868 research outputs found
Lime: Data Lineage in the Malicious Environment
Intentional or unintentional leakage of confidential data is undoubtedly one
of the most severe security threats that organizations face in the digital era.
The threat now extends to our personal lives: a plethora of personal
information is available to social networks and smartphone providers and is
indirectly transferred to untrustworthy third-party and fourth-party
applications.
In this work, we present a generic data lineage framework LIME for data flow
across multiple entities that take two characteristic, principal roles (i.e.,
owner and consumer). We define the exact security guarantees required by such a
data lineage mechanism toward identification of a guilty entity, and identify
the simplifying non-repudiation and honesty assumptions. We then develop and
analyze a novel accountable data transfer protocol between two entities within
a malicious environment by building upon oblivious transfer, robust
watermarking, and signature primitives. Finally, we perform an experimental
evaluation to demonstrate the practicality of our protocol.
PriCL: Creating a Precedent A Framework for Reasoning about Privacy Case Law
We introduce PriCL: the first framework for expressing and automatically
reasoning about privacy case law by means of precedent. PriCL is parametric in
an underlying logic for expressing world properties, and provides support for
court decisions, their justification, the circumstances in which the
justification applies as well as court hierarchies. Moreover, the framework
offers a tight connection between privacy case law and the notion of norms that
underlies existing rule-based privacy research. In terms of automation, we
identify the major reasoning tasks for privacy cases such as deducing legal
permissions or extracting norms. For solving these tasks, we provide generic
algorithms that have particularly efficient realizations within an expressive
underlying logic. Finally, we derive a definition of deducibility based on
legal concepts and subsequently propose an equivalent characterization in terms
of logic satisfiability.
Comment: Extended version
Examining Spillover Effects from Teach For America Corps Members in Miami-Dade County Public Schools
Despite a large body of evidence documenting the effectiveness of Teach For America (TFA) corps members at raising the math test scores of their students, little is known about the program's impact at the school level. TFA's recent placement strategy in the Miami-Dade County Public Schools (M-DCPS), where large numbers of TFA corps members are placed as clusters into a targeted set of disadvantaged schools, provides an opportunity to evaluate the impact of the TFA program on broader school performance. This study examines whether the influx of TFA corps members led to a spillover effect on other teachers' performance. We find that many of the schools chosen to participate in the cluster strategy experienced large subsequent gains in math achievement. These gains were driven in part by the composition effect of having larger numbers of effective TFA corps members. However, we do not find any evidence that the clustering strategy led to any spillover effect on school-wide performance. In other words, our estimates suggest that extra student gains for TFA corps members under the clustering strategy would be equivalent to the gains that would result from an alternate placement strategy where corps members were evenly distributed across schools
Introducing Accountability to Anonymity Networks
Many anonymous communication (AC) networks rely on routing traffic through
proxy nodes to obfuscate the originator of the traffic. Without an
accountability mechanism, exit proxy nodes risk sanctions by law enforcement if
users commit illegal actions through the AC network. We present BackRef, a
generic mechanism for AC networks that provides practical repudiation for the
proxy nodes by tracing back the selected outbound traffic to the predecessor
node (but not in the forward direction) through a cryptographically verifiable
chain. It also provides an option for full (or partial) traceability back to
the entry node or even to the corresponding user when all intermediate nodes
are cooperating. Moreover, to maintain a good balance between anonymity and
accountability, the protocol incorporates whitelist directories at exit proxy
nodes. BackRef offers improved deployability over the related work, and
introduces a novel concept of pseudonymous signatures that may be of
independent interest.
We exemplify the utility of BackRef by integrating it into the onion routing
(OR) protocol, and examine its deployability by considering several
system-level aspects. We also present the security definitions for the BackRef
system (namely, anonymity, backward traceability, no forward traceability, and
no false accusation) and conduct a formal security analysis of the OR protocol
with BackRef using ProVerif, an automated cryptographic protocol verifier,
establishing the aforementioned security properties against a strong
adversarial model.
Towards Realizability Checking of Contracts using Theories
Virtual integration techniques focus on building architectural models of
systems that can be analyzed early in the design cycle to try to lower cost,
reduce risk, and improve quality of complex embedded systems. Given appropriate
architectural descriptions and compositional reasoning rules, these techniques
can be used to prove important safety properties about the architecture prior
to system construction. Such proofs build from "leaf-level" assume/guarantee
component contracts through architectural layers towards top-level safety
properties. The proofs are built upon the premise that each leaf-level
component contract is realizable; i.e., it is possible to construct a component
such that for any input allowed by the contract assumptions, there is some
output value that the component can produce that satisfies the contract
guarantees. Without engineering support it is all too easy to write leaf-level
components that can't be realized. Realizability checking for propositional
contracts has been well-studied for many years, both for component synthesis
and checking correctness of temporal logic requirements. However, checking
realizability for contracts involving infinite theories is still an open
problem. In this paper, we describe a new approach for checking realizability
of contracts involving theories and demonstrate its usefulness on several
examples.
Comment: 15 pages, to appear in NASA Formal Methods (NFM) 201
Stealing Links from Graph Neural Networks
Graph data, such as chemical networks and social networks, may be deemed
confidential/private because the data owner often spends lots of resources
collecting the data or the data contains sensitive information, e.g., social
relationships. Recently, neural networks were extended to graph data, which are
known as graph neural networks (GNNs). Due to their superior performance, GNNs
have many applications, such as healthcare analytics, recommender systems, and
fraud detection. In this work, we propose the first attacks to steal a graph
from the outputs of a GNN model that is trained on the graph. Specifically,
given a black-box access to a GNN model, our attacks can infer whether there
exists a link between any pair of nodes in the graph used to train the model.
We call our attacks link stealing attacks. We propose a threat model to
systematically characterize an adversary's background knowledge along three
dimensions which in total leads to a comprehensive taxonomy of 8 different link
stealing attacks. We propose multiple novel methods to realize these 8 attacks.
Extensive experiments on 8 real-world datasets show that our attacks are
effective at stealing links, e.g., AUC (area under the ROC curve) is above 0.95
in multiple cases. Our results indicate that the outputs of a GNN model reveal
rich information about the structure of the graph used to train the model.
Comment: To appear in the 30th Usenix Security Symposium, August 2021,
Vancouver, B.C., Canada
Biodiversity protection: measurement of output
The term biodiversity conservation can be applied to efforts to conserve genetic
diversity, species diversity and ecosystem diversity. This paper focuses on
efforts to conserve species and ecosystem diversity. Efforts to reduce, or halt
this rapid loss of species and ecosystems involve significant costs. Environment
Department staff of the World Bank report that in Africa alone it has financed
or managed for the Global Environmental Facility, 118 projects with
biodiversity elements worth US 72.5
million or 46.8% of the Department of Conservation budget Department of
Conservation (1998a).
These expenditures are argued to be insufficient to stem the losses of
biodiversity. Globally, extrapolation of loss rates to numbers of species currently
at risk, suggests that biodiversity losses will climb to 200-1500 times the
background level and wipe out all currently threatened species (Pimm et al 1995
quoted in Ministry for the Environment 1997). The New Zealand Department
of Conservation (1998a) judge that .. , "[w]hile there is a lack of detailed
information .. , current conservation efforts are insufficient to stem the decline
in the health of indigenous biodiversity on the publicly conserved estate."
Annual expenditures on possum and feral goat control are only sufficient to
cover two thirds and half respectively of the areas necessary to provide
sustainable control of those pests Department of Conservation (1998a). The
Draft Biodiversity Strategy released on 20 January 1999 outlines proposals to
halt the decline of indigenous New Zealand biodiversity. The NPV of the
proposed expenditures over 20 years is $412 million MFE/DOC (1999). Halting
biodiversity decline will be costly.
Because resources available for biodiversity protection are limited, economic
efficiency questions are asked about biodiversity protection projects and
programmes. A US ecologist Dr Jared Diamond, has offered high praise for
some aspects of New Zealand's conservation management ... "The
contributions of New Zealand's conservation biologists [have provided] the
most imaginative and cost-effective conservation programme in the world"
(Diamond 1990).
Surprisingly little research appears to exist documenting the performance or
the cost effectiveness of conservation programmes. But the quotations above
illustrate that despite problems of data availability, judgments are made on the
contribution and merit of biodiversity protection activities. Given the issue
faced both nationally and globally - declining health of indigenous biodiversity
- and recognizing the facts of resource constraints, and costly protection
programmes, evaluation of efforts at biodiversity protection activities is
essential. This paper reviews the methodologies available to judge the success
and merit of biodiversity protection actions, briefly reviews the empirical work
completed to date, and provides recommendations on directions for further
development.