Source author record

David Sands

David Sands appears in the imported research catalog. Authorship, coauthor and topic links are available while profile ownership is still unclaimed.

Researcher (unclaimed source record)

Catalog footprint

What is connected: 9 works, 4 topics, 4 close collaborators



Published work

9 published items

Preprint, 2016, arXiv

Data Minimisation: a Language-Based Approach (Long Version)

Data minimisation is a privacy-enhancing principle considered as one of the pillars of personal data regulations. This principle dictates that personal data collected should be no more than necessary for the specific purpose consented to by the user. In this paper we study data minimisation from a programming language perspective. We assume that a given program embodies the purpose of data collection, and define a data minimiser as a pre-processor for the input which reduces the amount of information available to the program without compromising its functionality. In this context we study formal definitions of data minimisation, present different mechanisms and architectures to ensure data minimisation, and provide a procedure to synthesise a correct data minimiser for a given program.

Preprint, 2015, arXiv

Featherweight PINQ

Differentially private mechanisms enjoy a variety of composition properties. Leveraging these, McSherry introduced PINQ (SIGMOD 2009), a system empowering non-experts to construct new differentially private analyses. PINQ is a LINQ-like API which provides automatic privacy guarantees for all programs which use it to mediate sensitive data manipulation. In this work we introduce featherweight PINQ, a formal model capturing the essence of PINQ. We prove that any program interacting with featherweight PINQ's API is differentially private.

Preprint, 2015, arXiv

The Anatomy and Facets of Dynamic Policies

Information flow policies are often dynamic; the security concerns of a program will typically change during execution to reflect security-relevant events. A key challenge is how to best specify, and give proper meaning to, such dynamic policies. A large number of approaches exist that tackle that challenge, each yielding some important, but unconnected, insight. In this work we synthesise existing knowledge on dynamic policies, with an aim to establish a common terminology, best practices, and frameworks for reasoning about them. We introduce the concept of facets to illuminate subtleties in the semantics of policies, and closely examine the anatomy of policies and the expressiveness of policy specification mechanisms. We further explore the relation between dynamic policies and the concept of declassification.

Preprint, 2015, arXiv

Very Static Enforcement of Dynamic Policies

Security policies are naturally dynamic. Reflecting this, there has been a growing interest in studying information-flow properties which change during program execution, including concepts such as declassification, revocation, and role-change. A static verification of a dynamic information flow policy, from a semantic perspective, should only need to concern itself with two things: 1) the dependencies between data in a program, and 2) whether those dependencies are consistent with the intended flow policies as they change over time. In this paper we provide a formal ground for this intuition. We present a straightforward extension to the principal flow-sensitive type system introduced by Hunt and Sands (POPL '06, ESOP '11) to infer both end-to-end dependencies and dependencies at intermediate points in a program. This allows typings to be applied to verification of both static and dynamic policies. Our extension preserves the principal type system's distinguishing feature, that type inference is independent of the policy to be enforced: a single, generic dependency analysis (typing) can be used to verify many different dynamic policies of a given program, thus achieving a clean separation between (1) and (2). We also make contributions to the foundations of dynamic information flow. Arguably, the most compelling semantic definitions for dynamic security conditions in the literature are phrased in the so-called knowledge-based style. We contribute a new definition of knowledge-based termination insensitive security for dynamic policies. We show that the new definition avoids anomalies of previous definitions and enjoys a simple and useful characterisation as a two-run style property.

Preprint, 2014, arXiv

Type-Directed Compilation for Fault-Tolerant Non-Interference

Environmental noise (e.g. heat, ionized particles, etc.) causes transient faults in hardware, which lead to corruption of stored values. Mission-critical devices require such faults to be mitigated by fault-tolerance, a combination of techniques that aim at preserving the functional behaviour of a system despite the disruptive effects of transient faults. Fault-tolerance typically has a high deployment cost (special hardware might be required to implement it) and provides weak statistical guarantees. It is also based on the assumption that faults are rare. In this paper, we consider scenarios where security, rather than functional correctness, is the main asset to be protected. Our contribution is twofold. Firstly, we develop a theory for expressing confidentiality of data in the presence of transient faults. We show that the natural probabilistic definition of security in the presence of faults can be captured by a possibilistic definition. Furthermore, the possibilistic definition is implied by a known bisimulation-based property, called Strong Security. Secondly, we illustrate the utility of these results for a simple RISC architecture for which only the code memory and program counter are assumed fault-tolerant. We present a type-directed compilation scheme that produces RISC code from a higher-level language for which Strong Security holds, i.e. well-typed programs compile to RISC code which is secure despite transient faults. In contrast with fault-tolerance solutions, our technique assumes relatively little special hardware, gives formal guarantees, and works in the presence of an active attacker who aggressively targets parts of a system and induces faults precisely.

Preprint, 2013, arXiv

Reinterpreting Boltzmann's H-theorem in the light of Information Theory

Prompted by the realisation that the statistical entropy of an ideal gas in the micro-canonical ensemble should not fluctuate or change over time, the meaning of the H-theorem is re-interpreted from the perspective of information theory in which entropy is a measure of uncertainty. We propose that the Maxwellian velocity distribution should more properly be regarded as a limiting distribution which is identical with the distribution across particles in the asymptotic limit of large numbers. In smaller systems, the distribution across particles differs from the limiting distribution and fluctuates. Therefore the entropy can be calculated either from the actual distribution across the particles or from the limiting distribution. The former fluctuates with the distribution but the latter does not. However, only the latter represents uncertainty in the sense implied by information theory by accounting for all possible microstates. We also argue that the Maxwellian probability distribution for the velocity of a single particle should be regarded as a limiting distribution. Therefore the entropy of a single particle is well defined, as is the entropy of an N-particle system, regardless of the microstate. We argue that the meaning of the H-theorem is to reveal the underlying distribution in the limit of large numbers. Computer simulations of a hard-sphere fluid are used to demonstrate the ideas.

Preprint, 2012, arXiv

Gender differences in conceptual understanding of Newtonian mechanics: a UK cross-institution comparison

We present results of a combined study from three UK universities where we investigate the existence and persistence of a performance gender gap in conceptual understanding of Newtonian mechanics. Using the Force Concept Inventory, we find that students at all three universities exhibit a statistically significant gender gap, with males outperforming females. This gap is narrowed but not eliminated after instruction, using a variety of instructional approaches. Furthermore, we find that before instruction the quartile with the lowest performance on the diagnostic instrument comprises a disproportionately high fraction (~50%) of the total female cohort. The majority of these students remain in the lowest-performing quartile post-instruction. Analysis of responses to individual items shows that male students outperform female students on practically all items on the instrument. Comparing the performance of the same group of students on end-of-course examinations, we find no statistically significant gender gaps.

Preprint, 2011, arXiv

A Semantic Hierarchy for Erasure Policies

We consider the problem of logical data erasure, contrasting with physical erasure in the same way that end-to-end information flow control contrasts with access control. We present a semantic hierarchy for erasure policies, using a possibilistic knowledge-based semantics to define policy satisfaction such that there is an intuitively clear upper bound on what information an erasure policy permits to be retained. Our hierarchy allows a rich class of erasure policies to be expressed, taking account of the power of the attacker, how much information may be retained, and under what conditions it may be retained. While our main aim is to specify erasure policies, the semantic framework allows quite general information-flow policies to be formulated for a variety of semantic notions of secrecy.

Preprint, 2011, arXiv

Confusion in Thermodynamics

For a long time now, confusion has existed in the minds of many over the meaning of various concepts in thermodynamics. Recently, this point has been brought to people's attention by two articles appearing on the well-known archive (arxiv) web site. The content of these two pieces serves to illustrate many of the problems and has occasioned the construction of this answer to at least some of them. The position of the axiom proposed by Carathéodory is central in this matter and here its position is clarified and secured within the framework of thermodynamics. In particular, its relation to the First Law is examined and justified.