Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quantification of Integrity

Published byBarrie Briggs Modified over 6 years ago

Similar presentations

Presentation on theme: "Quantification of Integrity"— Presentation transcript:

1 Quantification of Integrity
Michael Clarkson and Fred B. Schneider Cornell University SnT Seminar University of Luxembourg September 9, 2010 Joint work with FBS at Cornell University. The title says it all. This work is about quantification of integrity. But in more detail, I mean…

2 Goal Information-theoretic Quantification of programs’ impact on Integrity of Information [Denning 1982] Idea of applying info theory to programs isn’t new. But looking at integrity is a quite recent development. And what *is* integrity?

3 What is Integrity? Common Criteria: Biba (1977): Databases:
Protection of assets from unauthorized modification Biba (1977): Guarantee that a subsystem will perform as it was intended Isolation necessary for protection from subversion Dual to confidentiality Databases: Constraints that relations must satisfy Provenance of data Utility of anonymized data …no universal definition //Biba said “adheres to well-defined code of conduct” by analogy to personal integrity. So we take 2 starting points.

4 Our Notions of Integrity
Corruption: damage to integrity Starting Point Corruption Measure Taint analysis Contamination Program correctness Suppression

5 Our Notions of Integrity
Corruption: damage to integrity Starting Point Corruption Measure Taint analysis Contamination Program correctness Suppression …I’ll start by talking about contamination. Contamination: bad information present in output Suppression: good information lost from output …distinct, but interact

6 Contamination Goal: model taint analysis Program untrusted Attacker
User User Untrusted = tainted; trusted = untainted. This model has active attacker who provides inputs, not just an attacker who observes output.

7 Untrusted input contaminates trusted output
Contamination Goal: model taint analysis Untrusted input contaminates trusted output Program untrusted Attacker Attacker trusted User User If this looks familiar---it should.

8 Contamination u contaminates o o:=(t,u)

9 (Can’t u be filtered from o?)
Contamination u contaminates o (Can’t u be filtered from o?) o:=(t,u) Answer: Yes. Just like in real life, contaminants can be filtered out. But contamination is about the amount of contaminant present in the output---not about what user does with output.

10 Quantification of Contamination
Use information theory: information is surprise X, Y, Z: distributions I(X,Y): mutual information between X and Y (in bits) I(X,Y | Z): conditional mutual information An event with probability ½ conveys 1 bit of information. E.g., coin flip.

11 Quantification of Contamination
Program User Attacker trusted untrusted

12 Quantification of Contamination
Uin Program User Attacker trusted untrusted Tin Tout Uin and Tin characterize probability with which agents choose inputs. Tout is a function of the input distributions and the program, which might itself behave randomly.

13 Quantification of Contamination
Contamination = I(Uin,Tout | Tin) Uin Program User Attacker trusted untrusted Tin Tout Why condition on Tin? To model the fact that the user can observe the trusted inputs---since he does supply them himself. [Newsome et al. 2009] Dual of [Clark et al. 2005, 2007]

14 Example of Contamination
o:=(t,u) Contamination = I(U, O | T) = k bits if U is uniform on [0,2k-1]

15 Our Notions of Integrity
Corruption: damage to integrity Starting Point Corruption Measure Taint analysis Contamination Program correctness Suppression Contamination: bad information present in output Suppression: good information lost from output

16 Program Suppression Goal: model program (in)correctness Specification
Sender Receiver correct (Specification must be deterministic)

17 Program Suppression Goal: model program (in)correctness Specification
Sender Receiver correct Implementation untrusted Attacker Attacker Attacker and Sender could share choosing the Spec’s Inputs. How to divide Input between Attacker and Sender? Doesn’t matter; just need joint probability distribution on Spec and Impl to ensure that inputs are the same in individual runs. Likewise, can match up differing named, typed outputs via joint distribution. trusted Sender Receiver real

18 Program Suppression Goal: model program (in)correctness
Specification Sender Receiver correct Implementation untrusted Attacker Attacker Implementation might be buggy; attacker might influence output. Normally think of any incorrectness as bad. Here, we quantify---more nuanced. trusted Sender Receiver real Implementation might suppress information about correct output from real output

19 Example of Program Suppression
Spec. for (i=0; i<m; i++) { s := s + a[i]; } a[0..m-1]: trusted

20 Example of Program Suppression
Spec. for (i=0; i<m; i++) { s := s + a[i]; } a[0..m-1]: trusted Impl. 1 for (i=1; i<m; i++) { s := s + a[i]; } Suppression—a[0] missing No contamination

21 Example of Program Suppression
Spec. for (i=0; i<m; i++) { s := s + a[i]; } a[0..m-1]: trusted Impl. 1 Impl. 2 for (i=1; i<m; i++) { s := s + a[i]; } for (i=0; i<=m; i++) { s := s + a[i]; } a[m]: untrusted Suppression—a[0] missing No contamination Suppression—a[m] added Contamination

22 Suppression vs. Contamination
output := input Contamination Attacker Attacker * * Suppression

23 Quantification of Program Suppression
Specification Sender Receiver Implementation untrusted Attacker Attacker trusted Sender Receiver

24 Quantification of Program Suppression
In Spec Specification Sender Receiver Implementation untrusted Attacker Attacker trusted Sender Receiver

25 Quantification of Program Suppression
In Spec Specification Sender Receiver Uin Implementation untrusted Attacker Attacker trusted Sender Receiver Tin Impl

26 Quantification of Program Suppression
In Spec Specification Sender Receiver Uin Implementation untrusted Attacker Attacker trusted Sender Receiver Tin Impl Program transmission = I(Spec , Impl)

27 Quantification of Program Suppression
H(X): entropy (uncertainty) of X H(X|Y): conditional entropy of X given Y Program Transmission = I(Spec, Impl) = H(Spec) − H(Spec | Impl)

28 Quantification of Program Suppression
H(X): entropy (uncertainty) of X H(X|Y): conditional entropy of X given Y Program Transmission = I(Spec, Impl) = H(Spec) − H(Spec | Impl) Total info to learn about Spec

29 Quantification of Program Suppression
H(X): entropy (uncertainty) of X H(X|Y): conditional entropy of X given Y Program Transmission = I(Spec, Impl) = H(Spec) − H(Spec | Impl) Info actually learned about Spec by observing Impl Total info to learn about Spec

30 Quantification of Program Suppression
H(X): entropy (uncertainty) of X H(X|Y): conditional entropy of X given Y Program Transmission = I(Spec, Impl) = H(Spec) − H(Spec | Impl) Info actually learned about Spec by observing Impl Total info to learn about Spec Info NOT learned about Spec by observing Impl

31 Quantification of Program Suppression
H(X): entropy (uncertainty) of X H(X|Y): conditional entropy of X given Y Program Transmission = I(Spec, Impl) = H(Spec) − H(Spec | Impl) Program Suppression = H(Spec | Impl)

32 Example of Program Suppression
Spec. for (i=0; i<m; i++) { s := s + a[i]; } Impl. 1 Impl. 2 for (i=1; i<m; i++) { s := s + a[i]; } for (i=0; i<=m; i++) { s := s + a[i]; } Of course, we can quantify suppression of impl. 2 exactly, given specific probability distributions. I’ve defined contamination and suppression now for mutual information based definitions. Can extend to richer scenario of beliefs. Suppression = H(A) Suppression ≤ H(A) A = distribution of individual array elements

33 Echo Specification Tin Tin output := input trusted Sender Receiver

34 Echo Specification Tin Tin output := input trusted Sender Receiver Uin
Implementation untrusted Attacker Attacker trusted Sender Receiver Tin Tout

35 Simplifies to information-theoretic model of channels, with attacker
Echo Specification Tin Tin output := input trusted Sender Receiver Uin Implementation untrusted Attacker Attacker trusted Sender Receiver Tin Tout Simplifies to information-theoretic model of channels, with attacker

36 Channel Suppression Channel transmission = I(Tin,Tout)
Uin Channel untrusted Attacker Attacker trusted Sender Receiver Tin Tout Channel transmission = I(Tin,Tout) Channel suppression = H(Tin | Tout) (Tout depends on Uin)

37 Belief-based Metrics What if user’s/receiver’s distribution on unobservable inputs is wrong?  Belief-based information flow [Clarkson et al. 2005] Belief-based generalizes information-theoretic: On single executions, the same In expectation, the same …if user’s/receiver’s distribution is correct Correct means that the distribution is NOT wrong. What about relationship between confidentiality and integrity?

38 Suppression and Confidentiality
Declassifier: program that reveals (leaks) some information; suppresses rest Leakage: [Denning 1982, Millen 1987, Gray 1991, Lowe 2002, Clark et al. 2005, 2007, Clarkson et al. 2005, McCamant & Ernst 2008, Backes et al. 2009] Thm. Leakage + Suppression is a constant  What isn’t leaked is suppressed This is for a single execution. Constant determined by distribution on secret inputs---in particular, I(h) where h is the high input event for the execution.

39 Database Privacy Statistical database anonymizes query results: …sacrifices utility for privacy’s sake response Anonymizer Database User User query anonymized response

40 Database Privacy Statistical database anonymizes query results: …sacrifices utility for privacy’s sake …suppresses to avoid leakage response Anonymizer Database User User query anonymized response anon. resp. := resp.

41 Database Privacy Statistical database anonymizes query results: …sacrifices utility for privacy’s sake …suppresses to avoid leakage …sacrifices integrity for confidentiality’s sake response Anonymizer Database User User query anonymized response

42 K-anonymity DB. Every individual must be anonymous within set of size k [Sweeney 2002] Iflow. Every output corresponds to k inputs …no bound on leakage or suppression

43 L-diversity DB. Every individual’s sensitive information should appear to have L (roughly) equally likely values [Machanavajjhala et al. 2007] DB. Entropy L-diversity: H(anon. block) ≥ log L [Øhrn and Ohno-Machado 1999, Machanavajjhala et al. 2007] Iflow. H(Tin | tout) ≥ log L (if Tin uniform) …implies suppression ≥ log L

44 Differential Privacy DB. [Dwork et al. 2006, Dwork 2006]
No individual loses privacy by including data in database Anonymized data set reveals no information about an individual beyond what other individuals already reveal Iflow. Output reveals almost no information about individual input beyond what other inputs already reveal …implies almost all information about individual suppressed …quite similar to noninterference

45 Summary Measures of information corruption:
Contamination (generalizes taint analysis, dual to leakage) Suppression (generalizes program correctness, no dual) Application: database privacy (model anonymizers; relate utility and privacy; security conditions)

46 More Integrity Measures
Attacker- and program-controlled suppression Granularity: Average over all executions Single executions Sequences of executions …interaction of attacker with program Application: Error-correcting codes

47 Quantification of Integrity
Michael Clarkson and Fred B. Schneider Cornell University SnT Seminar University of Luxembourg September 9, 2010 Joint work with FBS at Cornell University. The title says it all. This work is about quantification of integrity. But in more detail, I mean…

Download ppt "Quantification of Integrity"

Similar presentations

Quantification of Integrity Michael Clarkson and Fred B. Schneider Cornell University MIT Systems Security and Cryptography Discussion Group October 15,

Quantification of Integrity Michael Clarkson and Fred B. Schneider Cornell University MIT Systems Security and Cryptography Discussion Group October 15,
Design by Contract.

Design by Contract.
Operating System Security

Operating System Security
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
Trust and Profit Sensitive Ranking for Web Databases and On-line Advertisements Raju Balakrishnan (Arizona State University)

Trust and Profit Sensitive Ranking for Web Databases and On-line Advertisements Raju Balakrishnan (Arizona State University)
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
The Goldreich-Levin Theorem: List-decoding the Hadamard code

The Goldreich-Levin Theorem: List-decoding the Hadamard code
Verifiable Security Goals

Verifiable Security Goals
Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.

CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.
Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.

Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.
Information Theory and Security Prakash Panangaden McGill University First Canada-France Workshop on Foundations and Practice of Security Montréal 2008.

Information Theory and Security Prakash Panangaden McGill University First Canada-France Workshop on Foundations and Practice of Security Montréal 2008.
STATISTIC & INFORMATION THEORY (CSNB134)

STATISTIC & INFORMATION THEORY (CSNB134)
INFORMATION THEORY BYK.SWARAJA ASSOCIATE PROFESSOR MREC.

INFORMATION THEORY BYK.SWARAJA ASSOCIATE PROFESSOR MREC.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 16 10/11/2011 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 16 10/11/2011 Security and Privacy in Cloud Computing.
Reasoning about Information Leakage and Adversarial Inference Matt Fredrikson 1.

Reasoning about Information Leakage and Adversarial Inference Matt Fredrikson 1.
Annual Conference of ITA ACITA 2010 Secure Sharing in Distributed Information Management Applications: Problems and Directions Piotr Mardziel, Adam Bender,

Annual Conference of ITA ACITA 2010 Secure Sharing in Distributed Information Management Applications: Problems and Directions Piotr Mardziel, Adam Bender,

Similar presentations

Ads by Google