Static Analysis of Information Release in Interactive Programs


Electronic Communications of the EASST
Volume 35 (2010)

Proceedings of the
10th International Workshop on

Automated Verification of Critical Systems
(AVoCS 2010)

Static Analysis of Information Release in Interactive Programs

Adedayo O. Adetoye and Nikolaos Papanikolaou

15 pages

Guest Editors: Jens Bendisposto, Michael Leuschel, Markus Roggenbach
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Static Analysis of Information Release in Interactive Programs

Adedayo O. Adetoye and Nikolaos Papanikolaou

International Digital Laboratory, WMG, University of Warwick, UK

Abstract: In this paper we present a model for analysing information release (or
leakage) in programs written in a simple imperative language. We present the se-
mantics of the language, an attacker model, and the notion of an information release
policy. Our key contribution is the static analysis technique to compute information
release of programs and to verify it against a policy. We demonstrate our approach
by analysing information released to an attacker by faulty password checking pro-
grams; our example is inspired by a known flaw in versions of OpenSSH distributed
with various Unix, Linux, and OpenBSD operating systems.

Keywords: Secure Information Release, Static Analysis, Program Verification.

1 Introduction

It is often inevitable, during the course of program execution, for sensitive information to be
leaked to the environment; in the presence of an attacker, such leakage — henceforth information
release — can be catastrophic, or at the very least damaging, to the parties with whom the
data is concerned. Ensuring that information release is minimal is a critical requirement in a
variety of applications; this is true, for instance, with authentication, encryption and statistical
analysis software. General purpose applications infected by malicious code, or malware, may
seek to release much more information than expected by the user; this is also the case with
Trojan horses (think of a tax-return calculator that releases private financial information to an
unauthorised observer). What the user generally expects in these applications is that the amount
of information release does not exceed what is absolutely necessary for normal operation.

Therefore it is highly necessary to have means of controlling the information released by a
program, while taking into account its purpose and functionality, namely, how it transforms its
inputs to publicly observable output. The problem we are then concerned with is how to check
whether the program does not release more than is specified. In other words, we seek a way of
checking that a given program conforms to an information release policy.

In this paper we present static analysis techniques to measure the information released by a
program, both qualitatively and quantitatively (using information theory), and develop a policy
model whereby users’ information release requirements may be specified. The intention is that,
by comparing the information actually released by the program with a specification of its ex-
pected information release, as stated in a policy, we can judge whether the program has secure
information flow and reject insecure implementations.

We demonstrate our approach by investigating attacks on password-checking programs, where
timing delays can give clues to potential attackers about the validity of user log-in names and
passwords. The examples are inspired by password checking programs used in different versions
of OpenSSH on various Unix, Linux, and OpenBSD operating system.

1 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

Contributions. In this paper we present a general static analysis technique, parametrised by
attacker models, for the verification of secure information flow in interactive programs. This
includes a concrete static analysis technique for While programs under a “standard attacker”
model, which can observe program outputs as prescribed by the standard operational semantics.

Our analysis is both flow-sensitive and termination-sensitive, accounting for sequencing of
programs as well as correctly dealing with information release in the face of program diver-
gence. We present a qualitative policy framework, whereby users may enforce secure informa-
tion release requirements on programs. We also demonstrate how the qualitative policies can be
described quantitatively, with examples. We show a limitation of the quantitative technique.

The overall architecture and framework is described in Section 2, while the static analysis of
information release for arbitrary While programs is presented in Section 3. Information release
policies are described in Section 4. We illustrate our analysis and enforcement technique by
considering examples which exploit design, implementation and configuration flaws in password
authentication programs in Section 5. The examples are motivated by flaws in version of the
OpenSSH authentication module. Section 6 shows how the qualitative PER-based policies of
Section 4 may also be expressed quantitatively using information theory. Section 7 concludes
and looks at areas of future work.

Related Work. This paper describes a technique for the analysis of secure information release
in computer programs, which is an established field [10]. This paper extends our earlier work [2],
on the lattice-based formulation of secure information flow under various attacker models, with
a concrete static analysis methodology. We are evaluating ways of efficiently implementing the
proposed technique, which may benefit from minimal model generation results of [3]. In [1] a
theorem-proving approach is presented that deals with noninterference properties of programs.
The implementation for real languages is still further away, but we envisage applying the tech-
nique in the context of low-level code such as assembly or virtual machine languages [8, 14, 4].

2 Analysis and Enforcement Framework

Our approach forms the basis of a framework for analysing the security of programs. In partic-
ular, we envisage the technique of static analysis described in this paper as being implemented
in a software tool, possibly a kernel module for various operating systems, which computes the
information release of programs during installation or prior to that in a proof-carrying code set-
ting [9]. A user would supply (or be supplied with, by a trusted source) an information release
policy to this tool, and if a program fails to satisfy the requirement of the policy, its execution
would be prevented and the user warned.

We have so far developed the theory of information release for programs expressed in a sim-
ple, but typical, imperative language. The static analysis rules described in this paper could
be adapted to different languages and generalised to account for different types of attacker. As
part of a long-term research programme, we will be targeting the analysis of low-level code for
system software and applications running on mobile devices.

The analysis technique we are proposing would be used in a system architecture comprising:
a set of users , programs assumed to be potentially hostile (until verified otherwise), an execution

Proc. AVoCS 2010 2 / 15



ECEASST

environment, a set of information release policies, a static analyser. Users are assumed to have
legitimate uses for the programs in the system. The environment in which programs are executed
is assumed to include attackers, potentially waiting locally or on other networks for the program
to disclose confidential or sensitive information to them. That is, we consider the malicious code
scenario, where the program may contain spyware or design or implementation flaws that can be
used to reveal sensitive data that are ordinarily accessible only to the user and the programs.

Information release policies may be published by authors of programs; additionally, users can
define their own information release policies for programs they use, in order to specify their
expectations of information release. Most importantly, users control the application of the static
analysis tool to programs they execute in order to check that their policies are satisfied. On one
hand, if a program fails the analysis, this is an indication that it may contain exploitable flaws.
On the other hand, programs that pass verification are provably secure against the attacker model
used in the verification.

3 Static Analysis

In this section we present a static analysis of information flow in While programs.

3.1 Syntax and Semantics of the While Language.

In this section we present the core imperative language, While, which has loops and input-output
interactions. Its syntax (Figure 1) and the operational semantics (Figure 2) are largely familiar.

c ∶∶= skip ∣ z ∶= e ∣readz ∣writee ∣ c; c ∣if(b)thencelsec ∣while(b)doc

Figure 1: The While Language

In the language, expressions are either boolean-valued (with values taken from B ≜ {tt,ff}),
or integer-valued (taken from Z). Program states, Σ, are maps from variables to values. The
evaluation of the expression e at the state σ ∈ Σ is summarised as σ (e). Expression evaluations
are performed atomically and have no side-effect on state. A program action, ranged over by
a, can either be an internal action τ , which is not observable ordinarily; or it can be an input
action through the read command; or it can be an output action via the write command, where
the expression value can be observed. Secret program inputs are treated as parameters. The op-
erational semantics is specified through transition relations between expression configurations
(⟨e,σ ⟩ τÐ→ ⟨σ (e),σ ⟩) and command configurations (⟨c,σ ⟩ aÐ→ ⟨c′,σ ′⟩). A special terminal
command configuration, ⟨⋅,σ ⟩, indicates termination in the state σ . The set of all command
configurations, including the terminal command configuration is denoted by S.

We adopt the relational semantics definition of [6], where program semantics is modelled
as a relation j⋅o ⊂ Σ∞ × Σ∞ over the extended state space Σ∞ = Σ ∪{∞}, which is obtained by
adding a special “looping state” ∞ to Σ. Thus, for any program c, σ jco σ ′ holds if there exists
a terminating state σ ′ ∈ Σ of c when it is executed at the initial state of σ ∈ Σ; otherwise σ jco ∞
asserts the divergence of c under σ . Additionally, no program can exit the “looping state”, so that

3 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

∞jco∞ always holds. Furthermore, we assume that ⟨c,∞⟩ τÐ→ ⟨c,∞⟩. The angelic relational
semantics j⋅o

↓
restricts the domain and range of j⋅o to Σ. The operators ; and ∪, when used with

relations, are respectively the standard relational composition and union operators.

⟨skip,σ ⟩ τÐ→ ⟨⋅,σ ⟩ ⟨z ∶= e,σ ⟩ τÐ→ ⟨⋅,σ [z ↦ σ (e)]⟩ ⟨read z,σ ⟩
in(n)
Ð→ ⟨⋅,σ [z ↦ n]⟩

⟨write e,σ ⟩
out(σ (e))
Ð→ ⟨⋅,σ ⟩

⟨c1,σ ⟩
aÐ→ ⟨⋅,σ ′⟩

⟨c1; c2,σ ⟩
aÐ→ ⟨c2,σ ′⟩

⟨c1,σ ⟩
aÐ→ ⟨c′1,σ

′⟩
⟨c1; c2,σ ⟩

aÐ→ ⟨c′1; c2,σ ′⟩

⟨b,σ ⟩ τÐ→ ⟨tt,σ ⟩ ⟨c1,σ ⟩
aÐ→ ⟨c′1,σ

′⟩
⟨if(b)thenc1 elsec2,σ ⟩

aÐ→ ⟨c′1,σ ′⟩
⟨b,σ ⟩ τÐ→ ⟨ff,σ ⟩ ⟨c2,σ ⟩

aÐ→ ⟨c′2,σ
′⟩

⟨if(b)thenc1 elsec2,σ ⟩
aÐ→ ⟨c′2,σ ′⟩

⟨b,σ ⟩ τÐ→ ⟨ff,σ ⟩
⟨while(b)doc,σ ⟩ τÐ→ ⟨⋅,σ ⟩

⟨b,σ ⟩ τÐ→ ⟨tt,σ ⟩ ⟨c,σ ⟩ aÐ→ ⟨c′,σ ′⟩
⟨while(b)doc,σ ⟩ aÐ→ ⟨c′;while(b)doc,σ ′⟩

Figure 2: Operational Semantics of While

Preliminaries. Partial Equivalence Relations (PERs) have been used to model information [7,
11]. A PER over a set Ω is a symmetric and transitive binary relation. If, in addition, the PER is
reflexive over Ω, then it is an equivalence relation over that set. For any given set Ω, we denote
the set of all PERs over Ω to be PER(Ω). Let R ∈ PER(Ω) be a PER, the domain of definition
of R is given by dom(R) ≜ {ω ∈ Ω ∣ ω R ω}, and for any ω ∈ dom(R), the equivalence class of ω
is given by [ω]R ≜ {ω′ ∈ Ω ∣ ω R ω′}. We denote by [Ω]R ≜ {[ω]R ∣ ω ∈ dom(R)} the set of all
equivalence classes of R.

A PER over Ω models information by its ability to distinguish, or not, the elements of the set
Ω [12]. Two elements of Ω are said to be indistinguishable (lack of knowledge) by a PER if
they are related by that PER, otherwise the PER distinguishes (has knowledge about) them. Let
R,R′ ∈ PER(Ω) be PERs, R′ is said to be more informative than R, written R ⊑ R′, iff for every
ω,ω′ ∈ Ω, ω R′ ω′ Ô⇒ ω R ω′. The intuition behind R ⊑ R′ is that if R′ cannot distinguish a
pair, neither can R; and thus by the contrapositive, R′ distinguishes more than R, making R′ more
informative. In order to combine the information in two PERs R and R′, we define the lattice join
operation ⊔ over PERs, such that for all ω,ω′ ∈ Ω,ω (R⊔R) ω′ iff ω R ω′ and ω R′ ω′. It is clear
that R ⊑ R′ ⇐⇒ R⊔R′ = R′. The extension of ⊔ to sets is defined in the usual way, such that for
any R⊆ PER(Ω), ω ⊔Rω′ iff ∀R ∈R, ω R ω′. For any set Ω, PER(Ω) is a complete lattice.
We also note the general property that the union R∪R′ of disjoint PERs is also a PER.

We define the identity (id) and the all (all) equivalence relations over Ω such that for all
ω,ω′ ∈ Ω, ω all ω′ holds; and ω id ω′ holds iff ω = ω′. For any While expression e of type t,
where ⟦t⟧ is the set of all t-values, and φ ∈ PER(⟦t⟧), define e ∶ φ ∈ PER(Σ) to be the PER over
program states defined such that ∀σ,σ ′ ∈ Σ,σ e ∶ φ σ ′ iff σ (e) φ σ ′(e). Let rng(R) be the range
of the relation R, we define the operator ●, which composes a relation and a PER, and is defined

Proc. AVoCS 2010 4 / 15



ECEASST

for any PER R over Σ such that ∀σ,σ ′ ∈ Σ,σ jco ● R σ ′ iff ∃σ1,σ2 ∈ rng(jco↓) s.t. σ jco σ1 ∧
σ
′ jco σ2 ∧σ1 R σ2 ∨(σ jco ∞∧σ ′ jco ∞). Since c is deterministic, and hence jco is a function,

the relation jco● R is a PER, and it mirrors in the domain of jco, the partitioning of the range
of jco by R. Additionally, jco● R partitions initial states of c that lead to divergence from those
under which c terminates.

The map µ ∶P(Ω) → [0,1] is a probability measure over Ω if µ(Ω) = 1, and for any disjoint
X,Y ⊆ Ω, µ(X ∪Y ) = µ(X)+ µ(Y ). For singleton events {ω} ⊆ Ω, we write µ(ω) instead of
µ({ω}). Given the probability measure µ over the space Ω, the entropy of the space due to µ is
given by H(µ) = −∑ω∈Ω µ(ω)log2(µ(ω)).

3.2 Attacker Models

The information gained by an attacker through a program is determined by what the attacker can
observe during the program’s execution. We refer to what the attacker can see about a program’s
execution as the attacker’s observational power. Therefore, the analysis of secure information
release is carried out relative to a specific attacker, modelled by the attacker’s observational
power. We formalise the attacker’s observational power as a rewrite of the labels of the standard
transition system of the program to an induced transition system. This allows us to parametrise
the static analysis with the specific attacker models, against which the analysis is secure. Let
T = ⟨S,Ð→,A⟩ be the labelled transition system of a program in the concrete semantics, then the
observational power of an attacker A over this program induces another transition system TA =
⟨S,Ð→A,AA⟩, where AA is the set of actions that can be observed by A, and Ð→A⊆S×AA ×S
is the transition relation as seen by A. Typically, Ð→A is defined as rewrite rules over Ð→. As
usual, A∗A is the Kleene closure of AA, and we abbreviate by

αÐ→A, the sequence of transitions
a1Ð→A

a2Ð→A ... in TA, where α = a1,a2,... ∈A∗A.
We consider a standard attacker AS, which is able to observe the output values of write state-

ments. This attacker cannot ordinarily observe input actions or the values read during input,
which allows us to model input actions (such as read from files), which are not visible to the
attacker. However, what the attacker knows about inputs is modelled directly in our informa-
tion flow definition (R ⇒ R′, introduced in Section 4). This is reasonable, since the attacker’s
prior knowledge is external to the program semantics, and is only a parameter to our analysis of
information flow. Thus, Ð→AS rewrites all labels of the transition relation Ð→ of the standard
operational semantics to τ , except for output labels out(v), which are left unchanged.

3.3 Information Release Typing Rules

We now present the concrete static analysis of While programs with respect to an attacker model
A. Firstly, we define an equivalence relation ≡Ac over states, which models the information re-
leased to the attacker A by observing the execution of c as follows: ∀σ,σ ′ ∈ Σ, σ ≡Ac σ ′ iff
∀α,α′ ∈A∗A

∃⟨⋅,σ1⟩ ∈S∧⟨c,σ ⟩
αÐ→A ⟨⋅,σ1⟩ ⇐⇒ ∃⟨⋅,σ2⟩ ∈S∧⟨c,σ ′⟩

αÐ→A ⟨⋅,σ2⟩ &

∃⟨c′,σ1⟩ ∈S∧⟨c,σ ⟩
α
′

Ð→A ⟨c′,σ1⟩ ⇐⇒ ∃⟨c′′,σ2⟩ ∈S∧⟨c,σ ′⟩
α
′

Ð→A ⟨c′′,σ2⟩ (1)

It is clear that ≡Ac relates any pair of states that lead to executions of c, which are observa-
5 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

tionally equivalent as far as the attacker A can tell, and it captures semantically, the information
that A can gain about the initial states of c. The definition of ≡Ac is termination-sensitive, distin-
guishing between terminating and non-terminating executions of c. It is easy to see that ≡Ac is an
equivalence relation over states.

Our static analysis is defined as a type system, parametrised by an attacker model. The typing
derivation for a program c, under the attacker model A, captures how A’s knowledge changes
due to information released by c and is written in the form ΓA ⊢ c ∶ (RX ,R) ⇒ (RY ,R′). The
typing environment ΓA makes explicit the fact that the analysis is with respect to the attacker
model A. The PER R stands for our assumption about A’s initial knowledge and the PER R′

is the information released to the attacker, which includes the attacker’s initial knowledge (that
is, R ⊑ R′). We use RX and RY to model how c transforms program states, linking the analysis
of information flow to the program semantics. We assume RX ⊆ Σ∞ × Σ∞ is a function, which
maps an initial set of states of interest to the set of states prior to the execution of c. Then, RY ⊆
Σ∞ × Σ∞ is also a function, which maps the initial set of states to the states after the execution
of c, and is simply obtained by the composition RY = RX ;jco. Formally, the type judgement
ΓA ⊢ c ∶ (RX ,R) ⇒ (RY ,R′) is valid if RY = RX ;jco and ∀σ,σ ′ ∈ Σ,

σ R′ σ ′ Ô⇒ σ R σ ′ ∧(∃σ1,σ2 ∈ rng(RX ) ∶ σ RX σ1 ∧σ ′ RX σ2 Ô⇒ σ1 ≡Ac σ2). (2)

The judgement ΓA ⊢ c ∶ (RX ,R) ⇒ (RY ,R′) characterises the information released by c to the at-
tacker A, which refines A’s knowledge over the initial set of states in dom(RX ). For full program
analysis, we will typically take RX to be the identity relation over Σ. Thus, under the assumption
of initial information R that the attacker A might have, A can gain at most the information R′

by observing the execution of c which can be computed as R′ = (RX● ≡Ac )⊔ R. This semantic
definition of information flow ties together the standard program semantics, the attacker’s ob-
servational power, and the information release. Note that the clause σ R′ σ ′ Ô⇒ σ R σ ′ in (2)
ensures that the attacker’s knowledge is monotonically increasing.

We present the analysis rules for the standard attacker model AS in Figure 3. The rules also
apply to other attacker models, such as AT (introduced in Section 5), which are simple rewrites
of the transition relation under AS. Since the attacker model is clear, we shall simply write the
typing judgement ΓAS ⊢ c ∶ (RX ,R) ⇒ (RY ,R′) as c ∶ (RX ,R) ⇒ (RY ,R′), and ≡ASc as ≡c.

The analysis rules for skip, assignment and read statements do not change the attacker’s
knowledge, and hence do not ordinarily release information because the attacker model can-
not directly learn anything about the inputs by observing their execution. The rule for write
statement shows that the attacker gains information about the expression e, by partitioning the
input space so that all states in each class evaluates e to an identical value. The composition rule,
[COMP], shows how to compose the analysis of sequential statements. The rule [SUB] says that we
can safely weaken our assumptions about attacker’s prior knowledge and strengthen the result of
the analysis of the attacker’s final knowledge. The rule for if statement combines the informa-
tion released by the execution of the conditional statement with the attacker’s prior knowledge.
Finally, the while rule, computes a fixed point of the information released by unrolling the while
statement to an equivalent one-step execution, and applying the rule until a fixed point is reached.
Since the analysis rules are to be applied in a concrete static analysis tool, we assume that the
set of states Σ considered is finite, so that there exists a unique n for the least fixed point. A
more general definition, of the while fixed point, which copes with a countably infinite set of

Proc. AVoCS 2010 6 / 15



ECEASST

skip ∶ (RX ,R) ⇒ (RX ,R) z ∶= e ∶ (RX ,R) ⇒ (RX ;jz ∶= eo,R)

readx ∶ (RX ,R) ⇒ (RX ;jreadxo,R) writee ∶ (RX ,R) ⇒ (RX ,R⊔(RX ●e ∶ id))

[COMP]
c1 ∶ (RX ,R) ⇒ (RY ,R′) c2 ∶ (RY ,R′) ⇒ (RZ,R′′)

c1; c2 ∶ (RX ,R) ⇒ (RZ,R′′)
RY = RX ;jc1o
RZ = RY ;jc2o

[SUB]
c ∶ (RX ,R1) ⇒ (RY ,R2) R0 ⊑ R1 R2 ⊑ R3

c ∶ (RX ,R0) ⇒ (RY ,R3)
RY = RX ;jco

c = if(b)thenc1 elsec2
if(b)thenc1 elsec2 ∶ (RX ,R) ⇒ (RY ,R⊔(RX ● ≡c))

RY = RX ;jco

if(b)thencelseskip ∶ (RXi,Ri) ⇒ (R′Xi,Ri+1) RXi+1 = RXi ∪R
′

Xi
R′Xn ≜ {(σ,∞),(σ1,σ2)∣(σ,σ

′) ∈ RXn,σ ′(b) = tt∨σ ′ = ∞,(σ1,σ2) ∈ RXn,σ2(b) = ff}
σ R′nσ ′ ⇐⇒ (∃σ1,σ2 ∈ rng(kR′Xn p↓)∧σ R

′

Xn
σ1 ∧σ ′ R′Xn σ2)∨(σ R

′

Xn
∞∧σ ′ R′Xn ∞)

while(b)doc ∶ (RX0,R0) ⇒ (R′Xn,Rn ⊔R
′

n)
RXn = RXn+1
Rn = Rn+1

Figure 3: Information Release Typing Rules

states would be (⋃i∈N RXi,⊔i∈N Ri). At the fixed point, the while statement diverges at states that
evaluate the guard b to tt, hence those states are replaced by the “looping state” ∞, which cannot
cause further information flow in subsequent statements. Furthermore, R′n partitions the initial
states between those that lead to divergence of the while and those that do not.

Theorem 1 (Correctness) For any program P, and attacker AS’s initial knowledge R. Let
RX ⊆ Σ∞ × Σ∞ be a strict total function over the finite extended state space Σ∞ of P and let
σ ∣RX ∣σ ′ ⇐⇒ σ,σ ′ ∈ {σ1 ∈ dom(RX ) ∣∃σ2 ∈ rng(jRX o↓)∧σ1 RX σ2}. Then the type derivation
ΓAS ⊢ P ∶ (RX ,R) ⇒ (R′X ,R

′) has the following properties

1. R′X = RX ;jPo,

2. (RX● ≡ASP )⊔R ⊑ ∣RX ∣⊔R
′.

Theorem 1 establishes the correctness of the analysis by expressing a safety property of the
analysis. In particular, if we choose RX to be the identity relation over the state space of P,
then we can see that the result of the analysis of information release R′, under any assumption
of the attacker’s prior knowledge is always at least as great as the combination of the attacker’s
prior knowledge and the actual information (RX● ≡ASP ) =≡

AS
P released by the program P. That is,

≡ASP ⊔R ⊑ R
′.

7 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

4 Information Flow Policies

Our objective is to ensure that a program that requires (legitimate) access to confidential data
does not release more information than is intended. We now present a semantic definition of
information flow policies, which characterises our intentional information release requirements.
Generically, we view information release policies such that, given a lattice of information, the
policy sets upper bounds on the information transferred through a program to an observer. Our
information release policies fall under the what dimension of information declassification, which
considers what information is released by a system. Other dimensions of declassification include
the who, when, and where dimensions [12].

After information release, the final knowledge of the observer is dependent on the observer’s
initial knowledge. In this paper, we consider the case where the observer’s final knowledge is
simply computed by taking the lattice join of the initial knowledge and the information release.
Schematically, if Ki ∈I is the initial knowledge of the observer, and R ∈I is the intended informa-
tion release, both taken from some underlying lattice of information I, then, in this scheme, the
final knowledge K f of the observer is computed simply as K f = Ki ⊔ R. More generally though,
we consider a class of information release policies, _, which are maps from some initial knowl-
edge of the observer to a final one. Since information release causes knowledge to increase, the
only requirement in this more general case is that the final knowledge is at least as much as the
initial one before receiving additional information. We define such a class of policies below. Be-
cause the secrets to be protected are stored in program states during computation, in this paper,
our information lattice is defined as partial equivalence relation over states.

Definition 1 (Enforcement of PER-based Information Release Policies) Let Σ be the set of
program states and let I ≜ PER(Σ) be the set of all partial equivalence relations over Σ such that
R,R′ ∈ I. An information release policy, R _ R′, is a transformer over the lattice I such that
R ⊑ R′.

A program P is said to satisfy the policy R _ R′ (under the attacker model A) if the typing
judgement ΓA ⊢ P ∶ (id,R) ⇒ (RY ,R′′) holds, and we have that R′′ ⊑ R′.

The information release policy R _ R′ allows the observer to gain at most the information
R′ if the observer has a prior information RA such that R ⊑ RA ⊑ R′. Intuitively, the require-
ment R ⊑ R′ means that information release policies can only increase the observer’s knowl-
edge; although, it may dissalow information gain in case of the noninterference [5] policy:
R _ R. As an example, a policy that releases at most the parity of the secret contained in
variable x may be defined as: all _ Parx, where Parx is the equivalence relation defined such
that ∀σ,σ ′ ∈ Σ,σ Parx σ ′ ⇐⇒ σ (x) = σ ′(x) mod 2. This says that if the observer has no prior
information (i.e. cannot distinguish any pair of states since σ all σ ′ holds for all states), then the
observer is allowed to be able to distinguish at most the parity of x after the release.

The second part of Definition 1 shows how to enforce the information release policy R _ R′.
We start by the verification, through static analysis, of the program to determine the level of
information that it might release to the observer. The verification is based on the assumption
R, of the attacker’s initial knowledge. The program is deemed secure if the analysis result R′′,
which represents the information that the program might release is below R′ (the upper bound on

Proc. AVoCS 2010 8 / 15



ECEASST

information flow allowed by the policy). Because we specified id in ΓA ⊢ P ∶ (id,R) ⇒ (RY ,R′′),
the analysis is carried out over the total state space of P. Because of the ordering property PERs,
which means that R1 ⊑ R2 Ô⇒ dom(R2) ⊆ dom(R1), we need not use the identity relation id
over Σ, rather, we can restrict this to the identity relation over the actual space of inputs to P;
or, in the case that dom(R) is smaller than that input space, over dom(R). This results in some
analysis efficiencies.

5 Example: Password Timing Attacks

In this section we consider two password-checking programs, expressed in the While language.
This example is motivated by potential timing attacks that may be mounted against versions of
the OpenSSH with PAM (Pluggable Authentication Module) support distributed with various
Linux operating systems. In summary, depending on the behaviour (timing delay) of the authen-
tication module on invalid username-password combinations, the attacker may be able to infer
further information on whether a user exists or not, in addition to whether the supplied pass-
word matches the valid user’s password or not. Note that the timing delays are usually added to
failed authentication steps to reduce the effectiveness of dictionary attacks, however, wrongly-
implemented, can be exploited as we demonstrate in the following analyses.

The standard observational model AS cannot observe time delays in program execution. Hence,
for the examples below, we shall introduce an attacker model, AT , which can observe the passage
of time, or, more precisely, can model various delays during program execution by counting the
number of primitive commands executed. It can also observe read prompts, when the program
accepts either the username or password. The attacker model AT extends the standard observa-
tional capability of AS by introducing a capability to count the number of primitive commands
executed. The transition relation Ð→AT as seen by the attacker AT is defined, for any of the
small-step command-configuration transition in Ð→AS , as

⟨c,σ ⟩ aÐ→AS ⟨c′,σ ′⟩

⟨c,σ ⟩
⟨a,t+1⟩
Ð→ AT ⟨c′,σ ′⟩

[t]
⟨c,σ ⟩ aÐ→AS ⟨⋅,σ ′⟩

⟨c,σ ⟩
⟨a,t+1⟩
Ð→ AT ⟨⋅,σ ′⟩

[t]
⟨readx,σ ⟩ aÐ→AS ⟨⋅,σ ′⟩

⟨readx,σ ⟩
⟨in,t+1⟩
Ð→ AT ⟨⋅,σ ′⟩

[t] (3)

Thus, if the program makes a small step transition in the standard semantics at the “time” t,
the attacker observes the increment of counter t by 1, in addition to the action a performed in
the standard semantics. This capability constitutes the basis of the timing attacks demonstrated
below.

In a password authentication program we have to release the information that a user with the
correct password is valid (the case when authentication succeeds) and that a valid user with the
wrong password as well as invalid users regardless of the password are invalid (the case when
authentication fails). What we do not want to do is to further distinguish the cases between a
valid user with wrong password and a non-existent user. The intended information release policy
can be formalised as follows.

Let U be the set of all possible users, regardless of whether they exist or not on the target
system, and let U ⊆U be the valid ones, that exist on the target system. For each valid user u ∈ U ,
let pu be the user’s password. Similarly, let P be the set of all possible passwords, of which a

9 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

subset of it is the set of legitimate users’ passwords. The set of valid users, with valid passwords
is thus V = {(u, pu) ∣ u ∈ U, pu ∈P}. Hence, we can define our username-password state space to
be Σ =U×P, and the equivalence relation which models precisely the information we intend to
release is Rv where ∀(u, p),(u′, p′) ∈ Σ,(u, p)Rv (u′, p′) ⇐⇒ (u, p),(u′, p′) ∈V ∨(u, p),(u′, p′) ∈
Σ/V . This equivalence relation only distinguishes legitimate users with correct passwords from
the rest of the world, and no more. Hence, our intended information release policy would be
all _ Rv, which allows the observer, which has no prior information, to gain the information Rv
(as required by a genuine authentication system).

Now consider the program on the left-hand-side of Figure 4. This program accepts both the
username and password at the beginning, and then outputs the value 1 on a successful authorisa-
tion, or:

• either produces a time delay1 of na units and outputs the value 2 to indicate an unsuccess-
ful attempt (the case of an invalid password),

• or produces a time delay of nb units and outputs the value 2 to indicate an unsuccessful
attempt (the case of an invalid username).

Clearly the values of na and nb are significant: if na=nb then an attacker observing time delays
will not be able to distinguish whether a delay has been caused by an incorrect username or an
incorrect password. If the attacker only observes program output he or she will not be able to
distinguish these cases, since both write out the same “error message” value of 2. Our static
analysis, under the attacker model AT , is able to distinguish between the case when na=nb,
and the case when na≠nb. Let the program be PA, which sets na=nb. Then applying the
analysis rule to PA, under the attacker model AT , gives ΓAT ⊢ PA ∶ (id,all) ⇒ (RY ,Rv) on the one
hand2. On the other hand, now consider another implementation PB where na≠nb. We obtain
the type analysis ΓAT ⊢ PB ∶ (id,all)⇒(RY ,R′v), where ∀(u, p),(u′, p′) ∈ Σ,(u, p)R′v (u′, p′) ⇐⇒
(u, p),(u′, p′) ∈ V,(u, p),(u′, p′) ∈ V ′,(u, p),(u′, p′) ∈ Σ/(V ∪V ′), and where V ′ = (U ×P)/V
is the set of valid users with invalid passwords. Clearly, since R′v /⊑ Rv,(in fact, Rv ⊏ R′v), PB
does not satisfy our information release policy, and should therefore be rejected. Generally, the
evaluation of expressions is not observable, and therefore the evaluation of the member and valid
expressions conditions is not visible to the attacker in these examples.

The password checking program on the right hand side of Figure 4 is differently structured to
that of the left, in that it first accepts only the username at the start and directly checks whether
it is valid or not, producing a delay nb in the latter case before reporting a failure. However, the
fact that the user is prompted to enter the password in the case that the username exists, and is
not in the case that the user does not exist already reveals information on the existence or not
of the specified user, even without further interaction. The static analysis of this program PC is
ΓAT ⊢ PC ∶ (id,all)⇒(RY ,R′v), where ∀(u, p),(u′, p′) ∈ Σ,(u, p) R′v (u′, p′) ⇐⇒ (u, p),(u′, p′) ∈
V,(u, p),(u′, p′) ∈ V ′,(u, p),(u′, p′) ∈ Σ/(V ∪V ′). This is exactly the same information released
by the program PB where the fact that na differs from nb helps the attacker to distinguish the

1 The delay n function may be implemented in the While language by looping over a skip statement n times, which
can be differentiated by the attacker model AT for different values of n.
2 The relation RY maps all initial states to a final state that contains the supplied username and password values.

Proc. AVoCS 2010 10 / 15



ECEASST

read user;
read pw;
if (member(user,U)) then

if (valid(user,pw)) then
write 1

else
delay na
write 2

else
delay nb
write 2

read user;
if (member(user,U)) then

read pw;
if (valid(user,pw)) then

write 1
else

delay na
write 2

else
delay nb
write 2

Figure 4: Password-checking programs (Version 1 on the left, and Version 2 on the right).

case between non-existent user and a valid user with invalid password. However, in the case of
PC, the same information is released regardless of the equality or not of na and nb.

The lesson learned from these analyses is that even non-malicious program can contain subtle
bugs or design flaws which violate information security policies and must therefore be checked
against such unintended information leakage. However, our approach is perfect for the malicious
code scenario, where apart from the possibility of unintentional information leakage, malicious
information release can be detected through static verification of programs. In the case of the
program on the left hand side of Figure 4, the implementation is correct, but the configuration
(i.e. how the values of na and nb are set relative to each other) can expose the timing flaw, which
our analysis detects. However, in the case of the right hand side program, it is an implementation
or design flaw to check the existence of the user before proceeding to prompt for a password.

6 Quantifying the Information Release

The analysis presented in this paper shows that deterministic programs may be viewed as agents
that release information by partitioning their input domains. Policies are then controls, which
specify to what extent a program is allowed to partition this domain. When the analysis is
furnished with a probability measure, which represents the attacker’s uncertainty over the input
space, our qualitative PER-based policy specification actually dictates the maximum quantitative
information, in an information-theoretic [13] sense, that the program in question is allowed to
release. Because of the determinism, any sort of probability distribution observed in the output
behaviour of the program is induced by the probability distribution of the input space, and hence
any reduction in the uncertainty of the attacker over the entropy of the input space obtained by
observing program execution is, in fact, as a result of the refinement of the partitioning of the
input space caused by the program. Hence, when we specify the policy R _ R′, where R ⊑ R′
are equivalence relations, we are effectively also specifying an upper bound on the quantitative
information that we allow to be released. Specifically, given a probability distribution µ over
the input space Σ, the equivalence relation R over Σ describes what the attacker is assumed to

11 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

know before the execution of the program, and the qualitative information R can be quantified as
H(µ∣R) (see Definition 2), which measures the entropy of the input space under the distribution
µ , subject to the partitioning of the input space by R. Similarly, under the policy R _ R′, where
we allow the attacker to refine its knowledge about the input space from R up to a maximum of
R′, the policy effectively specifies the minimum entropy H(µ∣R′) over the input space that the
attacker is allowed to reach. Thus, under any given probability distribution of the input space,
the policy R _ R′ specifies an upper bound on the quantitative information that we allow to be
released: this is a maximum allowable reduction in entropy H(µ∣R _ R′) given below.

Definition 2 (Quantifying Information Release) Let µ be a probability measure over the set Σ
and let R,R′ ∈ PER(Σ) be equivalence relations over Σ such that R ⊑ R′. Define the entropy of the
space Σ, under µ , subject to the partitioning of R as

H(µ∣R) =H(µ)− ∑
X∈[Σ]R

µ(X)log2(µ(X)).

Define the entropy reduction over the space Σ under R _ R′ as

H(µ∣R _ R′) =H(µ∣R)−H(µ∣R′).

The definition of H(µ∣R) takes away from the entropy of µ , the entropy of the space of the
equivalence classes of R. Since Σ is assumed finite, recall that by the finite additivity property
of µ , we may compute µ(X), for any equivalence class X ∈ [Σ]R of R, as µ(X) = ∑σ∈X µ(σ ).
Now, the definition H(µ∣R _ R′) of quantitative information release is reasonable. For example,
the policy all _ id, which on the one hand allows the attacker to gain all information about the
input space quantitatively removes all the uncertainty of the attacker, because for any initial
uncertainty as modelled by the measure µ over the input space H(µ∣all _ id) =H(µ). On the
other hand, the non-interference [5] policy, all _ all, which prevents the attacker from refining
its knowledge through information release has the property that H(µ∣all _ all) = 0.

For the password authentication example of Section 5, the desired quantitative information
release under the assumption of the attacker’s initial probability distribution µ is H(µ∣all _ Rv).
Like under the qualitative PER-based policy, the programs PB and PC do not satisfy the quan-
titative information release requirement either under any assumption of µ . This is be because
Rv ⊏ R′v and Rv ⊏ R′′v and we can easily show that for any µ , and PERs RA and RB, RA ⊑ RB Ô⇒
H(µ∣RB) ≤ H(µ∣R). However, because the reverse implication does not necessarily hold, this
can lead to a false sense of security. In particular, because the entropy measure only uses the
probability distributions, and not the space itself, the values may not reflect which element has
become more likely as a result of information release. This is clear because, for example, permu-
tation of probability measures over the space will leave the entropy measure unaffected. To have
more control over about what elements of the input space information is released, we advocate
using qualitative policies, rather than only quantitative ones. Let us illustrate this with a final
example.

Now consider the following four programs, which processes the input parameter h ∈ {0,1,2,3},
which is a secret:

• P1 ≜ writeh−h

Proc. AVoCS 2010 12 / 15



ECEASST

• P2 ≜ writeh mod 2

• P3 ≜ if(h ≤ 1)thenwrite1elsewrite2

• P4 ≜ writeh.

Let us model the state space of these programs by H = {0,1,2,3}, where n ∈ H models the
state where the value of variable h is n. Our analysis shows the following results: ΓAS ⊢ P1 ∶
(id,all) ⇒ (RY ,all), ΓAS ⊢ P2 ∶ (id,all) ⇒ (RY ,κ), ΓAS ⊢ P3 ∶ (id,all) ⇒ (RY ,κ′), ΓAS ⊢ P4 ∶
(id,all) ⇒ (RY ,id), as depicted in Figure 5, where RY maps all states to the input value of h.
The equivalence relations are defined as follows: ∀h,h′ ∈ H, h κ h′ iff h = h′ mod 2, h κ′ h′ iff
h,h′ ∈ {0,1} or h,h′ ∈ {2,3}. The arrows in Figure 5 describe how the respective programs trans-
form the partition of their domains. For example, the arrow labelled P4 shows that given the
initial knowledge represented by all, the attacker’s final knowledge is modelled by id. By fol-
lowing the arrows labelled P2 and P3, we obtain the transformation of the attackers knowledge
from all via κ to id, which can be obtained by running the composed program P2; P3. Not all
possible arrows are shown.

Now suppose that we wish to release, at most, the parity of the secret h. The desired qual-
itative policy would be all _ κ , which releases the parity of h. Clearly P1 and P2 satisfy this
policy, but P3 and P4 do not because κ′ /⊑ κ and id /⊑ κ . Now, let us take a uniform probability
measure µ over h, such that ∀h ∈ H, µ(h) = 14 . The desired quantitative information release is
H(µ∣all _ κ) = 1: which allows 1-bit information over the space H to be released, since we are
effectively halving the uncertainty over the whole space, which is 2 bits. So, quantitatively, we
have for P1 and P2, the information release H(µ∣all _ all) = 0 and H(µ∣all _ κ) = 1, which
satisfies our requirement as usual. However, for P3, we have also that H(µ∣all _ κ′) = 1, which
satisfies our quantitative release requirement, but releases information other than the parity of h.
This is a class of the probability permutation problem, where elements with the same probabil-
ities in different equivalence classes are swapped between the equivalence classes of the PER.
This leads to a different PER but leaves the entropy measure intact.

7 Conclusions and Future Work

In this paper we have presented a general static analysis technique for the verification of infor-
mation release by programs written in a simple imperative language. The analysis technique is
defined parametric to an attackers’ observational power. By using various observational powers,
we can move the analysis from the standard semantics to other non-standard semantics, allow-
ing us to model aspects of the system that may be implicit in the design, or that are specific to
certain implementation environments, for example, multi-user environments where a program
may be interacted with locally or across a network - with different behaviours. To illustrate the
use of various attacker’s observational power model, we presented an attacker which can count
instruction execution, allowing this attacker to mount a “timing” attack on the system.

We have demonstrated the value of such an attacker model through the analysis of password
checking programs, which are inspired by the corresponding code in the OpenSSH with PAM
implementation found in various UNIX systems, including versions of OpenBSD, and Linux.

13 / 15 Volume 35 (2010)



Static Analysis of Information Release in Interactive Programs

P1

all
P2

κ

P3

κ
′

P4
P3

P2

id

0 1

2 3

0 1

2 3

0 1

2 3

0 1

2 3

Figure 5: How programs transform partitions of secret domain H = {0,1,2,3}.

The work presented here forms the basis of a wider programme to analyse information release
of operating system-level programs and code for mobile devices. Building on the ideas presented
here, we expect to be able to implement static code checking against information release policies:
the first step will be to incorporate the rules for static analysis into a type checker for While-like
programs. Extensions of the language will be considered, including constructs for procedure
invocation, object-oriented programming, and other features. If the verification of programs
against information release policies is to be done at operating system level (with the type checker
implemented as a kernel module, for example), then the analysis of binary executables may be
necessary, since the original source code may not be to hand. In this case, the static analysis
needs to be adapted for low-level language constructs. For mobile devices it may be sufficient
to apply the analysis to the instruction set of a virtual machine such as the JVM or the Dalvik
executable format of the Android platform, and this is a direction for further investigation. We
find the approach of [4] very interesting. There is significant interest in the Android platform for
mobile devices, and there is an opportunity to study information release in this setting.

Finally, in this paper we have considered specific attacker models (AS and AT ) - we hope to
be able to perform the analysis for attackers with different observational capabilities. While for
the password-checking problem it seems our model is sufficient, there are other possibilities to
consider, and we hope to do so in the light of further examples and case studies.

Bibliography

[1] Ádám Darvas, Reiner Hähnle, and Dave Sands. A theorem proving approach to analysis
of secure information flow. In Dieter Hutter and Markus Ullmann, editors, Proc. 2nd In-
ternational Conference on Security in Pervasive Computing, volume 3450 of LNCS, pages
193–209. Springer-Verlag, 2005.

[2] A. O. Adetoye and Atta Badii. A policy model for secure information flow. In Pierpaolo

Proc. AVoCS 2010 14 / 15



ECEASST

Degano and Luca Viganò, editors, ARSPA-WITS, volume 5511 of Lecture Notes in Com-
puter Science, pages 1–17. Springer, 2009.

[3] A. Bouajjani, Jean-Claude Fernandez, and Nicholas Halbwachs. Minimal model genera-
tion. In Edmund M. Clarke and Robert P. Kurshan, editors, Proceedings of Computer-Aided
Verification (CAV ’90), volume 531 of LNCS, pages 197–203, Berlin, Germany, June 1991.
Springer.

[4] Avik Chaudhuri. Language-based security on android. In PLAS ’09: Proceedings of the
ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security,
pages 1–7, New York, NY, USA, 2009. ACM.

[5] J. A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the
IEEE Symposium on Research in Security and Privacy, pages 11–20, Oakland, CA, April
1982. IEEE Computer Society Press.

[6] R. Joshi and K. R. M. Leino. A semantic approach to secure information flow. Science of
Computer Programming, 37(1-3):113–138, 2000.

[7] J. Landauer and T. Redmond. A lattice of information. In Proceedings of the Computer
Security Foundations Workshop VI (CSFW ’93), pages 65–70, Washington - Brussels -
Tokyo, June 1993. IEEE.

[8] Greg Morrisett, Karl Crary, Neal Glew, Dan Grossman, Richard Samuels, Frederick Smith,
David Walker, Stephanie Weirich, and Steve Zdancewic. Talx86: A realistic typed assembly
language. In In Second Workshop on Compiler Support for System Software, pages 25–35,
1999.

[9] G. C. Necula. Proof-carrying code. In Proceedings of the 24th ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Langauges (POPL ’97), pages 106–119, Paris,
January 1997.

[10] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal
on Selected Areas in Communications, 21(1):5–19, January 2003.

[11] A. Sabelfeld and D. Sands. A per model of secure information flow in sequential programs.
Higher-Order and Symbolic Computation, 14(1):59–91, March 2001.

[12] A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. Journal of Com-
puter Security, 2007.

[13] C. E. Shannon. A mathematical theory of communication. The Bell System Technical
Journal, 27(3):379–423, 1948.

[14] Dachuan Yu and Nayeem Islam. A typed assembly language for confidentiality. In Peter
Sestoft, editor, ESOP, volume 3924 of Lecture Notes in Computer Science, pages 162–179.
Springer, 2006.

15 / 15 Volume 35 (2010)


	Introduction
	Analysis and Enforcement Framework
	Static Analysis
	Syntax and Semantics of the While Language.
	Attacker Models
	Information Release Typing Rules

	Information Flow Policies
	Example: Password Timing Attacks
	Quantifying the Information Release
	Conclusions and Future Work