MLCapsule: Guarded Offline Deployment of Machine Learning as a Service

With the widespread use of machine learning (ML) techniques, ML as a service has become increasingly popular. In this setting, an ML model resides on a server and users can query it with their data via an API. However, if the user's input is sensitive, sending it to the server is undesirable and sometimes even legally not possible. Equally, the service provider does not want to share the model by sending it to the client for protecting its intellectual property and pay-per-query business model. In this paper, we propose MLCapsule, a guarded offline deployment of machine learning as a service. MLCapsule executes the model locally on the user's side and therefore the data never leaves the client. Meanwhile, MLCapsule offers the service provider the same level of control and security of its model as the commonly used server-side execution. In addition, MLCapsule is applicable to offline applications that require local execution. Beyond protecting against direct model access, we couple the secure offline deployment with defenses against advanced attacks on machine learning models such as model stealing, reverse engineering, and membership inference

Migrating SGX Enclaves with Persistent State

Hardware-supported security mechanisms like Intel Software Guard Extensions (SGX) provide strong security guarantees, which are particularly relevant in cloud settings. However, their reliance on physical hardware conflicts with cloud practices, like migration of VMs between physical platforms. For instance, the SGX trusted execution environment (enclave) is bound to a single physical CPU. Although prior work has proposed an effective mechanism to migrate an enclave's data memory, it overlooks the migration of persistent state, including sealed data and monotonic counters; the former risks data loss whilst the latter undermines the SGX security guarantees. We show how this can be exploited to mount attacks, and then propose an improved enclave migration approach guaranteeing the consistency of persistent state. Our software-only approach enables migratable sealed data and monotonic counters, maintains all SGX security guarantees, minimizes developer effort, and incurs negligible performance overhead

BISEN: Efficient Boolean Searchable Symmetric Encryption with Verifiability and Minimal Leakage

The prevalence and availability of cloud infrastructures has made them the de facto solution for storing and archiving data, both for organizations and individual users. Nonetheless, the cloud’s wide spread adoption is still hindered by dependability and security concerns, particularly in applications with large data collections where efficient search and retrieval services are also major requirements. This leads to an increased tension between security, efficiency, and search expressiveness, which current state of the art solutions try to balance through complex cryptographic protocols that tradeoff efficiency and expressiveness for near optimal security. In this paper we tackle this tension by proposing BISEN, a new provably-secure boolean searchable symmetric encryption scheme that improves these three complementary dimensions byexploring the design space of isolation guarantees offered by novel commodity hardware such as Intel SGX, abstracted as Isolated Execution Environments (IEEs). BISEN is the first scheme to enable highly expressive and arbitrarily complex boolean queries, with minimal information leakage regarding performed queries and accessed data, and verifiability regarding fully malicious adversaries. Furthermore, by exploiting trusted hardware and the IEE abstraction, BISEN reduces communication costs between the client and the cloud, boosting query execution performance. Experimental validation and comparison with the state of art shows that BISEN provides better performance with enriched search semantics and security properties

Witness Authenticating NIZKs and Applications

We initiate the study of witness authenticating NIZK proof systems (waNIZKs), in which one can use a witness $w$ of a statement $x$ to identify whether a valid proof for $x$ is indeed generated using $w$. Such a new identification functionality enables more diverse applications, and it also puts new requirements on soundness that: (1) no adversary can generate a valid proof that will not be identified by any witness; (2) or forge a proof using some valid witness to frame others. To work around the obvious obstacle towards conventional zero-knowledgeness, we define entropic zero-knowledgeness that requires the proof to leak no partial information, if the witness has sufficient computational entropy. We give a formal treatment of this new primitive. The modeling turns out to be quite involved and multiple subtle points arise and particular cares are required. We present general constructions from standard assumptions. We also demonstrate three applications in non-malleable (perfectly one-way) hash, group signatures with verifier-local revocations and plaintext-checkable public-key encryption. Our waNIZK provides a new tool to advance the state of the art in all these applications

Privacy and security protection in cloud integrated sensor networks

Wireless sensor networks have been widely deployed in many social settings to monitor human activities and urban environment. In these contexts, they acquire and collect sensory data, and collaboratively fuse the data. Due to resource constraint, sensor nodes however cannot perform complex data processing. Hence, cloud-integrated sensor networks have been proposed to leverage the cloud computing capabilities for processing vast amount of heterogeneous sensory data. After being processed, the sensory data can then be accessed and shared among authorized users and applications pervasively. Various security and privacy threats can arise when the people-centric sensory data is collected and transmitted within the sensor network or from the network to the cloud; security and privacy remain a big concern when the data is later accessed and shared among different users and applications after being processed. Extensive research has been conducted to address the security and privacy issues without sacrificing resource efficiency. Unfortunately, the goals of security/privacy protection and resource efficiency may not be easy to accomplish simultaneously, and may even be sharply contrary to each other. Our research aims to reconcile the conflicts between these goals in several important contexts. Specifically, we first investigate the security and privacy protection of sensory data being transmitted within the sensor network or from the sensor network to the cloud, which includes: (1) efficient, generic privacy preserving schemes for sensory data aggregation; (2) a privacy-preserving integrity detection scheme for sensory data aggregation; (3) an efficient and source-privacy preserving scheme for catching packet droppers and modifiers. Secondly, we further study how to address people\u27s security and privacy concerns when accessing sensory data from the cloud. To preserve privacy for sensory data aggregation, we propose a set of generic, efficient and collusion-resilient privacy-preserving data aggregation schemes. On top of these privacy preserving schemes, we also develop a scheme to simultaneously achieve privacy preservation and detection of integrity attack for data aggregation. Our approach outperforms existing solutions in terms of generality, node compromise resilience, and resource efficiency. To remove the negative effects caused by packet droppers and modifiers, we propose an efficient scheme to identify and catch compromised nodes which randomly drop packets and/or modify packets. The scheme employs an innovative packet marking techniques, with which selective packet dropping and modification can be significantly alleviated while the privacy of packet sources can be preserved. To preserve the privacy of people accessing the sensory data in the cloud, we propose a new efficient scheme for resource constrained devices to verify people\u27s access privilege without exposing their identities in the presence of outsider attacks or node compromises; to achieve the fine-grained access control for data sharing, we design privacy-preserving schemes based on users\u27 affiliated attributes, such that the access policies can be flexibly specified and enforced without involving complicated key distribution and management overhead. Extensive analysis, simulations, theoretical proofs and implementations have been conducted to evaluate the effectiveness and efficiency of our proposed schemes. The results show that our proposed schemes resolve several limitations of existing work and achieve better performance in terms of resource efficiency, security strength and privacy preservation