Efficient Data Protection by Noising, Masking, and Metering

EFFICIENT DATA PROTECTION BY NOISING, MASKING, AND METERING

Qiuyu Xiao

A Dissertation submitted to the faculty at the University of North Carolina at Chapel Hill in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the Department of Computer Science.

Chapel Hill
2019

Approved by:
Michael K. Reiter
Lujo Bauer
Jasleen Kaur
Jonathan M. McCune
Donald E. Porter

© 2019 Qiuyu Xiao
ALL RIGHTS RESERVED

ABSTRACT

Qiuyu Xiao: Efficient Data Protection by Noising, Masking, and Metering
(Under the direction of Michael K. Reiter)

Protecting data secrecy is an important design goal of computing systems. Conventional techniques like access control mechanisms and cryptography are widely deployed, and yet security breaches and data leakages still occur. There are several challenges. First, sensitivity of the system data is not always easy to decide. Second, trustworthiness is not a constant property of the system components and users. Third, a system's functional requirements can be at odds with its data protection requirements. In this dissertation, we show that efficient data protection can be achieved by noising, masking, or metering sensitive data. Specifically, three practical problems are addressed in the dissertation—storage side-channel attacks in Linux, server anonymity violations in web sessions, and data theft by malicious insiders. To mitigate storage side-channel attacks, we introduce a differentially private system, dpprocfs, which injects noise into side-channel vectors and also reestablishes invariants on the noised outputs. Our evaluations show that dpprocfs mitigates known storage side channels while preserving the utility of the proc filesystem for monitoring and diagnosis. To enforce server anonymity, we introduce a cloud service, PoPSiCl, which masks server identifiers, including DNS names and IP addresses, with personalized pseudonyms. PoPSiCl can defend against both passive and active network attackers with minimal impact to web-browsing performance. To prevent data theft from insiders, we introduce a system, Snowman, which restricts the user to access data only remotely and accurately meters the sensitive data output to the user by conducting taint analysis in a replica of the application execution without slowing the interactive user session.

TABLE OF CONTENTS

LIST OF TABLES ... viii
LIST OF FIGURES ... ix
LIST OF ABBREVIATIONS ... xi

CHAPTER 1: INTRODUCTION ... 1
  1.1 Noising ... 2
  1.2 Masking ... 3
  1.3 Metering ... 4

CHAPTER 2: DPPROCFS: NOISING SIDE-CHANNEL VECTORS TO MITIGATE STORAGE SIDE CHANNELS (1) ... 6
  2.1 Background ... 9
    2.1.1 Side Channel Attacks via PROCFS ... 9
    2.1.2 Differential Privacy ... 10
    2.1.3 d-Privacy ... 11
  2.2 Design of a d-Private Procfs ... 13
    2.2.1 Threat Model ... 13
    2.2.2 Design Overview ... 14
    2.2.3 d∗-Private Mechanism Design ... 17
    2.2.4 Consistency Enforcement ... 22
  2.3 Implementation ... 23
    2.3.1 d∗-Private Mechanism Implementation ... 24
    2.3.2 Invariant Generation ... 25
    2.3.3 Reestablishing Invariants ... 27
  2.4 Evaluation ... 28
    2.4.1 Security Evaluation ... 29
      2.4.1.1 Defending Against Keystroke Timing Attacks ... 29
      2.4.1.2 Mitigating Website Inference ... 30
    2.4.2 Utility Evaluation ... 32
      2.4.2.1 Relative Error ... 32
      2.4.2.2 Rank Accuracy of top ... 34
  2.5 Discussion ... 37
  2.6 Summary ... 39

CHAPTER 3: POPSICL: MASKING SERVER IDENTIFIERS TO ENFORCE SERVER ANONYMITY (2) ... 40
  3.1 Background ... 43
  3.2 Design Principles ... 45
    3.2.1 Security ... 45
    3.2.2 Usability ... 48
  3.3 Design ... 50
    3.3.1 Registering a PoPSiCl ... 50
    3.3.2 Connection Establishment ... 52
    3.3.3 HTTP-specific Mechanisms ... 55
    3.3.4 Design Principles, Revisited ... 58
  3.4 Implementation ... 60
    3.4.1 PoPSiCl Store ... 60
    3.4.2 Cloud SDN Controller ... 62
    3.4.3 Tenant HTTP Server ... 62
  3.5 Evaluation ... 63
    3.5.1 Performance ... 64
    3.5.2 Scalability ... 66
  3.6 Traffic Analysis ... 70
    3.6.1 Design ... 71
    3.6.2 Evaluation ... 72
  3.7 Discussion ... 74
  3.8 Summary ... 76

CHAPTER 4: SNOWMAN: METERING GRAPHICAL DATA LEAKAGE TO DETECT SENSITIVE DATA EXFILTRATION ... 77
  4.1 Background ... 80
  4.2 System Design and Implementation ... 83
    4.2.1 Overview ...

(1) This chapter is excerpted from previously published work [161].
(2) This chapter is excerpted from previously published work [162].
