CAREER: A Policy-Agnostic Programming Framework for Statistical Privacy

职业生涯：一个与策略无关的统计隐私编程框架

• 批准号: 1750669
• 负责人: Jean Yang
• 金额: $ 55万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-04-01 至 2024-03-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1750669&HistoricalAwards=false
• 关键词: CAREER; Policy; Agnostic; Programming; Framework

This project develops a new programming model that incorporates a theory of differential privacy. Differential privacy is a formulation of statistical privacy that protects individual data values while still allowing the release of results from privacy-preserving analyses. Prior work on language-based techniques for differential privacy has focused on preventing leaks, rejecting programs either statically, before they run, or dynamically, as they run, before they leak too much information. This project uses an approach that allows the compiler and runtime to enforce privacy requirements by construction. The objective is two-fold: to make it easier for programmers to implement privacy-preserving data analytics, and to provide provable privacy guarantees. The approach facilitates the programming of differentially algorithms, while allowing non-experts to build up intuitions about what makes programs differentially private. The project integrates research with education by developing a framework to educate non-experts about statistical privacy, by disseminating results to both the academic community and collaborators, and incorporating the techniques into the security curriculum.Central to the technical approach is the concept of policy-agnostic programming, where a programmer can write policy-enforcing code that looks similar to (simpler) policy-free code and relies on the runtime environment to customize program behavior to enforce policies. The project develops the theory and infrastructure for a new programming framework called Jostle that supports privacy-agnostic programming through exposing fine-grained algorithmic choices to the programmer. The compiler and runtime, rather than the programmer, is responsible for navigating the space of privacy and accuracy trade-offs. Making this work involves (1) a dynamic semantics for policy-agnostic differential privacy, (2) a decidable probabilistic relational type system, and (3) a compilation framework for policy-agnostic differential privacy that uses the results of (1) and (2) for statically and dynamically exploring privacy/accuracy tradeoffs. The resulting system supports implementations of complex machine learning algorithms that are agnostic to the differential privacy concerns, and allow the programmer to rely on the compiler and runtime to modify programs to satisfy privacy requirements. The approach is intended to be sufficiently general to support different formulations of statistical privacy.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

该项目开发了一种新的编程模型，该模型结合了差分隐私理论。差异隐私是统计隐私的一种表述，它保护个人数据值，同时仍然允许发布隐私保护分析的结果。先前的工作基于语言的技术差异隐私的重点是防止泄漏，拒绝程序静态地，在他们运行之前，或动态地，因为他们运行，在他们泄漏太多的信息。这个项目使用了一种方法，允许编译器和运行时通过构造来强制执行隐私要求。目标有两个：使程序员更容易实现隐私保护数据分析，并提供可证明的隐私保证。这种方法有利于差分算法的编程，同时允许非专家建立关于是什么使程序差分私有的直觉。该项目将研究与教育结合起来，通过开发一个框架来教育非专家了解统计隐私，向学术界和合作者传播结果，并将技术纳入安全课程。其中程序员可以编写看起来类似于（更简单的）无策略代码的策略执行代码，并且依赖于运行时环境来定制程序行为以执行策略。该项目为一个名为Jostle的新编程框架开发了理论和基础设施，该框架通过向程序员公开细粒度的算法选择来支持隐私不可知的编程。编译器和运行时，而不是程序员，负责导航隐私和准确性权衡的空间。这项工作涉及（1）策略不可知的差分隐私的动态语义，（2）可判定的概率关系类型系统，以及（3）策略不可知的差分隐私的编译框架，该框架使用（1）和（2）的结果静态和动态地探索隐私/准确性权衡。由此产生的系统支持复杂的机器学习算法的实现，这些算法对差分隐私问题是不可知的，并允许程序员依靠编译器和运行时来修改程序以满足隐私要求。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。