Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et...
Transcript of Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et...
![Page 1: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/1.jpg)
Quantitative Information Flow with Monads in Haskell
Kuifje
© Tom Schrijvers
Uitgeverij WG 2.1
![Page 2: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/2.jpg)
Carroll Morgan
Annabelle McIver
Jeremy Gibbons
Joint work with
![Page 3: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/3.jpg)
Background
![Page 4: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/4.jpg)
Quantified Information Flow
Channel
observer
Hidden Data How big is the leak?
leak
![Page 5: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/5.jpg)
Quantified Information Flow
Program
leak
observer
Hidden State
McIver et al. 2010 McIver et al. 2014
How big is the leak?
![Page 6: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/6.jpg)
Kuifje
QIF-aware Haskell DSL
monad-based semantics
enables experiments
![Page 7: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/7.jpg)
Outline
CL s s ! s
s ! D sPCL s
Kuifje s s ! D (Bits,s)
D s ! D (D s)
Syntax Semantics
1
2
3
4
sem
psem
posem
hysem
⊆⊆
![Page 8: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/8.jpg)
Outline
CL s s ! s
s ! D sPCL s
Kuifje s s ! D (Bits,s)
D s ! D (D s)
Syntax Semantics
1
2
3
4
sem
psem
posem
hysem
⊆⊆
![Page 9: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/9.jpg)
Outline
CL s s ! s
s ! D sPCL s
Kuifje s s ! D (Bits,s)
D s ! D (D s)
Syntax Semantics
1
2
3
4
sem
psem
posem
hysem
⊆⊆
![Page 10: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/10.jpg)
Outline
CL s s ! s
s ! D sPCL s
Kuifje s s ! D (Bits,s)
D s ! D (D s)
Syntax Semantics
1
2
3
4
sem
psem
posem
hysem
⊆⊆
![Page 11: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/11.jpg)
Basic Command Language
![Page 12: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/12.jpg)
Command Language
type CL s = [Instruction s]
data Instruction s = Update (s ! s) | If (s ! Bool) (CL s) (CL s) | While (s ! Bool) (CL s)
![Page 13: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/13.jpg)
Command Language
data CL s = Skip | Update (s ! s) (CL s) | If (s ! Bool) (CL s)(CL s)(CL s) | While (s ! Bool) (CL s) (CL s)
![Page 14: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/14.jpg)
Constructor Functionsskip " CL s skip = Skipupdate " (s ! s) ! CL supdate f = Update f skipcond " (s ! Bool) ! CL s ! CL s ! CL s cond c p q = If c p q skip while " (s ! Bool) ! CL s ! CL s while c p = While c p skip
![Page 15: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/15.jpg)
Sequential Composition
(⨾) "CL s ! CL s ! CL s Skip ⨾ k = k Update f p ⨾ k = Update f (p ⨾ k) If c p q r ⨾ k = If c p q (r ⨾ k) While c p q ⨾ k = While c p (q ⨾ k)
instance Monoid (CL s) where mempty = skip mappend = (⨾)
![Page 16: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/16.jpg)
Example Program
data S = S { _x " Int, _y " Int} example " CL Sexample = update (\s ! s.^y $= 0) ⨾ while (\s ! s^.x > 0) ( update (\s ! s.^y $= (s^.y + s^.x)) ⨾ update (\s ! s.^x $= (s^.x - 1)) )
![Page 17: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/17.jpg)
Compositional Semantics
fold " (CLF s a ! a) ! (CL s ! a)
data CLF s r = SkipF | UpdateF (s ! s) r | IfF (s ! Bool) r r r | WhileF (s ! Bool) r r
where
![Page 18: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/18.jpg)
Semanticssem " CL s ! (s ! s) sem = fold alg where alg " CLF s (s ! s) ! (s ! s) alg SkipF = id alg (UpdateF f p) = f # p alg (IfF c p q r) = conditional c p q # r alg (WhileF c p q) = let while = conditional c (p # while) q in while
conditional " (s ! Bool) ! (s ! s) ! (s ! s) ! (s ! s) conditional c t e = (c &&& id) # (\(b,s) ! if b then t s else e s)
![Page 19: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/19.jpg)
Monoid Morphism
sem (p ⨾ q) = sem p # sem q
sem skip = id
![Page 20: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/20.jpg)
ProbabilisticCommand Language
![Page 21: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/21.jpg)
Syntax
type a $ b = a ! D b data PCL s = Skip | Update (s $ s) (PCL s) | If (s $ Bool) (PCL s)(PCL s)(PCL s ) | While (s $ Bool) (PCL s) (PCL s)
![Page 22: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/22.jpg)
Command Language
type a $ b = a ! Dist b data PCL s = Skip | Update (s $ s) (PCL s) | If (s $ Bool) (PCL s)(PCL s)(PCL s ) | While (s $ Bool) (PCL s) (PCL s)
![Page 23: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/23.jpg)
Example Program
data S = S { _x " Int, _y " Int}example " PCL Sexample = update (\s ! return (s.^y $= 0)) ⨾ while (\s ! return (s^.x > 0)) ( update (\s ! return (s.^y $= (s^.y + s^.x))) ⨾ update (\s ! (s.^x $= (s^.x - 1)) 2÷3⨁ (s.^x $= (s^.x - 2)) ) )
![Page 24: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/24.jpg)
Semanticspsem " PCL s ! (s $ s) psem = fold algM where alg " PCLF s (s $ s) ! (s $ s) alg SkipF = return alg (UpdateF f p) = f % p alg (IfF c p q r) = conditional c p q % r alg (WhileF c p q) = let while = conditional c (p % while) q in while
conditional " (s $ Bool) ! (s $ s) ! (s $ s) ! (s $ s) conditional c t e = (c &&& return) % (\(b,s) ! if b then t s else e s)
![Page 25: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/25.jpg)
Monoid Morphism
psem (p ⨾ q) = psem p % psem q
psem skip = return
![Page 26: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/26.jpg)
CL vs PCL
CL s
PCL s
s ! s
s ! D s
embed out lift
sem
psem
Syntax Semantics
Basic
Probabilities
![Page 27: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/27.jpg)
Leaking ProbabilisticCommand Language
![Page 28: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/28.jpg)
Syntax
data Kuifje s = Skip | Update (s $ s) (Kuifje s) | If (s $ Bool)(Kuifje s)(Kuifje s)(Kuifje s ) | While (s $ Bool) (Kuifje s) (Kuifje s) | Observe (s $ Bits) (Kuifje s)
type Bits = [Bool]
![Page 29: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/29.jpg)
Constructor Function
observe " ToBits a & a ! Kuifje s observe x = Observe (toBits x) skipclass ToBits a where toBits " a ! Bits
Yoneda lemma in action
![Page 30: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/30.jpg)
Example
p " Kuifje (Bool,Bool) p = observe (\(b1,b2) ! choose 0.5 b1 b2)
![Page 31: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/31.jpg)
posem " Kuifje s ! (s $B s)
type a $B b = a ! D (Bits, b) = a ! WriterT Bits D b
Semantics
![Page 32: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/32.jpg)
Examplep " Kuifje (Bool,Bool) p = observe (\(b1,b2) ! choose 0.5 b1 b2)
1 % 4 ([False],(False,False))1 % 8 ([False],(False,True))1 % 8 ([False],(True,False))1 % 8 ([True],(False,True))1 % 8 ([True],(True,False))1 % 4 ([True],(True,True))
boolPairs = uniform [(b1,b2) | b1 ' [True,False] , b2 ' [True,False]]
> boolPairs ( posem p
![Page 33: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/33.jpg)
Monoid Morphism
posem (p ⨾ q) = posem p % posem q
posem skip = return
![Page 34: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/34.jpg)
PCL vs Kuifje
PCL s
Kuifje s
s ! D s
s ! D (Bits, s)
embed out lift
psem
posem
![Page 35: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/35.jpg)
PCL vs Kuifje
PCL s
Kuifje s
s ! D s
s ! D (Bits, s)
embed out lift
psem
posem
![Page 36: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/36.jpg)
Example
p1 " PCL Boolp1 = skip
p2 " PCL Boolp2 = cond id skip skip
uniform [True,False] ( psem p1 ) uniform [True,False] ( psem p2 ) 1÷2 True
1÷2 False
![Page 37: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/37.jpg)
Example
p1 " Kuifje Boolp1 = skip
p2 " Kuifje Boolp2 = cond id skip skip
uniform [True,False] ( posem p1 ) 1÷2 ([],True)
1÷2 ([],False) * uniform [True,False] ( posem p2 ) 1÷2 ([True], True)
1÷2 ([False],False)
![Page 38: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/38.jpg)
Example
p1 " Kuifje Boolp1 = skip
p2 " Kuifje Boolp2 = cond id skip skip
uniform [True,False] ( posem p1 ) 1÷2 ([],True)
1÷2 ([],False) * uniform [True,False] ( posem p2 ) 1÷2 ([True], True)
1÷2 ([False],False)
Conditionals leak their condition!
![Page 39: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/39.jpg)
Semanticstype a $B b = a ! WriterT Bits (D b)
posem " Kuifje s ! (s $B s) posem = fold alg where alg " KuifjeF s (s $B s) ! (s $B s) alg SkipF = return alg (UpdateF f p) = (lift . f) % p alg (IfF c p q r) = conditional c p q % r alg (WhileF c p q) = let while = conditional c (p % while) q in while alg (ObserveF f q) = obsem f % p
![Page 40: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/40.jpg)
Semantics
obsem " (s $ Bits) ! (s $B s) obsem f = f &&& return
conditional " (s $ Bool) ! (s $B s) ! (s $B s) ! (s $B s) conditional c t e = ((lift . c) &&& return) % (obsem (\(b,s) ! return b)) % (\(b,s) ! if b then t s else e s)
![Page 41: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/41.jpg)
Hyper Kuifje
![Page 42: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/42.jpg)
Hyper Semantics
Kuifje s s ! D (Bits, s)
D s ! D (D s)
post
posem
Syntax Semantics
Values
Information
Leaked
Leaked
![Page 43: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/43.jpg)
Hyper Semanticshyper " Ord s & Kuifje s ! (D s ! D (D s))hyper = post . posem
post " Ord s & (s ! D (Bits, s)) ! (D s ! D (D s))post t = \d ! multiply (toPair (d ( t)) where toPair " D (Bits, s) ! (D Bits, Bits ! D s) multiply " (D Bits, Bits ! D s) ! D (D s)
![Page 44: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/44.jpg)
Hyper Semanticsp " Kuifje (Bool,Bool) p = observe (\(b1,b2) ! choose 0.5 b1 b2)
hyper p (uniform [(b1,b2) | b1 ' [True,False] , b2 ' [True,False]])" D (D (Bool,Bool))
1÷2 1÷4 (False,True) 1÷4 (True,False) 1÷2 (True,True)1÷2 1÷2 (False,False) 1÷4 (False,True) 1÷4 (True,False)
![Page 45: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/45.jpg)
Fold Fusion
Kuifje s s ! D (Bits, s)
D s ! D (D s)
post
posem
Syntax Semantics
![Page 46: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/46.jpg)
Fold Fusion
Kuifje s s ! D (Bits, s)
D s ! D (D s)
post
fold alg
Syntax Semantics
![Page 47: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/47.jpg)
Fold Fusion
Kuifje s s ! D (Bits, s)
D s ! D (D s)
post
fold alg
Syntax Semantics
fold alg’
![Page 48: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/48.jpg)
Fold Fusion
Kuifje s s ! D (Bits, s)
D s ! D (D s)
post
fold alg
Syntax Semantics
hysem
![Page 49: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/49.jpg)
Monty Hall
![Page 50: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/50.jpg)
doors = uniform [DoorA,DoorB,DoorC] monty = hysem (hall DoorA) doors
Semanticshall " Door ! Kuifje Door hall chosenDoor = observe (\prizeDoor ! uniform ([DoorA,DoorB,DoorC] + [chosenDoor,prizeDoor]))
1÷2 1÷3 DoorA 2÷3 DoorB1÷2 1÷3 DoorA 2÷3 DoorC
![Page 51: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/51.jpg)
doors = uniform [DoorA,DoorB,DoorC] monty = hysem (hall DoorA) doors
Semanticshall " Door ! Kuifje Door hall chosenDoor = observe (\prizeDoor ! uniform ([DoorA,DoorB,DoorC] + [chosenDoor,prizeDoor]))
1÷2 1÷3 DoorA 2÷3 DoorB1÷2 1÷3 DoorA 2÷3 DoorC
![Page 52: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/52.jpg)
doors = uniform [DoorA,DoorB,DoorC] monty = hysem (hall DoorA) doors
Semanticshall " Door ! Kuifje Door hall chosenDoor = observe (\prizeDoor ! uniform ([DoorA,DoorB,DoorC] + [chosenDoor,prizeDoor]))
1÷2 1÷3 DoorA 2÷3 DoorB1÷2 1÷3 DoorA 2÷3 DoorC
![Page 53: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/53.jpg)
Bayes Vulnerability
bv " D a ! Rational bv d = maximum . fmap snd . runD
Probability of a rational adversary guessing right when the distribution is known.
![Page 54: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/54.jpg)
Conditional Entropy
condEntropy " (D a ! Rational) ! (D (D a) ! Rational) condEntropy r h = weightedSum (fmap r h)
> condEntropy bv monty2÷3
![Page 55: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/55.jpg)
Conditional Entropy
condEntropy " (D a ! Rational) ! (D (D a) ! Rational) condEntropy r h = weightedSum (fmap r h)
> condEntropy bv monty2÷3
![Page 56: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/56.jpg)
Fast Exponentiation
![Page 57: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/57.jpg)
Fast Exponentiation40
VAR B Base. Global variables.E Exponent.p To be set to BE.
BEGIN VAR b,e:= B,E Local variables.p:= 1WHILE e 6=0 DO
VAR r:= e MOD 2IF r6=0 THEN p:= p*b FI Side channel.b,e:= b2,e÷2
ENDEND{ p = BE }
Here we are assuming that the ‘branch on high’ is the undesired side-channel: bydetecting whether or not the branch is taken, the adversary can learn the bits ofexponent E –which is the secret key– one by one. When the loop ends, she willhave learned them all.
Figure 7 Insecure implementation of public/private key encryption.
Global variables.VAR B Base. Global variables.
D Set of possible divisors.
p To be set to BE.E:= uniform(0..N-1) Choose exponent uniformly at random.
BEGIN VAR b,e:= B,E Local variables.p:= 1WHILE e 6=0 DO
VAR d:= uniform(D) Choose divisor uniformly from set D.VAR r:= e MOD dIF r6=0 THEN p:= p*br FI Side channel.b,e:= bd,e÷d
ENDEND{ p = BE } What does the adversary know about E at this point?
Here the side channel is much less e↵ective: although the adversary learns whetherr=0, she knows nothing about d except that it was chosen uniformly from D, andthus learns little about e, and hence E at that point. A typical choice for D wouldbe [2, 3, 5]. When the loop ends, she will have learned something about E, but notall of it. (In order to be able to analyse the program’s treatment of E as a secret,we have initialised it uniformly from N possible values.)
Figure 8 Obfuscated implementation of public/private key encryption.
![Page 58: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/58.jpg)
Generalisation
40
VAR B Base. Global variables.E Exponent.p To be set to BE.
BEGIN VAR b,e:= B,E Local variables.p:= 1WHILE e 6=0 DO
VAR r:= e MOD 2IF r6=0 THEN p:= p*b FI Side channel.b,e:= b2,e÷2
ENDEND{ p = BE }
Here we are assuming that the ‘branch on high’ is the undesired side-channel: bydetecting whether or not the branch is taken, the adversary can learn the bits ofexponent E –which is the secret key– one by one. When the loop ends, she willhave learned them all.
Figure 7 Insecure implementation of public/private key encryption.
Global variables.VAR B Base. Global variables.
D Set of possible divisors.
p To be set to BE.E:= uniform(0..N-1) Choose exponent uniformly at random.
BEGIN VAR b,e:= B,E Local variables.p:= 1WHILE e 6=0 DO
VAR d:= uniform(D) Choose divisor uniformly from set D.VAR r:= e MOD dIF r6=0 THEN p:= p*br FI Side channel.b,e:= bd,e÷d
ENDEND{ p = BE } What does the adversary know about E at this point?
Here the side channel is much less e↵ective: although the adversary learns whetherr=0, she knows nothing about d except that it was chosen uniformly from D, andthus learns little about e, and hence E at that point. A typical choice for D wouldbe [2, 3, 5]. When the loop ends, she will have learned something about E, but notall of it. (In order to be able to analyse the program’s treatment of E as a secret,we have initialised it uniformly from N possible values.)
Figure 8 Obfuscated implementation of public/private key encryption.
![Page 59: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/59.jpg)
Evaluation
> condEntropy bv hyper235161÷1296
> condEntropy bv hyper21÷1
![Page 60: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/60.jpg)
Evaluation
> condEntropy bv hyper235161÷1296
> condEntropy bv hyper21÷1
![Page 61: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/61.jpg)
Evaluation
> condEntropy bv hyper235161÷1296
> condEntropy bv hyper21÷1
![Page 62: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/62.jpg)
Conclusion
![Page 63: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/63.jpg)
Kuifje
QIF-aware Haskell DSL with
hyper-distribution semantics
featuring lots of 2.1 ideas
![Page 64: Kuifje - KU Leuven€¦ · Quantified Information Flow Program leak observer Hidden State McIver et al. 2010 McIver et al. 2014 How big is the leak?](https://reader036.fdocuments.us/reader036/viewer/2022071501/61202c4d86205d16f14a99e1/html5/thumbnails/64.jpg)
Einde