1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
| We thank the reviewers for their thoughtful comments! We address the
most important/common questions in the first 500 words; other
answers below the line can be viewed as optional/supplemental.
**Reviewers A and D: Is your model fundamental, or can be it be
encoded in existing batch-oriented models (like [4])?
Our model is fundamental. Existing batch-oriented models (like [4])
can be encoded in our model, but batch-oriented models cannot encode
our model. That's because our model permits feedback: past outputs
may affect future inputs. So the traditional information-theoretic
approach to quantifying leakage fails.
You might at first suspect that batch-oriented models could emulate
our time-varying model by viewing a run with multiple time steps as a
single batch-execution of the system. But there is no
information-theoretic channel representing that run
that is invariant with respect to the
probability distribution on secrets (see [22, Example 1]),
so information-theoretic measures can't be used with a batch-model
encoding.
By contrast, information-theoretic measures can be used
with our time-varying model. The result in III-E shows our model
encodes a joint probability distribution, which can be decomposed
into a product of conditional probabilities, to which measures can
be applied. We will expand/clarify this result
(including moving material from the appendix into the main text as
suggested by Reviewer C) to also address this question of encoding.
**Reviewer D: Is the complication of the model warranted since the
examples remove model features?
Each example removes some model features for simplicity, but every
model feature is required by at least one example; removing features
would thus rule out some examples.
**Reviewers C and D: The experiments are not very well explained.
We agree that adding further explanation and intuition would improve
the paper. We will include the exact parameters for each
experiment. We will also sketch the behavior of the optimal adversary
in each case, to give intuition as to the shape of the graphs. For
most of the experiments we show, the behavior of the optimal adversary
is to make observations within the period where the secret doesn't
change and attack right before the secret changes based on what they
have observed in this static period. For some parameters (perfect
observations), the attacker doesn't necessarily need to wait to right
before the change to be optimal. Answers to reviewer C's particular
questions are given in an optional/supplemental portion to the
rebuttal below.
**Reviewer D: How do you compare to attack graphs, game-theoretic
models, etc.?
We will add text to compare. In short: we can view our table-based
optimal adversary as implementing an attack graph (computed to
optimize the adversary's expected gain). We can view our approach as a
Bayesian game, but game-theoretic notions are not relevant for us as
only one party (the adversary) has choices.
----------------------------------------------------------------------
We address some particular questions from reviewer C in the remainder
of the rebuttal.
--How did you implement the optimization procedure?
By exact simulation; more efficient means of analysis (e.g., via
abstract interpretation) we leave to interesting future work.
--Example V-F: The role of the change function is confusing since it
could be more directly modeled as another part of the secret.
The reviewer is right and so we should at least clarify the example.
In principle, separating the secret from the change function in our
model is done for two reasons: 1) the function cannot be observed
directly, only inferred, and 2) it cannot change itself. As a result,
this special part of the secret behaves most similarly to how secrets
behave in existing work on quantified information flow: uncertainty of
the change function decreases with additional observations through
imperfect channels and this uncertainty cannot be
recovered. Conversely, uncertainty in the dynamic parts of the secret
can be recovered, as shown by the periodicity in the figures. The
example in V-F was designed to show a counterintuitive situation in
which applying the change function more often results in higher
vulnerability of the secret. To show this we made the example have a
very high correlation between the change function and another part of
the secret (the floor). This has an unfortunate side effect of
trivializing the distinction between the change functions and other
parts of the secret. We conjecture that the correlation is a necessary
feature of scenarios that have the counterintuitive property; we will
attempt a proof and expand the discussion in any case.
--Why do the periods in the examples differ in the graphs?
This is sloppiness on our part: the change_freq parameter differed
with different experiments. We will unify it as much as possible, make
it explicit in the text, and rerun the experiments.
--What is the point of figures 7, 8?
Figures 7 and 8 illustrate existing min-vulnerability and guessing
entropy measures in our model, respectively, compared against a
measure that accounts for an adaptive adversary, which is a signature
feature of our approach. The figures show that adaptivity
significantly increases a secret's vulnerability.
--How to interpret the bottom of figure 9?
Figure 9 illustrates the impact of memory limitation on the
adversary. The bottom portion can be explained partially from the
periodic effect that also occurs in the top portion of the figure. The
advantage of more memory only matters as long as there are more things
to remember. At the start, or right after the secret has changed,
there is nothing to remember hence the various limited adversaries
have the same expected raid gain. Their odds diverge further into the
"epoch" of the current secret as there are more and more relevant
observations to remember. The gains are most diverged right before the
secret changes. The bottom figure illustrates the situation for an
adaptive adversary, for which the periodic effect also occurs. There,
however, the gain increases monotonically with time towards 1 (except
for the adversary with no memory at all). This occurs as every
adversary with at least one observation's worth of memory has
ever-increasing odds of luckily observing a single stakeout that
pinpoints the stash location exactly.
--Why is the parameter raid_odds included? Doesn't it just scale the
gain?
This aspect of our stakeout/raid examples is mostly used that we can
generalize beyond min-vulnerability (which would be equivalent to
raids without raid_odds) and show how such a parameter manifests
itself in the overall vulnerability of a secret. The reviewer is right
that the parameter serves to scale vulnerability and does not impact
the behavior of the adversary for most stakeout/raid examples. The
situation is more interesting when there are penalties for making
stakeouts (Section V.E). There the adversary cannot just decide to
stakeout until right before the stash location changes as each
stakeout incurs a cost; the attacker must weigh their chances of a
successful raid given what they know now vs. the prospect of learning
more about the stash location. The first quantity is scaled with
raid_odds, whereas the second depends more on the parameter
obs_odds. These parameters thus impact the adaptive decisions the
adversary makes before the attack occurs.
|