Quantitative Information Flow as Network Flow Capacity

McCamant, Stephen; Ernst, Michael D.

Author(s)

McCamant, Stephen; Ernst, Michael D.

DownloadMIT-CSAIL-TR-2007-057.pdf (1010.Kb)

Additional downloads

MIT-CSAIL-TR-2007-057.ps (24.05Mb)

Other Contributors

Program Analysis

Advisor

Michael Ernst

Metadata

Show full item record

Abstract

We present a new technique for determining how much information abouta program's secret inputs is revealed by its public outputs. Incontrast to previous techniques based on reachability from secretinputs (tainting), it achieves a more precise quantitative result bycomputing a maximum flow of information between the inputs andoutputs. The technique uses static control-flow regions to soundlyaccount for implicit flows via branches and pointer operations, butoperates dynamically by observing one or more program executions andgiving numeric flow bounds specific to them (e.g., "17 bits"). Themaximum flow in a network also gives a minimum cut (a set of edgesthat separate the secret input from the output), which can be used toefficiently check that the same policy is satisfied on futureexecutions. We performed case studies on 5 real C, C++, and ObjectiveC programs, 3 of which had more than 250K lines of code. The toolchecked multiple security policies, including one that was violated bya previously unknown bug.

Date issued

2007-12-10

URI

http://hdl.handle.net/1721.1/39812

Other identifiers

MIT-CSAIL-TR-2007-057

Keywords

Confidentiality, Privacy, Information disclosure, Tainting, Implicit flows, Valgrind, Memcheck

Collections

CSAIL Technical Reports (July 1, 2003 - present)