
2014 IEEE 27th Computer Security Foundations Symposium: latest publications

Mignis: A Semantic Based Tool for Firewall Configuration
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.32
P. Adão, Claudio Bozzato, G. Rossi, R. Focardi, F. Luccio
The management and specification of access control rules that enforce a given policy is a non-trivial, complex, and time-consuming task. In this paper we aim at simplifying this task both at specification and verification levels. For that, we propose a formal model of Netfilter, a firewall system integrated in the Linux kernel. We define an abstraction of the concepts of chains, rules, and packets existent in Netfilter configurations, and give a semantics that mimics packet filtering and address translation. We then introduce a simple but powerful language that permits one to specify firewall configurations that are unaffected by the relative ordering of rules, and that does not depend on the underlying Netfilter chains. We give a semantics for this language and show that it can be translated into our Netfilter abstraction. We then present Mignis, a publicly available tool that translates abstract firewall specifications into real Netfilter configurations. Mignis is currently used to configure the whole firewall of the DAIS Department of Ca' Foscari University.
Citations: 29
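The abstract's central point is that an order-independent specification is easier to get right than an ordered Netfilter chain, because first-match evaluation makes the verdict depend on where a rule sits. The following is an added example and not Mignis code: it models packets and rules, gives the abstract specification an assumed "deny overrides" semantics (our assumption, not the paper's), compiles it to an ordered chain that first-match evaluation interprets the same way however the spec was written, and renders the chain as iptables commands. The sample policy and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def netfilter_decide(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First-match evaluation of a Netfilter chain: the verdict of the first
    matching rule wins, so the relative order of rules matters."""
    for r in chain:
        if r.matches(p):
            return r.action
    return policy


def abstract_decide(spec: List[Rule], p: Packet) -> str:
    """Assumed order-independent semantics for the abstract specification: a
    packet is accepted iff some ACCEPT rule matches and no DROP rule matches.
    This 'deny overrides' reading is our assumption, not Mignis's semantics."""
    accepted = any(r.matches(p) for r in spec if r.action == "ACCEPT")
    dropped = any(r.matches(p) for r in spec if r.action == "DROP")
    return "ACCEPT" if accepted and not dropped else "DROP"


def compile_to_chain(spec: List[Rule]) -> List[Rule]:
    """Translate the unordered spec into an ordered chain whose first-match
    evaluation agrees with abstract_decide: every DROP rule is emitted before
    any ACCEPT rule, so the order inside the spec no longer matters."""
    drops = [r for r in spec if r.action == "DROP"]
    accepts = [r for r in spec if r.action == "ACCEPT"]
    return drops + accepts


def to_iptables(chain: List[Rule], chain_name: str = "FORWARD") -> List[str]:
    """Render the ordered chain as iptables commands, appended in order."""
    lines = []
    for r in chain:
        port = f" -p tcp --dport {r.dport}" if r.dport is not None else ""
        lines.append(f"iptables -A {chain_name} -s {r.src} -d {r.dst}{port} -j {r.action}")
    return lines


def order_independent(spec: List[Rule], p: Packet) -> bool:
    """True iff every permutation of the spec compiles to a chain that gives
    the abstract verdict for packet p."""
    want = abstract_decide(spec, p)
    return all(netfilter_decide(compile_to_chain(list(perm)), p) == want
               for perm in permutations(spec))


# Constructed sample policy: the 10/8 network may reach the web server on
# port 80, except the 10.0.5.0/24 subnet, which must be blocked entirely.
SAMPLE_SPEC = [
    Rule("ACCEPT", "10.0.0.0/8", "192.168.1.10/32", 80),
    Rule("DROP", "10.0.5.0/24", "192.168.1.10/32", None),
]

if __name__ == "__main__":
    p = Packet("10.0.5.3", "192.168.1.10", 80)
    print("abstract verdict:", abstract_decide(SAMPLE_SPEC, p))
    print("spec order used as a chain:", netfilter_decide(SAMPLE_SPEC, p))
    print("compiled chain:", netfilter_decide(compile_to_chain(SAMPLE_SPEC), p))
    print("\n".join(to_iptables(compile_to_chain(SAMPLE_SPEC))))
```

Loading the spec into a chain in the order it was written accepts the packet from 10.0.5.3, because the ACCEPT rule matches first; the compiled chain drops it, and does so for every permutation of the spec. The real tool has to handle far more (NAT, multiple chains, overlapping rule sets), but the compile step is where order sensitivity is removed.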
Provably Sound Browser-Based Enforcement of Web Session Integrity
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.33
M. Bugliesi, Stefano Calzavara, R. Focardi, Wilayat Khan, M. Tempesta
Enforcing protection at the browser side has recently become a popular approach for securing web authentication. Though interesting, existing attempts in the literature only address specific classes of attacks, and thus fall short of providing robust foundations to reason on web authentication security. In this paper we provide such foundations, by introducing a novel notion of web session integrity, which allows us to capture many existing attacks and spot some new ones. We then propose FF+, a security-enhanced model of a web browser that provides a full-fledged and provably sound enforcement of web session integrity. We leverage our theory to develop SessInt, a prototype extension for Google Chrome implementing the security mechanisms formalized in FF+. SessInt provides a level of security very close to FF+, while keeping an eye on usability and user experience.
Citations: 26
A Sound Abstraction of the Parsing Problem
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.26
S. Mödersheim, Georgios Katsoris
In formal verification, cryptographic messages are often represented by algebraic terms. This abstracts not only from the intricate details of the real cryptography, but also from the details of the non-cryptographic aspects: the actual formatting and structuring of messages. We introduce a new algebraic model to include these details and define a small, simple language to precisely describe message formats. We support fixed-length fields, variable-length fields with offsets, tags, and encodings into smaller alphabets like Base64, thereby covering both classical formats as in TLS and modern XML-based formats. We define two reasonable properties for a set of formats used in a protocol suite. First, each format should be unambiguous: any string can be parsed in at most one way. Second, the formats should be pairwise disjoint: a string can be parsed as at most one of the formats. We show how to easily establish these properties for many practical formats. By replacing the formats with free function symbols we obtain an abstract model that is compatible with all existing verification tools. We prove that the abstraction is sound for unambiguous, disjoint formats: there is an attack in the concrete message model if there is one in the abstract message model. Finally we present highlights of a practical case study on TLS.
Citations: 14
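The two properties the abstract asks of a protocol's formats, unambiguous and pairwise disjoint, are easiest to appreciate on a concrete format language. The following is an added example, not the paper's model or tool: a miniature format language with tags, fixed-length fields and one-byte length-prefixed variable fields (our own encoding choice), a parser that by construction returns at most one parse, and a sufficient check for pairwise disjointness based on leading tags. The formats at the end are constructed to show why disjointness matters: two formats that share a tag let one honest message be read as a valid message of the other format, the kind of type-flaw confusion that the free-function-symbol abstraction would not see.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Union


@dataclass(frozen=True)
class Tag:        # constant bytes that identify the format
    value: bytes


@dataclass(frozen=True)
class Fixed:      # fixed-length field
    name: str
    length: int


@dataclass(frozen=True)
class Var:        # variable-length field preceded by a one-byte length (assumed encoding)
    name: str


Field = Union[Tag, Fixed, Var]
Format = Sequence[Field]


def parse(fmt: Format, data: bytes) -> Optional[Dict[str, bytes]]:
    """Return the unique parse of `data` as `fmt`, or None.

    Each field consumes a byte count fixed either by the format or by the
    length byte already read, and the whole input must be consumed, so any
    string parses in at most one way: formats in this language are
    unambiguous by construction."""
    out: Dict[str, bytes] = {}
    i = 0
    for f in fmt:
        if isinstance(f, Tag):
            if data[i:i + len(f.value)] != f.value:
                return None
            i += len(f.value)
        elif isinstance(f, Fixed):
            if len(data) - i < f.length:
                return None
            out[f.name] = data[i:i + f.length]
            i += f.length
        else:
            if i >= len(data):
                return None
            n = data[i]
            i += 1
            if len(data) - i < n:
                return None
            out[f.name] = data[i:i + n]
            i += n
    return out if i == len(data) else None


def serialize(fmt: Format, fields: Dict[str, bytes]) -> bytes:
    """Inverse of parse for well-formed field values."""
    buf = bytearray()
    for f in fmt:
        if isinstance(f, Tag):
            buf += f.value
        elif isinstance(f, Fixed):
            v = fields[f.name]
            if len(v) != f.length:
                raise ValueError(f"{f.name}: expected {f.length} bytes")
            buf += v
        else:
            v = fields[f.name]
            if len(v) > 255:
                raise ValueError(f"{f.name}: too long for a one-byte length")
            buf += bytes([len(v)]) + v
    return bytes(buf)


def disjoint(a: Format, b: Format) -> bool:
    """Sufficient condition for pairwise disjointness: both formats start with
    a tag and neither tag is a prefix of the other, so no string can be parsed
    as both. Formats without a leading tag are conservatively reported as not
    disjoint."""
    if not (a and b and isinstance(a[0], Tag) and isinstance(b[0], Tag)):
        return False
    ta, tb = a[0].value, b[0].value
    return not (ta.startswith(tb) or tb.startswith(ta))


# Constructed key-transport formats. FMT_B_BAD reuses tag 0x01 with the fields
# swapped, so a valid FMT_A message is also a valid FMT_B_BAD message whose
# "key" is the sender's nonce plus half of the real key. FMT_B_GOOD fixes this
# with a distinct tag. FMT_C shows that a tag which merely extends another
# tag is not enough for disjointness either.
FMT_A = (Tag(b"\x01"), Fixed("nonce", 8), Fixed("key", 16))
FMT_B_BAD = (Tag(b"\x01"), Fixed("key", 16), Fixed("nonce", 8))
FMT_B_GOOD = (Tag(b"\x02"), Fixed("key", 16), Fixed("nonce", 8))
FMT_C = (Tag(b"\x01\x00"), Var("body"))
```

In this language unambiguity comes for free from the parser structure; the property that still has to be checked per protocol suite is disjointness, and `disjoint` is the check a practitioner would run over every pair of formats before trusting an abstract (term-based) proof to carry over to the wire format.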
Portable Software Fault Isolation
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.10
Joshua A. Kroll, Gordon Stewart, A. Appel
We present a new technique for architecture-portable software fault isolation (SFI), together with a prototype implementation in the Coq proof assistant. Unlike traditional SFI, which relies on analysis of assembly-level programs, we analyze and rewrite programs in a compiler intermediate language, the Cminor language of the CompCert C compiler. But like traditional SFI, the compiler remains outside of the trusted computing base. By composing our program transformer with the verified back-end of CompCert and leveraging CompCert's formally proved preservation of the behavior of safe programs, we can obtain binary modules that satisfy the SFI memory safety policy for any of CompCert's supported architectures (currently: PowerPC, ARM, and x86-32). This allows the same SFI analysis to be used across multiple architectures, greatly simplifying the most difficult part of deploying trustworthy SFI systems.
Citations: 26
On Dynamic Flow-Sensitive Floating-Label Systems
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.13
Pablo Buiras, D. Stefan, Alejandro Russo
Flow-sensitive analysis for information-flow control (IFC) allows data structures to have mutable security labels, i.e., labels that can change over the course of the computation. This feature is often used to boost the permissiveness of the IFC monitor, by rejecting fewer programs, and to reduce the burden of explicit label annotations. However, when added naively, in a purely dynamic setting, mutable labels can expose a high bandwidth covert channel. In this work, we present an extension for LIO, a language-based floating-label system, that safely handles flow-sensitive references. The key insight to safely manipulating the label of a reference is to not only consider the label on the data stored in the reference, i.e., the reference label, but also the label on the reference label itself. Taking this into consideration, we provide an upgrade primitive that can be used to change the label of a reference in a safe manner. To eliminate the burden of determining when a reference should be upgraded, we additionally provide a mechanism for automatic upgrades. Our approach naturally extends to a concurrent setting, not previously considered by dynamic flow-sensitive systems. For both our sequential and concurrent calculi, we prove non-interference by embedding the flow-sensitive system into the flow-insensitive LIO calculus, a surprising result on its own.
Citations: 24
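The abstract names the problem (naively mutable labels open a covert channel) and the fix (also track the label on the reference label, and change labels only through an explicit upgrade) without showing either. The following is an added example and not the LIO implementation: a two-point-lattice floating-label monitor in which a write in a secret context silently raises a public reference's label, a public observer reads that label back, and one bit leaks; the guarded version refuses the upgrade because the current label does not flow to the label's own label. Names, the two-point lattice, and the convention that a fresh reference's label is itself public are our assumptions.

```python
LOW, HIGH = 0, 1   # two-point lattice, LOW below HIGH


def join(a: int, b: int) -> int:
    return max(a, b)


def flows_to(a: int, b: int) -> bool:
    return a <= b


class IFCError(Exception):
    """Raised when the monitor stops an operation that would leak."""


class Ref:
    """Flow-sensitive reference: `label` protects `value`, and `label_label`
    protects `label` itself. Assumption: a fresh reference's label is LOW."""

    def __init__(self, label: int, value, label_label: int = LOW):
        self.label = label
        self.label_label = label_label
        self.value = value


class Monitor:
    """Floating-label monitor: `pc` is the label of everything observed so far."""

    def __init__(self):
        self.pc = LOW

    def read(self, ref: Ref):
        self.pc = join(self.pc, ref.label)
        return ref.value

    def label_of(self, ref: Ref) -> int:
        # Inspecting a label taints pc with the label's own label only.
        self.pc = join(self.pc, ref.label_label)
        return ref.label

    def write_naive(self, ref: Ref, v) -> None:
        # Naive flow-sensitive write: silently raise the label to cover pc.
        ref.label = join(ref.label, self.pc)
        ref.value = v

    def write(self, ref: Ref, v) -> None:
        # Guarded write: the label is not changed here; pc must already flow to it.
        if not flows_to(self.pc, ref.label):
            raise IFCError("write would leak pc into the reference")
        ref.value = v

    def upgrade(self, ref: Ref, new_label: int) -> None:
        # Raising a label is observable by whoever may see the label, so pc
        # must flow to label_label; afterwards the label depends on pc.
        if not flows_to(self.pc, ref.label_label):
            raise IFCError("upgrade would leak pc through the label")
        ref.label = join(ref.label, new_label)
        ref.label_label = join(ref.label_label, self.pc)


def observe_label(ref: Ref) -> int:
    """What a LOW observer learns by inspecting the reference's label."""
    obs = Monitor()
    lab = obs.label_of(ref)
    if obs.pc != LOW:
        raise IFCError("observer would be tainted; not a LOW observation")
    return lab


def naive_scenario(secret: bool) -> int:
    """Covert channel: a HIGH-context write to a LOW reference raises its
    label, and the raised label is visible to a LOW observer."""
    low_ref = Ref(LOW, 0)
    m = Monitor()
    if m.read(Ref(HIGH, secret)):      # pc is now HIGH
        m.write_naive(low_ref, 1)
    return observe_label(low_ref)      # HIGH iff secret: one bit leaked


def guarded_scenario(secret: bool) -> int:
    """Same attacker code against the guarded monitor: the upgrade is refused."""
    low_ref = Ref(LOW, 0)
    m = Monitor()
    if m.read(Ref(HIGH, secret)):      # pc is now HIGH
        try:
            m.upgrade(low_ref, HIGH)   # HIGH does not flow to label_label LOW
            m.write(low_ref, 1)
        except IFCError:
            pass
    return observe_label(low_ref)      # LOW whatever the secret is


def legitimate_upgrade() -> int:
    """Upgrading while pc is LOW is allowed and leaves label_label LOW, so a
    later HIGH-context write succeeds without leaking anything."""
    ref = Ref(LOW, 0)
    m = Monitor()
    m.upgrade(ref, HIGH)               # LOW flows to LOW: permitted
    m.read(Ref(HIGH, True))            # pc becomes HIGH
    m.write(ref, 42)                   # HIGH flows to HIGH: permitted
    return ref.value


def high_write_to_low_denied() -> bool:
    """The guarded write never raises a label on its own."""
    m = Monitor()
    m.read(Ref(HIGH, True))
    try:
        m.write(Ref(LOW, 0), 1)
    except IFCError:
        return True
    return False
```

The observer in `naive_scenario` never reads the secret and its own label stays LOW, yet it distinguishes `secret=True` from `secret=False` by the label alone. `guarded_scenario` is the same attacker code under the label-on-label rule; `legitimate_upgrade` shows that the rule still permits the intended use, raising a label ahead of time from a context that is allowed to do so.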
Balancing Societal Security and Individual Privacy: Accountable Escrow System
Pub Date : 2014-07-19 DOI: 10.1109/CSF.2014.37
Jia Liu, M. Ryan, Liqun Chen
Privacy is a core human need, but society sometimes has the requirement to do targeted, proportionate investigations in order to provide security. To reconcile individual privacy and societal security, we explore whether we can have surveillance in a form that is verifiably accountable to citizens. This means that citizens get verifiable proofs of the quantity and nature of the surveillance that actually takes place. In our scheme, governments are held accountable for the extent to which they exercise their surveillance power, and political parties can pledge in election campaigns their intention about reducing (or increasing) this figure. We propose a general idea of accountable escrow for reconciling and balancing the requirements of individual privacy and societal security. We design a balanced cryptosystem for asynchronous communication (e.g., email). We propose a novel method for escrowing the decryption capability in public-key cryptography. A government can decrypt it in order to conduct targeted surveillance, but doing so necessarily puts records in a public log against which the government is held accountable.
Citations: 11
Proving Differential Privacy in Hoare Logic
Pub Date : 2014-07-10 DOI: 10.1109/CSF.2014.36
G. Barthe, Marco Gaboardi, E. J. G. Arias, Justin Hsu, César Kunz, Pierre-Yves Strub
Differential privacy is a rigorous, worst-case notion of privacy-preserving computation. Informally, a probabilistic program is differentially private if the participation of a single individual in the input database has a limited effect on the program's distribution on outputs. More technically, differential privacy is a quantitative 2-safety property that bounds the distance between the output distributions of a probabilistic program on adjacent inputs. Like many 2-safety properties, differential privacy lies outside the scope of traditional verification techniques. Existing approaches to enforce privacy are based on intricate, non-conventional type systems, or customized relational logics. These approaches are difficult to implement and often cumbersome to use. We present an alternative approach that verifies differential privacy by standard, non-relational reasoning on non-probabilistic programs. Our approach transforms a probabilistic program into a non-probabilistic program which simulates two executions of the original program. We prove that if the target program is correct with respect to a Hoare specification, then the original probabilistic program is differentially private. We provide a variety of examples from the differential privacy literature to demonstrate the utility of our approach. Finally, we compare our approach with existing verification techniques for privacy.
Citations: 57
Differential Privacy: An Economic Method for Choosing Epsilon
Pub Date : 2014-02-13 DOI: 10.1109/CSF.2014.35
Justin Hsu, Marco Gaboardi, Andreas Haeberlen, S. Khanna, Arjun Narayan, B. Pierce, Aaron Roth
Differential privacy is becoming a gold standard notion of privacy; it offers a guaranteed bound on loss of privacy due to release of query results, even under worst-case assumptions. The theory of differential privacy is an active research area, and there are now differentially private algorithms for a wide range of problems. However, the question of when differential privacy works in practice has received relatively little attention. In particular, there is still no rigorous method for choosing the key parameter ε, which controls the crucial tradeoff between the strength of the privacy guarantee and the accuracy of the published results. In this paper, we examine the role of these parameters in concrete applications, identifying the key considerations that must be addressed when choosing specific values. This choice requires balancing the interests of two parties with conflicting objectives: the data analyst, who wishes to learn something about the data, and the prospective participant, who must decide whether to allow their data to be included in the analysis. We propose a simple model that expresses this balance as formulas over a handful of parameters, and we use our model to choose ε on a series of simple statistical studies. We also explore a surprising insight: in some circumstances, a differentially private study can be more accurate than a non-private study for the same cost, under our model. Finally, we discuss the simplifying assumptions in our model and outline a research agenda for possible refinements.
Citations: 267
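Both differential-privacy abstracts above rest on the same definition: on two adjacent inputs, the output distributions of the mechanism may differ by a factor of at most e^ε (the "quantitative 2-safety property" of the Hoare-logic paper), and ε is also the knob that sets accuracy (the trade-off the epsilon paper models). The following is an added example from neither paper: the Laplace mechanism for a counting query, a direct check of the privacy-loss bound on a constructed pair of adjacent databases, and the expected error as a function of ε. The database, predicate and parameters are constructed for the demonstration; the economic model of the second paper is not reproduced here.

```python
import math
import random
from typing import Callable, Optional, Sequence

Row = dict
Predicate = Callable[[Row], bool]


def count_query(db: Sequence[Row], pred: Predicate) -> int:
    return sum(1 for row in db if pred(row))


def adjacent(db1: Sequence[Row], db2: Sequence[Row]) -> bool:
    """Adjacent databases differ by the presence of exactly one row."""
    a, b = (db1, db2) if len(db1) >= len(db2) else (db2, db1)
    if len(a) - len(b) != 1:
        return False
    return any(list(a[:i]) + list(a[i + 1:]) == list(b) for i in range(len(a)))


def laplace_mechanism(db: Sequence[Row], pred: Predicate, eps: float,
                      seed: Optional[int] = None) -> float:
    """Release count(db) + Lap(Δ/ε). A counting query has sensitivity Δ = 1:
    adding or removing one row changes the count by at most 1."""
    rng = random.Random(seed)
    b = 1.0 / eps
    # The difference of two independent Exp(1/b) draws is Laplace(0, b).
    return count_query(db, pred) + rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)


def privacy_loss(y: float, c1: int, c2: int, b: float) -> float:
    """log p1(y)/p2(y) for Lap(c1, b) against Lap(c2, b). The normalising
    constant 1/(2b) cancels, leaving (|y-c2| - |y-c1|)/b."""
    return (abs(y - c2) - abs(y - c1)) / b


def max_privacy_loss(db1: Sequence[Row], db2: Sequence[Row], pred: Predicate,
                     eps: float, grid=range(-50, 51)) -> float:
    """Differential privacy as a 2-safety property: for adjacent db1, db2 the
    worst case of |log p1(y)/p2(y)| over outputs y must be at most eps. For
    the Laplace mechanism it equals |c1-c2|/b <= Δ/b = eps (triangle
    inequality), which the grid evaluation reproduces."""
    if not adjacent(db1, db2):
        raise ValueError("db1 and db2 are not adjacent")
    b = 1.0 / eps
    c1, c2 = count_query(db1, pred), count_query(db2, pred)
    return max(abs(privacy_loss(y, c1, c2, b)) for y in grid)


def expected_abs_error(eps: float, sensitivity: float = 1.0) -> float:
    """E|Lap(b)| = b = Δ/ε: the accuracy cost of a stronger guarantee.
    Halving ε doubles the expected error of the released count."""
    return sensitivity / eps


# Constructed sample database and an adjacent neighbour (last row removed).
DB1 = [{"age": 34, "positive": True}, {"age": 51, "positive": False},
       {"age": 29, "positive": True}, {"age": 62, "positive": True}]
DB2 = DB1[:-1]


def is_positive(row: Row) -> bool:
    return row["positive"]


if __name__ == "__main__":
    for eps in (1.0, 0.5, 0.1):
        print(f"eps={eps}: released={laplace_mechanism(DB1, is_positive, eps, seed=7):.2f}, "
              f"max loss={max_privacy_loss(DB1, DB2, is_positive, eps):.3f}, "
              f"expected error={expected_abs_error(eps):.1f}")
```

`max_privacy_loss` is the definition evaluated directly on one pair of inputs; a proof, such as the product-program reasoning the Hoare-logic paper describes, has to establish the same bound for every adjacent pair and every output at once. The last loop shows the trade-off the epsilon paper is about: lowering ε from 1.0 to 0.1 tightens the bound by a factor of ten and multiplies the expected error of the released count by the same factor.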
A Peered Bulletin Board for Robust Use in Verifiable Voting Systems
Pub Date : 2014-01-16 DOI: 10.1109/CSF.2014.20
C. Culnane, Steve A. Schneider
The Secure Web Bulletin Board (WBB) is a key component of verifiable election systems. However, there is very little in the literature on their specification, design and implementation, and there are no formally analysed designs. The WBB is used in the context of election verification to publish evidence of voting and tallying that voters and officials can check, and where challenges can be launched in the event of malfeasance. In practice, the election authority has responsibility for implementing the web bulletin board correctly and reliably, and will wish to ensure that it behaves correctly even in the presence of failures and attacks. To ensure robustness, an implementation will typically use a number of peers to be able to provide a correct service even when some peers go down or behave dishonestly. In this paper we propose a new protocol to implement such a Web Bulletin Board, motivated by the needs of the vVote verifiable voting system. Using a distributed algorithm increases the complexity of the protocol and requires careful reasoning in order to establish correctness. Here we use the Event-B modelling and refinement approach to establish correctness of the peered design against an idealised specification of the bulletin board behaviour. In particular we have shown that for n peers, a threshold of t > 2n/3 peers behaving correctly is sufficient to ensure correct behaviour of the bulletin board distributed design. The algorithm also behaves correctly even if honest or dishonest peers temporarily drop out of the protocol and then return. The verification approach also establishes that the protocols used within the bulletin board do not interfere with each other. This is the first time a peered secure web bulletin board suite of protocols has been formally verified.
Citations: 72
Journal
2014 IEEE 27th Computer Security Foundations Symposium