Computer Science – Cryptography and Security
Scientific paper
2010-07-06
Computer Science
Cryptography and Security
submitted, under review
Scientific paper
Leakage of confidential information represents a serious security risk. Despite a number of novel, theoretical advances, it has been unclear if and how quantitative approaches to measuring leakage of confidential information could be applied to substantial, real-world programs. This is mostly due to the high complexity of computing precise leakage quantities. In this paper, we introduce a technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking. Our technique is applied to a number of officially reported information leak vulnerabilities in the Linux Kernel. Additionally, we also analysed authentication routines in the Secure Remote Password suite and of a Internet Message Support Protocol implementation. Our technique shows when there is unacceptable leakage; the same technique is also used to verify, for the first time, that the applied software patches indeed plug the information leaks. This is the first demonstration of quantitative information flow addressing security concerns of real-world industrial programs.
Heusser Jonathan
Malacaria Pasquale
No associations
LandOfFree
Quantifying Information Leak Vulnerabilities does not yet have a rating. At this time, there are no reviews or comments for this scientific paper.
If you have personal experience with Quantifying Information Leak Vulnerabilities, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Quantifying Information Leak Vulnerabilities will most certainly appreciate the feedback.
Profile ID: LFWR-SCP-O-216884