Skip to main content

Algebraic foundations for quantitative information flow


Several mathematical ideas have been investigated for quantitative information flow. Information theory, probability, guessability are the main ideas in most proposals. They aim to quantify how much information is leaked, how likely is to guess the secret and how long does it take to guess the secret respectively. In this work, we investigate the relationship between these ideas in the context of the quantitative analysis of deterministic systems. We propose the lattice of information as a valuable foundation for these approaches; not only it provides an elegant algebraic framework for the ideas, but also to investigate their relationship. In particular, we will use this lattice to prove some results establishing order relation correspondences between the different quantitative approaches. The implications of these results w.r.t. recent work in the community is also investigated. While this work concentrates on the foundational importance of the lattice of information its practical relevance has been recently proven, notably with the quantitative analysis of Linux kernel vulnerabilities. Overall, we believe these works set the case for establishing the lattice of information as one of the main reference structure for quantitative information flow.

Hide All
Alvim, M., Andrés, M. and Palamidessi, C. (2010a) Information flow in interactive systems. In: Proceedings CONCUR 2010 102–116.
Alvim, M., Andrés, M. and Palamidessi, C. (2010b) Probabilistic information flow. In: Proceedings LICS 2010 314–321.
Backes, M., Köpf, B. and Rybalchenko, P. (2009) Automatic discovery and quantification of information leaks. In: Proceeding of the 30th IEEE Symposium on Security and Privacy 141–153.
Barthe, G., D'Argenio, P. and Rezk, T. (2004) Secure information flow by self-composition. In: CSFW'04: Proceedings of the 17th IEEE workshop on Computer Security Foundations 100–114.
Birkhoff, G. (1948) Lattice Theory, American Mathematical Society Colloquium Publications, volume 25, revised edition, American Mathematical Society, New York.
Braun, C., Chatzikokolakis, K. and Palamidessi, C. (2009) Quantitative notions of leakage for one-try attacks. In: Proceeding of the 25th Conference on Mathematical Foundations of Programming Semantics (MFPS 2009). Elsevier Electronic Notes in Theoretical Computer Science 249 7591.
Chatzikokolakis, K., Palamidessi, C. and Panangaden, P. (2008) Anonymity protocols as noisy channels. Information and Computation 206 (2–4)378401.
Chen, H. and Malacaria, P. (2007) Quantitative analysis of leakage for multi-threaded programs. In: Proceedings ACM Workshop on Programming Languages and Analysis for Security (PLAS'07) 31–40.
Chen, H. and Malacaria, P. (2009) Quantifying maximal loss of anonymity in protocols. In: Proceedings ACM Symposium on Information, Computer and Communication Security (ASIACCS) 206–217.
Clark, D., Hunt, S. and Malacaria, P. (2002) Quantitative analysis of the leakage of confidential data. In: QAPL'01, Quantitative Aspects of Programming Languages. Electronic Notes in Theoretical Computer Science 59 (3)238251.
Clark, D., Hunt, S. and Malacaria, P. (2005) Quantitative information flow, relations and polymorphic types. Journal of Logic and Computation 18 (2)181199.
Clark, D., Hunt, S. and Malacaria, P. (2007) A static analysis for quantifying information flow in a simple imperative language. Journal of Computer Security 15 (3)321371.
Clarke, E., Kroening, D. and Lerda, F. (2004) A tool for checking ANSI-C programs. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004) Springer 988168176.
Clarkson, M., Myers, A. and Schneider, F. (2009) Quantifying information flow with beliefs. Journal of Computer and Security 17 (5)655701.
Cover, T. and Thomas, J. (1991) Elements of Information Theory, John Wiley.
Denning, D. (1976) A lattice model of secure information flow. Communication of the ACM 19 (5)236243 ACM, New York, NY, USA.
Giacobazzi, R. and Mastroeni, I. (2004) Abstract non-interference: Parameterizing non-interference by abstract interpretation. In: 31st Annual Symposium on Principles of Programming Languages (POPL'04), ACM, Venice, Italy186197.
Gray, J. W. III (1991) Toward a mathematical foundation for information flow security. In: Proceeding of the 1991 IEEE Symposium on Security and Privacy Oakland, CA 2134.
Heusser, J. and Malacaria, P. (2009) Quantifying loop leakage using a lattice of partitions. In: Proceedings of the 1st Workshop on Quantitative Analysis of Software (QA'09) 17–26.
Heusser, J. and Malacaria, P. (2010) Quantifying information leaks in software. In: Proceedings ACM Annual Computer Security Applications Conference, ACSAC 2010, Austin, Texas. ACM 216219.
Köpf, B. and Basin, D. (2007) An information-theoretic model for adaptive side-channel attacks. In: Proceedings ACM conference on Computer and Communications Security 286–296.
Köpf, B. and Smith, G. (2010) Vulnerability bounds and leakage resilience of blinded cryptography under timing attacks. CSF 2010 44–56.
Landauer, J. and Redmond, T. (1993) A lattice of information. In: Proceeding of the IEEE Computer Security Foundations Workshop, IEEE Computer Society Press 6570.
Lowe, G. (2002) Quantifying information flow. In: 15th IEEE Computer Security Foundations Workshop (CSFW 2002), Nova Scotia Canada, IEEE Computer Society 1831.
Malacaria, P. (2007) Assessing security threats of looping constructs. In: Proceeding of the ACM Symposium on Principles of Programming Language (POPL'07) 225–235.
Malacaria, P. (2010) Risk assessment of security threats for looping constructs. Journal Of Computer Security 18 (2)191228.
Malacaria, P. and Chen, H. (2008) Lagrange multipliers and maximum information leakage in different observational models. ACM Workshop on Programming Languages and Analysis for Security 135–146.
Malacaria, P. and Heusser, J. (2010) Information theory and security: Quantitative information flow. In: 10th International School on Formal Methods for the Design of Computer, Communication and Software Systems, SFM 2010. Springer Lecture Notes in Computer Science Bertinoro 6154 87134.
Massey, J. (1994) Guessing and entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory 204.
Mclean, J. (1990) Security models and information flow. In: Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society Press 180187.
McIver, A. and Morgan, C. (2003) A probabilistic approach to information hiding. Programming Methodology, Springer, New York, NY, USA441460.
Millen, J. K. (1987) Covert channel capacity. IEEE Symposium on Security and Privacy 600, 15407993 IEEE Computer Society, Los Alamitos, CA, USA.
Morgan, C. C. (2009) The shadow knows: Refinement of ignorance in sequential programs. Science of Computer Programming Elsevier 74 (8)629653.
Mu, C. and Clark, D. (2009) An abstraction quantifying information flow over probabilistic semantics. In: Workshop on Quantitative Aspects of Programming Languages (QAPL). ENTCS 253 (3)119141.
Nakamura, Y. (1970) Entropy and semivaluations on semilattices. Kodai Mathematical Seminar Reports 22 443468.
Rényi, A. (1960) On measures of information and entropy. In: Proceedings of the 4th Berkeley Symposium on Mathematics, Statistics and Probability 547–561.
Shannon, C. (1948) A mathematical theory of communication. Bell Systems Technical Journal 27 (3)379423.
Shannon, C. (1953) The lattice theory of information. IEEE Transactions on Information Theory 1 105107.
Smith, G. (2009) On the foundations of quantitative information flow. In: Proceeding of the FOSSACS 2009: 12th International Conference on Foundations of Software Science and Computation Structures. Lecture Notes in Computer Science 5504288302York, UK.
Terauchi, T. and Aiken, A. (2005) Secure information flow as a safety problem. In: SAS. Lecture Notes in Computer Science 3672 352367.
Yasuoka, H. and Terauchi, T. (2010a) Quantitative information flow - verification hardness and possibilities. In: Proceedings CSF 15–27.
Yasuoka, H. and Terauchi, T. (2010b) On bounding problems of quantitative information flow. In: Proceedings ESORICS 357–372.
Winskel, G. (1993) The Formal Semantics of Programming Languages, The MIT Press.
Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

Mathematical Structures in Computer Science
  • ISSN: 0960-1295
  • EISSN: 1469-8072
  • URL: /core/journals/mathematical-structures-in-computer-science
Please enter your name
Please enter a valid email address
Who would you like to send this to? *


Full text views

Total number of HTML views: 0
Total number of PDF views: 30 *
Loading metrics...

Abstract views

Total abstract views: 232 *
Loading metrics...

* Views captured on Cambridge Core between September 2016 - 21st March 2018. This data will be updated every 24 hours.