Quantitative security analysis for programs with low input and noisy output

Minh Tri Ngo, Marieke Huisman

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

4 Citations (Scopus)

Abstract

Classical quantitative information flow analysis often considers a system as an information-theoretic channel, where private data are the only inputs and public data are the outputs. However, for systems where an attacker is able to influence the initial values of public data, these should also be considered as inputs of the channel. This paper adapts the classical view of information-theoretic channels in order to quantify information flow of programs that contain both private and public inputs. Additionally, we show that our measure also can be used to reason about the case where a system operator on purpose adds noise to the output, instead of always producing the correct output. The noisy outcome is used to reduce the correlation between the output and the input, and thus to increase the remaining uncertainty. However, even though adding noise to the output enhances the security, it reduces the reliability of the program. We show how given a certain noisy output policy, the increase in security and the decrease in reliability can be quantified.
Original languageUndefined
Title of host publicationProceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014
Place of PublicationLondon
PublisherSpringer
Pages77-94
Number of pages18
ISBN (Print)978-3-319-04896-3
DOIs
Publication statusPublished - Feb 2014
Event6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014 - Technische Universität München, Munich, Germany
Duration: 26 Feb 201428 Feb 2014
Conference number: 6
https://distrinet.cs.kuleuven.be/events/essos/2014/

Publication series

NameLecture Notes in Computer Science
PublisherSpringer Verlag
Volume8364

Conference

Conference6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014
Abbreviated titleESSoS
CountryGermany
CityMunich
Period26/02/1428/02/14
Internet address

Keywords

  • EWI-24027
  • METIS-303973
  • IR-88367

Cite this

Ngo, M. T., & Huisman, M. (2014). Quantitative security analysis for programs with low input and noisy output. In Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014 (pp. 77-94). (Lecture Notes in Computer Science; Vol. 8364). London: Springer. https://doi.org/10.1007/978-3-319-04897-0_6
Ngo, Minh Tri ; Huisman, Marieke. / Quantitative security analysis for programs with low input and noisy output. Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014. London : Springer, 2014. pp. 77-94 (Lecture Notes in Computer Science).
@inproceedings{bd3f1a7a6ec54965944362e6ab8ef39a,
title = "Quantitative security analysis for programs with low input and noisy output",
abstract = "Classical quantitative information flow analysis often considers a system as an information-theoretic channel, where private data are the only inputs and public data are the outputs. However, for systems where an attacker is able to influence the initial values of public data, these should also be considered as inputs of the channel. This paper adapts the classical view of information-theoretic channels in order to quantify information flow of programs that contain both private and public inputs. Additionally, we show that our measure also can be used to reason about the case where a system operator on purpose adds noise to the output, instead of always producing the correct output. The noisy outcome is used to reduce the correlation between the output and the input, and thus to increase the remaining uncertainty. However, even though adding noise to the output enhances the security, it reduces the reliability of the program. We show how given a certain noisy output policy, the increase in security and the decrease in reliability can be quantified.",
keywords = "EWI-24027, METIS-303973, IR-88367",
author = "Ngo, {Minh Tri} and Marieke Huisman",
note = "10.1007/978-3-319-04897-0_6",
year = "2014",
month = "2",
doi = "10.1007/978-3-319-04897-0_6",
language = "Undefined",
isbn = "978-3-319-04896-3",
series = "Lecture Notes in Computer Science",
publisher = "Springer",
pages = "77--94",
booktitle = "Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014",

}

Ngo, MT & Huisman, M 2014, Quantitative security analysis for programs with low input and noisy output. in Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014. Lecture Notes in Computer Science, vol. 8364, Springer, London, pp. 77-94, 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014, Munich, Germany, 26/02/14. https://doi.org/10.1007/978-3-319-04897-0_6

Quantitative security analysis for programs with low input and noisy output. / Ngo, Minh Tri; Huisman, Marieke.

Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014. London : Springer, 2014. p. 77-94 (Lecture Notes in Computer Science; Vol. 8364).

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

TY - GEN

T1 - Quantitative security analysis for programs with low input and noisy output

AU - Ngo, Minh Tri

AU - Huisman, Marieke

N1 - 10.1007/978-3-319-04897-0_6

PY - 2014/2

Y1 - 2014/2

N2 - Classical quantitative information flow analysis often considers a system as an information-theoretic channel, where private data are the only inputs and public data are the outputs. However, for systems where an attacker is able to influence the initial values of public data, these should also be considered as inputs of the channel. This paper adapts the classical view of information-theoretic channels in order to quantify information flow of programs that contain both private and public inputs. Additionally, we show that our measure also can be used to reason about the case where a system operator on purpose adds noise to the output, instead of always producing the correct output. The noisy outcome is used to reduce the correlation between the output and the input, and thus to increase the remaining uncertainty. However, even though adding noise to the output enhances the security, it reduces the reliability of the program. We show how given a certain noisy output policy, the increase in security and the decrease in reliability can be quantified.

AB - Classical quantitative information flow analysis often considers a system as an information-theoretic channel, where private data are the only inputs and public data are the outputs. However, for systems where an attacker is able to influence the initial values of public data, these should also be considered as inputs of the channel. This paper adapts the classical view of information-theoretic channels in order to quantify information flow of programs that contain both private and public inputs. Additionally, we show that our measure also can be used to reason about the case where a system operator on purpose adds noise to the output, instead of always producing the correct output. The noisy outcome is used to reduce the correlation between the output and the input, and thus to increase the remaining uncertainty. However, even though adding noise to the output enhances the security, it reduces the reliability of the program. We show how given a certain noisy output policy, the increase in security and the decrease in reliability can be quantified.

KW - EWI-24027

KW - METIS-303973

KW - IR-88367

U2 - 10.1007/978-3-319-04897-0_6

DO - 10.1007/978-3-319-04897-0_6

M3 - Conference contribution

SN - 978-3-319-04896-3

T3 - Lecture Notes in Computer Science

SP - 77

EP - 94

BT - Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014

PB - Springer

CY - London

ER -

Ngo MT, Huisman M. Quantitative security analysis for programs with low input and noisy output. In Proceedings of the 6th International Symposium on Engineering Secure Software and Systems, ESSoS 2014. London: Springer. 2014. p. 77-94. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-319-04897-0_6