Quantifying Information Flow with Beliefs

To reason about information flow, a new model is developed that describes how attacker beliefs change due to the attacker's observation of the execution of a probabilistic (or deterministic) program. The model enables compositional reasoning about information flow from attacks involving sequences of interactions. The model also supports a new metric for quantitative information flow that measures accuracy of an attacker's beliefs. Applying this new metric reveals inadequacies of traditional information flow metrics, which are based on reduction of uncertainty. However, the new metric is sufficiently general that it can be instantiated to measure either accuracy or uncertainty. The new metric can also be used to reason about misinformation; deterministic programs are shown to be incapable of producing misinformation. Additionally, programs in which nondeterministic choices are made by insiders, who collude with attackers, can be analyzed

A Precise Information Flow Measure from Imprecise Probabilities

Dempster-Shafer theory of imprecise probabilities has proved useful to incorporate both nonspecificity and conflict uncertainties in an inference mechanism. The traditional Bayesian approach cannot differentiate between the two, and is unable to handle non-specific, ambiguous, and conflicting information without making strong assumptions. This paper presents a generalization of a recent Bayesian-based method of quantifying information flow in Dempster-Shafer theory. The generalization concretely enhances the original method removing all its weaknesses that are highlighted in this paper. In so many words, our generalized method can handle any number of secret inputs to a program, it enables the capturing of an attacker's beliefs in all kinds of sets (singleton or not), and it supports a new and precise quantitative information flow measure whose reported flow results are plausible in that they are bounded by the size of a program's secret input, and can be easily associated with the exhaustive search effort needed to uncover a program's secret information, unlike the results reported by the original metric.Comment: 10 pages. Appeared in the 6th International Conference on Software Security and Reliability (SERE 2012), Washington D.C., The United States, Proceedings of the 6th International Conference on Software Security and Reliability (SERE 2012), Washington D.C., The United State

A static analysis for quantifying information flow in a simple imperative language

We propose an approach to quantify interference in a simple imperative language that includes a looping construct. In this paper we focus on a particular case of this definition of interference: leakage of information from private variables to public ones via a Trojan Horse attack. We quantify leakage in terms of Shannon's information theory and we motivate our definition by proving a result relating this definition of leakage and the classical notion of programming language interference. The major contribution of the paper is a quantitative static analysis based on this definition for such a language. The analysis uses some non-trivial information theory results like Fano's inequality and L1 inequalities to provide reasonable bounds for conditional statements. While-loops are handled by integrating a qualitative flow-sensitive dependency analysis into the quantitative analysis

Deixis, binding and presupposition

Dynamic semantic accounts of presupposition have proven to quite successful improvements over earlier theories. One great advance has been to link presupposition and anaphora together (van der Sandt 92, Geurts 95), an approach that extends to integrate bridging and other discourse phenomena (Asher and Lascarides 1998a,b). In this extended anaphoric account, presuppositions attach, like assertions, to the discourse context via certain rhetorical relations. These discourse attachments constrain accommodation and help avoid some infelicitous predictions of standard accounts of presupposition. Further, they have interesting and complex interactions with underspecified conditions that are an important feature of the contributions of most presupposition triggers. Deictic uses of definites, on the other hand, seem at first glance to fall outside the purview of an anaphoric theory of presupposition. There seems to be little that a discourse based theory would have to say. I will argue, however, that a discourse based account can capture how these definites function in conversation. In particular such accounts can clarify the interaction between the uses of such deictic definites and various conversational moves. At least some deictic uses of definites generate presuppositions that are bound to the context via a rhetorical function that I'll call unchoring, which if successful entails a type of knowing how. If this anchoring function is accepted, then the acceptors know how to locate the referent of the definite in the present context. I'll concentrate here just on definites that refer to spatial locations, where the intuitions about anchoring are quite clear. But I think that this view extends to other deictic uses of definites and has ramifications for an analysis of de re attitudes as well