## Belief in information flow (2005)

Venue: In Proc. 18th IEEE Computer Security Foundations Workshop

Citations: 53 - 9 self

### BibTeX

    @INPROCEEDINGS{Clarkson05beliefin,
        author = {Michael R. Clarkson and Andrew C. Myers and Fred B. Schneider},
        title = {Belief in information flow},
        booktitle = {In Proc. 18th IEEE Computer Security Foundations Workshop},
        year = {2005},
        pages = {31--45}
    }

### Abstract

Information leakage traditionally has been defined to occur when uncertainty about secret data is reduced. This uncertainty-based approach is inadequate for measuring information flow when an attacker is making assumptions about secret inputs and these assumptions might be incorrect; such attacker beliefs are an unavoidable aspect of any satisfactory definition of leakage. To reason about information flow based on beliefs, a model is developed that describes how attacker beliefs change due to the attacker’s observation of the execution of a probabilistic (or deterministic) program. The model leads to a new metric for quantitative information flow that measures accuracy rather than uncertainty of beliefs.

### Citations

8567 | Elements of Information Theory - Cover, Thomas - 1991 |

Citation context: ...ensures that b is never off by more than a factor of ε from a uniform distribution. Another possible admissibility restriction is to require the attacker’s belief to be a maximal entropy distribution [6] with respect to attacker-specified constraints. Other admissibility restrictions may be substituted for these when stronger assumptions can be made about attacker beliefs. Finally, program semantics ...

723 | Security policies and security models - Goguen, Meseguer - 1982 |

502 | Cryptography and Data Security - Denning - 1982 |

438 | The existence of refinement mappings - Abadi, Lamport - 1991 |

Citation context: ...3. 7 To ensure that the fixed point for while exists, we have to verify that Dist is a complete partial order with a bottom element. To do so, we strengthen the definition Dist to be $\{\delta \mid \delta \in \text{State} \to [0, 1] \wedge \|\delta\| \leq 1\}$. This makes distributions correspond to subprobability measures, and it is easy to check that the semantics produces subprobability measures as output. To lift the semantics in Figure 3...

250 | Limiting privacy breaches in privacy preserving data mining - Evfimievski, Gehrke, et al. - 2003 |

234 | The formal semantics of programming languages: an introduction - Winskel - 1993 |

224 | Reasoning About Uncertainty - Halpern - 2003 |

208 | Subjective probability: A judgment of representativeness - Kahneman, Tversky - 1972 |

Citation context: ...11]. The attacker therefore reasons rationally, according to Halpern’s rationality axioms [16, Section 2.2], though the literature on human behavior shows that this is not the same as human reasoning [20, 21]. Let belief revision operator B yield the postbelief from an experiment E: $B(E) \triangleq ((\llbracket S \rrbracket(\dot\sigma_L \otimes b_H) \mid o)) \upharpoonright H$, where $E = \langle S, b_H, \sigma_H, \sigma_L \rangle$, $o \in \Gamma(\delta') \upharpoonright L$, $\delta' = \llbracket S \rrbracket(\dot\sigma_L \otimes \dot\sigma_H)$. Because it uses Γ, operator B...

135 | Semantics of probabilistic programs - Kozen - 1981 |

118 | A model of information - Sutherland - 1986 |

113 | Specifications for multi-level security and a hook-up property - McCullough - 1987 |

Citation context: ...bservational determinism is too strong to be applicable to programs that require information flow, such as PWC.) Other nondeterministic security conditions, such as generalized noninterference (GNI) [24], are already known to allow leakage of information [34]. Our model of insider choice allows this leakage to be quantified, which further demonstrates the weakness of such security conditions. For exa...

111 | Security models and information flow - McLean - 1990 |

104 | Information flow in nondeterministic systems - Wittbold, Johnson - 1990 |

Citation context: ...een certain inputs and outputs is zero. He also proposes mutual information as a metric for information flow, but he does not show how to compute the amount of flow for programs. Wittbold and Johnson [38] introduce nondeducibility on strategies, an extension of Sutherland’s nondeducibility [32]. Wittbold and Johnson observe that if a program is run multiple times and feedback between runs is allowed, ...

97 | Approximate noninterference - Pierro, Hankin, et al. - 2002 |

89 | Toward a mathematical foundation for information flow security - Gray - 1991 |

86 | CSP and determinism in security modeling - Roscoe - 1995 |

Citation context: ...ider function I when conducting the thought-experiment. This function thus encodes choices that the insider and attacker have agreed upon in advance. 6.3 Security conditions. Observational determinism [28, 31, 39] is a security condition for nondeterministic systems that generalizes noninterference [12]. We can state a probabilistic generalization of observational determinism that is applicable to our insider ...

82 | Quantifying information flow - Lowe - 2001 |

72 | Covert channel capacity - Millen - 1987 |

71 | Knowledge, probability, and adversaries - Halpern, Tuttle - 1993 |

Citation context: ... distinguish. When there are n such distinguishable behaviors, H can use them to transmit lg n bits to L. These both measure the size of channels rather than accuracy of belief. Halpern and Tuttle [18] introduce a framework for reasoning about knowledge and probability based on three kinds of adversaries: adversaries who make nondeterministic choices, adversaries who represent the knowledge of the ...

67 | Anonymity and Information Hiding in Multiagent Systems - Halpern, O’Neill - 2003 |

66 | Abstraction, Refinement and Proof for Probabilistic Systems - McIver, Morgan - 2005 |

65 | Bayesian Data Analysis. Chapman and Hall/CRC, 2nd edition - Gelman, Carlin, et al. - 2004 |

Citation context: ... a postbelief in step 5 is an application of Bayesian inference, which is a standard technique in applied statistics for making inferences when uncertainty is made explicit through probability models [11]. The attacker therefore reasons rationally, according to Halpern’s rationality axioms [16, Section 2.2], though the literature on human behavior shows that this is not the same as human reasoning [20...

55 | The base rate fallacy reconsidered: Descriptive, normative, and methodological challenges - Koehler - 1996 |

Citation context: ...11]. The attacker therefore reasons rationally, according to Halpern’s rationality axioms [16, Section 2.2], though the literature on human behavior shows that this is not the same as human reasoning [20, 21]. Let belief revision operator B yield the postbelief from an experiment E: $B(E) \triangleq ((\llbracket S \rrbracket(\dot\sigma_L \otimes b_H) \mid o)) \upharpoonright H$, where $E = \langle S, b_H, \sigma_H, \sigma_L \rangle$, $o \in \Gamma(\delta') \upharpoonright L$, $\delta' = \llbracket S \rrbracket(\dot\sigma_L \otimes \dot\sigma_H)$. Because it uses Γ, operator B...

50 | Verifying secrets and relative secrecy - Volpano, Smith - 2000 |

Citation context: ...functions to be typed, so this type system is an improvement over previous type systems. However, the type system does not allow a general analysis of quantitative information flow. Volpano and Smith [35] give another type system that enforces relative secrecy, which requires that well-typed programs cannot leak confidential data in polynomial time. Weber [36] defines n-limited security, which allows ...

47 | Observational determinism for concurrent program security - Zdancewic, Myers - 2003 |

Citation context: ...ider function I when conducting the thought-experiment. This function thus encodes choices that the insider and attacker have agreed upon in advance. 6.3 Security conditions. Observational determinism [28, 31, 39] is a security condition for nondeterministic systems that generalizes noninterference [12]. We can state a probabilistic generalization of observational determinism that is applicable to our insider ...

46 | Proving noninterference and functional correctness using traces - McLean - 1992 |

Citation context: ...ider function I when conducting the thought-experiment. This function thus encodes choices that the insider and attacker have agreed upon in advance. 6.3 Security conditions. Observational determinism [28, 31, 39] is a security condition for nondeterministic systems that generalizes noninterference [12]. We can state a probabilistic generalization of observational determinism that is applicable to our insider ...

41 | Secrecy in multiagent systems - Halpern, O’Neill - 2002 |

Citation context: ...-Tuttle framework to reason about qualitative security of probabilistic systems. They relate their security condition to probabilistic noninterference [13] and information theory. Halpern and O’Neill [15] construct a framework for reasoning about secrecy that generalizes many previous results on qualitative and probabilistic, but not quantitative, security. Their framework, like ours, uses subjective ...

37 | Quantified interference for a while language - Clark, Hunt, et al. |

36 | A logical approach to multilevel security of probabilistic systems - Gray, Syverson - 1998 |

Citation context: ... an adversary who makes nondeterministic choices, and each of the models of the insider’s power in Section 6.1 correspond to an adversary representing the knowledge of the opponent. Gray and Syverson [14] apply the Halpern-Tuttle framework to reason about qualitative security of probabilistic systems. They relate their security condition to probabilistic noninterference [13] and information theory. Ha...

32 | Quantitative information flow, relations and polymorphic types - Clark, Hunt, et al. |

Citation context: ...ne additional distribution (reality). By ignoring reality, our framework can produce the same results as many uncertainty metrics. Here we show how to emulate the metric of Clark, Hunt, and Malacaria [5]. Their metric states that the amount of information flow $\mathcal{L}$ from high input $H_{in}$ into low output $L_{out}$, given low input $L_{in}$, is: $\mathcal{L}(H_{in}, L_{in}, L_{out}) \triangleq \mathcal{H}(H_{in} \mid L_{in}) - \mathcal{H}(H_{in} \mid L_{in}, L_{out})$ where $\mathcal{H}$ is the generalizat...

29 | Secure introduction of one-way functions - Volpano - 2000 |

19 | Formalizing the Analysis of Algorithms - Ramshaw - 1979 |

Citation context: ...is essentially an unnormalized probability distribution over program states; it is easier to define a programming language semantics using frequency distributions than using probability distributions [30]. Henceforth, we write “distribution” to mean “frequency distribution”. The set of all program states is State, and the set of all distributions is Dist. The structure of State is mostly unimportant; ...

16 | Measuring the confinement of probabilistic systems - Pierro, Hankin, et al. |

Citation context: ..., in the sense of statistical hypothesis testing. Finally, the paper explores how to build an abstract interpretation that allows approximation of the confinement of a process. Their more recent work [9] generalizes this to measuring approximate confinement in probabilistic transition systems. Clark, Hunt, and Malacaria [4] apply information theory to the analysis of while-programs. They develop a sta...

12 | Confinement properties for programming languages - Volpano, Smith - 1998 |

Citation context: ...to programs that require information flow, such as PWC.) Other nondeterministic security conditions, such as generalized noninterference (GNI) [24], are already known to allow leakage of information [34]. Our model of insider choice allows this leakage to be quantified, which further demonstrates the weakness of such security conditions. For example, a program S satisfies GNI when S behaves as a rela...

11 | Quantified interference: Information theory and information flow (extended abstract) - Clark, Hunt, et al. - 2004 |

10 | The Turing test and non-information flow - Browne - 1991 |

7 | Information and Coding Theory - Jones, Jones - 2000 |

7 | Quantitative hook-up security for covert channel analysis - Weber - 1988 |

5 | A probabilistic approach to information hiding - McIver, Morgan - 2003 |