Please note: LeakWatch will shortly be integrated into the information leakage tools project. The presentation and content will be updated soon, and the site will be moved into the project's web space.
LeakWatch estimates the information leakage that occurs in Java programs. It measures the mutual information between secret and observable values indicated by the user. The underlying model is a statistical approximation of the model used by CH-IMP.
Download
The latest version of LeakWatch is 0.2. It requires Java 7; all other required dependencies are included with LeakWatch.
How To Use
The process of estimating information leakage in Java programs is simple:
- use the LeakWatch API to identify the variables whose values you want to keep secret:

    // requires: import java.util.Random;
    int i = new Random().nextInt(42);   // the secret value
    uk.ac.bham.cs.leakwatch.executor.Variable.secret("i", i);

- use the LeakWatch API to identify the variables whose values will be exposed to an attacker:

    int j = (i + 666) % 10;             // value derived from the secret
    uk.ac.bham.cs.leakwatch.executor.Variable.observe(j);
    socket.write(j);                    // j leaves the program here, where an attacker can see it

- compile your classes: javac -cp leakwatch-0.2.jar:. name/of/my/Class.java;
- run LeakWatch on the Java class containing your main method: java -jar leakwatch-0.2.jar -n 20000 -i 1000 name.of.my.Class;
- wait while LeakWatch estimates the leakage from the secret to observable values (it'll tell you about its progress along the way);
- look at the final leakage estimate and decide whether it's acceptable — if it isn't, fix the bug in your code that caused the leakage.
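
To make the reported number concrete, the following added example (not LeakWatch code and not from the LeakWatch authors) computes the mutual information between the secret i and the observable j from the snippet above, once exactly by enumerating every secret and once as a plug-in estimate from sampled runs. The class name LeakageSketch, the sample size and the seed are assumptions chosen for illustration; the estimator is a plain frequency count, not LeakWatch's own statistics.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

// Added example, not LeakWatch code: models the quantity estimated for the
// page's snippet, with secret i uniform on 0..41 and observable j = (i + 666) % 10.
public class LeakageSketch {
    static final int SECRETS = 42;
    static int observable(int i) { return (i + 666) % 10; }
    static double log2(double x) { return Math.log(x) / Math.log(2); }

    // Shannon entropy in bits of the empirical distribution given by counts.
    static double entropy(Map<Integer, Integer> counts, int total) {
        double h = 0;
        for (int c : counts.values()) {
            double p = (double) c / total;
            h -= p * log2(p);
        }
        return h;
    }

    static void bump(Map<Integer, Integer> m, int key) {
        Integer c = m.get(key);
        m.put(key, c == null ? 1 : c + 1);
    }

    // Plug-in estimate of I(i; j) = H(i) + H(j) - H(i, j) from observed runs.
    static double mutualInformation(int[] secrets) {
        Map<Integer, Integer> ci = new HashMap<Integer, Integer>();
        Map<Integer, Integer> cj = new HashMap<Integer, Integer>();
        Map<Integer, Integer> cij = new HashMap<Integer, Integer>();
        for (int i : secrets) {
            int j = observable(i);
            bump(ci, i); bump(cj, j); bump(cij, i * 10 + j); // i*10+j encodes the pair
        }
        int n = secrets.length;
        return entropy(ci, n) + entropy(cj, n) - entropy(cij, n);
    }

    public static void main(String[] args) {
        int[] all = new int[SECRETS];       // each secret exactly once: exact value
        for (int i = 0; i < SECRETS; i++) all[i] = i;
        int[] sampled = new int[20000];     // constructed sample, fixed seed
        Random r = new Random(1);
        for (int k = 0; k < sampled.length; k++) sampled[k] = r.nextInt(SECRETS);
        System.out.printf("secret entropy: %.4f bits%n", log2(SECRETS));
        System.out.printf("exact leakage:  %.4f bits%n", mutualInformation(all));
        System.out.printf("estimated:      %.4f bits%n", mutualInformation(sampled));
    }
}
```

Because j is a deterministic function of i, the leakage here equals the entropy of j; comparing it with the secret's entropy shows how much of the secret an observer of j learns.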