Abstract Hidden Markov Models: a monadic account of quantitative information flow
Hidden Markov Models, HMM's, are mathematical models of Markov processes with
state that is hidden, but from which information can leak. They are typically
represented as 3-way joint-probability distributions.
We use HMM's as denotations of probabilistic hidden-state sequential
programs: for that, we recast them as `abstract' HMM's, computations in the
Giry monad , and we equip them with a partial order of increasing
security. However to encode the monadic type with hiding over some state
we use rather
than the conventional that suffices for
Markov models whose state is not hidden. We illustrate the
construction with a small
Haskell prototype.
We then present uncertainty measures as a generalisation of the extant
diversity of probabilistic entropies, with characteristic analytic properties
for them, and show how the new entropies interact with the order of increasing
security. Furthermore, we give a `backwards' uncertainty-transformer semantics
for HMM's that is dual to the `forwards' abstract HMM's - it is an analogue of
the duality between forwards, relational semantics and backwards,
predicate-transformer semantics for imperative programs with demonic choice.
Finally, we argue that, from this new denotational-semantic viewpoint, one
can see that the Dalenius desideratum for statistical databases is actually an
issue in compositionality. We propose a means for taking it into account
The Shadow Knows: Refinement and security in sequential programs
Stepwise refinement is a crucial conceptual tool for system development, encouraging program construction via a number of separate correctness-preserving stages which ideally can be understood in isolation. A crucial conceptual component of security is an adversary’s ignorance of concealed information. We suggest a novel method of combining these two ideas. Our suggestion is based on a mathematical definition of “ignorance-preserving” refinement that extends classical refinement by limiting an adversary’s access to concealed information: moving from specification to implementation should never increase that access. The novelty is the way we achieve this in the context of sequential programs. Specifically we give an operational model (and detailed justification for it), a basic sequential programming language and its operational semantics in that model, a “logic of ignorance” interpreted over the same model, then a program-logical semantics bringing those together — and finally we use the logic to establish, via refinement, the correctness of a real (though small) protocol: Rivest’s Oblivious Transfer. A previous report⋆ treated Chaum’s Dining Cryptographers similarly. In passing we solve the Refinement Paradox for sequential programs
Hidden-Markov Program Algebra with iteration
We use Hidden Markov Models to motivate a quantitative compositional
semantics for noninterference-based security with iteration, including a
refinement- or "implements" relation that compares two programs with respect to
their information leakage; and we propose a program algebra for source-level
reasoning about such programs, in particular as a means of establishing that an
"implementation" program leaks no more than its "specification" program.
This joins two themes: we extend our earlier work, having iteration but only
qualitative, by making it quantitative; and we extend our earlier quantitative
work by including iteration. We advocate stepwise refinement and
source-level program algebra, both as conceptual reasoning tools and as targets
for automated assistance. A selection of algebraic laws is given to support
this view in the case of quantitative noninterference; and it is demonstrated
on a simple iterated password-guessing attack
A New Proof Rule for Almost-Sure Termination
An important question for a probabilistic program is whether the probability
mass of all its diverging runs is zero, that is that it terminates "almost
surely". Proving that can be hard, and this paper presents a new method for
doing so; it is expressed in a program logic, and so applies directly to source
code. The programs may contain both probabilistic- and demonic choice, and the
probabilistic choices may depend on the current state.
As do other researchers, we use variant functions (a.k.a.
"super-martingales") that are real-valued and probabilistically might decrease
on each loop iteration; but our key innovation is that the amount as well as
the probability of the decrease are parametric.
We prove the soundness of the new rule, indicate where its applicability goes
beyond existing rules, and explain its connection to classical results on
denumerable (non-demonic) Markov chains.
Comment: V1 to appear in PoPL18. This version collects some existing text into
new example subsection 5.5 and adds a new example 5.6 and makes further
remarks about uncountable branching. The new example 5.6 relates to work on
lexicographic termination methods, also to appear in PoPL18 [Agrawal et al,
Characterising Testing Preorders for Finite Probabilistic Processes
In 1992 Wang & Larsen extended the may- and must preorders of De Nicola and
Hennessy to processes featuring probabilistic as well as nondeterministic
choice. They concluded with two problems that have remained open throughout the
years, namely to find complete axiomatisations and alternative
characterisations for these preorders. This paper solves both problems for
finite processes with silent moves. It characterises the may preorder in terms
of simulation, and the must preorder in terms of failure simulation. It also
gives a characterisation of both preorders using a modal logic. Finally it
axiomatises both preorders over a probabilistic version of CSP.
Comment: 33 page
Source-level reasoning for quantitative information flow
We present a novel formal system for proving quantitative-leakage properties
of programs. Based on a theory of Quantitative Information Flow (QIF) that
models information leakage as a noisy communication channel, it uses
"gain-functions" for the description and measurement of expected leaks.
We use a small imperative programming language, augmented with leakage
features, and with it express adversaries' activities in the style of, but more
generally than, the Hoare triples or expectation transformers that
traditionally express deterministic or probabilistic correctness but without
information flow.
The programs are annotated with "gain-expressions" that capture simple
adversarial settings such as "Guess the secret in one try." but also much more
general ones; and our formal syntax and logic-based framework enables us to
transform such gain-expressions that apply after a program has finished to ones
that equivalently apply before the program has begun.
In that way we enable a formal proof-based reasoning system for QIF at the
source level. We apply it to the programming language we have chosen, and
demonstrate its effectiveness in a number of small but sometimes intricate
Who Shall Gainsay Our Decision? Choctaw Literary Nationalism in the Nineteenth Century
This study examines the writing of a group of young Choctaw intellectuals, the first generation of that society of American Indians to embrace literacy as a fully viable tool of discourse. Working in the pre-removal period, 1824-1831, as the Choctaws made preparations for their great emigration from the state of Mississippi to their new sovereign soil west of the Mississippi River, their writing evinces a nationalistic fervor. In conversation with each other, the tribal intellectuals conceptualize their transition from a pre-modern ethno-historical group to a fully-fledged constitutional republic. Primary focal texts for the study include James L. McDonald's Spectre Essay of 1830 and Peter Perkins Pitchlynn's journal of 1828. McDonald's essay presents a translation of an old Choctaw legend into English and a comparative analysis of Choctaw language arts with English language art forms. Pitchlynn's journal chronicles the findings of a multi-tribal delegation, dispatched to explore the southeastern section of Indian Territory, present-day Oklahoma, when the region was largely uninhabited and unimproved wilderness. Pitchlynn reports his encounters with such famous nineteenth century Native luminaries as Tenskwatawa, the Shawnee Prophet, and Pahuska, great chief of the Osages. Secondary texts include correspondence between McDonald, Pitchlynn and their peers in the period right after the removal Treaty of Dancing Rabbit Creek was signed, but before the emigration actually took place
The social justice issues of smoke im/mobilities
In 2014, the Hazelwood mine fire burned for 45 days. Local communities were impacted by smoke and ash, and there were reports of raised carbon monoxide levels. Local news and social media reported residents experiencing numerous physical symptoms of smoke inhalation, including bleeding noses, coughing, wheezing and chest tightness. Paper masks to filter particulate matter were made available to residents to wear outside. The dust and ash constantly seeped into homes and offices, which required cleaning daily and sometimes multiple times during the day. Smoke was free to move across physical and bodily boundaries while those most vulnerable were hampered by lack of movement: pregnant women, the elderly and children were advised to leave the area. However, this suggestion to ‘simply’ move ignored the context of a community disproportionately impacted through years of economic decline and societal change. This paper explores the unequal mobilities of smoke and people that arose as a result of this event and draws on concepts of mobility justice (Sheller 2018) and emergency mobilities (Adey 2016) to reflect on the political dimensions of uneven mobility in times of crisi
A novel analysis of utility in privacy pipelines, using Kronecker products and quantitative information flow
We combine Kronecker products, and quantitative information flow, to give a
novel formal analysis for the fine-grained verification of utility in complex
privacy pipelines. The combination explains a surprising anomaly in the
behaviour of utility of privacy-preserving pipelines -- that sometimes a
reduction in privacy results also in a decrease in utility. We use the standard
measure of utility for Bayesian analysis, introduced by Ghosh et al., to
produce tractable and rigorous proofs of the fine-grained statistical behaviour
leading to the anomaly. More generally, we offer the prospect of
formal-analysis tools for utility that complement extant formal analyses of
privacy. We demonstrate our results on a number of common privacy-preserving