Observing and Preventing Leakage in MapReduce

Ohrimenko, Olga; Costa, Manuel; Fournet, Cédric; Gkantsidis, Christos; Kohlweiss, Markulf; Sharma, Divya

doi:10.1145/2810103.2813695

Cited by 57 publications

(53 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In particular, for the types of data center analytics that would be performed by the ESA analyzer, there have been several proposals in the recent literature [20,57,67]. There has been relatively less proposed for protecting the client side, e.g., the encoders for ESA.…”

Section: Higher Assurance By Using Trustworthy Hardwarementioning

confidence: 99%

Prochlo

Bittau

Erlingsson

Maniatis

et al. 2017

Proceedings of the 26th Symposium on Operating Systems Principles

222

View full text Add to dashboard Cite

The large-scale monitoring of computer users' software activities has become commonplace, e.g., for application telemetry, error reporting, or demographic profiling. This paper describes a principled systems architecture-Encode, Shuffle, Analyze (ESA)-for performing such monitoring with high utility while also protecting user privacy. The ESA design, and its PROCHLO implementation, are informed by our practical experiences with an existing, large deployment of privacy-preserving software monitoring.With ESA, the privacy of monitored users' data is guaranteed by its processing in a three-step pipeline. First, the data is encoded to control scope, granularity, and randomness. Second, the encoded data is collected in batches subject to a randomized threshold, and blindly shuffled, to break linkability and to ensure that individual data items get "lost in the crowd" of the batch. Third, the anonymous, shuffled data is analyzed by a specific analysis engine that further prevents statistical inference attacks on analysis results.ESA extends existing best-practice methods for sensitivedata analytics, by using cryptography and statistical techniques to make explicit how data is elided and reduced in precision, how only common-enough, anonymous data is analyzed, and how this is done for only specific, permitted purposes. As a result, ESA remains compatible with the established workflows of traditional database analysis.Strong privacy guarantees, including differential privacy, can be established at each processing step to defend against malice or compromise at one or more of those steps. PROCHLO develops new techniques to harden those steps, including the Stash Shuffle, a novel scalable and efficient oblivious-shuffling algorithm based on Intel's SGX, and new applications of cryptographic secret sharing and blinding. We describe ESA and PROCHLO, as well as experiments that validate their ability to balance utility and privacy. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner /author(s).

show abstract

Section: Higher Assurance By Using Trustworthy Hardwarementioning

confidence: 99%

Prochlo

Bittau

Erlingsson

Maniatis

et al. 2017

Proceedings of the 26th Symposium on Operating Systems Principles

222

View full text Add to dashboard Cite

show abstract

“…Nevertheless, hardware-based solutions rely on the fact that the users must trust the hardware producers (e.g., Intel) who manage the master keys that are involved in some important protocols. Furthermore, even in the presence of trusted hardware, side-channel attacks based on memory and network access patterns have proven to be effective in many scenarios [29,37,47], which shows the immaturity of deploying such systems -at their current stage -to address critical challenges such as secure data sharing. Instead, UnLynx, is based on well-established cryptographic techniques that rely on a standard security model, and it provides a set of critical security features that none of previous contributions have achieved, such as proof of computation and decentralized trust.…”

Section: Related Workmentioning

confidence: 99%

UnLynx: A Decentralized System for Privacy-Conscious Data Sharing

Froelicher

Egger

Sousa

et al. 2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Current solutions for privacy-preserving data sharing among multiple parties either depend on a centralized authority that must be trusted and provides only weakest-link security (e.g., the entity that manages private/secret cryptographic keys), or leverage on decentralized but impractical approaches (e.g., secure multi-party computation). When the data to be shared are of a sensitive nature and the number of data providers is high, these solutions are not appropriate. Therefore, we present UnLynx, a new decentralized system for efficient privacypreserving data sharing. We consider m servers that constitute a collective authority whose goal is to verifiably compute on data sent from n data providers. UnLynx guarantees the confidentiality, unlinkability between data providers and their data, privacy of the end result and the correctness of computations by the servers. Furthermore, to support differentially private queries, UnLynx can collectively add noise under encryption. All of this is achieved through a combination of a set of new distributed and secure protocols that are based on homomorphic cryptography, verifiable shuffling and zero-knowledge proofs. UnLynx is highly parallelizable and modular by design as it enables multiple security/privacy vs. runtime tradeoffs. Our evaluation shows that UnLynx can execute a secure survey on 400,000 personal data records containing 5 encrypted attributes, distributed over 20 independent databases, for a total of 2,000,000 ciphertexts, in 24 minutes.

show abstract

“…However, these systems do not meet our security definition; i.e., they offer a weaker security guarantee. Recent systems [20,37] adopt a similar approach to this paper's to support privacy-preserving computation. However, they focus on the MapReduce computation model, and specifically use scrambling to ensure security for the shuffling phase (which is essentially a sorting algorithm).…”

Section: Related Workmentioning

confidence: 99%

“…While these works are ideal for applications that make few accesses in a large dataset, they may not necessarily be so for other applications that potentially require accessing the entire dataset multiple times, for example data management tasks. For such applications, customized algorithms are likely to perform better (e.g., [37]). StC offers a simple way for implementing those algorithms.…”

Section: Secure Computation By Data-obliviousmentioning

confidence: 99%

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute

Dang

Dinh

Chang

et al. 2017

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Abstract:We consider privacy-preserving computation of big data using trusted computing primitives with limited private memory. Simply ensuring that the data remains encrypted outside the trusted computing environment is insufficient to preserve data privacy, for data movement observed during computation could leak information. While it is possible to thwart such leakage using generic solution such as ORAM [42], designing efficient privacy-preserving algorithms is challenging. Besides computation efficiency, it is critical to keep trusted code bases lean, for large ones are unwieldy to vet and verify. In this paper, we advocate a simple approach wherein many basic algorithms (e.g., sorting) can be made privacy-preserving by adding a step that securely scrambles the data before feeding it to the original algorithms. We call this approach Scramblethen-Compute (StC), and give a sufficient condition whereby existing external memory algorithms can be made privacy-preserving via StC. This approach facilitates code-reuse, and its simplicity contributes to a smaller trusted code base. It is also general, allowing algorithm designers to leverage an extensive body of known efficient algorithms for better performance. Our experiments show that StC could offer up to 4.1× speedups over known, application-specific alternatives.

show abstract

Observing and Preventing Leakage in MapReduce

Cited by 57 publications

References 20 publications

Prochlo

Prochlo

UnLynx: A Decentralized System for Privacy-Conscious Data Sharing

Privacy-Preserving Computation with Trusted Computing via Scramble-then-Compute

Contact Info

Product

Resources

About