Abstract Hidden Markov Models: a monadic account of quantitative information flow

Hidden Markov Models, HMM's, are mathematical models of Markov processes with state that is hidden, but from which information can leak. They are typically represented as 3-way joint-probability distributions. We use HMM's as denotations of probabilistic hidden-state sequential programs: for that, we recast them as `abstract' HMM's, computations in the Giry monad $\mathbb{D}$, and we equip them with a partial order of increasing security. However to encode the monadic type with hiding over some state $\mathcal{X}$ we use $\mathbb{D}\mathcal{X}\to \mathbb{D}^2\mathcal{X}$ rather than the conventional $\mathcal{X}{\to}\mathbb{D}\mathcal{X}$ that suffices for Markov models whose state is not hidden. We illustrate the $\mathbb{D}\mathcal{X}\to \mathbb{D}^2\mathcal{X}$ construction with a small Haskell prototype. We then present uncertainty measures as a generalisation of the extant diversity of probabilistic entropies, with characteristic analytic properties for them, and show how the new entropies interact with the order of increasing security. Furthermore, we give a `backwards' uncertainty-transformer semantics for HMM's that is dual to the `forwards' abstract HMM's - it is an analogue of the duality between forwards, relational semantics and backwards, predicate-transformer semantics for imperative programs with demonic choice. Finally, we argue that, from this new denotational-semantic viewpoint, one can see that the Dalenius desideratum for statistical databases is actually an issue in compositionality. We propose a means for taking it into account

Hidden-Markov Program Algebra with iteration

We use Hidden Markov Models to motivate a quantitative compositional semantics for noninterference-based security with iteration, including a refinement- or "implements" relation that compares two programs with respect to their information leakage; and we propose a program algebra for source-level reasoning about such programs, in particular as a means of establishing that an "implementation" program leaks no more than its "specification" program. This joins two themes: we extend our earlier work, having iteration but only qualitative, by making it quantitative; and we extend our earlier quantitative work by including iteration. We advocate stepwise refinement and source-level program algebra, both as conceptual reasoning tools and as targets for automated assistance. A selection of algebraic laws is given to support this view in the case of quantitative noninterference; and it is demonstrated on a simple iterated password-guessing attack

Compositional bisimulation metric reasoning with Probabilistic Process Calculi

We study which standard operators of probabilistic process calculi allow for compositional reasoning with respect to bisimulation metric semantics. We argue that uniform continuity (generalizing the earlier proposed property of non-expansiveness) captures the essential nature of compositional reasoning and allows now also to reason compositionally about recursive processes. We characterize the distance between probabilistic processes composed by standard process algebra operators. Combining these results, we demonstrate how compositional reasoning about systems specified by continuous process algebra operators allows for metric assume-guarantee like performance validation

A Pre-expectation Calculus for Probabilistic Sensitivity

Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow

Continuous probability distributions in model-based specification languages

PhD ThesisModel-based speci cation languages provide a means for obtaining assurance of dependability of complex computer-based systems, but provide little support for modelling and analysing fault behaviour, which is inherently probabilistic in nature. In particular, the need for a detailed account of the role of continuous probability has been largely overlooked. This thesis addresses the role of continuous probability in model-based speci cation languages. A model-based speci cation language (sGCL) that supports continuous probability distributions is de ned. The use of sGCL and how it interacts with engineering practices is also explored. In addition, a re nement ordering for continuous probability distributions is given, and the challenge of combining non-determinism and continuous probability is discussed in depth. The thesis is presented in three parts. The rst uses two case studies to explore the use of probability in formal methods. The rst case study, on ash memory, is used to present the capabilities of probabilistic formal methods and to determine the kinds of questions that require continuous probability distributions to answer. The second, on an emergency brake system, illustrates the strengths and weaknesses of existing languages and provides a basis for exploring a prototype language that includes continuous probability. The second part of the thesis gives the formal de nition of sGCL's syntax and semantics. The semantics is made up of two parts, the proof theory (transformer semantics) and the underpinning mathematics (relational semantics). The additional language constructs and semantical features required to include non-determinism as well as continuous probability are also discussed. The most challenging aspect lies in proving the consistency of the semantics when non-determinism is also included. The third part uses a nal case study, on an aeroplane pitch monitor, to demonstrate the use of sGCL. The new analysis techniques provided by sGCL, and how they t in with engineering practices, are explored.EPSRC: The School of Computing Science, Newcastle University: DEPLOY project