A timing attack is an example of a resource consumption attack. In a timing attack, information is gleaned from the amount of time it takes a computer to process a query. For example, consider a computer that asks a user to log in before the user is allowed to access private documents. The user enters a username and password, and the computer checks them against a stored username and password.
One method for checking the username and password is to first check whether the first letter of the username is correct. If it is, the computer may proceed to check whether the second letter is correct. If the first letter of the username is not correct, the computer may stop the operation and notify the user that the username and/or password were incorrect.
An attacker may employ a timing attack in this setting to gain access to the true user's private documents. The attacker knows that if the first letter of an entered username is incorrect, the computer will take some very short amount of time to respond with an “access denied” message. However, if the first letter is correct, the computer will take slightly longer to respond. The attacker can go through the letters of the alphabet, and find which ones cause the computer to take extra time to respond. The same approach may then be used to discover the letters of the password.
Another resource consumption attack can be made to discover private data that may be stored in a database. For example, if certain data takes more of a resource, e.g. time or electric power, to process than other data, an attacker can find out whether such high-consumption data is present in a dataset that is queried.
In the case of timing attacks on databases, one solution has been to ensure that every query takes exactly n time to process, where n is the number of rows in a database. This solution is inelegant for a number of reasons. For example, if the predetermined query time is high, it can add too much time to every query. If the predetermined time is low, it can result in too many failures. For these and other reasons, the computing industry as well as consumers and other industries that may be subject to resource consumption attacks are in need of better techniques for obscuring resource consumption used when processing items.
In consideration of the above-identified shortcomings of the art, the present invention provides systems and methods for obscuring an amount of a resource, for example, an amount of time, used to process an item, for example, a database query. In general, contemplated techniques comprise assigning a maximum allowable amount of the resource for processing a sub-part of the item. In the time/database query setting, a subpart of the database query is a database row. If the maximum allowable amount of the resource is reached, processing the sub-part may be terminated. Once all sub-parts are processed, a noisy quantity of the resource that was consumed in processing the item may be released. The noisy quantity is determined by adding a positive amount of the resource, combined with a noise value, to an actual quantity of the resource that was consumed. Other advantages and features of the invention are described below.
The systems and methods for protection against timing and resource consumption attacks in accordance with the present invention are further described with reference to the accompanying drawings in which:
Certain specific details are set forth in the following description and figures to provide a thorough understanding of various embodiments of the invention. Certain well-known details often associated with computing and software technology are not set forth in the following disclosure, however, to avoid unnecessarily obscuring the various embodiments of the invention. Further, those of ordinary skill in the relevant art will understand that they can practice other embodiments of the invention without one or more of the details described below. Finally, while various methods are described with reference to steps and sequences in the following disclosure, the description as such is for providing a clear implementation of embodiments of the invention, and the steps and sequences of steps should not be taken as required to practice this invention.
The invention generally contemplates the use of noise to obscure resource consumption. The concept of adding noise in other contexts is discussed in U.S. patent application No. 11/244,800, filed Oct. 6, 2005 (attorney docket no. MSFT 5434/314792.01); U.S. patent application Ser. No. ______, filed Dec. 9, 2005 (attorney docket no. MSFT 5430/314795.01); U.S. patent application Ser. No. ______, filed Dec. 2, 2005 (attorney docket no. MSFT-5428/314794.01); U.S. patent application Ser. No. ______ (attorney docket no. MSFT 5432/314796.01); U.S. patent application Ser. No. ______, filed Nov. 30, 2005 (attorney docket no. MSFT 5425/314793.01); and U.S. patent application No. ______ (attorney docket no. MSFT 5429/314797.01). The above references are hereby incorporated by reference in their entirety.
Additional materials related to privacy preservation, including so-called secure function evaluation and other techniques, are available in the following references: Ben-Or, Goldwasser, and Wigderson, “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation” (1988); Goldreich, Micali, and Wigderson, “How to Play Any Mental Game” (1987); Chawla, Dwork, McSherry, Smith, and Wee, “Toward Privacy in Public Databases,” Theory of Cryptography Conference, 2005; Dwork, Nissim, “Privacy-Preserving Data Mining in Vertically Partitioned Databases,” Crypto 2004; Blum, Dwork, McSherry, Nissim, “Practical Privacy: The SULQ Framework,” PODS 2005; and Chawla, Dwork, McSherry, Talwar, “On the Utility of Privacy-Preserving Histograms,” UAI 2005.
Dwork and Nissim 2004 and Blum, Dwork, McSherry, and Nissim 2005 show a method for preserving privacy in an interactive statistical database. The database comprises a number of independent “rows”. Rows may contain anything: pictures, strings, sexual histories, medical records, etc. For the purpose of this specification, it is acknowledged that databases may be organized in a wide variety of ways, and may be N dimensional. Thus, the term “row” should be understood to comprise a column, row, or any other N dimensional correlation of data.
In the simplest form, a query is a function that maps a row to a real number in the range [0,1]. We define the quantity obtained by applying the query function to each row and summing the results to be the “true answer”. The privacy-preserving database mechanism, denoted “K” in honor of Alfred Kinsey, adds a certain type of noise to the true answer, and releases this noisy value. Three privacy-preserving distributions on noise were discussed in Dwork and Nissim 2004 and Blum, Dwork, McSherry, and Nissim 2005. In particular, in Blum, Dwork, McSherry, and Nissim 2005 it is shown that the amount of noise necessary for privacy depends only on the total number of queries to which any row in the database is exposed (in the presentation above, this is just the total number of queries to which the database responds, in its lifetime). We denote this bound T.
The techniques referenced above can also be used to defend against resource consumption attacks. In the case of timing attacks, these are attacks that exploit the fact that different operations, e.g., a shift operation and a multiply operation, require different amounts of real time to carry out on a processor. In the context of cryptography, and exponentiation in particular, a shift corresponds to a zero bit in an exponent, while a multiply (+a shift) corresponds to a one bit; thus, detecting the difference in time required can be used to discover the secret exponent in, say, a Rivest, Shamir, and Adleman (“RSA”) decryption.
In one embodiment, a resource consumption attack would be a function that under certain circumstances, for example when a row matches a profile of a “target” person, whose privacy the attacker wishes to compromise, takes extra time to evaluate if confidential data in the row has certain content. For example an attack might specify a victim, and cause a query to take additional time to process if the victim is HIV positive.
Let the attacker's potentially malicious query function be denoted f′. We defend against this attack by viewing the time taken to evaluate the function f′ on a given row as a new query function, f, where:
$f(\text{row}_i)$ = time taken to evaluate $f'$ on row $i$, for any row $i$ in the database.
We then proceed with the following method, illustrated in
1. Assign a maximum allowable amount of resources for the evaluation of any item sub-part 101, after which the processing will be terminated. In the case of the timing attack, this comprises assigning a maximum allowable time for the evaluation of any row, after which the computation will be terminated. We call this maximum allowable time a single unit of time, so that the time taken to evaluate a given row is a number between 0 and 1 time units.
2. Choose a random noise value $N$ 102. The random noise value may be chosen according to the “K” algorithm as described in the above referenced publications. It may also be chosen by any other acceptable method. The noise value will be either a positive or negative number.
3. Release a noisy quantity of the resource that was consumed 103. In the case of time, releasing a noisy quantity of the resource consumed comprises waiting for a period, determined at least in part by the noise value, prior to releasing a query response. The response to a query can be released substantially $\sum_i f(\text{row}_i) + D + N$ time units after the query issued. Here $D$ is a fixed positive amount of the resource. It can depend on the size of the database, or the number of rows processed in the query, but in preferred embodiments remains independent of the data in the rows of the database. It is chosen to be sufficiently large that, with overwhelming probability over the randomness in the noise generation procedure, $|N|<D$.
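As an added illustration, not the patent's own code, the three steps above simulated in Python over constructed per-row costs: step 1 caps every row at one time unit, step 2 draws $N$ from the “exponential” distribution $\exp(-\epsilon\|x\|/V)$ described later in this specification, and step 3 sizes $D$ from that distribution's tail so that $|N| < D$ except with probability $\delta$ and releases the response after $\sum_i f(\text{row}_i) + D + N$ units. The cost list, the function names, $\epsilon = 1$, $V = 1$ unit (the cap) and $\delta$ are all assumptions made here.

```python
import math
import random

# Constructed per-row costs in time units (hypothetical, not from the patent):
# 1.0 is the per-row cap of step 1, so the row that stalls for 7.0 units plays
# the "matching" row a resource consumption attack would lean on.
ROW_COSTS = [0.2, 0.3, 0.25, 7.0, 0.2, 0.3]


def process_rows(costs, cap=1.0):
    """Step 1: evaluate every row, terminating a row once it reaches `cap`.
    Returns the actual consumption sum_i f(row_i), each term in [0, cap]."""
    return sum(min(cost, cap) for cost in costs)


def laplace_noise(epsilon, variability, rng):
    """Step 2: draw N with density proportional to exp(-epsilon * |x| / V)
    (the "exponential" distribution) by inverse-CDF sampling, scale V/epsilon."""
    scale = variability / epsilon
    u = rng.random()
    while u == 0.0:  # reject u == 0 so log() never sees zero
        u = rng.random()
    if u < 0.5:
        return scale * math.log(2.0 * u)
    return -scale * math.log(2.0 * (1.0 - u))


def fixed_offset(epsilon, variability, delta):
    """Size D from the two-sided Laplace tail: Pr[|N| >= D] = exp(-epsilon*D/V),
    so D = (V/epsilon) * ln(1/delta) makes |N| < D except with probability delta."""
    return (variability / epsilon) * math.log(1.0 / delta)


def release_time(costs, epsilon, variability, delta, seed, cap=1.0):
    """Step 3: (actual units, units after which the response is released).
    The released figure is sum_i f(row_i) + D + N. Because the cap bounds each
    row's contribution, V = cap is the most a single row can shift the total."""
    rng = random.Random(seed)
    actual = process_rows(costs, cap)
    noise = laplace_noise(epsilon, variability, rng)
    return actual, actual + fixed_offset(epsilon, variability, delta) + noise


def tail_fraction(epsilon, variability, delta, trials, seed):
    """Empirical check of the |N| < D premise: fraction of draws with |N| >= D."""
    rng = random.Random(seed)
    d = fixed_offset(epsilon, variability, delta)
    hits = sum(abs(laplace_noise(epsilon, variability, rng)) >= d for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    actual, delay = release_time(ROW_COSTS, 1.0, 1.0, 1e-9, seed=7)
    print(f"actual {actual:.2f} units, released after {delay:.2f} units")
    print(f"Pr[|N| >= D] at delta=0.01: {tail_fraction(1.0, 1.0, 0.01, 20000, 1):.4f}")
```

Note that the stalled row contributes exactly the cap, so the capped total is the same whether that row took 1.0 or 7.0 units, which is what denies the attacker the signal.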
Since this technique preserves resource consumption information independent of the size of the database, it can also be used to protect, for example, the steps in the evaluation of an exponentiation to a secret exponent. The length of the exponent corresponds to the size of the database. The size of the database is typically not secret. A time unit is the time to carry out the more expensive operation (multiply+shift). Note that in a cryptographic setting we may require stronger security than in the privacy setting, because the utility requirements of the privacy setting mandate the relaxation. Increased security can be accomplished by changing the parameters when computing the noise.
Time consumption begins when processing an item begins at 200. Time consumption due to processing the item ends at 210. Time consumption may end at 210 because processing the item is complete, or may end for some other reason, e.g. due to meeting or exceeding a time limit for processing a particular sub-part. However, a processor response is not returned at time 210. An additional amount of the resource—here, time—is consumed prior to returning the response.
The amount of additional time consumed is determined by the positive amount of time 220 combined with a noise value 260. The noise value is randomly selected from a distribution of noise values. An exemplary distribution is superimposed on
In
When time is the resource, as in this example, it will generally be advantageous to actually consume the additional time prior to releasing a response. In various embodiments, however, the additional quantity of the resource need not actually be consumed, so long as the released information about resource consumption is obscured using the techniques herein. For example, in the case of electrical power consumption, embodiments may actually consume some additional power, thereby obscuring the amount of power used, or may simply alter the information that is released about power consumption, without actually consuming the extra power, or for example by putting the additional electrical power to other uses.
The selected value of the max allowable amount of resource for processing a sub-part is determined on a case-by-case basis. In general, this value is selected to allow for some variability in resource consumption, as it may occasionally take additional resources to process a sub-part, and it would be inefficient to terminate processing too often, simply because some additional resources are consumed. However, the max allowable amount of resource should be sufficiently restrictive to prevent significant resource consumption beyond the likely consumption associated with other sub-parts.
The question of how large the positive amount of a resource should be, and what noise distribution should be used, may be satisfied on a case-by-case basis depending upon the circumstances. FIGS. 4, 5A-5C, and 6 are generally directed to providing exemplary techniques for determining appropriate quantities. These figures provide general techniques and examples that will be implementable by those of skill in the art in the various fields to which the invention may be applied.
Next, a privacy parameter may be selected 401. The privacy parameter allows adjustment of a noise distribution to fit the privacy needs of a particular situation. If very little privacy loss is tolerable, the privacy parameter may be selected to cause a wider noise distribution, therefore better obscuring resource consumption. If privacy loss is less of a concern, the privacy parameter may be selected to cause a narrower noise distribution, resulting in less obscurity but also less additional resource consumption. As will be explained with reference to
Next, a noise distribution may be calculated using a selected noise distribution function 403. Exemplary noise distributions are the “exponential” distribution, depicted in
Returning to
Variability in resource consumption and a privacy parameter can be used in calculating width of each of the distributions in
An exemplary noise distribution equation for a distribution such as that of
$\text{noise} \sim \exp(-\epsilon \|x\| / V)$
An exemplary noise distribution equation for a distribution such as that of
$\text{noise} \sim \exp(-\epsilon \|x\|^2 / V)$
where $\epsilon$ is the privacy parameter, and $\|x\|$ is an L1 norm. The mathematical definition of an L1 norm is the sum of absolute values of entries in a vector of values. Thus, for a vector $x$ of $n$ coordinates $x_1, x_2, x_3, \ldots, x_n$, the L1 norm is $\|x\| = \sum_{1 \le i \le n} |x_i|$. $V$ is a measure of variability of resource consumption associated with processing of the sub-parts of an item. Further distributions such as that of
Here, the variability in resource consumption, V, is directly analogous to query diameter presented in U.S. Patent Application No. ______, filed ______ (attorney docket no. 314793.01/MSFT 5425), or change in the value of the output function. Thus, V can be determined using diameter techniques if desired. That is, V may be determined by taking the largest possible change in resources that a single element could induce on the entire computation. Note that it is only in these settings that there is a need to use norms ∥x∥, since in the “one dimensional” case they are just the absolute value.
Therefore, with reference to
The actual processing in system 920 may be carried out by any of a plurality of subsystems, such as a database 922, a server 921, a manufacturing system 923, or a service system 924. The processing by system 920 may be conducted to satisfy a request 901 sent by a requester 900, in which case the response to the request 902 reveals the noisy quantity of the resource and not the actual quantity of the resource that was consumed by the system 920 to satisfy the request 901. In the arrangement where the processing is conducted to satisfy a request, requester 900 is also a possible adversary, and in any event may communicate information learned to the world outside of system 920, and therefore it may be advantageous to release only noisy information to the requester 900.
The various systems and methods discussed herein may, in some embodiments, be carried out by one or more computing devices which are, in general, well understood. A computing device typically includes at least some form of computer readable media. Computer readable media can be any available media that can be accessed by the device. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a device. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
In addition to the specific implementations explicitly set forth herein, other aspects and implementations will be apparent to those skilled in the art from consideration of the specification disclosed herein. It is intended that the specification and illustrated implementations be considered as examples only, with a true scope and spirit of the following claims.