Quantification of Information Leakage by Statistical Method Combined with Program Analysis

Transcription

1 Quantification of Information Leakage by Statistical Method Combined with Program Analysis Yusuke Kawamoto (AIST, Japan) Joint work with Fabrizio Biondi (INRIA/IRISA Rennes, France) Axel Legay (INRIA/IRISA Rennes, France) In French-Japanese Cybersecurity Workshop, September 2016

2 Information leakage In real world systems, there are usually some information leakage. Receipt of credit card always leaks 4 digits of card number **** **** **** 1234 Timing/power consumption in decrypting ciphertexts leaks information on the secret key Acceptable Security breach! Password checking leaks the password with small probability Message length/packet patterns leaks the sender of the message in (guess) if guess == password then out(secret) Acceptable Privacy breach! Want to quantify the information leakage! 2

3 3 Entropy as a secrecy measure Larger entropy Larger uncertainty Stronger secrecy When a secret value uniformly distributed over { 1, 2,, }, it s hard to guess the secret. sec = 1 sec = 2 sec = 3 sec = Stronger secrecy Shannon entropy = 999 bit (= ( log )) When a secret value is not uniformly distributed, it s easier to guess the secret. sec = 1 sec = 2 sec = 3 sec = Weaker secrecy Shannon entropy = 0.88 bit (= (0.7 log 0.7) (0.3 log 0.3))

4 Overview of this talk (1) Introduction on modelling information leakage: How much secret information is leaked by output in a system? (2) Statistical method for estimating information leakage amount: The accuracy of estimation is described by 95% confidence intervals. (3) Hybrid method combining statistical method with program improves the quality and cost of. 4

5 5 Information flow Systems are modeled as information-theoretic channels: secret s System output o Examples Secret decryption key Cipher Decryption time & power consumption Sender of message Anonymity protocol Packet patterns Secret in a process Process scheduler Scheduling of processes

6 Modelling a probabilistic system Probabilistic system Initial state s = 0 s = 1 s = 2 s = Observed outputs (no non-deterministic transitions) Joint distribution of secret & output Secret Output o = 0 o = 1 o = 2 o = 3 s = s = s = s = bit of s is leaked when observing o = 1 6

7 7 Modelling information leakage Probabilities of secrets Before observing output: After observing output: p(s) Distribution on secrets p(s, o) Joint distribution on secrets & outputs Secret Probability s = s = s = s = Output Secret o = 0 o = 1 o = 2 o = 3 s = s = s = s =

8 8 Modelling information leakage Probabilities of secrets Before observing output: p(s) Distribution on secrets Amount of information leakage Difference of the secrecy levels before and after the observation (Leakage amount) = (entropy before observation) (entropy after observation) E.g. (Mutual information) Secret Probability s = s = s = s = = Σ p(s) log p(s) Σ p(o) Σ p(s o) log p(s o) s Sec After observing output: p(s, o) Joint distribution on secrets & outputs Output Secret o Obs o = 0 o = 1 o = 2 o = 3 s = s = s = s = s Sec Remark: Other kinds of entropy (e.g. min-entropy) for other attack scenarios

9 9 Modelling information leakage Probabilities of secrets Before observing output: p(s) Distribution on secrets Secret Probability s = s = s = s = Amount of information leakage (Leakage amount) = (entropy before observation) (entropy after observation) Hardness in computing leakage amount After observing output: p(s, o) Joint distribution on secrets & outputs Output Secret o = 0 o = 1 o = 2 o = 3 s = s = s = s = Computation is hard if there are many traces, shown by T. Terauchi (JAIST, Japan). Limited compositionality (e.g. in QEST 14 with K. Chatzikokolakis & C. Palamidessi): Composing two systems may produce additional information leakage.

10 10 Overview Model of information leakage Statistical method for estimating leakage amount Hybrid statistical method Evaluation of the method Summary & future work

11 11 Statistical method [Chatzikokolakis, Chothia, Guha 10] CSF 13, ESORICS 14 with T. Chothia, C. Novakovic, D. Parker System Tool LeakWatch (1) (2) (3) Approximate (4) Execution Numbers probability traces of traces distribution Running many times Estimated leakage: bit? Probabilistic assignment produces different traces. bool sec 0 := { 0 0.5, }; bool sec 1 := { 0 0.5, }; secret sec 0, sec 1 ; bool r := { 0 0.5, }; bool obs 0 := sec 0 XOR r ; bool obs 1 := sec 1 XOR r ; output obs 0, obs 1 ; Record of 1000 traces (sec 0 =0, sec 1 =0, obs 0 =0, obs 1 =0) (sec 0 =0, sec 1 =0, obs 0 =1, obs 1 =1) (sec 0 =0, sec 1 =0, obs 0 =1, obs 1 =1) (sec 0 =0, sec 1 =0, obs 0 =0, obs 1 =0) (sec 0 =0, sec 1 =0, obs 0 =1, obs 1 =1)

12 12 Statistical method [Chatzikokolakis, Chothia, Guha 10] CSF 13, ESORICS 14 with T. Chothia, C. Novakovic, D. Parker System Tool LeakWatch (1) (2) (3) Approximate (4) Execution Numbers probability traces of traces distribution Running many times Estimated leakage: bit? Probabilistic assignment produces different traces. bool sec 0 := { 0 0.5, }; bool sec 1 := { 0 0.5, }; secret sec 0, sec 1 ; bool r := { 0 0.5, }; bool obs 0 := sec 0 XOR r ; bool obs 1 := sec 1 XOR r ; output obs 0, obs 1 ; Record of 1000 traces output secret obs 0 =0obs 0 =0obs 0 =1obs 0 =1 obs 1 =0obs 1 =1obs 1 =0obs 1 =1 sec 0 =0,sec 1 = sec 0 =0,sec 1 = sec 0 =1,sec 1 = sec 0 =1,sec 1 = secret output obs 0 =0 obs 0 =0 obs 0 =1 obs 0 =1 obs 1 =0 obs 1 =1 obs 1 =0 obs 1 =1 sec 0 =0,sec 1 = sec 0 =0,sec 1 = sec 0 =1,sec 1 = sec 0 =1,sec 1 =

13 13 Statistical method [Chatzikokolakis, Chothia, Guha 10] CSF 13, ESORICS 14 with T. Chothia, C. Novakovic, D. Parker System Tool LeakWatch (1) (2) (3) Approximate (4) Execution Numbers probability traces of traces distribution Running many times By Statistics Estimated leakage: bit? bit 95% confidence interval : [0.998, 1.003] secret output True distribution obs 0 =0 obs 1 =0 obs 0 =0 obs 1 =1 obs 0 =1 obs 1 =0 obs 0 =1 obs 1 =1 sec 0 =0,sec 1 = sec 0 =0,sec 1 = sec 0 =1,sec 1 = difference Approximate distribution secret output obs 0 =0 obs 1 =0 obs 0 =0 obs 1 =1 obs 0 =1 obs 1 =0 obs 0 =1 obs 1 =1 sec 0 =0,sec 1 = sec 0 =0,sec 1 = sec 0 =1,sec 1 = sec 0 =1,sec 1 = True value bit bias sec 0 =1,sec 1 = Estimate bit

14 Statistical method [Chatzikokolakis, Chothia, Guha 10] CSF 13, ESORICS 14 with T. Chothia, C. Novakovic, D. Parker System Lower bound (95% confidence) Tool LeakWatch (1) (2) (3) Approximate (4) Execution Numbers probability traces of traces distribution Running many times Mutual information (after removing bias) secret output obs 0 =0 obs 1 =0 obs 0 =0 obs 1 =1 By Statistics Estimated leakage: bit? bit 95% confidence interval : [0.998, 1.003] Approximate distribution obs 0 =1 obs 1 =0 obs 0 =1 obs 1 =1 sec 0 =0,sec 1 = Upper bound (95% confidence) sec 0 =0,sec 1 = sec 0 =1,sec 1 = sec 0 =1,sec 1 = More traces, more accurate estimate (less bias and smaller confidence interval). 14

15 15 Statistical method [Chatzikokolakis, Chothia, Guha 10] CSF 13, ESORICS 14 with T. Chothia, C. Novakovic, D. Parker System Implementation is enough. Source code is not necessary. Tool LeakWatch (1) (2) (3) Approximate (4) Execution Numbers probability traces of traces distribution Running many times May include side-channel info e.g. timing Estimated leakage: bit? bit 95% confidence interval : [0.998, 1.003]

16 E.g. Pseudorandom number generators Consecutive pseudorandom numbers r 1, r 2 (by a stateful generator) are correlated. By using LeakWatch, we can estimate how much information on r 1 is leaked by r 2. seed Pseudo-random number generator r 1 r 2 Correlated with r 1 Random.class SecureRandom.class Leakage estimate (after removing bias) distinguishable Leakage is not detected (with 95% confidence level) Estimates above this green line are the evidence of leakage (with 95% confidence level). 16

17 17 Overview Model of information leakage Statistical method for estimating leakage amount Hybrid statistical method Evaluation of the method Summary & future work

18 18 Statistical methods vs formal methods Both methods have advantages and disadvantages: Statistical methods (Monte Carlo simulation) Formal methods (program ) Analysis approach Black box (analyzing execution traces) White box (analyzing a source code) Produces Estimate + confidence interval Exact value Reduces costs by Random sampling Knowledge of code & abstraction Impractical for Large joint distribution matrix Large number of traces E.g. Linear congruential generators E.g. Conditional branching r 2 := (4801 * r ) mod 8192 Many internal states if 5 sec 100 then obs := 1; else.. We do not have to check every value of sec.

19 19 Motivation Examples that neither statistical method nor program can handle: Complicated subsystem Probability 0.5 Initial state Probability 0.5 Subsystem with too many traces Subsystem with too large matrix Statistical method Program Combine the two methods!

20 Motivation Examples that neither statistical method nor program can handle: Complicated subsystem Leakage by rare events Probability 0.5 Initial state Probability 0.5 Probability 0.99 Initial state Probability 0.01 May not be sampled Subsystem with too many traces Subsystem with too large matrix No leakage Much leakage Too many traces are executed Too few traces are executed Statistical method Program Smaller sample size Larger sample size Combine the two methods! Kind of importance sampling! 20

21 21 Hybrid statistical We combine statistical method with program. true conditional false To appear in FM 16 with F. Biondi, A. Legay conditional conditional true false true false large matrix many traces many traces large matrix Program Statistical Statistical Program sample size n 1 sample size n 2 Precise Approximate Approximate Precise = Estimated distribution

22 22 Hybrid statistical We combine statistical method with program. true conditional false To appear in FM 16 with F. Biondi, A. Legay conditional conditional true false true false large matrix Program many traces Statistical many traces Statistical sample size n 1 sample size n 2 Joint distribution large matrix Example of composing 3 subsystems Program Precise Approximate Approximate Precise = Estimated distribution

23 Hybrid statistical We combine statistical method with program. conditional true conditional false conditional true false true false To appear in FM 16 with F. Biondi, A. Legay large matrix many traces many traces large matrix Program Statistical Statistical Program sample size n 1 sample size n 2 Precise We ignored higher order terms in Taylor expansion of mutual information Approximate Approximate b 1 / n 1 b 2 / n 2 v 1 / n 1 v 2 / n Precise = bias = Estimated distribution Estimated value of mutual information = variance Confidence compositional interval 23

24 Hybrid statistical Formally please see our paper To appear in FM 16 with F. Biondi, A. Legay Theorem expectation = variance = (1-α) confidence interval: 24

25 25 Quality vs cost of Can optimize the sample size (the number of traces) for each component: true conditional false To appear in FM 16 with F. Biondi, A. Legay conditional conditional true false true false large matrix many traces many traces large matrix Program Statistical Statistical Program sample size n 1 sample size n 2 Precise Adaptively updating the sample sizes n i as Approximate Approximate b 1 / n 1 b 2 / n 2 v 1 / n 1 v 2 / n Precise = bias = Estimated distribution Estimated value of mutual information = variance Confidence interval

26 Abstraction-then-sampling To appear in FM 16 with F. Biondi, A. Legay Statistical method can be combined with qualitative program : of a subsystem If we know these rows are identical output secret obs =0 obs=1 obs=2 obs=3 sec = sec = sec = sec = sec = sec = it s sufficient to sample only one row. By program, we can find whether the output is independent of the secret inside a subsystem. More generally, prior knowledge on the system can reduce the cost of sampling. 26

27 27 Design of tool Decompose a source code into components and choose an type for each component: true conditional false conditional conditional true false Abstraction if possible true false To appear in FM 16 with F. Biondi, A. Legay We apply a rough static heuristics to estimate the number of traces & the size of the matrix for each component. large matrix many traces many traces large matrix Program Statistical Statistical Program sample size n 1 sample size n 2 Precise Adaptively updating the sample sizes n i as Approximate Approximate b 1 / n 1 b 2 / n 2 v 1 / n 1 v 2 / n Precise = bias = Estimated distribution Estimated value of mutual information = variance Confidence interval

28 28 Overview Model of information leakage Statistical method for estimating leakage amount Hybrid statistical method Evaluation of the method Summary & future work

29 29 Quality of the hybrid method Larger samples size, then narrower confidence interval More program, then narrower confidence interval

30 Comparison of approaches Our hybrid method outperforms the precise program and the fully statistical : We are still trying to add more techniques from formal methods. 30

31 31 Overview Model of information leakage Statistical method for estimating leakage amount Hybrid statistical method Evaluation of the method Summary & future work

32 Summary & future work Showed a hybrid method for estimating information leakage that combines statistical method with program. Gets the best of the both methods to improve the quality & cost. Our ongoing work: Developing a tool for estimating information leakage by hybrid method. My future work: More fusion of statistical methods & formal methods. 32

33 Question/comments?

34 References Yusuke Kawamoto, Fabrizio Biondi and Axel Legay. Hybrid Statistical Estimation of Mutual Information for Quantifying Information flow. In FM 2016, LNCS, November 2016, To appear. Yusuke Kawamoto, Konstantinos Chatzikokolakis, and Catuscia Palamidessi. Compositionality Results for Quantitative Information Flow. In QEST 2014, LNCS, Vol.8657, pp , September Tom Chothia, Yusuke Kawamoto and Chris Novakovic. LeakWatch: Estimating Information Leakage from Java Programs. In ESORICS 2014, LNCS, Vol.8713, pp , September Tom Chothia, Yusuke Kawamoto and Chris Novakovic. A Tool for Estimating Information Leakage. In CAV 2013, LNCS, Vol.8044, pp , July Tom Chothia, Yusuke Kawamoto, Chris Novakovic and David Parker. Probabilistic Point-to-Point Information Leakage. In CSF 2013, pp , June