-
No Vandalism: Privacy-Preserving and Byzantine-Robust Federated Learning
Authors:
Zhibo Xing,
Zijian Zhang,
Zi'ang Zhang,
Jiamou Liu,
Liehuang Zhu,
Giovanni Russello
Abstract:
Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease the model performance, but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to the privacy lea…
▽ More
Federated learning allows several clients to train one machine learning model jointly without sharing private data, providing privacy protection. However, traditional federated learning is vulnerable to poisoning attacks, which can not only decrease the model performance, but also implant malicious backdoors. In addition, direct submission of local model parameters can also lead to the privacy leakage of the training dataset. In this paper, we aim to build a privacy-preserving and Byzantine-robust federated learning scheme to provide an environment with no vandalism (NoV) against attacks from malicious participants. Specifically, we construct a model filter for poisoned local models, protecting the global model from data and model poisoning attacks. This model filter combines zero-knowledge proofs to provide further privacy protection. Then, we adopt secret sharing to provide verifiable secure aggregation, removing malicious clients that disrupting the aggregation process. Our formal analysis proves that NoV can protect data privacy and weed out Byzantine attackers. Our experiments illustrate that NoV can effectively address data and model poisoning attacks, including PGD, and outperforms other related schemes.
△ Less
Submitted 3 June, 2024;
originally announced June 2024.
-
Zero-knowledge Proof Meets Machine Learning in Verifiability: A Survey
Authors:
Zhibo Xing,
Zijian Zhang,
Jiamou Liu,
Ziang Zhang,
Meng Li,
Liehuang Zhu,
Giovanni Russello
Abstract:
With the rapid advancement of artificial intelligence technology, the usage of machine learning models is gradually becoming part of our daily lives. High-quality models rely not only on efficient optimization algorithms but also on the training and learning processes built upon vast amounts of data and computational power. However, in practice, due to various challenges such as limited computatio…
▽ More
With the rapid advancement of artificial intelligence technology, the usage of machine learning models is gradually becoming part of our daily lives. High-quality models rely not only on efficient optimization algorithms but also on the training and learning processes built upon vast amounts of data and computational power. However, in practice, due to various challenges such as limited computational resources and data privacy concerns, users in need of models often cannot train machine learning models locally. This has led them to explore alternative approaches such as outsourced learning and federated learning. While these methods address the feasibility of model training effectively, they introduce concerns about the trustworthiness of the training process since computations are not performed locally. Similarly, there are trustworthiness issues associated with outsourced model inference. These two problems can be summarized as the trustworthiness problem of model computations: How can one verify that the results computed by other participants are derived according to the specified algorithm, model, and input data? To address this challenge, verifiable machine learning (VML) has emerged. This paper presents a comprehensive survey of zero-knowledge proof-based verifiable machine learning (ZKP-VML) technology. We first analyze the potential verifiability issues that may exist in different machine learning scenarios. Subsequently, we provide a formal definition of ZKP-VML. We then conduct a detailed analysis and classification of existing works based on their technical approaches. Finally, we discuss the key challenges and future directions in the field of ZKP-based VML.
△ Less
Submitted 23 October, 2023;
originally announced October 2023.
-
SoK: Access Control Policy Generation from High-level Natural Language Requirements
Authors:
Sakuna Harinda Jayasundara,
Nalin Asanka Gamagedara Arachchilage,
Giovanni Russello
Abstract:
Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to huma…
▽ More
Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to human errors, making them unusable. On the other hand, automated policy generation frameworks are prone to erroneous predictions, making them unreliable. Therefore, to find ways to improve their usability and reliability, we conducted a Systematic Literature Review analyzing 49 publications, to identify those tools, frameworks, and their limitations. Identifying those limitations will help develop effective access control policy generation solutions while avoiding access control failures.
△ Less
Submitted 4 October, 2023;
originally announced October 2023.
-
Mostree : Malicious Secure Private Decision Tree Evaluation with Sublinear Communication
Authors:
Jianli Bai,
Xiangfu Song,
Xiaowu Zhang,
Qifan Wang,
Shujie Cui,
Ee-Chien Chang,
Giovanni Russello
Abstract:
A private decision tree evaluation (PDTE) protocol allows a feature vector owner (FO) to classify its data using a tree model from a model owner (MO) and only reveals an inference result to the FO. This paper proposes Mostree, a PDTE protocol secure in the presence of malicious parties with sublinear communication. We design Mostree in the three-party honest-majority setting, where an (untrusted)…
▽ More
A private decision tree evaluation (PDTE) protocol allows a feature vector owner (FO) to classify its data using a tree model from a model owner (MO) and only reveals an inference result to the FO. This paper proposes Mostree, a PDTE protocol secure in the presence of malicious parties with sublinear communication. We design Mostree in the three-party honest-majority setting, where an (untrusted) computing party (CP) assists the FO and MO in the secure computation. We propose two low-communication oblivious selection (OS) protocols by exploiting nice properties of three-party replicated secret sharing (RSS) and distributed point function. Mostree combines OS protocols with a tree encoding method and three-party secure computation to achieve sublinear communication. We observe that most of the protocol components already maintain privacy even in the presence of a malicious adversary, and what remains to achieve is correctness. To ensure correctness, we propose a set of lightweight consistency checks and seamlessly integrate them into Mostree. As a result, Mostree achieves sublinear communication and malicious security simultaneously. We implement Mostree and compare it with the state-of-the-art. Experimental results demonstrate that Mostree is efficient and comparable to semi-honest PDTE schemes with sublinear communication. For instance, when evaluated on the MNIST dataset in a LAN setting, Mostree achieves an evaluation using approximately 768 ms with communication of around 168 KB.
△ Less
Submitted 29 September, 2023;
originally announced September 2023.
-
CryptoMask : Privacy-preserving Face Recognition
Authors:
Jianli Bai,
Xiaowu Zhang,
Xiangfu Song,
Hang Shao,
Qifan Wang,
Shujie Cui,
Giovanni Russello
Abstract:
Face recognition is a widely-used technique for identification or verification, where a verifier checks whether a face image matches anyone stored in a database. However, in scenarios where the database is held by a third party, such as a cloud server, both parties are concerned about data privacy. To address this concern, we propose CryptoMask, a privacy-preserving face recognition system that em…
▽ More
Face recognition is a widely-used technique for identification or verification, where a verifier checks whether a face image matches anyone stored in a database. However, in scenarios where the database is held by a third party, such as a cloud server, both parties are concerned about data privacy. To address this concern, we propose CryptoMask, a privacy-preserving face recognition system that employs homomorphic encryption (HE) and secure multi-party computation (MPC). We design a new encoding strategy that leverages HE properties to reduce communication costs and enable efficient similarity checks between face images, without expensive homomorphic rotation. Additionally, CryptoMask leaks less information than existing state-of-the-art approaches. CryptoMask only reveals whether there is an image matching the query or not, whereas existing approaches additionally leak sensitive intermediate distance information. We conduct extensive experiments that demonstrate CryptoMask's superior performance in terms of computation and communication. For a database with 100 million 512-dimensional face vectors, CryptoMask offers ${\thicksim}5 \times$ and ${\thicksim}144 \times$ speed-ups in terms of computation and communication, respectively.
△ Less
Submitted 22 July, 2023;
originally announced July 2023.
-
GTree: GPU-Friendly Privacy-preserving Decision Tree Training and Inference
Authors:
Qifan Wang,
Shujie Cui,
Lei Zhou,
Ye Dong,
Jianli Bai,
Yun Sing Koh,
Giovanni Russello
Abstract:
Decision tree (DT) is a widely used machine learning model due to its versatility, speed, and interpretability. However, for privacy-sensitive applications, outsourcing DT training and inference to cloud platforms raise concerns about data privacy. Researchers have developed privacy-preserving approaches for DT training and inference using cryptographic primitives, such as Secure Multi-Party Compu…
▽ More
Decision tree (DT) is a widely used machine learning model due to its versatility, speed, and interpretability. However, for privacy-sensitive applications, outsourcing DT training and inference to cloud platforms raise concerns about data privacy. Researchers have developed privacy-preserving approaches for DT training and inference using cryptographic primitives, such as Secure Multi-Party Computation (MPC). While these approaches have shown progress, they still suffer from heavy computation and communication overheads. Few recent works employ Graphical Processing Units (GPU) to improve the performance of MPC-protected deep learning. This raises a natural question: \textit{can MPC-protected DT training and inference be accelerated by GPU?}
We present GTree, the first scheme that uses GPU to accelerate MPC-protected secure DT training and inference. GTree is built across 3 parties who securely and jointly perform each step of DT training and inference with GPU. Each MPC protocol in GTree is designed in a GPU-friendly version. The performance evaluation shows that GTree achieves ${\thicksim}11{\times}$ and ${\thicksim}21{\times}$ improvements in training SPECT and Adult datasets, compared to the prior most efficient CPU-based work. For inference, GTree shows its superior efficiency when the DT has less than 10 levels, which is $126\times$ faster than the prior most efficient work when inferring $10^4$ instances with a tree of 7 levels. GTree also achieves a stronger security guarantee than prior solutions, which only leaks the tree depth and size of data samples while prior solutions also leak the tree structure. With \textit{oblivious array access}, the access pattern on GPU is also protected.
△ Less
Submitted 30 April, 2023;
originally announced May 2023.
-
Zero-Knowledge Proof-based Practical Federated Learning on Blockchain
Authors:
Zhibo Xing,
Zijian Zhang,
Meng Li,
Jiamou Liu,
Liehuang Zhu,
Giovanni Russello,
Muhammad Rizwan Asghar
Abstract:
Since the concern of privacy leakage extremely discourages user participation in sharing data, federated learning has gradually become a promising technique for both academia and industry for achieving collaborative learning without leaking information about the local data. Unfortunately, most federated learning solutions cannot efficiently verify the execution of each participant's local machine…
▽ More
Since the concern of privacy leakage extremely discourages user participation in sharing data, federated learning has gradually become a promising technique for both academia and industry for achieving collaborative learning without leaking information about the local data. Unfortunately, most federated learning solutions cannot efficiently verify the execution of each participant's local machine learning model and protect the privacy of user data, simultaneously. In this article, we first propose a Zero-Knowledge Proof-based Federated Learning (ZKP-FL) scheme on blockchain. It leverages zero-knowledge proof for both the computation of local data and the aggregation of local model parameters, aiming to verify the computation process without requiring the plaintext of the local data. We further propose a Practical ZKP-FL (PZKP-FL) scheme to support fraction and non-linear operations. Specifically, we explore a Fraction-Integer mapping function, and use Taylor expansion to efficiently handle non-linear operations while maintaining the accuracy of the federated learning model. We also analyze the security of PZKP-FL. Performance analysis demonstrates that the whole running time of the PZKP-FL scheme is approximately less than one minute in parallel execution.
△ Less
Submitted 24 April, 2023; v1 submitted 11 April, 2023;
originally announced April 2023.
-
What You See is Not What You Get: The Role of Email Presentation in Phishing Susceptibility
Authors:
Sijie Zhuo,
Robert Biddle,
Lucas Betts,
Nalin Asanka Gamagedara Arachchilage,
Yun Sing Koh,
Danielle Lottridge,
Giovanni Russello
Abstract:
Phishing is one of the most prevalent social engineering attacks that targets both organizations and individuals. It is crucial to understand how email presentation impacts users' reactions to phishing attacks. We speculated that the device and email presentation may play a role, and, in particular, that how links are shown might influence susceptibility. Collaborating with the IT Services unit of…
▽ More
Phishing is one of the most prevalent social engineering attacks that targets both organizations and individuals. It is crucial to understand how email presentation impacts users' reactions to phishing attacks. We speculated that the device and email presentation may play a role, and, in particular, that how links are shown might influence susceptibility. Collaborating with the IT Services unit of a large organization doing a phishing training exercise, we conducted a study to explore the effects of the device and the presentation of links. Our findings indicate that mobile device and computer users were equally likely to click on unmasked links, however mobile device users were more likely to click on masked links compared to computer users. These findings suggest that link presentation plays a significant role in users' susceptibility to phishing attacks.
△ Less
Submitted 2 April, 2023;
originally announced April 2023.
-
Scalable Private Decision Tree Evaluation with Sublinear Communication
Authors:
Jianli Bai,
Xiangfu Song,
Shujie Cui,
Ee-Chien Chang,
Giovanni Russello
Abstract:
Private decision tree evaluation (PDTE) allows a decision tree holder to run a secure protocol with a feature provider. By running the protocol, the feature provider will learn a classification result. Nothing more is revealed to either party. In most existing PDTE protocols, the required communication grows exponentially with the tree's depth $d$, which is highly inefficient for large trees. This…
▽ More
Private decision tree evaluation (PDTE) allows a decision tree holder to run a secure protocol with a feature provider. By running the protocol, the feature provider will learn a classification result. Nothing more is revealed to either party. In most existing PDTE protocols, the required communication grows exponentially with the tree's depth $d$, which is highly inefficient for large trees. This shortcoming motivated us to design a sublinear PDTE protocol with $O(d)$ communication complexity. The core of our construction is a shared oblivious selection (SOS) functionality, allowing two parties to perform a secret-shared oblivious read operation from an array. We provide two SOS protocols, both of which achieve sublinear communication and propose optimizations to further improve their efficiency. Our sublinear PDTE protocol is based on the proposed SOS functionality and we prove its security under a semi-honest adversary. We compare our protocol with the state-of-the-art, in terms of communication and computation, under various network settings. The performance evaluation shows that our protocol is practical and more scalable over large trees than existing solutions.
△ Less
Submitted 2 May, 2022;
originally announced May 2022.
-
EnclaveTree: Privacy-preserving Data Stream Training and Inference Using TEE
Authors:
Qifan Wang,
Shujie Cui,
Lei Zhou,
Ocean Wu,
Yonghua Zhu,
Giovanni Russello
Abstract:
The classification service over a stream of data is becoming an important offering for cloud providers, but users may encounter obstacles in providing sensitive data due to privacy concerns. While Trusted Execution Environments (TEEs) are promising solutions for protecting private data, they remain vulnerable to side-channel attacks induced by data-dependent access patterns. We propose a Privacy-p…
▽ More
The classification service over a stream of data is becoming an important offering for cloud providers, but users may encounter obstacles in providing sensitive data due to privacy concerns. While Trusted Execution Environments (TEEs) are promising solutions for protecting private data, they remain vulnerable to side-channel attacks induced by data-dependent access patterns. We propose a Privacy-preserving Data Stream Training and Inference scheme, called EnclaveTree, that provides confidentiality for user's data and the target models against a compromised cloud service provider. We design a matrix-based training and inference procedure to train the Hoeffding Tree (HT) model and perform inference with the trained model inside the trusted area of TEEs, which provably prevent the exploitation of access-pattern-based attacks. The performance evaluation shows that EnclaveTree is practical for processing the data streams with small or medium number of features. When there are less than 63 binary features, EnclaveTree is up to ${\thicksim}10{\times}$ and ${\thicksim}9{\times}$ faster than naïve oblivious solution on training and inference, respectively.
△ Less
Submitted 2 March, 2022;
originally announced March 2022.
-
SoK: Human-Centered Phishing Susceptibility
Authors:
Sijie Zhuo,
Robert Biddle,
Yun Sing Koh,
Danielle Lottridge,
Giovanni Russello
Abstract:
Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be su…
▽ More
Phishing is recognised as a serious threat to organisations and individuals. While there have been significant technical advances in blocking phishing attacks, people remain the last line of defence after phishing emails reach their email client. Most of the existing literature on this subject has focused on the technical aspects related to phishing. However, the factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and we propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are involved in phishing detection and prevention, and we systematically investigate the phishing susceptibility variables studied in the literature and taxonomize them using our model. This model reveals several research gaps that need to be addressed to improve users' detection performance. We also propose a practical impact assessment of the value of studying the phishing susceptibility variables, and quality of evidence criteria. These can serve as guidelines for future research to improve experiment design, result quality, and increase the reliability and generalizability of findings.
△ Less
Submitted 16 February, 2022;
originally announced February 2022.
-
Towards a Theory of Special-purpose Program Obfuscation
Authors:
Muhammad Rizwan Asghar,
Steven Galbraith,
Andrea Lanzi,
Giovanni Russello,
Lukas Zobernig
Abstract:
Most recent theoretical literature on program obfuscation is based on notions like Virtual Black Box (VBB) obfuscation and indistinguishability Obfuscation (iO). These notions are very strong and are hard to satisfy. Further, they offer far more protection than is typically required in practical applications. On the other hand, the security notions introduced by software security researchers are s…
▽ More
Most recent theoretical literature on program obfuscation is based on notions like Virtual Black Box (VBB) obfuscation and indistinguishability Obfuscation (iO). These notions are very strong and are hard to satisfy. Further, they offer far more protection than is typically required in practical applications. On the other hand, the security notions introduced by software security researchers are suitable for practical designs but are not formal or precise enough to enable researchers to provide a quantitative security assurance. Hence, in this paper, we introduce a new formalism for practical program obfuscation that still allows rigorous security proofs. We believe our formalism will make it easier to analyse the security of obfuscation schemes. To show the flexibility and power of our formalism, we give a number of examples. Moreover, we explain the close relationship between our formalism and the task of providing obfuscation challenges.
This is the full version of the paper. In this version, we also give a new rigorous analysis of several obfuscation techniques and we provide directions for future research.
△ Less
Submitted 4 November, 2020;
originally announced November 2020.
-
Privacy-preserving Searchable Databases with Controllable Leakage
Authors:
Shujie Cui,
Xiangfu Song,
Muhammad Rizwan Asghar,
Steven D Galbraith,
Giovanni Russello
Abstract:
Searchable Encryption (SE) is a technique that allows Cloud Service Providers (CSPs) to search over encrypted datasets without learning the content of queries and records. In recent years, many SE schemes have been proposed to protect outsourced data from CSPs. Unfortunately, most of them leak sensitive information, from which the CSPs could still infer the content of queries and records by mounti…
▽ More
Searchable Encryption (SE) is a technique that allows Cloud Service Providers (CSPs) to search over encrypted datasets without learning the content of queries and records. In recent years, many SE schemes have been proposed to protect outsourced data from CSPs. Unfortunately, most of them leak sensitive information, from which the CSPs could still infer the content of queries and records by mounting leakage-based inference attacks, such as the count attack and file injection attack.
In this work, first we define the leakage in searchable encrypted databases and analyse how the leakage is leveraged in existing leakage-based attacks. Second, we propose a Privacy-preserving Multi-cloud based dynamic symmetric SE (SSE) scheme for relational Database (P-McDb). P-McDb has minimal leakage, which not only ensures confidentiality of queries and records, but also protects the search, access, and size patterns from CSPs. Moreover, P-McDb ensures both forward and backward privacy of the database. Thus, P-McDb could resist existing leakage-based attacks, e.g., active file/record-injection attacks. We give security definition and analysis to show how P-McDb hides the aforementioned patterns. Finally, we implemented a prototype of P-McDb and test it using the TPC-H benchmark dataset. Our evaluation results show the feasibility and practical efficiency of P-McDb.
△ Less
Submitted 26 September, 2019; v1 submitted 25 September, 2019;
originally announced September 2019.
-
A Review of Privacy and Consent Management in Healthcare: A Focus on Emerging Data Sources
Authors:
Muhammad Rizwan Asghar,
TzeHowe Lee,
Mirza Mansoor Baig,
Ehsan Ullah,
Giovanni Russello,
Gillian Dobbie
Abstract:
The emergence of New Data Sources (NDS) in healthcare is revolutionising traditional electronic health records in terms of data availability, storage, and access. Increasingly, clinicians are using NDS to build a virtual holistic image of a patient's health condition. This research is focused on a review and analysis of the current legislation and privacy rules available for healthcare professiona…
▽ More
The emergence of New Data Sources (NDS) in healthcare is revolutionising traditional electronic health records in terms of data availability, storage, and access. Increasingly, clinicians are using NDS to build a virtual holistic image of a patient's health condition. This research is focused on a review and analysis of the current legislation and privacy rules available for healthcare professionals. NDS in this project refers to and includes patient-generated health data, consumer device data, wearable health and fitness data, and data from social media.
This project reviewed legal and regulatory requirements for New Zealand, Australia, the European Union, and the United States to establish the ground reality of existing mechanisms in place concerning the use of NDS. The outcome of our research is to recommend changes and enhancements required to better prepare for the 'tsunami' of NDS and applications in the currently evolving data-driven healthcare area and precision or personalised health initiatives such as Precision Driven Health (PDH) in New Zealand.
△ Less
Submitted 1 November, 2017;
originally announced November 2017.
-
ACTORS: A Goal-driven Approach for Capturing and Managing Consent in e-Health Systems
Authors:
Muhammad Rizwan Asghar,
Giovanni Russello
Abstract:
The notion of patient's consent plays a major role in granting access to medical data. In typical healthcare systems, consent is captured by a form that the patient has to fill in and sign. In e-Health systems, the paper-form consent is being replaced by the integration of the notion of consent in the mechanisms that regulate the access to the medical data. This helps in empowering the patient wit…
▽ More
The notion of patient's consent plays a major role in granting access to medical data. In typical healthcare systems, consent is captured by a form that the patient has to fill in and sign. In e-Health systems, the paper-form consent is being replaced by the integration of the notion of consent in the mechanisms that regulate the access to the medical data. This helps in empowering the patient with the capability of granting and revoking consent in a more effective manner. However, the process of granting and revoking consent greatly varies according to the situation in which the patient is. Our main argument is that such a level of detail is very difficult and error-prone to capture as a set of authorisation policies. In this paper, we present ACTORS, a goal-driven approach to manage consent. The main idea behind ACTORS is to leverage the goal-driven approach of Teleo-Reactive (TR) programming for managing consent that takes into account changes regarding the domains and contexts in which the patient is providing her consent.
△ Less
Submitted 11 September, 2013;
originally announced September 2013.
-
ESPOON$_{ERBAC}$: Enforcing Security Policies In Outsourced Environments
Authors:
Muhammad Rizwan Asghar,
Mihaela Ion,
Giovanni Russello,
Bruno Crispo
Abstract:
Data outsourcing is a growing business model offering services to individuals and enterprises for processing and storing a huge amount of data. It is not only economical but also promises higher availability, scalability, and more effective quality of service than in-house solutions. Despite all its benefits, data outsourcing raises serious security concerns for preserving data confidentiality. Th…
▽ More
Data outsourcing is a growing business model offering services to individuals and enterprises for processing and storing a huge amount of data. It is not only economical but also promises higher availability, scalability, and more effective quality of service than in-house solutions. Despite all its benefits, data outsourcing raises serious security concerns for preserving data confidentiality. There are solutions for preserving confidentiality of data while supporting search on the data stored in outsourced environments. However, such solutions do not support access policies to regulate access to a particular subset of the stored data.
For complex user management, large enterprises employ Role-Based Access Controls (RBAC) models for making access decisions based on the role in which a user is active in. However, RBAC models cannot be deployed in outsourced environments as they rely on trusted infrastructure in order to regulate access to the data. The deployment of RBAC models may reveal private information about sensitive data they aim to protect. In this paper, we aim at filling this gap by proposing \textbf{$\mathit{ESPOON_{ERBAC}}$} for enforcing RBAC policies in outsourced environments. $\mathit{ESPOON_{ERBAC}}$ enforces RBAC policies in an encrypted manner where a curious service provider may learn a very limited information about RBAC policies. We have implemented $\mathit{ESPOON_{ERBAC}}$ and provided its performance evaluation showing a limited overhead, thus confirming viability of our approach.
△ Less
Submitted 15 August, 2013;
originally announced August 2013.
-
ESPOON: Enforcing Encrypted Security Policies in Outsourced Environments
Authors:
Muhammad Rizwan Asghar,
Mihaela Ion,
Giovanni Russello,
Bruno Crispo
Abstract:
The enforcement of security policies in outsourced environments is still an open challenge for policy-based systems. On the one hand, taking the appropriate security decision requires access to the policies. However, if such access is allowed in an untrusted environment then confidential information might be leaked by the policies. Current solutions are based on cryptographic operations that embed…
▽ More
The enforcement of security policies in outsourced environments is still an open challenge for policy-based systems. On the one hand, taking the appropriate security decision requires access to the policies. However, if such access is allowed in an untrusted environment then confidential information might be leaked by the policies. Current solutions are based on cryptographic operations that embed security policies with the security mechanism. Therefore, the enforcement of such policies is performed by allowing the authorised parties to access the appropriate keys. We believe that such solutions are far too rigid because they strictly intertwine authorisation policies with the enforcing mechanism.
In this paper, we want to address the issue of enforcing security policies in an untrusted environment while protecting the policy confidentiality. Our solution ESPOON is aiming at providing a clear separation between security policies and the enforcement mechanism. However, the enforcement mechanism should learn as less as possible about both the policies and the requester attributes.
△ Less
Submitted 20 June, 2013;
originally announced June 2013.