Show simple item record

dc.contributor.advisorMichael D. Ernst.en_US
dc.contributor.authorMcCamant, Stephenen_US
dc.contributor.otherMassachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.en_US
dc.date.accessioned2009-03-20T19:30:40Z
dc.date.available2009-03-20T19:30:40Z
dc.date.copyright2008en_US
dc.date.issued2008en_US
dc.identifier.urihttp://hdl.handle.net/1721.1/44903
dc.descriptionThesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008.en_US
dc.descriptionThis electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.en_US
dc.descriptionIncludes bibliographical references (p. 99-105).en_US
dc.description.abstractAn information-flow security policy constrains a computer system's end-to-end use of information, even as it is transformed in computation. For instance, a policy would not just restrict what secret data could be revealed directly, but restrict any output that might allow inferences about the secret. Expressing such a policy quantitatively, in terms of a specific number of bits of information, is often an effective program independent way of distinguishing what scenarios should be allowed and disallowed. This thesis describes a family of new techniques for measuring how much information about a program's secret inputs is revealed by its public outputs on a particular execution, in order to check a quantitative policy on realistic systems. Our approach builds on dynamic tainting, tracking at runtime which bits might contain secret in formation, and also uses static control-flow regions to soundly account for implicit flows via branches and pointer operations. We introduce a new graph model that bounds information flow by the maximum flow between inputs and outputs in a flow network representation of an execution. The flow bounds obtained with maximum flow are much more precise than those based on tainting alone (which is equivalent to graph reachability). The bounds are a conservative estimate of channel capacity: the amount of information that could be transmitted by an adversary making an arbitrary choice of secret inputs. We describe an implementation named Flowcheck, built using the Valgrind framework for x86/Linux binaries, and use it to perform case studies on six real C, C++, and Objective C programs, three of which have more than 250,000 lines of code. We used the tool to check the confidentiality of a different kind of information appropriate to each program. Its results either verified that the information was appropriately kept secret on the examined executions, or revealed unacceptable leaks, in one case due to a previously unknown bug.en_US
dc.description.statementofresponsibilityby Stephen Andrew McCamant.en_US
dc.format.extent105 p.en_US
dc.language.isoengen_US
dc.publisherMassachusetts Institute of Technologyen_US
dc.rightsM.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission.en_US
dc.rights.urihttp://dspace.mit.edu/handle/1721.1/7582en_US
dc.subjectElectrical Engineering and Computer Science.en_US
dc.titleQuantitative information-flow tracking for real systemsen_US
dc.typeThesisen_US
dc.description.degreePh.D.en_US
dc.contributor.departmentMassachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
dc.identifier.oclc297537875en_US


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record