## Quantifying Timing Leaks and Cost Optimisation

### Cached

### Download Links

- [profs.sci.univr.it]
- [arxiv.org]
- [www.doc.ic.ac.uk]
- DBLP

### Other Repositories/Bibliography

Citations: | 7 - 1 self |

### BibTeX

@MISC{Pierro_quantifyingtiming,

author = {Alessandra Di Pierro and Chris Hankin and Herbert Wiklicky},

title = {Quantifying Timing Leaks and Cost Optimisation},

year = {}

}

### OpenURL

### Abstract

We develop a new notion of security against timing attacks where the attacker is able to simultaneously observe the execution time of a program and the probability of the values of low variables. We then show how to measure the security of a program with respect to this notion via a computable estimate of the timing leakage and use this estimate for cost optimisation.

### Citations

1967 | A Theory of Timed Automata - Alur, Dill - 1994 |

723 |
Security policies and security models
- Goguen, Meseguer
- 1982
(Show Context)
Citation Context ...erve different behaviours as a result of different secrets – i.e. the system “operates in the same way” whatever value a secret key has – goes back at least to the seminal work of Goguen and Meseguer =-=[17]-=-. This led in a number of settings to formalisations of security concepts such as “non-interference” via various notions of behavioural equivalencies (see e.g. [18,19]). One of the perhaps most promin... |

414 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
(Show Context)
Citation Context ...ks we can determine the (average) execution time of the fixed program in comparison with the improvement in security. Agat presents in his paper [3] an example which itself is based on Kocher’s study =-=[2]-=- of timing attacks against the RSA algorithm. In order to illustrate our approach we simplify the example� �� � �� �� � �� � �� � �� � i := 1; while i<=3 do if k[i]==1 then s := s; else skip; fi; i :... |

403 | Bisimulation through probabilistic testing
- Larsen, Skou
- 1991
(Show Context)
Citation Context ...usly different from being able to distinguish the probability distributions of the results and the running time. 4.1 Probabilistic Time Bisimulation Probabilistic bisimulation was first introduced in =-=[8]-=- and refers to an equivalence on probability distributions over the states of the processes. This latter equivalence is defined as a lifting of the bisimulation relation on the support sets of the dis... |

353 |
Three partition refinement algorithms
- Paige, Tarjan
- 1987
(Show Context)
Citation Context ... observational difference between the system’s components. We show here how to compute a non-trivial upper bound δ to ε by essentially exploiting the algorithmic solution proposed by Paige and Tarjan =-=[11]-=- for computing bisimulation equivalence. This was already adapted to PTS’s in [12], where it was used for constructing a padding algorithm as part of a transformational approach to the timing leaks pr... |

200 | Secure information flow in a multi-threaded imperative language
- Smith, Volpano
- 1998
(Show Context)
Citation Context ...this notion via a computable estimate of the timing leakage and use this estimate for cost optimisation. 1 Introduction Early work on language-based security, such as Volpano and Smith’s type systems =-=[1]-=-, precluded the use of high security variables to affect control flow. Specifically, the conditions in if-commands and while-commands were restricted to using only low security information. If this re... |

155 | Transforming out timing leaks
- Agat
- 2000
(Show Context)
Citation Context ...aneously observe the execution time of a (probabilistic) program and the probability of the values of low variables. This notion is a non-trivial extension of similar ideas for deterministic programs =-=[3]-=- which also covers attacks based on the combined observation of time and low variables. This earlier work presents an approach which, having identified a covert timing channel, provides a program tran... |

97 | Approximate noninterference
- Pierro, Hankin, et al.
- 2002
(Show Context)
Citation Context ...on turns out to be still too strict and a number of researchers developed “approximate” versions; among them we just name the approaches by Desharnais et.al. [20,21] and van Breugel [22] and our work =-=[10,24]-=- (an extensive bibliography on this issue can be found in [23]). We based this current paper on the latter approach because it allows for an implementation of the semantics of pWhile via linear operat... |

89 | Classification of security properties (Part I: Information flow
- Focardi, Gorrieri
- 2001
(Show Context)
Citation Context ...seminal work of Goguen and Meseguer [17]. This led in a number of settings to formalisations of security concepts such as “non-interference” via various notions of behavioural equivalencies (see e.g. =-=[18,19]-=-). One of the perhaps most prominent of these equivalence notions, namely bisimilarity, plays an important role in the context of security of concurrent systems but also found application for sequenti... |

82 | S.: Process algebra and non-interference
- Ryan, Schneider
(Show Context)
Citation Context ...seminal work of Goguen and Meseguer [17]. This led in a number of settings to formalisations of security concepts such as “non-interference” via various notions of behavioural equivalencies (see e.g. =-=[18,19]-=-). One of the perhaps most prominent of these equivalence notions, namely bisimilarity, plays an important role in the context of security of concurrent systems but also found application for sequenti... |

51 | The metric analogue of weak bisimulation for probabilistic processes
- Desharnais, Gupta, et al.
- 2002
(Show Context)
Citation Context ...by Larson and Skou [8]. However, this notion turns out to be still too strict and a number of researchers developed “approximate” versions; among them we just name the approaches by Desharnais et.al. =-=[20,21]-=- and van Breugel [22] and our work [10,24] (an extensive bibliography on this issue can be found in [23]). We based this current paper on the latter approach because it allows for an implementation of... |

49 | Symbolic model checking for probabilistic timed automata
- Kwiatkowska, Norman, et al.
- 2004
(Show Context)
Citation Context ... a well-established model [4]. These automata have been extended with probability and used in model-checking for the verification of probabilistic timed temporal logic properties of real-time systems =-=[5]-=-. The resulting model is essentially a Markov Decision Process where rewards are interpreted as time durations and is therefore quite different from our MC approach. In particular, the presence of non... |

42 | Metrics for labelled markov systems
- Desharnais, Gupta, et al.
- 1999
(Show Context)
Citation Context ...by Larson and Skou [8]. However, this notion turns out to be still too strict and a number of researchers developed “approximate” versions; among them we just name the approaches by Desharnais et.al. =-=[20,21]-=- and van Breugel [22] and our work [10,24] (an extensive bibliography on this issue can be found in [23]). We based this current paper on the latter approach because it allows for an implementation of... |

32 | An efficient algorithm for computing bisimulation equivalence
- Dovier, Piazza, et al.
- 2004
(Show Context)
Citation Context ...ence) of two tPTS’s T1 and T2. In particular, Algorithm 1 refers to a such a procedure which follows the algorithmic paradigm for partition refinement introduced by Paige and Tarjan in [11] (see also =-=[13,14]-=-). The Paige-Tarjan algorithm constructs a partition of a state space Σ which is stable for a given transition relation →. It is a well-known result that this partition corresponds to a bisimulation e... |

32 | P.: Quantitative information flow, relations and polymorphic types - Clark, Hunt, et al. |

21 | Quantitative relations and approximate process equivalences
- Pierro, Hankin, et al.
(Show Context)
Citation Context ...hile program P is probabilistic time secure or PT-secure if for any set of initial states E and E ′ such that EL = E ′ L , we have 〈E, P 〉 ∼ 〈E′ , P 〉. 5 Computing Approximate Bisimulation The papers =-=[9, 10]-=- introduce an approximate version of bisimulation and confinement where the approximation can be used as a measure ε for the information leakage of the system under analysis. The quantity ε is formall... |

20 |
Optimal state-space lumping
- Derisavi, Hermanns, et al.
- 2003
(Show Context)
Citation Context ...ence) of two tPTS’s T1 and T2. In particular, Algorithm 1 refers to a such a procedure which follows the algorithmic paradigm for partition refinement introduced by Paige and Tarjan in [11] (see also =-=[13,14]-=-). The Paige-Tarjan algorithm constructs a partition of a state space Σ which is stable for a given transition relation →. It is a well-known result that this partition corresponds to a bisimulation e... |

16 |
H.: Measuring the confinement of probabilistic systems
- Pierro, Hankin, et al.
(Show Context)
Citation Context ...hile program P is probabilistic time secure or PT-secure if for any set of initial states E and E ′ such that EL = E ′ L , we have 〈E, P 〉 ∼ 〈E′ , P 〉. 5 Computing Approximate Bisimulation The papers =-=[9, 10]-=- introduce an approximate version of bisimulation and confinement where the approximation can be used as a measure ε for the information leakage of the system under analysis. The quantity ε is formall... |

12 | G.: Confinement properties for programming languages
- Volpano, Smith
- 1998
(Show Context)
Citation Context ...s) from programs written in a sequential imperative programming language. The language used is a language of security types with two security levels that is based on earlier work by Volpano and Smith =-=[16,1]-=-. Whilst Volpano and Smith restrict the condition in both while-loops and ifcommands to being of the lowest security level, Agat allows the condition in an if-command to be high security providing tha... |

12 |
F.: A behavioural pseudometric for metric labelled transition systems
- Breugel
- 2005
(Show Context)
Citation Context ...However, this notion turns out to be still too strict and a number of researchers developed “approximate” versions; among them we just name the approaches by Desharnais et.al. [20,21] and van Breugel =-=[22]-=- and our work [10,24] (an extensive bibliography on this issue can be found in [23]). We based this current paper on the latter approach because it allows for an implementation of the semantics of pWh... |

4 | H.: Tempus fugit: How to plug it
- Pierro, Hankin, et al.
- 2007
(Show Context)
Citation Context ...pute a non-trivial upper bound δ to ε by essentially exploiting the algorithmic solution proposed by Paige and Tarjan [11] for computing bisimulation equivalence. This was already adapted to PTS’s in =-=[12]-=-, where it was used for constructing a padding algorithm as part of a transformational approach to the timing leaks problem. In this approach the computational paths of a program are transformed so as... |

4 | Quantifying information leakage in process calculi - Boreale |

3 | K.: Probabilistic extentions of process algebras - Jonsson, Yi, et al. - 2001 |

3 | K.: Probabilistic extentions of process algebras - Jonsson, Yi, et al. - 2001 |

2 |
Probability and Random Variables
- Stirzaker
- 1999
(Show Context)
Citation Context ... X2 we have π(x1, x2) = π1(x1)π2(x2). In the special cases where a joint distribution π can be expressed in this way, as a ‘product’, we say that the distributions π1 and π2 are independent (cf. e.g. =-=[7]-=-). 2.1 Timed Probabilistic Transition Systems The execution model of programs which we will use in the following is that of a labelled transition system; more precisely, we will consider probabilistic... |

1 | R.: Classification of Security Properties (Part I). In: Foundations of Security Analysis and Design. Volume 2171 of LNCS - Focardi, Gorrieri - 2001 |