Quantitative Information Flow as Network Flow Capacity

Unknown author (2007-12-10)

We present a new technique for determining how much information about a program's secret inputs is revealed by its public outputs. In contrast to previous techniques based on reachability from secret inputs (tainting), it achieves a more precise quantitative result by computing a maximum flow of information between the inputs and outputs. The technique uses static control-flow regions to soundly account for implicit flows via branches and pointer operations, but operates dynamically by observing one or more program executions and giving numeric flow bounds specific to them (e.g., "17 bits"). The maximum flow in a network also gives a minimum cut (a set of edges that separate the secret input from the output), which can be used to efficiently check that the same policy is satisfied on future executions. We performed case studies on 5 real C, C++, and Objective C programs, 3 of which had more than 250K lines of code. The tool checked multiple security policies, including one that was violated by a previously unknown bug.
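The abstract's central idea is that once a program's data and control dependences are drawn as a flow network whose edge capacities are bit widths, a maximum-flow computation bounds how many secret bits can reach the output, and the matching minimum cut names the edges at which that bound can be enforced. The following is an added illustration written for this page, not the paper's tool or any of its code: it builds a constructed toy network for a hypothetical program that copies the low 8 bits of a 32-bit secret and branches once on its sign bit (the node names and capacities are assumptions), then runs Edmonds-Karp to obtain the flow bound in bits and the corresponding min cut.

```python
from collections import defaultdict, deque


def build_toy_network():
    """Constructed flow network for a hypothetical program (assumption,
    not taken from the paper).  Each edge is (from, to, capacity_in_bits):

        secret -> low8 : x = secret & 0xff        (explicit flow, 8 bits)
        secret -> br   : if (secret < 0) ...      (implicit flow through a
                                                   control-flow region: only
                                                   which side was taken leaks,
                                                   so 1 bit)
        low8/br -> out : out = x + (taken ? 1 : 0)
    """
    return [
        ("src", "secret", 32),   # the 32-bit secret input
        ("secret", "low8", 8),
        ("secret", "br", 1),
        ("low8", "out", 8),
        ("br", "out", 1),
        ("out", "sink", 64),     # public output; wide enough not to bind
    ]


def max_flow_min_cut(edges, source, sink):
    """Edmonds-Karp max flow.  Returns (bits_of_flow, min_cut_edges), where
    the cut lists original edges that cross from the source side to the sink
    side of the final residual graph; their capacities sum to the flow."""
    res = defaultdict(lambda: defaultdict(int))   # residual capacities
    for u, v, c in edges:
        res[u][v] += c
        res[v][u] += 0                             # reverse edge placeholder

    total = 0
    while True:
        # Breadth-first search for the shortest augmenting path.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break                                  # no augmenting path left

        # Bottleneck capacity along the path, then push that much flow.
        path_cap = float("inf")
        v = sink
        while parent[v] is not None:
            u = parent[v]
            path_cap = min(path_cap, res[u][v])
            v = u
        v = sink
        while parent[v] is not None:
            u = parent[v]
            res[u][v] -= path_cap
            res[v][u] += path_cap
            v = u
        total += path_cap

    # After the last (failed) search, `parent` holds exactly the nodes still
    # reachable from the source in the residual graph: the source side of a
    # minimum cut.
    reachable = set(parent)
    cut = [(u, v, c) for u, v, c in edges if u in reachable and v not in reachable]
    return total, cut


def cut_satisfies_policy(cut, max_bits):
    """Policy check reusable on later runs: the cut's total capacity bounds the
    leak, so rechecking the cut is cheaper than recomputing the whole flow."""
    return sum(c for _, _, c in cut) <= max_bits


if __name__ == "__main__":
    bits, cut = max_flow_min_cut(build_toy_network(), "src", "sink")
    print(f"at most {bits} bits of the secret reach the output")
    print("min cut:", cut)
    print("policy '<= 8 bits' satisfied:", cut_satisfies_policy(cut, 8))
```

For the toy network the flow is 9 bits (8 explicit plus 1 implicit), and the min cut is the pair of edges leaving `secret`, which is the point at which a policy such as "no more than 8 bits may leak" would be seen to fail. The 32-bit edge into `secret` is not in the cut because the bottleneck lies downstream of it.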