Proceedings on Privacy Enhancing Technologies (Privacy Enhancing Technologies Symposium): latest publications
Summation-based Private Segmented Membership Test from Threshold-Fully Homomorphic Encryption
Nirajan Koirala, Jonathan Takeshita, Jeremy Stevens, Taeho Jung

In many real-world scenarios, there are cases where a client wishes to check if a data element they hold is included in a set segmented across a large number of data holders. To protect user privacy, the client's query and the data holders' sets should remain encrypted throughout the whole process. Prior work on Private Set Intersection (PSI), Multi-Party PSI (MPSI), Private Membership Test (PMT), and Oblivious RAM (ORAM) falls short in this scenario in many ways. They either require data holders to possess the sets in plaintext, incur prohibitively high latency for aggregating results from a large number of data holders, leak the information about the party holding the intersection element, or induce a high false-positive rate. This paper introduces the primitive of a Private Segmented Membership Test (PSMT). We give a basic construction of a protocol to solve PSMT using a threshold variant of approximate-arithmetic homomorphic encryption and show how to overcome existing challenges to construct a PSMT protocol without leaking information about the party holding the intersection element or false positives for a large number of data holders, ensuring IND-CPA^D security. Our novel approach is superior to existing state-of-the-art approaches in scalability with regard to the number of supported data holders. This is enabled by a novel summation-based homomorphic membership check rather than a product-based one, as well as various novel ideas addressing technical challenges. Our PSMT protocol supports many more parties (up to 4096 in experiments) compared to prior related work that supports only around 100 parties efficiently. Our experimental evaluation shows that our method's aggregation of results from data holders can run in 92.5s for 1024 data holders and a set size of 2^25, and our method's overhead increases very slowly with the increasing number of senders. We also compare our PSMT protocol to other state-of-the-art PSI and MPSI protocols and discuss our improvements in usability with a better privacy model and a larger number of parties.

DOI: 10.56553/popets-2024-0114. Proceedings on Privacy Enhancing Technologies 2024(4), pp. 209-225, published 2024-01-01. Open-access PDF: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12063338/pdf/. Citations: 0
Compact and Divisible E-Cash with Threshold Issuance
Alfredo Rial, Ania M. Piotrowska
Decentralized, offline, and privacy-preserving e-cash could fulfil the need for both scalable and Byzantine fault-resistant payment systems. Existing offline anonymous e-cash schemes are unsuitable for distributed environments due to a central bank. We construct a distributed offline anonymous e-cash scheme, in which the role of the bank is performed by a quorum of authorities, and present its two instantiations. Our first scheme is compact, i.e. the cost of the issuance protocol and the size of a wallet are independent of the number of coins issued, but the cost of payment grows linearly with the number of coins spent. Our second scheme is divisible and thus the cost of payments is also independent of the number of coins spent, but the verification of deposits is more costly. We provide formal security proofs of both schemes and compare the efficiency of their implementations.
DOI: 10.56553/popets-2023-0116. Proceedings on Privacy Enhancing Technologies, published 2023-10-01. Citations: 0
On the Robustness of Topics API to a Re-Identification Attack
Nikhil Jha, Martino Trevisan, Emilio Leonardi, Marco Mellia
Web tracking through third-party cookies is considered a threat to users' privacy and is supposed to be abandoned in the near future. Recently, Google proposed the Topics API framework as a privacy-friendly alternative for behavioural advertising. Using this approach, the browser builds a user profile based on navigation history, which advertisers can access. The Topics API has the possibility of becoming the new standard for behavioural advertising, thus it is necessary to fully understand its operation and find possible limitations. This paper evaluates the robustness of the Topics API to a re-identification attack where an attacker reconstructs the user profile by accumulating user's exposed topics over time to later re-identify the same user on a different website. Using real traffic traces and realistic population models, we find that the Topics API mitigates but cannot prevent re-identification to take place, as there is a sizeable chance that a user's profile is unique within a website's audience. Consequently, the probability of correct re-identification can reach 15-17%, considering a pool of 1,000 users. We offer the code and data we use in this work to stimulate further studies and the tuning of the Topic API parameters.
DOI: 10.56553/popets-2023-0098. Proceedings on Privacy Enhancing Technologies, published 2023-10-01. Citations: 0
DP-SIPS: A simpler, more scalable mechanism for differentially private partition selection
Marika Swanberg, Damien Desfontaines, Samuel Haney
Partition selection, or set union, is an important primitive in differentially private mechanism design: in a database where each user contributes a list of items, the goal is to publish as many of these items as possible under differential privacy. In this work, we present a novel mechanism for differentially private partition selection. This mechanism, which we call DP-SIPS, is very simple: it consists of iterating the naive algorithm over the data set multiple times, removing the released partitions from the data set while increasing the privacy budget at each step. This approach preserves the scalability benefits of the naive mechanism, yet its utility compares favorably to more complex approaches developed in prior work.
DOI: 10.56553/popets-2023-0109. Proceedings on Privacy Enhancing Technologies, published 2023-10-01. Citations: 0
Privacy-Preserving Federated Recurrent Neural Networks
Sinem Sav, Abdulrahman Diaa, Apostolos Pyrgelis, Jean-Philippe Bossuat, Jean-Pierre Hubaux
We present RHODE, a novel system that enables privacy-preserving training of and prediction on Recurrent Neural Networks (RNNs) in a cross-silo federated learning setting by relying on multiparty homomorphic encryption. RHODE preserves the confidentiality of the training data, the model, and the prediction data; and it mitigates federated learning attacks that target the gradients under a passive-adversary threat model. We propose a packing scheme, multi-dimensional packing, for a better utilization of Single Instruction, Multiple Data (SIMD) operations under encryption. With multi-dimensional packing, RHODE enables the efficient processing, in parallel, of a batch of samples. To avoid the exploding gradients problem, RHODE provides several clipping approximations for performing gradient clipping under encryption. We experimentally show that the model performance with RHODE remains similar to non-secure solutions both for homogeneous and heterogeneous data distributions among the data holders. Our experimental evaluation shows that RHODE scales linearly with the number of data holders and the number of timesteps, sub-linearly and sub-quadratically with the number of features and the number of hidden units of RNNs, respectively. To the best of our knowledge, RHODE is the first system that provides the building blocks for the training of RNNs and its variants, under encryption in a federated learning setting.
DOI: 10.56553/popets-2023-0122. Proceedings on Privacy Enhancing Technologies, published 2023-10-01. Citations: 0
Editors' Introduction
Michelle Mazurek, Micah Sherr
DOI: 10.56553/popets-2023-0094. Proceedings on Privacy Enhancing Technologies, published 2023-10-01. Citations: 0
Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)
Nikita Samarin, Shayna Kothari, Zaina Siyed, Oscar Bjorkman, Reena Yuan, Primal Wijesekera, Noura Alomar, Jordan Fischer, Chris Hoofnagle, Serge Egelman
The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app's developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only categorical information). However, a significant percentage of apps collected information that was not disclosed, including identifiers (55 apps, 80%), geolocation data (21 apps, 30%), and sensory data (18 apps, 26%) among other categories. We discuss improvements to the CCPA that could help app developers comply with "right to know" requests and other related regulations.
DOI: 10.56553/popets-2023-0072. Proceedings on Privacy Enhancing Technologies, published 2023-07-01. Citations: 0
Editors' Introduction
Michelle Mazurek, Micah Sherr
DOI: 10.56553/popets-2023-0066. Proceedings on Privacy Enhancing Technologies, published 2023-07-01. Citations: 0
Story Beyond the Eye: Glyph Positions Break PDF Text Redaction
Maxwell Bland, Anushya Iyer, Kirill Levchenko
In this work we find that many current redactions of PDF text are insecure due to non-redacted character positioning information. In particular, subpixel-sized horizontal shifts in redacted and non-redacted characters can be recovered and used to effectively deredact first and last names. Unfortunately these findings affect redactions where the text underneath the black box is removed from the PDF. We demonstrate these findings by performing a comprehensive vulnerability assessment of common PDF redaction types. We examine 11 popular PDF redaction tools, including Adobe Acrobat, and find that they leak information about redacted text. We also effectively deredact hundreds of real-world PDF redactions, including those found in OIG investigation reports and FOIA responses. To correct the problem, we have released open source algorithms to fix vulnerable redactions and reduce the amount of information leaked by nonexcising redactions (where the text underneath the redaction is copy-pastable). We have also notified the developers of the studied redaction tools. We have notified the Office of Inspector General, the Free Law Project, PACER, Adobe, Microsoft, and the US Department of Justice. We are working with several of these groups to prevent our discoveries from being used for malicious purposes.
DOI: 10.56553/popets-2023-0069. Proceedings on Privacy Enhancing Technologies, published 2023-07-01. Citations: 2
Blocking JavaScript Without Breaking the Web: An Empirical Investigation
Abdul Haddi Amjad, Zubair Shafiq, Muhammad Ali Gulzar
Modern websites heavily rely on JavaScript (JS) to implement legitimate functionality as well as privacy-invasive advertising and tracking. Browser extensions such as NoScript block any script not loaded by a trusted list of endpoints, thus hoping to block privacy-invasive scripts while avoiding breaking legitimate website functionality. In this paper, we investigate whether blocking JS on the web is feasible without breaking legitimate functionality. To this end, we conduct a large-scale measurement study of JS blocking on 100K websites. We evaluate the effectiveness of different JS blocking strategies in tracking prevention and functionality breakage. Our evaluation relies on quantitative analysis of network requests and resource loads as well as manual qualitative analysis of visual breakage. First, we show that while blocking all scripts is quite effective at reducing tracking, it significantly degrades functionality on approximately two-thirds of the tested websites. Second, we show that selective blocking of a subset of scripts based on a curated list achieves a better trade-off. However, there remain approximately 15% “mixed” scripts, which essentially merge tracking and legitimate functionality and thus cannot be blocked without causing website breakage. Finally, we show that fine-grained blocking of a subset of JS methods, instead of scripts, reduces major breakage by 3.8× while providing the same level of tracking prevention. Our work highlights the promise and open challenges in fine-grained JS blocking for tracking prevention without breaking the web.
DOI: 10.56553/popets-2023-0087 (https://doi.org/10.56553/popets-2023-0087). Journal article, published 2023-07-01 in Proceedings on Privacy Enhancing Technologies. Privacy Enhancing Technologies Symposium (Semantic Scholar paper id 135111118).
Citations: 0