Publications

Toward improving EN adoption: Bridging the gap between stated intention and actual use

Summary

As the COVID-19 pandemic swept the globe in the spring of 2020, technologists looked to enlist technology to assist public health authorities (PHAs) and help stem the tide of infections. As part of this technology push, experts in health care, cryptography, and other related fields developed the Private Automated Contact Tracing (PACT) protocol and related projects to assist the public health objective of slowing the spread of SARS-CoV-2 through digital contact tracing. The protocol jointly deployed by Google and Apple (Google-Apple Exposure Notifications, also known as GAEN or EN), which became the de facto standard in the U.S., employs the same features as detailed by PACT. The protocol leverages smartphone Bluetooth communications to alert users of potential contact with those carrying the COVID-19 virus in a way that preserves the privacy of both the known-infected individual and the users receiving the alert. Contact tracing and subsequent personal precautions are more effective at reducing disease spread when more of the population participates, but there are known difficulties with the adoption of novel technology. In order to help the U.S. Centers for Disease Control and Prevention (CDC) and U.S. state-level public health teams address these difficulties, a team of staff from MIT's Lincoln Laboratory (MIT LL) and Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) focused on studying user perception and information needs.

Modeling probability of alert of Bluetooth low energy-based automatic exposure notifications

Published in:
MIT Lincoln Laboratory Report ACTA-4

Summary

BLEMUR, or Bluetooth Low Energy Model of User Risk, is a model of the probability of alert at a given duration and distance from an index case for a specific configuration of settings of an Exposure Notification (EN) system. The Google-Apple EN framework operates in the duration and Bluetooth Low Energy (BLE) signal attenuation domains. However, many public health definitions of "exposure" to a disease are based upon the distance between an index case and another person. To bridge the conceptual gap for public health authorities (PHAs) from the familiar distance-and-duration space to the signal attenuation-and-duration space, BLEMUR uses BLE signal attenuation as a proxy for distance between people, albeit an imprecise one. This paper will discuss the EN settings that can be manipulated, the BLE data collected, how the data support a model of the relationship between measured attenuation and distance between phones, and how BLEMUR calculates the probability of alert for a distance and duration based on the settings and data.

Nearfield anechoic chamber and farfield on-site antenna calibration pattern comparison of an S-band planar phased array radar

Published in:
IEEE Annual Conf. on Wireless and Microwave Technology, WAMICON, 27-28 April 2022.

Summary

The Advanced Technology Demonstrator (ATD) is an active, S-band, dual-polarization phased array radar developed for weather sensing. The ATD is an active electronically scanned array (AESA) with a 4-m aperture composed of 4,864 individual transmit/receive (T/R) modules. The antenna was calibrated at the element, subarray, and array levels. Calibration, validation, and verification testing was completed in two main stages: first in an anechoic chamber, and second after the antenna was installed on site in its permanent location. This paper describes the procedure used to collect antenna patterns at each stage and compares three key performance metrics: beamwidth, mean-squared sidelobe level (MSSL), and integrated sidelobe level (ISL).

Graph-guided network for irregularly sampled multivariate time series

Published in:
International Conference on Learning Representations, ICLR 2022.

Summary

In many domains, including healthcare, biology, and climate science, time series are irregularly sampled with varying time intervals between successive readouts and different subsets of variables (sensors) observed at different time points. Here, we introduce RAINDROP, a graph neural network that embeds irregularly sampled and multivariate time series while also learning the dynamics of sensors purely from observational data. RAINDROP represents every sample as a separate sensor graph and models time-varying dependencies between sensors with a novel message passing operator. It estimates the latent sensor graph structure and leverages the structure together with nearby observations to predict misaligned readouts. This model can be interpreted as a graph neural network that sends messages over graphs that are optimized for capturing time-varying dependencies among sensors. We use RAINDROP to classify time series and interpret temporal dynamics on three healthcare and human activity datasets. RAINDROP outperforms state-of-the-art methods by up to 11.4% (absolute F1-score points), including techniques that deal with irregular sampling using fixed discretization and set functions. RAINDROP shows superiority in diverse setups, including challenging leave-sensor-out settings.

Cross-language attacks

Published in:
Network and Distributed System Security (NDSS) Symposium 2022.

Summary

Memory corruption attacks against unsafe programming languages like C/C++ have been a major threat to computer systems for multiple decades. Various sanitizers and runtime exploit mitigation techniques have been shown to only provide partial protection at best. Recently developed ‘safe’ programming languages such as Rust and Go hold the promise to change this paradigm by preventing memory corruption bugs using a strong type system and proper compile-time and runtime checks. Gradual deployment of these languages has been touted as a way of improving the security of existing applications before entire applications can be developed in safe languages. This is notable in popular applications such as Firefox and Tor. In this paper, we systematically analyze the security of multi-language applications. We show that because language safety checks in safe languages and exploit mitigation techniques applied to unsafe languages (e.g., Control-Flow Integrity) break different stages of an exploit to prevent control hijacking attacks, an attacker can carefully maneuver between the languages to mount a successful attack. In essence, we illustrate that the incompatible set of assumptions made in various languages enables attacks that are not possible in each language alone. We study different variants of these attacks and analyze Firefox to illustrate the feasibility and extent of this problem. Our findings show that gradual deployment of safe programming languages, if not done with extreme care, can indeed be detrimental to security.

Preventing Kernel Hacks with HAKCs

Published in:
Network and Distributed System Security (NDSS) Symposium 2022.

Summary

Commodity operating system kernels remain monolithic for practical and historical reasons. All kernel code shares a single address space, executes with elevated processor privileges, and has largely unhindered access to all data, including data irrelevant to the completion of a specific task. Applying the principle of least privilege, which limits available resources to only those needed to perform a particular task, to compartmentalize the kernel would realize major security gains, similar to microkernels yet without the major redesign effort. Here, we introduce a compartmentalization design, called Hardware-Assisted Kernel Compartmentalization (HAKC), that approximates least-privilege separation while minimizing both developer effort and performance overhead. HAKC divides code and data into separate partitions and specifies an access policy for each partition. Data is owned by a single partition, and a partition's access-control policy is enforced at runtime, preventing unauthorized data access. When a partition needs to transfer control flow to outside itself, data ownership is transferred to the target and transferred back upon return. The HAKC design allows for isolating code and data from the rest of the kernel without utilizing any additional Trusted Computing Base while compartmentalized code is executing. Instead, HAKC relies on hardware for enforcement. Loadable kernel modules (LKMs), which dynamically load kernel code and data providing specialized functionality, are the single largest part of the Linux source base. Unfortunately, their collective size and complexity make LKMs the cause of the majority of CVEs issued for the Linux kernel. The combination of a large attack surface in kernel modules and the monolithic design of the Linux kernel makes LKMs ideal candidates for compartmentalization.
To demonstrate the effectiveness of our approach, we implement HAKC in Linux v5.10 using extensions to the Arm v8.5-A ISA, and compartmentalize the ipv6.ko LKM, which consists of over 55k LOC. The average overhead measured in Apachebench tests was just 1.6%–24%. Additionally, we compartmentalize the nf_tables.ko packet filtering LKM, and measure the combined impact of using both LKMs. We find a reasonable linear growth in overhead when both compartmentalized LKMs are used. Finally, we measure no significant difference in performance when using the compartmentalized ipv6.ko LKM over the unmodified LKM during real-world web browsing experiments on the Alexa Top 50 websites.

System analysis for responsible design of modern AI/ML systems

Summary

The irresponsible use of ML algorithms in practical settings has received a lot of deserved attention in recent years. We posit that the traditional system analysis perspective is needed when designing and implementing ML algorithms and systems. Such a perspective can provide a formal way of evaluating and enabling responsible ML practices. In this paper, we review components of the System Analysis methodology and highlight how they connect to and enable responsible practices of ML design.

COVID-19 exposure notification in simulated real-world environments

Summary

Privacy-preserving contact tracing mobile applications, such as those that use the Google-Apple Exposure Notification (GAEN) service, have the potential to limit the spread of COVID-19 in communities, but the privacy-preserving aspects of the protocol make it difficult to assess the performance of the apps in real-world populations. To address this gap, we exercised the CovidWatch app on both Android and iOS phones in a variety of scripted real-world scenarios relevant to the lives of university students and employees. We collected exposure data from the app and from the lower-level Android service, and compared it to the phones' actual distances and durations of exposure, to assess the sensitivity and specificity of the GAEN service configuration as of February 2021. Based on the app's reported ExposureWindows and alerting thresholds for Low and High alerts, our assessment is that the chosen configuration is highly sensitive under a range of realistic scenarios and conditions. With this configuration, the app is likely to capture many long-duration encounters, even at distances greater than six feet, which may be desirable under conditions with increased risk of airborne transmission.

The Simulation of Automated Exposure Notification (SimAEN) Model

Summary

Automated Exposure Notification (AEN) was implemented in 2020 to supplement traditional contact tracing for COVID-19 by estimating "too close for too long" proximities of people using the service. AEN uses Bluetooth messages to privately label and recall proximity events, so that persons who were likely exposed to SARS-CoV-2 can take the appropriate steps recommended by their health care authority. This paper describes an agent-based model that estimates the effects of AEN deployment on COVID-19 caseloads and public health workloads in the context of other critical public health measures available during the COVID-19 pandemic. We selected simulation variables pertinent to AEN deployment options, varied them in accord with the system dynamics available in 2020-2021, and calculated the outcomes of key metrics across repeated runs of the stochastic multi-week simulation. SimAEN's parameters were set to ranges of observed values in consultation with public health professionals and the rapidly accumulating literature on COVID-19 transmission; the model was validated against available population-level disease metrics. Estimates from SimAEN can help public health officials determine which AEN deployment decisions (e.g., configuration, workflow integration, and targeted adoption levels) can be most effective in their jurisdiction, in combination with other COVID-19 interventions (e.g., mask use, vaccination, quarantine and isolation periods).

Bluetooth Low Energy (BLE) Data Collection for COVID-19 Exposure Notification

Summary

Privacy-preserving contact tracing mobile applications, such as those that use the Google-Apple Exposure Notification (GAEN) service, have the potential to limit the spread of COVID-19 in communities; however, the privacy-preserving aspects of the protocol make it difficult to assess the performance of the Bluetooth proximity detector in real-world populations. The GAEN service configuration of weights and thresholds enables hundreds of thousands of potential configurations, and it is not well known how the detector performance of candidate GAEN configurations maps to the actual "too close for too long" standard used by public health contact tracing staff. To address this gap, we exercised a GAEN app on Android phones at a range of distances, orientations, and placement configurations (e.g., shirt pocket, bag, in hand), using RF-analogous robotic substitutes for human participants. We recorded exposure data from the app and from the lower-level Android service, along with the phones' actual distances and durations of exposure.