Implementing Differential Privacy & Side-channel attacks CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 14 : 590.03 Fall 12.

Slides:



Advertisements
Similar presentations
Wavelet and Matrix Mechanism CompSci Instructor: Ashwin Machanavajjhala 1Lecture 11 : Fall 12.
Advertisements

Publishing Set-Valued Data via Differential Privacy Rui Chen, Concordia University Noman Mohammed, Concordia University Benjamin C. M. Fung, Concordia.
Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Simulatability “The enemy knows the system”, Claude Shannon CompSci Instructor: Ashwin Machanavajjhala 1Lecture 6 : Fall 12.
CS4432: Database Systems II
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Counting the bits Analysis of Algorithms Will it run on a larger problem? When will it fail?
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
Private Analysis of Graph Structure With Vishesh Karwa, Sofya Raskhodnikova and Adam Smith Pennsylvania State University Grigory Yaroslavtsev
Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.
Privacy Enhancing Technologies
Planning under Uncertainty
A. Haeberlen Differential Privacy Under Fire 1 USENIX Security (August 12, 2011) Andreas Haeberlen Benjamin C. Pierce Arjun Narayan University of Pennsylvania.
Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.
1 Validation and Verification of Simulation Models.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.
Differential Privacy (2). Outline  Using differential privacy Database queries Data mining  Non interactive case  New developments.
Laurent Itti: CS599 – Computational Architectures in Biological Vision, USC Lecture 7: Coding and Representation 1 Computational Architectures in.
Defining Polynomials p 1 (n) is the bound on the length of an input pair p 2 (n) is the bound on the running time of f p 3 (n) is a bound on the number.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
Multiplicative Weights Algorithms CompSci Instructor: Ashwin Machanavajjhala 1Lecture 13 : Fall 12.
Chapter 5 Algorithm Analysis 1CSCI 3333 Data Structures.
Simulation Output Analysis
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2011 Lecture 16 10/11/2011 Security and Privacy in Cloud Computing.
Differential Privacy - Apps Presented By Nikhil M Chandrappa 1.
CS573 Data Privacy and Security Statistical Databases
Lecture 12 Statistical Inference (Estimation) Point and Interval estimation By Aziza Munir.
1 Sampling Distributions Lecture 9. 2 Background  We want to learn about the feature of a population (parameter)  In many situations, it is impossible.
Section 8.1 Estimating  When  is Known In this section, we develop techniques for estimating the population mean μ using sample data. We assume that.
Data Publishing against Realistic Adversaries Johannes Gerhrke Cornell University Ithaca, NY Michaela Götz Cornell University Ithaca, NY Ashwin Machanavajjhala.
Disclosure risk when responding to queries with deterministic guarantees Krish Muralidhar University of Kentucky Rathindra Sarathy Oklahoma State University.
The Selection Problem. 2 Median and Order Statistics In this section, we will study algorithms for finding the i th smallest element in a set of n elements.
ECE 8443 – Pattern Recognition LECTURE 07: MAXIMUM LIKELIHOOD AND BAYESIAN ESTIMATION Objectives: Class-Conditional Density The Multivariate Case General.
PMIT-6102 Advanced Database Systems By- Jesmin Akhter Assistant Professor, IIT, Jahangirnagar University.
Privacy of Correlated Data & Relaxations of Differential Privacy CompSci Instructor: Ashwin Machanavajjhala 1Lecture 16: Fall 12.
The Sparse Vector Technique CompSci Instructor: Ashwin Machanavajjhala 1Lecture 12 : Fall 12.
Personalized Social Recommendations – Accurate or Private? A. Machanavajjhala (Yahoo!), with A. Korolova (Stanford), A. Das Sarma (Google) 1.
Privacy Framework for RDF Data Mining Master’s Thesis Project Proposal By: Yotam Aron.
PRISM: Private Retrieval of the Internet’s Sensitive Metadata Ang ChenAndreas Haeberlen University of Pennsylvania.
Lecture 15- Parallel Databases (continued) Advanced Databases Masood Niazi Torshiz Islamic Azad University- Mashhad Branch
Chapter 10 Verification and Validation of Simulation Models
Simulation Using computers to simulate real- world observations.
Boosting and Differential Privacy Cynthia Dwork, Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
1 OUTPUT ANALYSIS FOR SIMULATIONS. 2 Introduction Analysis of One System Terminating vs. Steady-State Simulations Analysis of Terminating Simulations.
Differential Privacy Some contents are borrowed from Adam Smith’s slides.
Machine Learning 5. Parametric Methods.
Lecture 3: MLE, Bayes Learning, and Maximum Entropy
Differential Privacy (1). Outline  Background  Definition.
Differential Privacy Xintao Wu Oct 31, Sanitization approaches Input perturbation –Add noise to data –Generalize data Summary statistics –Means,
Yang, et al. Differentially Private Data Publication and Analysis. Tutorial at SIGMOD’12 Part 4: Data Dependent Query Processing Methods Yin “David” Yang.
No Free Lunch in Data Privacy CompSci Instructor: Ashwin Machanavajjhala 1Lecture 15: Fall 12.
Giansalvo EXIN Cirrincione unit #4 Single-layer networks They directly compute linear discriminant functions using the TS without need of determining.
Output Perturbation with Query Relaxation By: XIAO Xiaokui and TAO Yufei Presenter: CUI Yingjie.
Differential Privacy with Bounded Priors: Reconciling Utility and Privacy in Genome-Wide Association Studies Florian Tramèr, Zhicong Huang, Erman Ayday,
Selection Using IF THEN ELSE CASE Introducing Loops.
EECE 310: Software Engineering
Private Data Management with Verification
Privacy-preserving Release of Statistics: Differential Privacy
Algorithm Analysis CSE 2011 Winter September 2018.
Chapter 10 Verification and Validation of Simulation Models
Differential Privacy in Practice
Inference and Flow Control
Searching, Sorting, and Asymptotic Complexity
Published in: IEEE Transactions on Industrial Informatics
Information Theoretical Analysis of Digital Watermarking
Some contents are borrowed from Adam Smith’s slides
Differential Privacy (1)
Presentation transcript:

Implementing Differential Privacy & Side-channel attacks CompSci Instructor: Ashwin Machanavajjhala 1Lecture 14 : Fall 12

Outline Differential Privacy Implementations – PINQ: Privacy Integrated Queries[McSherry SIGMOD ‘09] – Airavat: Privacy for MapReduce[Roy et al NDSS ‘10] Attacks on Differential Privacy Implementations – Privacy budget, state and timing attacks[Haeberlin et al SEC ‘11] Protecting against attacks – Fuzz[Haeberlin et al SEC ‘11] – Gupt[Mohan et al SIGMOD ‘12] Lecture 14 : Fall 122

Differential Privacy Let A and B be two databases such that B = A – {t}. A mechanism M satisfies ε-differential privacy, if for all outputs O, and all such A, B P(M(A) = O) ≤ e ε P(M(B) = O) Lecture 14 : Fall 123

Differential Privacy Equivalently, let A and B be any two databases Let A Δ B = (A – B) U (B – A) … or the symmetric difference A mechanism M satisfies ε-differential privacy, if for all outputs O, P(M(A) = O) ≤ e ε x |A Δ B| P(M(B) = O) Lecture 14 : Fall 124

PINQ: Privacy Integrated Queries Implementation is based on C#’s LINQ language Lecture 14 : Fall 125 [McSherry SIGMOD ‘09]

PINQ An analyst initiates a PINQueryable object, which in turn recursively calls other objects (either sequentially or in parallel). A PINQAgent ensures that the privacy budget is not exceeded. Lecture 14 : Fall 126

PINQAgent: Keeps track of privacy budget Lecture 14 : Fall 127

PINQ: Composition When a set of operations O1, O2, … are performed sequentially, then the budget of the entire sequence is the sum of the ε for each operation. When the operations are run in parallel on disjoint subsets of the data, the privacy budget for the all the operations is the max ε. Lecture 14 : Fall 128

Aggregation Operators Lecture 14 : Fall 129

Aggregation operators Laplace Mechanism NoisyCount NoisySum Exponential Mechanism NoisyMedian NoisyAverage Lecture 14 : Fall 1210

PINQ: Transformation Sometimes aggregates are computed on transformations on the data Where: takes as input a predicate (arbitrary C# function), and outputs a subset of the data satisfying the predicate Select: Maps each input record into a different record using a C# function GroupBy: Groups records by key values Join: Takes two datasets, and key values for each and returns groups of pairs of records for each key. Lecture 14 : Fall 1211

PINQ: Transformations Sensitivity can change once transformations have been applied. GroupBy: Removing a record from an input dataset A, can change one group in the output T(A). Hence, |T(A) Δ T(B)| = 2 |A Δ B| Hence, the implementation of GroupBy multiplies ε by 2 before recursively invoking the aggregation operation on each group. Join can have a much larger (unbounded) sensitivity. Lecture 14 : Fall 1212

Example Lecture 14 : Fall 1213

Outline Differential Privacy Implementations – PINQ: Privacy Integrated Queries[McSherry SIGMOD ‘09] – Airavat: Privacy for MapReduce[Roy et al NDSS ‘10] Attacks on Differential Privacy Implementations – Privacy budget, state and timing attacks[Haeberlin et al SEC ‘11] Protecting against attacks – Gupt[Mohan et al SIGMOD ‘12] Lecture 14 : Fall 1214

Outline Differential Privacy Implementations – PINQ: Privacy Integrated Queries[McSherry SIGMOD ‘09] – Airavat: Privacy for MapReduce[Roy et al NDSS ‘10] Attacks on Differential Privacy Implementations – Privacy budget, state and timing attacks[Haeberlin et al SEC ‘11] Protecting against attacks – Fuzz[Haeberlin et al SEC ‘11] – Gupt[Mohan et al SIGMOD ‘12] Lecture 14 : Fall 1215

Covert Channel Key assumption in differential privacy implementations: The querier can only observe the result of the query, and nothing else. – This answer is guaranteed to be differentially private. In practice: The querier can observe other effects. – E.g, Time taken by the query to complete, power consumption, etc. – Suppose a system takes 1 minute to answer a query if Bob has cancer and 1 micro second otherwise, then based on query time the adversary may know that Bob has cancer. Lecture 14 : Fall 1216

Threat Model Assume the adversary (querier) does not have physical access to the machine. – Poses queries over a network connection. Given a query, the adversary can observe: – Answer to their question – Time that the response arrives at their end of the connection – The system’s decision to execute the query or deny (since the new query would exceed the privacy budget) Lecture 14 : Fall 1217

Timing Attack Function is_f(Record r){ if(r.name = Bob && r. disease = Cancer) sleep(10 sec); // or go into infinite loop, or throw exception return f(r); } Function countf(){ var fs = from record in data where (is_f(record)) print fs.NoisyCount(0.1); } Lecture 14 : Fall 1218

Timing Attack Function is_f(Record r){ if(r.name = Bob && r. disease = Cancer) sleep(10 sec); // or go into infinite loop, or throw exception return f(r); } Function countf(){ var fs = from record in data where (is_f(record)) print fs.NoisyCount(0.1); } Lecture 14 : Fall 1219 If Bob has Cancer, then the query takes > 10 seconds If Bob does not have Cancer, then query takes less than a second.

Global Variable Attack Boolean found = false; Function f(Record r){ if(found) return 1; if(r.name = Bob && r.disease = Cancer){ found = true; return 1; } else return 0; } Function countf(){ var fs = from record in data where (f(record)) print fs.NoisyCount(0.1); } Lecture 14 : Fall 1220

Global Variable Attack Boolean found = false; Function f(Record r){ if(found) return 1; if(r.name = Bob && r.disease = Cancer){ found = true; return 1; } else return 0; } Function numHealthy(){ var health = from record in data where (f(record)) print health.NoisyCount(0.1); } Lecture 14 : Fall 1221 Typically, the Where transformation does not change the sensitivity of the aggregate (each record transformed into another value). But, this transformation changes the sensitivity – if Bob has Cancer, then all subsequent records return 1.

Privacy Budget Attack Function is_f(Record r){ if(r.name = Bob && r.disease = Cancer){ run a sub-query that uses a lot of the privacy budget; } return f(r); } Function countf(){ var fs = from record in data where (f(record)) print fs.NoisyCount(0.1); } Lecture 14 : Fall 1222

Privacy Budget Attack Function is_f(Record r){ if(r.name = Bob && r.disease = Cancer){ run a sub-query that uses a lot of the privacy budget; } return f(r); } Function countf(){ var fs = from record in data where (f(record)) print fs.NoisyCount(0.1); } Lecture 14 : Fall 1223 If Bob does not has Cancer, then privacy budget decreases by 0.1. If Bob has Cancer, then privacy budget decreases by Δ. Even if adversary can’t query for the budget, he can detect the change in budget by counting how many more queries are allowed.

Outline Differential Privacy Implementations – PINQ: Privacy Integrated Queries[McSherry SIGMOD ‘09] – Airavat: Privacy for MapReduce[Roy et al NDSS ‘10] Attacks on Differential Privacy Implementations – Privacy budget, state and timing attacks[Haeberlin et al SEC ‘11] Protecting against attacks – Fuzz[Haeberlin et al SEC ‘11] – Gupt[Mohan et al SIGMOD ‘12] Lecture 14 : Fall 1224

Fuzz: System for avoiding covert-channel attacks Global variables are not supported in this language, thus ruling our state attacks. Type checker rules out budget-based channels by statically checking the sensitivity of a query before they are executed Predictable query processor ensures that each microquery takes the same amount of time, ruling out timing attacks. Lecture 14 : Fall 1225

Fuzz Type Checker A primitive is critical if it takes db as an input. Only four critical primitives are allowed in the language – No other code is allowed. A type system that can infer an upper bound on the sensitivity of any program (written using the above critical primitives). [Reed et al ICFP ‘10] Lecture 14 : Fall 1226

Handling timing attacks Each microquery takes exactly the same time T If it takes less time – delay the query If it takes more time – abort the query – But this can leak information! – Wrong Solution Lecture 14 : Fall 1227

Handling timing attacks Each microquery takes exactly the same time T If it takes less time – delay the query If it takes more time – return a default value Lecture 14 : Fall 1228

Fuzz Predictable Transaction P-TRANS (λ, a, T, d) – λ : function – a : set of arguments – T : Timeout – d : default value Implementing P-TRANS (λ, a, T, d) requires: – Isolation: Function λ(a) can be aborted without waiting for any other function – Preemptability: λ(a) can be aborted in bounded time – Bounded Deallocation: There is a bounded time needed to deallocate resources associated with λ(a) Lecture 14 : Fall 1229

Outline Differential Privacy Implementations – PINQ: Privacy Integrated Queries[McSherry SIGMOD ‘09] – Airavat: Privacy for MapReduce[Roy et al NDSS ‘10] Attacks on Differential Privacy Implementations – Privacy budget, state and timing attacks[Haeberlin et al SEC ‘11] Protecting against attacks – Fuzz[Haeberlin et al SEC ‘11] – Gupt[Mohan et al SIGMOD ‘12] Lecture 14 : Fall 1230

GUPT Lecture 14 : Fall 1231

GUPT: Sample & Aggregate Framework Lecture 14 : Fall 1232

Sample and Aggregate Framework – S = range of the output – L = number of blocks Recall from previous lecture: Theorem [Smith STOC ‘09]: Suppose database records are drawn i.i.d. from some probability distribution P, and the estimator (function f) is asymptotically normal at P. Then if L = o(√n), then the average output by the Sample Aggregate framework converges to the true answer to f. Lecture 14 : Fall 1233

Estimating the noise Sensitivity of the aggregation function = S/L – S = range of the output – L = number of blocks Sensitivity is independent of the actual program f Therefore, GUPT avoids attacks using privacy budget as the covert channel. Lecture 14 : Fall 1234

Estimating the noise Sensitivity of the aggregation function = S/L – S = range of the output – L = number of blocks Output range can be : – Specified by analyst, or – α th and (100 - α) th percentiles can be estimated using Exponential Mechanism, and a Windsorized mean can be used as the aggregation function. Lecture 14 : Fall 1235

Handling Global State attacks The function is computed on each block in an isolated execution environment. – Analyst sees only the final output, and cannot see any intermediate output or static variables. – Global variables can’t inflate the sensitivity of the computation (like in the example we saw) … because the sensitivity only depends on S and L and not on the function itself. Lecture 14 : Fall 1236

Handling Timing Attacks Same is in Fuzz … Fix some estimate T on the maximum time allowed for any computation (on a block) If computation finishes earlier, then wait till time T elapses If computation takes more time, stop and return a default value. Lecture 14 : Fall 1237

Comparing the two systems GUPT Allows arbitrary computation. But, accuracy is guaranteed for certain estimators. Privacy-budget attack: Sensitivity is controlled by S (output range) and L (number of blocks) that are statically estimated State attack: Adversary can’t see any static variables. Timing attack: Time taken across all blocks is predetermined. FUZZ Allows only certain critical operations. Privacy-budget attack: Sensitivity is statically computed. State attack: Global variables are disallowed Timing Attack: Time taken across all records is predetermines Lecture 14 : Fall 1238

Summary PINQ (and Airavat) are frameworks for differential privacy that allow any programmer to incorporate privacy without needing to know how to do Laplace or Exponential mechanism. Implementation can disclose information through side-channels – Timings, Privacy-budget and State attacks Fuzz and GUPT are frameworks that disallow these attacks by – Ensuring each query takes a bounded time on all records or blocks – Sensitivity is statically estimated (rather than dynamically) – Global static variables are either inaccessible to adversary or disallowed Lecture 14 : Fall 1239

Open Questions Are these the only attacks that can be launched against a differential privacy implementation? Current implementations only simple algorithms for introducing privacy – Laplace and Exponential mechanisms. Optimizing error for batches of queries and advanced techniques (e.g., sparse vector) are not implemented. Can these lead to other attacks? Does differential privacy always protect against disclosure of sensitive information in all situations? – NO … not when individuals in the data are correlated. More in the next class. Lecture 14 : Fall 1240

References F. McSherry, “PINQ: Privacy Integrated Queries”, SIGMOD 2009 I. Roy, S. Setty, A. Kilzer, V. Shmatikov, E. Witchel, “Airavat: Security and Privacy for MapReduce”, NDSS 2010 A. Haeberlin, B. Pierce, A. Narayan, “Differential Privacy Under Fire”, SEC 2011 J. Reed, B. Pierce, M. Gaboardi, “Distance makes types grow stronger: A calculus for differential privacy”, ICFP 2010 P. Mohan, A. Thakurta, E. Shi, D. Song, D. Culler, “Gupt: Privacy Preserving Data Analysis Made Easy”, SIGMOD 2012 A. Smith, "Privacy-preserving statistical estimation with optimal convergence rates", STOC 2011 Lecture 14 : Fall 1241

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.