Adjoining Declassification and Attack Models by Abstract Interpretation

Giacobazzi, Roberto; Mastroeni, Isabella

doi:10.1007/978-3-540-31987-0_21

Cited by 20 publications

(25 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We are also interested in deriving appropriate metrics for estimating the quality of an obfuscation and watermarking method. The completeness-based approach to information hiding may provide here useful metrics, such as the one in [1,24] measuring the degree of information leakage, which is known to be strongly related with the incompleteness of an abstract interpretation [28]. Of particular interest could be exploiting incompleteness holes derived from the inaccurate propagation of roundoff errors in floating-point operations [38].…”

Section: Discussionmentioning

confidence: 99%

“…In order to model secrecy in code transformations we consider a higher-order version of ANI, called HOANI, which shares with ANI all relevant properties [27,28]. Here programs in P are partitioned in cover programs P ⊆ P and secret programs Q ⊆ P. The cover (unaffected) program plays the role of the public input, the private input is the secret code whose properties have to be kept secret by the program integration method I.…”

Section: Finding Completeness Holesmentioning

confidence: 99%

See 1 more Smart Citation

Hiding Information in Completeness Holes: New Perspectives in Code Obfuscation and Watermarking

Giacobazzi

2008

2008 Sixth IEEE International Conference on Software Engineering and Formal Methods

Self Cite

View full text Add to dashboard Cite

In this paper we show how abstract interpretation, and more specifically completeness, provides an adequate model for reasoning about code obfuscation and watermarking. The idea is that making a program obscure, or equivalently hiding information in it, corresponds to force an interpreter (the attacker) to become incomplete in its attempts to extract information about the program. Here abstract interpretation provides the model of the attacker (malicious host) and abstract interpretation transformers provide driving methods for understanding and designing new obfuscation and watermarking strategies: Obfuscation corresponds to make the malicious host incomplete and watermarking corresponds to hide secrets where incomplete attackers cannot extract them unless some secret key is given.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Finding Completeness Holesmentioning

confidence: 99%

Hiding Information in Completeness Holes: New Perspectives in Code Obfuscation and Watermarking

Giacobazzi

2008

2008 Sixth IEEE International Conference on Software Engineering and Formal Methods

Self Cite

View full text Add to dashboard Cite

show abstract

“…We will rely on this intution for checking (declassified) NI. The formal justification of this choice of semantics rests on the connection between NI and completeness of abstract interpretations (Giacobazzi and Mastroeni 2005) which we now consider.…”

Section: F -Completeness and Noninterferencementioning

confidence: 99%

“…By starting from Joshi and Leino's characterization of classic NI, (Giacobazzi and Mastroeni 2005) noted that classic NI is a completeness problem in abstract interpretation. (Joshi and Leino 2000) use a weakest precondition semantics of imperative programs to arrive at an equational definition of NI: a program P containing H and L variables (ranged over by h and l respectively) is secure iff HH ; P ; HH = P ; HH where HH is an assignment of an arbitrary value to h. "The postfix occurrences of HH on each side mean that we are only interested in the final value of l and the prefix HH on the left-hand-side means that the two programs are equal if the final value of l does not depend on the initial value of h" (Sabelfeld and Sands 2001).…”

Section: On Ni As a Completeness Problemmentioning

confidence: 99%

See 1 more Smart Citation

Modelling declassification policies using abstract domain completeness

Mastroeni¹,

Banerjee²

2011

Math. Struct. Comp. Sci.

Self Cite

View full text Add to dashboard Cite

This paper explores a three dimensional characterization of a declassification-based noninterference policy and its consequences. Two of the dimensions consist in specifying (a) the power of the attacker, that is, what public information an attacker can observe of a program, and (b) what secret information of a program needs to be protected. Both these dimensions are regulated by the third dimension, (c) the choice of program semantics, for example, trace semantics or denotational semantics, or, for instance, any semantics in Cousot's semantics hierarchy.To check whether a program satisfies a noninterference policy one can compute an abstract domain that over-approximates the information released by the policy and can subsequently check whether program execution may release more information than what is permitted by the policy. Counterexamples to a policy can be generated by using a variant of the Paige-Tarjan algorithm for partition refinement. Given the counterexamples the policy can be refined so that the least amount of confidential information necessary for making the program secure is declassified.

show abstract

The PER Model of Abstract Non-interference

Hunt

Mastroeni

2005

Static Analysis

Self Cite

View full text Add to dashboard Cite

In this paper, we study the relationship between two models of secure information flow: the PER model (which uses equivalence relations) and the abstract non-interference model (which uses upper closure operators). We embed the lattice of equivalence relations into the lattice of closures, re-interpreting abstract non-interference over the lattice of equivalence relations. For narrow abstract non-interference, we show that the new definition is equivalent to the original, whereas for abstract non-interference it is strictly less general. The relational presentation of abstract non-interference leads to a simplified construction of the most concrete harmless attacker. Moreover, the PER model of abstract noninterference allows us to derive unconstrained attacker models, which do not necessarily either observe all public information or ignore all private information. Finally, we show how abstract domain completeness can be used for enforcing the PER model of abstract non-interference.

show abstract

Adjoining Declassification and Attack Models by Abstract Interpretation

Cited by 20 publications

References 32 publications

Hiding Information in Completeness Holes: New Perspectives in Code Obfuscation and Watermarking

Hiding Information in Completeness Holes: New Perspectives in Code Obfuscation and Watermarking

Modelling declassification policies using abstract domain completeness

The PER Model of Abstract Non-interference

Contact Info

Product

Resources

About