Quantifying Information Leak Vulnerabilities

Leakage of confidential information represents a serious security risk. Despite a number of novel, theoretical advances, it has been unclear if and how quantitative approaches to measuring leakage of confidential information could be applied to substantial, real-world programs. This is mostly due to the high complexity of computing precise leakage quantities. In this paper, we introduce a technique which makes it possible to decide if a program conforms to a quantitative policy which scales to large state-spaces with the help of bounded model checking. Our technique is applied to a number of officially reported information leak vulnerabilities in the Linux Kernel. Additionally, we also analysed authentication routines in the Secure Remote Password suite and of a Internet Message Support Protocol implementation. Our technique shows when there is unacceptable leakage; the same technique is also used to verify, for the first time, that the applied software patches indeed plug the information leaks. This is the first demonstration of quantitative information flow addressing security concerns of real-world industrial programs.

💡 Research Summary

The paper tackles the long‑standing gap between quantitative information‑flow (QIF) theory and its practical application to large, real‑world software. While numerous theoretical advances have defined precise leakage metrics—such as Shannon entropy, min‑entropy, and channel capacity—computing these quantities for industrial code has been infeasible because of state‑space explosion. The authors propose a novel technique that leverages bounded model checking (BMC) to decide whether a program conforms to a user‑defined quantitative policy, i.e., whether the amount of information leaked stays below a prescribed threshold.

The methodology begins by translating the target program into an intermediate representation (e.g., LLVM IR) and explicitly marking secret inputs and observable outputs. The relationship between secrets and observables is encoded as logical constraints. A quantitative policy is expressed as a bound on a chosen leakage metric; the existence of a policy‑violating execution is then reduced to a SAT/SMT query. BMC systematically explores all execution paths up to a configurable depth, using a SAT/SMT solver to find concrete inputs that satisfy the policy‑violation constraints. If such inputs exist, the tool reports the offending path and the exact amount of leaked information; otherwise, it proves that the program respects the policy within the explored bound.

To demonstrate scalability, the authors applied the framework to several officially reported information‑leak vulnerabilities in the Linux kernel. For each CVE, the analysis identified the precise number of secret bits that could be inferred from the observable behavior (e.g., a system call return value). In one case, a kernel flag leaked three bits, exceeding a policy limit of one bit. The technique was also used on authentication code from the Secure Remote Password (SRP) suite and an Internet Message Access Protocol (IMAP) implementation. In SRP, a partial exposure of the server’s secret during the verification phase was quantified, while in IMAP the unencrypted exposure of mailbox identifiers was measured.

Crucially, the same BMC‑based analysis was rerun after the official patches for each vulnerability had been applied. In every instance, the tool found no policy‑violating paths, confirming that the patches eliminated the quantified leaks. This constitutes the first formal, quantitative verification that a software fix truly plugs an information‑flow hole.

The paper discusses limitations: BMC’s bounded depth may miss leaks that manifest only after deeper recursion or unbounded loops, and setting an appropriate quantitative policy threshold requires domain expertise. Future work is suggested in integrating abstract interpretation to adaptively increase the bound, and in extending the framework to probabilistic models for tighter leakage upper bounds.

Overall, the contribution is twofold: (1) a practical, automated pipeline that brings rigorous QIF measurement to large, industrial codebases, and (2) empirical evidence that quantitative analysis can both discover real‑world leaks and certify the effectiveness of patches. This work bridges theory and practice, offering a new paradigm for security assessment and remediation in complex software systems.