Quantitative Information Flow Metrics

Information flow analysis is a powerful technique for reasoning about sensitive information that may be exposed during program execution. One promising approach is to adopt a program as a communication channel model and leverage information theoretic metrics (e.g., mutual information between the sensitive input and the public output) to quantify such information flows. However, recent research has shown discrepancies in such information theoretic metrics: for example, Smith et. al. [5] showed examples wherein using the classical Shannon entropy measure for quantifying information flows may be counter-intuitive. Smith et. al. [5] proposed a vulnerability measure in an attempt to resolve this problem; this measure was subsequently enhanced by Hamadou et. al. [2] into a belief-vulnerability metric (in Oakland 2010). However, we point out that the vulnerability measure may also lead to counter-intuitive results on several other programs. In fact, we show that one can construct infinitely many programs wherein different information leakage measures (proposed in past work) are in conflict. This paper presents the first attempt towards addressing such conflicts and derives solutions for an optimal conflict-free comparison of programs over a class of entropy measures (called Renyi entropy − a well known generalization of the classical Shannon entropy).