#### DMCA

## Quantifying information flow for dynamic secrets

Citations: | 5 - 2 self |

### Citations

600 | Cryptography and Data Security
- Denning
- 1982
(Show Context)
Citation Context ...security of the password checker—and of other systems that, by design or by technological constraints, must leak information. A. QIF for static secrets The classic model for QIF, pioneered by Denning =-=[17]-=-, represents a system as an information-theoretic channel: low input high input observable output system A channel is a probabilistic function. The system is a channel, because it probabilistically ma... |

346 |
Reasoning About Uncertainty
- Halpern
- 2003
(Show Context)
Citation Context ...gh input. The change in the adversary’s uncertainty is the amount of leakage: leakage = initial uncertainty − revised uncertainty . Uncertainty is typically represented with probability distributions =-=[18]-=-. Specific metrics for QIF use these distributions to calculate a numeric quantity of leakage [1]–[5]. More formally, let XH, XL and XO be random variables representing the distribution of high inputs... |

338 | Modelling and verification of randomized distributed real time systems
- Segala
- 1995
(Show Context)
Citation Context ...initiates the study of quantitative information flow (henceforth, QIF) for dynamic secrets. First, we present a core model of programs that compute with dynamic secrets. We use probabilistic automata =-=[10]-=- to model program execution. These automata are interactive: they accept inputs and produce outputs throughout execution. The output they produce is a random function of the inputs. To capture the dyn... |

148 | Causality, feedback and directed information
- Massey
- 1990
(Show Context)
Citation Context ...ity. Characterizing this for scenarios in general is another part of our ongoing work. VII. RELATED WORK Other works in the literature have considered systems with some notion of time-passing. Massey =-=[36]-=- considers systems that can be re-executed several times, whereby new secret and observable values are produced constantly. He conjectured that the flow of information in these systems is more precise... |

133 | Guessing and entropy
- Massey
- 1994
(Show Context)
Citation Context ...d to be Eo←XO [F (XH | XO = o,XL = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], [19]–[22], guessing entropy =-=[23]-=-, [24], marginal guesswork [25], vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is insufficient for reasoning a... |

126 |
Information flow in nondeterministic systems
- Wittbold, Johnson
- 1990
(Show Context)
Citation Context ...ractive: they accept inputs and produce outputs throughout execution. The output they produce is a random function of the inputs. To capture the dynamics of secrets, our model uses strategy functions =-=[11]-=- to generate new inputs based on the history of inputs and outputs. For example, a strategy function might yield the GPS coordinates of a high-security user as a function of time, and of the path the ... |

116 |
C.: Abstraction, Refinement and Proof for Probabilistic Systems
- McIver, Morgan
- 2005
(Show Context)
Citation Context ...ones as seen in Section VI-B. At the top of Clark and Hunt’s hierarchy, strategies may be nondeterministic, whereas our model’s are probabilistic. Probabilistic choice refines nondeterministic choice =-=[40]-=-, so in that sense our model is a refinement of Clark and Hunt’s. But probabilities are essential for informationtheoretic quantification of information flow. Clark and Hunt do not address quantificat... |

115 | On the foundations of quantitative information flow
- Smith
- 2009
(Show Context)
Citation Context ..., the adversary might learn all, some, or no information about dynamic secrets. We show that our metric generalizes previous metrics for quantifying leakage of static secrets, including vulnerability =-=[4]-=-, guessing entropy [15], and g-vulnerability [14]. We also show how to limit the power of the adversary, such that it cannot influence inputs or delay attacks. Finally, we put our model and metric to ... |

94 | The capacity of channels with feedback
- Tatikonda, Mitter
- 2009
(Show Context)
Citation Context ...the distribution on low and high inputs. Such a channel is required by classic information-theoretic metrics of maximum leakage. Our solution is to employ a technique proposed by Tatikonda and Mitter =-=[30]-=- and applied by Alvim et al. [28] to interactive systems. The details are given in our technical report [29]. Here, we summarize the two main results. First, we give a well-defined probability distrib... |

87 |
Assessing security threats of looping constructs
- Malacaria
- 2007
(Show Context)
Citation Context ...F (XH | XL = ℓ,XO) is defined to be Eo←XO [F (XH | XO = o,XL = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], =-=[19]-=-–[22], guessing entropy [23], [24], marginal guesswork [25], vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is ... |

84 | Anonymity protocols as noisy channels
- Chatzikokolakis, Palamidessi, et al.
- 2008
(Show Context)
Citation Context ...ard, F (XH | XL = ℓ,XO) is defined to be Eo←XO [F (XH | XO = o,XL = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–=-=[3]-=-, [19]–[22], guessing entropy [23], [24], marginal guesswork [25], vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for Q... |

83 | An information-theoretic model for adaptive side-channel attacks
- Köpf, Basin
(Show Context)
Citation Context ...learn all, some, or no information about dynamic secrets. We show that our metric generalizes previous metrics for quantifying leakage of static secrets, including vulnerability [4], guessing entropy =-=[15]-=-, and g-vulnerability [14]. We also show how to limit the power of the adversary, such that it cannot influence inputs or delay attacks. Finally, we put our model and metric to use by implementing the... |

78 | Stochastic lambda calculus and monads of probability distributions
- Ramsey, Pfeffer
(Show Context)
Citation Context ... best moment to attack. Section VI conducts experiments that explore some of these metrics. V. IMPLEMENTATION We have implemented our model using a simple monadic embedding of probabilistic computing =-=[32]-=- in OCaml, as per Kiselyov and Shan [33]. The basic approach is as follows. The model function, translated into monadic style, is probabilistically evaluated to produce the full joint distribution ove... |

71 | Quantifying location privacy
- Shokri, Theodorakopoulos, et al.
- 2011
(Show Context)
Citation Context ...n a certain area, and Marconi et al. [37] demonstrate how an adversary with structured knowledge about a user’s behavior across time can pose a direct threat to his privacy. The work of Shokri et al. =-=[38]-=- strives to quantify the privacy of users of location-based services using Markov models and various machine learning techniques for constructing and applying them. Location privacy is a useful applic... |

69 | Automatic discovery and quantification of information leaks
- Backes, Köpf, et al.
- 2009
(Show Context)
Citation Context ...rmation flow. Keywords—dynamic secret, quantitative information flow, probabilistic programming, gain function, vulnerability I. INTRODUCTION Quantitative information-flow models [1]–[5] and analyses =-=[6]-=-–[9] typically assume that secret information is static. But real-world secrets evolve over time. Passwords, for example, should be changed periodically. Cryptographic keys have periods after which th... |

68 | The metric analogue of weak bisimulation for probabilistic processes
- Desharnais, Jagadeesan, et al.
- 2002
(Show Context)
Citation Context ...ets potentially replace old secrets. The classic model cannot handle these moving targets. To quantify leakage about moving-target secrets, we need a model of how secrets evolve over time. Prior work =-=[27]-=-, [28] has considered leakage only about the entire stream of secrets, rather than a particular value of a secret at a particular time. To address these insufficiencies in the classic model, we introd... |

46 |
Quantitative information flow, relations and polymorphic types
- Clark, Hunt, et al.
(Show Context)
Citation Context ...r time with static stash stay_stash given stakeouts stakeout_east_west with (1) all possible non-adaptive orderings order (loworder = Some order), (2) a possible nonadaptive ordering (loworder = Some =-=[0;1;2;7;3;4;5;6]-=-), and (3) adaptive (loworder = None) stakeout locations, all not wait-adaptive (waitadapt = false). Figure 5 plots how the gain differs when we have a static secret with perfect raids, a static secre... |

44 | Information-flow security for interactive programs
- O’Neill, Clarkson, et al.
- 2006
(Show Context)
Citation Context ...f a system, waiting 1Our probabilistic model of interaction is a refinement of the nondeterministic model of Clark and Hunt [12], and it is a generalization of the interaction model of O’Neill et al. =-=[13]-=-. See Section VII for details. until a point in time at which it appears profitable to attack. For example, an attacker might delay attacking until collecting enough observations of a GPS location to ... |

44 | Covert channels and anonymizing networks - Moskowitz, Newman, et al. - 2003 |

40 | Lagrange multipliers and maximum information leakage in different observational models - Malacaria, Chen - 2008 |

31 | Quantifying information flow with beliefs
- Clarkson, Myers, et al.
(Show Context)
Citation Context ...ty increases information flow. Keywords—dynamic secret, quantitative information flow, probabilistic programming, gain function, vulnerability I. INTRODUCTION Quantitative information-flow models [1]–=-=[5]-=- and analyses [6]–[9] typically assume that secret information is static. But real-world secrets evolve over time. Passwords, for example, should be changed periodically. Cryptographic keys have perio... |

31 |
On the incomparability of entropy and marginal guesswork in bruteforce attacks
- Pliam
- 2000
(Show Context)
Citation Context ...L = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], [19]–[22], guessing entropy [23], [24], marginal guesswork =-=[25]-=-, vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is insufficient for reasoning about dynamic secrets: • Interac... |

30 | Embedded probabilistic programming, in
- Kiselyov, Shan
(Show Context)
Citation Context ...cts experiments that explore some of these metrics. V. IMPLEMENTATION We have implemented our model using a simple monadic embedding of probabilistic computing [32] in OCaml, as per Kiselyov and Shan =-=[33]-=-. The basic approach is as follows. The model function, translated into monadic style, is probabilistically evaluated to produce the full joint distribution over the history up to some time T. From th... |

28 | Measuring information leakage using generalized gain functions
- Alvim, Chatzikokolakis, et al.
- 2012
(Show Context)
Citation Context ...secrets. We show how to construct an optimal wait-adaptive adversary with respect to the metric, and how to quantify that adversary’s expected gain, as determined by a scenario-specific gain function =-=[14]-=-. These functions consider when, as a result of an attack, the adversary might learn all, some, or no information about dynamic secrets. We show that our metric generalizes previous metrics for quanti... |

26 | Quantitative notions of leakage for one-try attacks
- Braun, Chatzikokolakis, et al.
- 2009
(Show Context)
Citation Context ...] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], [19]–[22], guessing entropy [23], [24], marginal guesswork [25], vulnerability [4], =-=[26]-=-, and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is insufficient for reasoning about dynamic secrets: • Interactivity: Since secrets can... |

25 | Quasi-anonymous channels
- Moskowitz, Newman, et al.
- 2003
(Show Context)
Citation Context ...tivity increases information flow. Keywords—dynamic secret, quantitative information flow, probabilistic programming, gain function, vulnerability I. INTRODUCTION Quantitative information-flow models =-=[1]-=-–[5] and analyses [6]–[9] typically assume that secret information is static. But real-world secrets evolve over time. Passwords, for example, should be changed periodically. Cryptographic keys have p... |

25 | Non-interference for deterministic interactive programs
- Clark, Hunt
- 2008
(Show Context)
Citation Context ...ait-adaptive adversaries, which are adversaries that can observe execution of a system, waiting 1Our probabilistic model of interaction is a refinement of the nondeterministic model of Clark and Hunt =-=[12]-=-, and it is a generalization of the interaction model of O’Neill et al. [13]. See Section VII for details. until a point in time at which it appears profitable to attack. For example, an attacker migh... |

22 | Approximation and randomization for quantitative information-flow analysis - Köpf, Rybalchenko - 2010 |

16 |
Probabilistic programming
- Gordon, Henzinger, et al.
- 2014
(Show Context)
Citation Context ...ow to limit the power of the adversary, such that it cannot influence inputs or delay attacks. Finally, we put our model and metric to use by implementing them in a probabilistic programming language =-=[16]-=- and conducting a series of experiments. Several conclusions can be drawn from these experiments: • Frequent change of a secret can increase leakage, even though intuition might initially suggest that... |

14 | Protecting location privacy: optimal strategy against localization attacks
- Shokri, Theodorakopoulos, et al.
(Show Context)
Citation Context ...terleaved (and optimized) fashion. That said, Shokri et al’s simpler model and approximate techniques allows them to consider more realistic examples than those described in our work. Subsequent work =-=[39]-=- considers even simpler models (e.g., that a user’s locations are independent). Classic models of QIF in general assume that the secret is fixed across multiple observations, whereas we consider dynam... |

13 | Algebraic foundations for information theoretical, probabilistic and guessability measures of information flow
- Malacaria
(Show Context)
Citation Context ...e Eo←XO [F (XH | XO = o,XL = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], [19]–[22], guessing entropy [23], =-=[24]-=-, marginal guesswork [25], vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is insufficient for reasoning about d... |

12 | M.: Dynamic Enforcement of Knowledge-based Security Policies
- Mardziel, Magill, et al.
- 2011
(Show Context)
Citation Context ...ion flow. Keywords—dynamic secret, quantitative information flow, probabilistic programming, gain function, vulnerability I. INTRODUCTION Quantitative information-flow models [1]–[5] and analyses [6]–=-=[9]-=- typically assume that secret information is static. But real-world secrets evolve over time. Passwords, for example, should be changed periodically. Cryptographic keys have periods after which they m... |

10 | Information Flow in Interactive Systems
- Alvim, Andrés, et al.
- 2010
(Show Context)
Citation Context ... | XL = ℓ,XO) is defined to be Eo←XO [F (XH | XO = o,XL = ℓ)], where Ex←X [f(x)] denotes ∑ x Pr (X = x) · f(x). Various instantiations of F have been proposed, including Shannon entropy [1]–[3], [19]–=-=[22]-=-, guessing entropy [23], [24], marginal guesswork [25], vulnerability [4], [26], and gleakage [14]. B. Toward QIF for dynamic secrets There are several ways in which the classic model for QIF is insuf... |

7 |
An interval-based abstraction for quantifying information flow
- Mu, Clark
(Show Context)
Citation Context ...r time with static stash stay_stash given stakeouts stakeout_east_west with (1) all possible non-adaptive orderings order (loworder = Some order), (2) a possible nonadaptive ordering (loworder = Some =-=[0;1;2;7;3;4;5;6]-=-), and (3) adaptive (loworder = None) stakeout locations, all not wait-adaptive (waitadapt = false). Figure 5 plots how the gain differs when we have a static secret with perfect raids, a static secre... |

6 | Min-entropy as a resource
- Espinoza, Smith
- 2013
(Show Context)
Citation Context ...t raids, and a dynamic secret with imperfect raids. The static portion (1) with perfect raid is an example of an analysis achievable by a parallel composition of channels and the vulnerability metric =-=[35]-=-. Adding the imperfect gain function (2) alters the shape of vulnerability over time though in a manner that is not a mere scaling of the perfect raid case. The small chance of a successful raid at th... |

5 | C.: Quantitative information flow in interactive systems
- Alvim, Andrés, et al.
(Show Context)
Citation Context ...tentially replace old secrets. The classic model cannot handle these moving targets. To quantify leakage about moving-target secrets, we need a model of how secrets evolve over time. Prior work [27], =-=[28]-=- has considered leakage only about the entire stream of secrets, rather than a particular value of a secret at a particular time. To address these insufficiencies in the classic model, we introduce a ... |

1 |
Time warp: How time affects privacy
- Marconi, Pietro, et al.
(Show Context)
Citation Context ...ced by the choice of low inputs. In the context of Location Based Services, the privacy of a moving individual is closely related to the amount of time he spends in a certain area, and Marconi et al. =-=[37]-=- demonstrate how an adversary with structured knowledge about a user’s behavior across time can pose a direct threat to his privacy. The work of Shokri et al. [38] strives to quantify the privacy of u... |