25 research outputs found

    Understanding and Enforcing Opacity

    This paper puts a spotlight on the specification and enforcement of opacity, a security policy for protecting sensitive properties of system behavior. We illustrate the fine granularity of the opacity policy by location privacy and privacy-preserving aggregation scenarios. We present a framework for opacity and explore its key differences and formal connections with such well-known information-flow models as noninterference, knowledge-based security, and declassification. Our results are machine-checked and parameterized in the observational power of the attacker, including progress-insensitive, progress-sensitive, and timing-sensitive attackers. We present two approaches to enforcing opacity: a whitebox monitor and a blackbox sampling-based enforcement. We report on experiments with prototypes that utilize state-of-the-art Satisfiability Modulo Theories (SMT) solvers and the random testing tool QuickCheck to establish opacity for the location and aggregation-based scenarios.

    Flexible Information-Flow Control

    As more and more sensitive data is handled by software, its trustworthiness becomes an increasingly important concern. This thesis presents work on ensuring that information processed by computing systems is not disclosed to third parties without the user's permission; i.e. to prevent unwanted flows of information. While this problem is widely studied, proposed rigorous information-flow control approaches that enforce strong security properties like noninterference have yet to see widespread practical use. Conversely, lightweight techniques such as taint tracking are more prevalent in practice, but lack formal underpinnings, making it unclear what guarantees they provide. This thesis aims to shrink the gap between heavyweight information-flow control approaches that have been proven sound and lightweight practical techniques without formal guarantees such as taint tracking. This thesis attempts to reconcile these areas by (a) providing formal foundations to taint tracking approaches, (b) extending information-flow control techniques to more realistic languages and settings, and (c) exploring security policies and mechanisms that fall in between information-flow control and taint tracking and investigating what trade-offs they incur.

    An Event-Based Digital Time Difference Encoder Model Implementation for Neuromorphic Systems

    Neuromorphic systems are a viable alternative to conventional systems for real-time tasks with constrained resources. Their low power consumption, compact hardware realization, and low-latency response characteristics are the key ingredients of such systems. Furthermore, the event-based signal processing approach can be exploited for reducing the computational load and avoiding data loss due to its inherently sparse representation of sensed data and adaptive sampling time. In event-based systems, the information is commonly coded by the number of spikes within a specific temporal window. However, the temporal information of event-based signals can be difficult to extract when using rate coding. In this work, we present a novel digital implementation of the model, called time difference encoder (TDE), for temporal encoding on event-based signals, which translates the time difference between two consecutive input events into a burst of output events. The number of output events along with the time between them encodes the temporal information. The proposed model has been implemented as a digital circuit with a configurable time constant, allowing it to be used in a wide range of sensing tasks that require the encoding of the time difference between events, such as optical flow-based obstacle avoidance, sound source localization, and gas source localization. This proposed bioinspired model offers an alternative to the Jeffress model for the interaural time difference estimation, which is validated in this work with a sound source lateralization proof-of-concept system. The model was simulated and implemented on a field-programmable gate array (FPGA), requiring 122 slice registers of hardware resources and less than 1 mW of power consumption.

    Funding: Ministerio de Economía y Competitividad TEC2016-77785-P (COFNET); Agencia Estatal de Investigación PID2019-105556GB-C33/AEI/10.13039/501100011033 (MINDROB

    Closed-loop sound source localization in neuromorphic systems

    Sound source localization (SSL) is used in various applications such as industrial noise-control, speech detection in mobile phones, speech enhancement in hearing aids and many more. Newest video conferencing setups use SSL. The position of a speaker is detected from the difference in the audio waves received by a microphone array. After detection the camera focuses onto the location of the speaker. The human brain is also able to detect the location of a speaker from auditory signals. It uses, among other cues, the difference in amplitude and arrival time of the sound wave at the two ears, called interaural level and time difference. However, the substrate and computational primitives of our brain are different from classical digital computing. Due to its low power consumption of around 20 W and its performance in real time the human brain has become a great source of inspiration for emerging technologies. One of these technologies is neuromorphic hardware which implements the fundamental principles of brain computing identified until today using complementary metal-oxide-semiconductor technologies and new devices. In this work we propose the first neuromorphic closed-loop robotic system that uses the interaural time difference for SSL in real time. Our system can successfully locate sound sources such as human speech. In a closed-loop experiment, the robotic platform turned immediately into the direction of the sound source with a turning velocity linearly proportional to the angle difference between sound source and binaural microphones. After this initial turn, the robotic platform remains at the direction of the sound source. Even though the system only uses very few resources of the available hardware, consumes around 1 W, and was only tuned by hand, meaning it does not contain any learning at all, it already reaches performances comparable to other neuromorphic approaches. The SSL system presented in this article brings us one step closer towards neuromorphic event-based systems for robotics and embodied computing.

    Flexible and Practical Information-Flow Control

    As more and more sensitive data is handled by software, its trustworthiness becomes an increasingly important concern. This thesis presents work on ensuring that information that is processed by computing systems is not disclosed to third parties without the user's permission; i.e. to prevent unwanted flows of information. Since most approaches to information-flow control have not seen widespread use in practice, this work explores flexible policies and enforcement techniques to guarantee that information is not leaked by a program. The thesis consists of three parts:

    The first chapter explores opacity, a security policy for protecting sensitive system properties, motivated by location privacy and privacy-preserving aggregation scenarios. We present a general, parametric framework for opacity and relate it to noninterference. Moreover, we present two approaches to enforcement: a dynamic monitor making use of SMT solving, and a blackbox sampling-based approach based on the random testing tool QuickCheck.

    The second chapter discusses taint tracking, a popular security mechanism for tracking data-flow dependencies, which is widely used for both high-level languages and machine code. However, the question of what, exactly, tainting means - what security policy it embodies - remains largely unexplored. We propose explicit secrecy, a generic framework capturing the essence of explicit flows, i.e., the data flows tracked by tainting. We illustrate our approach by instantiating explicit secrecy to both a high-level imperative language and machine code. Additionally, we prove soundness with respect to explicit secrecy for the cores of dynamic and static taint trackers.

    Lastly, we present JSLINQ, a framework providing end-to-end information-flow control for multi-tiered web applications; i.e. web applications consisting of a database, server-side code, and client-side JavaScript code. To prevent information flows at component boundaries, we leverage homogeneous meta-programming features in F# to provide a unified language for programming all components. We present a security type system for a core of F# and prove that all well-typed programs are noninterfering. We evaluate our approach using various case studies indicating that JSLINQ is suitable for implementing practical web applications.


    SeLINQ: Tracking information across application-database boundaries

    The root cause for confidentiality and integrity attacks against computing systems is insecure information flow. The complexity of modern systems poses a major challenge to secure end-to-end information flow, ensuring that the insecurity of a single component does not render the entire system insecure. While information flow in a variety of languages and settings has been thoroughly studied in isolation, the problem of tracking information across component boundaries has been largely out of reach of the work so far. This is unsatisfactory because tracking information across component boundaries is necessary for end-to-end security. This paper proposes a framework for uniform tracking of information flow through both the application and the underlying database. The key enabler of the uniform treatment is recent work by Cheney et al., which studies database manipulation via an embedded language-integrated query language (with Microsoft's LINQ on the backend). Because both the host language and the embedded query languages are functional F#-like languages, we are able to leverage information-flow enforcement for functional languages to obtain information-flow control for databases "for free", synergize it with information-flow control for applications and thus guarantee security across application-database boundaries. We develop the formal results in the form of a security type system that includes a treatment of algebraic data types and pattern matching, and establish its soundness. On the practical side, we implement the framework and demonstrate its usefulness in a case study with a realistic movie rental database.
