
Programming Trustworthy Provenance



Presentation Transcript


  1. Programming Trustworthy Provenance
     Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely
     School of CTI, DePaul University, Chicago
     Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007

  2. Commuter says "my train was delayed". Delay notice forged? Provenance of the notice is needed for decisions.
     Programming Trustworthy Provenance (Corin Pitcher)

  3. This Talk
     • Programming with provenance for security, privacy, & workflow in decentralized systems
     • Provenance and trust
       • When is provenance on data trustworthy?
       • How does data provenance impact trust in data?
     • Authorization logic policies
       • To relate provenance & trust
     • Validation of programs against such policies

  4. Outline
     • Motivation: provenance for security
     • Programming with provenance and trust
     • Policies and program analysis

  5. Existing Provenance in Access Control
     • Stack inspection (Java/.NET) - trusted & untrusted code
     • Code logging to file escalates privileges for thread
     • Shape of call stack determines access
     [Diagram: three call stacks of activation records built from Untrusted code, Logging code and File API frames, labelled ACCESS GRANTED, ACCESS DENIED and ACCESS GRANTED]

  6. Controls: Security, Privacy, Workflow
     Provenance used for identity in:
     • Authorization controls (access control)
       • Prevent unauthorized actions before harm occurs
     • Auditing controls (for accountability/recovery)
       • Discourage unauthorized actions
       • Recover from unauthorized actions
     • Privacy controls
       • Restrict use of private information
     • Workflow controls
       • Enforce compliance with patterns of activity

  7. Account Aggregation
     Owner of account at financial institution
     • Direct access to account
     • Access via an approved account aggregator
     • Other principals providing confidentiality / integrity
     [Diagram: message flow among Owner, Owner's VPN, Aggr's VPN, Aggregator and Institution, with calls labelled getBalance, submitAggr and approveAggr; caption "Other principals involved in request"]

  8. Account Aggregation Properties
     Provenance of messages used throughout
     • Authorization
       • Use provenance of request to determine authorization
     • Auditing
       • Record provenance of request in audit log
     • Privacy
       • Detect privacy violations in provenance of response
     • Workflow
       • Enforce two-step approval of aggregator
     Recurring issue: Is the provenance trustworthy?

  9. Outline
     • Motivation: provenance for security
     • Programming with provenance and trust
     • Policies and program analysis

  10. Programming: Provenance and Trust
      • Dynamic support for provenance
        • Identities, origin of objects, and immediate provenance
      • Representation of provenance
        • Full histories, partial histories
      • Behaviour of programs w.r.t. provenance and trust
        • Creation & use of provenance
        • When is provenance trusted?

  11. Dynamic Support for Provenance
      • Distributed objects & remote method invocation
        • E.g., Java-RMI
      • Explicit identities = locations
        • Objects are located and code runs at a location
      • Origin of objects
        • Remote object reference points to object's location
      • Immediate provenance
        • Caller's identity is known

  12. User-Defined Provenance
      • Create & use full history of computation
      • Drawbacks to full history
        • Expensive
        • Confidentiality and privacy issues
      • Partial history
        • Remove history
        • With justification, e.g., after access control / auditing

  13. User-Defined Provenance
      [Diagram: immediate provenance of messages passed among Owner, Owner's VPN, Aggr's VPN and Aggregator; a composite message stores provenance around the request "Account balance for customer #1234"; object location is shown (Aggregator is location)]

  14. Trustworthy Provenance?
      • Owner's VPN could omit additional intermediaries
      • Aggregator code has to check:
        • Owner's VPN permitted in path
        • Owner's VPN is trusted to report provenance
      • Mitigated by Owner location for original request
      [Diagram: request passing from Owner through an Intermediary and Owner's VPN to Aggr's VPN, with the Intermediary absent from the reported provenance]

  15. Trustworthy Provenance?
      • Aggr's VPN may legitimately recreate (re-sign / relocate) objects
      • Aggregator's recreation is similar
      • Are the results trustworthy?
        • No direct proof of participation by Owner or Owner's VPN
      • Complex program behaviour
        • High-level account of behaviour?
      [Diagram: request from Owner via Owner's VPN, recreated at Aggr's VPN]

  16. Outline
      • Motivation: provenance for security
      • Programming with provenance and trust
      • Policies and program analysis

  17. Policies and Program Analysis
      • Programs manipulating trust & provenance
      • Policies to describe behaviour enforced by programs?
        • Examples coming up
      • How can we express those policies?
        • Authorization logic
      • Validate program's behaviour against policies?
        • Static analysis via type/effect system

  18. Propositional Effects - Statics
      A proposition P communicated from sender to receiver, e.g., "Access granted"
      Issue: Inconsistency of local states (of beliefs / knowledge)
      Need worlds / contexts INSIDE logic
      [Diagram, Sender column: P known; ... send message ...; P known.
       Receiver column: P not known; ... receive message ...; (Sender says P) known; P known]

  19. Authorization Logic
      • Mendler (Lax modal logic)
      • Abadi, Plotkin, Lampson, Burrows, Wobber
      • Garg, Pfenning

  20. Example: Simple Workflow Policy
      • Authorization logic represents submission & approval of data by two principals
      • Used for approval of aggregator
      [Code figure: class hierarchy in which Initiator submits data and Manager approves data; assertions appear in code as effects]

  21. Example: Aggregator's Policy
      Recall Aggregator's request rewriting behaviour
      [Diagram: request passed from Owner via Owner's VPN and Aggr's VPN to Aggregator, which rewrites it]

  22. Policies
      Nested request objects and the effects (authorization-logic assertions) attached to them:
        p  { tgt: AggrVPN,  src: OwnerVPN, payload: q }   effect: AggrVPN
        q  { tgt: OwnerVPN, src: Owner,    payload: r }   effect: OwnerVPN
        r  { data: Owner }                                 effect: Owner

  23. Policies
      The same chain, now justifying the Aggregator's creation of a new object:
        p  { tgt: AggrVPN,  src: OwnerVPN, payload: q }   effect: AggrVPN
        q  { tgt: OwnerVPN, src: Owner,    payload: r }   effect: OwnerVPN
        r  { data: Owner }                                 effect: Owner
        s  { data: Owner }                                 effect: Aggregator  (justifies creation by aggregator)
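The checks from slide 14 (Owner's VPN permitted in path, Owner's VPN trusted to report provenance) and the p/q/r chain of slides 22-23 are modelled below as an added example; this is illustrative code, not the talk's calculus. The principal names, the permitted path and the trusted-reporter set are assumed policy values.

```python
from dataclasses import dataclass

# Added example (not the talk's calculus): a composite message stores provenance.
# src is the immediate provenance the receiver (tgt) learns from the RMI runtime;
# payload is the message the sender itself received, down to the original data.
@dataclass(frozen=True)
class Data:
    location: str                      # origin: the location that created the object

@dataclass(frozen=True)
class Msg:
    tgt: str
    src: str
    payload: "Msg | Data"

# Aggregator's policy (assumed values): the permitted request path, innermost
# principal last, and the principals trusted to report provenance truthfully.
PERMITTED_PATH = ("AggrVPN", "OwnerVPN", "Owner")
TRUSTED_REPORTERS = frozenset({"AggrVPN", "OwnerVPN", "Owner"})

def claims(m):
    """Authorization-logic assertions carried by the message, as (speaker, claim).
    Each hop says what it observed ('tgt says src(m) = s'); the leaf says its origin."""
    out = []
    while isinstance(m, Msg):
        out.append((m.tgt, ("src", m.src)))
        m = m.payload
    out.append((m.location, ("data", m.location)))
    return out

def justified_origin(m, path=PERMITTED_PATH, trusted=TRUSTED_REPORTERS):
    """Origin the Aggregator may assert for a re-created object, or None.
    A claim counts only if its speaker sits at that position in the permitted path,
    is trusted to report provenance, and names the next permitted principal as src."""
    cs = claims(m)
    if len(cs) != len(path):
        return None                     # extra or missing hop, e.g. an intermediary
    for i, (speaker, (kind, subject)) in enumerate(cs):
        if speaker != path[i] or speaker not in trusted:
            return None
        expected = path[i + 1] if kind == "src" else path[i]
        if subject != expected:
            return None
    return cs[-1][1][1]

def aggregator_recreate(m):
    """Aggregator's request rewriting: build s = Data(origin) only when justified."""
    origin = justified_origin(m)
    return Data(origin) if origin else None

# Constructed sample: r inside q inside p, as on the slides, plus a request that
# honestly reports an extra hop through an Intermediary not permitted in the path.
r = Data("Owner")
q = Msg(tgt="OwnerVPN", src="Owner", payload=r)
p = Msg(tgt="AggrVPN", src="OwnerVPN", payload=q)
p_via_intermediary = Msg("AggrVPN", "OwnerVPN", Msg("OwnerVPN", "Intermediary", Msg("Intermediary", "Owner", r)))
```

An intermediary that Owner's VPN silently omits is invisible to this check, which is why the slide insists that Owner's VPN itself must be trusted to report provenance (and why the Owner's recorded location for the original request mitigates the problem).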

  24. Results
      • Distributed object calculus with authorization logic policies in type/effect system
        • E.g., Aggregator code typechecks with respect to preceding policy
        • Guarantees that Aggregator's dynamic behaviour is constrained by policy
      • Draft technical report available
        • Email to cpitcher AT cs.depaul.edu

  25. Summary
      • In decentralized systems:
        • Provenance use in security, privacy, workflow controls
        • User-programmable handling of provenance
        • Provenance trustworthy and impact on trust in data?
      • Authorization logic policies describe provenance and trust behaviour of programs
        • Validate programs against policies

  26. The End
      Questions or comments?

  27. Backup Slides

  28. Object Creation

  29. An opponent is any process located at the principal 1. Opponents are free to lie, and thus are completely free to construct any new objects. Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.
