Quantifying Information Flow for Dynamic Secrets

Transcription

1 Quantifying Information Flow for Dynamic Secrets Piotr (Peter) Mardziel, Mário S. Alvim, + Michael Hicks, and Michael R. Clarkson University of Maryland, College Park, + Universidade Federal de Minas Gerais, George Washington University and Cornell University UM 1 / 20

2 Quantified Information Flow [QIF] Secrets leak to bad guys. Quantify leakage of the secret. secret information defender channel adversary 2 / 20

3 Why Quantified Information Flow? Evaluate risks. Evaluate relative merits of protection mechanisms. Design incentives to keep adversaries from participating. secret information defender channel adversary 2 / 20

4 Examples Password authentication Location-based services Address space randomization secret information defender channel adversary 2 / 20

5 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation 3 / 20

6 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20

7 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20

8 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation after observation information 3 / 20

9 Quantified Information Flow: The Approach Flow def = increase in adversary s expected success Model channel. Model adversary behavior, exploitation. Quantify expected success of optimal adversary. before observation flow information after observation 3 / 20

10 This work: define flow when the secret can change Defined formal model for scenarios with dynamic secrets. Accommodates adaptive adversaries. More expressive than prior models. Definition of flow generalizes prior measures. Demonstrated several interesting phenomena using an implementation of our model. Low-adaptive adversary exponentially higher flow. Wait-adaptive adversary monotonically increasing flow. More change does not necessarily mean more security. 4 / 20

11 Outline Example: Static secrets Low-adaptive adversaries decide how to influence the channel based on prior observations. Low-adaptivity exponentially higher flow. Example: Dynamic secrets Wait-adaptive adversaries decide when to exploit the secret. Wait adaptivity monotonically increasing flow with time. 5 / 20

12 Example: Pirate Treasure defender / 20

13 Secret Prior 0? 1? 2? 3? 4? 5? 6? 7? adversary 7 / 20

14 Secret Prior = Defender Belief 0? 1? 2? 3? 4? 5? 6? 7? adversary Assumption: adversary knows defender behavior. 7 / 20

15 Exploitation e 0? 1? 2? 3? 4? 5? 6? 7? adversary Adversary raids an island e for the treasure. If e = h he succeeds. 7 / 20

16 Exploitation e 0? 1? 2? 3? 4? 5? 6? 7? adversary Smith (FoSSaCS 09): (prior) Vulnerability: expected probability of optimal adversary with one guess being correct. 7 / 20

17 Exploitation: Measures of Success e 0? 1? 2? 3? 4? 5? 6? 7? adversary Optimal adversary behavior: Guessing Entropy: Minimal number of guesses to find secret. Alvim et al. (CSF 12): g-vulnerability Gain/payoff according to function g(secret, exploit). 7 / 20

18 Exploitation: Vulnerability e 0? 1? 2? 3? 4? 5? 6? 7? adversary Connect probability of success to economic quantities. If the treasure is worth w doubloons, the expected gain to adversary and loss to the defender is w V doubloons. Here, w/8. Will stick with expected probability of success using the term gain in the remainder of this talk. 7 / 20

19 Observation Gold compass points in the direction of the treasure. Adversary has a choice of where to use the compass. Analogy to timing side-channel in an RSA implementation as per Brumley and Boneh (USENIX Security 03) west east???????? channel adversary 8 / 20

20 Observation Gold compass points in the direction of the treasure. Adversary has a choice of where to use the compass. Analogy to timing side-channel in an RSA implementation as per Brumley and Boneh (USENIX Security 03) 1/2 1/ west channel adversary 8 / 20

21 Increased knowledge Observation leads to increase in knowledge. Which leads to increased odds of exploitation. 1/2 1/ adversary 9 / 20

22 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). 1/2 1/ adversary 9 / 20

23 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20

24 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20

25 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation 1/2 1/ adversary 9 / 20

26 Increased knowledge increased gain (posterior) Gain: expected probability of optimal adversary succeeding in one guess given observation(s). Optimize adversary strategy: α : {east, west} {0,, 7}. island to raid given the observation Here: 2/8. 1/2 1/ adversary 9 / 20

27 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} Island to raid given compass observation at island l / 20

28 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. Island to raid given compass observations at islands l 1 and l / 20

29 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. (max) time = T / 20

30 Observations over time Assume locations of compass use are fixed ahead of time: l 1, l 2,. (max) time = 1: observe at l 1, optimize {east, west} {0,, 7} (max) time = 2: observe at l 2, optimize α : {east, west} {east, west} {0,, 7}. (max) time = T... expected raid gain T = number of observations before raid 10 / 20

31 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. 11 / 20

32 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20

33 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20

34 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20

35 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. 11 / 20

36 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. 11 / 20

37 Where to observe? Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. 11 / 20

38 Where to observe? expected raid gain Low adaptivity: adversary uses prior observations to choose how to observe next. Optimize how to observe: α l : {0 l,, 7 l } t 1 {east, west} t 1 {0 l,, 7 l }. Optimize how to exploit: α e : {0 l,, 7 l } t {east, west} t {0 e,, 7 e }. Can perform binary search for the secret (cannot do so with fixed observation order) fixed observation order adaptive observations T = number of observations before raid 11 / 20

39 Low Adaptivity Köpf and Basin (CCS 07): low-adaptive adversaries for deterministic systems (side channels). Adaptivity is largely ignored in QIF literature (even since the above work). Our work: probabilistic systems (channel, defender behavior). expected raid gain fixed observation order adaptive observations T = number of observations before raid 12 / 20

40 Overview so far secrets adversary influence h 0 l 1 l 2 o 1 Time defender channel l 3 o 2 o 3 observation adversary exploitation e g defender s loss gain/loss g adversary s gain 13 / 20

41 Add dynamic secrets secrets h 0 adversary influence l 1 h 1 l 2 o 1 Time defender h 2 channel l 3 o 2 o 3 observation adversary exploitation e g defender s loss gain/loss g adversary s gain 13 / 20

42 Example: Moving treasure Defender s strategy changes the secret based on prior secret. Prior, he chooses one of two strategies with equal probability. 1/2 : move west 1/2 : move east 1/4 1/4 1/4 1/4 1/4 1/4 1/4 1/4 14 / 20

43 Example: Moving treasure Defender s strategy changes the secret based on prior secret. Prior, he chooses one of two strategies with equal probability. Assumption: adversary knows the process with which the defender chose his strategy (but not the resulting strategy). 1/2 : move west 1/2 : move east 1/4 1/4 1/4 1/4 1/4 1/4 1/4 1/4 14 / 20

44 Gain with moving treasure Defender moves his treasure every 3 time steps. expected raid gain without moves with moves T = number of observations before raid 15 / 20

45 Gain with moving treasure Defender moves his treasure every 3 time steps. expected raid gain without moves with moves T = number of observations before raid 15 / 20

46 Gain with moving treasure Defender moves his treasure every 3 time steps. Adversary eventually learns how the treasure moves. expected raid gain without moves with moves T = number of observations before raid 15 / 20

47 Hiding the treasure vs. Hiding its dynamics Uneasy balance: Protect secrecy of current secret. Protect secrecy of how the secret changes. This can lead to strangeness: more secret change quicker adversary inference of secret (see paper). 16 / 20

48 Negative flow? Gain at time 3 < Gain at time 2 expected raid gain T = number of observations before raid 17 / 20

49 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. expected raid gain T = number of observations before raid 17 / 20

50 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20

51 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20

52 Negative flow? Gain at time 3 < Gain at time 2 Problem: Gain at time T : adversary makes exactly T observations then raids. Solution: Gain at time T : adversary makes at most T observations then raids. raid now? wait? expected raid gain T = number of observations before raid 17 / 20

53 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20

54 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20

55 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } 18 / 20

56 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } Monotonic gain over time (positive flow). expected raid gain non-adaptive wait adaptive wait T = (max) number of observations before raid 18 / 20

57 Adaptive wait Adaptive-wait adversary: decides when to exploit based on prior observations. α : {0 l,, 7 l } t {east, west} t {0 l,, 7 l } {0 e,, 7 e } Monotonic gain over time (positive flow). Non-compositional : optimal behavior for time 3 is not the prefix to optimal behavior for time 5. expected raid gain non-adaptive wait adaptive wait T = (max) number of observations before raid 18 / 20

58 Prototype Implementation Describe models as probabilistic programs in monadic-style OCaml. Optimize adversary behavior via backward induction. Analyze a series of scenarios (including this talk s examples) Freely available online. 19 / 20

59 Conclusions Model for information flow with dynamic secrets. 20 / 20

60 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. 20 / 20

61 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. 20 / 20

62 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) 20 / 20

63 Conclusions Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) Implementation and Experiments More change more gain And more! (see paper and TR) 20 / 20

64 Quantifying Information Flow for Dynamic Secrets Model for information flow with dynamic secrets. Handling of adaptive adversary behavior. Low adaptivity exponential increase in gain. Wait adaptivity monotonically increasing gain. Most expressive model for QIF to date (as far as we know) Implementation and Experiments More change more gain And more! (see paper and TR) Paper, TR, Implementation, Experiments Follow up paper: adversary gain defender loss 20 / 20