3 research outputs found
Hidden-Markov Program Algebra with iteration
We use Hidden Markov Models to motivate a quantitative compositional
semantics for noninterference-based security with iteration, including a
refinement- or "implements" relation that compares two programs with respect to
their information leakage; and we propose a program algebra for source-level
reasoning about such programs, in particular as a means of establishing that an
"implementation" program leaks no more than its "specification" program.
This joins two themes: we extend our earlier work, having iteration but only
qualitative, by making it quantitative; and we extend our earlier quantitative
work by including iteration. We advocate stepwise refinement and
source-level program algebra, both as conceptual reasoning tools and as targets
for automated assistance. A selection of algebraic laws is given to support
this view in the case of quantitative noninterference; and it is demonstrated
on a simple iterated password-guessing attack
Abstract Hidden Markov Models: a monadic account of quantitative information flow
Hidden Markov Models, HMM's, are mathematical models of Markov processes with
state that is hidden, but from which information can leak. They are typically
represented as 3-way joint-probability distributions.
We use HMM's as denotations of probabilistic hidden-state sequential
programs: for that, we recast them as `abstract' HMM's, computations in the
Giry monad , and we equip them with a partial order of increasing
security. However to encode the monadic type with hiding over some state
we use rather
than the conventional that suffices for
Markov models whose state is not hidden. We illustrate the
construction with a small
Haskell prototype.
We then present uncertainty measures as a generalisation of the extant
diversity of probabilistic entropies, with characteristic analytic properties
for them, and show how the new entropies interact with the order of increasing
security. Furthermore, we give a `backwards' uncertainty-transformer semantics
for HMM's that is dual to the `forwards' abstract HMM's - it is an analogue of
the duality between forwards, relational semantics and backwards,
predicate-transformer semantics for imperative programs with demonic choice.
Finally, we argue that, from this new denotational-semantic viewpoint, one
can see that the Dalenius desideratum for statistical databases is actually an
issue in compositionality. We propose a means for taking it into account