Previous TCS Dissertations
TCS Dissertations Fall 2016

10 Oct 2016 at 14:00 in room F3, Lindstedtsvägen 26, plan 2, KTH Campus
No Hypervisor Is an Island: Systemwide Isolation Guarantees for Low Level Code
(Oliver Schwarz, KTH Royal Institute of Technology)The times when malware was mostly written by curious teenagers are long gone. Nowadays, threats come from criminals, competitors, and government agencies. Some of them are very skilled and very targeted in their attacks. At the same time, our devices – for instance mobile phones and TVs – have become more complex, connected, and open for the execution of thirdparty software. Operating systems should separate untrusted software from confidential data and critical services. But their vulnerabilities often allow malware to break the separation and isolation they are designed to provide. To strengthen protection of select assets, security research has started to create complementary machinery such as security hypervisors and separation kernels, whose sole task is separation and isolation. The reduced size of these solutions allows for thorough inspection, both manual and automated. In some cases, formal methods are applied to create mathematical proofs on the security of these systems.
The actual isolation solutions themselves are carefully analyzed and included software is often even verified on binary level. The role of other software and hardware for the overall system security has received less attention so far. The subject of this thesis is to shed light on these aspects, mainly on (i) unprivileged thirdparty code and its ability to influence security, (ii) peripheral devices with direct access to memory, and (iii) boot code and how we can selectively enable and disable isolation services without compromising security.
The papers included in this thesis are both design and verification oriented, however, with an emphasis on the analysis of instruction set architectures. With the help of a theorem prover, we implemented various types of machinery for the automated information flow analysis of several processor architectures. The analysis is guaranteed to be both sound and accurate.
TCS Dissertations Fall 2015

04 Dec 2015 at 14:00 in room F3
Automatic Extraction of Program Models for Formal Software Verification
(Pedro de Carvalho Gomes, Theory Group, KTH)In this thesis we present a study of the generation of abstract program models from programs in realworld programming languages that are employed in the formal verification of software. The thesis is divided into three parts, which cover distinct types of software systems, programming languages, verification scenarios, program models and properties.The first part presents an algorithm for the extraction of control flow graphs from sequential Java bytecode programs. The graphs are tailored for a compositional technique for the verification of temporal control flow safety properties. We prove that the extracted models soundly overapproximate the program behaviour w.r.t. sequences of method invocations and exceptions. Therefore, the properties that are established with the compositional technique over the control flow graphs also hold for the programs. We implement the algorithm as ConFlEx, and evaluate the tool on a number of test cases.The second part presents a technique to generate program models from incomplete software systems, i.e., programs where the implementation of at least one of the components is not available. We first define a framework to represent incomplete Java bytecode programs, and extend the algorithm presented in the first part to handle missing code. Then, we introduce refinement rules, i.e., conditions for instantiating the missing code, and prove that the rules preserve properties established over control flow graphs extracted from incomplete programs. We have extended ConFlEx to support the new definitions, and reevaluate the tool, now over test cases of incomplete programs.The third part addresses the verification of multithreaded programs. We present a technique to prove the following property of synchronization with condition variables: "If every thread synchronizing under the same condition variables eventually enters its synchronization block, then every thread will eventually exit the synchronization". To support the verification, we first propose SyncTask, a simple intermediate language for specifying synchronized parallel computations. Then, we propose an annotation language for Java programs to assist the automatic extraction of SyncTask programs, and show that, for correctly annotated programs, the abovementioned property holds if and only if the corresponding SyncTask program terminates. We reduce the termination problem into a reachability problem on Coloured Petri Nets. We define an algorithm to extract nets from SyncTask programs, and show that a program terminates if and only if its corresponding net always reaches a particular set of dead configurations. The extraction of SyncTask programs and their translation into Petri nets is implemented as the STaVe tool. We evaluate the technique by feeding annotated Java programs to STaVe, then verifying the extracted nets with a standard Coloured Petri Net analysis tool

09 Oct 2015 at 14:00 in F3
Hardness of Constraint Satisfaction and Hypergraph Coloring: Constructions of Probabilistically Checkable Proofs with Perfect Completeness
(Sangxia huang, KTH TCS)A Probabilistically Checkable Proof (PCP) of a mathematical statement is a proof written in a special manner that allows for efficient probabilistic verification. The celebrated PCP Theorem states that for every family of statements in NP, there is a probabilistic verification procedure that checks the validity of a PCP proof by reading only 3 bits from it. This landmark theorem, and the works leading up to it, laid the foundation for many subsequent works in computational complexity theory, the most prominent among them being the study of inapproximability of combinatorial optimization problems.
This thesis focuses on a broad class of combinatorial optimization problems called Constraint Satisfaction Problems (CSPs). In an instance of a CSP problem of arity k, we are given a set of variables taking values from some finite domain, and a set of constraints each involving a subset of at most k variables. The goal is to find an assignment that simultaneously satisfies as many constraints as possible. An alternative formulation of the goal that is commonly used is GapCSP, where the goal is to decide whether a CSP instance is satisfiable or far from satisfiable, where the exact meaning of being far from satisfiable varies depending on the problems.We first study Boolean CSPs, where the domain of the variables is {0,1}. The main question we study is the hardness of distinguishing satisfiable Boolean CSP instances from those for which no assignment satisfies more than some epsilon fraction of the constraints. Intuitively, as the arity increases, the CSP gets more complex and thus the hardness parameter epsilon should decrease. We show that for Boolean CSPs of arity k, it is NPhard to distinguish satisfiable instances from those that are at most 2^{~O(k^{1/3})}/2^ksatisfiable.
We also study coloring of graphs and hypergraphs. Given a graph or a hypergraph, a coloring is an assignment of colors to vertices, such that all edges or hyperedges are nonmonochromatic. The gap problem is to distinguish instances that are colorable with a small number of colors, from those that require a large number of colors. For graphs, we prove that there exists a constant K_0>0, such that for any K >= K_0, it is NPhard to distinguish Kcolorable graphs from those that require 2^{Omega(K^{1/3})} colors. For hypergraphs, we prove that it is quasiNPhard to distinguish 2colorable 8uniform hypergraphs of size N from those that require 2^{(log N)^{1/4o(1)}} colors.
In terms of techniques, all these results are based on constructions of PCPs with perfect completeness, that is, PCPs where the probabilistic proof verification procedure always accepts a correct proof. Not only is this a very natural property for proofs, but it can also be an essential requirement in many applications. It has always been particularly challenging to construct PCPs with perfect completeness for NP statements due to limitations in techniques. Our improved hardness results build on and extend many of the current approaches. Our Boolean CSP result and GraphColoring result were proved by adapting the Direct Sum of PCPs idea by Siu On Chan to the perfect completeness setting. Our proof for hypergraph coloring hardness improves and simplifies the recent work by Khot and Saket, in which they proposed the notion of superposition complexity of CSPs.
TCS Dissertations Spring 2016

09 Jun 2015 at 14:00 in room E2, Lindstedsvägen 3
(licentiate thesis): Social Networks and Privacy
(Oleksandr Bodriagov, KTH)Centralized online social networks pose a threat to their users' privacy as social network providers have unlimited access to users' data. Decentralized social networks address this problem by getting rid of the provider and giving control to the users themselves, meaning that only the endusers themselves should be able to control access of other parties to their data. While there have been several proposals and advances in the development of privacypreserving decentralized social networks, the goal of secure, efficient, and available social network in a decentralized setting has not been fully achieved.
This thesis contributes to the research in the field of security for social networks with focus on decentralized social networks. It studies encryptionbased access control and management of cryptographic keys/credentials (required for this access control) via user accounts with passwordbased login in decentralized social networks.
First, this thesis explores the requirements of encryption for decentralized social networks and proposes a list of criteria for evaluation that is then used to assess existing encryptionbased access control systems. We find that all of them provide confidentiality guarantees (of the content itself), while privacy (of information about the content or access policies) is either not addressed at all or it is addressed at the expense of system's performance and flexibility.
We highlight the potential of two classes of privacy preserving schemes in the decentralized online social network (DOSN) context: broadcast encryption schemes with hidden access structures and predicate encryption (PE) schemes, and propose to use them. Both of these classes contain schemes that exhibit desirable properties and better fulfill the criteria.
Second, the thesis analyses predicate encryption and adapts it to the DOSN context as it is too expensive to use out of the box. We propose a univariate polynomial construction for access policies in PE that drastically increases performance of the scheme but leaks some part of the access policy to users with access rights. We utilize Bloom filters as a means of decreasing decryption time and indicate objects that can be decrypted by a particular user. The thesis demonstrates that adapted scheme shows good performance and thus user experience by making a newsfeed assembly experiment.
Third, the thesis presents a solution to the problem of management of cryptographic keys for authentication and communication between users in decentralized online social networks. We propose a passwordbased login procedure for the peertopeer (P2P) setting that allows a user who passes authentication to recover a set of cryptographic keys required for the application. In addition to password logins, we also present supporting protocols to provide functionality related to password logins, such as remembered logins, password change, and recovery of the forgotten password. The combination of these protocols allows emulating password logins in centralized systems. The results of performance evaluation indicate that time required for logging in operation is within acceptable bounds.

29 May 2015 at 14:00 in room E2
(licentiate thesis):Privacy Analysis and Protocols for Decentralized Online Social Networks
(Benjamin Greschbach, KTH)Decentralized Online Social Networks (DOSNs) are evolving as a promising approach to mitigate designinherent privacy flaws of logically centralized services such as Facebook, Google+ or Twitter. Common approaches to implement a DOSN build upon a peertopeer (P2P) architecture in order to avoid the central aggregation of sensitive user data at one providercontrolled location.
While the absence of a single point of data aggregation strikes the most powerful attacker from the list of adversaries, the decentralization also removes some privacy protection afforded by the provider's intermediation of all communication in a centralized Online Social Network (OSN). As content storage, access right management, retrieval and other administrative tasks of the service become the obligation of the users, it is nontrivial to hide the metadata of objects and information flows, even when the content itself is encrypted. Such metadata is, deliberately or as a side effect, hidden by the provider in a centralized system.
Implementing the different features of a privacypresvering DOSN does not only face these general challenges but must also cope with the absence of a trusted agent with full access to all data. For example user authentication should provide the same usabilty known from common centralized OSN services, such as ease of changing a password, revoking the access of a stolen device or resetting a forgotten password via email or security questions. All this without relying on a trusted third party such as an identity provider. Another example is user search, where the challenge is to protect user data while making user findable at the same time. An implementation of such a feature in a DOSN has to work without assuming a trusted provider having access to all user profiles maintaining a global search index.
In this work we analyze the general privacyproblems in a DOSN, especially those arising from metadata. Furthermore, we suggest two privacypreserving implementations of standard OSN features, i.e., user authentication via passwordlogin and user search via a knowledge threshold. Both implementations do not rely on a trusted, central provider and are therefore applicable in a DOSN cenario but can be applied in other P2P or lowtrust environments as well.

22 May 2015 at 14:00 in Kollegiesalen
(PhD thesis): Some aspects of cryptographic protocols : with applications in electronic voting and digital watermarking
(Björn Terelius, KTH)Cryptographic protocols are widely used on the internet, from relatively simple tasks such as keyagreement and authentication to much more complex problems like digital cash and electronic voting. Electronic voting in particular is a problem we investigate in this thesis.
In a typical election, the main goals are to ensure that the votes are counted correctly and that the voters remain anonymous, i.e. that nobody, not even the election authorities, can trace a particular vote back to the voter. There are several ways to achieve these properties, the most general being a mixnet with a proof of a shuffle to ensure correctness. We propose a new, conceptually simple, proof of a shuffle. We also investigate a mixnet which omits the proof of a shuffle in favor of a faster, heuristically secure verification. We demonstrate that this mixnet is susceptible to both attacks on correctness and anonymity. A version of this mixnet was tested in the 2011 elections in Norway.
We also look at a simple and widely used proof of knowledge of a discrete logarithm in groups of prime order. While the requirement of prime order is well known, we give a precise characterization of what the protocol proves in a group of composite order. Furthermore, we present attacks against a class of protocols of the same form, which shows that the protocol cannot easily be extended to groups where the order is composite or unknown.
We finally look at the problem of music and video piracy. Using a buyerseller watermark to embed a unique watermark in each sold copy has been proposed as a deterrent since it allows a seller who discovers a pirated copy to extract the watermark and find out which buyer released it. Existing buyerseller watermarking schemes assume that all copies are downloaded directly from the seller. In practice, however, the seller wants to save bandwidth by allowing a paying customer to download most of the content from other buyers. We introduce this as an interesting open research problem and present a proofofconcept protocol which allows transfer of content between buyers while keeping the seller's communication proportional to the size of the watermark rather than the size of the content.

20 Mar 2015 at 10:00 in E2, Lindstedtsvägen 3
(licentiate thesis):Efficient Use of Exponential Size Linear Programs
(Lukáš Poláček, TCS)In the past decades, linear programming (LP) has been successfully used to develop approximation algorithms for various optimization problems. In partic ular, the socalled assignment LP has lead to substantial progress for various allocation problems, including scheduling unrelated parallel machines. However, we have reached its limits for many problems, since the bestknown approx imation algorithms match the integrality gap of the assignment LP for these problems.
The natural question is then whether a different LP formulation can lead to better algorithms. We answer this question positively for variants of two alloca tion problems: maxmin fair allocation and maximum budgeted allocation. This is achieved by using a more powerful LP formulation called the configuration LP that has an exponential number of variables, but can be approximated in polynomial time.
The restricted maxmin fair allocation problem, also known as the restricted Santa Claus problem, is one of few problems that have a better polynomial estimation algorithm than approximation algorithm. An estimation algorithm estimates the value of the optimal solution, but is not necessarily able to find the optimal solution. The configuration LP can be used to estimate the optimal value within a factor of 1/(4 + ε) for any ε > 0, but it is only known how to efficiently find a solution achieving this value in exponential time. We give an approximation algorithm with the same approximation ratio but improve the running time to quasipolynomial: nO(log n). Our techniques also have the interesting property that although we use the rather complex configuration LP in the analysis, we never actually solve it and therefore the resulting algorithm is purely combinatorial.
For the maximum budgeted allocation (MBA) the integrality gap of the assignment LP is exactly 3/4. We prove that the integrality gap of the configuration LP is strictly better than 3/4 and provide corresponding polynomial time rounding algorithms for two variants of the problem: the restricted MBA and the graph MBA. Finally, we improve the bestknown upper bound on the √ integrality gap for the general case from 5/6 ≈ 0.833 to 2 2 − 2 ≈ 0.828 and also show hardness of approximation results for both variants studied.