Quantifying information leaks in software

11 years 8 months ago
Quantifying information leaks in software
Leakage of confidential information represents a serious security risk. Despite a number of novel, theoretical advances, it has been unclear if and how quantitative approaches to measuring leakage of confidential information could be applied to substantial, real-world programs. This is mostly due to the high complexity of computing precise leakage quantities. In this paper, we introduce a technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking. Our technique is applied to a number of officially reported information leak vulnerabilities in the Linux Kernel. Additionally, we also analysed authentication routines in the Secure Remote Password suite and of a Internet Message Support Protocol implementation. Our technique shows when there is unacceptable leakage; the same technique is also used to verify, for the first time, that the applied software patches indeed plug the informa...
Jonathan Heusser, Pasquale Malacaria
Added 10 Feb 2011
Updated 10 Feb 2011
Type Journal
Year 2010
Authors Jonathan Heusser, Pasquale Malacaria
Comments (0)