Protecting Information


  • Protecting Information

    • RT6 focuses on methods to protect against indirect vulnerabilities caused by adversarial observation of computation, communication, and mission execution

    • Major initiatives this year:
      • Protecting information through examination of entropy and Markov decision processes
      • Differential privacy
      • Systems approaches to privacy, access control, and machine learning
      • System-theoretic principles (e.g., barrier certificates) for verifying privacy
      • Noise-adding mechanisms to trade off individual privacy and aggregate performance

    [Figure: a six-node communication graph in which each agent $i$ shares the privatized state $x_i + w_i$, with noise $w_i \sim \mathcal{N}(0, \sigma_i^2)$ calibrated as $\sigma_i \geq \frac{\Delta_{\ell_2} G}{2\epsilon}\bigl(K_\delta + \sqrt{K_\delta^2 + 2\epsilon}\bigr)$.]
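    The calibration above appears to follow the standard Gaussian mechanism for $(\epsilon, \delta)$-differential privacy, with $K_\delta = Q^{-1}(\delta)$ the Gaussian tail quantile. The sketch below is an illustrative reading of that bound, not the authors' code; the sensitivity, gain factor, and privacy parameters are assumed values.

    ```python
    # Hedged sketch: calibrate Gaussian noise for (epsilon, delta)-differential
    # privacy using the bound shown above, where K_delta = Q^{-1}(delta) is the
    # Gaussian tail quantile, then release a privatized state x_i + w_i.
    import numpy as np
    from scipy.stats import norm

    def gaussian_sigma(sensitivity, epsilon, delta, gain=1.0):
        """sigma >= (Delta * G / (2 eps)) * (K_delta + sqrt(K_delta^2 + 2 eps))."""
        k_delta = norm.isf(delta)                    # Q^{-1}(delta)
        return (sensitivity * gain / (2.0 * epsilon)) * (
            k_delta + np.sqrt(k_delta ** 2 + 2.0 * epsilon))

    def privatize(x, sensitivity, epsilon, delta, rng=None):
        rng = rng or np.random.default_rng()
        sigma = gaussian_sigma(sensitivity, epsilon, delta)
        return x + rng.normal(0.0, sigma, size=np.shape(x))   # x_i + w_i

    x = np.array([1.2, -0.4, 0.7])                   # an agent's state (made up)
    print(privatize(x, sensitivity=1.0, epsilon=0.5, delta=0.05))
    ```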

  • Mission-Critical Information

    • Entropy maximization in Markov decision processes subject to temporal logic constraints
      • Synthesize constrained, entropy-maximizing strategies
      • The higher the entropy, the less predictable the agent's behavior
      • Convex-optimization-based synthesis (see the sketch below)

    • Entropy maximization in partially observable Markov decision processes
      • Extension to decision making with limited information at runtime
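    As a rough illustration of the convex-optimization-based synthesis mentioned above (a sketch under stated assumptions, not the authors' formulation), the program below maximizes the entropy of a randomized policy through its discounted occupancy measure, with a simple reachability constraint standing in for a temporal logic specification; the MDP, discount factor, and threshold are invented for the example.

    ```python
    # Hedged sketch: maximum-entropy policy synthesis for a toy MDP via its
    # discounted state-action occupancy measure. The reachability constraint is
    # a stand-in for a temporal-logic specification.
    import numpy as np
    import cvxpy as cp

    nS, nA, gamma = 4, 2, 0.95
    rng = np.random.default_rng(0)
    P = rng.dirichlet(np.ones(nS), size=(nS, nA))   # P[s, a, s'] transition probs
    mu0 = np.full(nS, 1.0 / nS)                     # initial state distribution
    target = np.zeros(nS); target[3] = 1.0          # "reach state 3" indicator

    y = cp.Variable((nS, nA), nonneg=True)          # occupancy measure y(s, a)
    ys = cp.sum(y, axis=1)                          # state occupancy y(s)

    # Bellman-flow constraints that make y a valid discounted occupancy measure.
    flow = [ys[s] == mu0[s] + gamma * cp.sum(cp.multiply(y, P[:, :, s]))
            for s in range(nS)]
    # Require enough discounted mass on the target state (spec surrogate).
    spec = [target @ ys >= 2.0]

    # Policy entropy: -sum_{s,a} y(s,a) * log(y(s,a) / y(s)) is concave in y.
    entropy = -cp.sum(cp.rel_entr(y, cp.vstack([ys] * nA).T))

    cp.Problem(cp.Maximize(entropy), flow + spec).solve()
    policy = y.value / y.value.sum(axis=1, keepdims=True)   # pi(a | s)
    print(np.round(policy, 3))
    ```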

  • Policies and Information Leakage

    • Least inferable policies in partially observable Markov decision processes
      • Accounts for both the amount and the informativeness of the adversary's observations

    • Minimizing information leakage regarding high-level task specifications

  • Differential Privacy

    • Dirichlet mechanism for differential privacy on the unit simplex
      • Provides differential privacy for Markov decision process properties
      • Ensures the recipient of the data cannot learn anything meaningful from the privatized simplex data
      • (A minimal sketch of the mechanism follows this list)

    • Error bounds and guidelines for privacy calibration in differentially private Kalman filtering
      • First control-theoretic guidelines for calibrating differential privacy

    • Differentially private controller synthesis with metric temporal logic specifications

    • Multi-agent control policies with differential privacy
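    A minimal sketch of a Dirichlet-style mechanism on the simplex, assuming the mechanism samples the released vector from a Dirichlet distribution centered on the true vector with concentration parameter $k$; the calibration of $k$ to a target privacy level is deliberately omitted here.

    ```python
    # Hedged sketch of a Dirichlet-style mechanism on the probability simplex:
    # release a noisy simplex vector drawn from Dirichlet(k * x). The mapping from
    # k to (epsilon, delta) is not reproduced here.
    import numpy as np

    def dirichlet_mechanism(x, k, rng=None):
        """Privatize a probability vector x (entries > 0, summing to 1)."""
        rng = rng or np.random.default_rng()
        x = np.asarray(x, dtype=float)
        assert np.all(x > 0) and abs(x.sum() - 1.0) < 1e-9
        return rng.dirichlet(k * x)

    x = np.array([0.7, 0.2, 0.1])          # e.g., a row of an MDP transition matrix
    print(dirichlet_mechanism(x, k=50.0))  # larger k => less noise, weaker privacy
    ```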

  • Systems and Access Control

    • Privacy-preserving secure localization

    • Extension of privacy-preserving local optimization to embedded device processors

    • Framework for secure machine learning

    • Interpretable security reference monitor design with applications to autonomous agents

    • Access control policy
      • Framework for reasoning about disparate access policies in embedded devices

  • Access Control Policy Analysis for Embedded Devices

    with Grant Hernandez, Dave Tian, Anurag Yadav, and Byron Williams

  • Embedded Devices

    • Embedded agents and the operating systems they run are subject to numerous methods for protecting on-device information

    • Example: Android OS – the world's most popular operating system (mobile and embedded devices)
      • Numerous ways of protecting access to critical on-device information:
        • Discretionary access controls (DAC)
        • Mandatory access controls (MAC)
        • Linux capabilities
        • Middleware protections / SECCOMP
      • Many attack surfaces

  • Reasoning about Access Control

    • Challenge: there is currently no way to reason about the myriad access control mechanisms together

    • Consequence: access policies from different mechanisms are not in concert with each other and may be mutually conflicting

    • What objects and processes are accessible to untrusted processes?

  • BigMAC Design

    • Examine, recover, simulate, and fully instantiate files, processes, and IPC from an extracted firmware image

    • Simulate the boot process to recover types instantiated at runtime, the process hierarchy, and process metadata

    [Architecture diagram: BigMAC takes firmware filesystems and the binary SEPolicy as input; it extracts the filesystem (DAC/capabilities/labels), parses the SEPolicy into type relations, recovers the process tree and credentials, and instantiates subjects, objects, processes, and backing files into a fully instantiated attack graph ($G_a$, overlaid from the dataflow, file, subject, and process graphs). The instantiated policy graph answers attack-path queries and is compared against ground-truth processes and files from a real running system.]

  • Policy Recovery

    • Decompile the binary SEPolicy into a connected multi-edge directed graph using Access Vector (allow) rules
      • The subject graph includes all types and attributes used during SELinux MAC type enforcement
      • Instantiate on the filesystem through type-enforcement rules

    • Build a dataflow graph from the subject graph to examine paths and edges where privilege escalation may occur
      • Bipartite graph, with worst-case edge and node counts given below

    $C_p : S_i \xrightarrow{(O_j,\, C_p)} S_j$

    Worst case: $O(|S| \cdot |O|)$ edges, $O(|S| + |O|)$ nodes
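    For illustration only (this is not BigMAC's implementation), the fragment below shows how such allow rules can be loaded into a multi-edge directed graph and queried for reachability; the rules, type names, and query are toy examples.

    ```python
    # Illustrative sketch: turn SELinux-style allow rules into a multi-edge
    # directed graph whose edges carry the object class and permissions,
    # mirroring the S_i --(O_j, C_p)--> S_j edges described above.
    import networkx as nx

    allow_rules = [
        # (source type, target type, object class, permissions) -- toy examples
        ("zygote", "crash_dump_exec", "file", {"execute", "read"}),
        ("crash_dump", "vold", "process", {"ptrace"}),
    ]

    G = nx.MultiDiGraph()
    for src, tgt, cls, perms in allow_rules:
        G.add_edge(src, tgt, obj_class=cls, perms=perms)

    # Query: which subjects can eventually reach 'vold' (potential escalation paths)?
    print([n for n in G.nodes if n != "vold" and nx.has_path(G, n, "vold")])
    ```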

  • Evaluation/Case Study

    • Over 98% of DAC and MAC data recovered
      • Approximately 75% of processes (mostly missing app-level processes)

    • Prolog-based query engine filters on MAC, DAC, capabilities, and external attack surfaces

    • Found additional attack paths for an existing CVE

    [Figure: attack path recovered by BigMAC compared with ground truth from a running device, involving process:zygote, process:crash_dump, and process:vold, with edges labeled crash_dump_exec:transition, *:write, and vold:ptrace.]

  • A Learning Mechanism for Learning Systems

    with Washington Garcia, Scott Clouse (AFRL/ACT3)

  • Motivation

    • Secure solutions to learning problems require cooperation between many research disciplines.

    • However, learning systems research tends to be conducted in an ad hoc manner:
      • Threat modeling has only recently received attention from ML researchers.
      • Even when the threat model is known, choosing among seemingly competing frameworks (empirical risk minimization, differentially private models, certifiable models, adversarial training) can be difficult.
      • This lack of clarity hinders cross-pollination between the research disciplines and causes external observers to question what progress has been made.

    [Diagram: interpretable ML, verifiable ML, privacy ML, and adversarial ML all feed into ML; the potential output is unified proposals, but the actual output is ad hoc, repeated work that leaves external observers uncertain.]

  • Motivation

    Takeaway:
      • Lots of seemingly unrelated research disciplines are working on related problems
      • Unifying them is not immediately obvious
      • Has this problem been tackled before?

  • Anderson research model

    Has this problem been tackled before?

    • In 1993, Anderson described cryptographic systems that faced similar issues:
      • Unclear threat models: what could happen vs. what was likely to happen.
      • Little communication, owing to a centralized certification authority: crypto systems mainly cared about passing certification.

    • Unifying research in ML with systems security:
      • Adopt Anderson's research model to design secure learning systems
      • Organize around system security strategies that manifest within ML research

  • Proposed Research Model


    [Figure 2 from the accompanying paper: interaction of Anderson's learning mechanism as it is instantiated through system security strategies. System security strategies (protection system, enforcement, security goals, protection states, reductionist kernelization, the end-to-end argument, root of trust, functional restrictions, sense of self) are implicitly manifested within many works related to ML and AML: learning primitives (privacy ML with gradient shaping and poison detection; interpretable ML with global and local interpretations; verification via heuristic optimization, space properties, polytope bounding, and DP smoothing; end-to-end learning with emergent language and Bayesian modeling; adversarial detection via filtering) and analysis (theoretical results such as (ε, δ)-DP bounds, geometry, and decoupling; empirical tests; complete and incomplete verification; ad hoc methods). Given a problem setting, correctness conditions, and a threat model, Anderson's learning mechanism informs the constant feedback loop of security strategies, new constructions, and analysis.]


  • Instantiation of model

    Example: "Brittle Features of Device Authentication"

    • Establish the likely problem setting (device fingerprints)

    • Conditions for correctness (true positives/negatives)

    • Plausible threat model (hard-label adversary)

    • The system captures Forrest et al.'s sense of self: encode a probabilistic definition of normal and abnormal.

    • The system uses the sense of self to protect the integrity of network resources by offering a physical authentication channel.
      • Example: encode the sense of self using machine learning (pattern recognition) models.

    • Analysis: ad hoc empirical test.
      • Example: information gain, fingerprinting accuracy.

    • Feedback loop: modify the adversary (originally none for fingerprinting systems) and re-analyze.

  • Instantiation of model

    Example: "Brittle Features of Device Authentication"

    • Modify the adversary (originally none for fingerprinting systems): ZOO, the Zeroth Order Optimization framework
      • Hard-label updates based on gradient approximation (see the sketch below)

    • Re-analyze
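    The core of a ZOO-style adversary is a zeroth-order (finite-difference) gradient estimate built purely from black-box queries; the sketch below is a generic illustration of that idea, with `query_loss` standing in for the attacked fingerprinting model rather than any system evaluated here.

    ```python
    # Minimal sketch of the zeroth-order gradient estimate behind ZOO-style
    # attacks: approximate d loss / d x by symmetric finite differences on a
    # handful of random coordinates, using only black-box loss queries.
    import numpy as np

    def zoo_gradient(query_loss, x, n_coords=16, h=1e-4, rng=None):
        rng = rng or np.random.default_rng()
        grad = np.zeros_like(x)
        for i in rng.choice(x.size, size=min(n_coords, x.size), replace=False):
            e = np.zeros_like(x); e.flat[i] = h
            grad.flat[i] = (query_loss(x + e) - query_loss(x - e)) / (2 * h)
        return grad

    # Example: one attack step against a toy quadratic "loss" surrogate.
    query_loss = lambda x: float(np.sum((x - 1.0) ** 2))
    x = np.zeros(8)
    x -= 0.1 * zoo_gradient(query_loss, x)   # gradient-descent-style update
    print(query_loss(x))
    ```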

  • Instantiation of model

    Example: "Brittle Features of Device Authentication"

    • Modify the adversary (originally none for fingerprinting systems): ZOO

    • Re-analyze

    [Plot: under the ZOO adversary, the GTID, WDTF, and USB-F fingerprinting systems exhibit high false positives.]

  • Instantiation of model

    Example: "Brittle Features of Device Authentication"

    • Modify the adversary (ZOO)

    • Re-analyze the pattern recognition component

    • DP-based randomized smoothing defense (Cohen et al.) modifies the system's sense of self (applied to GTID; a minimal sketch follows)
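    A minimal sketch of randomized-smoothing prediction in the spirit of Cohen et al., assuming a generic base classifier and Gaussian perturbations; the certified-radius computation and the actual fingerprinting models are omitted.

    ```python
    # Hedged sketch: classify by majority vote over Gaussian-perturbed copies of
    # the input. base_classifier is a placeholder for a fingerprinting model's
    # predict function; the certification step is not shown.
    import numpy as np

    def smoothed_predict(base_classifier, x, sigma=0.25, n=100, rng=None):
        rng = rng or np.random.default_rng()
        votes = {}
        for _ in range(n):
            label = base_classifier(x + rng.normal(0.0, sigma, size=x.shape))
            votes[label] = votes.get(label, 0) + 1
        return max(votes, key=votes.get)

    # Toy base classifier: thresholds the mean feature value.
    base = lambda x: int(x.mean() > 0.5)
    print(smoothed_predict(base, np.full(10, 0.6)))
    ```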

  • Instantiation of model

    Example: "Jack," the Audi automated driving system

    • Establish the likely problem setting (sensor inputs)

    • Conditions for correctness (crash avoidance)

    • Plausible threat model (in this case, innocent)

    • The system captures Saltzer et al.'s end-to-end argument (i.e., measures of agreement between inputs and outputs)

    • The system uses the end-to-end argument to offer robustness through Bayesian modeling: a probabilistic measure of uncertainty between inputs and outputs (see the sketch below).
      • Example: Jack can perform probabilistic reasoning from perception-sensor uncertainties

    • Analysis: ad hoc empirical test.
      • Example: drive a 550-mile automated test drive.

    • Feedback loop: modify the adversary (originally none for Jack) and re-analyze.
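    To make the Bayesian-modeling idea concrete (an illustration only, not Audi's software), the snippet below fuses two noisy range measurements into a posterior whose variance quantifies end-to-end uncertainty; the sensor values and variances are invented.

    ```python
    # Precision-weighted Bayesian fusion of two Gaussian range measurements of
    # the same obstacle, with a flat prior. The posterior variance is the
    # probabilistic measure of uncertainty between inputs and outputs.
    lidar_z, lidar_var = 12.3, 0.04     # meters, meters^2 (made-up numbers)
    radar_z, radar_var = 12.8, 0.25

    post_var = 1.0 / (1.0 / lidar_var + 1.0 / radar_var)
    post_mean = post_var * (lidar_z / lidar_var + radar_z / radar_var)
    print(f"fused range = {post_mean:.2f} m, std = {post_var ** 0.5:.2f} m")
    ```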

  • Instantiation of model

    • The high-level feedback loop helps visualize gaps in constructions or analysis.

    • Analysis: does the analysis capture every possible failure mode in the current threat model?

    • Constructions: does the existing model of uncertainty completely capture each end of the system?

    • The structure informs us of dependencies: if we change our threat model, we must revisit our security strategies, primitives, and analysis.
      • Example: analysis of Jack in the innocent setting says little about the adversarial setting.

  • Next Steps

    • Consider framework in the context of human-machine cooperation systems

    • Verification of reinforcement learning agent policies

    • Apply and implement on autonomous agents
