Compositional security and collateral leakage
Abstract
In quantitative information flow we say that program is "at least as secure as" just when the amount of secret information flowing from is never more than flows from , with of course a suitable quantification of "flow". This secure-refinement order is compositional just when implies for any context , again with a suitable definition of "context". Remarkable however is that leaks caused by executing might not be limited to their declared variables: they might impact correlated secrets in variables declared and initialised in some broader context to which do not refer even implicitly. We call such leaks collateral because their effect is felt in domains of which (the programmers of) might be wholly unaware: our inspiration is the "Dalenius" phenomenon for statistical databases. We show that a proper treatment of these collateral leaks is necessary for a compositional program semantics for read/write "open" programs. By adapting a recent Hidden-Markov denotational model for non-interference security, so that it becomes "collateral aware", we give techniques and examples (e.g.\ public-key encryption) to show how collateral leakage can be calculated and then bounded in its severity.
Cite
@article{arxiv.1604.04983,
title = {Compositional security and collateral leakage},
author = {N. Bordenabe and A. McIver and C Morgan and T. Rabehaja},
journal= {arXiv preprint arXiv:1604.04983},
year = {2016}
}