Policy Compliance in Online Services
In response to incidents of unintended disclosure and misuse of user data by online services, modern data protection regulations require service providers to restrict their collection, processing, sharing and storage of sensitive user data. However, ensuring compliance with such regulations in today's complex and rapidly evolving systems is technically challenging. In my research, I have developed practical systems to prevent unintended disclosures and misuse of data in the face of two broad classes of threats: software bugs and misconfiguration, and side channels.
In this talk, I will describe Pacer, a compliance system designed to prevent indirect inference of sensitive data via side channels in shared network links in the Cloud. Pacer shapes the outbound traffic of a Cloud tenant to make it independent of the tenant's secrets. At the same time, Pacer does allow variations in the traffic shape based only on public (non-secret) aspects of the tenants' workloads, thus enabling efficient sharing of network resources and incurring moderate overhead. Implementing Pacer requires modest changes to the Cloud hypervisor and the guest OS, and minimal changes to the guest application.
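The idea of making the on-wire traffic shape depend only on public inputs can be illustrated with a small model. This is an added example, not Pacer's code or design: the schedule table, the content-class names, the length-prefix framing and all function names are assumptions made for the illustration.

```python
import struct

# Constructed schedules keyed by a PUBLIC attribute of the workload
# (assumption: a content class). Values: (packets, bytes per packet, gap in ms).
SCHEDULES = {"thumbnail": (4, 1200, 5), "video_segment": (64, 1200, 2)}

def unshaped(payload, mtu=1200):
    """Baseline: packet count and last packet size track the secret payload."""
    chunks = [payload[i:i + mtu] for i in range(0, len(payload), mtu)]
    return [(n, c) for n, c in enumerate(chunks)]  # (send time in ms, bytes)

def shaped(payload, public_class):
    """Emit exactly the schedule for public_class, padding with dummy bytes."""
    count, size, gap = SCHEDULES[public_class]
    framed = struct.pack("!I", len(payload)) + payload  # header lets receiver unpad
    if len(framed) > count * size:
        # The class must be chosen from public data, never from the payload size.
        raise ValueError("payload does not fit the schedule for this public class")
    framed = framed.ljust(count * size, b"\0")
    return [(n * gap, framed[n * size:(n + 1) * size]) for n in range(count)]

def unpad(packets):
    """Receiver side: strip the padding using the length header."""
    data = b"".join(p for _, p in packets)
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length]

def observable(packets):
    """What an observer on the shared link sees: send times and sizes only
    (assumes packet contents are encrypted, so padding is indistinguishable)."""
    return [(t, len(p)) for t, p in packets]

if __name__ == "__main__":
    small, large = b"A" * 300, b"B" * 4000  # constructed secret-dependent payloads
    print(observable(unshaped(small)) == observable(unshaped(large)))
    print(observable(shaped(small, "thumbnail")) == observable(shaped(large, "thumbnail")))
```

The cost of the padding is the bandwidth overhead; letting the schedule vary with the public class is what keeps that overhead bounded in this model.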
Aastha Mehta is a Ph.D. student at the Max Planck Institute for Software Systems (MPI-SWS) in Germany. She is expecting to graduate by mid-2020. Prior to joining MPI-SWS, she worked at NetApp. She received her Bachelor's degree from BITS Pilani in India. She is interested in building practical systems that solve security problems. Most recently, she has been focusing on systems for mitigating side channels in Cloud environments. She was invited to attend the 4th Heidelberg Laureate Forum in 2015 and the Rising Stars in EECS Workshop in 2018.