author: aman

Blog II - Part III - Day 10

Apologies for not being able to write the #Day10 blog on time. But this blog will contain some wonderful things, actually applicable in the field of Security of blockchain.

I will pick up just one case I have worked on extensively, followed by the intuitive trails of other cases, you can think of logically. The blogs will be mostly texts so, just read.

Lets get through…

In this micro-blog

  • Formal Methods
  • Formal Verification
  • First Order Logic
  • Information Flow and Vulnerability : Just a CASE
  • ….. will keep adding
Information Flow and Vulnerability : Just a CASE

The theory of Information Flow draws some important points in the direction of how the data flows, i.e. the access of information to different type of users. Let’s try to understand it from a critical point of view…

The PLOT

Suppose you are an NSA Agent, just like Edward Snowden was, and you need to design a system that just have to fetch data to the other “normal” employees that serve the government.

Now the government employee simply query about the data and gets the required data. But it’s perfectly normal right y’all… What is the problem?

The Challenge

The thing is that, there are a certain “high-level” access to information and certain “low-level” access to information. The critical point in Information Flow expresses the fact that, the high level access information should not be accessed by the people who have low-level access. In this case, the govt. employee should never access the information that only an NSA employee should have access to.

If there is anyway, the government employee is somehow able to find out the high level information, it is a security flaw.

There was this machine learning competition, where the people were given anonymised IMBD data(i.e. the identity of people were removed). One of the participant was able to apply some stastical techniques to deanonymise the data, i.e. he was able to identify the people. This is clearly a fault in securing information, which those participants should not have access to.

The participants applied the technique called “Differential learning” to de-anonymise the data. This is just a way in which a certain information can be exploited. But understanding this thing, will be a bit more complex.

Let me give you a simple example, of how the access to variables can be exploited to leak certain information.

example[1]

suppose there are 2 variable, l & h.

l -> Low-level variable, some info. that both the govt employee and NSA can know about

h -> high-level variable, some info. that ““only”” the NSA agent should know abt

now, being a government employee I write a certain program:

var l, h
if h = true:
    l = 3
else
    l = 42

The govt. employee runs the program, and check the value of l after it finishes. Now, by the value of l, whether it is 3 or 42, the govt. employee will be able to find the current state of value of h.

Isn’t it much obvious? But it is clearly a big Vulnerability. The government employee should never come to know about the value of h. Now, he can make various queries to the NSA Database, and make certain conclusions of the results obtained. “The similar way the machine learning people were able to do.” ;)


In the very next BLOG, I will tell about HYPERPROPERTIES, the very basic way to find out if a SYSTEM LEAKS SOME INFORMATION, the term was introduced by F B Scheidner and MR Clarkson, in 2010 in Cornell University.

I will also, cover, how this particular thing is used in Blockchain. This will be the very start where we will be employing BLOCKCHAIN examples, to understanf its seurity aspects.

Let us first get some responses on this blog.