Speaker Archive: 2022

A look at the year just past

• 2021 was not a good year for privacy/security professionals
• 30 000 website hacks every day
• More DDOS

• Ransomware attacks rampant
• Largest ransom (that we know of) paid by Acer of $50M.

• Frequency of successful attacks has lowered slightly in the last couple of years

• People seem to be a common threat vector to exploit
• Ransomware
• Phishing
• Covid (800M emails daily)

• Business email compromise rising as a real phishing threat

• Ransomware
• 1/4 organizations are paying the ransom
• Only 1% of victims did not get their data back after paying
• Criminals are working hard to establish a reputation of being honest

• Western Europe/North America are not the regions the most affected by mobile malware
• Iran most affected (30% of phones)

• Cybercrime: $10 trillion in losses per year globally
• Phishing alone is $1.48 billion

• The defence/protect market is now $40B/year in revenue

• WhatÂ’s holding back from dealing with threats?
• Lack of budget
• Lack of skilled experts
• No 3rd party validation of how well the solutions are working

Fast fully oblivious compaction and shuffling

• What are oblivious algorithms
• An adversary looking at the execution cannot tell what the private data is
• Operate on private data, on machine controlled by adversary (even OS)

• SGX
• External and protected memory
• Protected memory not so protected
• Someone with OS/BIOS can see what pages/cache lines you access
• Memory is not so protected

• Obliviousness
• [External-memory, protected-memory, page, cache line, word]-oblivious + control flow oblivious
• All together: fully oblivious
• Full obliviousness is uncommon
• Key tools: OSWAPs, FOAV
• CanÂ’t have conditional branches dependent on private data

• Compaction: array of items
• Some of the items are marked (red)
• Put all the items marked on the left of the array, the rest (white) on the right
• OS shouldnÂ’t be able to say which items are marked and how many there are

• Shuffling
• OS should not know the original state

• Oblivious shuffle + Non-oblivious Sort = Oblivious Sort
• Random Labels + Oblivious Sort = Oblivious Shuffle

• Fully oblivious compaction
• ORCompact, covered by Sajin
• 2-4x better and parallelisms much better
• New: (1/2)nlog(n) vs Old: n(log(n)-2) OSWAPs
• Note: not order-preserving

• Fulling oblivious shuffling
• State-of-the-art: Bitonic Shuffle (1968)
• 2 new algorithms: Oblivious recursive shuffle (ORShuffle) and Streaming Bucket Oblivious Random Permutation (BORPStream)
• ORShuffle always outperforms Bitonic Shuffle (~2x for small block sizes)
• BORPStream outperforms both for large problem sizes (large N & large b)
• BORPStream is also very useful for streaming scenario, where Phase 2 time is much faster than Bitonic and ORShuffle.

• ORShuffle = Mark Half + ORCompact + Recurse Left and Right
• (1/4)nlog(n)(log(n)+1) OSWAPs
• Same as Bitonic Shuffles but donÂ’t need to add random labels
• So for small items, outperforms ~x2

• BORPStream
• Start with BORP
• Try to make it fully oblivious in the obvious way with ORCompact
• Terrible performance
• Different approach: stream data items through the butterfly network as they arrive
• Each buffer in the butterfly network is a Merge Split Node
• Alternates between either output streams
• Can use dummy packets
• Perform OSWAPs to send packets the right way in oblivious way
• When all items are in, flush buffers
• Each item ends up in a random output bucket
• Use ORCompact on each bucket to remove dummies
• Use ORShuffle on the reals to randomize the buckets
• Concatenate the buckets to get the output
• Analytical performance
• Phase 1: 2nsd
• Phase 2: funny long math formula: [flush buffers]+[compact]+[shuffle]

• Takeaways
• Fully oblivious algorithms are vital to SGX
• Need tools like FOAV
• New oblivious compaction (ORCompact) and shuffling (ORShuffle and BORPStream) outperform prior work.

Blinded Computation

• Scenario: outsourced computation
• Goal: runt he serverÂ’s confidential code over clientÂ’s confidential data
• Initial target: outsourced ML inference training

• How can client avoid revealing data to the service provider
• Fully-Homomorphic Encryption: slow
• MPC: slow

• Hardware-based isolation

• Trusted Execution Environment
• Side channel attacks are a challenge
• Integrity guarantees
• Limited confidentiality guarantees
• Sealed-glass model of computation
• Can look inside but not interfere

• Solutions
• Second TEE
• Can protect system data
• Can be fixed-function
• Confidential processing on isolated processor

• Cloud service, current TEEs: High performance, low confidentiality
• FHE: High confidentiality, low performance

• The approach
• “Safe” streams of instructions donÂ’t expose sensitive data
• Allowed:
• Computation on sensitive data
• Prohibited
• Writing to peripherals of sensitive data
• Leaking of sensitive data
• Method
• Use taint-tracking to limit sensitive data to safe places
• Use remote attestation to assure the client that taint-tracking is applied
• Taint-tracking policy
• Registers/memory have an associated “sensitive” bit
• Ideal rule:
• Sensitive (output) <- Sensitive (input) and depends (output on input)

• System model
• 1. Handshake (ind. remote attestation)
• 2. Shared secret key
• 3. Data import (inputs)
• Sensitivity=1
• Decrypt
• 4. Safe (“blinded”) computation
• Enforced by HW
• 5. Data export (result)
• Encrypt
• sensitivity=0

• Problem: So far, one sensitivity bit for many clients
• Data can be sent to the wrong client
• Need a different sensitivity domain for each client
• Solution 1 Isolation by honest-but-curious server OS (e.g. ScL 4)
• OS keep track of sensitivity domains
• Only needs 1 sensitivity bit
• Solution 2: Hardware support for multiple sensitivity domains
• Hardware keeps track of sensitivity domain
• Requires more memory & more complex

• Emulation & RTL
• Implemented in Spike and in Verilog (Ibex)
• Tagged Memory
• Approximation can be overridden for specific instructions

• Taint-propagation rule must consider many different observable outputs
• Not all these outputs can be marked as sensitive

• Exceptions
• Example: data-dependent exceptions
• Division by zero
• Instruction must not raise an exception on data-dependent conditions
• Solution
• Unconditional faults
• Set a sensitive error flag

• Flag-based error handling
• Challenge: common error-handling patterns have some leakage
• Solution: modify APIs to produce output and an error flag

• Generating compliant code with LLVM
• Creating compliant code by hand is error prone
• Solution: taint-tracking compiler

• Formal verification in F*
• Goal: changes in sensitive state never affect non-sensitive state

Color My World feat. ARM Memory Tagging Extension

• Tag memory to:
• Track sensitive data (1)
• Provide data-flow integrity (2)
• Prevent memory errors (3)

• (1) Prevent unsafe instructions from running
• Also track taint in registers
• (2) Check based on static information
• Data-flow graph, type information
• Writes/read instrumented to set/check tag
• (3) Assign tags to pointers
• Assign tags at run-time
• Can use random tagging

• ARM Memory Tagging Extension (MTE)
• 4-bit tags
• 16-byte tagging granularity
• Stores address tag in pointer
• Stores memory tag in tag memory

• MemTag Sanitizer
• Ostensibly the “intended use-case” of ARM MTE
• Assign random tag on allocation
• Mitigates both spacial and temporal memorial errors
• Prevents some buffer overflows
• Omits tagging of safe allocations based on static analysis
• Weak adversary model
• Relatively low entropy for statistical defence
• No verification of address tags

• Adversary Model
• Strong adversary
• Exploit a memory vulnerability
• Read arbitrary memory
• Implications
• Tags known and no need to guess
• Can repeat until tags match
• Memory tags can be forged
• PAuth can mitigate, but replay possible
• What about MemTagSanitizer
• Mostly statistical defence

• Their Work
• Deterministic tagging
• Based on static analysis
• Isolation of safe memory allocations
• No reliance on confidentiality
• Reserve default tag for safe allocations
• Unsafe allocations tagged/untagged
• Tag-forgery prevention
• Explicitly (re)tag any unsafe pointers

• Safety analysis
• Find allocations that are
• Memory safe
• Functionally safe with tagging
• Pointer safe
• Implemented as two analysis passes
• Local pre-function Function Pass
• Global Module Pass
• Extending Stack Safety Analysis

• Tag forgery prevention
• Explicitly unset safe tag when needed:
• Loading from unsafe memory
• Performing unsafe pointer arithmetic
• Detecting unsafe memory at run-time?
• Rely on tag forgery prevention
• Only pointer to safe can have safe tag

• Guarded allocations
• Functionally safe or crashing allocations
• Uses scalar-evolution
• Analysis checks overflow properties

• Pointer safe allocations
• Most apply tag forgery prevention to pointers corrupted in safe allocations

• Cost
• Strong isolation of safe allocations
• Performance overhead
• Memory overhead

• Future Work
• Optimize instrumentation
• Combine with different front-ends
• Support language annotations

Contrast between research interest and industry interest

• Five examples
• Optimistic Fair exchange -> doctoral research
• Generic Authentication Architecture
• Channel Binding in Protocol Composition
• Secure Device Pairing
• On-board credentials

• Fair Exchange
• How can two mutually distrusting parties exchange digital “items” on the Internet?
• Existing Solutions:
• Trusted Third Party protocols
• Gradual Exchange protocols
• Design Choices
• Common case: both want to complete the exchange
• Efficient in common case
• Allow recovery in case of exceptions
• Requirements
• Effectiveness
• Fairness
• Timeliness
• (Non-invasive)

• Optimistic fair exchange
• Exchange permit before the exchange of items in case one of the parties does not do its part
• Recovery protocol using the permits and the third party authority

• Verifiable Encryption
• Analogy: jewelry in a glass box: can see but canÂ’t touch
• Verifiable encryption of discrete logs

• From verifiable encryption to permits
• A-exp: desc of B_item
• A-permit: verifiable encryption A-exp + A-item

• Pre-paid coupons from the TTP to be used for every optimistic transaction

• The aftermath
• Someone has to run the third party
• Monetize every transaction!
• Two decades on, current status:
• Reputation systems
• In-line TTP (e.g., E-bay escrow service)
• Continuing “impact” in research circles!
• Impact in academy (success) vs real world impact (failure)

• Lessons learned
• DonÂ’t just guess security requirements: Ask stakeholders
• Desiderata for deployment and research can be different
• “The more (independent) parties you require for your scheme, the less likely it will be deployed”
• Capturing researcher interest does not always lead to a Tech Transfer Impact
• MANETs anyone?
• “90-10” rule applies to deploying security
• “Good enough beats perfect”

Non-Malleable Secret Sharing

• Secret Sharing
• Security: Any authorized set of parties can reconstruct the secret
• Privacy

• Robustness
• Adversary has access to a subset of the shares
• E.g. uses a combinatorial structure: difference sets

• Verifiability
• Introduces verify algorithm which can be used to verify the validity of the shares

• Non-malleable crypto
• ~ early 2000Â’s
• Impossible to generate a different cipher text such that the respective plaintext are related

• Definition #1
• Prevent any tampering of shares (verifiable by the shareholder)
• Not a formal definition
• Stronger notion than verifiability?
• Share concatenated to the public key are encrypted
• Provides the some level of confidentiality

• Definition #2
• Corrupt players cannot modify their shares without being caught during reconstruction
• IPS-Malleability game

• Definition #3
• Secret sharing scheme recovers the original or something entirely unrelated
• The adversary given t shares to modify wins if the reconstruction algorithm outputs a valid secret sÂ’ not equal to s such that sÂ’ ~ s
• Independent tampering: t-non-communicating adversaries are given a single share each they can modify

Towards meaningful consent for private computation

• What is privacy?
• Technical
• Conceptual
• Legal
• Usable

• Technical privacy risk?
• Define, what is being protected, from who and under what conditions this protection will hold

• Legal Privacy Risk
• Who, can do what, under what conditions
• Enforced by laws & sanctions

• Data Subject Privacy Risk?
• Financial
• Professional
• Societal
• Safety
• Right to privacy

• Data Sharing Literature
• Mobile permissions
• Purpose/Type
• Privacy Policies
• Dark Patterns
• Differential Privacy

• Companies can now claim somewhat ownership of the data they collect on you and sell it to other companies (Google & MasterCard)
• Building Private Computations
• Trade-offs between privacy, accuracy and efficiency

• Meaningful consent: three proposed perception vectors
• Privacy Mechanisms
• Sharing Structure
• Perceived risk

• Questions about sharing structures
• How does the overall acceptability vary across different types of multiparty collaborations?
• How does acceptability vary in multiparty data collaborations

• Survey Overview
• Participant set is N=916
• Each participant received 1 out of 12 scenarios
• 5-point semantic scale
• Wording of statements have a strong influence on the user reactions (indefinitely vs in-use)

• Lesson 1: Disambiguate third parties
• Qualitative beginning: Interview Studies
• Comprehension, consent and conditions
• Lesson 2: Determine the influence of privacy guarantees versus risk
• Lesson 3: Determine how to communicate to data subjects how their data is being protected

Backward Symbolic Execution

• Fast and Reliable Formal Verification of Smart Contract with the Move Prover
• Forward Symbolic Prover
• Path-based exploration
• Transforms a path into a logic expression
• Proves the logic expression
• Path explosion
• 2^l paths where l is the number of layers in the program

• Backward symbolic execution
• Why backwards?
• Hide the path explosion problem behind the SMT solver with an explosion of variables
• Convert program into a dynamic single assignment CDSAS
• Do a topological sort
• Walk-up process: recursive process
• Walk backwards up the chain to get back B0 and then send B0 to the solver

• Comparison
• Forward: less free variables and much more human readable. However you need to prove it for all paths

• Forward symbolic execution, again
• Learned from backwards
• Topological sorting is great
• SMT solvers are capable of handling large sets of fresh variables
• Can we use these to improve forward symbolic execution?
• Walk-down process

• For complex programs, SMT solver might not be able to process B0 -> go back to some Bk -> send it to the solver
• Concretize a portion of the free variables
• Repeat until B0 can be handled

• This workflow applies also to Automated Exploit Generation (AEG)

• Conclusion: SMT solvers are magic

Bad Characters: Imperceptible NLP attacks

• NLP Models
• Transformer-based encoder-decoder models: sequence-to-sequence

• Adversarial NLP
• Human Perceptible changes:
• Input swaps with synonyms
• Misspellings
• Paraphrasing
• Neighbours of input sequences in an embedded space
• Human imperceptible changes?
• Gap between visualization and NLP pipelines
• Exploit glyphs
• Invisible characters: characters with no visible glyph
• U+200B -> zero width space
• Homoglyphs: different characters that look similar
• Reordering
• Deletions

• Attack Methodology
• Black-box threat model
• Integrity Attack
• Availability Attack

• Generating Adversarial examples
• Differential genetic evolution

• Evaluations
• Machine Translation
• Integrity & availability attacks
• Toxic content detection
• Textual entailment attacks
• Named Entity Recognition Attack
• Sentiment Analysis Attack

• Search Engine Attack
• Attack on Searching
• Attack on Indexing

• Defenses:
• Optical Character Recognition
• Render Input
• Interpret input with OCR
• Feed output to NLP model

Privacy-preserving RNNs

• Privacy concern with user data when training ML models

• Privacy-preserving Machine Learning (PPML)
• Private
• Distributed
• Confidential
• Scenarios
• Clear training, private inference (#1)
• Private training, private inference (#2)

• Private Training approaches
• Differential Privacy
• Degraded utility
• SMPC
• Honest-majority assumptions
• High communication overhead

• Multiparty homomorphic encryption
• Public collective key
• Secret-shared secret-key
• Allows “all-but-one” collusion
• Enc2Share and Share2Enc functionality
• Achieves confidentiality

• RNN
• Recurrent Neural-Network
• Retains information through time
• Takes time sequences
• Problem: sequential repeated operation
• Blows up approximations

• Literature
• Crypto-RNN
• Scenario #1
• New ways to compute activation functions (approximations, Â…)
• Cipher text “refresh” frequency
• Split Learning (Fed-SL)
• Model cut in several consecutive segments
• Scenario #2
• Just intermediate computations are shared

• Design Challenges
• Non-linear activation function
• Minimax poly approximation
• Heavy homomorphic operations
• New cipher text packing scheme
• Exploding gradients
• Large circuit depth

ML-based adversarial example generation for Image Classification Deep-Learning Models

Proving the security of Schnorr

• Signature scheme
• 3 part protocol
• Secret key, public key
• Random Oracle Model
• Aka “programmable” random oracle model
• Simulation of Schnorr
• Want to show unforgreability of Schnorr Signatures
• Show that an adversary that can break it can break the Discrete Log problem
• Needs the forking lemma
• Shows reduction to Discrete Log
• Also been proved to be secure using the Algebraic Group Model (AGM)
• Also reduces to Discrete Log
• Reduction to one more discrete logarithm
• Take aways
• Schnorr signatures are simple, but proving their security has nuances
• Other models allow for tighter reductions but require non-standard assumptions

Recent work on ORAM

• MPC with Random Access
• Previous solution
• Touch every single element in the memory for every access
• O(n) memory complexity
• Floram (CCS2017)
• Read and write to private index i.
• Lay data linearly
• Use distributed point functions
• Access complexity O(n)
• MPC server
• From userÂ’s perspective O(sqrt(n))
• Point function:
• 0 everywhere except at one point
• Floram
• Store the database as XOR shares
• Read, write, refresh using XOR shares and DPF
• DuORAM
• More expensive DPF generation and expansion to “pre-processing”
• Avoid “refresh”
• Pre-processing
• Two main problems
• What to write
• Where to write
• Can we postpone what to write?
• Defoliated DPFs
• Postponing of where to write
• Use cyclic shifts
• Avoiding the refresh
• Can we re-use blinded shares?
• They are “wrong” only in one location
• Linear cost DPF generation
• New protocol with O(long) communication and computation
• Uses LowMC based block-cipher
• Conditional swaps
• Summary
• Constant amortized online communication cost
• Offline cost of O(long) is acquired in the MPC generation phase
• Use of computational PIR can turn that into a 2-party protocol

Obfuscated VN and UDP based PTs

• LEAN Encryption Access Project
• White label VPN
• Recent increase of usage in LeapVPN (Russia-Ukraine War)
• They are working on offs 4 over UDP and Snowflake
• Fingerprintability of Open VPN
• Op codes and ACK sequences are fingerprintable features
• Commercial VPNs fail to implement obfuscation to hide these features
• Mitigations
• Short-term
• No co-location
• Random padding
• Less predictable HS failure
• Long-term
• Standardized obfuscation solutions (PTs)
• Transparency around methods used
• UDP based pluggable transports (PTs)
• Excitement around HTTP/3 protocols (QUICK/KCP/SCTP)
• Paper: Web Censorship measurements of HTTP/3 over QUICK
• Obfuscation
• Obsf4
• Requires TCP

IHOP: Iteration Heuristic for (Quadratic) Optimization Problems

• Gonna present this talk at USENIX later this year
• Overview: Searchable Encryption
• Leakage of the access pattern
• Enough for serve to recover some contents from certain files
• Statistical attack
• Leakage & Adversary model
• Auxiliary Information
• Adv. builds volume co-occurrence matrix
• Adv. Goal: match keyword to tokens sent by Alice
• Quadratic Assignment Problem (QAP)
• Finding a permutation matrix
• NP-hard
• Simplification:
• Linear Assignment Problem (LAP)
• Lots of wasted of information, but it is efficient
• IHOP
• Solve LAP with a fixed/frozen row/column that are used as auxiliary information
• “Cats are in boxes” -> extra information
• Improves the estimations
• Significantly outperforms previous work
• Overview of Pancake
• Smoothens access frequency
• Makes it uniform
• Batch each query with 2 other queries
• What if there are query dependencies
• Transitions are not uniform anymore
• Pancake is still very effective but it can be attacked
• Accuracy against pancake under different settings/datasets ranges from ~20 to 60%
• Sneak Peek
• Using ML for SubGrap Matching

Towards Effective Measurement of Membership Privacy Risk for Machine Learning Models

• ML models are currently widely adopted
• Occasionally trained on sensitive data
• Membership Inference Attack
• Infer whether a data record sampled from data distribution was in the training data
• Cause: ML model memorizes some training data records making them vulnerable to inference attacks
• Model is more confident on seen training data than unseen testing data
• Why do we care about membership privacy risk?
• Regulatory requirements
• Membership inference attacks (MIAs) leak sensitive training data
• Desiderata for measuring risk:
• Fine-grained: privacy of individual training records
• Attack agnostic: independent of specific MIAs
• Effective
• Applicable
• No previous work satisfies all of the desiderata (some come close)
• Indistinguishability Game
• Distinguish between 2 settings (D vs D+x)
• Adversary queries the model and tries to identify the setting
• Inefficient
• Shapley Values: alternative to the leave-one-out approach
• Game-theoretic approach to equitably assign utility among different players
• Can they be an effective and efficient membership privacy risk measurement value
• Shapley Values Properties
• Semantic Meaning
• Additive
• Heterogeneous
• R1: fine-grained
• R2: attack-agnostic
• But not efficient
• SHAPr: Computing Shapley values via KNN
• R3: evaluating effectiveness of SHAPr
• Privacy risk over sensitive subgroups
• SHAPr inherits applicability to data valuation.
• Defences: effect of noise addition
• Add noise to training data records to lower their privacy risk
• Not a very effective defence
• Defences: Data removal of high risk records
• Does not improve privacy
• Defences: evaluating L2 Regularization
• Kind of works
• R5: SHAPrÂ’s efficiency
• Executing from 2 to 90 min (one-time cost)
• 100x faster than naive leave-one-out approach
• Summary
• SHAPr is a tool for model builders to asses the membership privacy risk

Privacy for Free: How does Dataset Condensation Help Privacy?

• Problem
• Privacy attacks on ML models
• Issues with DP-generators?
• Low utility induced by DP lowers model accuracy unless more data is available
• Solution
• Dataset Condensation
• Paper introduces DC as a replacement for the DP-generator
• Theoretical Analysis Results
• Prove that linear DC extractors follow the concept of DP that one element does not greatly change the model parameter distribution
• Empirical Results
• DC-synthesized data are not perceptually similar to the original data and cannot be reversed using similarity metrics
• Discussion
• Where is the trade-off? It sounds like free lunch.

SignalÂ’s Sealed Sender Service, Summarized:

Signatures Sent Secretly Simply Secure State

• SignalÂ’s metadata protection and the guarantees it provides.
• Metadata: data about data
• Example: WhatsApp: only encrypts the messages but not the metadata
• And it shares it to governments
• Protecting metadata:
• Sealed Sender
• Keep at little state as possible on their server
• Messages are end-to-end encrypted and metadata is usually not recorded
• Signal is working towards hiding another piece of metadata: who is messaging whom
• Also trying to provide provable guarantees around protecting metadata.
• Sealed Sender
• Encrypt the sender as part of the message content
• Signal checkmarks
• One when message is received by Signal
• Another one when the message is received by the intended recipient
• Statistical disclosure attack risk.
• Can create batches of people that receive message soon after Bob sent a message
• In the aggregate with random samples allows to distinguish who is talking to Bob.

Private Collaborative Data Cleaning

We introduce and investigate the privacy-preserving version of collaborative data cleaning. With collaborative data cleaning, two parties want to reconcile their data sets to filter out badly classified, misclassified data items. In the privacy-preserving (private) version of data cleaning, the additional security goal is that parties should only learn their misclassified data items, but nothing else about the other party's data set. The problem of private data cleaning is essentially a variation of private set intersection (PSI), and one could employ recent circuit-PSI techniques to compute misclassifications with privacy. However, we design, analyze, and implement three new protocols tailored to the specifics of private data cleaning that significantly outperform a circuit-PSI-based approach. With the first protocol, we exploit the idea that a small additional leakage (the size of the intersection of data items) allows for runtime and communication improvements of more than one order of magnitude over circuit-PSI. The other two protocols convert the problem of finding a mismatch in data classifications into finding a match, and then follow the standard technique of using oblivious pseudo-random functions (OPRF) for computing PSI. Depending on the number of data classes, this leads to either total runtime or communication improvements of up to two orders of magnitude over circuit-PSI.

Cryptographically authenticated in-memory data structures, or: How to build secure software without secure memory

Memory safety vulnerabilities continue to be a major issue for software today, and can give attackers read-write access to any data that a program stores in memory. In this talk I discuss how to cryptographically protect the data in memory and, more generally, the problem developing secure software when the contents of memory cannot be trusted.