Formal Verification of Differential Privacy in Concurrent Systems. (Vérification formelle de la vie privée dans les systèmes concurrents)

The verification of systems for protecting sensitive and confidential information is becoming an increasingly important issue in the modern world. Many protocols for protecting confidential information use randomized mechanisms to obfuscate the link between the secret and the public information. Typical examples are DC-nets, Crowds, Onion Routing, Freenet and Tor. Another common denominator is that the various entities involved in the system to be verified run as concurrent processes and typically exhibit nondeterministic behavior. This dissertation is devoted to the development of novel reasoning techniques for verifying differential privacy in concurrent systems. Differential privacy is a promising notion of privacy that originated in the statistical databases community and is now widely adopted in various models of computation. We use the principle of differential privacy as a criterion to measure the level of privacy that a concurrent system satisfies. The first part of the present thesis focuses on modular reasoning about differential privacy in a probabilistic variant of Robin Milner's Calculus of Communicating Systems (CCS). We show that the calculus operators nondeterministic choice, probabilistic choice, restriction and a restricted form of parallel composition are safe, in the sense that combining components with these operators does not compromise the privacy of the entire system. The second part focuses on the applicability of bisimulation, a fundamental technique in Concurrency Theory, for characterizing differentially private behavior. We borrow the idea of amortisation, which was initially applied to some bisimulations with cost-based actions, and coin an amortised probabilistic bisimulation. We show that it allows us to verify differential privacy and that it is a more liberal notion than that of Tschantz et al.
In the third part the focus is shifted to the development of proof systems - an axiomatic way for proving properties of concurrent systems. We provide sound and complete proof systems for our amortised bisimulation and its weak counterpart. The proof systems make it possible to reason about long-term (observable) differentially private behavior by syntactic manipulation. The last part presents an extension of the bisimulation metric based on the Kantorovich distance. This is a metric that has become very popular in Concurrency Theory, thanks to its principled and solid mathematical foundations. While the standard notion is additive in nature and therefore not suitable to prove the property of differential privacy (which is multiplicative), the extension developed in the thesis is parametric with respect to the underlying distance, and therefore suitable to capture a vast range of properties, including differential privacy.
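Two of the abstract's claims can be checked numerically on a toy mechanism: that the probabilistic choice operator is safe (composing two differentially private components does not weaken privacy), and that an additive distance cannot certify the multiplicative differential-privacy property. The example below is added here and is not code from the thesis; the randomized-response mechanism, the weights and the distributions are constructed for illustration.

```python
from math import inf, log

def mult_distance(p, q):
    """max_o |ln p(o)/q(o)| over two finite distributions (dict outcome -> probability);
    on a finite outcome space this is the smallest epsilon meeting the epsilon-DP bound."""
    worst = 0.0
    for o in set(p) | set(q):
        a, b = p.get(o, 0.0), q.get(o, 0.0)
        if a == 0.0 and b == 0.0:
            continue
        if a == 0.0 or b == 0.0:
            return inf  # an outcome possible under one secret only: no finite epsilon
        worst = max(worst, abs(log(a / b)))
    return worst

def tv_distance(p, q):
    """Additive (total variation) distance, the kind the standard Kantorovich metric measures."""
    return 0.5 * sum(abs(p.get(o, 0.0) - q.get(o, 0.0)) for o in set(p) | set(q))

def prob_choice(w, p, q):
    """Probabilistic choice: behave as p with probability w and as q otherwise."""
    return {o: w * p.get(o, 0.0) + (1 - w) * q.get(o, 0.0) for o in set(p) | set(q)}

def randomized_response(secret, flip):
    """Constructed toy mechanism: report the secret bit w.p. 1-flip, the opposite bit w.p. flip."""
    return {secret: 1.0 - flip, 1 - secret: flip}

def epsilon_of(mechanism):
    """Privacy level of a mechanism (secret -> output distribution): worst pair of distinct secrets."""
    return max(mult_distance(mechanism[s], mechanism[t])
               for s in mechanism for t in mechanism if s != t)

def compose(w, m1, m2):
    """Lift probabilistic choice to mechanisms, secret by secret."""
    return {s: prob_choice(w, m1[s], m2[s]) for s in m1}

# Two randomized-response mechanisms with different noise levels (constructed).
RR_LOW = {s: randomized_response(s, 0.25) for s in (0, 1)}   # epsilon = ln 3
RR_HIGH = {s: randomized_response(s, 0.10) for s in (0, 1)}  # epsilon = ln 9

def safe_choice_check():
    """Probabilistic choice is safe: the composed mechanism is no less private than its weaker component."""
    return epsilon_of(compose(0.5, RR_LOW, RR_HIGH)) <= max(epsilon_of(RR_LOW), epsilon_of(RR_HIGH))

def additive_vs_multiplicative():
    """Close in the additive sense, infinitely far in the multiplicative one."""
    p, q = {0: 0.999, 1: 0.001}, {0: 1.0}
    return tv_distance(p, q), mult_distance(p, q)
```

The composed mechanism lands at epsilon = ln(0.825/0.175), between ln 3 and ln 9, while the last pair of distributions has total-variation distance 0.001 and no finite epsilon at all.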
