Belief in Information Flow

Abstract

Measurement of information flow requires a definition of leakage, which traditionally has been defined to occur when an attacker's uncertainty about secret data is reduced. We show that this uncertainty-based approach is inadequate for measuring information flow when an attacker is making assumptions about secret inputs and these assumptions might be incorrect. Moreover, we show that such attacker beliefs are an unavoidable aspect of any satisfactory definition of leakage. To reason about information flow based on beliefs, we develop a model that describes how an attacker's belief changes due to the attacker's observation of the execution of a probabilistic (or deterministic) program. The model leads to a new metric for quantitative information flow that measures accuracy rather than uncertainty of beliefs.