Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Cloud-assisted Services

Published byAnnabella Anthony Modified over 5 years ago

Similar presentations

Presentation on theme: "Securing Cloud-assisted Services"— Presentation transcript:

1 Securing Cloud-assisted Services
11:50 – 12:15 (25 mins) N. Asokan @nasokan 14 June

2 Helsinki, Finland Innovation hub Home to leading universities
University of Helsinki (top 100 overall) Aalto1 University (top 100 in Computer Science) Innovation hub Local giants: Nokia, Ericsson Security innovators: F-Secure, SSH, ... Recent arrivals: Intel, Samsung, Huawei, ... New tigers: Rovio, Supercell, ..., lots of startups 1. Aalto: Library at the Mount Angel Abbey

3 Software Made in Finland
Larry Ewing, By Source, Fair use,

4 Services are moving to “the cloud”

5 Services are moving to “the cloud”
Example: cloud storage Example: cloud-based malware scanning service

6 Securing cloud storage
Client-side encryption of user data is desirable But naïve client-side encryption conflicts with Storage provider business requirement: deduplication ([LPA15] ACM CCS ’15, [LDLA18] CT RSA ‘18) End user usability requirement: multi-device access ([P+AS18] IEEE IC ‘18, CeBIT ‘16)

7 Malware checking On-device checking
User APK data Malware DB On-device checking High communication and computation costs Database changes frequently Database is revealed to everyone Cloud-based checking Minimal communication and computation costs Database can change frequently Database is not revealed to everyone User privacy at risk!

8 Cloud-based malware scanning service
Needs to learn about apps installed on client devices Can therefore infer personal characteristics of users

9 Oblivious Neural Network Predictions via MiniONN Transformations
Thanks for the introduction. I am glad to present our work about oblivious neural network predictions. N. Asokan @nasokan (Joint work with Jian Liu, Mika Juuti, Yao Lu) By Source, Fair use,

10 Machine learning as a service (MLaaS)
Input Predictions Nowadays, *machine learning as a service* is a popular paradigm to provide *online predictions*. The server usually trains a *model* and receives inputs from clients. The server runs the model on the input and returns the predictions. Let’s take *google translate* as an example. The server uses a model to translate the *sentences* submitted by the clients. In this case, clients have to *reveal* their input and predictions to the server. In some scenarios like *online medical diagnosis*, the input data can be very *sensitive*. If the server is malicious, it can *misuse* the data. For example, instead of using the input for diagnosis, it can use it to profile the users or sell the data. violation of clients’ privacy

11 Oblivious Neural Networks (ONN)
Given a neural network, is it possible to make it oblivious? server learns nothing about clients' input clients learn nothing about the model To this end, we ask the question: given *any* existing neural network model whether is it possible to make it *oblivious*. What I mean by oblivious is that during the prediction, … (stress nothing)

12 Example: CryptoNets FHE-encrypted input FHE-encrypted predictions
We are not the first one to consider this problem. For example last year, Microsoft research proposed a solution called *CryptoNets*. It has clients encrypt their input using fully homomorphic encryption and the server runs its model on the encrypted data returns the encrypted predictions. It provides *high throughput* for batch queries from the *same* client, but it has two problems First, it has *high overhead*. For example in the MNIST dataset that contains handwritten digits, it takes *5 min* to identify one character. For comparison, without privacy, it takes less than *1 millisecond*. Second, it can only support *limited* neural networks because homomorphic encryption cannot deal with *comparison operations* and *high-degree polynomials* which are commonly used in neural networks. For instance, in their experiments, they used a model with *square* activation function, which is not typically used. High throughput for batch queries from same client High overhead for single queries: 297.5s and 372MB (MNIST dataset) Cannot support: high-degree polynomials, comparisons, … [GDLLNW16] CryptoNets, ICML 2016 FHE: Fully homomorphic encryption (

13 MiniONN: Overview Blinded input Blinded predictions Low overhead: ~1s
By Source, Fair use, Blinded input oblivious protocols Blinded predictions We present a solution called MiniONN, which stands for minimizing the overhead for oblivious neural networks. We minimize overhead by only using lightweight primitives such as additively homomorphic encryption and secure two-party computation As a result, we achieves a *low* overhead with around *1s* for a single prediction. In additions, we support *all* commonly operations in neural networks. Low overhead: ~1s Support all common neural networks

14 All operations are in a finite field
Skip to performance Example It only has three layers: some layers represents linear transformation that consists multiplication by weight matrices and additions of biased vectors. These alternate with layers representing non-linear transformations that are called *activation layers* or *pooling layers*. Notice that X, z are sensitive to the client, whereas W and b are sensitive to the server. In order to transform all neural networks we need to be able transform linear transformations, activation functions and pooling operations This is what I am going to do in the next a few slides. For now, I assume all operations are in a finite field. Later I will show how to deal with floating-point numbers. All operations are in a finite field

15 Core idea: use secret sharing for oblivious computation
Skip to performance Core idea: use secret sharing for oblivious computation [LJLA17] MiniONN, ACM CCS 2017 client & server have shares and s.t. That is, at the beginning of each layer, each party will hold a share which is indistinguishable from random to that party, and which: if added together, can recover the original input. They will do the same thing for *all* layers and combine the shares in the end. This guarantees that if we can securely evaluate each layer, the *combination of all layers* will be secure as well. Next, I will show how to do this for each layer. In other words, I will show how to do this for linear transformation, activation function and pooling operation. client & server have shares and s.t. Use efficient cryptographic primitives (2PC, additively homomorphic encryption)

16 Secret sharing initial input
Skip to performance Secret sharing initial input To share the initial input, the client just randomly generates its own share x^c and calculates server’s share x^s as x minus x^c. Note that x^c is independent of x. So it can be pre-chosen. Note that xc is independent of x. Can be pre-chosen

17 Oblivious linear transformation
Skip to performance Oblivious linear transformation For the oblivious linear transformation layer, we start from the basic matrix multiplication. We can expand it and re-arrange it into this format. The key observation here is that this part can be computed locally by the server. The tricky part is here: W is only known by the server and x^c is only known by the client. They need to obliviously calculate the dot-product. Compute locally by the server Dot-product

18 Oblivious linear transformation: dot-product
Skip to performance Oblivious linear transformation: dot-product Homomorphic Encryption with SIMD Server decrypts the ciphertexts and adds together those plaintexts that corresponds to each row. Let’s call the result the vector *U*. Similarly, the client adds the r values that corresponds to each row. Let’s call the result the vector *V*. Notice that when you add the vectors U and V, the randomness will get cancelled. The result is exactly Wx^c. Notice that if we add together u and v, the random numbers got cancel out. Also notice that u v w x^c are indpendent Therefore the triplet U V x^c can be computed in a precomputation phase. We use SIMD technique to further improve the performance. SIMD represents single instruction multiple data. Since the ciphertext is much larger than the plaintext, so we batch multiple elements into one ciphertext. u + v = W•xc; Note: u, v, and W•xc are independent of x. <u,v,xc > generated/stored in a precomputation phase

19 Oblivious linear transformation
Skip to performance Oblivious linear transformation Now, this tricky part can be easily calculated by u plus v. Then the server just outputs this part to the next layer and the client outputs this part.

20 Oblivious linear transformation
Skip to performance Oblivious linear transformation We re-write them as y^s and y^c. Now, we have seen how to convert linear transformations into oblivious forms.

21 Recall: use secret sharing for oblivious computation
Skip to performance Recall: use secret sharing for oblivious computation client & server have shares and s.t. That is, at the beginning of each layer, each party will hold a share which is indistinguishable from random to that party, and which: if added together, can recover the original input. They will do the same thing for *all* layers and combine the shares in the end. This guarantees that if we can securely evaluate each layer, the *combination of all layers* will be secure as well. Next, I will show how to do this for each layer. In other words, I will show how to do this for linear transformation, activation function and pooling operation. client & server have shares and s.t.

22 Oblivious activation/pooling functions
Skip to performance Oblivious activation/pooling functions Piecewise linear functions e.g., ReLU: Oblivious ReLU: easily computed obliviously by a garbled circuit Next, let’s see how to do this for activation functions and pooling operations which are typically non-linear. We classify all such functions into two categories.

23 Oblivious activation/pooling functions
Skip to performance Oblivious activation/pooling functions Smooth functions e.g., Sigmoid: Oblivious sigmoid: approximate by a piecewise linear function then compute obliviously by a garbled circuit empirically: ~14 segments sufficient As we all know, it can be approximated by high-degree polynomials using Taylor series. However, it involves a large performance overhead and accuracy loss. Instead, we approximate it by a piecewise linear function. We first divided it into multiple segments That means given an input we first find the segment it belongs to and then calculate the corresponding garbled circuit and multiply with one. For other segments, we also calculate the garbled circuit but multiply with zero. Then we add together the results for all segments.

24 Combining the final result
They can jointly calculate max(y1,y2) (for minimizing information leakage)

25 Recall: use secret sharing for oblivious computation
Now, we have seen how to compute each layer obliviously

26 Performance (for single queries)
Skip to End Performance (for single queries) Model Latency (s) Msg sizes (MB) Loss of accuracy MNIST/Square 0.4 (+ 0.88) 44 (+ 3.6) none CIFAR-10/ReLU 472 (+ 72) 6226 (+ 3046) none PTB/Sigmoid 4.39 (+ 13.9) 474 (+ 86.7) Less than 0.5% (cross-entropy loss) We first want to do a head-to-head comparison with CryptoNets. We transform the same model trained from the MNIST dataset using square as the activation function. It uses 1.3 seconds for a single prediction, which is 300 times faster than CryptoNets. If we don‘t include the precomputaion time, it is 700 times faster. In addition, we want to show that our method can be applied to more challenging datasets. We trained a more complex model from the CIFAR-10 dataset. It uses ReLU as the activation function and consists of 20 layers. Even though the cost is high, but as far as we know, this is the first attempt for transforming such a complex network. We also trained a model from the Penn Treebank (PTB) dataset, which is a standard dataset for language modeling. The goal of the model is to predict the next words in a sentence given the previous words. We used Sigmoid as the activation function to train the model. During prediction, we replace sigmoid with our approximated version, and the cross-entropy loss only increase with 0.5%. Pre-computation phase timings in parentheses PTB = Penn Treebank

27 Skip to End MiniONN pros and cons x faster than CryptoNets Can transform any given neural network to its oblivious variant Still ~1000x slower than without privacy Server can no longer filter requests or do sophisticated metering Reveals structure (but not params) of NN

28 Hardware-security mechanisms are pervasive
Skip to End Hardware-security mechanisms are pervasive Other Software Trusted Software Protected Storage Root of Trust Hardware support for Isolated execution: Isolated Execution Environment Protected storage: Sealing Ability to convince remote verifiers: Remote Attestation Trusted Execuction Environments (TEEs) Operating in parallel with “rich execution environments” (REEs) Cryptocards Trusted Platform Modules ARM TrustZone Intel Software Guard Extensions [A+14] “Mobile Trusted Computing”, Proceedings of the IEEE, 102(8) (2014) [EKA14] “Untapped potential of trusted execution environments”, IEEE S&P Magazine, 12:04 (2014)

29 Using a server-side TEE to run the model
Skip to End Using a server-side TEE to run the model 3. Provision model configuration, filtering policy 1. Attest server’s NN Engine (in TEE) (model-independent) Neural Network Engine 2. Input 4. Prediction 2. Input MiniONN + policy filtering + advanced metering + performance + better model secrecy - harder to reason about client input privacy

30 ML is very fragile in adversarial settings
MiniONN: Efficiently transform any given neural network into oblivious form with no/negligible accuracy loss Try at: Trusted Computing can help realize improved security and privacy for ML ML is very fragile in adversarial settings [LJLA17] MiniONN, ACM CCS 2017, [KNLAS19] Private Decision Trees, PETS 2019 @nasokan

31 Securing cloud-assisted services
Cloud-assisted services raise new security/privacy concerns But naïve solutions may conflict with privacy, usability, deployability, … Solutions using Trusted hardware + cryptography Security Usability Deployability/Cost @nasokan [TLPEPA17] Circle Game, ACM ASIACCS 2017 [LJLA17] MiniONN, ACM CCS 2017, [KNLAS19] Private Decision Trees, PETS 2019

32 Supplementary material

33 Background: Kinibi on ARM TrustZone
Trusted Untrusted *Kinibi: Trusted OS from Trustonic Rich Execution Environment (REE) Trusted Execution Environment (TEE) Kinibi Trusted OS from Trustonic Remote attestation Establish a trusted channel Private memory Confidentiality Integrity Obliviousness Adversary Observe On-Chip Memory Client App Shared Memory Trusted App Rich OS Trusted OS (Kinibi) TrustZone Hardware Extensions

34 Background: Intel SGX CPU enforced TEE (enclave) Remote attestation
Trusted Untrusted OS System Memory CPU enforced TEE (enclave) Remote attestation Secure memory Confidentiality Integrity Obliviousness only within 4 KB page granularity Adversary Observe User Process Enclave Page Cache Enclave Enclave Code TEE (Encrypted & integrity-protected) App Data Enclave Data App Code Physical address space REE

35 Android app landscape On average a user installs 95 apps (Yahoo Aviate) Yahoo Aviate study Source: Unique new Android malware samples Source: G Data 2015: 2018: Current dictionary size < 224 entries Even comparatively “high” FPR (e.g., ~2-10) may have negligible impact on privacy

36 Cloud-scale PMT Verify Apps: cloud-based service to check for harmful Android apps prior to installation “… over 1 billion devices protected by Google’s security services, and over 400 million device security scans were conducted per day” Android Security 2015 Year in Review “2 billion+ Android devices checked per day” (c.f. < 17 million malware samples)

37 Performance: batch queries
Kinibi on ARM TrustZone Intel SGX

Download ppt "Securing Cloud-assisted Services"

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Operating System Security

Operating System Security
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Twin Clouds: An Architecture for Secure Cloud Computing Term Paper Presented by: Komala Priya Chitturi.

Twin Clouds: An Architecture for Secure Cloud Computing Term Paper Presented by: Komala Priya Chitturi.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.

CSCI 347 / CS 4206: Data Mining Module 07: Implementations Topic 03: Linear Models.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Computer System Architectures Computer System Software

Computer System Architectures Computer System Software
Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.

Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
CE01000-3 Operating Systems Lecture 3 Overview of OS functions and structure.

CE Operating Systems Lecture 3 Overview of OS functions and structure.
Database Laboratory Regular Seminar 2013-07-22 TaeHoon Kim Article.

Database Laboratory Regular Seminar TaeHoon Kim Article.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.

PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.

Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
CMSC 818J: Privacy enhancing technologies Lecture 2.

CMSC 818J: Privacy enhancing technologies Lecture 2.
Chapter 6: Securing the Cloud

Chapter 6: Securing the Cloud
Searchable Encryption in Cloud

Searchable Encryption in Cloud

Similar presentations

Ads by Google