-
No Forking Way: Detecting Cloning Attacks on Intel SGX Applications
Authors:
Samira Briongos,
Ghassan Karame,
Claudio Soriente,
Annika Wilde
Abstract:
Forking attacks against TEEs like Intel SGX can be carried out either by rolling back the application to a previous state, or by cloning the application and by partitioning its inputs across the cloned instances. Current solutions to forking attacks require Trusted Third Parties (TTP) that are hard to find in real-world deployments. In the absence of a TTP, many TEE applications rely on monotonic…
▽ More
Forking attacks against TEEs like Intel SGX can be carried out either by rolling back the application to a previous state, or by cloning the application and by partitioning its inputs across the cloned instances. Current solutions to forking attacks require Trusted Third Parties (TTP) that are hard to find in real-world deployments. In the absence of a TTP, many TEE applications rely on monotonic counters to mitigate forking attacks based on rollbacks; however, they have no protection mechanism against forking attack based on cloning. In this paper, we analyze 72 SGX applications and show that approximately 20% of those are vulnerable to forking attacks based on cloning - including those that rely on monotonic counters. To address this problem, we present CloneBuster, the first practical clone-detection mechanism for Intel SGX that does not rely on a TTP and, as such, can be used directly to protect existing applications. CloneBuster allows enclaves to (self-) detect whether another enclave with the same binary is running on the same platform. To do so, CloneBuster relies on a cache-based covert channel for enclaves to signal their presence to (and detect the presence of) clones on the same machine. We show that CloneBuster is robust despite a malicious OS, only incurs a marginal impact on the application performance, and adds approximately 800 LoC to the TCB. When used in conjunction with monotonic counters, CloneBuster allows applications to benefit from a comprehensive protection against forking attacks.
△ Less
Submitted 4 October, 2023;
originally announced October 2023.
-
LISA: LIghtweight single-server Secure Aggregation with a public source of randomness
Authors:
Elina van Kempen,
Qifei Li,
Giorgia Azzurra Marson,
Claudio Soriente
Abstract:
Secure Aggregation (SA) is a key component of privacy-friendly federated learning applications, where the server learns the sum of many user-supplied gradients, while individual gradients are kept private. State-of-the-art SA protocols protect individual inputs with zero-sum random shares that are distributed across users, have a per-user overhead that is logarithmic in the number of users, and ta…
▽ More
Secure Aggregation (SA) is a key component of privacy-friendly federated learning applications, where the server learns the sum of many user-supplied gradients, while individual gradients are kept private. State-of-the-art SA protocols protect individual inputs with zero-sum random shares that are distributed across users, have a per-user overhead that is logarithmic in the number of users, and take more than 5 rounds of interaction. In this paper, we introduce LISA, an SA protocol that leverages a source of public randomness to minimize per-user overhead and the number of rounds. In particular, LISA requires only two rounds and has a communication overhead that is asymptotically equal to that of a non-private protocol -- one where inputs are provided to the server in the clear -- for most of the users. In a nutshell, LISA uses public randomness to select a subset of the users -- a committee -- that aid the server to recover the aggregated input. Users blind their individual contributions with randomness shared with each of the committee members; each committee member provides the server with an aggregate of the randomness shared with each user. Hence, as long as one committee member is honest, the server cannot learn individual inputs but only the sum of threshold-many inputs. We compare LISA with state-of-the-art SA protocols both theoretically and by means of simulations and present results of our experiments. We also integrate LISA in a Federated Learning pipeline and compare its performance with a non-private protocol.
△ Less
Submitted 4 August, 2023;
originally announced August 2023.
-
On the Storage Overhead of Proof-of-Work Blockchains
Authors:
Alessandro Sforzin,
Matteo Maso,
Claudio Soriente,
Ghassan Karame
Abstract:
Permissionless blockchains such as Bitcoin have long been criticized for their high computational and storage overhead. Unfortunately, while a number of proposals address the energy consumption of existing Proof-of-Work deployments, little attention has been given so far to remedy the storage overhead incurred by those blockchains. In fact, it seems widely acceptable that full nodes supporting the…
▽ More
Permissionless blockchains such as Bitcoin have long been criticized for their high computational and storage overhead. Unfortunately, while a number of proposals address the energy consumption of existing Proof-of-Work deployments, little attention has been given so far to remedy the storage overhead incurred by those blockchains. In fact, it seems widely acceptable that full nodes supporting the blockchains have to volunteer hundreds of GBs of their storage, to store and verify all transactions exchanged in the system.
In this paper, we explore the solution space to effectively reduce the storage footprint of Proof-of-Work based blockchains. To do so, we analyze, by means of thorough empirical measurements, how existing full blockchain nodes utilize data from the shared ledger to validate incoming transactions/blocks. Based on this analysis, we show that it is possible for full nodes to locally reduce their storage footprint to approximately 15 GB, without any modification to the underlying protocol. We also discuss other client-side strategies to further reduce the storage footprint while incurring negligible computational overhead on the nodes.
△ Less
Submitted 30 June, 2022; v1 submitted 9 May, 2022;
originally announced May 2022.
-
On the Challenges of Detecting Side-Channel Attacks in SGX
Authors:
Jianyu Jiang,
Claudio Soriente,
Ghassan Karame
Abstract:
Existing tools to detect side-channel attacks on Intel SGX are grounded on the observation that attacks affect the performance of the victim application. As such, all detection tools monitor the potential victim and raise an alarm if the witnessed performance (in terms of runtime, enclave interruptions, cache misses, etc.) is out of the ordinary.
In this paper, we show that monitoring the perfor…
▽ More
Existing tools to detect side-channel attacks on Intel SGX are grounded on the observation that attacks affect the performance of the victim application. As such, all detection tools monitor the potential victim and raise an alarm if the witnessed performance (in terms of runtime, enclave interruptions, cache misses, etc.) is out of the ordinary.
In this paper, we show that monitoring the performance of enclaves to detect side-channel attacks may not be effective. Our core intuition is that all monitoring tools are geared towards an adversary that interferes with the victim's execution in order to extract the most number of secret bits (e.g., the entire secret) in one or few runs. They cannot, however, detect an adversary that leaks smaller portions of the secret - as small as a single bit - at each execution of the victim. In particular, by minimizing the information leaked at each run, the impact of any side-channel attack on the application's performance is significantly lowered - ensuring that the detection tool does not detect an attack. By repeating the attack multiple times, each time on a different part of the secret, the adversary can recover the whole secret and remain undetected. Based on this intuition, we adapt known attacks leveraging page-tables and L3 cache to bypass existing detection mechanisms. We show experimentally how an attacker can successfully exfiltrate the secret key used in an enclave running various cryptographic routines of libgcrypt. Beyond cryptographic libraries, we also show how to compromise the predictions of enclaves running decision-tree routines of OpenCV. Our evaluation results suggest that performance-based detection tools do not deter side-channel attacks on SGX enclaves and that effective detection mechanisms are yet to be designed.
△ Less
Submitted 30 June, 2022; v1 submitted 30 November, 2020;
originally announced November 2020.
-
Towards Secure and Decentralized Sharing of IoT Data
Authors:
Hien Thi Thu Truong,
Miguel Almeida,
Ghassan Karame,
Claudio Soriente
Abstract:
The Internet of Things (IoT) bears unprecedented security and scalability challenges due to the magnitude of data produced and exchanged by IoT devices and platforms. Some of those challenges are currently being addressed by coupling IoT applications with blockchains. However, current blockchain-backed IoT systems simply use the blockchain to store access control policies, thereby underutilizing t…
▽ More
The Internet of Things (IoT) bears unprecedented security and scalability challenges due to the magnitude of data produced and exchanged by IoT devices and platforms. Some of those challenges are currently being addressed by coupling IoT applications with blockchains. However, current blockchain-backed IoT systems simply use the blockchain to store access control policies, thereby underutilizing the power of blockchain technology. In this paper, we propose a new framework named Sash that couples IoT platforms with blockchain that provides a number of advantages compared to state of the art. In Sash, the blockchain is used to store access control policies and take access control decisions. Therefore, both changes to policies and access requests are correctly enforced and publicly auditable. Further, we devise a ``data marketplace'' by leveraging the ability of blockchains to handle financial transaction and providing ``by design'' remuneration to data producers. Finally, we exploit a special flavor of identity-based encryption to cater for cryptography-enforced access control while minimizing the overhead to distribute decryption keys. We prototype Sash by using the FIWARE open source IoT platform and the Hyperledger Fabric framework as the blockchain back-end. We also evaluate the performance of our prototype and show that it incurs tolerable overhead in realistic deployment settings.
△ Less
Submitted 23 August, 2019;
originally announced August 2019.
-
Beyond content analysis: Detecting targeted ads via distributed counting
Authors:
Costas Iordanou,
Nicolas Kourtellis,
Juan Miguel Carrascosa,
Claudio Soriente,
Ruben Cuevas,
Nikolaos Laoutaris
Abstract:
Being able to check whether an online advertisement has been targeted is essential for resolving privacy controversies and implementing in practice data protection regulations like GDPR, CCPA, and COPPA. In this paper we describe the design, implementation, and deployment of an advertisement auditing system called iWnder that uses crowdsourcing to reveal in real time whether a display advertisemen…
▽ More
Being able to check whether an online advertisement has been targeted is essential for resolving privacy controversies and implementing in practice data protection regulations like GDPR, CCPA, and COPPA. In this paper we describe the design, implementation, and deployment of an advertisement auditing system called iWnder that uses crowdsourcing to reveal in real time whether a display advertisement has been targeted or not. Crowdsourcing simplifies the detection of targeted advertising, but requires reporting to a central repository the impressions seen by different users, thereby jeopardising their privacy. We break this deadlock with a privacy preserving data sharing protocol that allows iWnder to compute global statistics required to detect targeting, while kee** the advertisements seen by individual users and their browsing history private. We conduct a simulation study to explore the effect of different parameters and a live validation to demonstrate the accuracy of our approach. Unlike previous solutions, iWnder can even detect indirect targeting, i.e., marketing campaigns that promote a product or service whose description bears no semantic overlap with its targeted audience.
△ Less
Submitted 23 July, 2019; v1 submitted 3 July, 2019;
originally announced July 2019.
-
ReplicaTEE: Enabling Seamless Replication of SGX Enclaves in the Cloud
Authors:
Claudio Soriente,
Ghassan Karame,
Wenting Li,
Sergey Fedorov
Abstract:
With the proliferation of Trusted Execution Environments (TEEs) such as Intel SGX, a number of cloud providers will soon introduce TEE capabilities within their offering (e.g., Microsoft Azure). Although the integration of SGX within the cloud considerably strengthens the threat model for cloud applications, the current model to deploy and provision enclaves prevents the cloud operator from adding…
▽ More
With the proliferation of Trusted Execution Environments (TEEs) such as Intel SGX, a number of cloud providers will soon introduce TEE capabilities within their offering (e.g., Microsoft Azure). Although the integration of SGX within the cloud considerably strengthens the threat model for cloud applications, the current model to deploy and provision enclaves prevents the cloud operator from adding or removing enclaves dynamically - thus preventing elasticity for TEE-based applications in the cloud.
In this paper, we propose ReplicaTEE, a solution that enables seamless provisioning and decommissioning of TEE-based applications in the cloud. ReplicaTEE leverages an SGX-based provisioning layer that interfaces with a Byzantine Fault-Tolerant storage service to securely orchestrate enclave replication in the cloud, without the active intervention of the application owner. Namely, in ReplicaTEE, the application owner entrusts application secret to the provisioning layer; the latter handles all enclave commissioning and de-commissioning operations throughout the application lifetime. We analyze the security of ReplicaTEE and show that it is secure against attacks by a powerful adversary that can compromise a large fraction of the cloud infrastructure. We implement a prototype of ReplicaTEE in a realistic cloud environment and evaluate its performance. ReplicaTEE moderately increments the TCB by ~800 LoC. Our evaluation shows that ReplicaTEE does not add significant overhead to existing SGX-based applications.
△ Less
Submitted 13 September, 2018;
originally announced September 2018.
-
There goes Wally: Anonymously sharing your location gives you away
Authors:
Apostolos Pyrgelis,
Nicolas Kourtellis,
Ilias Leontiadis,
Joan SerrĂ ,
Claudio Soriente
Abstract:
With current technology, a number of entities have access to user mobility traces at different levels of spatio-temporal granularity. At the same time, users frequently reveal their location through different means, including geo-tagged social media posts and mobile app usage. Such leaks are often bound to a pseudonym or a fake identity in an attempt to preserve one's privacy. In this work, we inv…
▽ More
With current technology, a number of entities have access to user mobility traces at different levels of spatio-temporal granularity. At the same time, users frequently reveal their location through different means, including geo-tagged social media posts and mobile app usage. Such leaks are often bound to a pseudonym or a fake identity in an attempt to preserve one's privacy. In this work, we investigate how large-scale mobility traces can de-anonymize anonymous location leaks. By mining the country-wide mobility traces of tens of millions of users, we aim to understand how many location leaks are required to uniquely match a trace, how spatio-temporal obfuscation decreases the matching quality, and how the location popularity and time of the leak influence de-anonymization. We also study the mobility characteristics of those individuals whose anonymous leaks are more prone to identification. Finally, by extending our matching methodology to full traces, we show how large-scale human mobility is highly unique. Our quantitative results have implications for the privacy of users' traces, and may serve as a guideline for future policies regarding the management and publication of mobility data.
△ Less
Submitted 15 November, 2018; v1 submitted 7 June, 2018;
originally announced June 2018.
-
DoubleEcho: Mitigating Context-Manipulation Attacks in Copresence Verification
Authors:
Hien Thi Thu Truong,
Juhani Toivonen,
Thien Duc Nguyen,
Claudio Soriente,
Sasu Tarkoma,
N. Asokan
Abstract:
Copresence verification based on context can improve usability and strengthen security of many authentication and access control systems. By sensing and comparing their surroundings, two or more devices can tell whether they are copresent and use this information to make access control decisions. To the best of our knowledge, all context-based copresence verification mechanisms to date are suscept…
▽ More
Copresence verification based on context can improve usability and strengthen security of many authentication and access control systems. By sensing and comparing their surroundings, two or more devices can tell whether they are copresent and use this information to make access control decisions. To the best of our knowledge, all context-based copresence verification mechanisms to date are susceptible to context-manipulation attacks. In such attacks, a distributed adversary replicates the same context at the (different) locations of the victim devices, and induces them to believe that they are copresent. In this paper we propose DoubleEcho, a context-based copresence verification technique that leverages acoustic Room Impulse Response (RIR) to mitigate context-manipulation attacks. In DoubleEcho, one device emits a wide-band audible chirp and all participating devices record reflections of the chirp from the surrounding environment. Since RIR is, by its very nature, dependent on the physical surroundings, it constitutes a unique location signature that is hard for an adversary to replicate. We evaluate DoubleEcho by collecting RIR data with various mobile devices and in a range of different locations. We show that DoubleEcho mitigates context-manipulation attacks whereas all other approaches to date are entirely vulnerable to such attacks. DoubleEcho detects copresence (or lack thereof) in roughly 2 seconds and works on commodity devices.
△ Less
Submitted 18 February, 2019; v1 submitted 19 March, 2018;
originally announced March 2018.
-
ProxyTorrent: Untangling the Free HTTP(S) Proxy Ecosystem
Authors:
Diego Perino,
Matteo Varvello,
Claudio Soriente
Abstract:
Free web proxies promise anonymity and censorship circumvention at no cost. Several websites publish lists of free proxies organized by country, anonymity level, and performance. These lists index hundreds of thousand of hosts discovered via automated tools and crowd-sourcing. A complex free proxy ecosystem has been forming over the years, of which very little is known. In this paper we shed light…
▽ More
Free web proxies promise anonymity and censorship circumvention at no cost. Several websites publish lists of free proxies organized by country, anonymity level, and performance. These lists index hundreds of thousand of hosts discovered via automated tools and crowd-sourcing. A complex free proxy ecosystem has been forming over the years, of which very little is known. In this paper we shed light on this ecosystem via ProxyTorrent, a distributed measurement platform that leverages both active and passive measurements. Active measurements discover free proxies, assess their performance, and detect potential malicious activities. Passive measurements relate to proxy performance and usage in the wild, and are collected by free proxies users via a Chrome plugin we developed. ProxyTorrent has been running since January 2017, monitoring up to 180,000 free proxies and totaling more than 1,500 users. Our analysis shows that less than 2% of the proxies announced on the web indeed proxy traffic on behalf of users; further, only half of these proxies have decent performance and can be used reliably. Around 10% of the working proxies exhibit malicious behaviors, e.g., ads injection and TLS interception, and these proxies are also the ones providing the best performance. Through the analysis of more than 2 Terabytes of proxied traffic, we show that web browsing is the primary user activity. Geo-blocking avoidance is not a prominent use-case, with the exception of countries hosting popular geo-blocked content.
△ Less
Submitted 2 November, 2017; v1 submitted 19 December, 2016;
originally announced December 2016.
-
SALVE: Server Authentication with Location VErification
Authors:
Der-Yeuan Yu,
Aanjhan Ranganathan,
Ramya Jayaram Masti,
Claudio Soriente,
Srdjan Capkun
Abstract:
The Location Service (LCS) proposed by the telecommunication industry is an architecture that allows the location of mobile devices to be accessed in various applications. We explore the use of LCS in location-enhanced server authentication, which traditionally relies on certificates. Given recent incidents involving certificate authorities, various techniques to strengthen server authentication w…
▽ More
The Location Service (LCS) proposed by the telecommunication industry is an architecture that allows the location of mobile devices to be accessed in various applications. We explore the use of LCS in location-enhanced server authentication, which traditionally relies on certificates. Given recent incidents involving certificate authorities, various techniques to strengthen server authentication were proposed. They focus on improving the certificate validation process, such as pinning, revocation, or multi-path probing. In this paper, we propose using the server's geographic location as a second factor of its authenticity. Our solution, SALVE, achieves location-based server authentication by using secure DNS resolution and by leveraging LCS for location measurements. We develop a TLS extension that enables the client to verify the server's location in addition to its certificate. Successful server authentication therefore requires a valid certificate and the server's presence at a legitimate geographic location, e.g., on the premises of a data center. SALVE prevents server impersonation by remote adversaries with mis-issued certificates or stolen private keys of the legitimate server. We develop a prototype implementation and our evaluation in real-world settings shows that it incurs minimal impact to the average server throughput. Our solution is backward compatible and can be integrated with existing approaches for improving server authentication in TLS.
△ Less
Submitted 16 August, 2016;
originally announced August 2016.
-
Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound
Authors:
Nikolaos Karapanos,
Claudio Marforio,
Claudio Soriente,
Srdjan Capkun
Abstract:
Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification…
▽ More
Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed.
In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to the one of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.
△ Less
Submitted 3 August, 2015; v1 submitted 12 March, 2015;
originally announced March 2015.
-
Personalized Security Indicators to Detect Application Phishing Attacks in Mobile Platforms
Authors:
Claudio Marforio,
Ramya Jayaram Masti,
Claudio Soriente,
Kari Kostiainen,
Srdjan Capkun
Abstract:
Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks an…
▽ More
Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on the user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim of the attacker. Consequently, the research community has deemed personalized security indicators as an ineffective phishing detection mechanism.
We evaluate personalized security indicators as a phishing detection solution in the context of mobile applications. We conducted a large-scale user study where a significant amount of participants that used personalized security indicators were able to detect phishing. All participants that did not use indicators could not detect the attack and entered their credentials to a phishing application. We found the difference in the attack detection ratio to be statistically significant. Personalized security indicators can, therefore, help phishing detection in mobile applications and their reputation as an anti-phishing mechanism should be reconsidered.
We also propose a novel protocol to setup personalized security indicators under a strong adversarial model and provide details on its performance and usability.
△ Less
Submitted 24 February, 2015;
originally announced February 2015.
-
Commune: Shared Ownership in an Agnostic Cloud
Authors:
Claudio Soriente,
Ghassan Karame,
Hubert Ritzdorf,
Srdjan Marinovic,
Srdjan Capkun
Abstract:
Although cloud storage platforms promise a convenient way for users to share files and engage in collaborations, they require all files to have a single owner who unilaterally makes access control decisions. Existing clouds are, thus, agnostic to shared ownership. This can be a significant limitation in many collaborations because one owner can, for example, delete files and revoke access without…
▽ More
Although cloud storage platforms promise a convenient way for users to share files and engage in collaborations, they require all files to have a single owner who unilaterally makes access control decisions. Existing clouds are, thus, agnostic to shared ownership. This can be a significant limitation in many collaborations because one owner can, for example, delete files and revoke access without consulting the other collaborators.
In this paper, we first formally define a notion of shared ownership within a file access control model. We then propose a solution, called Commune, to the problem of distributively enforcing shared ownership in agnostic clouds, so that access grants require the support of a pre-arranged threshold of owners. Commune can be used in existing clouds without requiring any modifications to the platforms. We analyze the security of our solution and evaluate its scalability and performance by means of an implementation integrated with Amazon S3.
△ Less
Submitted 25 November, 2013;
originally announced November 2013.
-
Extended Capabilities for a Privacy-Enhanced Participatory Sensing Infrastructure (PEPSI)
Authors:
Emiliano De Cristofaro,
Claudio Soriente
Abstract:
Participatory sensing is emerging as an innovative computing paradigm that targets the ubiquity of always-connected mobile phones and their sensing capabilities. In this context, a multitude of pioneering applications increasingly carry out pervasive collection and dissemination of information and environmental data, such as, traffic conditions, pollution, temperature, etc. Participants collect an…
▽ More
Participatory sensing is emerging as an innovative computing paradigm that targets the ubiquity of always-connected mobile phones and their sensing capabilities. In this context, a multitude of pioneering applications increasingly carry out pervasive collection and dissemination of information and environmental data, such as, traffic conditions, pollution, temperature, etc. Participants collect and report measurements from their mobile devices and entrust them to the cloud to be made available to applications and users. Naturally, due to the personal information associated to the reports (e.g., location, movements, etc.), a number of privacy concerns need to be taken into account prior to a large-scale deployment of these applications. Motivated by the need for privacy protection in Participatory Sensing, this work presents PEPSI: a Privacy-Enhanced Participatory Sensing Infrastructure. We explore realistic architectural assumptions and a minimal set of formal requirements aiming at protecting privacy of both data producers and consumers. We propose two instantiations that attain privacy guarantees with provable security at very low additional computational cost and almost no extra communication overhead.
△ Less
Submitted 13 August, 2013;
originally announced August 2013.
-
Participatory Privacy: Enabling Privacy in Participatory Sensing
Authors:
Emiliano De Cristofaro,
Claudio Soriente
Abstract:
Participatory Sensing is an emerging computing paradigm that enables the distributed collection of data by self-selected participants. It allows the increasing number of mobile phone users to share local knowledge acquired by their sensor-equipped devices, e.g., to monitor temperature, pollution level or consumer pricing information. While research initiatives and prototypes proliferate, their rea…
▽ More
Participatory Sensing is an emerging computing paradigm that enables the distributed collection of data by self-selected participants. It allows the increasing number of mobile phone users to share local knowledge acquired by their sensor-equipped devices, e.g., to monitor temperature, pollution level or consumer pricing information. While research initiatives and prototypes proliferate, their real-world impact is often bounded to comprehensive user participation. If users have no incentive, or feel that their privacy might be endangered, it is likely that they will not participate. In this article, we focus on privacy protection in Participatory Sensing and introduce a suitable privacy-enhanced infrastructure. First, we provide a set of definitions of privacy requirements for both data producers (i.e., users providing sensed information) and consumers (i.e., applications accessing the data). Then, we propose an efficient solution designed for mobile phone users, which incurs very low overhead. Finally, we discuss a number of open problems and possible research directions.
△ Less
Submitted 7 February, 2013; v1 submitted 20 January, 2012;
originally announced January 2012.
