
Publication


Featured researches published by Debmalya Biswas.


database and expert systems applications | 2009

Performance Comparison of Secure Comparison Protocols

Florian Kerschbaum; Debmalya Biswas; Sebastiaan de Hoogh

Secure Multiparty Computation (SMC) has gained tremendous importance with the growth of the Internet and E-commerce, where mutually untrusted parties need to jointly compute a function of their private inputs. However, SMC protocols usually have very high computational complexities, rendering them practically unusable. In this paper, we tackle the problem of comparing two input values in a secure distributed fashion. We propose efficient secure comparison protocols for both the homomorphic encryption and secret sharing schemes. We also give experimental results to show their practical relevance.


pervasive computing and communications | 2012

Privacy policies change management for smartphones

Debmalya Biswas

The ever increasing popularity of apps stems from their ability to provide highly customized services for the user. The flip side is that to provide such customized services, apps need access to very sensitive personal user information. This has led to a lot of rogue apps that e.g. pass personal information to 3rd party Ad servers in the background. Studies have shown that current app vetting processes which are mainly restricted to install time verification mechanisms are incapable of detecting and preventing such attacks. We argue that the missing fundamental aspect here is the inability to capture and control runtime characteristics of apps, e.g. we need to know not only the list of sensors that need to be accessed by an app but also their frequency of access. This leads to the need for an expressive policy language that in addition to the list of sensors, also allows specifying when, where and how frequently they can be accessed. An expressive policy language has the disadvantage of making the task of an average user more difficult in setting and analyzing the consequences of his privacy settings. Further, privacy policies evolve over time. Over time, users are likely to change their privacy settings, as a response to a recently discovered vulnerability, or to be able to install that “much desired” app, etc. Such a policy change affects both already installed (may no longer be compliant) and previously rejected apps (may be compliant now). In this paper, we propose an integrated privacy add-on that (i) compares the apps' profiles vs. users' privacy settings, outlining the points of conflict as well as the different ways in which they can be resolved, and (ii) provides efficient change management with respect to any changes in user privacy settings.


Procedia Computer Science | 2012

Privacy Preserving Profiling for Mobile Services

Debmalya Biswas; Krishnamurthy Vidyasankar

The many sensors embedded in phones nowadays provide advanced sensing capabilities that make it possible to capture real-time information about the user and his surroundings. There are already examples of apps that use this information to provide highly useful and contextual services to the users. However, users are still reluctant to share their personal data with service providers due to their privacy implications (if misused). In this work, we provide protocols that allow users to store their sensor data on third party (untrusted) cloud servers. The data is stored in encrypted form (so protected from the cloud providers) with access only to service providers explicitly pre-approved by the users. The protocols simultaneously also ensure that the data accessed by service providers is in fact ‘current’ and consistent. This is achieved by integrating transactional and cryptographic primitives, such as atomic uploads, optimistic concurrency control, proxy re-encryption and homomorphic encryption, among others. Finally, experimental results are given to illustrate the practical feasibility and scalability of the proposed protocols.


high-assurance systems engineering | 2008

Small Logs for Transactional Services: Distinction is Much More Accurate than (Positive) Discrimination

Debmalya Biswas; Thomas Gazagnaire; Blaise Genest

For complex services, logging is an integral part of many middleware aspects, especially, transactions and monitoring. In the event of a failure, the log allows us to deduce the cause of failure (diagnosis), recover by compensating the logged actions (atomicity), etc. However, for heterogeneous services, logging all the actions is often impracticable due to privacy/security constraints. Also, logging is expensive in terms of both time and space. Thus, we are interested in determining a small number of actions that needs to be logged, to know with certainty the actual sequence of executed actions from any given partial log. We propose two heuristics to determine such a small set of transitions, with services modeled as finite state machines. The first one is based on (Positive) discrimination of transitions, using every observation to know (discriminate) that a maximal number of transitions occurred. We characterize it algebraically, giving a very fast algorithm. The second algorithm, the distinguishing algorithm, uses every observation to maximize the number of transitions which are ensured not to have occurred. We show experimentally that the second algorithm gives much more accurate results than the first one, although it is also slower (but still fast enough).


high assurance systems engineering | 2011

Transforming Privacy Policies to Auditing Specifications

Debmalya Biswas; Valtteri Niemi

With more and more personal data being collected and stored by service providers, there is an increasing need to ensure that their usage is compliant with privacy regulations. We consider the specific scenario where policies are defined in metric temporal logic and audited against the database usage logs. Previous works have shown that this can indeed be achieved in an efficient manner for a very expressive set of policies. One of the main ingredients of such an auditing process is the availability of sufficient database logs. Currently, it is a manual process to first determine the logs needed, and then come up with the necessary auditing specifications to generate them. This is not only a time consuming process but can be erroneous as well, leading to either insufficient or redundant logging. Logging in general is costly as it is an overhead on the real-time database performance, and hence redundant logging is not an alternative either. Our contribution in this work is to streamline the log generation process by deriving the auditing specifications directly from the policies to be audited. We also show how the required logging can be minimized based on the temporal constraints specified in the policies. Given privacy policies as input, the output of the proposed tool is the corresponding auditing specifications that can be installed directly in the databases, to produce logs that are both minimal and sufficient to audit the given policies. The tool has been implemented and tested in a real-life scenario.


International Journal of Information Systems in The Service Sector | 2011

Optimal Compensation for Hierarchical Web Services Compositions Under Restricted Visibility

Debmalya Biswas; Krishnamurthy Vidyasankar

Over the years, the notion of transactions has become synonymous with providing fault-tolerance, reliability and robustness to database systems. The idea then is to extend the same transactional guarantees to new and evolving paradigms, such as Web services. To achieve this, we first need to adapt the transactional mechanisms to the distinguishing characteristics of Web services, mainly composability, long-running nature, and privacy and security concerns. Composability refers to the ability to form new composite services by combining the functionalities of existing services. The existing services may themselves be composite, and this leads to a hierarchical composition. Due to their long-running nature, compensation based mechanisms are usually preferred to provide transactional guarantees for Web services. Compensation consists of semantically undoing the execution effects until failure, and as such requires access (visibility) over the execution details of the services in the composition. However, such visibility may not always be feasible in a compositional context where component services are provided by different providers across organizational boundaries, with very strong privacy and security constraints. Another aspect missing from current Web services composition models is the fact that, in a hierarchical composition, multiple compensation options may be possible at different levels at different costs. Thus, for a hierarchical composition, we show how to find an optimal compensation option under restricted visibility in this paper.


congress on evolutionary computation | 2010

Privacy-Preserving Outsourced Profiling

Debmalya Biswas; Stephan Haller; Florian Kerschbaum

Personalized services attract high-value customers. Knowing the preferences and habits of an individual customer, it is possible to offer to that customer well customized and adapted services, matching his needs and desires. This is advantageous for the entity offering the service (e.g., a retailer) as well, as it helps in creating additional sales or improving customer retention. The main unsolved problem today is that the profile of each individual customer would be necessary in order to create such services, posing severe risks regarding privacy and data protection. This paper proposes efficient encryption schemes that allow profiling to be outsourced while preserving privacy. The schemes ensure that the customer is always in control of his profile data, at the same time making shopping data across multiple retailers available to third party service providers to be able to provide targeted services.


high assurance systems engineering | 2011

Conflict Detection and Lifecycle Management for Access Control in Publish/Subscribe Systems

Patrick Hein; Debmalya Biswas; Leonardo A. Martucci; Max Mühlhäuser

In today's collaborative business environment there is a need to share information across organizational boundaries. Publish/Subscribe systems are ideal for such scenarios as they allow real-time information to be shared in an asynchronous fashion. In this work, we focus on the access control aspect. While access control in general for publish/subscribe systems has been studied before, their usage in a multi-organizational scenario leads to some novel challenges. Here a publisher might wish to enforce restrictions w.r.t. not only subscribers, but also other publishers publishing certain event types due to competitive or regulatory reasons. With different publishers and subscribers having their own preferences and restrictions, conflicts are evident w.r.t. both publishing and subscribing to specific event types. Given this, the first contribution of this work is to provide efficient conflict detection and resolution algorithms. The other important (and often ignored) aspect of large scale and evolving systems is that of efficiently handling modifications to existing policies, e.g. a rule may become invalid after a certain period of time. Our approach in handling such modifications is two-fold: (i) to maintain consistency and (ii) to automatically detect and enforce rules which could not have been enforced earlier due to conflicts. The second contribution of our work is thus to provide lifecycle management for access control rules, which is tightly coupled with the conflict detection and resolution algorithms.


data and knowledge engineering | 2009

Formalizing visibility characteristics in hierarchical systems

Debmalya Biswas; Krishnamurthy Vidyasankar

We consider hierarchical systems where nodes represent entities and edges represent binary relationships among them. An example is a hierarchical composition of Web services where the nodes denote services and the edges represent the parent-child relationship of a service invoking another service. A fundamental issue to address in such systems is, for two nodes X and Y in the hierarchy, whether X can see Y, that is, whether X has visibility over Y. The visibility could be with respect to certain attributes like operational details, execution logs and security related issues. In a general setting, X seeing Y may depend on (i) X wishing to see Y, (ii) Y wishing to be seen by X, and (iii) other nodes not objecting to X seeing Y. In this paper, we develop a generic conceptual model to express visibility. We study two complementary notions: sphere of visibility of a node X that includes all the nodes in the hierarchy that X can see; and sphere of noticeability of X that includes all the nodes that can see X. We also identify dual properties, coherence and correlation, that relate the spheres of different nodes in special ways and also relate the visibility and noticeability notions. We study some variants of coherence and correlation also. These properties give rise to interesting and useful visibility and noticeability assignments, and their representations.


Computing | 2014

Privacy preserving and transactional advertising for mobile services

Debmalya Biswas; Krishnamurthy Vidyasankar

The many sensors embedded in phones nowadays provide advanced sensing capabilities that make it possible to capture real-time information about the user and his surroundings. There are already examples of apps/services that use this information to provide highly useful and contextual advertisements to the users. However, users are still reluctant to share their personal data with advertisers due to their privacy implications (if misused). In this work, we provide protocols that allow users to store their sensor data on third party (untrusted) cloud servers. The data is stored in encrypted form, hence protected from the cloud provider. The advertisements are also stored on the server. They are customized to potential users. The server selects the advertisements appropriate to the users, based on their sensor values, and forwards them to the users. We consider two cases: (i) appropriate advertisements are sent to individual users automatically; and (ii) advertisements are sent to groups of users after getting permission from the group members. In both cases, the concurrency control protocols performed by the cloud provider ensure that the data and advertisements are ‘fresh and consistent’. This is to avoid situations where served advertisements are not in sync with the user’s current context or the advertisements have already expired. The above is achieved by integrating transactional and cryptographic primitives, such as atomic uploads, optimistic concurrency control, searchable encryption and homomorphic encryption. Finally, experimental results are given to illustrate the practical feasibility and scalability of the proposed protocols.

Collaboration


Top Co-Authors

Krishnamurthy Vidyasankar

Memorial University of Newfoundland

Blaise Genest

Centre national de la recherche scientifique
