## P.: Applied quantitative information flow and statistical databases

Venue: In: Proc. of the Int. Workshop on Formal Aspects in Security and Trust. Volume 5983 of LNCS., Springer (2009) 96–110 inria-00580122, version 5 - 30 Sep 2011

Citations: 7 - 0 self

### BibTeX

@INPROCEEDINGS{Heusser_p.:applied,

author = {Jonathan Heusser and Pasquale Malacaria},

title = {P.: Applied quantitative information flow and statistical databases},

booktitle = {In: Proc. of the Int. Workshop on Formal Aspects in Security and Trust. Volume 5983 of LNCS., Springer (2009) 96–110 inria-00580122, version 5 - 30 Sep 2011},

year = {}

}

### Abstract

We firstly describe an algebraic structure which serves as solid basis to quantitatively reason about information flows. We demonstrate how programs in form of partition of states fit into that theoretical framework. The paper presents a new method and implementation to automatically calculate such partitions, and compares it to existing approaches. As a novel application, we describe a way to transform database queries into a suitable program form which then can be statically analysed to measure its leakage and to spot database inference threats.

### Citations

204 | Using CSP look-back techniques to solve real-world SAT instances
- Bayardo, Schrag
- 1997
Citation Context: ...tisfying model to the tool. The newly found inputs are stored until P≠ is reported to be unsat. For Algorithm 2, Spear will bit-blast P= down to CNF which in turn gets model counted by either RelSat [4] or C2D. C2D is only used in case the user specifies fast model counting through command line options. While the counting is much faster on difficult problems than RelSat, the CNF instances have to be...

82 | Secure databases: protection against user influence
- Dobkin, Jones, et al.
- 1979
Citation Context: ...urn quantify the leakage of the queries. This section is not about showcasing AQuA’s performance but to illustrate the width of applications of applied QIF. We will use concepts used by Dobkin et al. [11] to describe databases. Definition 1. A database D is a function from 1, ..., n to N. The number of elements in the database is denoted by n; N is the set of possible attributes. A database D can al...

80 | Secure information flow by self-composition
- Barthe, D’Argenio, et al.
- 2004
Citation Context: ...′2 where the primed programs P′1, P′2 are P1, P2 with variables renamed so to have disjoint variable sets. If the two programs are syntactically equivalent, then this results in self-composition [3]. For example, consider the two programs P1 ≡ if (h == 0) x = 0 else x = 1, P2 ≡ if (h == 1) x = 0 else x = 1 with their partitions Π(P1) = {{0}{h ≠ 0}} and Π(P2) = {{1}{h ≠ 1}}. The program P1⊔2 is...

55 | Secure information flow as a safety problem
- Terauchi, Aiken
- 2005
Citation Context: ...resenting the two reachability questions. The two programs are defined as follows: P≠(i) ≡ h = i; P; P′; assert(l != l′), P=(i) ≡ h = i; P; P′; assert(l = l′). The program P is self-composed [3,19] and is either asserting low-equality or low-inequality on the output variable and its copy. Their argument is the initialisation value for the input variable. This method works on any number of input ...

42 | A Static Analysis for Quantifying the Information Flow in a Simple Imperative Programming Language
- Clark, Hunt, et al.
Citation Context: ...m database queries into a suitable program form which then can be statically analysed to measure its leakage and to spot database inference threats. 1 Introduction Quantitative Information Flow (QIF) [5,6] provides a general setting for measuring information leaks in programs and protocols. In QIF programs are interpreted as equivalence relations on input states: two inputs are equivalent if they gener...

38 | An information-theoretic model for adaptive side-channel attacks
- Köpf, Basin
- 2007
Citation Context: ...same results as qualitative ones anytime soon. There are however important families of programs where automatic analysis is within reach, for example side channel analysis for cryptographic protocols [13]. Also the integration of quantitative analysis with heuristics and software engineering tools has been successfully demonstrated [18]. In this paper we will introduce an original technique to automat...

21 | A tool for checking ANSI-C programs, Tools and Algorithms for the Construction and Analysis of Systems
- Clarke, Kroening, et al.
- 2004
Citation Context: ...r code annotations needed except command line options – supports non-linear arithmetic and integer overflows AQuA works on the equational intermediate representation of the CBMC bounded model checker [7]. C code is translated by CBMC into a program of constraints which in turn gets optimised through standard program analysis techniques into cleaned up constraints 1 . This program then gets self-compo...

19 | T.: A lattice of information
- Landauer, Redmond
- 1993
Citation Context: ...nt if they generate the same observations, e.g. if the program-run on those two inputs terminates with the same output. These equivalence relations form a complete lattice, the Lattice of Information [14] that satisfies nice algebraic properties. Also, once input states are equipped with a probability distribution the equivalence relations correspond to random variables. Information theoretical notion...

16 | A fast procedure for finding a tracker in a statistical database
- Denning, Schlorer
- 1980
Citation Context: ...es. Ideally, a statistical database security officer should prevent or detect attacks that gain individual information. However, this has been shown as unachievable, for example because of “trackers” [10]. In Section 5 we sketch how applied QIF can be used to measure the amount of confidential information leaked by a set of queries and hence to improve security risk assessment for statistical database...

6 | Malacaria: Assessing security threats of looping constructs
- Pasquale
- 2007
Citation Context: ...X). We write M(X) to indicate Shannon’s entropy or a more general Renyi’s entropy. 3 Measuring Program Leakage In previous works, we developed theories to quantify the information leakage of programs [5,15]. The main idea for deterministic programs is to interpret observations on a program as equivalence relations on states [15,16] and therefore as random variables in the lattice of information. The ran...

3 | Pasquale Malacaria: Quantitative information flow, relations and polymorphic types
- Clark, Hunt
- 2005
Citation Context: ...m database queries into a suitable program form which then can be statically analysed to measure its leakage and to spot database inference threats. 1 Introduction Quantitative Information Flow (QIF) [5,6] provides a general setting for measuring information leaks in programs and protocols. In QIF programs are interpreted as equivalence relations on input states: two inputs are equivalent if they gener...

3 | Entropy and semivaluations on semilattices
- Nakamura
- 1970
Citation Context: ...uation on LoI is a real valued map ν : LoI → R, that satisfies the following properties: ν(X ⊓ Y) + ν(X ⊔ Y) ≤ ν(X) + ν(Y) (3), X ⊑ Y implies ν(X) ≤ ν(Y) (4), for every element X and Y in a lattice [17]. The property (4) is order-preserving: a higher element in the lattice has a larger valuation than elements below itself. The first property (3) is a weakened inclusion-exclusion principle. Propositi...

2 | Boris Köpf and Andrey Rybalchenko: Automatic Discovery and Quantification of Information Leaks
- Backes
Citation Context: ...n a growing number of impressive progress in the field of model checking, SAT solvers, theorem provers and program analysis it is now possible to test quantitative information flow ideas on real code [2,18]. Of course there are still severe limitations of this kind of automatic analysis and it is well possible that most complex code will be out of reach for the foreseeable future. As a comparison a quan...

1 | Clarke and Daniel Kroening: Using SAT based Image Computation for Reachability
- Chauhan, Edmund
- 2003
Citation Context: ...nd then translated in Conjunctive Normal Form (CNF) in a standard fashion. P≠ is solved using a number of SAT solver calls using a standard reachability algorithm (SAT-based fixed point calculation) [12]. Algorithm 1 describes this input discovery. In each iteration it discovers a new input h′ which does not lead to the same output as the previous input h. The new input h′ is added to the set Sinpu...

1 | Malacaria: Risk Assessment of Security Threats for Looping Constructs
- Pasquale
- 2009
Citation Context: ...ks, we developed theories to quantify the information leakage of programs [5,15]. The main idea for deterministic programs is to interpret observations on a program as equivalence relations on states [15,16] and therefore as random variables in the lattice of information. The random variable associated to a program P is the equivalence relation on any states σ, σ′ from the universe of states Σ defined b...

1 | McCamant: Quantitative Information-Flow Tracking for Real Systems
- Andrew
- 2008
Citation Context: ...n a growing number of impressive progress in the field of model checking, SAT solvers, theorem provers and program analysis it is now possible to test quantitative information flow ideas on real code [2,18]. Of course there are still severe limitations of this kind of automatic analysis and it is well possible that most complex code will be out of reach for the foreseeable future. As a comparison a quan...

1 | and V.Kumar Entropy as a Measure of Database
- Unger
- 1990
Citation Context: ...ple works [18]. The lattice of information has been described by Landauer and Redmond [14]. There is a large and inspiring literature of Information theoretical notions in statistical databases e.g. [9,20]. No work however has so far used applied QIF for queries analysis. 5 To understand the numbers 4.6556 comes by the fact that the queries reveal h6 i.e. 2 bits, plus sum(h4, h5) which is 2.6556 bitsR...