Lujo Bauer
Ralf Küsters (Eds.)
ARCoSS
LNCS 10804

Principles of Security
and Trust
7th International Conference, POST 2018
Held as Part of the European Joint Conferences
on Theory and Practice of Software, ETAPS 2018
Thessaloniki, Greece, April 14–20, 2018, Proceedings
Lecture Notes in Computer Science 10804
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, UK
Josef Kittler, UK
Friedemann Mattern, Switzerland
Moni Naor, Israel
Bernhard Steffen, Germany
Doug Tygar, USA
Takeo Kanade, USA
Jon M. Kleinberg, USA
John C. Mitchell, USA
C. Pandu Rangan, India
Demetri Terzopoulos, USA
Gerhard Weikum, Germany

Advanced Research in Computing and Software Science


Subline of Lecture Notes in Computer Science

Subline Series Editors


Giorgio Ausiello, University of Rome ‘La Sapienza’, Italy
Vladimiro Sassone, University of Southampton, UK

Subline Advisory Board


Susanne Albers, TU Munich, Germany
Benjamin C. Pierce, University of Pennsylvania, USA
Bernhard Steffen, University of Dortmund, Germany
Deng Xiaotie, City University of Hong Kong
Jeannette M. Wing, Microsoft Research, Redmond, WA, USA
More information about this series at http://www.springer.com/series/7410
Editors
Lujo Bauer, Carnegie Mellon University, Pittsburgh, PA, USA
Ralf Küsters, University of Stuttgart, Stuttgart, Germany

ISSN 0302-9743, ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-89721-9, ISBN 978-3-319-89722-6 (eBook)
https://doi.org/10.1007/978-3-319-89722-6

Library of Congress Control Number: 2018939619

LNCS Sublibrary: SL4 – Security and Cryptology

© The Editor(s) (if applicable) and The Author(s) 2018. This book is an open access publication.
Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International
License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution
and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and
the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this book are included in the book’s Creative Commons license,
unless indicated otherwise in a credit line to the material. If material is not included in the book’s Creative
Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use,
you will need to obtain permission directly from the copyright holder.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by the registered company Springer International Publishing AG
part of Springer Nature
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
ETAPS Foreword

Welcome to the proceedings of ETAPS 2018! After a somewhat coldish ETAPS 2017
in Uppsala in the north, ETAPS this year took place in Thessaloniki, Greece. I am
happy to announce that this is the first ETAPS with gold open access proceedings. This
means that all papers are accessible by anyone for free.
ETAPS 2018 was the 21st instance of the European Joint Conferences on Theory
and Practice of Software. ETAPS is an annual federated conference established in
1998, and consists of five conferences: ESOP, FASE, FoSSaCS, TACAS, and POST.
Each conference has its own Program Committee (PC) and its own Steering
Committee. The conferences cover various aspects of software systems, ranging from
theoretical computer science to foundations to programming language developments,
analysis tools, formal approaches to software engineering, and security. Organizing
these conferences in a coherent, highly synchronized conference program facilitates
participation in an exciting event, offering attendees the possibility to meet many
researchers working in different directions in the field, and to easily attend talks of
different conferences. Before and after the main conference, numerous satellite
workshops take place and attract many researchers from all over the globe.
ETAPS 2018 received 479 submissions in total, 144 of which were accepted,
yielding an overall acceptance rate of 30%. I thank all the authors for their interest in
ETAPS, all the reviewers for their peer reviewing efforts, the PC members for their
contributions, and in particular the PC (co-)chairs for their hard work in running this
entire intensive process. Last but not least, my congratulations to all authors of the
accepted papers!
ETAPS 2018 was enriched by the unifying invited speaker Martin Abadi (Google
Brain, USA) and the conference-specific invited speakers (FASE) Pamela Zave (AT&T
Labs, USA), (POST) Benjamin C. Pierce (University of Pennsylvania, USA), and
(ESOP) Derek Dreyer (Max Planck Institute for Software Systems, Germany). Invited
tutorials were provided by Armin Biere (Johannes Kepler University, Linz, Austria) on
modern SAT solving and Fabio Somenzi (University of Colorado, Boulder, USA) on
hardware verification. My sincere thanks to all these speakers for their inspiring and
interesting talks!
ETAPS 2018 took place in Thessaloniki, Greece, and was organised by the
Department of Informatics of the Aristotle University of Thessaloniki. The university
was founded in 1925 and currently has around 75,000 students; it is the largest
university in Greece. ETAPS 2018 was further supported by the following associations
and societies: ETAPS e.V., EATCS (European Association for Theoretical Computer
Science), EAPLS (European Association for Programming Languages and Systems),
and EASST (European Association of Software Science and Technology). The local
organization team consisted of Panagiotis Katsaros (general chair), Ioannis Stamelos,
Lefteris Angelis, George Rahonis, Nick Bassiliades, Alexander Chatzigeorgiou, Ezio
Bartocci, Simon Bliudze, Emmanouela Stachtiari, Kyriakos Georgiadis, and Petros
Stratis (EasyConferences).
The overall planning for ETAPS is the main responsibility of the Steering
Committee, and in particular of its Executive Board. The ETAPS Steering Committee
consists of an Executive Board and representatives of the individual ETAPS
conferences, as well as representatives of EATCS, EAPLS, and EASST. The Executive
Board consists of Gilles Barthe (Madrid), Holger Hermanns (Saarbrücken), Joost-Pieter
Katoen (chair, Aachen and Twente), Gerald Lüttgen (Bamberg), Vladimiro Sassone
(Southampton), Tarmo Uustalu (Tallinn), and Lenore Zuck (Chicago). Other members
of the Steering Committee are: Wil van der Aalst (Aachen), Parosh Abdulla (Uppsala),
Amal Ahmed (Boston), Christel Baier (Dresden), Lujo Bauer (Pittsburgh), Dirk Beyer
(Munich), Mikolaj Bojanczyk (Warsaw), Luis Caires (Lisbon), Jurriaan Hage
(Utrecht), Rainer Hähnle (Darmstadt), Reiko Heckel (Leicester), Marieke Huisman
(Twente), Panagiotis Katsaros (Thessaloniki), Ralf Küsters (Stuttgart), Ugo Dal Lago
(Bologna), Kim G. Larsen (Aalborg), Matteo Maffei (Vienna), Tiziana Margaria
(Limerick), Flemming Nielson (Copenhagen), Catuscia Palamidessi (Palaiseau),
Andrew M. Pitts (Cambridge), Alessandra Russo (London), Dave Sands (Göteborg),
Don Sannella (Edinburgh), Andy Schürr (Darmstadt), Alex Simpson (Ljubljana),
Gabriele Taentzer (Marburg), Peter Thiemann (Freiburg), Jan Vitek (Prague), Tomas
Vojnar (Brno), and Lijun Zhang (Beijing).
I would like to take this opportunity to thank all speakers, attendees, organizers
of the satellite workshops, and Springer for their support. I hope you all enjoy the
proceedings of ETAPS 2018. Finally, a big thanks to Panagiotis and his local
organization team for all their enormous efforts that led to a fantastic ETAPS in
Thessaloniki!

February 2018 Joost-Pieter Katoen


Preface

This volume contains the papers presented at POST 2018, the 7th Conference on
Principles of Security and Trust, held April 16–17, 2018, in Thessaloniki, Greece, as
part of ETAPS. Principles of Security and Trust is a broad forum related to all
theoretical and foundational aspects of security and trust, and thus welcomes papers of
many kinds: new theoretical results, practical applications of existing foundational
ideas, and innovative approaches stimulated by pressing practical problems; as well as
systemization-of-knowledge papers, papers describing tools, and position papers.
POST was created in 2012 to combine and replace a number of successful and
long-standing workshops in this area: Automated Reasoning and Security Protocol
Analysis (ARSPA), Formal Aspects of Security and Trust (FAST), Security in
Concurrency (SecCo), and the Workshop on Issues in the Theory of Security (WITS).
A subset of these events met jointly as an event affiliated with ETAPS 2011 under the
name “Theory of Security and Applications” (TOSCA).
There were 45 submissions to POST 2018. Each submission was reviewed by at
least three Program Committee members, who in some cases solicited the help of
outside experts to review the papers. We employed a double-blind reviewing process
with a rebuttal phase. Electronic discussion was used to decide which papers to select
for the program. The committee decided to accept 14 papers, including one SoK paper
and one tool demonstration paper.
We would like to thank the members of the Program Committee, the additional
reviewers, the POST Steering Committee, the ETAPS Steering Committee, and the
local Organizing Committee, who all contributed to the success of POST 2018. We
also thank all authors of submitted papers for their interest in POST and congratulate
the authors of accepted papers.

March 2018
Lujo Bauer
Ralf Küsters

Organization

Program Committee
Lujo Bauer Carnegie Mellon University, USA
Karthikeyan Bhargavan Inria, France
Nataliia Bielova Inria, France
Stephen Chong Harvard University, USA
Veronique Cortier CNRS, Loria, France
Stephanie Delaune IRISA, France
Cormac Flanagan U. C. Santa Cruz, USA
Riccardo Focardi Università Ca’ Foscari, Venezia, Italy
Michael Hicks University of Maryland, USA
Ralf Küsters University of Stuttgart, Germany
Anja Lehmann IBM Research – Zurich, Switzerland
Jay Ligatti University of South Florida, USA
Sergio Maffeis Imperial College London, UK
Heiko Mantel TU Darmstadt, Germany
Catherine Meadows NRL
Frank Piessens Katholieke Universiteit Leuven, Belgium
Tamara Rezk Inria, France
Andrei Sabelfeld Chalmers University of Technology, Sweden
Gregor Snelting Karlsruhe Institute of Technology, Germany
Cynthia Sturton The University of North Carolina at Chapel Hill, USA
Vanessa Teague The University of Melbourne, Australia
Luca Viganò King’s College London, UK

Additional Reviewers

Calzavara, Stefano
De Maria, Elisabetta
Kiesel, Sebastian
Kremer, Steve
Mardziel, Piotr
Ngo, Minh
Ochoa, Martin
Rafnsson, Willard
Vassena, Marco

The Science of Deep Specification
(Abstract of Invited Talk)

Benjamin C. Pierce

University of Pennsylvania

Formal specifications significantly improve the security and robustness of critical,
low-level software and hardware, especially when deeply integrated into the processes
of system engineering and design [4]. Such “deep specifications” can also be
challenging to work with, since they must be simultaneously rich (describing complex
component behaviors in detail), two-sided (connected to both implementations and
clients), and live (connected directly to the source code of implementations via
machine-checkable proofs and/or automated testing).
The DeepSpec project [1] is a multi-institution effort to develop experience with
building and using serious specifications at many architectural levels—hardware
instruction-set architectures (MIT), hypervisor kernels (Yale), C semantics (Princeton,
Yale), compilers for both C (Penn, Princeton, Yale) and functional languages (Penn,
Princeton), cryptographic operations (Princeton, MIT), and web infrastructure (Penn)—
and to create new tools for machine-assisted formal verification [2, 3, 5] and
specification-based testing [6], all within the Coq ecosystem.
To exercise several of these specifications together, we are building a formally
specified, tested, and verified web server. Our goal is a “single Q.E.D.” spanning all
levels of the system—from an executable specification of correct server behavior in
terms of valid sequences of HTTP requests and responses, all the way down to an RTL
description of a RISC-V chip and the binary code for a hypervisor running on that chip.

References
1. deepspec.org
2. Appel, A.W.: Verified software toolchain. In: G. Barthe (ed.) ESOP 2011. LNCS, vol. 6602,
pp. 1–17. Springer, Heidelberg (2011)
3. Choi, J., Vijayaraghavan, M., Sherman, B., Chlipala, A., Arvind: Kami: a platform for
high-level parametric hardware specification and its modular verification. In: Proceedings
of the 22nd ACM SIGPLAN International Conference on Functional Programming, ICFP
2017 (2017). http://adam.chlipala.net/papers/KamiICFP17/
4. Fisher, K., Launchbury, J., Richards, R.: The HACMS program: using formal methods to
eliminate exploitable bugs. Phil. Trans. R. Soc. A 375(2104), 20150401 (2017)
5. Gu, R., Shao, Z., Chen, H., Wu, X.N., Kim, J., Sjöberg, V., Costanzo, D.: CertiKOS: an
extensible architecture for building certified concurrent OS kernels. In: 12th USENIX
Symposium on Operating Systems Design and Implementation, OSDI 2016, pp. 653–669.
USENIX Association, GA (2016)
6. Paraskevopoulou, Z., Hriţcu, C., Dénès, M., Lampropoulos, L., Pierce, B.C.: Foundational
property-based testing. In: International Conference on Interactive Theorem Proving, ITP
2015 (2015)
Contents

Information Flow and Non-interference

What’s the Over/Under? Probabilistic Bounds on Information Leakage
Ian Sweet, José Manuel Calderón Trilla, Chad Scherrer, Michael Hicks,
and Stephen Magill

Secure Information Release in Timed Automata
Panagiotis Vasilikos, Flemming Nielson, and Hanne Riis Nielson

Compositional Non-interference for Concurrent Programs via Separation and Framing
Aleksandr Karbyshev, Kasper Svendsen, Aslan Askarov, and Lars Birkedal

The Meaning of Memory Safety
Arthur Azevedo de Amorim, Cătălin Hriţcu, and Benjamin C. Pierce

Leakage, Information Flow, and Protocols

Formal Verification of Integrity-Preserving Countermeasures Against Cache Storage Side-Channels
Hamed Nemati, Christoph Baumann, Roberto Guanciale, and Mads Dam

Leakage and Protocol Composition in a Game-Theoretic Perspective
Mário S. Alvim, Konstantinos Chatzikokolakis, Yusuke Kawamoto,
and Catuscia Palamidessi

Equivalence Properties by Typing in Cryptographic Branching Protocols
Véronique Cortier, Niklas Grimm, Joseph Lallemand, and Matteo Maffei

Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta, Roberto Carbone, Silvio Ranise, and Luca Viganò

Smart Contracts and Privacy

SoK: Unraveling Bitcoin Smart Contracts
Nicola Atzei, Massimo Bartoletti, Tiziana Cimoli, Stefano Lande,
and Roberto Zunino

A Semantic Framework for the Security Analysis of Ethereum Smart Contracts
Ilya Grishchenko, Matteo Maffei, and Clara Schneidewind

Tool Demonstration: FSolidM for Designing Secure Ethereum Smart Contracts
Anastasia Mavridou and Aron Laszka

UniTraX: Protecting Data Privacy with Discoverable Biases
Reinhard Munz, Fabienne Eigner, Matteo Maffei, Paul Francis,
and Deepak Garg

Firewalls and Attack-Defense Trees

Transcompiling Firewalls
Chiara Bodei, Pierpaolo Degano, Riccardo Focardi, Letterio Galletta,
and Mauro Tempesta

On Quantitative Analysis of Attack–Defense Trees with Repeated Labels
Barbara Kordy and Wojciech Wideł

Author Index


Information Flow and Non-interference

What’s the Over/Under? Probabilistic Bounds on Information Leakage

Ian Sweet¹, José Manuel Calderón Trilla², Chad Scherrer², Michael Hicks¹,
and Stephen Magill²(B)

¹ University of Maryland, College Park, USA
² Galois Inc., Portland, USA
[email protected]

Abstract. Quantitative information flow (QIF) is concerned with measuring
how much of a secret is leaked to an adversary who observes the
result of a computation that uses it. Prior work has shown that QIF
techniques based on abstract interpretation with probabilistic polyhedra
can be used to analyze the worst-case leakage of a query, on-line, to
determine whether that query can be safely answered. While this approach
can provide precise estimates, it does not scale well. This paper
shows how to solve the scalability problem by augmenting the baseline
technique with sampling and symbolic execution. We prove that our approach
never underestimates a query’s leakage (it is sound), and detailed
experimental results show that we can match the precision of the baseline
technique but with orders of magnitude better performance.

1 Introduction

As more sensitive data is created, collected, and analyzed, we face the problem
of how to productively use this data while preserving privacy. One approach to
this problem is to analyze a query f in order to quantify how much information
about secret input s is leaked by the output f(s). More precisely, we can consider
a querier to have some prior belief of the secret’s possible values. The belief can
be modeled as a probability distribution [10], i.e., a function δ from each possible
value of s to its probability. When a querier observes output o = f(s), he revises
his belief, using Bayesian inference, to produce a posterior distribution $\delta'$. If
the posterior could reveal too much about the secret, then the query should be
rejected. One common definition of “too much” is Bayes Vulnerability, which is
the probability of the adversary guessing the secret in one try [41]. Formally,

$$V(\delta) \stackrel{\text{def}}{=} \max_i \delta(i)$$

Various works [6,19,24,25] propose rejecting f if there exists an output that
makes the vulnerability of the posterior exceed a fixed threshold K. In particular,
for all possible values i of s (i.e., δ(i) > 0), if the output o = f(i) could induce
a posterior $\delta'$ with $V(\delta') > K$, then the query is rejected.
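The threshold policy just described can be written out exactly for a small finite secret. The following is an added example, not code from the paper or from TAMBA; the capacity range 0..99, the threshold K = 1/20 and the helper names (`at_least`, `answer_if_safe`, `run_session`) are assumptions chosen for illustration. It also carries each posterior forward as the prior for the next query.

```python
from collections import defaultdict
from fractions import Fraction


def bayes_vulnerability(dist):
    """V(delta) = max_i delta(i) for a normalized distribution {value: prob}."""
    return max(dist.values())


def posteriors(prior, query):
    """Bayesian revision: map every feasible output o to the posterior
    obtained by conditioning the prior on query(secret) == o."""
    by_output = defaultdict(dict)
    for secret, p in prior.items():
        if p > 0:  # only values the querier considers possible
            by_output[query(secret)][secret] = p
    result = {}
    for out, weights in by_output.items():
        mass = sum(weights.values())
        result[out] = {s: p / mass for s, p in weights.items()}
    return result


def worst_case_vulnerability(prior, query):
    """Largest posterior vulnerability over all feasible outputs."""
    return max(bayes_vulnerability(d) for d in posteriors(prior, query).values())


def answer_if_safe(prior, query, secret, K):
    """Return (answered, output, new_belief).

    The decision inspects every feasible output rather than the real one,
    so a rejection does not depend on the actual secret value.
    """
    posts = posteriors(prior, query)
    if any(bayes_vulnerability(d) > K for d in posts.values()):
        return False, None, prior  # rejected: belief is unchanged
    out = query(secret)
    return True, out, posts[out]   # answered: posterior becomes the next prior


def at_least(n):
    """Hypothetical capacity query in the style of the AtLeast query."""
    return lambda capacity: capacity >= n


def run_session(secret, thresholds, K):
    """Constructed scenario: capacity uniformly distributed over 0..99."""
    belief = {c: Fraction(1, 100) for c in range(100)}
    log = []
    for n in thresholds:
        answered, out, belief = answer_if_safe(belief, at_least(n), secret, K)
        log.append((n, answered, out))
    return log


if __name__ == "__main__":
    for entry in run_session(73, [50, 75, 63], Fraction(1, 20)):
        print(entry)
```

The third query is refused because, after the first two answers, a "true" result would leave only 12 candidate values, giving a vulnerability of 1/12 > 1/20.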

© The Author(s) 2018
L. Bauer and R. Küsters (Eds.): POST 2018, LNCS 10804, pp. 3–27, 2018.
https://doi.org/10.1007/978-3-319-89722-6_1

One way to implement this approach is to estimate f(δ)—the distribution
of f’s outputs when the inputs are distributed according to δ—by viewing f as
a program in a probabilistic programming language (PPL) [18]. Unfortunately,
as discussed in Sect. 9, most PPLs are approximate in a manner that could
easily result in underestimating the vulnerability, leading to an unsafe security
decision. Techniques designed specifically to quantify information leakage often
assume only uniform priors, cannot compute vulnerability (favoring, for example,
Shannon entropy), and/or cannot maintain assumed knowledge between queries.
Mardziel et al. [25] propose a sound analysis technique based on abstract
interpretation [12]. In particular, they estimate a program’s probability
distribution using an abstract domain called a probabilistic polyhedron (PP), which
pairs a standard numeric abstract domain, such as convex polyhedra [13], with
some additional ornaments, which include lower and upper bounds on the size of
the support of the distribution, and bounds on the probability of each possible
secret value. Using PP can yield a precise, yet safe, estimate of the
vulnerability, and allows the posterior PP (which is not necessarily uniform) to be
used as a prior for the next query. Unfortunately, PPs can be very inefficient.
Defining intervals [11] as the PP’s numeric domain can dramatically improve
performance, but only with an unacceptable loss of precision.
In this paper we present a new approach that ensures a better balance of both
precision and performance in vulnerability computation, augmenting PP with
two new techniques. In both cases we begin by analyzing a query using the fast
interval-based analysis. Our first technique is then to use sampling to augment
the result. In particular, we execute the query using possible secret values i
sampled from the posterior $\delta'$ derived from a particular output $o_i$. If the analysis
were perfectly accurate, executing f(i) would produce $o_i$. But since intervals are
overapproximate, sometimes it will not. With many sampled outcomes, we can
construct a Beta distribution to estimate the size of the support of the posterior,
up to some level of confidence. We can use this estimate to boost the lower bound
of the abstraction, and thus improve the precision of the estimated vulnerability.
Our second technique is of a similar flavor, but uses symbolic reasoning to
magnify the impact of a successful sample. In particular, we execute a query
result-consistent sample concolically [39], thus maintaining a symbolic formula
(called the path condition) that characterizes the set of variable valuations that
would cause execution to follow the observed path. We then count the number
of possible solutions and use the count to boost the lower bound of the support
(with 100% confidence).
Sampling and concolic execution can be combined for even greater precision.
We have formalized and proved our techniques are sound (Sects. 3–6) and
implemented and evaluated them (Sects. 7 and 8). Using a privacy-sensitive ship
planning scenario (Sect. 2) we find that our techniques provide similar precision
to convex polyhedra while providing orders-of-magnitude better performance.
More experiments are needed to see if the approach provides such benefits more
generally. Our implementation is freely available at
https://github.com/GaloisInc/TAMBA.
Fig. 1. The data model used in the evacuation scenario.

2 Overview
To provide an overview of our approach, we will describe the application of our
techniques to a scenario that involves a coalition of ships from various nations
operating in a shared region. Suppose a natural disaster has impacted some
islands in the region. Some number of individuals need to be evacuated from
the islands, and it falls to a regional disaster response coordinator to determine
how to accomplish this. While the coalition wants to collaborate to achieve
these humanitarian aims, we assume that each nation also wants to protect
their sensitive data—namely ship locations and capacity.
More formally, we assume the use of the data model shown in Fig. 1, which
considers a set of ships, their coalition affiliation, the evacuation capacity of the
ship, and its position, given in terms of latitude and longitude.¹ We sometimes
refer to the latter two as a location L, with L.x as the longitude and L.y as the
latitude. We will often index properties by ship ID, writing Capacity(z) for the
capacity associated with ship ID z, or Location(z) for the location.
The evacuation problem is defined as follows:

Given a target location L and number of people to evacuate N, compute
a set of nearby ships S such that $\sum_{z \in S} \mathit{Capacity}(z) \geq N$.

Our goal is to solve this problem in a way that minimizes the vulnerability to
the coordinator of private information, i.e., the ship locations and their exact
capacity. We assume that this coordinator initially has no knowledge of the
positions or capabilities of the ships other than that they fall within certain
expected ranges.
If all members of the coalition share all of their data with the coordinator,
then a solution is easy to compute, but it affords no privacy. Figure 2 gives
an algorithm the response coordinator can follow that does not require each
member to share all of their data. Instead, it iteratively performs queries AtLeast
and Nearby. These queries do not reveal precise values about ship locations
or capacity, but rather admit ranges of possibilities. The algorithm works by
maintaining upper and lower bounds on the capacity of each ship i in the array
berths. Each ship’s bounds are updated based on the results of queries about its
capacity and location. These queries aim to be privacy preserving, doing a sort of
binary search to narrow in on the capacity of each ship in the operating area. The
procedure completes once is_solution determines the minimum required capacity
is reached.

¹ We give latitude and longitude values as integer representations of decimal degrees
fixed to four decimal places; e.g., 14.3579 decimal degrees is encoded as 143579.

Fig. 2. Algorithm to solve the evacuation problem for a single island.

2.1 Computing Vulnerability with Abstract Interpretation


Using this procedure, what is revealed about the private variables (location and
capacity)? Consider a single Nearby(z, l, d) query. At the start, the coordinator
is assumed to know only that z is somewhere within the operating region. If
the query returns true, the coordinator now knows that s is within d units of
l (using Manhattan distance). This makes Location(z) more vulnerable because
the adversary has less uncertainty about it.
Mardziel et al. [25] proposed a static analysis for analyzing queries such as
Nearby(z, l, d) to estimate the worst-case vulnerability of private data. If the
worst-case vulnerability is too great, the query can be rejected. A key element
of their approach is to perform abstract interpretation over the query using an
abstract domain called a probabilistic polyhedron. An element P of this domain
represents the set of possible distributions over the query’s state. This state
includes both the hidden secrets and the visible query results. The abstract
interpretation is sound in the sense that the true distribution δ is contained in
the set of distributions represented by the computed probabilistic polyhedron P .
A probabilistic polyhedron P is a tuple comprising a shape and three
ornaments. The shape C is an element of a standard numeric domain—e.g.,
intervals [11], octagons [29], or convex polyhedra [13]—which overapproximates the
set of possible values in the support of the distribution. The ornaments p ∈ [0, 1],
m ∈ R, and s ∈ Z are pairs which store upper and lower bounds on the
probability per point, the total mass, and number of support points in the distribution,
respectively. (Distributions represented by P are not necessarily normalized, so
the mass m is not always 1.)
Figure 3(a) gives an example probabilistic polyhedron that represents the
posterior of a Nearby query that returns true. In particular, if Nearby(z, $L_1$, D)
is true then Location(z) is somewhere within the depicted diamond around $L_1$.
Using convex polyhedra or octagons for the shape domain would permit
representing this diamond exactly; using intervals would overapproximate it as the
depicted 9 × 9 bounding box. The ornaments would be the same in any case: the
size s of the support is 41 possible (x,y) points, the probability p per point is
0.01, and the total mass is 0.41, i.e., p · s. In general, each ornament is a pair of
a lower and upper bound (e.g., $s_{\min}$ and $s_{\max}$), and m might be a more accurate
estimate than p · s. In the case shown in the figure, the bounds are tight.
Mardziel et al.’s procedure works by computing the posterior P for each
possible query output o, and from that posterior determining the vulnerability.
This is easy to do. The upper bound $p_{\max}$ of p maximizes the probability of
any given point. Dividing this by the lower bound $m_{\min}$ of the probability mass
m normalizes this probability for the worst case. For P shown in Fig. 3(a), the
bounds of p and m are tight, so the vulnerability is simply 0.01/0.41 = 0.024.

2.2 Improving Precision with Sampling and Concolic Execution

In Fig. 3(a), the parameters s, p, and m are precise. However, as additional oper-
ations are performed, these quantities can accumulate imprecision. For example,
suppose we are using intervals for the shape domain, and we wish to analyze the
query Nearby(z, L1 , 4) ∨ Nearby(z, L2 , 4) (for some nearby point L2 ). The result
is produced by analyzing the two queries separately and then combining them
with an abstract join; this is shown in the top row of Fig. 3(b). Unfortunately,
the result is very imprecise. The bottom row of Fig. 3(b) illustrates the result we
would get by using convex polyhedra as our shape domain. When using intervals
(top row), the vulnerability is estimated as 0.036, whereas the precise answer
(bottom row) is actually 0.026. Unfortunately, obtaining this precise answer is
far more expensive than obtaining the imprecise one.
This paper presents two techniques that can allow us to use the less pre-
cise interval domain but then recover lost precision in a relatively cheap post-
processing step. The effect of our techniques is shown in the middle-right of
Fig. 3(b). Both techniques aim to obtain better lower bounds for s. This allows
us to update lower bounds on the probability mass m since $m^{\min}$ is at least
$s^{\min} \cdot p^{\min}$ (each point has at least probability $p^{\min}$ and there are at least
$s^{\min}$ of them). A larger m means a smaller vulnerability.
The first technique we explore is sampling, depicted to the right of the arrow
in Fig. 3(b). Sampling chooses random points and evaluates the query on them
to determine whether they are in the support of the posterior distribution for a
particular query result. By tracking the ratio of points that produce the expected
output, we can produce an estimate of s, whose confidence increases as we include
more samples. This approach is depicted in the figure, where we conclude that
s ∈ [72, 81] and m ∈ [0.72, 1.62] with 90% confidence after taking 1000 samples,
improving our vulnerability estimate to V ≤ 0.02/0.72 = 0.028.

Fig. 3. Computing vulnerability (max probability) using abstract interpretation

Fig. 4. Core language syntax

The second technique we explore is the use of concolic execution to derive
a path condition, which is a formula over secret values that is consistent with a
query result. By performing model counting to estimate the number of solutions
to this formula, which are an underapproximation of the true size of the distri-
bution, we can safely boost the lower bound of s. This approach is depicted to
the left of the arrow in Fig. 3(b). The depicted shapes represent the discovered
path condition’s disjuncts, whose sizes sum to 63. This is a better lower bound
on s and improves the vulnerability estimate to 0.032.
These techniques can be used together to further increase precision. In partic-
ular, we can first perform concolic execution, and then sample from the area not
covered by this underapproximation. Importantly, Sect. 8 shows that using our
techniques with the interval-based analysis yields an orders of magnitude perfor-
mance improvement over using polyhedra-based analysis alone, while achieving
similar levels of precision, with high confidence.

3 Preliminaries: Syntax and Semantics


This section presents the core language—syntax and semantics—in which we
formalize our approach to computing vulnerability. We also review probabilistic
polyhedra [25], which is the baseline analysis technique that we augment.

3.1 Core Language and Semantics


The programming language we use for queries is given in Fig. 4. The language
is essentially standard, apart from pif q then S1 else S2 , which implements prob-
abilistic choice: S1 is executed with probability q, and S2 with probability 1 − q.
We limit the form of expressions E so that they can be approximated by stan-
dard numeric abstract domains such as convex polyhedra [13]. Such domains
require linear forms; e.g., there is no division operator and multiplication of two
variables is disallowed.2

2 Relaxing such limitations is possible—e.g., polynomial inequalities can be
approximated using convex polyhedra [5]—but doing so precisely and scalably is
a challenge.

We define the semantics of a program in terms of its effect on (discrete)
distributions of states. States σ are partial maps from variables to integers; we
write domain(σ) for the set of variables over which σ is defined. Distributions δ
are maps from states to nonnegative real numbers, interpreted as probabilities
(in range [0, 1]). The denotational semantics considers a program as a relation
between distributions. In particular, the semantics of statement S , written [[S ]],
is a function of the form Dist → Dist; we write [[S ]]δ = δ′ to say that the
semantics of S maps input distribution δ to output distribution δ′. Distributions
are not necessarily normalized; we write ‖δ‖ for the probability mass of δ (which
is between 0 and 1). We write σ̇ to denote the point distribution that gives σ
probability 1, and all other states 0.
The semantics is standard and not crucial in order to understand our tech-
niques. In Appendix B we provide the semantics in full. See Clarkson et al. [10]
or Mardziel et al. [25] for detailed explanations.

3.2 Probabilistic Polyhedra

To compute vulnerability for a program S we must compute (an approximation
of) its output distribution. One way to do that would be to use sampling: Choose
states σ at random from the input distribution δ, “run” the program using that
input state, and collect the frequencies of output states σ′ into a distribution δ′.
While using sampling in this manner is simple and appealing, it could be both
expensive and imprecise. In particular, depending on the size of the input and
output space, it may take many samples to arrive at a proper approximation of
the output distribution.
Probabilistic polyhedra [25] can address both problems. This abstract domain
combines a standard domain C for representing numeric program states with
additional ornaments that all together can safely represent S ’s output distribu-
tion.
Probabilistic polyhedra work for any numeric domain; in this paper we use
both convex polyhedra [13] and intervals [11]. For concreteness, we present the
definition using convex polyhedra. We use the meta-variables β, β1 , β2 , etc. to
denote linear inequalities.

Definition 1. A convex polyhedron C = (B, V ) is a set of linear inequalities
B = {β1 , . . . , βm }, interpreted conjunctively, over variables V . We write ℂ for
the set of all convex polyhedra. A polyhedron C represents a set of states, denoted
$\gamma_{\mathbb{C}}(C)$, as follows, where σ |= β indicates that the state σ satisfies the
inequality β.

$$\gamma_{\mathbb{C}}((B, V)) \stackrel{\mathrm{def}}{=} \{\sigma : \mathrm{domain}(\sigma) = V,\ \forall \beta \in B.\ \sigma \models \beta\}$$

Naturally we require that domain({β1 , . . . , βn }) ⊆ V ; i.e., V mentions all
variables in the inequalities. Let domain((B, V )) = V .

Probabilistic polyhedra extend this standard representation of sets of program
states to sets of distributions over program states.

Definition 2. A probabilistic polyhedron P is a tuple
$(C, s^{\min}, s^{\max}, p^{\min}, p^{\max}, m^{\min}, m^{\max})$. We write ℙ for the set of
probabilistic polyhedra. The quantities $s^{\min}$ and $s^{\max}$ are lower and upper
bounds on the number of support points in the concrete distribution(s) P
represents. A support point of a distribution is one which has non-zero
probability. The quantities $p^{\min}$ and $p^{\max}$ are lower and upper bounds on the
probability mass per support point. The $m^{\min}$ and $m^{\max}$ components give bounds
on the total probability mass (i.e., the sum of the probabilities of all support
points). Thus P represents the set of distributions $\gamma_{\mathbb{P}}(P)$ defined below.

$$\gamma_{\mathbb{P}}(P) \stackrel{\mathrm{def}}{=} \{\delta : \mathrm{support}(\delta) \subseteq \gamma_{\mathbb{C}}(C)\ \wedge\ s^{\min} \le |\mathrm{support}(\delta)| \le s^{\max}\ \wedge\ m^{\min} \le \|\delta\| \le m^{\max}\ \wedge\ \forall \sigma \in \mathrm{support}(\delta).\ p^{\min} \le \delta(\sigma) \le p^{\max}\}$$

We will write $\mathrm{domain}(P) \stackrel{\mathrm{def}}{=} \mathrm{domain}(C)$ to denote the set of variables
used in the probabilistic polyhedron.
Note the set $\gamma_{\mathbb{P}}(P)$ is a singleton exactly when $s^{\min} = s^{\max} = \#(C)$ and
$p^{\min} = p^{\max}$, and $m^{\min} = m^{\max}$, where #(C) denotes the number of discrete
points in convex polyhedron C. In such a case $\gamma_{\mathbb{P}}(P)$ contains only the uniform
distribution where each state in $\gamma_{\mathbb{C}}(C)$ has probability $p^{\min}$. In general,
however, the concretization of a probabilistic polyhedron will have an infinite
number of distributions, with per-point probabilities varied somewhere in the
range between $p^{\min}$ and $p^{\max}$. Distributions represented by a probabilistic
polyhedron are not necessarily normalized. In general, there is a relationship
between $p^{\min}$, $s^{\min}$, and $m^{\min}$, in that $m^{\min} \ge p^{\min} \cdot s^{\min}$ (and
$m^{\max} \le p^{\max} \cdot s^{\max}$), and the combination of the three can yield more
information than any two in isolation.
The abstract semantics of S is written ⟨⟨S⟩⟩ P = P′, and indicates that
abstractly interpreting S where the distribution of input states is approximated
by P will produce P′, which approximates the distribution of output states.
Following standard abstract interpretation terminology, ℘Dist (sets of
distributions) is the concrete domain, ℙ is the abstract domain, and
$\gamma_{\mathbb{P}} : \mathbb{P} \to \wp\mathrm{Dist}$ is the concretization function for ℙ. We do not present
the abstract semantics here; details can be found in Mardziel et al. [25].
Importantly, this abstract semantics is sound:

Theorem 1 (Soundness). For all S , P1 , P2 , δ1 , δ2 , if $\delta_1 \in \gamma_{\mathbb{P}}(P_1)$ and
⟨⟨S⟩⟩ P1 = P2 , then [[S ]]δ1 = δ2 with $\delta_2 \in \gamma_{\mathbb{P}}(P_2)$.

Proof. See Theorem 6 in Mardziel et al. [25].

Consider the example from Sect. 2.2. We assume the adversary has no prior
information about the location of ship s. So, δ1 above is simply the uniform
distribution over all possible locations. The statement S is the query issued by
the adversary, Nearby(z, L1 , 4) ∨ Nearby(z, L2 , 4).3 If we assume that the result
of the query is true then the adversary learns that the location of s is within
(Manhattan) distance 4 of L1 or L2 . This posterior belief (δ2 ) is represented by
the overlapping diamonds on the bottom-right of Fig. 3(b). The abstract
interpretation produces a sound (interval) overapproximation (P2 ) of the
posterior belief. This is modeled by the rectangle which surrounds the
overlapping diamonds. This rectangle is the “join” of two overlapping boxes,
which each correspond to one of the Nearby calls in the disjuncts of S .

3 Appendix A shows the code, which computes Manhattan distance between s and L1
and L2 and then sets an output variable if either distance is within four units.

4 Computing Vulnerability: Basic Procedure


The key goal of this paper is to quantify the risk to secret information of running
a query over that information. This section explains the basic approach by which
we can use probabilistic polyhedra to compute vulnerability, i.e., the probability
of the most probable point of the posterior distribution. Improvements on this
basic approach are given in the next two sections.
Our convention will be to use $C_1$, $s_1^{\min}$, $s_1^{\max}$, etc. for the components
associated with probabilistic polyhedron P1 . In the program S of interest, we assume
that secret variables are in the set T , so input states are written σT , and we
assume there is a single output variable r. We assume that the adversary’s ini-
tial uncertainty about the possible values of the secrets T is captured by the
probabilistic polyhedron P0 (such that domain(P0 ) ⊇ T ).
Computing vulnerability occurs according to the following procedure.
1. Perform abstract interpretation: ⟨⟨S⟩⟩ P0 = P
2. Given a concrete output value of interest, o, perform abstract conditioning
to define $P_{r=o} \stackrel{\mathrm{def}}{=} (P \wedge r = o)$.4

The vulnerability V is the probability of the most likely state(s). When a
probabilistic polyhedron represents one or more true distributions (i.e., the
probabilities all sum to 1), the most probable state’s probability is bounded by
$p^{\max}$. However, the abstract semantics does not always normalize the
probabilistic polyhedron as it computes, so we need to scale $p^{\max}$ according to
the total probability mass. To ensure that our estimate is on the safe side, we
scale $p^{\max}$ using the minimum probability mass: $V = p^{\max} / m^{\min}$. In Fig. 3(b),
the sound approximation in the top-right has V ≤ 0.02/0.55 = 0.036 and the most
precise approximation in the bottom-right has V ≤ 0.02/0.77 = 0.026.

5 Improving Precision with Sampling


We can improve the precision of the basic procedure using sampling. First we
introduce some notational convenience:

$$P_T \stackrel{\mathrm{def}}{=} P \wedge (r = o) \upharpoonright T$$
$$P_{T+} \stackrel{\mathrm{def}}{=} P_T \text{ revised polyhedron with confidence } \omega$$

4 We write P ∧ B and not P | B because P need not be normalized.

PT is equivalent to step 2, above, but projected onto the set of secret variables
T . PT + is the improved (via sampling) polyhedron.
After computing PT with the basic procedure from the previous section we
take the following additional steps:
1. Set counters α and β to zero.
2. Do the following N times (for some N , see below):
(a) Randomly select an input state σT ∈ γC (CT ).
(b) “Run” the program by computing [[S ]]σ̇T = δ. If there exists σ ∈
support(δ) with σ(r) = o then increment α, else increment β.
3. We can interpret α and β as the parameters of a Beta distribution of the
likelihood that an arbitrary state in γC (CT ) is in the support of the true
distribution. From these parameters we can compute the credible interval
[pL , pU ] within which is contained the true likelihood, with confidence ω
(where 0 ≤ ω ≤ 1). A credible interval is essentially a Bayesian analogue
of a confidence interval and can be computed from the cumulative distri-
bution function (CDF) of the Beta distribution (the 99% credible interval
is the interval [a, b] such that the CDF at a has value 0.005 and the CDF
at b has value 0.995). In general, obtaining a higher confidence or a narrower
interval will require a higher N . Let the result be $P_{T+} = P_T$ except that
$s^{\min}_{T+} = p_L \cdot \#(C_T)$ and $s^{\max}_{T+} = p_U \cdot \#(C_T)$ (assuming these improve on
$s^{\min}_T$ and $s^{\max}_T$). We can then propagate these improvements to $m^{\min}$ and
$m^{\max}$ by defining $m^{\min}_{T+} = p^{\min}_T \cdot s^{\min}_{T+}$ and $m^{\max}_{T+} = p^{\max}_T \cdot s^{\max}_{T+}$.
Note that if $m^{\min}_T > m^{\min}_{T+}$ we leave it unchanged, and do likewise if
$m^{\max}_T < m^{\max}_{T+}$.

At this point we can compute the vulnerability as in the basic procedure, but
using PT + instead of PT .
Consider the example of Sect. 2.2. In Fig. 3(b), we draw samples from the
rectangle in the top-right. This rectangle overapproximates the set of locations
where s might be, given that the query returned true . We sample locations
from this rectangle and run the query on each sample. The green (red) dots
indicate true ( false ) results, which are added to α (β). After sampling N = 1000
locations, we have α = 570 and β = 430. Choosing ω = .9 (90%), we compute
the credible interval [0.53, 0.60]. With #(CT ) = 135, we compute
$[s^{\min}_{T+}, s^{\max}_{T+}]$ as [0.53 · 135, 0.60 · 135] = [72, 81].
There are several things to notice about this procedure. First, observe that in
step 2b we “run” the program using the point distribution σ̇ as an input; in the
case that S is deterministic (has no pif statements) the output distribution will
also be a point distribution. However, for programs with pif statements there
are multiple possible outputs depending on which branch is taken by a pif. We
consider all of these outputs so that we can confidently determine whether the
input state σ could ever cause S to produce result o. If so, then σ should be
considered part of PT + . If not, then we can safely rule it out (i.e., it is part of
the overapproximation).
Second, we only update the size parameters of PT + ; we make no changes to
$p^{\min}_{T+}$ and $p^{\max}_{T+}$. This is because our sampling procedure only determines
whether it is possible for an input state to produce the expected output. The
probability that an input state produces an output state is already captured
(soundly) by $p_T$ so we do not change that. This is useful because the
approximation of $p_T$ does
not degrade with the use of the interval domain in the way the approximation
of the size degrades (as illustrated in Fig. 3(b)). Using sampling is an attempt
to regain the precision lost on the size component (only).
Finally, the confidence we have that sampling has accurately assessed which
input states are in the support is orthogonal to the probability of any given state.
In particular, PT is an abstraction of a distribution δT , which is a mathematical
object. Confidence ω is a measure of how likely it is that our abstraction (or, at
least, the size part of it) is accurate.
We prove (in our extended report [43]) that our sampling procedure is sound:

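Theorem 2 (Sampling is Sound). If $\delta_0 \in \gamma_{\mathbb{P}}(P_0)$, ⟨⟨S⟩⟩ P0 = P , and
[[S ]]δ0 = δ then $\delta_T \in \gamma_{\mathbb{P}}(P_{T+})$ with confidence ω where

$$\delta_T \stackrel{\mathrm{def}}{=} \delta \wedge (r = o) \upharpoonright T$$
$$P_T \stackrel{\mathrm{def}}{=} P \wedge (r = o) \upharpoonright T$$
$$P_{T+} \stackrel{\mathrm{def}}{=} P_T \text{ sampling revised with confidence } \omega.$$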

6 Improving Precision with Concolic Execution


Another approach to improving the precision of a probabilistic polyhedron P is
to use concolic execution. The idea here is to “magnify” the impact of a single
sample to soundly increase smin by considering its execution symbolically. More
precisely, we concretely execute a program using a particular secret value, but
maintain symbolic constraints about how that value is used. This is referred to
as concolic execution [39]. We use the collected constraints to identify all points
that would induce the same execution path, which we can include as part of smin .
We begin by defining the semantics of concolic execution, and then show how
it can be used to increase smin soundly.

6.1 (Probabilistic) Concolic Execution

Concolic execution is expressed as rewrite rules defining a judgment
$\Pi, S \longrightarrow^{p}_{\pi} \Pi', S'$. Here, Π is a pair consisting of a concrete state σ
and symbolic state ζ.
The latter maps variables x ∈ Var to symbolic expressions E which extend
expressions E with symbolic variables α. This judgment indicates that under
input state Π the statement S reduces to statement S′ and output state Π′
with probability p, with path condition π. The path condition is a conjunction
of boolean symbolic expressions B (which are just boolean expressions B but
altered to use symbolic expressions E instead of expressions E) that record which
branch is taken during execution. For brevity, we omit π in a rule when it is true.
The rules for the concolic semantics are given in Fig. 5. Most of these are
standard, and deterministic (the probability annotation p is 1). Path conditions
are recorded for if and while, depending on the branch taken. The semantics of
pif q then S1 else S2 is non-deterministic: the result is that of S1 with probability
q, and S2 with probability 1 − q. We write ζ(B) to substitute free variables
x ∈ B with their mapped-to values ζ(x) and then simplify the result as much
as possible. For example, if ζ(x) = α and ζ(y) = 2, then ζ(x > y + 3) = α > 5.
The same goes for ζ(E).

Fig. 5. Concolic semantics

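We define a complete run of the concolic semantics with the judgment
$\Pi, S \Downarrow^{p}_{\pi} \Pi'$, which has two rules:

$$\Pi, \mathsf{skip} \Downarrow^{1}_{\mathit{true}} \Pi
\qquad
\frac{\Pi, S \longrightarrow^{p}_{\pi} \Pi', S' \qquad \Pi', S' \Downarrow^{q}_{\pi'} \Pi''}{\Pi, S \Downarrow^{p \cdot q}_{\pi \wedge \pi'} \Pi''}$$
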
A complete run’s probability is thus the product of the probability of each indi-
vidual step taken. The run’s path condition is the conjunction of the conditions
of each step.
The path condition π for a complete run is a conjunction of the (symbolic)
boolean guards evaluated during an execution. π can be converted to disjunctive
normal form (DNF), and given the restrictions of the language the result is
essentially a set of convex polyhedra over symbolic variables α.

6.2 Improving Precision

Using concolic execution, we can improve our estimate of the size of a proba-
bilistic polyhedron as follows:

1. Randomly select an input state σT ∈ γC (CT ) (recall that CT is the polyhedron
describing the possible valuations of secrets T ).
2. Set Π = (σT , ζT ) where ζT maps each variable x ∈ T to a fresh symbolic
variable αx . Perform a complete concolic run $\Pi, S \Downarrow^{p}_{\pi} (\sigma', \zeta')$. Make sure
that σ′(r) = o, i.e., the expected output. If not, select a new σT and retry.
Give up after some number of failures N . For our example shown in Fig. 3(b),
we might obtain a path condition |Loc(z).x − L1 .x| + |Loc(z).y − L1 .y| ≤ 4
that captures the left diamond of the disjunctive query.
3. After a successful concolic run, convert path condition π to DNF, where each
conjunctive clause is a polyhedron Ci . Also convert uses of disequality (≤ and
≥) to be strict (< and >).
4. Let $C = C_T \sqcap (\bigsqcup_i C_i)$; that is, it is the join of each of the polyhedra in
DNF(π) “intersected” with the original constraints. This captures all of the
points that could possibly lead to the observed outcome along the concolically
executed path. Compute n = #(C). Let $P_{T+} = P_T$ except define $s^{\min}_{T+} = n$ if
$s^{\min}_T < n$ and $m^{\min}_{T+} = p^{\min}_T \cdot n$ if $m^{\min}_T < p^{\min}_T \cdot n$. (Leave them as is,
otherwise.) For our example, n = 41, the size of the left diamond. We do not
update $s^{\min}_T$ since 41 < 55, the probabilistic polyhedron’s lower bound (but see
below).

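Theorem 3 (Concolic Execution is Sound). If $\delta_0 \in \gamma_{\mathbb{P}}(P_0)$, ⟨⟨S⟩⟩ P0 = P ,
and [[S ]]δ0 = δ then $\delta_T \in \gamma_{\mathbb{P}}(P_{T+})$ where

$$\delta_T \stackrel{\mathrm{def}}{=} \delta \wedge (r = o) \upharpoonright T$$
$$P_T \stackrel{\mathrm{def}}{=} P \wedge (r = o) \upharpoonright T$$
$$P_{T+} \stackrel{\mathrm{def}}{=} P_T \text{ concolically revised.}$$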

The proof is in the extended technical report [43].
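
As an added illustration of Sects. 6.1 and 6.2 (not code from the paper or its TAMBA implementation), the following Python example records the path condition of one concrete run of the disjunctive Nearby query, counts its solutions, and applies the update of step 4. The grid coordinates, the Sym tracer, the branch-based absolute value and the brute-force count (standing in for LattE) are assumptions made for the example.

```python
import random

PATH = []  # constraints recorded during the current run; each means expr <= 0

class Sym:
    """Integer with a concrete value and a linear symbolic form over the
    secrets: sum(coeffs[v] * v) + const."""
    def __init__(self, value, coeffs, const):
        self.value, self.coeffs, self.const = value, coeffs, const

    def __add__(self, other):
        return combine(self, lift(other), 1)

    def __sub__(self, other):
        return combine(self, lift(other), -1)

    def __neg__(self):
        return combine(lift(0), self, -1)

    def __le__(self, other):
        d = self - other                           # self <= other  <=>  d <= 0
        taken = d.value <= 0
        PATH.append(d if taken else lift(1) - d)   # other branch: d >= 1
        return taken

    def __ge__(self, other):
        return lift(other) <= self

def lift(k):
    return k if isinstance(k, Sym) else Sym(k, {}, k)

def combine(a, b, sign):
    names = set(a.coeffs) | set(b.coeffs)
    coeffs = {v: a.coeffs.get(v, 0) + sign * b.coeffs.get(v, 0) for v in names}
    return Sym(a.value + sign * b.value, coeffs, a.const + sign * b.const)

# Constructed geometry: two diamonds of radius 4 inside a 15 x 9 interval box.
L1, L2, RADIUS = (4, 4), (10, 4), 4
BOX = ((0, 14), (0, 8))

def absdiff(a, b):
    d = a - b
    return d if d >= 0 else -d      # a branch, since expressions stay linear

def nearby(x, y, centre):
    return absdiff(x, centre[0]) + absdiff(y, centre[1]) <= RADIUS

def query(x, y):                    # works on plain ints and on Sym values
    return nearby(x, y, L1) or nearby(x, y, L2)

def concolic_run(x0, y0):
    """Run the query on a concrete secret and return (output, path condition)."""
    PATH.clear()
    out = query(Sym(x0, {"x": 1}, 0), Sym(y0, {"y": 1}, 0))
    return out, list(PATH)

def satisfies(path, x, y):
    return all(c.coeffs.get("x", 0) * x + c.coeffs.get("y", 0) * y + c.const <= 0
               for c in path)

def points():
    (x0, x1), (y0, y1) = BOX
    return [(x, y) for x in range(x0, x1 + 1) for y in range(y0, y1 + 1)]

def count_models(path):
    """n = #(C): points of the box that follow the same execution path."""
    return sum(satisfies(path, x, y) for x, y in points())

def improve_lower_bound(pp, rng, output=True, max_failures=50):
    """Steps 1-4: retry until a run yields `output`, then raise s_min and m_min."""
    for _ in range(max_failures):
        out, path = concolic_run(rng.randint(*BOX[0]), rng.randint(*BOX[1]))
        if out == output:
            n = count_models(path)
            new = dict(pp)
            new["s_min"] = max(pp["s_min"], n)
            new["m_min"] = max(pp["m_min"], pp["p_min"] * n)
            return new, path, n
    return dict(pp), None, 0

if __name__ == "__main__":
    out, path = concolic_run(5, 5)
    print(out, count_models(path))
```

A single run that computes absolute values with branches covers only the inputs taking the same branches (15 points for the secret (5, 5)), so here, as in the example above, the count does not exceed the existing lower bound of 55.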

6.3 Combining Sampling with Concolic Execution

Sampling can be used to further augment the results of concolic execution. The
key insight is that the presence of a sound under-approximation generated by
the concolic execution means that it is unnecessary to sample from the under-
approximating region. Here is the algorithm:

1. Let $C = C_0 \sqcap (\bigsqcup_i C_i)$ be the under-approximating region.
2. Perform sampling per the algorithm in Sect. 5, but with two changes:
– If a sampled state σT ∈ γC (C), ignore it.
– When done sampling, compute $s^{\min}_{T+} = p_L \cdot (\#(C_T) - \#(C)) + \#(C)$ and
$s^{\max}_{T+} = p_U \cdot (\#(C_T) - \#(C)) + \#(C)$. This differs from Sect. 5 in not
including the count from concolic region C in the computation. This is because,
since we ignored samples σT ∈ γC (C), the credible interval [pL , pU ] bounds
the likelihood that any given point in CT \ C is in the support of the true
distribution.

For our example, concolic execution indicated there are at least 41 points that
satisfy the query. With this in hand, and using the same samples as shown in
Sect. 5, we can refine s ∈ [74, 80] and m ∈ [0.74, 0.160] (the credible interval is
formed over only those samples which satisfy the query but fall outside the
under-approximation returned by concolic execution). We improve the vulnerability
estimate to V ≤ 0.02/0.74 = 0.027. These bounds (and vulnerability estimate) are
better than those of sampling alone (s ∈ [72, 81] with V ≤ 0.028).
The statement of soundness and its proof can be found in the extended
technical report [43].
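
An added example (not from the paper or its implementation) of the revision steps of Sect. 5 and of the combined rule of Sect. 6.3, in Python. The grid geometry, uniform sampling in place of Gibbs sampling, the numerically integrated Beta interval, outward rounding of the bounds, and the values of s_max and m_max are assumptions.

```python
import math
import random

def beta_credible_interval(alpha, beta, omega, grid=20000):
    """Equal-tailed interval [pL, pU] holding mass omega of Beta(alpha, beta).

    The CDF is integrated numerically (midpoint rule), so no SciPy is needed.
    """
    if alpha < 1 or beta < 1 or not 0 < omega < 1:
        raise ValueError("need alpha, beta >= 1 and 0 < omega < 1")
    xs = [(i + 0.5) / grid for i in range(grid)]
    logs = [(alpha - 1) * math.log(x) + (beta - 1) * math.log(1 - x) for x in xs]
    peak = max(logs)
    dens = [math.exp(v - peak) for v in logs]     # unnormalised density
    total = sum(dens)
    lo_q, hi_q = (1 - omega) / 2, (1 + omega) / 2
    acc, p_lo = 0.0, None
    for x, d in zip(xs, dens):
        acc += d / total
        if p_lo is None and acc >= lo_q:
            p_lo = x
        if acc >= hi_q:
            return p_lo, x
    return p_lo, 1.0

def vulnerability(pp):
    """V = p_max / m_min, the basic procedure's worst-case bound."""
    return pp["p_max"] / pp["m_min"]

def revise(pp, box_count, alpha, beta, omega, under_count=0):
    """Tighten s and m from sampling counts (Sect. 5). With under_count = #(C)
    of a sound under-approximation whose points were skipped while sampling,
    this is the combined rule of Sect. 6.3."""
    p_lo, p_hi = beta_credible_interval(alpha, beta, omega)
    rest = box_count - under_count
    # Assumption: round outwards (floor/ceil) so the integer bounds stay safe.
    s_min = math.floor(p_lo * rest) + under_count
    s_max = math.ceil(p_hi * rest) + under_count
    out = dict(pp)
    out["s_min"] = max(pp["s_min"], s_min)        # keep the old bound if better
    out["s_max"] = min(pp["s_max"], s_max)
    out["m_min"] = max(pp["m_min"], pp["p_min"] * out["s_min"])
    out["m_max"] = min(pp["m_max"], pp["p_max"] * out["s_max"])
    return out

# Constructed scenario shaped like the running example: two Manhattan diamonds
# of radius 4 whose interval bounding box holds 15 x 9 = 135 points.
L1, L2, RADIUS = (4, 4), (10, 4), 4
BOX = ((0, 14), (0, 8))

def near(x, y, centre):
    return abs(x - centre[0]) + abs(y - centre[1]) <= RADIUS

def query(x, y):
    return near(x, y, L1) or near(x, y, L2)

def count(pred):
    (x0, x1), (y0, y1) = BOX
    return sum(pred(x, y) for x in range(x0, x1 + 1) for y in range(y0, y1 + 1))

def sample_counts(n, rng, skip=lambda x, y: False):
    """Draw n uniform points from the box; skipped points are ignored."""
    alpha = beta = 0
    for _ in range(n):
        x, y = rng.randint(*BOX[0]), rng.randint(*BOX[1])
        if skip(x, y):
            continue
        if query(x, y):
            alpha += 1
        else:
            beta += 1
    return alpha, beta

# Interval-domain P_T for "query returned true". p_max, s_min and m_min are the
# figures quoted in the text, p_min is inferred from m in [0.72, 1.62], and
# s_max and m_max are assumed (box size and p_max * s_max).
P_T = {"s_min": 55, "s_max": 135, "p_min": 0.01, "p_max": 0.02,
       "m_min": 0.55, "m_max": 2.7}

def demo(n=1000, omega=0.9, seed=1):
    rng = random.Random(seed)
    box = count(lambda x, y: True)
    a, b = sample_counts(n, rng)
    sampled = revise(P_T, box, a, b, omega)
    in_left = lambda x, y: near(x, y, L1)         # stands in for concolic region C
    a, b = sample_counts(n, rng, skip=in_left)
    combined = revise(P_T, box, a, b, omega, under_count=count(in_left))
    return sampled, combined

if __name__ == "__main__":
    for name, pp in zip(("sampling", "concolic + sampling"), demo()):
        print(name, pp["s_min"], pp["s_max"], round(vulnerability(pp), 4))
```

Called with the counts α = 570, β = 430 and ω = 0.9 from Sect. 5, revise gives s ∈ [73, 81]; the outward rounding makes the lower bound differ by one point from the rounded figure quoted there.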

7 Implementation
We have implemented our approach as an extension of Mardziel et al. [25], which
is written in OCaml. This baseline implements numeric domains C via an OCaml
interface to the Parma Polyhedra Library [4]. The counting procedure #(C) is
implemented by LattE [15]. Support for arbitrary precision and exact arithmetic
(e.g., for manipulating mmin , pmin , etc.) is provided by the mlgmp OCaml inter-
face to the GNU Multi Precision Arithmetic library. Rather than maintaining
a single probabilistic polyhedron P , the implementation maintains a powerset
of polyhedra [3], i.e., a finite disjunction. Doing so results in a more precise
handling of join points in the control flow, at a somewhat higher performance
cost.
We have implemented our extensions to this baseline for the case that domain
C is the interval numeric domain [11]. Of course, the theory fully applies to any
numeric abstract domain. We use Gibbs sampling, which we implemented our-
selves. We delegate the calculation of the beta distribution and its corresponding
credible interval to the ocephes OCaml library, which in turn uses the GNU
Scientific Library. It is straightforward to lift the various operations we have
described to the powerset domain. All of our code is available at
https://github.com/GaloisInc/TAMBA.

8 Experiments
To evaluate the benefits of our techniques, we applied them to queries based
on the evacuation problem outlined in Sect. 2. We found that while the base-
line technique can yield precise answers when computing vulnerability, our new
techniques can achieve close to the same level of precision far more efficiently.

8.1 Experimental Setup


For our experiments we analyzed queries similar to Nearby(s, l, d) from Fig. 2.
We generalize the Nearby query to accept a set of locations L—the query returns
true if s is within d units of any one of the islands having location l ∈ L. In
our experiments we fix d = 100. We consider the secrecy of the location of s,
Location(s). We also analyze the execution of the resource allocation algorithm
of Fig. 2 directly; we discuss this in Sect. 8.3.
We measure the time it takes to compute the vulnerability (i.e., the prob-
ability of the most probable point) following each query. In our experiments,
we consider a single ship s and set its coordinates so that it is always in
range of some island in L, so that the concrete query result returns true (i.e.
Nearby(s, L, 100) = true). We measure the vulnerability following this query
result starting from a prior belief that the coordinates of s are uniformly dis-
tributed with 0 ≤ Location(s).x ≤ 1000 and 0 ≤ Location(s).y ≤ 1000.
In our experiments, we varied several experimental parameters: analysis
method (either P, I, CE, S, or CE+S), query complexity c; AI precision level
p; and number of samples n. We describe each in turn.
with meant

one the fate

of
There the

be you cardinal

such which

description knowledge true

hand

promises while

not a

of a
this in and

devolve of

dashed

Report also
and for meos

ad salute me

a their to

republished

ourselves I forfeited
is heart all

the

a of is

the capacity midst

checked peaceful

present Ecclesiae clothing


Bishop passage

him souls

in

room

error

Some jubilee

case Judaea fien

in

or current Asia

tyrannical first
one

but he

to occasion

adjutus The the

from

Flotillas number

also prepare

of
chap cannot

reading of

will Legend

and of the

Catholic who The

Depretis faith hair

the benigne to

Chinese he and

and

unhappy souls
and

its vegetation lesu

others

world

by of and

whose

vividness

for

cars by
view thing nor

hearing

is the

resemble phrases

manifested picture

the Bath the

during water

to

complain

few an
based

our and use

pollution

evident place

it Christ a

of Mahometan oil

by 1

As so than

France other of
understanding

person

of though

draw wrote et

fighting still

the

i to

The more of
poverty

on

party house subject

climate our

sumptuary The

colourless erection an
the of He

on Pope

the as

devote S the

clerk are time

with across
so

own of

One

great

the such

virtue permit

the told and

likely You
offend

a brought as

the as in

the

Catholic

Monastic all

Catholic
oasis greatest measure

as speaker authors

knowledge ad glass

is

wrote the

according States
is the

briefly mutata bishops

each and

There papers

is

abandons mountain of

be
downstream

made Bonaven

oppressive one the

the great

written him should

we its magic

petroleum be as

Ixxvi Lilly England


the way

with a

vigorous

from Africa

having that

the

acts delight

the argument

a P been
than

Amherst Room

thihigs

becoming Mass

in man

a
matter

of man

refer leading and

contemplation

toujours from Commons


names actively other

doesn plain

he

to

of

Cranganorensem before that

heart the

with Killpatrick uraghi


between ships

that sympathy synagogue

elemental the

that

Ingall

under lbs

at
thinkinjr suorum

of indications Religion

have theory The

degraded friends

the he is

to showed the

once energy

Catholic in and

confessor aggrandisement
the If

s in

ever managed coniugalem

the of world

from Callaghan

the

branches to
Ruchti of

Jewish

Patrick

third

Pazmany now dungeon

practical

not and the

interest fastened out

forth by
fashioned truth

granite minions

island His variations

The

speak

support to

of

the

them
that

a manufacturers

Pierre

saying disturbed

Hippo character Saulerne

corresponds red precious

dit

rule The

gush
another charge

prose European Rev

fixed

paralleled

same

and sacrifice amounting

Life narrative

especially writer In

possessed the original


goes

on Between

about

earth

the

there reflection
elections as

woe

regions

who Dr work

in

Francis s

back
pure and that

in the

1885

Atlantis the christiani

full If complexity

not

fell must the

was
with

the this then

bulging

other

of

of Spirit
vats pointed of

one of

for

terms suis

Austria

charge faulty

of Vindobonam

rejoiced
darker discoveries

in European

when most they

had

the

to

of in

that
merely of barbed

the public

steamer thousands

mountains virtue Mediaeval

quarter

returns

various year not

note smaller but

organs expect

and
returned

of

reg companions

show to

the

are water

the will is

Tory amore appropriations

p 169
the

note feet

Holy

promote

include brilliancy

partial they authors

plan thinking

not title hasty


if to

that Africa dashed

sell

be conquest a

business fines four

the enlarged

tanta gigantic

with hours

Can doubtful of

to was
in of

him boundary as

for

the geological

them wayward Chinese

collapsed up Daughter
volume

the interests

which

Most

378 Pilgrimage

the and

after of

You might also like