privacy and computer science eci 2015 day 3 non
play

Privacy and Computer Science (ECI 2015) Day 3 - Non Interference - PowerPoint PPT Presentation

Dec 13, 2023 •124 likes •1.16k views

Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup Privacy and Computer Science

  1. NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ -calculus Th´ eor` eme ([Berardi, 1996]) If t , t ′ : A and t � t ′ then t and t ′ are obervationnaly equivalent. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 13 / 73

  2. NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ -calculus Th´ eor` eme ([Berardi, 1996]) If t , t ′ : A and t � t ′ then t and t ′ are obervationnaly equivalent. Proof. If A = N then by subject reduction, strong normalization and monotonicity we have t → ∗ v and t ′ → v ′ with v � v ′ , but closed nf of type N are either 0 or ( S . . . ( S 0) . . . ), hence v ≡ v ′ . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 13 / 73

  3. NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ -calculus Th´ eor` eme ([Berardi, 1996]) If t , t ′ : A and t � t ′ then t and t ′ are obervationnaly equivalent. Proof. If A = N then by subject reduction, strong normalization and monotonicity we have t → ∗ v and t ′ → v ′ with v � v ′ , but closed nf of type N are either 0 or ( S . . . ( S 0) . . . ), hence v ≡ v ′ . For any other type A take any closing context C [ . A ] : N . Then C [ t ] � C [ t ′ ], and C [ t ] , C [ t ′ ] : N , hence we can apply the previous reasonning. An example: ( λ x : U . 5 ∅ ) � ( λ x : N . 5 t ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 13 / 73

  4. NI in a Purely Functional Setting Pure Terms and Simple Types Problems linked with the unicity of typing Type unicity + Conservative approximation = less accurate analyzis t = ( λ f : N → N . ( g f ( f 5)) λ x : N . 4) We would like to type tye first occurrence of f with N → N and the second one with U → N . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 14 / 73

  5. NI in a Purely Functional Setting Higher-order Types Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 15 / 73

  6. NI in a Purely Functional Setting Higher-order Types Variable sorts “ A is a type” is a judgment: Γ ⊢ A : ∗ We introduce judgments of the form: Γ ⊢ A : α where α is a sort variable ranging over ∗ ⊥ , ∗ ⊤ . The two different ∗ s are used to denote separated universes. We add axiom ∗ i : � for i ∈ {⊤ , ⊥} F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 16 / 73

  7. NI in a Purely Functional Setting Higher-order Types Sort abstraction Abstracting sorts w.r.t. terms: Γ , α : � , Γ ′ ⊢ t : B Γ , Γ ′ ⊢ ok Γ , Γ ′ ⊢ ( λα : � . t ) : (Π α : � . B ) sort application: Γ ⊢ t : (Π α : � . A ) Γ ⊢ k : � Γ ⊢ ( t k ) : A [ α := k ] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 17 / 73

  8. NI in a Purely Functional Setting Higher-order Types Examples N α def = Π X : α. X → ( X → X ) → X n � �� � n α def = λ X : α.λ x : X .λ f : X → X . ( f . . . ( f x ) . . . ) α : � , β : � , y : N α ⊢ 5 β : N β α : � , β : � ⊢ λ y : N α . 5 β : ( N α → N β ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 18 / 73

  9. NI in a Purely Functional Setting Higher-order Types k -types, k -constants k -type: Type where the only occuring sort is k . Example of ∗ ⊥ -type: Π X : ∗ ⊥ . Π Y : ∗ ⊥ . X → Y → (Π Z : ∗ ⊥ . Z → X ) For all k -type A , we define a constant d A of type A . We define an order ≤ k w.r.t. k -constants: ( λ x : N ∗ ⊥ . 5 ∗ ⊥ d N ∗⊥ ) ≤ ∗ ⊥ ( λ x : N ∗ ⊥ . 5 ∗ ⊥ t ) if t is of type N ∗ ⊥ , for instance. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 19 / 73

  10. NI in a Purely Functional Setting Higher-order Types Non-interference and types A first result: Theorem (Non-interference) Let x : A ⊢ t : B, A a ∗ ⊥ -type, B a ∗ ⊤ -type then for all <> ⊢ t 1 , t 2 : A one has: t [ x := t 1 ] = obs t [ x := t 2 ] A corollary: Theorem (Dead-code) If <> ⊢ t 1 , t 2 : A, and A a ∗ ⊤ -type, and t 1 ≤ ∗ ⊥ t 2 , then t 1 = obs t 2 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 20 / 73

  11. NI in a Purely Functional Setting Higher-order Types Example 1 Let t be such that <> ⊢ t : N ∗ ⊥ , then terms t 1 = ( λ y : N ∗ ⊥ . 5 ∗ ⊤ t ) , t 2 = ( λ y : N ∗ ⊥ . 5 ∗ ⊤ d N ∗⊥ ) are both of type N ∗ ⊤ . t 2 ≤ ∗ ⊥ t 1 . Then from theorem 2, we conclude t 1 = obs t 2 . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 21 / 73

  12. NI in a Purely Functional Setting Higher-order Types Example 2 The ability to abstract over sorts introduces flexibility : t = ( λ f : Π α, β : � . N α → N β ( g ( f ∗ ⊤ ∗ ⊤ ) ∗ ⊤ ) t ′ ) (( f ∗ ⊥ λα, β : � .λ x : N α . 5 β ) with g of type ( N ∗ ⊤ → N ∗ ⊤ ) → N ∗ ⊤ → N ∗ ⊤ , and t ′ of type N ∗ ⊥ . t is of type N ⊤ , and t ′ analyzed as dead-code. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 22 / 73

  13. NI in a Purely Functional Setting Higher-order Types The λ -cube [Barendregt, 1991] Terms: T ::= V | C | ( T T ) | λ V : T . T | Π V : T . T Parameters: S : sorts, A , axioms of the form c : s , R , rules of the form ( s 1 , s 2 , s 3 ). We write ( s 1 , s 2 ) when s 3 = s 2 . Rules define valid product: Γ ⊢ A : s 1 Γ , x : A ⊢ B : s 2 Γ ⊢ Π x : A . B : s 3 Computation rule: ( λ x : A . B C ) → β B [ x := C ] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 23 / 73

  14. NI in a Purely Functional Setting Higher-order Types The λ -cube Take sorts: {∗ , � } , and axiom ( ∗ : � ). We consider only rules of the form ( s 1 , s 2 ). We have four possible rules: { ( ∗ , ∗ ) , ( � , ∗ ) , ( ∗ , � ) , ( � , � ) } F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 24 / 73

  15. NI in a Purely Functional Setting Higher-order Types Intuitions behind rules ( ∗ , ∗ ): simply typed λ -calculus. ( � , ∗ ): polymorphism. ( � , � ): possiblity to build connective. ( ∗ , � ): dependent types. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 25 / 73

  16. NI in a Purely Functional Setting Higher-order Types λ C λω ✚ ✚ ✚✚ ✚✚ System Historical name λ 2 λ P 2 λ → Simply typed λ -calculus [Church, 1940] λ 2 System F [Girard, 1972] λ P AUT-QE; LF [Bruijn, 1970] λω λ P ω ✚ ✚ λ P 2 [Longo and Moggi, 1988] ✚✚ ✚✚ λω POLYREC λ → λ P [de Lavalette, 1992] F ω [Girard, 1972] λω ( � , ∗ ) ( � , � ) λ C Calculus of Constructions ✻ [Coquand and Huet, 1988] ✒ � � � ✲ ( ∗ , � ) λ -cube [Barendregt, 1991] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 26 / 73

  17. NI in a Purely Functional Setting Higher-order Types Sort abstraction in “cube” style Addition of sort: △ ; Addition of axiom: � : △ ; Addition of rule: ( △ , ∗ ); Γ ⊢ � : △ Γ , α : � ⊢ A : ∗ Γ ⊢ (Π α : � . A ) : ∗ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 27 / 73

  18. NI in a Purely Functional Setting Higher-order Types ( � , ∗ ) ( � , � ) ✻ ✒ � � Hyper λ -cube � � ✲ ( ∗ , � ) ✲ ( △ , ∗ ) λ C λω E λ C E λω ✚ ✚ ✚ ✚ ✚✚ ✚✚ ✚✚ ✚✚ λ 2 E E λ 2 λ P 2 λ P 2 λω E P ω E λω λ P ω λ ✚ ✚ ✚ ✚ ✚✚ ✚✚ ✚✚ ✚✚ λ → λ P λ → E λ P E F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 28 / 73

  19. NI in a Purely Functional Setting Higher-order Types Results It is possible to prove theorems 1 and 2 in the E -cube: a non-interference result for the Calculus of Constructions. The rule ( △ , ∗ ) expresses the logical content of type-based analyses. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 29 / 73

  20. NI in a Purely Functional Setting Higher-order Types Technical considerations Original formalism has been extended in order to have judgments like x : X : α : � where x , X , α are variables. In λα : � . A , α is a weak variable, i.e. it stands either for ∗ ⊤ or ∗ ⊥ . The work done is of theoretical nature. Hint for an algorithm: ML unification modified (not complete). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 30 / 73

  21. NI in an Imperative Setting Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 31 / 73

  22. NI in an Imperative Setting Interferences in imperative programs [Volpano and Smith, 1997] Programs input and output are classified at different security levels. We would like to allow the information to go up but never down w.r.t. security levels. The security can be expressed by comparing the memory of the computer regarding the different levels of security (different from the functional approach in which there are no variables). Simple imperative programming language with procedures. Type soundness result: if a program is well typed, then non-interference is enforced. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 32 / 73

  23. NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 33 / 73

  24. NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel for i = 0 to secret output i on public_channel while true do skip F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 33 / 73

  25. NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel for i = 0 to secret output i on public_channel while true do skip for i = 0 to maxNat { output i on public_channel if (i = secret) then (while true do skip) } F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 33 / 73

  26. NI in an Imperative Setting Types in the Smith-Volpano System Three kinds of types τ -types: security levels. π -types: expressions and commands. ρ -types: types of phrases. For instance τ ∈ { h , l } with l ≤ h . command types have form τ cmd. A command of type h cmd says it does not contain assignment to low variables. Phrase types are of the form τ var or τ acc The subtype relation is contravariant in command and acceptor types. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 34 / 73

  27. NI in an Imperative Setting Information flow Direct information flow: l:=h F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 35 / 73

  28. NI in an Imperative Setting Information flow Direct information flow: l:=h Indirect information flow While h>0 do l:=l+1; h:=h-1; od F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 35 / 73

  29. NI in an Imperative Setting Information flow Direct information flow: l:=h Indirect information flow While h>0 do l:=l+1; h:=h-1; od We must have typing rules forbidding such programs: γ ⊢ e : τ γ ⊢ c : τ cmd γ ⊢ while e do c : τ cmd F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 35 / 73

  30. NI in an Imperative Setting Type Soundnes and Non-Interference One needs to define the operational semantics of the programming ⇒ µ ′ language: µ ⊢ c = One needs to define a notion of “equivalent” memories µ ≃ l ν if µ and ν agree on the value of low-level variables. The non-interference property can be stated as: suppose that λ ⊢ c : π suppose that µ ⊢ c = ⇒ µ ′ suppose that ν ⊢ c = ⇒ ν ′ suppose that µ ≃ τ ν ≃ τ λ then ν ′ ( l ) = µ ′ ( l ) for all l such that λ ( l ) ≤ τ . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 36 / 73

  31. NI and concurrency Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 37 / 73

  32. NI and concurrency Process interlock and information leakage ⇐ [ c α = 0 ⇒ SPY := 0 ; c β := 0 ]; θ α F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 38 / 73

  33. NI and concurrency Process interlock and information leakage ⇐ [ c α = 0 ⇒ SPY := 0 ; c β := 0 ]; θ α ⇐ [ c β = 0 ⇒ SPY := 1 ; c α := 0 ]; θ β F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 39 / 73

  34. NI and concurrency Process interlock and information leakage ⇐ [ c α = 0 ⇒ SPY := 0 ; c β := 0 ]; θ α ⇐ [ c β = 0 ⇒ SPY := 1 ; c α := 0 ]; θ β � � ⇐ [ PIN = 1 ⇒ c α := 0 ]; θ γ + � � [ PIN = 0 ⇒ c β := 0 ]; θ α � β � γ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 40 / 73

  35. NI and concurrency λ ar [Prost, 2005]: λ -calculus with adressed resources Variation of the blue-calculus of G. Boudol (variant of Milner’s polyadic π -calculus). Terms: t ::= x , a | ( t t ) | λ x . t | t � t | ν a ( t ) | ( t | s) | (s | t ) Adressed ressources : s ::= � a ⇐ t � | � a = t � | (s | s) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 41 / 73

  36. NI and concurrency Operational Semantics Definition (Reduction rules) ( λ x . t u ) → β t { x := u } t | � a ⇐ u � → ρ t { a := u } Communication example: � a ⇐ λ x . t � | ( a v ) → ρ ( λ x . t v ) → β t { x := v } F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 42 / 73

  37. NI and concurrency λ ar Typing It is possible to have a fine-grained typing of λ ar : Γ ⊢ t : τ Γ ⊢ u : σ [ PPAR ] Γ ⊢ t � u : Pa( τ, σ )( τ, σ � = ◦ ) Sort abstraction “` a la” [Prost00] leads to similar result than in λ -calculus. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 43 / 73

  38. Relaxing Non-Interference Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 44 / 73

  39. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  40. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  41. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  42. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  43. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose: A “security profile” for each operator: rewrite rules over privacy lattice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  44. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose: A “security profile” for each operator: rewrite rules over privacy lattice. 1 Rewrite rules may have actions modifying the policy. 2 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  45. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose: A “security profile” for each operator: rewrite rules over privacy lattice. 1 Rewrite rules may have actions modifying the policy. 2 Definition of high/low bisimulation with dynamic policies. 3 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  46. Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose: A “security profile” for each operator: rewrite rules over privacy lattice. 1 Rewrite rules may have actions modifying the policy. 2 Definition of high/low bisimulation with dynamic policies. 3 Program safety verification by abstract execution on privacy levels. 4 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 45 / 73

  47. Relaxing Non-Interference Programming framework Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 46 / 73

  48. Relaxing Non-Interference Programming framework WHILE programming language Minimalistic programming language: v ::= x | 0 | 1 | 0 | 1 | . . . v | f ( x 1 , . . . , x n ) t , b ::= P ::= x := t | P ; P | if b then P else P | while b do P | skip It can be seen as an intermediate language: x := f (345 , g ( x 1 , x 2 )) ≡ ( x 0 := 345; x 3 := g ( x 2 , x 3 ); x := f ( x 3 ) Natural semantics � µ, P � → os � µ ′ , P ′ � F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 47 / 73

  49. Relaxing Non-Interference Dynamic interference policy Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 48 / 73

  50. Relaxing Non-Interference Dynamic interference policy Interference policy Program variables are attributed privacy levels. Privacy levels are elements of a lattice L . Interference policies are based on authorised behavior of operators. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 49 / 73

  51. Relaxing Non-Interference Dynamic interference policy Interference policy Program variables are attributed privacy levels. Privacy levels are elements of a lattice L . Interference policies are based on authorised behavior of operators. Usually it is done through types but it is too rigid. ⇒ We use term rewriting system on privacy levels in order to deal with = concrete privacy levels used at evaluation time. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 49 / 73

  52. Relaxing Non-Interference Dynamic interference policy Static interference policy For each operator f we consider f DIP . Σ DIP = ( V DIP , V ∪ Ω DIP ∪ L ) Encryption policy, SP : encrypt DIP ( π 128 , x ) → π 1 encrypt DIP ( π 256 , x ) → ⊥ SPY DIP → ⊥ PIN DIP → ⊤ . . . In the program: SPY := encrypt( K , PIN ) The security level of encrypt( K , PIN ) is computed using rules of SP . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 50 / 73

  53. Relaxing Non-Interference Dynamic interference policy Dynamicity Privacy levels may change during computation. Rewriting rules with actions : l → r ; a a ::= x �→ π | x �→ π | x �→ y | x �→ y | a; a The interference policy changes through the evaluation of operator security level computation: � t [ σ ( l )] , SP� � � t [ σ ( r )] , SP ′ � F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 51 / 73

  54. Relaxing Non-Interference Dynamic interference policy Three strikes, out Aim: account suspended after 3 unsuccessful login attempts. In the program: ckpwd( g , pwd ) For each operator f of arity n we consider f DIP of arity 2 n . ⇒ = distinction between the name of a program variable and its privacy level. Privacy level of ckpwd( g , pwd ) is computed by the evaluation of: ckpwd DIP ( π g , g , π pwd , pwd ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 52 / 73

  55. Relaxing Non-Interference Dynamic interference policy Three strikes, out ⊤ t 0 t 1 t 2 t 3 ⊥ ckpwd( ⊥ , g , t 0 , p ) → ⊥ ; p → t 1 ckpwd( ⊥ , g , t 1 , p ) → ⊥ ; p → t 2 ckpwd( ⊥ , g , t 2 , p ) → ⊥ ; p → t 3 ckpwd( ⊥ , ( g , t 3 , p ) → ⊤ ckok( x , y ) → ⊥ ; y → t 0 g → ⊥ PIN 1 → t 0 PIN 2 → t 0 . . . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 53 / 73

  56. Relaxing Non-Interference Dynamic interference policy Three strikes, out ⊤ t 0 t 1 t 2 t 3 ⊥ ckpwd( ⊥ , g , t 0 , p ) → ⊥ ; p → t 1 ckpwd( ⊥ , g , t 1 , p ) → ⊥ ; p → t 2 ckpwd( ⊥ , g , t 2 , p ) → ⊥ ; p → t 3 ckpwd( ⊥ , ( g , t 3 , p ) → ⊤ ckok( x , y ) → ⊥ ; y → t 0 g → ⊥ PIN 1 → t 0 PIN 2 → t 0 . . . In the program: if ckpwd( g , PIN 1 ) then blah else next try F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 53 / 73

  57. Relaxing Non-Interference Dynamic interference policy Dynamic interference policy Definition A DIP, SP , is a confluent terminating rewrite system with actions with: 1 For every x ∈ V there is a rule x → π in SP . 2 For each rule l → r such that l is in V then r is in L . 3 SP introduces no junk into L . I.e., for all ground terms, t , over Σ ∪ L , the normal form of t , is in L . 4 SP introduces no confusion into L . I.e., ⇒ τ 1 � ∗ ∀ τ 1 , τ 2 ∈ L , τ 1 � = τ 2 = ↔ τ 2 . 5 functions in Σ are monotonic w.r.t. privacy levels: ∀ π i , π ′ i ∈ L , π i ⊑ π ′ ⇒ nf SP ( f ( π 1 , . . . , π n )) ⊑ nf SP ( f ( π ′ 1 , . . . , π ′ i = n )). � t , SP� � ∗ � π SP ( t ) , SP t � F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 54 / 73

  58. Relaxing Non-Interference Dynamic interference policy Privacy level of a term wrt SP to compute the privacy level of f ( x , y ) we consider t = f DIP ( nf SP ( x ) , x , nf SP ( y ) , y ) The evaluation of this term in SP gives the privacy level and a new interference policy: � t , SP� � ∗ � π SP ( t ) , SP t � F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 55 / 73

  59. Relaxing Non-Interference Program safety w.r.t. DIP Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 56 / 73

  60. Relaxing Non-Interference Program safety w.r.t. DIP Program safety Traditionally: a program is safe if every modification of a value above π cannot be observed below π : � µ 1 , P � → ∗ os µ ′ 1 � µ 2 , P � → ∗ os µ ′ 2 µ ′ 1 ≡ π µ ′ 2 What to do with the policy: encrypt( π 1024 , ⊤ ) → ⊥ making possible program as: SPY := encrypt( key 1024 , PIN ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 57 / 73

  61. Relaxing Non-Interference Program safety w.r.t. DIP Program safety Traditionally: a program is safe if every modification of a value above π cannot be observed below π : � µ 1 , P � → ∗ os µ ′ 1 � µ 2 , P � → ∗ os µ ′ 2 µ ′ 1 ≡ π µ ′ 2 What to do with the policy: encrypt( π 1024 , ⊤ ) → ⊥ making possible program as: SPY := encrypt( key 1024 , PIN ) = ⇒ Use an alternate op. sem. declared leaks are treated specifically. Notion of declassified operational semantics. µ d ⇒ � µ ′ 1 , P ′ � � µ 1 , P � = F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 57 / 73

  62. Relaxing Non-Interference Program safety w.r.t. DIP declassifying terms A term is declassifying if its privacy level is lower than one of its arguments. Such terms will be subjected to specific rules in the declassified operational semantics. Definition (Declassifying terms and assignments) t = f ( x 1 , . . . , x n ) is declassifying wrt SP , written SP ⊢ f ( x 1 , . . . , x n ) ↓ if: � n π SP ( t ) ⊑ ( i =1 π SP ( t i )) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 58 / 73

  63. Relaxing Non-Interference Program safety w.r.t. DIP Declassified evaluation µ d ⇒ � P ′ , µ ′ , SP ′ � � P , µ � = Declassifying assignment: SP ⊢ f DIP (( π SP ( x ) , x ) ↓ f ( π SP ( x ) , x ) � � f ( π SP ( x ) , x ) , SP� � ∗ � π, SP [ [ f ( x )] ] µ d = v AS f ( π SP ( x ) , x ) � µ d � y := f ( x ) , µ, SP� = ⇒ � skip , µ [ y := v ] , SP F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 59 / 73

  64. Relaxing Non-Interference Program safety w.r.t. DIP High/low bisimulation and DIPs Definition (Bisimulation) A π -bisimulation is a symetric relation R such that: If � P 1 , SP 1 �R� P 2 , SP 2 � and µ 1 ⇒ � µ ′ 1 , P ′ 1 , SP ′ � µ 1 , P 1 , SP 1 � = 1 � and µ 1 ≃ SP 1 ⊔SP 2 µ 2 π F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 60 / 73

  65. Relaxing Non-Interference Program safety w.r.t. DIP High/low bisimulation and DIPs Definition (Bisimulation) A π -bisimulation is a symetric relation R such that: If � P 1 , SP 1 �R� P 2 , SP 2 � and µ 1 ⇒ � µ ′ 1 , P ′ 1 , SP ′ = ⇒ � µ 1 , P 1 , SP 1 � = 1 � and µ 1 ≃ SP 1 ⊔SP 2 µ 2 π  2 , SP ′ ∃ P ′ 2 and µ ′ 2 s.t.      ∗ � µ ′   µ 1 2 , P ′ 2 , SP ′  � µ 2 , P 2 , SP 2 � = ⇒ 2 �   1 ≃ SP ′ 1 ⊔SP ′  and µ ′ µ ′  2  π 2        and � P ′ 1 , SP ′ 1 �R� P ′ 2 , SP ′ 2 � F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 60 / 73

  66. Relaxing Non-Interference Program safety w.r.t. DIP Program safety w.r.t. a DIP The union of two π -bisimulation is a π -bisimulation. The biggest π -bisimulation is written ≃ and is the union of all π -bisimulation. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 61 / 73

  67. Relaxing Non-Interference Program safety w.r.t. DIP Program safety w.r.t. a DIP The union of two π -bisimulation is a π -bisimulation. The biggest π -bisimulation is written ≃ and is the union of all π -bisimulation. Definition (Safe program) A program P is safe with relation DIP SP , written SP | = P , if for all privacy level π � P , SP� ≃ π � P , SP� . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 61 / 73

  68. Relaxing Non-Interference Program Verification Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 62 / 73

  69. Relaxing Non-Interference Program Verification Abstract execution principle (1) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 63 / 73

  70. Relaxing Non-Interference Program Verification Abstract execution principle (1) Idea: to execute the program on L . An abstract memory record associates variables with their privacy levels. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 63 / 73

  71. Relaxing Non-Interference Program Verification Abstract execution principle (1) Idea: to execute the program on L . An abstract memory record associates variables with their privacy levels. Record of the highest privacy level encountered in if-then-else and while guards to avoid indirect leaks, e.g.: if PIN = 0 then while 0 do skip else skip; SPY := 0 Check assignments wrt SP and : x := f ( . . . ) implies π SP ( x ) ⊆ ( π SP ( f ( . . . )) ⊔ π g ) raises a failure if the inequality is not satisfied. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 63 / 73

  72. Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 64 / 73

  73. Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. = ⇒ Creation of a DIP list recording DIP’s for each execution paths. Fixpoint problem for the while construct. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 64 / 73

  74. Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. = ⇒ Creation of a DIP list recording DIP’s for each execution paths. Fixpoint problem for the while construct. ⇒ = Finite number of DIP lists. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 64 / 73

  75. Relaxing Non-Interference Program Verification Abstract execution result Theorem → ∗ L ) = ∃L . ( �{�SP , ⊥�} , P � ֒ ⇒ SP | = P F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 65 / 73

  76. Relaxing Non-Interference Program Verification Abstract execution result Theorem → ∗ L ) = ∃L . ( �{�SP , ⊥�} , P � ֒ ⇒ SP | = P Converse implication does not hold: if PIN = 0 then SPY := 1 else SPY := 1 this safe program raises a failure in the abstract operational semantics. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 65 / 73

  77. Conclusion Plan NI in a Purely Functional Setting 1 Pure Terms and Simple Types Higher-order Types NI in an Imperative Setting 2 NI and concurrency 3 Relaxing Non-Interference 4 Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification Conclusion 5 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 66 / 73

  78. Conclusion Conclusion Non-Interference is a very abstract and powerful, but strict, approach to privacy in programming languages. It is very different from the traditional cryptographic approach and relies on completely different techniques: programming semantics. There has been a lot of work in order to cope with different paradigms and subtle variations around the notion of strict non-interference. Differential privacy is a relatively new way to approach non-interference. In a nutshell : the idea is to manipulate data of a data-base in such a way that statistical properties of interest are unchanged while having indistinguishability properties (kind of non-interference) insuring the privacy (e.g. [Dwork, 2008]). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 67 / 73

  79. Conclusion Bibliography I Abadi, M., Lampson, B. W., and L´ evy, J. (1996). Analysis and caching of dependencies. In Proceedings of the 1996 ACM SIGPLAN International Conference on Functional Programming (ICFP ’96), Philadelphia, Pennsylvania, May 24-26, 1996. , pages 83–91. Askarov, A., Hunt, S., Sabelfeld, A., and Sands, D. (2008). Termination-insensitive noninterference leaks more than just a bit. In Computer Security - ESORICS 2008, 13th European Symposium on Research in Computer Security, M´ alaga, Spain, October 6-8, 2008. Proceedings , pages 333–348. Barendregt, H. (1991). Introduction to generalized type systems. J. Funct. Program. , 1(2):125–154. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 68 / 73

  80. Conclusion Bibliography II Berardi, S. (1996). Pruning simply typed lambda-terms. J. Log. Comput. , 6(5):663–681. Bruijn, N. G. D. (1970). The mathematical language AUTOMATH, its usage and some of its extensions (iria, versailles 1968). In Symposium on automatic demonstration , volume 125 of Lecture Notes in Mathematics , pages 29–61. Springer-Verlag. Church, A. (1940). A formulation of the simple theory of types. Journal of Symbolic Logic , 5(1). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 69 / 73

  81. Conclusion Bibliography III Coquand, T. and Huet, G. (1988). The calculus of constructions. Information and Computation , 76:95–120. de Lavalette, G. R. (1992). Strictness analysis via abstract interpretation for recursively defined types. Information and Computation , 99(2):154–177. Dwork, C. (2008). Differential privacy: A survey of results. In Theory and Applications of Models of Computation, 5th International Conference, TAMC 2008, Xi’an, China, April 25-29, 2008. Proceedings , pages 1–19. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes erieure de Lyon) July 2015 70 / 73

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic Point of View F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale

1.55k views • 117 slides
Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology

Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology

Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology &amp; Policy Carnegie Mellon University latanya@privacy.cs.cmu.edu http://privacy.cs.cmu.edu/ The Question in this Talk Can computer scientists

801 views • 77 slides
Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F.

Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F.

Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup Privacy

1.51k views • 115 slides
2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science

2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science

2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science Loyola University Chicago SNTA20 Keynote What does Privacy mean to you? What does Privacy mean to you? Personal What you buy What you

1.12k views • 58 slides
Privacy through Accountability: A Computer Science Perspective Anupam Datta Associate Professor

Privacy through Accountability: A Computer Science Perspective Anupam Datta Associate Professor

Privacy through Accountability: A Computer Science Perspective Anupam Datta Associate Professor Computer Science, ECE, CyLab Carnegie Mellon University February 2014 Personal Information is Everywhere 2 Research Challenge Programs and

682 views • 57 slides
Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong

Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong

Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong University Scope of Privacy in This Talk Data about individuals Collection, using, and sharing of such data Privacy is primarily a

1.18k views • 98 slides
Data Science: Statistics or Computer Science? 9/15/2015 DATA SCIENCE: STATISTICS OR COMPUTER

Data Science: Statistics or Computer Science? 9/15/2015 DATA SCIENCE: STATISTICS OR COMPUTER

Data Science: Statistics or Computer Science? 9/15/2015 DATA SCIENCE: STATISTICS OR COMPUTER SCIENCE? DATA SCIE DA SCIENCE: ST STATIS ISTICS TICS OR OR CO COMPU MPUTER ER SCIEN SCIENCE? IMPLICATIONS FOR STATISTICS EDUCATION IMPLIC ICATION

608 views • 24 slides
Privacy &amp; Social Media Lisa Singh, PhD Department of Computer Science Georgetown University

Privacy &amp; Social Media Lisa Singh, PhD Department of Computer Science Georgetown University

Privacy &amp; Social Media Lisa Singh, PhD Department of Computer Science Georgetown University Outline Our world on the Internet Data privacy in a public profile world Methods for determining our web footprints Taking control of

717 views • 33 slides
Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA USA W3C Workshop on Web Tracking and User Privacy April, 2011 1 Its Not Just Tracking

474 views • 4 slides
Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Do Computer Science Definitions of Privacy Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS LAW Kobbi Nissim Ben-Gurion University Center for Research on Computation and Society

865 views • 62 slides
CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory

CS573 Data Privacy and Security Li Xiong Department of Mathematics and Computer Science Emory University Today Meet everyone in class Course overview Why data privacy and security What is data privacy and security What we

810 views • 70 slides
CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

531 views • 31 slides
Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of

Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of

Department of Computer Science Network Attachment Privacy Piers OHanlon UKNOF33, London 19 th January 2016 Department of Computer Science Outline Introduction Link Layer (L2) addressing Privacy-based analysis of related

639 views • 18 slides
1 Data Mining and Privacy The primary task in data mining: Develop models about aggregated

1 Data Mining and Privacy The primary task in data mining: Develop models about aggregated

Privacy Breaches in Privacy-Preserving Data Mining Johannes Gehrke Department of Computer Science Cornell University Joint work with Sasha Evfimievski (Cornell), Ramakrishnan Srikant (IBM), and Rakesh Agrawal (IBM) Motivation: Information

310 views • 18 slides
Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal

Privacy Preserving Privacy Preserving Netw ork Flow Netw ork Flow Recording Recording Bilal Shebaro Shebaro (Computer Science (Computer Science- - UNM) UNM) Bilal Jedidiah R. Crandall R. Crandall (Computer Science (Computer Science- -

464 views • 33 slides
Privacy Swapneel Sheth Department of Computer Science, Columbia

Privacy Swapneel Sheth Department of Computer Science, Columbia

Privacy Swapneel Sheth Department of Computer Science, Columbia University swapneel@cs.columbia.edu Candidacy Exam IntroducAon and MoAvaAon June 28, 2010 2 IntroducAon and

481 views • 22 slides
The Well-Separated Pair Decomposition The Well-Separated M. Farshi Pair Decomposition Lab. of

The Well-Separated Pair Decomposition The Well-Separated M. Farshi Pair Decomposition Lab. of

The Well-Separated Pair Decomposition The Well-Separated M. Farshi Pair Decomposition Lab. of Combinatorial and Geometric Algorithms, M. Farshi Department of Computer Science, Definition of Yazd University WSPD Compute WSPD The Split

1.29k views • 84 slides
Protein Docking and 3D Ligand-Based Virtual Screening Modeling Protein Flexibility Using Elastic

Protein Docking and 3D Ligand-Based Virtual Screening Modeling Protein Flexibility Using Elastic

Protein Docking and 3D Ligand-Based Virtual Screening Modeling Protein Flexibility Using Elastic Network Models ENMs assume protein atoms (often just CAs) are coupled via a harmonic potential: Part 2 i&lt;j C ( d ij d 0 ij ) 2 V = H ij

899 views • 10 slides
s r

s r

s r Prtr t sts P t r t

763 views • 45 slides
Re Re-Imagine: Imagine: Real Estate Real Estate in the in the New Normal New Normal AHMAD

Re Re-Imagine: Imagine: Real Estate Real Estate in the in the New Normal New Normal AHMAD

Re Re-Imagine: Imagine: Real Estate Real Estate in the in the New Normal New Normal AHMAD SAIFUDIN MUTAQI IAI Professional Architect Indonesia Institute of Architect Chairman of IAI Chapter Jogjakarta Lecturer &amp; Researcher Study

934 views • 45 slides
A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction

A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction

A mixed-signal ic for managing power in 5G applications IPSOC 2018 Introduction Architecture of mixed-signal ics in handsets IPSOC 2018 2 MODEM architecture Protocol stack (RTOS) Transceiver soup letter TDMA, OFDM, CDMA

365 views • 15 slides
(Dust) Particles in Athena++ Chao-Chin Yang Zhaohuan Zhu University of Nevada, Las Vegas James

(Dust) Particles in Athena++ Chao-Chin Yang Zhaohuan Zhu University of Nevada, Las Vegas James

(Dust) Particles in Athena++ Chao-Chin Yang Zhaohuan Zhu University of Nevada, Las Vegas James Stone Princeton University Dust-Gas Dynamics Lagrangian formulation d Lagrangian vs. two fluids v p u g v p

680 views • 11 slides
Tracking System Detector and Front-End Electronics Weronika Zubrzycka, Krzysztof Kasiski

Tracking System Detector and Front-End Electronics Weronika Zubrzycka, Krzysztof Kasiski

Noise Performance Analysis for the Silicon Tracking System Detector and Front-End Electronics Weronika Zubrzycka, Krzysztof Kasiski zubrzycka@agh.edu.pl, kasinski@agh.edu.pl Department of Measurement and Electronics AGH University of Science

687 views • 19 slides
PPD At PPD, our purpose is to improve health, our mission is to help our customers deliver

PPD At PPD, our purpose is to improve health, our mission is to help our customers deliver

PPD At PPD, our purpose is to improve health, our mission is to help our customers deliver life-changing therapies and our strategy is to bend the cost and time curve of drug development and optimize value 1 PPD At PPD, our five Defining

336 views • 6 slides

More recommend