Parv Venkitasubramaniam
Lehigh University
Publication
Featured research published by Parv Venkitasubramaniam.
International Conference on Computer Communications | 2012
Sachin Kadloor; Negar Kiyavash; Parv Venkitasubramaniam
In this work, we study information leakage in timing side channels that arise in the context of shared event schedulers. Consider two processes, one of them an innocuous process (referred to as Alice) and the other a malicious one (referred to as Bob), using a common scheduler to process their jobs. Based on when his jobs get processed, Bob wishes to learn about the pattern (size and timing) of jobs of Alice. Depending on the context, knowledge of this pattern could have serious implications on Alice's privacy and security. For instance, shared routers can reveal traffic patterns, shared memory access can reveal cloud usage patterns, and suchlike. We present a formal framework to study the information leakage in shared resource schedulers using the pattern estimation error as a performance metric. In this framework, a uniform upper bound is derived to benchmark different scheduling policies. The first-come-first-serve scheduling policy is analyzed, and shown to leak significant information when the scheduler is loaded heavily. To mitigate the timing information leakage, we propose an “Accumulate-and-Serve” policy which trades in privacy for a higher delay. The policy is analyzed under the proposed framework and is shown to leak minimum information to the attacker, and is shown to have comparatively lower delay than a fixed scheduler that preemptively assigns service times irrespective of traffic patterns.
IEEE Transactions on Signal Processing | 2012
Sachin Kadloor; Xun Gong; Negar Kiyavash; Parv Venkitasubramaniam
We study the privacy compromise due to a queuing side channel which arises when a resource is shared between two users in the context of packet networks. The adversary tries to learn about the legitimate user's activities by sending a small but frequent probe stream to the shared resource (e.g., a router). We show that for current frequently used scheduling policies, the waiting time of the adversary is highly correlated with traffic pattern of the legitimate user, thus compromising user privacy. Through precise modeling of the constituent flows and the scheduling policy of the shared resource, we develop a dynamic program to compute the optimal privacy preserving policy that minimizes the correlation between user's traffic and adversary's waiting times. While the explosion of state-space for the problem prohibits us from characterizing the optimal policy, we derive a suboptimal policy using a myopic approximation to the problem. Through simulation results, we show that indeed the suboptimal policy does very well in the high traffic regime. Adapting the intuition from the myopic policy, we propose scheduling policies that demonstrate good tradeoff between privacy and delay in the low and medium traffic regime as well.
International Symposium on Information Theory | 2011
Xun Gong; Negar Kiyavash; Parv Venkitasubramaniam
The information leakage of a queuing side channel in a two-user shared scheduling system is studied from an information theoretic perspective. In the queueing side channel, a malicious attacker can learn the pattern of jobs from a legitimate user using the queuing delays experienced at the shared buffer. An analytical framework is proposed to quantify information leakage using Shannon's equivocation, and the information leakage of the standard First-come-First-serve scheduler is studied in a slotted system with geometric arrivals. The analysis of the FCFS scheduler demonstrates that the policy provides “good privacy” when arrival rates are very low; the leaked information increases with the rate of the attacker's jobs and approaches the maximum retrievable information as the sum-rate of arrivals approaches the boundary of the stability region of the queue.
IEEE Transactions on Smart Grid | 2015
Jiyun Yao; Parv Venkitasubramaniam
Perfect knowledge of a user's power consumption profile by a utility is a violation of privacy and can be detrimental to the successful implementation of demand response systems. It has been shown that an in-home energy storage system which provides a viable means to achieve the cost savings of instantaneous electricity pricing without inconvenience can also be used to maintain the privacy of a user's power profile. The optimization of the tradeoff between privacy, as measured by Shannon entropy, and cost savings that can be provided by a finite capacity battery with zero tolerance for delay is known to be equivalent to a Partially Observable Markov Decision Process with nonlinear belief-dependent rewards; solutions to such systems suffer from high computational complexity. In this paper, we propose a “revealing state” approach to enable computation of a class of battery control policies that aim to maximize the achievable privacy of in-home demands. In addition, a rate-distortion approach is presented to derive upper bounds on the privacy-cost savings tradeoff of battery control policies. These bounds are derived for a discrete model, where demand and price follow i.i.d. uniform distributions. Numerical results show that the derived bounds are quite close to each other, demonstrating the efficacy of the proposed class of strategies.
Information Theory Workshop | 2012
Sachin Kadloor; Negar Kiyavash; Parv Venkitasubramaniam
In multi-tasking systems where a finite resource is to be shared, a scheduler dictates how the resource is divided among competing processes. Examples of systems which have schedulers include a computer where the CPU needs to be shared between the different threads running, a cloud computing infrastructure with shared computing resources, a network router serving packets from different streams, etc. In such situations, when a processor is shared by multiple users, the delays experienced by jobs from one user are a function of the arrival pattern of jobs from other users, and the scheduling policy of the server. Consequently, a scheduling system creates a timing side channel in which information about arrival pattern from one user is inadvertently leaked to another. In this work, this information leakage is studied for a two user scheduling system. We first introduce a measure of privacy and then demonstrate that no scheduler can provide maximum privacy without idling/taking vacations, and consequently no policy can simultaneously be delay and privacy optimal.
International Conference on Communications | 2012
Abhishek Mishra; Parv Venkitasubramaniam
Fairness amongst multiple users sharing a common resource has been an important criterion in the evaluation of scheduling algorithms in networks. Anonymous networking, where sources of transmitted packets are undecipherable to an eavesdropper, requires that packets from multiple sources are randomly reordered prior to transmission, which works against the notion of fair scheduling. Consequently, it is important to understand the relationship between fairness and achievable anonymity in networking. In this paper, this relationship is characterized for the class of fair scheduling axioms defined by considering the equal treatment ex ante and demand monotonicity, under which the proportional method is known to be the unique scheduling algorithm that achieves the desired fairness. Using an information theoretic quantitative framework, the anonymity of this scheduling algorithm is characterized and proven to be asymptotically optimal with increase in buffer size. The anonymity achieved by the proportional method is also shown to be significantly better than conventional fair scheduling algorithms such as first come first serve and round robin, thus making a case for its application in data networks.
Proceedings of the IEEE | 2015
Parv Venkitasubramaniam; Jiyun Yao; Parth Pradhan
Infrastructural systems such as the electricity grid, healthcare, and transportation networks today rely increasingly on the joint functioning of networked information systems and physical components, in short, on cyber-physical architectures. Despite tremendous advances in cryptography, physical-layer security and authentication, information attacks, both passive such as eavesdropping, and active such as unauthorized data injection, continue to thwart the reliable functioning of networked systems. In systems with joint cyber-physical functionality, the ability of an adversary to monitor transmitted information or introduce false information can lead to sensitive user data being leaked or result in critical damages to the underlying physical system. This paper investigates two broad challenges in information security in cyber-physical systems (CPSs): preventing retrieval of internal physical system information through monitored external cyber flows, and limiting the modification of physical system functioning through compromised cyber flows. A rigorous analytical framework grounded on information-theoretic security is developed to study these challenges in a general stochastic control system abstraction (a theoretical building block for CPSs) with the objectives of quantifying the fundamental tradeoffs between information security and physical system performance, and through the process, designing provably secure controller policies. Recent results are presented that establish the theoretical basis for the framework, in addition to practical applications in timing analysis of anonymous systems, and demand response systems in a smart electricity grid.
Conference on Decision and Control | 2014
Jiyun Yao; Parv Venkitasubramaniam
Demand response systems in the electricity grid, which rely on two way communication between the consumers and utility, require the transmission of instantaneous energy consumption to utilities. Perfect knowledge of a user's power consumption profile by a utility is a violation of privacy and can be detrimental to the successful implementation of demand response systems. It has been shown that an in-home energy storage system (such as a battery/inverter) that provides a viable means to achieve the cost savings of instantaneous electricity pricing without inconvenience can also be used to hide a user's power usage pattern. A fundamental tradeoff exists between the costs saved and the degree of privacy achievable, and in this paper, the tradeoff achievable by a finite capacity battery assuming a zero tolerance for activity delay is studied using a Markov process model for user's demands and instantaneous electricity prices. Due to high computational complexity (continuous state-action space) of the stochastic control model, inner and upper bounds are presented on the optimal tradeoff. In particular, a class of battery charging policies based on minimizing revealing states is proposed to derive achievable privacy-cost savings tradeoff. The performance of this algorithm is compared with lower bounds derived using a greedy heuristic and upper bounds derived using an information theoretic rate distortion approach. The framework proposed is shown to be applicable even when users only desire partial information protection, such as presence/absence of activity or specific appliances they wish to hide. Numerical results based on real electricity and pricing data show that the proposed algorithm performs close to the upper bound, demonstrating its efficacy.
Allerton Conference on Communication, Control, and Computing | 2013
Parv Venkitasubramaniam
Cyber physical systems, which rely on the joint functioning of information and physical systems, are vulnerable to information leakage through the actions of the controller. In particular, if an external observer has access to observations in the system exposed through cyber communication links, then critical information can be inferred about the internal states of the system and consequently compromise the privacy in system operation. In this work, a mathematical framework based on a Markov Process model is proposed to investigate the design of controller actions when a privacy requirement is imposed as part of the system objective. Quantifying privacy using information theoretic equivocation, the tradeoff between achievable privacy and system utility is studied analytically. Specifically, for a sub-class of Markov Decision Processes (MDP), where the system output is independent of present and future states, the optimization is expressed as a solution to a Bellman equation with convex reward functions. Further, when the state evolution is a deterministic function of the states, actions and inputs, the Bellman equation is reduced to a series of recurrence relations. For the general MDP with privacy constraints, the optimization is expressed as a Partially Observable Markov Decision Process with belief dependent rewards (ρ-POMDP). Computable inner and outer bounds are provided on the achievable privacy utility tradeoff using greedy policies and rate distortion optimizations respectively.
IEEE/ACM Transactions on Networking | 2016
Sachin Kadloor; Negar Kiyavash; Parv Venkitasubramaniam
In this work, we study information leakage in timing side channels that arise in the context of shared event schedulers. Consider two processes, one of them an innocuous process (referred to as Alice) and the other a malicious one (referred to as Bob), using a common scheduler to process their jobs. There are other innocuous users in addition to Alice and Bob using the scheduler to process their jobs. Based on when his jobs get processed, Bob wishes to learn about the pattern (size and timing) of Alice's jobs. Depending on the context, knowledge of this pattern could have serious implications on Alice's privacy and security. For instance, shared routers can reveal traffic patterns, shared memory access can reveal cloud usage patterns, and suchlike. We present a formal framework to study the information leakage in shared resource schedulers using the pattern estimation error as a performance metric. The first-come-first-serve (FCFS) scheduling policy and time-division-multiple-access (TDMA) are identified as two extreme policies on the privacy metric: FCFS has the least, and TDMA has the highest. However, on performance-based metrics, such as throughput and delay, it is well known that FCFS significantly outperforms TDMA. We then derive two parameterized policies, accumulate and serve, and proportional TDMA, which take two different approaches to offer a tunable trade-off between privacy and performance.