r9;
else O = r10;
Figure: Ten random outputs
BitPattern: 5 seconds, channel capacity: 18.645.
SQIF-SE: less than 1 second, channel capacity: 3.322 bits.
15 / 17

16. THE PROBLEM
THE APPROACH
CONCLUSION
Conclusions
A novel method for precise QIF.
Compare to Barvinok-based counting: simpler, less restrictive,
more applicable.
Compare to BitPattern : always more precise, faster when
possible outputs are diverged in state-space.
Automation of BitPattern method.
jpf-qif: the first tool to support information-theoretic QIF
analysis.
16 / 17

17. THE PROBLEM
THE APPROACH
CONCLUSION
THANK YOU FOR YOUR ATTENTION!
17 / 17