3)? 18 ±700 Noise ; add a certain amount of noise to results ?!?"> 3)? 18 ±700 Noise ; add a certain amount of noise to results ?!?">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

A. Haeberlen Differential Privacy Under Fire 1 USENIX Security (August 12, 2011) Andreas Haeberlen Benjamin C. Pierce Arjun Narayan University of Pennsylvania.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A. Haeberlen Differential Privacy Under Fire 1 USENIX Security (August 12, 2011) Andreas Haeberlen Benjamin C. Pierce Arjun Narayan University of Pennsylvania."— Presentation transcript:

1 A. Haeberlen Differential Privacy Under Fire 1 USENIX Security (August 12, 2011) Andreas Haeberlen Benjamin C. Pierce Arjun Narayan University of Pennsylvania

2 A. Haeberlen Motivation: Protecting privacy Lots of potentially useful data exists But: Releasing it can violate privacy! We can try to anonymize/scrub it… … but this can go horribly wrong (see Netflix, AOL, …) 2 USENIX Security (August 12, 2011) Alice (Star Wars, 5)(Alien, 4) Bob (Godfather, 1)(Porn, 5) Cindy(Die Hard, 4)(Toy Story, 2) Dave(Avatar, 5)(Gandhi, 4) Eva(Amélie, 4)(Rocky, 1)... Better recom- mendations? Does Bob watch porn? Data #1 #2 #3 #4 #5 I know Bob hates 'Godfather'

3 A. Haeberlen Promising approach: Differential privacy Idea: Use differential privacy [Dwork et al.] Only allow queries [lots of mathematical details omitted] Result: Strong, provable privacy guarantees Implemented, e.g., by PINQ [McSherry] and Airavat [Roy et al.] 3 USENIX Security (August 12, 2011) Alice (Star Wars, 5)(Alien, 4) Bob (Godfather, 1)(Porn, 5) Cindy(Die Hard, 4)(Toy Story, 2) Dave(Avatar, 5)(Gandhi, 4) Eva(Amélie, 4)(Rocky, 1)... Private data N(Star Wars>3, Alien>3)? 826,392 ±100 N("Bob", Porn>3)? 18 ±700 Noise ; add a certain amount of noise to results ?!?

4 A. Haeberlen Differential Privacy under Fire What if the adversary uses a covert channel? Devastating effect on privacy guarantees Usual defenses are not strong enough (can't leak even one bit!) We show: Working attacks An effective (domain-specific) defense 4 USENIX Security (August 12, 2011) Alice (Star Wars, 5)(Alien, 4) Bob (Godfather, 1)(Porn, 5) Cindy(Die Hard, 4)(Toy Story, 2) Dave(Avatar, 5)(Gandhi, 4) Eva(Amélie, 4)(Rocky, 1)... Private data (special query) (noised response) YES Does Bob watch porn?

5 A. Haeberlen Outline Motivation Differential Privacy primer Attacks on PINQ and Airavat Our defense The Fuzz system Evaluation 5 USENIX Security (August 12, 2011) NEXT

6 A. Haeberlen ? Background: Queries Queries are programs PINQ is based on C#, Airavat on MapReduce These programs have a specific structure Some overall program logic, e.g., aggregation Some computation on each database row (microquery) 6 USENIX Security (August 12, 2011) noisy sum, foreach r in db, of { } Data if (r.score("Godfather")>4) then return 1 else return 0 Microquery

7 A. Haeberlen Background: Sensitivity How much noise should we add to results? Depends on how much the output can change if we add or remove a single row (the sensitivity of the query) 7 USENIX Security (August 12, 2011) noisy sum,  r in db, of { if (r.score("Godfather")>4) then return 1200 else return 200 } noisy sum,  r in db, of { if (r.score("Godfather")>4) then return 1 else return 0 } Sensitivity 1 Sensitivity 1,000

8 A. Haeberlen Background: Privacy budget How many queries should we answer? Set up a privacy 'budget' for answering queries Deduct a 'cost' for each query, depending on 'how private' it is 8 USENIX Security (August 12, 2011) Data Privacy budget noisy sum,  r in db, of { if (r.score("Godfather")>4) then return 1 else return 0 } Query Answer

9 A. Haeberlen Covert-channel attacks The above query...... is differentially private (sensitivity zero)... takes 1 second longer if the database contains Bob's data Result: Adversary can learn private information with certainty! Other channels we have exploited: Privacy budget Global state 9 USENIX Security (August 12, 2011) noisy sum, foreach r in db, of { if (r.name=="Bob" && r.hasRating("Porn")) then { loop(1 second); }; return 0 } expensive_subquery(); b=1; b

10 A. Haeberlen Our attacks work in practice Both PINQ and Airavat are vulnerable What went wrong? The authors were aware of this attack vector Both papers discuss some ideas for possible defenses But: Neither system has a defense that is fully effective 10 USENIX Security (August 12, 2011)

11 A. Haeberlen Threat model Too many channels!! Is it hopeless? Reasonable assumption: Querier is remote This leaves just three channels: The actual answer to the query The time until the answer arrives The decision whether the remaining budget is sufficient 11 USENIX Security (August 12, 2011) Memory consumption Electromagnetic radiation Power Cache usage Sound Light Query completion time Privacy budget Answer Query Short-range channels

12 A. Haeberlen Our approach We can close the remaining channels completely through a combination of systems and PL techniques Language design rules out state attacks etc. Example: Simply don't allow global variables! Program analysis closes the budget channel Idea: Statically determine the 'cost' of a query before running it Uses a novel type system [Reed and Pierce] Special runtime to close the timing channel 12 USENIX Security (August 12, 2011) Details in the paper NEXT

13 A. Haeberlen Plugging the timing channel How to avoid leaking information via query completion time? Could treat time as an additional output But: Unclear how to determine sensitivity Our approach: Make timing predictable If time does not depend on the contents of the database, it cannot leak information 13 USENIX Security (August 12, 2011)

14 A. Haeberlen Timeouts and default values Querier specifies for each microquery: a timeout T, and a default value d Each time the microquery processes a row: If completed in less than T, wait If not yet complete at T, abort and proceed to next row 14 USENIX Security (August 12, 2011)

15 A. Haeberlen Example: Timeouts and default values 15 USENIX Security (August 12, 2011) noisy sum,  r  db, of { if r.name=="Bob" then loop(1 sec); return 0 } Alice (Star Wars, 5)(Alien, 4) Bob (Godfather, 1)(Porn, 5) Cindy(Die Hard, 4)(Toy Story, 2) Dave(Avatar, 5)(Gandhi, 4) Eva(Amélie, 4)(Rocky, 1) 0 Time 0, T=20  s, d=1 00 0 Bob not in db: Bob in db: Rob 000 0 Observable 0 Time Bob not in db: Bob in db: 000 0 000 0 0 sum=0 sum=1 1 20  s

16 A. Haeberlen Default values do not violate privacy Don't default values change the query's answer? Yes, but that's okay: Remember that the answer is still noised before it is returned Noise depends on the sensitivity, which is now 1 It's just as if we had written "If r.name=='Bob', return 1" Impact on non-adversarial queriers? Default value is never included if timeout is sufficiently high 16 USENIX Security (August 12, 2011) noisy sum,  r  db, of { if r.name=="Bob" then loop(1 sec); return 0 }, T=20  s, d=1 Bob not in db: Bob in db: 000 0 000 0 0 1

17 A. Haeberlen Outline Motivation Differential Privacy primer Attacks on PINQ and Airavat Our defense The Fuzz system Evaluation 17 USENIX Security (August 12, 2011) NEXT

18 A. Haeberlen The Fuzz system Fuzz: A programming language for writing differentially private queries Designed from scratch  Easier to secure Functionality roughly comparable to PINQ/Airavat Novel type system for statically checking sensitivity Runtime supports timeouts + default values Turns out to be highly nontrivial Problem: How to make a potentially adversarial computation take exactly a given amount of time? Uses a new primitive called predictable transactions 18 USENIX Security (August 12, 2011)

19 A. Haeberlen Predictable transactions Isolation: Microquery must not interfere with the rest of the computation in any way Examples: Trigger garbage collector, change runtime state,... Preemptability: Must be able to abort microqueries at any time Even in the middle of memory allocation,... Bounded deallocation: Must be able to free any allocated resources within bounded time Example: Microquery allocates lots of memory, acquires locks... Details are in the paper 19 USENIX Security (August 12, 2011)

20 A. Haeberlen Outline Motivation Differential Privacy primer Attacks on Differential Privacy Defenses The Fuzz system Evaluation Is Fuzz expressive enough to handle realistic queries? Is Fuzz fast enough to be practical? Does Fuzz effectively prevent side-channel attacks? More experiments are described in the paper 20 USENIX Security (August 12, 2011) NEXT

21 A. Haeberlen Experimental setup Implemented three queries from prior work: K-means clustering (inspired by Blum et al., PODS'05) Census query (inspired by Chawla et al., TCC'05) Web server log analysis (inspired by Dwork et al., TCC'06) Fuzz is expressive enough to run all three queries Also crafted several adversarial queries Using different variants of our attacks Evaluated on a commodity system 3GHz Core 2 Duo running Linux 2.6.38 Synthetic database with 10,000 rows 21 USENIX Security (August 12, 2011)

22 A. Haeberlen Performance: Non-adversarial queries Query completion time increased by 2.5x-6.8x But: Most expensive query took 'only' 12.7s Most of the increase was due to time padding Timeouts were set conservatively More detailed results are in the paper 22 USENIX Security (August 12, 2011) Original runtime Fuzz (no padding) Fuzz Query completion time (s) kmeans census weblog 14 12 10 8 6 4 2 0 6.8x 3.4x 2.5x Due to padding

23 A. Haeberlen #Attack type Protection disabled Hit Miss  Protected Hit Miss  1Memory allocation 2Garbage collection 3Artificial delay 4Early termination 5Artificial delay Performance: Adversarial queries Evaluated five adversarial queries Unprotected runtime: Attacks cause large timing variation Protected runtime: Completion times are extremely stable Timing channel now too narrow to be useful! Remember: State and budget channels closed by design 23 USENIX Security (August 12, 2011) 0.32s 26.38s 0.90s 1.96s 1.57s 1.62s 26.37s 2.17s 1.6s 1.2s 1.3s 6ms 1.3s 1.10s 2.40s 1.10s 2.40s <1  s

24 A. Haeberlen Summary Differentially private query processors must be protected against covert-channel attacks Leaking even a single bit can destroy the privacy guarantees Vulnerabilities exist in PINQ and Airavat Proposed defense: Fuzz Uses static analysis and predictable transactions Specific to differential privacy, but very strong: Closes all remotely measurable channels completely 24 USENIX Security (August 12, 2011) More information at: http://privacy.cis.upenn.edu/

Download ppt "A. Haeberlen Differential Privacy Under Fire 1 USENIX Security (August 12, 2011) Andreas Haeberlen Benjamin C. Pierce Arjun Narayan University of Pennsylvania."

Similar presentations

Paging: Design Issues. Readings r Silbershatz et al: 8.4-8.5, 9.5-9.10.

Paging: Design Issues. Readings r Silbershatz et al: ,
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.

Relaxed Consistency Models. Outline Lazy Release Consistency TreadMarks DSM system.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
Free Space and Allocation Issues

Free Space and Allocation Issues
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Parallel and Distributed Simulation Time Warp: Other Mechanisms.

Parallel and Distributed Simulation Time Warp: Other Mechanisms.
/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)

/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.

Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.
Hit or Miss ? !!!.  Small size.  Simple and fast.  Implementable with hardware.  Does not need too much power.  Does not predict miss if we have.

Hit or Miss ? !!!.  Small size.  Simple and fast.  Implementable with hardware.  Does not need too much power.  Does not predict miss if we have.
CMPT 401 2008 Dr. Alexandra Fedorova Lecture X: Transactions.

CMPT Dr. Alexandra Fedorova Lecture X: Transactions.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
CSC1016 Coursework Clarification Derek Mortimer March 2010.

CSC1016 Coursework Clarification Derek Mortimer March 2010.
Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.

Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.

Similar presentations

Ads by Google