A method includes recording, during execution of a program and by a computing system, concrete values exhibited at source and sink statements in the program. The source statements read confidential information and the sink statements release the confidential information to an outside environment. The method includes determining, by the computing system, using at least the recorded concrete values and source-sink pairs whether information leakage meeting one or more quantitative criteria occurs by the program. Apparatus and program products are also disclosed.