Lecture Notes in Computer Science 6858
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Alessandro Aldini, Roberto Gorrieri (Eds.)
Foundations of Security Analysis and Design VI
FOSAD Tutorial Lectures

Volume Editors
Alessandro Aldini, Università degli Studi di Urbino "Carlo Bo", Dipartimento di Scienze di Base e Fondamenti, Piazza della Repubblica 13, 61029 Urbino, Italy
Roberto Gorrieri, Università degli Studi di Bologna, Dipartimento di Scienze dell'Informazione, Mura Anteo Zamboni 7, 40127 Bologna, Italy

ISSN 0302-9743, e-ISSN 1611-3349
ISBN 978-3-642-23081-3, e-ISBN 978-3-642-23082-0
DOI 10.1007/978-3-642-23082-0
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2011934268
CR Subject Classification (1998): D.4.6, C.2, K.6.5, K.4, D.3, F.3, E.3
LNCS Sublibrary: SL 4 – Security and Cryptology
© Springer-Verlag Berlin Heidelberg 2011

International School on Foundations of Security Analysis and Design

This book is the sixth in a series of volumes collecting tutorial papers accompanying lectures presented at FOSAD, the International Summer School on Foundations of Security Analysis and Design, which has been held yearly since 2000 at the University Residential Center of Bertinoro, Italy. FOSAD has been one of the foremost educational events established with the goal of disseminating knowledge in the critical area of security in computer systems and networks.

Every year, FOSAD offers a good spectrum of current research in foundations of security – ranging from programming languages to analysis of protocols, from cryptographic algorithms to access control policies and trust/identity management – that can be of help for graduate students and young researchers from academia or industry who intend to approach the field. The spirit of FOSAD is also characterized by the "open session", which represents a series of presentations given by selected participants about their ongoing work. The objective of this initiative is to encourage discussions, propose new ideas, comment on open problems, and favor novel scientific collaborations.

The topics covered in this book include privacy and data protection, security APIs, cryptographic verification by typing, model-driven security, noninterference analysis, security in governance, risk, and compliance, lattice cryptography, quantitative information flow analysis, and risk analysis.

The opening paper presented by Sabrina De Capitani di Vimercati, Sara Foresti, Giovanni Livraga, and Pierangela Samarati gives an overview of the techniques developed for protecting data and ensuring privacy. Riccardo Focardi, Flaminia Luccio, and Graham Steel discuss the subtleties behind the design of secure application program interfaces (security APIs) and show that their analysis through formal techniques has recently proved highly successful both in finding new flaws and verifying security properties of improved designs. The tutorial paper by Cédric Fournet, Karthikeyan Bhargavan, and Andrew Gordon shows the use of types for verifying authenticity properties of cryptographic protocols. The paper by David Basin, Manuel Clavel, Marina Egea, Miguel García de Dios, Carolina Dania, Gonzalo Ortiz, and Javier Valdazo is a survey of a very promising instance of model-driven security. The authors present an approach and a toolkit supporting the construction of security, data, and graphical user interface (GUI) models together with related Web applications. Roberto Gorrieri and Matteo Vernali extend the notion of intransitive noninterference by Rushby to the frameworks of deterministic labelled transition systems, nondeterministic automata, and the class of Petri nets called elementary net systems. Yudistira Asnar and Fabio Massacci describe a methodology to design systems trading information security with governance, risk, and compliance (GRC) management. Daniele Micciancio gives an introduction to the mathematical theory and application of lattice cryptography, which is one of the hottest and fast-moving areas in mathematical cryptography today.
Mário Alvim, Miguel Andrés, Konstantinos Chatzikokolakis, and Catuscia Palamidessi review two information-theoretic approaches to the quantitative analysis of information flows, namely, the one based on Shannon entropy, and the one based on Rényi min-entropy. In the last paper, Mass Soldal Lund, Bjørnar Solhaug, and Ketil Stølen introduce general techniques and guidelines for dealing with risk analysis in systems evolving over time. In particular, the authors propose the CORAS approach to model-driven risk analysis.

This year, FOSAD was organized in cooperation with the Network of Excellence on Engineering Secure Future Internet Software Services and Systems (EU FP7 Project NESSoS). Obviously, we would like to thank all the institutions that have promoted and founded FOSAD in the last few years. Finally, we also wish to thank all the staff of the University Residential Center of Bertinoro for the organizational and administrative support.

August 2011
Alessandro Aldini
Roberto Gorrieri

Table of Contents

Foundations of Security Analysis and Design

Protecting Privacy in Data Release
    Sabrina De Capitani di Vimercati, Sara Foresti, Giovanni Livraga, and Pierangela Samarati
An Introduction to Security API Analysis
    Riccardo Focardi, Flaminia L. Luccio, and Graham Steel
Cryptographic Verification by Typing for a Sample Protocol Implementation
    Cédric Fournet, Karthikeyan Bhargavan, and Andrew D. Gordon
Model-Driven Development of Security-Aware GUIs for Data-Centric Applications
    David Basin, Manuel Clavel, Marina Egea, Miguel A. García de Dios, Carolina Dania, Gonzalo Ortiz, and Javier Valdazo
On Intransitive Non-interference in Some Models of Concurrency
    Roberto Gorrieri and Matteo Vernali
A Method for Security Governance, Risk, and Compliance (GRC): A Goal-Process Approach
    Yudistira Asnar and Fabio Massacci
The Geometry of Lattice Cryptography
    Daniele Micciancio
Quantitative Information Flow and Applications to Differential Privacy
    Mário S. Alvim, Miguel E. Andrés, Konstantinos Chatzikokolakis, and Catuscia Palamidessi
Risk Analysis of Changing and Evolving Systems Using CORAS
    Mass Soldal Lund, Bjørnar Solhaug, and Ketil Stølen
Author Index

Protecting Privacy in Data Release

Sabrina De Capitani di Vimercati, Sara Foresti, Giovanni Livraga, and Pierangela Samarati

Dipartimento di Tecnologie dell'Informazione, Università degli Studi di Milano, Via Bramante 65 - 26013 Crema, Italy

Abstract. The evolution of the Information and Communication Technology has radically changed our electronic lives, making information the key driver for today's society. Every action we perform requires the collection, elaboration, and dissemination of personal information. This situation has clearly brought a tremendous exposure of private and sensitive information to privacy breaches.

In this chapter, we describe how the techniques developed for protecting data have evolved in the years. We start by providing an overview of the first privacy definitions (k-anonymity, ℓ-diversity, t-closeness, and their extensions) aimed at ensuring proper data protection against identity and attribute disclosures. We then illustrate how changes in the underlying assumptions lead to scenarios characterized by different and more complex privacy requirements. In particular, we show the impact on privacy when considering multiple releases of the same data or dynamic data collections, fine-grained privacy definitions, generic privacy constraints, and the external knowledge that a potential adversary may exploit for inferring sensitive information.
We also briefly present the concept of differential privacy that has recently emerged as an alternative privacy definition.

Keywords: Privacy, microdata protection, data release.

A. Aldini and R. Gorrieri (Eds.): FOSAD VI, LNCS 6858, pp. 1–34, 2011. © Springer-Verlag Berlin Heidelberg 2011

1 Introduction

The advancements in the Information and Communication Technology (ICT) have revolutionized our lives in a way that was unthinkable until a few years ago. We live in the Globalization era, where everything we need to do is available within "one mouse click". Global infrastructure, digital infrastructure, and digital society are only a few examples of terms used at different times for concisely referring to our "computer-based" society. The term that better represents today's society is, however, information society (or information age), since information has a key role in the daily life activities of everyone. Every time we browse the Internet, perform an online transaction, fill in forms to, for example, enter contests or participate in online games, and spend our time online in social networks, information about us is collected, stored, analyzed, and sometimes shared with third parties. Furthermore, public and private companies often need to publish aggregate statistical data (macrodata) as well as detailed data (microdata) for research or statistical purposes.

The complexity and variety of today's information society therefore introduce new risks and pose new research challenges. In fact, the vast amount of personal (user-generated) data collected, stored, and processed, the unclear data ownership, and the lack of control of the users over their own data are creating unprecedented risks of privacy breaches. The problem of properly protecting the privacy of the users is clearly not new and has received (and receives) considerable attention from the research and development communities. In the past, the restricted access to information and its expensive processing represented a form of protection that does not hold anymore. In fact, with the rate at which technology is developing, it is now becoming easier and easier to access huge amounts of data by using, for example, portable devices (e.g., PDAs, mobile phones) and ubiquitous network resources. Also, the availability of powerful techniques for analyzing and correlating data coming from different information sources makes it simple to infer information that was not intended for disclosure.

It is interesting to observe how the problem of guaranteeing privacy protection is changing over the years, in line with the evolution of the ICT. Data were principally released in the form of macrodata, that is, tables (often of two dimensions), where each cell contains aggregate information about users or companies, called respondents. The macrodata protection techniques were principally based on the identification and obfuscation of sensitive cells [11]. With the growing importance and use of microdata, the research community dedicated many efforts to designing microdata protection techniques able to preserve the privacy of the respondents while limiting the disclosure risks. Traditionally, the disclosure risks are related to the possibility, for an adversary, to use the microdata for determining confidential information on a specific individual (attribute disclosure) or for identifying the presence of an individual in the microdata table itself (identity disclosure).
To limit the disclosure risks, names, addresses, phone numbers, and other identifying information are removed (or encrypted) from the microdata. For instance, in the microdata table in Figure 1, which contains medical data, the names of the patients as well as their Social Security Numbers are removed, thus obtaining the de-identified medical data in Figure 2(a).

Although a de-identified microdata table apparently protects the identities of the respondents represented in the table, there is no guarantee of anonymity. The de-identified microdata may contain other information, called quasi-identifier, such as birth date and ZIP code, that in combination can be linked to publicly available information to re-identify individuals. As an example, consider the de-identified medical data in Figure 2(a) and the voter list for the San Francisco area, publicly released by the local municipality, in Figure 2(b). It is easy to see that the values of attributes DoB, Sex, and ZIP can be exploited for linking the tuples in the microdata with the voter list, thus possibly re-identifying individuals and revealing their illnesses. For instance, in the microdata in Figure 2(a) there is only one female born on 1958/12/11 living in the 94142 area.
This combination, if unique in the external world as well, uniquely identifies the corresponding tuple in the table as pertaining to Jane Doe, 300 Main St., San Francisco, revealing that she suffers from Pneumonia. From a study performed on the data collected for the 2000 US Census, Golle showed that 63% of the US population can be uniquely identified combining their gender, ZIP code, and full date of birth [21]. This percentage decreases if the gender is combined with the County of residence instead of the ZIP code, and with the month/year of birth (see Figure 3).

SSN          Name             DoB         Sex  ZIP    Disease
123-45-6789  Diana Smith      1950/06/02  F    94141  H1N1
234-56-7890  Nathan Johnson   1950/06/20  M    94132  Gastritis
345-67-8901  Eric Williams    1950/06/12  M    94137  Dyspepsia
456-78-9012  Liz Jones        1950/06/05  F    94144  Pneumonia
567-89-0123  John Brown       1940/04/01  M    94143  Peptic Ulcer
678-90-1234  Luke Davis       1940/04/02  M    94142  Peptic Ulcer
789-01-2345  Barbara Miller   1940/04/10  F    94139  Peptic Ulcer
890-12-3456  Fay Wilson       1940/04/20  F    94130  Peptic Ulcer
901-23-4567  Anthony Moore    1940/06/07  M    94130  Broken Leg
012-34-5678  Matt Taylor      1940/06/05  M    94131  Short Breath
134-56-7890  Jane Doe         1958/12/11  F    94142  Pneumonia
245-67-8901  Anna Anderson    1940/06/25  F    94142  Broken Leg
356-78-9012  Carol Thomas     1940/06/30  F    94145  Stomach Cancer
467-89-0123  Gabrielle White  1950/05/02  F    94136  H1N1
578-90-1234  Lorna Harris     1950/05/05  F    94134  Flu
689-01-2345  Rob Martin       1950/05/10  M    94147  Stomach Cancer
790-12-3456  Bob Thompson     1950/05/30  M    94148  Gastritis

Fig. 1. An example of microdata table with identifying information

In the 1990s, several microdata protection techniques were developed [11].
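The uniqueness of DoB, Sex, and ZIP combinations discussed above can be measured before a table is released. The following is an added example, not part of the original chapter: it rebuilds the de-identified table of Figure 2(a) from the rows of Figure 1 and reports, for each candidate release, the smallest number of records sharing a quasi-identifier value, the unique records, and the groups whose members all share one disease. The three generalization levels and all function names are assumptions made for this illustration.

```python
from collections import defaultdict

# De-identified release (Fig. 2(a)): the rows of Fig. 1 without SSN and Name.
# Columns: DoB, Sex, ZIP, Disease.
RELEASED = [
    ("1950/06/02", "F", "94141", "H1N1"), ("1950/06/20", "M", "94132", "Gastritis"),
    ("1950/06/12", "M", "94137", "Dyspepsia"), ("1950/06/05", "F", "94144", "Pneumonia"),
    ("1940/04/01", "M", "94143", "Peptic Ulcer"), ("1940/04/02", "M", "94142", "Peptic Ulcer"),
    ("1940/04/10", "F", "94139", "Peptic Ulcer"), ("1940/04/20", "F", "94130", "Peptic Ulcer"),
    ("1940/06/07", "M", "94130", "Broken Leg"), ("1940/06/05", "M", "94131", "Short Breath"),
    ("1958/12/11", "F", "94142", "Pneumonia"), ("1940/06/25", "F", "94142", "Broken Leg"),
    ("1940/06/30", "F", "94145", "Stomach Cancer"), ("1950/05/02", "F", "94136", "H1N1"),
    ("1950/05/05", "F", "94134", "Flu"), ("1950/05/10", "M", "94147", "Stomach Cancer"),
    ("1950/05/30", "M", "94148", "Gastritis"),
]

# Assumed generalization levels (chosen for this illustration, not from the chapter):
# full values; month of birth + 4-digit ZIP prefix; month + 3-digit prefix, Sex hidden.
LEVELS = {
    "exact": lambda dob, sex, z: (dob, sex, z),
    "month_zip4": lambda dob, sex, z: (dob[:7], sex, z[:4] + "*"),
    "month_zip3_nosex": lambda dob, sex, z: (dob[:7], "*", z[:3] + "**"),
}

def classes(rows, generalize):
    """Group the diseases of all rows that share a generalized quasi-identifier."""
    groups = defaultdict(list)
    for dob, sex, z, disease in rows:
        groups[generalize(dob, sex, z)].append(disease)
    return groups

def audit(rows, generalize):
    """Return (k, unique quasi-identifiers, groups with a single disease value)."""
    groups = classes(rows, generalize)
    k = min(len(d) for d in groups.values())          # smallest group size
    singletons = sorted(q for q, d in groups.items() if len(d) == 1)
    homogeneous = sorted(q for q, d in groups.items()
                         if len(d) > 1 and len(set(d)) == 1)
    return k, singletons, homogeneous

def suppress(rows, generalize):
    """Drop the rows whose generalized quasi-identifier is unique in the table."""
    groups = classes(rows, generalize)
    return [r for r in rows if len(groups[generalize(*r[:3])]) > 1]

if __name__ == "__main__":
    for name, level in LEVELS.items():
        print(name, audit(RELEASED, level))
    coarse = LEVELS["month_zip3_nosex"]
    print("after suppression", audit(suppress(RELEASED, coarse), coarse))
```

On this table the 1958/12 record stays unique at every level until it is suppressed, and the 1940/04 group contains only Peptic Ulcer, so the disease of its members is revealed even when four records share the quasi-identifier.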
Such techniques can be classified into two main categories: masking techniques, which transform the original data in a way that some statistical analyses on the original and transformed data produce the same or similar results; and synthetic data generation techniques, which replace the original data with synthetic data that preserve some statistical properties of the original data. Among the microdata protection techniques, k-anonymity [37] is probably one of the most popular, and it has inspired the development of algorithms and techniques both for enforcing k-anonymity and for complementing it with other forms of protection (e.g., ℓ-diversity [29], and t-closeness [26]). These techniques are based on the assumptions that: quasi-identifiers are the only attributes that can be used for inferring the respondents to whom information refers; the same microdata table is published only once; and potential adversaries do not have any external knowledge. Clearly, such assumptions do not hold anymore in today's society, where any information can be used to re-identify anonymous data [33]. Two well-known examples of privacy violations, which testified how ensuring proper privacy protection is becoming a difficult task, are the America OnLine (AOL) and Netflix incidents [3,32]. AOL is an Internet services and media company that in 2006 released around 20 million search records of 650,000 of its customers. To protect the privacy of its customers, AOL de-identified such records by substituting personal identifiers with numerical identifiers. A sample of such data is the following: