Solution of Exercise Sheet 11

Transcription

1 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 11 1 Breaking Privacy By Linking Data The following dataset (from a social network) has been released in a sanitized form (cf. Figure 1). Name Gender Age City of birth Favorite TV Series Relationship Status * male Saarbrücken Game of Thrones single * female Trier Game of Thrones in relationship * male München Friends! in relationship * female Berlin Big Bang Theory in relationship * female Hamburg Big Bang Theory single * female Saarbrücken Game of Thrones single * male Trier Game of Thrones single * female München Game of Thrones in relationship * male Berlin Big Bang Theory single Figure 1: Dataset for Exercise 3 However, there is additional information at your disposal (cf. Figure 2). Use this information to investigate how privacy can be leaked by cleverly linking data. Assume for all candidates that their are present in both databases. Name TV Show Rating (1=bad, 5=great) Alice alice1995@ .com Friends! 1 Bob bobbybob@ .com Friends! 4 Charlie s9charchar@ .com Friends! 2 Eve evelyn@myhighscool.com Friends! 1 Bob bobbybob@ .com Game of Thrones 1 Alice alice1995@ .com Game of Thrones 5 Charlie s9charchar@ .com Game of Thrones 5 Bob bobbybob@ .com Big Bang Theory 3 Charlie s9charchar@ .com Big Bang Theory 5 Alice alice1995@ .com Big Bang Theory 2 Eve evelyn@myhighscool.com Big Bang Theory 5 Figure 2: Additional Information for Exercise 3 (4 points) (a) Where is Alice most likely born and what is most likely her relationship status? Describe how you inferred this information about her. Hint: You can find enough evidence for a unique solution. (4 points) (b) Can you learn any personal information about Charlie as well? If so: describe how. If not: describe why. 1/6

2 (4 points) (c) Can you learn any personal information about Bob as well? If so: describe how. If not: describe why. Solution: (a) We observe that in our dataset with sensitive information, we can potentially deanonymize Alice by a combination of her age, her gender and her favorite TV show. Considering the ratings Alice submitted on the additional dataset, we guess that her favorite TV show is Game of Thrones. Since we can safely assume that Alice is female, this leaves us with the following three possibilities for Alice: Name Gender Age City of birth Favorite TV Series Relationship Status * female Trier Game of Thrones in relationship * female Saarbrücken Game of Thrones single * female München Game of Thrones in relationship We furthermore note that Alice s address alice1995@ .com indicates that she was born 1995 and thus falls into the age bracket. Consequently, we guess that Alice was born in Saarbrücken and her relationship status is single. (b) For Charlie, things are not that simple. We can assume that Charlie is male, but Charlie seems to enjoy both, Game of Thrones as well as Big Bang Theory, equally. Moreover, we do not have strong evidence for his age either (even if the s9 address would indicate that he is a student, there remain two possible age brackets and 19 25). However, since all male persons who enjoy either of the two shows are single, we can at least infer that Charlie is single. (c) For Bob, we know that he likes Friends!. Since there is only one person that likes Friends! in the Social Network Databse, we can completely de-anonymize Bob to being male, being in the age bracket 12 15, being born in München, and his relationship status being in a relationship. 2 Achieving K-Anonymity K-anonymity describes that for each person within the data, their information cannot be distinguished from at least k 1 other individuals whose information also appears in the data. Note that distinguishing is defined over quasi-identifiers. Assume that for this exercise, the attributes age and gender are the quasi-identifiers. (5 points) (a) Does Dataset 1 from Figure 3 satisfy k-anonymity? If so: what is the maximal k for which it satisfies k-anonymity? Explain your answer by giving the anonymity sets consisting of the equivalent identities! 2/6

3 Dataset 1 ID Age Gender Fav.Show female Friends! male Friends! male Friends! female Friends! male G.o.T male G.o.T male G.o.T. Dataset 2 ID Age Gender Fav.Show female Grey s A female Simpsons female Futurama female Friends! male G.o.T male C.Minds male Br.Ba. Dataset 3 ID Age Gender Fav.Show 1 19 male Friends! 2 19 male Friends! 3 19 male Friends! 4 19 female Friends! 5 20 male G.o.T male G.o.T male G.o.T. Figure 3: The datasets for Exercise 4 (5 points) (b) Does Dataset 2 from Figure 3 satisfy k-anonymity? If so: what is the maximal k for which it satisfies k-anonymity? Explain your answer as above! (5 points) (c) Does Dataset 3 from Figure 3 satisfy k-anonymity? If so: what is the maximal k for which it satisfies k-anonymity? Explain your answer as above! (8 points) (d) Assume that we have a dataset with 10 K rows (entries) and 5 columns of quasi-identifiers that satisfies K-Anonymity. What is the minimal number X of attributes we have to suppress (i.e., setting all values in these columns to *) to guarantee at least K + 1 anonymity? For showing that your solution for X is optimal, describe a counterexample (e.g. provide a sample database) which satisfies K-Anonymity, but no suppression of X 1 attributes leads to a dataset that satisfies K + 1-anonymity. Try to describe your counterexample in a general way, such that it holds for all values of K. Solution: We first note that every dataset satisfies the definition for k-anonymity with k = 1, which simply means that every person can hide in a set of at least size one (e.g., the set containing only themselves). Consequently, we only need to find out the maximal k for each dataset. However, we have to keep in mind that anonymity sets of size at least k (i.e., containing k people with the same quasi-identifiers) still have to exist for every person in the dataset. 3/6

4 (a) The first dataset provides k-anonymity for k = 2. The anonymity sets are {1, 4} and {2, 3, 5, 6, 7}. (b) The second data set provides k-anonymity for k = 3. The anonymity sets are {1, 2, 3, 4} and {5, 6, 7}. (c) The third dataset satisfies k-anonymity with k = 1, as entry 4 has a unique combination of quasi identifiers (age and gender). (d) We consider the following database, where QI1,..., QI5 are the quasiidentifiers and where some other data is only mentioned for completeness (and could span several columns) and where x i and y i mention variables with arbitrary values: QI 1 QI 2 QI 3 QI 4 QI 5 Some other data x 1 x 1 x 1 x 1 x 1 y 1 x 2 x 2 x 2 x 2 x 2 y 2 x 3 x 3 x 3 x 3 x 3 y 3 x 4 x 4 x 4 x 4 x 4 y 4 x 5 x 5 x 5 x 5 x 5 y We realize that all quasi identifiers are equal. Thus, removing any of them (if at least one remains) does not have an impact on k-anonymity. Consequently, if the database satisfies k-anonymity for any (maximal) value k, it can only satisfy k + 1 anonymity if we remove all quasi-identifiers. 4/6

5 3 Secure Information Flow Consider the following program: 01: low2 := 1 02: low3 := 0 03: if high2 > 0: 04: high3 := high3 * high3 05: high2 := high2 + high3 06: low3 := high3 / high2 07: endif 08: sum := high2 + high3 09: if high1 == 0: 10: low1 := low2 11: else 12: low1 := low2 13: endif 14: high2 := high : low2 := sum In this program, low1,low2,low3 are low variables and high1,high2,high3 are high variables. Hint: Assume for simplicity that each line in the program takes the same amount of time to execute. (6 points) (a) For the unspecified variable sum you may choose yourself whether it is a high or low variable. Choose one possibility (and state it). Which statements in the program lead to which information flow weaknesses? Identify and explain all weaknesses you find! (9 points) (b) Rewrite the program from above such that it does not contain any explicit flow weaknesses, implicit (conditional) flow weaknesses or timing weaknesses (partial points will be given for removing a subset of the weaknesses). Moreover, the program should always terminate and the values of the high variables high1,high2,high3 at the end of execution should be just as in the code above. You may introduce new (high and/or low) variables. Solution: (a) Within the code there are several information flow weaknesses: an explicit flow weakness, a conditional flow weakness and a timing weakness. If we set sum to be a high variable, we have an explicit flow weakness in line 15; if we set it to low, we have an explicit flow weakness in line 08. In either case, a calculation that depends on a high variable (sum 5/6

6 or high2+high3) is directly and explicitly assigned to a low variable and thus leaked at the end of execution. In lines 03 to 07 we have a conditional flow weakness as well as a timing flow weakness. At the end of execution, low3 is assigned high3 / high2 if and only if high2 > 0 holds, and 0 otherwise. Furthermore, this whole block is only executed if high2 > 0, thus increasing computation time slightly. Please note that in practice, real attacks based on timing might require that certain operations are performed: operations like addition or even bit-shifting are very cheap, whereas exponentiation is much slower and, thus, more dangerous. Finally, while there seems to be a conditional flow weakness in in lines 9 to 13, this is in fact not the case: the value of low1 is the same independent of how the if evaluation turns out. (b) We fix all these weaknesses by removing unnecessary explicit or implicit leaks. Note that the values of the low variables do not have to be preserved, so we can even leave them out of the code. In many practical scenarios, one wishes to (at least) preserve a subset of the computation on the low variables. We introduce a new high variable dummy. 01: if high2 > 0: 02: high3 := high3 * high3 03: high2 := high2 + high3 04: else 05: dummy := dummy + dummy 06: dummy := dummy * dummy 07: endif 08: sum := high2 + high3 09: high2 := high /6