Towards a Theory of White-Box Security