Results 1 - 10 of 22
Anonymity and Information Hiding in Multiagent Systems, 2003
Cited by 58 (2 self)
We provide a framework for reasoning about information-hiding requirements in multiagent systems and for reasoning about anonymity in particular. Our framework employs the modal logic of knowledge within the context of the runs and systems framework, much in the spirit of our earlier work on secrecy [9]. We give several definitions of anonymity with respect to agents, actions, and observers in multiagent systems, and we relate our definitions of anonymity to other definitions of information hiding, such as secrecy. We also give probabilistic definitions of anonymity that are able to quantify an observer's uncertainty about the state of the system. Finally, we relate our definitions of anonymity to other formalizations of anonymity and information hiding, including definitions of anonymity in the process algebra CSP and definitions of information hiding using function views.
Belief in information flow. In Proc. 18th IEEE Computer Security Foundations Workshop, 2005
Cited by 49 (9 self)
Information leakage traditionally has been defined to occur when uncertainty about secret data is reduced. This uncertainty-based approach is inadequate for measuring information flow when an attacker is making assumptions about secret inputs and these assumptions might be incorrect; such attacker beliefs are an unavoidable aspect of any satisfactory definition of leakage. To reason about information flow based on beliefs, a model is developed that describes how attacker beliefs change due to the attacker’s observation of the execution of a probabilistic (or deterministic) program. The model leads to a new metric for quantitative information flow that measures accuracy rather than uncertainty of beliefs.
Preserving secrecy under refinement. Proc. of the 33rd Internat. Colloq. on Automata, Languages and Programming (ICALP ’06), volume 4052 of Lecture Notes in Computer Science, 2006
Cited by 22 (4 self)
We propose a general framework of secrecy and preservation of secrecy for labeled transition systems. Our definition of secrecy is parameterized by the distinguishing power of the observer, the properties to be kept secret, and the executions of interest, and captures a multitude of definitions in the literature. We define a notion of secrecy preserving refinement between systems by strengthening the classical trace-based refinement so that the implementation leaks a secret only when the specification also leaks it. We show that secrecy is in general not definable in μ-calculus, and thus not expressible in specification logics supported by standard model-checkers. However, we develop a simulation-based proof technique for establishing secrecy preserving refinement. This result shows how existing refinement checkers can be used to show correctness of an implementation with respect to a specification.
Information-Flow Security for Interactive Programs
Cited by 16 (5 self)
Interactive programs allow users to engage in input and output throughout execution. The ubiquity of such programs motivates the development of models for reasoning about their information-flow security, yet no such models seem to exist for imperative programming languages. Further, existing language-based security conditions founded on noninteractive models permit insecure information flows in interactive imperative programs. This paper formulates new strategy-based information-flow security conditions for a simple imperative programming language that includes input and output operators. The semantics of the language enables a fine-grained approach to the resolution of nondeterministic choices. The security conditions leverage this approach to prohibit refinement attacks while still permitting observable nondeterminism. Extending the language with probabilistic choice yields a corresponding definition of probabilistic noninterference. A soundness theorem demonstrates the feasibility of statically enforcing the security conditions via a simple type system. These results constitute a step toward understanding and enforcing information-flow security in real-world programming languages, which include similar input and output operators.
Quantifying information flow with beliefs. Cornell University, 2006
Cited by 8 (2 self)
To reason about information flow, a new model is developed that describes how attacker beliefs change due to the attacker’s observation of the execution of a probabilistic (or deterministic) program. The model enables compositional reasoning about information flow from attacks involving sequences of interactions. The model also supports a new metric for quantitative information flow that measures accuracy of an attacker’s beliefs. Applying this new metric reveals inadequacies of traditional information flow metrics, which are based on reduction of uncertainty. However, the new metric is sufficiently general that it can be instantiated to measure either accuracy or uncertainty. The new metric can also be used to reason about misinformation; deterministic programs are shown to be incapable of producing misinformation. Additionally, programs in which nondeterministic choices are made by insiders, who collude with attackers, can be analyzed.
Logical Concepts in Cryptography, 2006
Cited by 5 (3 self)
This paper is about the exploration of logical concepts in cryptography and their linguistic abstraction and model-theoretic combination in a logical system, called CPL (for Cryptographic Protocol Logic).
Reactive Noninterference
Cited by 5 (1 self)
Many programs operate reactively, patiently waiting for user input, subsequently running for a while producing output, and eventually returning to a state where they are ready to accept another input (or perhaps diverging). When a reactive program communicates with multiple parties, we would like to be sure that it can be given secret information from one without leaking it to others. In this paper, we explore various definitions of noninterference for reactive programs and identify two of special interest—one corresponding to termination-insensitive noninterference for a standard sequential language, the other to termination-sensitive noninterference. We focus on the former and develop a proof technique for showing that program behaviors are secure according to this definition. To demonstrate the viability of the approach, we define a simple reactive language with an information-flow type system and apply our proof technique to show that well-typed programs are secure.
A probabilistic property-specific approach to information flow. In Proc. Int. Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS ’05), volume 3685 of LNCS, 2005
Cited by 1 (0 self)
We study probabilistic information flow from a property-specific viewpoint. For a given property of interest, specified as a set of traces, we examine whether different low-level observations imply different probabilities for the occurrence of the property. Quantifying over all properties in a given class (e.g., high-level traces, or high-level sequences separated by low-level events) we obtain different notions of information flow. We give characterizations of systems that are secure according to these definitions. We consider both properties that are expressed over whole traces and those that distinguish between past and future given a reference point. In this framework, we can express several classical definitions of possibilistic security, as well as giving a more detailed, quantitative measure of information flow.
CPL: An Evidence-Based 5-Dimensional Logic for the Compositional Specification and Verification of Cryptographic Protocols. Part I: Language, Process Model, Satisfaction. Technical Report IC/2004/14, École Polytechnique Fédérale de, 2004
Cited by 1 (1 self)
We (1) define a logic, called CPL (for Cryptographic Protocol Logic), where truth is established on the grounds of evidence-based knowledge (as opposed to awareness-based belief), spanning the dimensions of first-order, temporal, epistemic, deontic, and linear logic; (2) state a few of its key properties; and (3) illustrate how it can be used to compositionally specify and verify cryptographic protocols designed to establish trust in the security of communication (as opposed to security of storage) between protocol-compliant participants in a hostile environment. Our claim hereby is to give (1) the first formalisation of cryptographic discourse within the framework of multi-dimensional logic, (2) the most comprehensive, logically connected formal model of cryptographic protocols proposed so far, and (3) a rigorous clarification of the concepts constituting the common knowledge of the community of protocol designers.
A Taxonomy for and Analysis of . . ., 2009
Cited by 1 (0 self)
Any entity operating in cyberspace is susceptible to debilitating attacks. With cyber attacks intended to gather intelligence and disrupt communications rapidly replacing the threat of conventional and nuclear attacks, a new age of warfare is at hand. In 2003, the United States acknowledged that the speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult. Even President Obama’s Cybersecurity Chief-elect recognizes the challenge of increasingly sophisticated cyber attacks. Now through April 2009, the White House is reviewing federal cyber initiatives to protect US citizen privacy rights. Indeed, the rising quantity and ubiquity of new surveillance technologies in cyberspace enables instant, undetectable, and unsolicited information collection about entities. Hence, anonymity and privacy are becoming increasingly important issues. Anonymization enables