22 research outputs found

    Verifying and Synthesizing Constant-Resource Implementations with Types

    We propose a novel type system for verifying that programs correctly implement constant-resource behavior. Our type system extends recent work on automatic amortized resource analysis (AARA), a set of techniques that automatically derive provable upper bounds on the resource consumption of programs. We devise new techniques that build on the potential method to achieve compositionality, precision, and automation. A strict global requirement that a program always maintains constant resource usage is too restrictive for most practical applications. It is sufficient to require that the program's resource behavior remain constant with respect to an attacker who is only allowed to observe part of the program's state and behavior. To account for this, our type system incorporates information flow tracking into its resource analysis. This allows our system to certify programs that need to violate the constant-time requirement in certain cases, as long as doing so does not leak confidential information to attackers. We formalize this guarantee by defining a new notion of resource-aware noninterference, and prove that our system enforces it. Finally, we show how our type inference algorithm can be used to synthesize a constant-time implementation from one that cannot be verified as secure, effectively repairing insecure programs automatically. We also show how a second novel AARA system that computes lower bounds on resource usage can be used to derive quantitative bounds on the amount of information that a program leaks through its resource use. We implemented each of these systems in Resource Aware ML, and show that it can be applied to verify constant-time behavior in a number of applications including encryption and decryption routines, database queries, and other resource-aware functionality.
    Comment: 30, IEEE S&P 201
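    The following is an added illustration of what resource-aware noninterference asks for; it is not code from the paper or from Resource Aware ML. A hypothetical `Meter` counts an abstract resource (byte comparisons, standing in for time), two comparison routines are run across every secret for a fixed public input, and the number of distinct costs the attacker can observe bounds the leak in bits. The names `Meter`, `leaky_equal`, `constant_equal`, `check`, `leakage_bits` and the constructed secret space `SECRETS` are assumptions made for the example.

```python
import math
from itertools import product


class Meter:
    """Abstract resource counter: one tick per byte comparison.

    A cost model like this (not wall-clock time, which CPython gives no
    control over) is the kind of quantity a resource analysis reasons about.
    Hypothetical helper for this example.
    """

    def __init__(self):
        self.ticks = 0

    def tick(self, n=1):
        self.ticks += n


def leaky_equal(meter, public, secret):
    """Early-exit comparison. Iteration stops at the first mismatch, so the
    tick count depends on how much of the secret matches the public input."""
    if len(public) != len(secret):
        return False
    for a, b in zip(public, secret):
        meter.tick()
        if a != b:
            return False
    return True


def constant_equal(meter, public, secret):
    """Comparison whose cost is a function of len(public) only. Every public
    byte is visited regardless of the secret; mismatches accumulate in diff."""
    diff = len(public) ^ len(secret)
    for i, a in enumerate(public):
        meter.tick()
        b = secret[i] if i < len(secret) else 0
        diff |= a ^ b
    return diff == 0


def cost(fn, public, secret):
    """Run fn once and return the resource it consumed."""
    meter = Meter()
    fn(meter, public, secret)
    return meter.ticks


def is_resource_noninterfering(fn, public, secrets):
    """Resource-aware noninterference at one public input: an attacker who
    sees `public` and the cost must see the same cost for every secret."""
    return len({cost(fn, public, s) for s in secrets}) == 1


def check(fn, publics, secrets):
    """Cost may differ between public inputs (the attacker already knows
    those); it must not differ between secrets for any single public input."""
    return all(is_resource_noninterfering(fn, p, secrets) for p in publics)


def leakage_bits(fn, public, secrets):
    """Upper bound on what the cost alone reveals about the secret: a
    deterministic observation with k distinct values carries at most
    log2(k) bits, so counting distinct costs bounds the leak."""
    return math.log2(len({cost(fn, public, s) for s in secrets}))


# Constructed sample space: every 2-byte secret over the alphabet {a, b, c}.
SECRETS = [bytes(t) for t in product(b"abc", repeat=2)]

if __name__ == "__main__":
    for fn in (leaky_equal, constant_equal):
        print(fn.__name__,
              "noninterfering:", check(fn, [b"ab", b"abc"], SECRETS),
              "leak bound (bits):", leakage_bits(fn, b"ab", SECRETS))
```

    The early-exit routine shows two distinct costs for the public input `b"ab"` (one tick when the first byte mismatches, two otherwise), so the bound is one bit; the constant-cost routine shows a single cost per public input and a zero-bit bound, even though its cost still varies with the length of the public input, which is the kind of permitted variation the abstract describes. The difference from the paper's approach is that this example checks the property dynamically over an enumerated secret space, whereas a type-level guarantee covers all inputs at once.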

    Privacy-Aware Eye Tracking Using Differential Privacy

    With eye tracking being increasingly integrated into virtual and augmented reality (VR/AR) head-mounted displays, preserving users' privacy is an ever more important, yet under-explored, topic in the eye tracking community. We report a large-scale online survey (N=124) on privacy aspects of eye tracking that provides the first comprehensive account of with whom, for which services, and to what extent users are willing to share their gaze data. Using these insights, we design a privacy-aware VR interface that uses differential privacy, which we evaluate on a new 20-participant dataset for two privacy-sensitive tasks: We show that our method can prevent user re-identification and protect gender information while maintaining high performance for gaze-based document type classification. Our results highlight the privacy challenges particular to gaze data and demonstrate that differential privacy is a potential means to address them. Thus, this paper lays important foundations for future research on privacy-aware gaze interfaces.
    Comment: 9 pages, 8 figures, supplementary materia

    A type III complement factor D deficiency: Structural insights for inhibition of the alternative pathway.

    Background: Complement factor D (FD) is the rate-limiting enzyme of the alternative complement pathway. Previous reports of FD deficiency featured absent plasma FD (type I deficiency) and susceptibility to meningococcal infection. A new FD mutant, which is non-functional but fully expressed, was identified in a patient with invasive meningococcal disease.
    Objectives: We sought to investigate the molecular features of this novel FD mutant.
    Methods: We performed complement haemolytic assays, western blot analysis of serum FD and Sanger sequencing of the CFD gene. Recombinant mutant FD was assessed by in vitro catalytic assays, circular dichroism, thermal shift assays, esterolytic assays and surface plasmon resonance. Molecular dynamics simulation was used to visualise the structural changes in mutant FD.
    Results: A homozygous single-nucleotide variation of the CFD gene in the patient and their sibling resulted in an arginine to proline (R176P) substitution in FD. While R176P FD was stable and fully expressed in blood, it had minimal catalytic activity. Mutation R176P caused the key FD-C3bB binding exosite loop 156-162 to lose its binding-competent conformation and stabilised the inactive conformation of FD. Consequently, R176P FD was unable to bind its natural substrate, C3bB. Neither patient nor sibling demonstrated the glucose homeostasis impairment that occurs in FD-null mice.
    Conclusions: Here, we report the first genetically confirmed functional, or type III, deficiency of an activating complement serine protease. This novel mechanism of FD inhibition can inform further development of alternative pathway inhibitors to treat common inflammatory diseases such as age-related macular degeneration.

    Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions

    Limited data access is a longstanding barrier to data-driven research and development in the networked systems community. In this work, we explore if and how generative adversarial networks (GANs) can be used to incentivize data sharing by enabling a generic framework for sharing synthetic datasets with minimal expert knowledge. As a specific target, our focus in this paper is on time series datasets with metadata (e.g., packet loss rate measurements with corresponding ISPs). We identify key challenges of existing GAN approaches for such workloads with respect to fidelity (e.g., long-term dependencies, complex multidimensional relationships, mode collapse) and privacy (i.e., existing guarantees are poorly understood and can sacrifice fidelity). To improve fidelity, we design a custom workflow called DoppelGANger (DG) and demonstrate that across diverse real-world datasets (e.g., bandwidth measurements, cluster requests, web sessions) and use cases (e.g., structural characterization, predictive modeling, algorithm comparison), DG achieves up to 43% better fidelity than baseline models. Although we do not resolve the privacy problem in this work, we identify fundamental challenges with both classical notions of privacy and recent advances to improve the privacy properties of GANs, and suggest a potential roadmap for addressing these challenges. By shedding light on the promise and challenges, we hope our work can rekindle the conversation on workflows for data sharing.
    Comment: Published in IMC 2020. 20 pages, 26 figure

    ZØ: An Optimizing Distributing Zero-Knowledge Compiler

    Applications increasingly rely on privacy-sensitive user data, but storing users' data in the cloud creates challenges for the application provider, as concerns arise relating to the possibility of data leaks, responding to regulatory pressure, and initiatives such as DoNotTrack. However, storing data in the cloud is not the only option: a trend explored in several recent research projects has been to move functionality to the client. Because execution happens on the client, such as a mobile device or even in the browser, this alone provides a degree of privacy in the computation, with only relevant data disclosed to the server. However, in many cases moving functionality to the client conflicts with a need for computationa