1 / 36

Belief in Information Flow

Belief in Information Flow. Michael Clarkson, Andrew Myers, Fred B. Schneider Cornell University 18 th IEEE Computer Security Foundations Workshop June 20, 2005. Password Checker. Some programs require leakage of information. PWC: if p = g then a := 1 else a := 0.

munin
Télécharger la présentation

Belief in Information Flow

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Belief in Information Flow Michael Clarkson, Andrew Myers, Fred B. Schneider Cornell University 18th IEEE Computer Security Foundations Workshop June 20, 2005

  2. Password Checker Some programs require leakage of information PWC: if p = g then a := 1 else a := 0 p: stored password g: guessed passworda: authentication flag Clarkson et al.: Belief in Information Flow

  3. Password Checker  PWC: if p = g then a := 1 else a := 0 a depends on p:Noninterference is too strong But intuitively secure because PWCleaks little information about p… Clarkson et al.: Belief in Information Flow

  4. Quantitative Information Flow • Quantitative security policies: • Expected rate of flow is at most k bits per second • At most k bits leak in any execution • Enforcing these requires a model for quantitative information flow (QIF) • This work: A model for QIF Clarkson et al.: Belief in Information Flow

  5. Traditional Model for QIF probability distributions Hin Hout S Lin Lout • Flow = Uncertainty(Hin) – Uncertainty(Hin| Lout) • Uncertainty measured with some variant of entropy[Denning 82; McIver and Morgan 03; Clark, Hunt, and Malacaria 05] Information flows when uncertainty is decreased Clarkson et al.: Belief in Information Flow

  6. Adding Beliefs to Model • Model attacker’s uncertainty about H inputs as a probability distribution • We call this distribution a belief Hin Hout S Lin Lout Clarkson et al.: Belief in Information Flow

  7. Analyzing PWC Attacker believes: p = A 0.98 B 0.01 C 0.01 After observing a = 0, attacker believes: p = A 0 B 0.5 C 0.5 PWC: if p = g then a := 1 else a := 0 Attacker guessesA: g = A (Password is really C) Clarkson et al.: Belief in Information Flow

  8. Analyzing PWC p = A 0.98 B 0.01 C 0.01 p = A 0 B 0.5 C 0.5 a little uncertainty more uncertainty Information flows when uncertainty is decreased Prebelief Postbelief Uncertainty = closeness to uniform distribution  Traditional metric: Clarkson et al.: Belief in Information Flow

  9. Why Uncertainty Fails Uncertainty-based approach addresses objective probabilities on system but not subjective probabilities of attacker Clarkson et al.: Belief in Information Flow

  10. Metric for Belief d2 d1 p = A 0 B 0 C 1 reality p = A 0 B 0.5 C 0.5 postbelief p = A 0.98 B 0.01 C 0.01 prebelief d1 > d2: postbelief closer to reality because of observation of program Clarkson et al.: Belief in Information Flow

  11. Accuracy Certainty p = A 0.98 B 0.01 C 0.01 p = A 0 B 0.5 C 0.5 prebelief postbelief Accuracy Accuracy: Distance from a belief to reality Accuracy is the correct metric for QIF Clarkson et al.: Belief in Information Flow

  12. Belief in Information Flow • Experiment protocol Describes how attackers revise beliefs from observation of program execution • Accuracy metric How change in accuracy of belief can be used to measure the amount of information flow • Extensions Repeated experiments, other metrics, and misinformation Clarkson et al.: Belief in Information Flow

  13. Experiments p = A 0.98 B 0.01 C 0.01 p = A 0 B 0.5 C 0.5 Experiment: How an attacker revises his belief Prebelief Postbelief Clarkson et al.: Belief in Information Flow

  14. Experiment Protocol Hin Hout S Lin Lout preB postB Clarkson et al.: Belief in Information Flow

  15. Experiment Protocol Hin Hout • Attacker chooses prebelief S Lin Lout preB postB preB Clarkson et al.: Belief in Information Flow

  16. Experiment Protocol Hin Hout • Attacker chooses prebelief • System and attacker choose inputs Hin, Lin S Lin Lout preB postB preB Clarkson et al.: Belief in Information Flow

  17. Experiment Protocol Hin Hout • Attacker chooses prebelief • System and attacker choose inputs Hin, Lin • System executes S and produces observation Execution modeled as a distribution transformer semantics: «S¬ : Dist!Dist S Lin Lout observation preB postB preB Clarkson et al.: Belief in Information Flow

  18. Experiment Protocol Hin Hout • Attacker chooses prebelief • System and attacker choose inputs Hin, Lin • System executes S and produces observation • Attacker conducts thought-experiment to obtain prediction S Lin Lin Lout observation preB postB preB Clarkson et al.: Belief in Information Flow

  19. Experiment Protocol H’out L’out Hin preB Hin • Attacker conducts thought-experiment to obtain prediction S prediction Lin Clarkson et al.: Belief in Information Flow

  20. Experiment Protocol | = prediction observation postB • Attacker chooses prebelief • System and attacker choose inputs Hin, Lin • System executes S and produces observation • Attacker conducts thought-experiment to obtain prediction • Attacker infers postbelief: preB Hin S prediction S Lin observation Lin preB Bayesian inference postB preB Clarkson et al.: Belief in Information Flow

  21. Belief Revision in PWC = preB p,a = A,0 0 A,1 0.98B,0 0.01 B,1 0C,0 0.01C,1 0 | prediction observation p = A 0.98 B 0.01 C 0.01 = | a = 0 p = A 0 B 0.5 C 0.5 ´ = postB Clarkson et al.: Belief in Information Flow

  22. Accuracy Metric Amount of flow Q is improvement in accuracy of belief i.e. (initial error) – (final error) D(postB ! Hin) D(preB ! Hin) preB postB Hin Q = D(preB ! Hin) –D(postB ! Hin) Clarkson et al.: Belief in Information Flow

  23. Belief Distance Unit is (information theoretic) bits Relative entropy: When D is defined as relative entropy, Q is the amount of information that the attacker’s observation contains about the high input. Clarkson et al.: Belief in Information Flow

  24. Amount of Flow from PWC Max leakage of lg 3 bits implies uniform prebelief: .6 bits 5 bits 1.6 bits p = A,B,C 1/3 each .98, .01, .01 1/3, 1/3, 1/3 0, 0, 1 0, .5, .5 Q = D(.98, .01, .01!0, 0, 1) – D(0, .5, .5!0, 0, 1) = 5.6 bits Information is in the eye of the beholder Clarkson et al.: Belief in Information Flow

  25. Repeated Experiments Information flow is also compositional The amount of information flow over a series of experiments is equal to the sum of the amount of information flow in each individual experiment. Experiment protocol is compositional Exp Exp B B’ B’’ Clarkson et al.: Belief in Information Flow

  26. Extensions of Metric • So far: exact flow for a single execution • Extend to: {Expected, maximum} amount of information flow {for a given experiment, over all experiments} • Language for quantitative flow policies Clarkson et al.: Belief in Information Flow

  27. Misinformation Certainty ? Accuracy FPWC: if p = g then a := 1 else a := 0; if random() < .1 then a := !a Non-probabilistic programs cannot create misinformation. Clarkson et al.: Belief in Information Flow

  28. Summary • Attackers have beliefs • Quantifying information flow with beliefs requires accuracy • Traditional uncertainty model is inappropriate • Presented more expressive, fine-grained model of quantitative information flow • Compositional experiment protocol • Probabilistic language semantics • Accuracy-based metric Clarkson et al.: Belief in Information Flow

  29. Related Work • Information theory in information flow • [Denning 82], [Millen 87], [Wittbold, Johnson 90], [Gray 91] • Quantitative information flow • Using uncertainty: [Lowe 02], [McIver, Morgan 03], [Clark, Hunt, Malacaria 01 - 05] • Using sampling theory: [Di Pierro, Hankin, Wiklicky 00 - 05] • Database privacy • Using relative entropy: [Evfimievski, Gehrke, Srikant 03] Clarkson et al.: Belief in Information Flow

  30. Future Work • Extended programming language • Lattice of security levels • Static analysis • Quantitative security policies Clarkson et al.: Belief in Information Flow

  31. Belief in Information Flow Michael Clarkson, Andrew Myers, Fred B. Schneider Cornell University 18th IEEE Computer Security Foundations Workshop June 20, 2005

  32. Extra Slides Clarkson et al.: Belief in Information Flow

  33. Beliefs as Distributions • Other choices: Dempster-Shafer belief functions, plausibility measures, etc. • Probability distributions are: • Quantitative • Axiomatically justifiable • Straightforward • Familiar • Abstract operations • Product: combine disjoint beliefs • Update: condition belief to include new information • Distance: quantification of difference between two beliefs Clarkson et al.: Belief in Information Flow

  34. Program Semantics Clarkson et al.: Belief in Information Flow

  35. Postbeliefs are Bayesian • Standard techniques for inference in applied statistics • Bayesian inference • Sampling/frequentist theory • Bayesian inference: • Formalization of scientific method • Consistent with principles of rationality in a betting game • May be subjective but is not arbitrary Clarkson et al.: Belief in Information Flow

  36. Interpreting Flow Quantities • Uncertainty (entropy) interpreted as: • Improvement of expected codeword length • Accuracy (relative entropy) interpreted as: • Improvement in efficiency of optimal code Clarkson et al.: Belief in Information Flow

More Related