Reasoning about Information Leakage and Adversarial Inference (Matt Fredrikson)

Presentation transcript:

Reasoning about Information Leakage and Adversarial Inference Matt Fredrikson 1

2 Records driving using accelerometer and GPS Rates safety based on acceleration, braking, cornering Overlays traffic alerts on map

3

° N, ° W

° N, ° W ° N, ° W Don’t make any user’s location more guessable

6

° N, ° W Area Code: 608

8
Two adversaries: the back-end server and the end-user
Both see continuous streams of sensor-based data
Back-end sees raw data; end-user sees aggregate data
Adversary goals: infer driving behavior; infer others' location
Assume algorithms are public

9
Solution #1: release coarse data, do more computations locally
May come with a tradeoff in performance
Both: difficult to verify
Solution #2: need a way of reasoning about partial leakage

10
Monolithic application vs. privilege-separated application
Components: httpd, worker, declassifier, back-end database

11
[Architecture diagram: httpd, worker, declassifier, database]

12
Writing differentially-private declassifiers is challenging:
Real systems have many side channels, even ignoring timing
Sampling continuous distributions with finite precision is not easy
Using differentially-private sanitizers is hard:
The user must work out the privacy budget
Selecting the correct privacy parameter is a subtle matter
Need to verify the core sanitizer algorithm
Provide automated developer support
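To make the budget-allocation point concrete, here is a minimal Python sketch (not part of the original slides) of a sanitizer that charges a global ε budget and refuses further releases once it is spent. The class and method names are invented for illustration, and the Laplace sampling uses ordinary floating point, which is precisely the finite-precision caveat noted above.

```python
import random


class BudgetExceeded(Exception):
    """Raised when a query would overspend the privacy budget."""


class LaplaceSanitizer:
    """Toy sanitizer: adds Laplace noise and charges an epsilon budget."""

    def __init__(self, total_epsilon):
        self.remaining = total_epsilon

    def release(self, true_answer, epsilon, sensitivity=1.0):
        if epsilon > self.remaining:
            raise BudgetExceeded("not enough privacy budget left")
        self.remaining -= epsilon
        scale = sensitivity / epsilon
        # The difference of two independent Exp(1/scale) draws is Laplace(0, scale).
        # This uses floating point, exactly the finite-precision caveat above.
        noise = random.expovariate(1 / scale) - random.expovariate(1 / scale)
        return true_answer + noise


# Usage: the caller must split the total budget across queries by hand.
san = LaplaceSanitizer(total_epsilon=1.0)
print(san.release(true_answer=42, epsilon=0.5))
print(san.release(true_answer=42, epsilon=0.5))
# A third 0.5-epsilon query would raise BudgetExceeded.
```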

13
[Diagram: Insecure Program... + Policy -> Policy Weaver -> Secure Program; example target: httpd]
Differential privacy:
Help allocate the privacy budget
Ensure that sanitizers are placed correctly

14
Assume the adversary can control the worker process:
Can send arbitrary queries to the back-end database
Observes output of the declassifier process
Goal: violate differential privacy on the back-end database

15
Need to reason about finite-precision implementations of sanitizers
Need to ensure sanitizers are used correctly for the higher-level policy
These goals are difficult to accomplish under traditional models of information flow
Idea: help users write code that uses primitives correctly

16
Example program P (L1, L2, L3 are low variables; H is high):
  L1 := 0; L2 := 1;
  while ¬(L1 = L2) do
    L3 := L1 + L2;
    L1 := L2;
    L2 := L3;
  H := L3
The semantics Sem maps the program P and an initial distribution D over states to an output distribution Pr_D[x].
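One way to read this slide is that Sem pushes an initial distribution D over states through the program, yielding a distribution over final states. The sketch below (hypothetical, not from the talk) does exactly that by brute force for the example program.

```python
from collections import defaultdict


def program(state):
    """The slide's example program as a state transformer (L1, L2, L3 low; H high)."""
    s = dict(state)
    s["L1"], s["L2"] = 0, 1
    while s["L1"] != s["L2"]:
        s["L3"] = s["L1"] + s["L2"]
        s["L1"] = s["L2"]
        s["L2"] = s["L3"]
    s["H"] = s["L3"]
    return s


def sem(prog, init_dist):
    """Push an initial distribution D over states through a deterministic
    program, yielding the output distribution over final states."""
    out = defaultdict(float)
    for state, prob in init_dist.items():
        final = tuple(sorted(prog(dict(state)).items()))
        out[final] += prob
    return dict(out)


# Toy initial distribution D: two equally likely values of the secret H.
D = {
    (("H", 0), ("L1", 0), ("L2", 0), ("L3", 0)): 0.5,
    (("H", 7), ("L1", 0), ("L2", 0), ("L3", 0)): 0.5,
}
print(sem(program, D))
```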

17
μ : Observations → Feasible States
Example: x := y; p := q+1; l := h
Can represent different observational models
…different computational abilities

18
Privacy policies bound the adversary's knowledge about the initial state
Φ ⊆ initial state distributions
Example: w := h; z := w+1; x := z
Dynamic compliance (private for a single starting state): P ⊨σ,D,ρ Φ
Static compliance (private for all starting states): P ⊨ Φ

19
A randomized function K gives ε-differential privacy if for all databases D1, D2 satisfying a neighbor relation N(D1, D2), and all S ⊆ Range(K):
Pr[K(D1) ∈ S] ≤ exp(ε) × Pr[K(D2) ∈ S]
vs. non-interference: D1|L = D2|L ⇒ Pr[K(D1) ∈ S] = Pr[K(D2) ∈ S]
As a policy over inputs: Φ(D) ≡ ∀ σ, σ′ ∈ R_D. N(σ, σ′) ⇒ Pr[σ] ≤ exp(ε) × Pr[σ′]
Draw σ, σ′ using coin flips of D; impose the neighbor relation; bound occurrence probabilities
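As a sanity check on the definition, the following sketch verifies the ε-DP inequality pointwise for the standard Laplace mechanism on neighboring databases whose true answers differ by at most 1. The helper names are invented; only the bound Pr[K(D1) ∈ S] ≤ exp(ε) × Pr[K(D2) ∈ S] comes from the slide.

```python
import math


def laplace_pdf(x, mean, scale):
    """Density of the Laplace(mean, scale) distribution."""
    return math.exp(-abs(x - mean) / scale) / (2 * scale)


def check_dp_bound(true1, true2, epsilon, points):
    """For K(D) = true_answer(D) + Laplace(0, 1/epsilon) with |true1 - true2| <= 1,
    check pointwise that pdf_K(D1)(x) <= exp(epsilon) * pdf_K(D2)(x)."""
    scale = 1.0 / epsilon
    return all(
        laplace_pdf(x, true1, scale)
        <= math.exp(epsilon) * laplace_pdf(x, true2, scale) + 1e-12
        for x in points
    )


# Neighboring databases whose counts differ by one.
print(check_dp_bound(true1=100, true2=101, epsilon=0.5,
                     points=[90 + 0.1 * i for i in range(200)]))  # True
```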

Path ⊆ Valid
Dynamic Analysis | Static Analysis | Policy Weaving
Proof-of-concept implementation
Based on CEGAR model checking
Reduce probability formulas to model counting

21
Z3 with a theory of counting; libbarvinok; Mathematica
Theory of discrete probabilities; nonlinear counting
Excellent performance on realistic benchmarks: (Give numbers)
LICS 2013
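The reduction from probability formulas to model counting can be illustrated for the simplest case: a uniform distribution over boolean secrets, where Pr[φ] is the number of satisfying assignments of φ divided by 2^n. The brute-force counter below is only an illustration of the idea, not the LICS 2013 procedure or the Z3/libbarvinok integration.

```python
from itertools import product


def model_count(formula, num_vars):
    """Count the assignments of num_vars booleans satisfying the formula (brute force)."""
    return sum(1 for bits in product([False, True], repeat=num_vars) if formula(bits))


def probability(formula, num_vars):
    """Under a uniform distribution on the secret bits, Pr[formula] = #models / 2^n."""
    return model_count(formula, num_vars) / (2 ** num_vars)


# Pr[exactly two of three secret bits are set] = 3 / 8
print(probability(lambda b: sum(b) == 2, num_vars=3))
```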

22
[CEGAR diagram: Source Code, Abstract Model, Model Checker, Predicate Refinement, Result, Runtime Policy Check]
Must address the problem of learning single-vocabulary predicates
Predicates might make probability statements
Direction: always learn predicates that explain in terms of the adversary's observations
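A rough sketch of how such a CEGAR-style weaving loop might be organized is shown below; every helper (abstract, check, refine, insert_runtime_check) is a hypothetical stand-in, since the slide only names the components.

```python
def policy_weave(source, policy, abstract, check, refine, insert_runtime_check):
    """CEGAR-style loop sketch: abstract, model-check, refine on spurious
    counterexamples, and fall back to a runtime policy check when a real
    violation is found.  All five helpers are hypothetical stand-ins."""
    predicates = set()
    while True:
        model = abstract(source, predicates)
        result = check(model, policy)
        if result.safe:
            return source  # policy provably holds on the current program
        new_preds = refine(result.counterexample, predicates)
        if new_preds:  # counterexample was spurious: sharpen the abstraction
            predicates |= new_preds
        else:          # genuine violation: guard it with a runtime check
            source = insert_runtime_check(source, result.counterexample)
```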

23
[Diagram: Semantics of Language L + Enforcement Semantics E -> Policy-Weaver Generator -> L-E Policy Weaver; Insecure Program... + Policy -> Secure Program]
Policy-language semantics extended with very general information flow constructs
Exploring integration with privilege-aware operating systems
Developed a new type of policy based on adversarial knowledge
Can enforce classic information flow, as well as new partial notions
Support weaving by extending the JAM framework

Backup Slides

25
Ideal, most precise path oracle:
Sees all writes to L-variables
Infers all feasible H-states
μ_precise(ρ) = { σ_H : ∃ σ′, P′. ⟨σ, ⊥, P⟩ ⇒* ⟨σ′, ρ, P′⟩ ∧ Pr_{D_init}[σ] > 0 }
That is: return the H-variable portion of σ whenever there is a state σ′ and program counter P′ such that executing P starting in σ under the standard semantics yields ⟨σ′, ρ, P′⟩, and σ is assigned non-zero probability in the initial distribution.
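For a finite initial distribution, the ideal oracle can be computed by brute force: run the program from every initial state with non-zero probability and keep the H-parts of those whose L-observations match ρ. The sketch below is illustrative only; the example program, state encoding, and observation format are invented.

```python
def mu_precise(program, init_dist, observation):
    """Brute-force version of the ideal oracle: the set of H-values feasible
    given the adversary's observation of the L-trace rho."""
    feasible_h = set()
    for init_state, prob in init_dist.items():
        if prob <= 0:
            continue
        state = dict(init_state)
        trace = program(state)          # the sequence of L-variable writes
        if trace == observation:
            feasible_h.add(dict(init_state)["H"])
    return feasible_h


def example_program(state):
    """w := h; z := w + 1; x := z  -- each low write is observed."""
    state["w"] = state["H"]
    state["z"] = state["w"] + 1
    state["x"] = state["z"]
    return [("w", state["w"]), ("z", state["z"]), ("x", state["x"])]


D_init = {(("H", 3),): 0.5, (("H", 5),): 0.5}
print(mu_precise(example_program, D_init, [("w", 3), ("z", 4), ("x", 4)]))  # {3}
```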

26
Both executions must exhibit the same L-state behavior:
Φ(D) ≡ ∀ σ, σ′ ∈ R_D. σ_L = σ′_L ⇒ Pr[σ_H] = Pr[σ′_H]
The adversary must not see anything that makes the current H-state seem more probable.
Example (two executions, L and H columns): w := h; z := w+1; x := z

27
  while request != null do
    x := AggregateDatabase(h, request);
    l := Sanitize(x);
h is the high-security input; l is the low-security output
The privacy budget is good for one query

28
  transcript_length := 0;
  while request != null do
    x := AggregateDatabase(h, request);
    if transcript_length < 1 then
      l := Sanitize(x);
      transcript_length++;
Runtime checks prevent privacy budget overflow
Privacy condition: length(ρ) = 1
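The same runtime check can be phrased as a small reusable monitor. The Python sketch below assumes a Sanitize-like callable and simply suppresses any release beyond the allowed transcript length; all names are hypothetical.

```python
class TranscriptMonitor:
    """Runtime enforcement of the condition length(rho) <= budget: once the
    declassifier has emitted `budget` outputs, further releases are dropped."""

    def __init__(self, budget=1):
        self.budget = budget
        self.transcript = []

    def release(self, sanitize, value):
        if len(self.transcript) >= self.budget:
            return None          # budget spent: suppress the output
        result = sanitize(value)
        self.transcript.append(result)
        return result


# Hypothetical usage mirroring the slide's loop; the identity "sanitizer"
# stands in for Sanitize, and the raw values for AggregateDatabase results.
monitor = TranscriptMonitor(budget=1)
for raw in [10, 20, 30]:
    print(monitor.release(lambda x: x + 0.0, raw))
# Output: 10.0, None, None -- only the first query is released.
```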

Assume: Pr[σ | Output = S] ≤ exp(ε) × Pr[σ′ | Output = S]
Suppose, for contradiction, that Pr[P(σ) = S] > exp(ε) × Pr[P(σ′) = S]
P is deterministic, so Pr[P(σ) = S] ∈ {0, 1} (and likewise for P(σ′))
⇒ Pr[P(σ′) = S] = 0 and Pr[P(σ) = S] = 1
If Pr[P(σ′) = S] = 0, then Pr[σ′ | Output = S] = 0
⇒ Pr[σ | Output = S] = 0
Contradiction, because Pr[P(σ) = S] = 1, so σ is feasible on observing Output = S.