Shai: Enforcing Data-Specific Policies with Near-Zero Runtime Overhead

Data retrieval systems such as online search engines and online social networks must comply with the privacy policies of personal and selectively shared data items, regulatory policies regarding data retention and censorship, and the provider's own policies regarding data use. Enforcing these policies is difficult and error-prone. Systematic techniques to enforce policies are either limited to type-based policies that apply uniformly to all data of the same type, or incur significant runtime overhead. This paper presents Shai, the first system that systematically enforces data-specific policies with near-zero overhead in the common case. Shai's key idea is to push as many policy checks as possible to an offline, ahead-of-time analysis phase, often relying on predicted values of runtime parameters such as the state of access control lists or connected users' attributes. Runtime interception is used sparingly, only to verify these predictions and to make any remaining policy checks. Our prototype implementation relies on efficient, modern OS primitives for sandboxing and isolation. We present the design of Shai and quantify its overheads on an experimental data indexing and search pipeline based on the popular search engine Apache Lucene

Introducing Accountability to Anonymity Networks

Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides practical repudiation for the proxy nodes by tracing back the selected outbound traffic to the predecessor node (but not in the forward direction) through a cryptographically verifiable chain. It also provides an option for full (or partial) traceability back to the entry node or even to the corresponding user when all intermediate nodes are cooperating. Moreover, to maintain a good balance between anonymity and accountability, the protocol incorporates whitelist directories at exit proxy nodes. BackRef offers improved deployability over the related work, and introduces a novel concept of pseudonymous signatures that may be of independent interest. We exemplify the utility of BackRef by integrating it into the onion routing (OR) protocol, and examine its deployability by considering several system-level aspects. We also present the security definitions for the BackRef system (namely, anonymity, backward traceability, no forward traceability, and no false accusation) and conduct a formal security analysis of the OR protocol with BackRef using ProVerif, an automated cryptographic protocol verifier, establishing the aforementioned security properties against a strong adversarial model

Finding Safety in Numbers with Secure Allegation Escrows

For fear of retribution, the victim of a crime may be willing to report it only if other victims of the same perpetrator also step forward. Common examples include 1) identifying oneself as the victim of sexual harassment, especially by a person in a position of authority or 2) accusing an influential politician, an authoritarian government, or ones own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow: a neutral third-party that collects allegations anonymously, matches them against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of co-allegers), pre-specified by the allegers, are reached. An allegation escrow can be realized as a single trusted third party; however, this party must be trusted to keep the identity of the alleger and content of the allegation private. To address this problem, this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and de-anonymizing the allegations when designated thresholds are reached. By design, SAEs provide a very strong property: No less than a majority of parties constituting a SAE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, the join escrow discloses the allegation with the allegers' identities. We describe how SAEs can be constructed using a novel authentication protocol and a novel allegation matching and bucketing algorithm, provide formal proofs of the security of our constructions, and evaluate a prototype implementation, demonstrating feasibility in practice.Comment: To appear in NDSS 2020. New version includes improvements to writing and proof. The protocol is unchange

A statistical approach to understanding microcosm methods for microbially mediated dechlorination of trichloroethene in bedrock aquifers

Microcosms were evaluated using statistical methods to advance the measurement and characterization abilities for in situ reductive dechlorination of trichloroethene (TCE) in fractured rock aquifers. Microcosms constructed with unincubated crushed rock in groundwater provided the best microcosm model of in situ TCE degradation, when prepared and incubated to simulate the in situ environment. Microcosms constructed with only groundwater were effective at modeling the TCE degradation only when the microcosms were amended with (total) organic carbon (TOC). Incubation of crushed rock core within the residual TCE plume caused a substantial decline in TCE degradation for biotic intrinsic microcosms, suggesting an effect that is inhibitory to TCE degrading microbes. Glass beads were found to be an inadequate substitute for rock media because their corrosion (i.e., hydrolysis and ion exchange) increased pH and dissolved oxygen beyond in situ ranges. Addition of incubated granular material to sterilized groundwater provided insufficient microbial population or metabolic activity in the microcosms to achieve TCE degradation. The ability of microcosms to discern slow rates of TCE degradation was evaluated, with specific application to bedrock aquifers. A method was developed to determine whether TCE biodegradation is occurring, assuming first order kinetics, and to estimate what is the longest half-life (i.e., the smallest biodegradation rate) that can be predicted by microcosm experiments for a reasonable incubation period, an acceptable statistical confidence and the fewest replicates when evaluating natural attenuation of TCE in fractured bedrock aquifers. A factorial experiment of biostimulated anaerobic TCE dechlorination in fractured bedrock aquifers using microcosms evaluated several potential biostimulants (i.e., nutrients, vitamins, sterile groundwater). Optimum TCE degradation occurred with biotic crushed rock microcosms with sterile groundwater that resupplied in situ nutrients to the microcosm. The procedures and methods developed in this study substantially enhance the ability to evaluate biotic fate of TCE in fractured rock aquifers, providing an effective approach for remedial design at low to moderate cost

Geomicrobiology and Microbial Geochemistry

Geomicrobiology and microbial geochemistry (GMG) investigates the interaction between Earth, environmental systems, and microbial life. Microbes shape their geochemical surroundings through their metabolic and growth needs and thereby exert significant geochemical and mineralogical control on their local environments. In turn, local geochemical conditions dictate what metabolic processes are possible. These mutual influences mean that microbial evolution has occurred in concert with changing geosphere conditions and that microbes have driven major shifts in ocean, continent and atmospheric chemistry. If one wishes to understand element cycling in any system containing water, one must realize that microbes are critical to the story

Elemental sulfur coarsening kinetics

BACKGROUND: Elemental sulfur exists is a variety of forms in natural systems, from dissolved forms (noted as S8(diss) or in water as S8(aq)) to bulk elemental sulfur (most stable as α-S8). Elemental sulfur can form via several biotic and abiotic processes, many beginning with small sulfur oxide or polysulfidic sulfur molecules that coarsen into S8 rings that then coalesce into larger forms: [Formula: see text] Formation of elemental sulfur can be possible via two primary techniques to create an emulsion of liquid sulfur in water called sulfur sols that approximate some mechanisms of possible elemental sulfur formation in natural systems. These techniques produce hydrophobic (S8(Weimarn)) and hydrophilic (S8(polysulfide)) sols that exist as nanoparticle and colloidal suspensions. These sols begin as small sulfur oxide or polysulfidic sulfur molecules, or dissolved S8(aq) forms, but quickly become nanoparticulate and coarsen into micron sized particles via a combination of classical nucleation, aggregation processes, and/or Ostwald ripening. RESULTS: We conducted a series of experiments to study the rate of elemental sulfur particle coarsening using dynamic light scattering (DLS) analysis under different physical and chemical conditions. Rates of nucleation and initial coarsening occur over seconds to minutes at rates too fast to measure by DLS, with subsequent coarsening of S8(nano) and S8(sol) being strongly temperature dependent, with rates up to 20 times faster at 75°C compared to 20°C. The addition of surfactants (utilizing ionic and nonionic surfactants as model compounds) results in a significant reduction of coarsening rates, in addition to known effects of these molecules on elemental sulfur solubility. DLS and cryo-SEM results suggest coarsening is largely a product of ripening processes rather than particle aggregation, especially at higher temperatures. Fitting of the coarsening rate data to established models for Ostwald ripening additionally support this as a primary mechanism of coarsening. CONCLUSIONS: Elemental sulfur sols coarsen rapidly at elevated temperatures and experience significant effects on both solubility and particle coarsening kinetics due to interaction with surfactants. Growth of elemental sulfur nanoparticles and sols is largely governed by Ostwald ripening processes

Advancing Geomicrobiology and Microbial Geochemistry

Peer Reviewedhttp://deepblue.lib.umich.edu/bitstream/2027.42/106754/1/eost2014EO100008.pd

Influence of Environmental Factors on the Production of MIB and Geosmin Metabolites by Bacteria in a Eutrophic Reservoir

Occurrences of odorous bacterial metabolites, 2‐methylisoborneol (MIB) and geosmin (GSM), in drinking water supply reservoirs are considered as a nuisance by the water industry and a source of complaints from customers. In Eagle Creek Reservoir, routine monitoring programs of MIB and GSM highlight intense odorous outbreaks during the spring season when high inflow discharges occur. Cyanobacteria have always been assumed to be source of these metabolites even if no known producers are present in raw water. A copper‐based algaecide is often used to terminate the metabolite production and the algal growth in the reservoir. The current study was designed to investigate and identify other biological sources involved in the biosynthesis of MIB and GSM metabolites as well as environmental factors that could be important triggers for the growth of bacterial producers. The community structure of the bacterioplankton was determined using a 16S rRNA gene sequencing technique, which showed that not only Cyanobacteria but Actinobacteria also were involved in the reservoir internal production. Planktothrix species was identified as the main source of GSM (p < 0.001) while Streptomyces (Actinobacteria) was very likely responsible of MIB (p < 0.01). Application of an algaecide disrupted GSM and the growth of Planktothrix but was less effective against MIB and Streptomyces . Statistical analyses revealed that MIB‐ and GSM‐causing bacteria were found abundant when the water was enriched with nitrogen, temperature cooler, and the water column mixed

Geochemistry and speciation of Fe(II) and Fe(III) in natural geothermal water, Iceland

The geochemistry of Fe(II) and Fe(III) was studied in natural geothermal waters in Iceland. Samples of surface and spring water and sub-boiling geothermal well water were collected and analyzed for Fe(II), Fe(III) and Fetotal concentrations. The samples had discharge temperatures in the range 27–99 °C, pH between 2.46 and 9.77 and total dissolved solids 155–1090 mg/L. The concentrations of Fe(II) and Fe(III) were determined in the <0.2 μm filtered and acidified fraction using a field-deployed ion chromatography spectrophotometry (IC-Vis) method within minutes to a few hours of sampling in order to prevent post-sampling changes. The concentrations of Fe(II) and Fe(III) were <0.1–130 μmoL/L and <0.2–42 μmoL/L, respectively. In-situ dialysis coupled with Fe(II) and Fe(III) determinations suggest that in some cases a significant fraction of Fe passing the standard <0.2 μm filtration method may be present in colloidal/particulate form. Therefore, such filter size may not truly represent the dissolved fraction of Fe but also nano-sized particles. The Fe(II) and Fe(III) speciation and Fetotal concentrations are largely influenced by the water pH, which in turn reflects the water type formed through various processes. In water having pH of ∼7–9, the total Fe concentrations were <2 μmoL/L with Fe(III) predominating. With decreasing pH, the total Fe concentrations increased with Fe(II) becoming increasingly important and predominating at pH < 3. In particular in waters having pH ∼6 and above, iron redox equilibrium may be approached with Fe(II) and Fe(III) possibly being controlled by equilibrium with respect to Fe minerals. In many acid waters, the Fe(II) and Fe(III) distribution may not have reached equilibrium and be controlled by the source(s), reaction kinetics or microbial reactions