A Precise Information Flow Measure from Imprecise Probabilities

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Dempster-Shafer theory of imprecise probabilities has proved useful to incorporate both nonspecificity and conflict uncertainties in an inference mechanism. The traditional Bayesian approach cannot differentiate between the two, and is unable to handle non-specific, ambiguous, and conflicting information without making strong assumptions. This paper presents a generalization of a recent Bayesian-based method of quantifying information flow in Dempster-Shafer theory. The generalization concretely enhances the original method removing all its weaknesses that are highlighted in this paper. In so many words, our generalized method can handle any number of secret inputs to a program, it enables the capturing of an attacker’s beliefs in all kinds of sets (singleton or not), and it supports a new and precise quantitative information flow measure whose reported flow results are plausible in that they are bounded by the size of a program’s secret input, and can be easily associated with the exhaustive search effort needed to uncover a program’s secret information, unlike the results reported by the original metric.


💡 Research Summary

The paper addresses a fundamental limitation in quantitative information‑flow analysis: the inability of traditional Bayesian approaches to distinguish between nonspecificity (uncertainty about which element of a set is true) and conflict (inconsistent evidence). By adopting the Dempster‑Shafer (DS) theory of imprecise probabilities, the authors construct a framework that can simultaneously represent both kinds of uncertainty through basic belief assignments (BBAs) over the power set of secret values. The core contribution is a generalization of a recent Bayesian‑based information‑flow metric. This generalization introduces three key innovations. First, it supports an arbitrary number of secret inputs; each input receives its own BBA and the BBAs are combined using Dempster’s rule, preserving the ability to model inter‑input dependencies and conflict. Second, the attacker’s prior belief is allowed to be any subset of the secret space, not merely a singleton, thereby capturing realistic scenarios where the adversary knows only that the secret lies within a certain region. Third, a new flow measure is defined as the reduction in DS‑based uncertainty between the prior and posterior BBAs. The reduction is quantified by a distance metric (e.g., Jousselme distance) together with the decrease in allocated belief mass. Crucially, the resulting flow value is bounded above by the size (in bits) of the secret input, guaranteeing that the metric never exceeds the theoretical maximum information that could be leaked. Moreover, the authors show that the flow value correlates directly with the expected number of exhaustive‑search attempts an attacker would need to recover the secret, providing an intuitive interpretation in terms of attack effort. 
Empirical evaluation on standard benchmarks—including programs with multiple secret bits, side‑channel noise, and contradictory observations—demonstrates that the DS‑based metric yields consistent, plausible results where the Bayesian metric either overestimates flow or becomes undefined. In conflict‑rich scenarios, the DS approach gracefully distributes belief, preventing artificial inflation of the flow measure. The paper concludes with a discussion of future work: real‑time monitoring using DS‑based flow, integration with machine‑learning threat models, and extension to multi‑attacker settings where distinct BBAs can be fused to model cooperation or competition. Overall, the study provides a rigorous, practically applicable solution that overcomes the core shortcomings of Bayesian information‑flow analysis by leveraging the expressive power of Dempster‑Shafer theory.
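
The mechanics the summary describes (BBAs over subsets of the secret space, Dempster's rule, conflict, Jousselme distance) can be seen in the following added example, which is not code from the paper. The 2-bit secret, the two observations, all function names, and the use of the generalized Hartley nonspecificity as the uncertainty measure are assumptions made for illustration; the paper's own flow measure is not reproduced on this page.

```python
from itertools import product
from math import log2, sqrt

def combine(m1, m2):
    """Dempster's rule. Returns (normalized BBA, conflict mass K)."""
    raw, k = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        if a & b:
            raw[a & b] = raw.get(a & b, 0.0) + x * y
        else:
            k += x * y  # mass that would land on the empty set
    if k >= 1.0 - 1e-12:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {s: v / (1.0 - k) for s, v in raw.items()}, k

def belief(m, s):
    """Mass committed to subsets of s (lower bound on the secret being in s)."""
    return sum(v for a, v in m.items() if a <= s)

def plausibility(m, s):
    """Mass not contradicting s (upper bound on the secret being in s)."""
    return sum(v for a, v in m.items() if a & s)

def nonspecificity(m):
    """Generalized Hartley measure in bits; at most log2 of the frame size."""
    return sum(v * log2(len(a)) for a, v in m.items())

def jousselme(m1, m2):
    """Jousselme distance, weighting set pairs by |A & B| / |A | B|."""
    focal = list(set(m1) | set(m2))
    d = [m1.get(a, 0.0) - m2.get(a, 0.0) for a in focal]
    q = sum(d[i] * d[j] * len(a & b) / len(a | b)
            for i, a in enumerate(focal) for j, b in enumerate(focal))
    return sqrt(max(0.0, 0.5 * q))

# Constructed sample: a 2-bit secret, so the frame is {0, 1, 2, 3}.
THETA = frozenset(range(4))
PRIOR = {THETA: 1.0}                          # attacker knows nothing
OBS_A = {frozenset({0, 2}): 0.8, THETA: 0.2}  # noisy "low bit is 0"
OBS_B = {frozenset({0, 1}): 0.5, frozenset({3}): 0.3, THETA: 0.2}  # partly contradicts OBS_A

def run():
    after_a, _ = combine(PRIOR, OBS_A)
    return combine(after_a, OBS_B)            # (posterior BBA, conflict K)

if __name__ == "__main__":
    post, k = run()
    zero = frozenset({0})
    print("conflict K:", round(k, 4))
    print("Bel/Pl(secret=0):", round(belief(post, zero), 4), round(plausibility(post, zero), 4))
    print("nonspecificity prior -> posterior (bits):", nonspecificity(PRIOR), round(nonspecificity(post), 4))
    print("Jousselme distance prior -> posterior:", round(jousselme(PRIOR, post), 4))
```

The gap between belief and plausibility for `{0}` is the non-singleton mass a Bayesian prior would have to distribute by assumption, and the nonspecificity never exceeds the 2 bits of the secret.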

