Formal Verification of Differential Privacy for Interactive Systems

Differential privacy is a promising approach to privacy-preserving data analysis with a well-developed theory for functions. Despite recent work on implementing systems that aim to provide differential privacy, the problem of formally verifying that these systems have differential privacy has not been adequately addressed. We develop a formal probabilistic automaton model of differential privacy for systems by adapting prior work on differential privacy for functions. We present the first sound verification technique for proving differential privacy of interactive systems. The technique is based on a form of probabilistic bisimulation relation. The novelty lies in the way we track quantitative privacy leakage bounds using a relation family instead of a single relation. We illustrate the proof technique on a representative automaton motivated by PINQ, an implemented system that is intended to provide differential privacy. Surprisingly, our analysis yields a privacy leakage bound of (t+1)ε rather than tε when ε-differentially private functions are called t times. The extra leakage arises from accounting for the bounded memory constraints of real computers.
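The tε figure the abstract contrasts its result against is the standard sequential composition bound: t independent calls of an ε-differentially private function leak at most tε. The following added example (not code from the paper, PINQ, or any of the systems it discusses) computes that leakage exactly for a finite-output mechanism, so the bound can be checked rather than taken on faith. It uses randomized response on a single bit as the ε-DP primitive, enumerates every output tuple of t calls, and reports the worst-case log-ratio between the output distributions on the two neighbouring inputs 0 and 1. It models the memoryless function view only; it does not model the paper's probabilistic automaton or the bounded-memory effect that raises the bound to (t+1)ε. Function names and parameters are the example's own.

```python
import itertools
import math


def randomized_response(eps: float, x: int) -> dict:
    """Exact output distribution of eps-DP randomized response on one bit x.

    Reports the true bit with probability e^eps / (1 + e^eps) and the
    flipped bit otherwise; the ratio of the two is exactly e^eps, so a
    single call is eps-differentially private on neighbours 0 and 1.
    """
    p_true = math.exp(eps) / (1.0 + math.exp(eps))
    return {x: p_true, 1 - x: 1.0 - p_true}


def compose(mech, eps: float, x: int, t: int) -> dict:
    """Output distribution of t independent sequential calls of `mech` on x.

    Each outcome is the tuple of the t individual answers; because the
    calls are independent, its probability is the product of the
    per-call probabilities. The output space has |range|^t elements, so
    keep t small for exact enumeration.
    """
    single = mech(eps, x)
    dist = {}
    for outputs in itertools.product(single.keys(), repeat=t):
        prob = 1.0
        for o in outputs:
            prob *= single[o]
        dist[outputs] = prob
    return dist


def max_privacy_loss(dist_a: dict, dist_b: dict) -> float:
    """Largest |ln P_a(y) / P_b(y)| over all outputs y.

    This is the smallest epsilon for which the two distributions satisfy
    the epsilon-differential-privacy inequality; an output possible under
    one input but impossible under the other means unbounded leakage.
    """
    worst = 0.0
    for y in set(dist_a) | set(dist_b):
        pa, pb = dist_a.get(y, 0.0), dist_b.get(y, 0.0)
        if pa == 0.0 and pb == 0.0:
            continue
        if pa == 0.0 or pb == 0.0:
            return math.inf
        worst = max(worst, abs(math.log(pa / pb)))
    return worst


def composed_privacy_loss(eps: float, t: int) -> float:
    """Exact leakage of t calls of eps-DP randomized response on neighbours 0 and 1.

    For randomized response the composition bound is tight: the all-zero
    output tuple has ratio (e^eps)^t between the two inputs, so the result
    equals t * eps up to floating-point rounding.
    """
    return max_privacy_loss(compose(randomized_response, eps, 0, t),
                            compose(randomized_response, eps, 1, t))


def within_composition_bound(eps: float, t: int, tol: float = 1e-9) -> bool:
    """Check that t composed calls leak no more than the standard t * eps."""
    return composed_privacy_loss(eps, t) <= t * eps + tol


if __name__ == "__main__":
    # Constructed parameters for a quick look: eps = 0.5, up to four calls.
    for t in range(1, 5):
        loss = composed_privacy_loss(0.5, t)
        print(f"t={t}: exact leakage {loss:.6f}, composition bound {0.5 * t:.6f}")
```

Because the whole output space is enumerated, the result is the exact privacy loss rather than an estimate from sampling; for mechanisms with large or infinite ranges (Laplace, geometric) the same check needs a bound on the range or a closed-form argument instead.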
