65 research outputs found

    Quantifying Information Leakage in Finite Order Deterministic Programs

    Information flow analysis is a powerful technique for reasoning about the sensitive information exposed by a program during its execution. While past work has proposed information theoretic metrics (e.g., Shannon entropy, min-entropy, guessing entropy, etc.) to quantify such information leakage, we argue that some of these measures not only result in counter-intuitive measures of leakage, but also are inherently prone to conflicts when comparing two programs P1 and P2 -- say Shannon entropy predicts higher leakage for program P1, while guessing entropy predicts higher leakage for program P2. This paper presents the first attempt towards addressing such conflicts and derives solutions for conflict-free comparison of finite order deterministic programs. Comment: 14 pages, 1 figure. A shorter version of this paper is submitted to ICC 201

    Result Integrity Check for MapReduce Computation on Hybrid Clouds

    Abstract — Large scale adoption of MapReduce computations on public clouds is hindered by the lack of trust on the participating virtual machines, because misbehaving worker nodes can compromise the integrity of the computation result. In this paper, we propose a novel MapReduce framework, Cross Cloud MapReduce (CCMR), which overlays the MapReduce computation on top of a hybrid cloud: the master that is in control of the entire computation and guarantees result integrity runs on a private and trusted cloud, while normal workers run on a public cloud. In order to achieve high accuracy, CCMR proposes a result integrity check scheme on both the map phase and the reduce phase, which combines random task replication, random task verification, and credit accumulation; and CCMR strives to reduce the overhead by reducing cross-cloud communication. We implement our approach based on Apache Hadoop MapReduce and evaluate our implementation on Amazon EC2. Both theoretical and experimental analysis show that our approach can guarantee high result integrity in a normal cloud environment while incurring non-negligible performance overhead (e.g., when 16.7% workers are malicious, CCMR can guarantee at least 99.52% of accuracy with 33.6% of overhead when replication probability is 0.3 and the credit threshold is 50)

    Privacy enforcement through policy extension

    Successful coalition operations require contributions from the coalition partners which might have hidden goals and desiderata in addition to the shared coalition goals. Therefore, there is an inevitable risk-utility trade-off for information producers due to the need-to-know vs. need-to-hide tension, which must take into account the trustworthiness of the other coalition partners. A balance is often achieved by deliberate obfuscation of the shared information. In this paper, we show how to integrate obfuscation capabilities within the current OASIS standard for access control policies, namely XACML

    A metadata calculus for secure information sharing

    ABSTRACT In both commercial and defense sectors a compelling need is emerging for rapid, yet secure, dissemination of information to the concerned actors. Traditional approaches to information sharing that rely on security labels (e.g., Multi-Level Security (MLS)) suffer from at least two major drawbacks. First, static security labels do not account for tactical information whose value decays over time. Second, MLS-like approaches have often ignored information transform semantics when deducing security labels (e.g., output security label = max over all input security labels). While MLS-like label deduction appears to be conservative, we argue that this approach can result in both underestimation and overestimation of security labels. We contend that overestimation may adversely throttle information flows, while underestimation incites information misuse and leakage. In this paper we present a novel calculus approach to securely share tactical information. We model security metadata as a vector half-space (as against a lattice in a MLS-like approach) that supports three operators: Γ, + and ·. The value operator Γ maps a metadata vector into a time sensitive scalar value. The operators + and · support arithmetic on the metadata vector space that are homomorphic with the semantics of information transforms. We show that it is unfortunately impossible to achieve strong homomorphism without incurring exponential metadata expansion. We use B-splines (a class of compact parametric curves) to develop concrete realizations of our metadata calculus that satisfy weak homomorphism without suffering from metadata expansion and quantify the tightness of values estimates in the proposed approach