111 research outputs found
Secure and Distributed Assessment of Privacy-Preserving Releases of GWAS
Genome-wide association studies (GWAS) identify correlations between
genetic variants and an observable characteristic such as a disease. Previous
works presented privacy-preserving distributed algorithms for a federation of
genome data holders that spans multiple institutional and legislative domains
to securely compute GWAS results. However, these algorithms have limited
applicability, since they still require a centralized instance to decide
whether GWAS results can be safely disclosed, which violates privacy
regulations such as GDPR. In this work, we introduce GenDPR, a distributed
middleware that leverages Trusted Execution Environments (TEEs) to securely
determine a subset of the potential GWAS statistics that can be safely
released. GenDPR achieves the same accuracy as centralized solutions, but
requires transferring significantly less data because TEEs only exchange
intermediary results but no genomes. Additionally, GenDPR can be configured to
tolerate all-but-one honest-but-curious federation members colluding with the
aim of exposing the genomes of correct members.
Collusions and Privacy in Rational-Resilient Gossip
Gossip-based content dissemination protocols are a scalable and cheap alternative to
centralized content sharing systems. However, it is well known that these protocols
suffer from rational nodes, i.e., nodes that aim at downloading the content without
contributing their fair share to the system. While the problem of rational nodes that act
individually has been well addressed in the literature, colluding rational nodes is still
an open issue. In addition, previous rational-resilient gossip-based solutions require
nodes to log their interactions with others, and disclose the content of their logs, which
may disclose sensitive information. Nowadays, a consensus exists on the necessity
of reinforcing the control of users on their personal information. Nonetheless, to the
best of our knowledge no privacy-preserving rational-resilient gossip-based content
dissemination system exists.
The contributions of this thesis are twofold.
First, we present AcTinG, a protocol that prevents rational collusions in gossip-based
content dissemination protocols, while guaranteeing zero false positive accusations.
AcTinG makes nodes maintain secure logs and mutually check each other's correctness
thanks to verifiable but non-predictable audits. As a consequence of its design, it is
shown to be a Nash equilibrium. A performance evaluation shows that AcTinG is able
to deliver all messages despite the presence of colluders, and exhibits similar scalability
properties as standard gossip-based dissemination protocols.
Second, we describe PAG, the first accountable and privacy-preserving gossip protocol.
PAG builds on a monitoring infrastructure and homomorphic cryptographic
procedures to provide privacy to nodes while making sure that nodes forward the
content they receive. The theoretical evaluation of PAG shows that breaking the
privacy of interactions is difficult, even in presence of a global and active opponent.
We assess this protocol both in terms of privacy and performance using a deployment
performed on a cluster of machines, simulations involving up to a million nodes, and
theoretical proofs. The bandwidth overhead is much lower than that of existing anonymous
communication protocols, while still being practical in terms of CPU usage.
Liveness Checking of the HotStuff Protocol Family
Byzantine consensus protocols aim at maintaining safety guarantees under any
network synchrony model and at providing liveness in partially or fully
synchronous networks. However, several Byzantine consensus protocols have been
shown to violate liveness properties under certain scenarios. Existing testing
methods for checking the liveness of consensus protocols check for time-bounded
liveness violations, which generate a large number of false positives. In this
work, for the first time, we check the liveness of Byzantine consensus
protocols using the temperature and lasso detection methods, which require the
definition of ad-hoc system state abstractions. We focus on the HotStuff
protocol family that has been recently developed for blockchain consensus. In
this family, the HotStuff protocol is both safe and live under the partial
synchrony assumption, while the 2-Phase HotStuff and Sync HotStuff protocols
are known to violate liveness in subtle fault scenarios. We implemented our
liveness checking methods on top of the Twins automated unit test generator to
test the HotStuff protocol family. Our results indicate that our methods
successfully detect all known liveness violations and produce fewer false
positives than the traditional time-bounded liveness checks.
Comment: Preprint of a paper accepted at IEEE PRDC 202
I-GWAS: Privacy-Preserving Interdependent Genome-Wide Association Studies
Genome-wide Association Studies (GWASes) identify genomic variations that are
statistically associated with a trait, such as a disease, in a group of
individuals. Unfortunately, careless sharing of GWAS statistics might give rise
to privacy attacks. Several works attempted to reconcile secure processing with
privacy-preserving releases of GWASes. However, we highlight that these
approaches remain vulnerable if GWASes utilize overlapping sets of individuals
and genomic variations. In such conditions, we show that even when relying on
state-of-the-art techniques for protecting releases, an adversary could
reconstruct the genomic variations of up to 28.6% of participants, and that the
released statistics of up to 92.3% of the genomic variations would enable
membership inference attacks. We introduce I-GWAS, a novel framework that
securely computes and releases the results of multiple possibly interdependent
GWASes. I-GWAS continuously releases privacy-preserving and noise-free GWAS
results as new genomes become available.
Intrusion Resilience Systems for Modern Vehicles
Current vehicular Intrusion Detection and Prevention Systems either incur
high false-positive rates or do not capture zero-day vulnerabilities, leading
to safety-critical risks. In addition, prevention is limited to a few primitive
options like dropping network packets or extreme options, e.g., the ECU Bus-off
state. To fill this gap, we introduce the concept of vehicular Intrusion
Resilience Systems (IRS) that ensures the resilience of critical applications
despite assumed faults or zero-day attacks, as long as threat assumptions are
met. IRS enables running a vehicular application in a replicated way, i.e., as
a Replicated State Machine, over several ECUs, and then requiring the
replicated processes to reach a form of Byzantine agreement before changing
their local state. Our study rides the mutation of modern vehicular
environments, which are closing the gap between simple and resource-constrained
"real-time and embedded systems", and complex and powerful "information
technology" ones. It shows that current vehicle (e.g., Zonal) architectures and
networks are becoming plausible for such modular fault and intrusion tolerance
solutions, deemed too heavy in the past. Our evaluation on a simulated
Automotive Ethernet network running two state-of-the-art agreement protocols
(Damysus and HotStuff) shows that the achieved latency and throughput are
feasible for many automotive applications.
Practical Byzantine Reliable Broadcast on Partially Connected Networks
In this paper, we consider the Byzantine reliable broadcast problem on authenticated and partially connected networks. The state-of-the-art method to solve this problem consists in combining two algorithms from the literature. Handling asynchrony and faulty senders is typically done thanks to Gabriel Bracha's authenticated double-echo broadcast protocol, which assumes an asynchronous fully connected network. Danny Dolev's algorithm can then be used to provide reliable communications between processes in the global fault model, where up to f processes among N can be faulty in a communication network that is at least 2f+1-connected. Following recent works that showed how Dolev's protocol can be made more practical thanks to several optimizations, we show that the state-of-the-art methods to solve our problem can be optimized thanks to layer-specific and cross-layer optimizations. Our simulations with the OMNeT++ network simulator show that these optimizations can be efficiently combined to decrease the total amount of information transmitted or the protocol's latency (e.g., respectively, -25% and -50% with a 16B payload, N=31 and f=4) compared to the state-of-the-art combination of Bracha's and Dolev's protocols.
PriLok: Citizen-protecting distributed epidemic tracing
Contact tracing is an important instrument for national health services to fight epidemics. As part of the COVID-19 situation, many proposals have been made for scaling up contact tracing capacities with the help of smartphone applications, an important but highly critical endeavor due to the privacy risks involved in such solutions. Extending our previously expressed concern, we clearly articulate in this article the functional and non-functional requirements that any solution has to meet when striving to serve not mere collections of individuals but the whole of a nation, as required in the face of such potentially dangerous epidemics. We present a critical information infrastructure, PriLok, a fully open preliminary architecture proposal and design draft for privacy-preserving contact tracing, which we believe can be constructed in a way that fulfills the former requirements. Our architecture leverages the existing regulated mobile communication infrastructure and builds upon the concept of "checks and balances", requiring a majority of independent players to agree to effect any operation on it, thus preventing abuse of the highly sensitive information that must be collected and processed for efficient contact tracing. This is enforced with a largely decentralised layout and highly resilient state-of-the-art technology, which we explain in the paper, finishing by giving a security, dependability and resilience analysis showing how it meets the defined requirements, even while the infrastructure is under attack.