Archive for the 'Privacy' Category

Peter Chapman’s CCS talk on Side-Channel Analysis (and Guinness!)

Thursday, October 20th, 2011


Peter Chapman presented our work on side-channel analysis for web applications at CCS yesterday. His slides are available here: [PPTX] [PDF].

It provides an automated way to analyze a web application for side-channel vulnerabilities, as well as a better metric for quantifying those vulnerabilities (that may have applications to many other areas where it is important to know how well states can be distinguished). It is described in more detail in this paper: Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications (and earlier post), but for the important connection to Guinness you need to view the slides. The tool is also freely available at http://www.cs.virginia.edu/sca/ (with a tutorial explaining how to use it!)

UVa Today Story on Secure Computation

Friday, October 14th, 2011

UVa Today has a story about our secure computation project: U.Va. Team Awarded $3 Million NSF Secure Computation Grant, Fariss Samarrai, UVa Today, 14 October 2011.


Photo: Cole Geddy


“Secure computation is the idea that you can have two people compute a function that depends on things that each one knows individually and wants to keep private without exposing their private data to the other person, or to anyone else,” Evans said.

The research has applications in everyday life, from private medical information, such as personal genomics, to privacy-preserving face recognition and electronic commerce.

As a simple example of how it works, consider two people who each have smartphones with personal address books. They would like to know if they know any of the same people by comparing their address books. But, they may not want to share their address books, which include potentially sensitive private information. So how can they find the common entries, without revealing anything about their other contacts?

Read More …

Faster Secure Two-Party Computation Using Garbled Circuits Talk

Sunday, August 14th, 2011

Yan Huang’s talk on Faster Secure Two-Party Computation Using Garbled Circuits at USENIX Security 2011 is now available: [PPTX] [PDF].

You can also download our framework and try our Android demo application.



Private Editing Talk

Friday, June 24th, 2011

Yan Huang presented Private Editing Using Untrusted Cloud Services at the Second International Workshop on Security and Privacy in Cloud Computing in Minneapolis this morning.

Here are the slides from his talk: [PPTX, PDF].
The full paper is also available: [PDF, 10 pages].

Protecting Private Web Content from Embedded Scripts

Thursday, June 16th, 2011

Our paper on protecting private web content from embedded scripts is now available:

Yuchen Zhou and David Evans. Protecting Private Web Content from Embedded Scripts. European Symposium on Research in Computer Security (ESORICS 2011). Lueven, Belguim. 12-14 September 2011. [PDF, 20 pages]

The paper addresses the problem of when web pages embed scripts from third parties (such as advertising networks or analytics tools) in their pages that contain user’s personal content. Since many such scripts must be embedded directly (that is, not in a separate iframe), they have access to the full page DOM and can access and manipulate this data. Our solution adopts the isolated worlds mechanism to isolate embedded scripts and provide a policy-limited access model. We also present a technique for automatically learning which nodes in a web page may contain sensitive data that should be protected from third-party scripts.

Yuchen will present the paper at ESORICS in Belgium in September.



Source Code

Modified Chromium: https://github.com/Treeeater/Chromium_on_windows

Policy Learner Proxy: https://github.com/Treeeater/GreasySpoon-proxy-script

Secure Computation Framework

Monday, June 13th, 2011


Today, we are releasing our secure computation framework. Our Java-based framework and library enable programmers to build efficient and scalable privacy-preserving applications using Yao’s garbled circuit techniques.

This paper describes the framework in more detail:

Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits, 20th USENIX Security Symposium, San Francisco, CA. 8-12 August 2011. [PDF, 16 pages]

Abstract. Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function’s output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbled-circuit technique, resulting in an implementation of generic secure two-party computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 109 gates at a rate of roughly 10 microseconds per garbled gate, and showing order-of-magnitude improvements over the best previous privacy-preserving protocols for computing Hamming distance, Levenshtein distance, Smith-Waterman genome alignment, and AES.

The framework and applications are available under the MIT open source license: Download Fast Garbled Circuits Framework.

Yan Huang will present the paper at USENIX Security Symposium in San Francisco this August.

Secure Computation on Smartphones

Thursday, May 26th, 2011

Yan Huang and Peter Chapman presented a poster and demo at Oakland 2011 conference on Secure Computation on Smartphones.

Private Editing Using Untrusted Cloud Services

Wednesday, May 4th, 2011

Our paper on how to use untrusted cloud services like Google Docs to edit and manage documents, without trusting them with your content, is now available:

Yan Huang and David Evans. Private Editing Using Untrusted Cloud Services. Second International Workshop on Security and Privacy in Cloud Computing. Minneapolis, Minnesota. 24 June 2011. [PDF, 10 pages]

Yan will present the paper at the workshop on June 24.

Abstract

We present a general methodology for protecting the confidentiality and integrity of user data for a class of on-line editing applications. The key insight is that many of these applications are designed to perform most of their data-dependent computation on the client side, so it is possible to maintain their functionality while only exposing an encrypted version of the document to the server. We apply our methodology to Google Documents and describe a prototype extension tool that enables users to use a cloud application to manage their documents without sacrificing confidentiality or integrity. To provide adequate performance, we employ an incremental encryption scheme and extend it to support variable-length blocks. We analyze the security of our scheme and report on experiments that show our extension preserves most of the cloud application’s functionality with less than 10% overhead for typical use.

http://www.mightbeevil.com/securedocs/

BBC on Karsten’s GSM Hacks

Sunday, April 24th, 2011

Karsten Nohl and Sylvain Munaut demonstrated their GSM hack for the BBC: Mobiles fall prey to hack attacks [follow link to see video], BBC News, 20 April 2011.

Who could possibly eavesdrop on your modern, digitally encrypted handset?

It should take the kind of technology and resources only available to the security services.

Yet two men wearing hoodie tops have managed to crack the system.

Karsten Nohl and Sylvain Munaut don’t look like secret agents, sitting behind their fold-out table next to a pile of old Motorola phones.

But these two security researchers have discovered a cheap, relatively simple way of intercepting mobile calls.

“We have been looking at GSM technology for a while and we find it to be pretty much outdated in every aspect of security and privacy,” said Mr Nohl.

UVERS Poster

Monday, April 4th, 2011

Congratulations to Yan Huang for winning an Honorable Mention at the University of Virginia Engineering Research Symposium (UVERS) for his poster on privacy-preserving biometric matching.

The poster is here: [PDF (13MB)]