Programming Trustworthy Provenance. Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely. School of CTI, DePaul University, Chicago. Workshop on Principles of Provenance.

Presentation transcript:

Slide 1: Programming Trustworthy Provenance
Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely
School of CTI, DePaul University, Chicago
Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007

Slide 2 [slide footer, repeated on every slide: November 2007, Programming Trustworthy Provenance (Corin Pitcher)]
Commuter says "my train was delayed". Delay notice forged? Provenance of notice needed for decisions.

Slide 3: This Talk
Programming with provenance for security, privacy, & workflow in decentralized systems
Provenance and trust
  – When is provenance on data trustworthy?
  – How does data provenance impact trust in data?
Authorization logic policies
  – To relate provenance & trust
  – Validation of programs against such policies

Slide 4: Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 5: Existing Provenance in Access Control
Stack inspection (Java/.NET): trusted & untrusted code
Code logging to file escalates privileges for thread
Shape of call stack determines access
[Figure: three call stacks of activation records built from "Logging code", "Untrusted code" and "File API" frames, labelled ACCESS GRANTED, ACCESS DENIED, ACCESS GRANTED]

Slide 6: Controls: Security, Privacy, Workflow
Provenance used for identity in:
Authorization controls (access control)
  – Prevent unauthorized actions before harm occurs
Auditing controls (for accountability/recovery)
  – Discourage unauthorized actions
  – Recover from unauthorized actions
Privacy controls
  – Restrict use of private information
Workflow controls
  – Enforce compliance with patterns of activity

Slide 7: Account Aggregation
Owner of account at financial institution
  – Direct access to account
  – Access via an approved account aggregator
  – Other principals providing confidentiality / integrity
[Figure: Owner, Aggregator and Institution exchanging submitAggr, approveAggr and getBalance messages; Owner's VPN and Aggr's VPN are the other principals involved in a request]

Slide 8: Account Aggregation Properties
Provenance of messages used throughout
Authorization
  – Use provenance of request to determine authorization
Auditing
  – Record provenance of request in audit log
Privacy
  – Detect privacy violations in provenance of response
Workflow
  – Enforce two-step approval of aggregator
Recurring issue: Is the provenance trustworthy?

Slide 9: Outline (repeated)
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 10: Programming: Provenance and Trust
Dynamic support for provenance
  – Identities, origin of objects, and immediate provenance
Representation of provenance
  – Full histories, partial histories
Behaviour of programs w.r.t. provenance and trust
  – Creation & use of provenance
  – When is provenance trusted?

Slide 11: Dynamic Support for Provenance
Distributed objects & remote method invocation
  – E.g., Java RMI
Explicit identities = locations
  – Objects are located and code runs at a location
Origin of objects
  – Remote object reference points to object's location
Immediate provenance
  – Caller's identity is known

Slide 12: User-Defined Provenance
Create & use full history of computation
Drawbacks to full history
  – Expensive
  – Confidentiality and privacy issues
Partial history
  – Remove history
  – With justification, e.g., after access control / auditing

Slide 13: User-Defined Provenance
Messages: the request "Account balance for customer #1234" passes Owner -> Owner's VPN -> Aggr's VPN -> Aggregator
Immediate provenance: Owner
Object location: Aggregator is location
Composite message stores provenance
[Figure: nested request objects, each hop wrapping the message it received from the previous one]

Slide 14: Trustworthy Provenance?
Owner's VPN could omit additional intermediaries
Aggregator code has to check:
  – Owner's VPN permitted in path
  – Owner's VPN is trusted to report provenance
Mitigated by Owner location for original request
[Figure: request path Owner -> Intermediary -> Owner's VPN -> Aggr's VPN, alongside the reported path Owner -> Owner's VPN -> Aggr's VPN]

Slide 15: Trustworthy Provenance?
Aggr's VPN may legitimately recreate (re-sign / relocate) objects
  – Aggregator's recreation is similar
Are the results trustworthy?
  – No direct proof of participation by Owner or Owner's VPN
Complex program behaviour
  – High-level account of behaviour?
[Figure: request path Owner -> Owner's VPN -> Aggr's VPN]

Slide 16: Outline (repeated)
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 17: Policies and Program Analysis
Programs manipulating trust & provenance
Policies to describe behaviour enforced by programs?
  – Examples coming up
How can we express those policies?
  – Authorization logic
Validate program's behaviour against policies?
  – Static analysis via type/effect system

Slide 18: Propositional Effects - Statics
A proposition P communicated from sender to receiver, e.g., "Access granted"
Issue: inconsistency of local states (of beliefs / knowledge)
Need worlds / contexts INSIDE logic
[Figure: Sender, where P is known, sends the message; at the Receiver P is not known, and after the message is received only (Sender says P) is known there]

Slide 19: Authorization Logic
Mendler (lax modal logic)
Abadi, Plotkin, Lampson, Burrows, Wobber
Garg, Pfenning

Slide 20: Example: Simple Workflow Policy
Authorization logic represents submission & approval of data by two principals
Used for approval of aggregator
Initiator submits data; Manager approves data
Class hierarchy: Cell, SubmittedCell, ApprovedCell
Assertions appear in code as effects

Slide 21: Example: Aggregator's Policy
Recall Aggregator's request rewriting behaviour
[Figure: request path Owner -> Owner's VPN -> Aggr's VPN -> Aggregator, with the Aggregator rewriting the request]

Slide 22: Effects and policies along the request path
[Figure: message from Owner (tgt: OwnerVPN, src: Owner, payload: r, where r is the request data located at Owner); message from OwnerVPN (tgt: AggrVPN, src: OwnerVPN, payload: q); AggrVPN holds q and p. Effects and policies for each principal are shown alongside but are not recoverable from the transcript]

Slide 23: Effects and policies along the request path (continued)
[Figure: as on slide 22, extended with the Aggregator's own message s; the policy justifies its creation by the Aggregator]
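As an added example (not code from the talk or the authors' calculus), here is a small Python model of the composite messages from slides 13 and 22, the Aggregator's two checks from slide 14, and the "(Sender says P) known" reading of slide 18: a receiver observes only its immediate caller, and every earlier hop is a claim made by the principal that wrapped it. Principal names come from the slides; the policy sets, the request text and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Any, List, Tuple

@dataclass(frozen=True)
class Message:
    """Composite message: payload is the request data or the message received from the previous hop."""
    tgt: str      # intended recipient
    src: str      # immediate sender; for the innermost message, the location of the original request
    payload: Any

# Assumed Aggregator policy (not from the slides): who may sit on the path, and whose reports it trusts.
PERMITTED_INTERMEDIARIES = {"OwnerVPN", "AggrVPN"}
TRUSTED_REPORTERS = {"OwnerVPN", "AggrVPN"}

def unwrap(msg: Message) -> Tuple[List[Tuple[str, str]], Any]:
    """Peel the composite message: (src, tgt) hops outermost first, plus the innermost data."""
    hops: List[Tuple[str, str]] = []
    while isinstance(msg, Message):
        hops.append((msg.src, msg.tgt))
        msg = msg.payload
    return hops, msg

def evidence(hops: List[Tuple[str, str]]) -> List[str]:
    """What the receiver learns: the outer hop is observed (caller known); inner hops are only 'X says ...'."""
    src0, tgt0 = hops[0]
    claims = [f"known: sent({src0}, {tgt0})"]
    for (reporter, _), (src, tgt) in zip(hops, hops[1:]):
        claims.append(f"{reporter} says sent({src}, {tgt})")
    return claims

def check_request(msg: Message, receiver: str) -> Tuple[bool, str]:
    """Aggregator-side check before acting on a balance request."""
    hops, _ = unwrap(msg)
    if not hops or hops[0][1] != receiver:
        return False, "outer message not addressed to receiver"
    for (outer_src, _), (_, inner_tgt) in zip(hops, hops[1:]):
        if outer_src != inner_tgt:   # each forwarder must be the target of the message it wraps
            return False, "broken chain: forwarder differs from inner target"
    if hops[-1][0] != "Owner":       # original request must be located at the Owner
        return False, "original request not located at Owner"
    for src, _ in hops[:-1]:         # every intermediary: permitted in path and trusted to report
        if src not in PERMITTED_INTERMEDIARIES:
            return False, f"{src} not permitted in path"
        if src not in TRUSTED_REPORTERS:
            return False, f"{src} not trusted to report provenance"
    return True, "accepted"
# Constructed sample request r, q, p as on the slides: Owner -> OwnerVPN -> AggrVPN -> Aggregator
r = Message(tgt="OwnerVPN", src="Owner", payload="balance for customer #1234")
q = Message(tgt="AggrVPN", src="OwnerVPN", payload=r)
p = Message(tgt="Aggregator", src="AggrVPN", payload=q)
```

The check accepts p only under the trust assumptions in the two policy sets: if OwnerVPN omits an intermediary (slide 14) the unwrapped path looks identical, which is why the evidence list records the inner hops as "OwnerVPN says ..." rather than as facts.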

Slide 24: Results
Distributed object calculus with authorization logic policies in type/effect system
E.g., Aggregator code typechecks with respect to preceding policy
Guarantees that Aggregator's dynamic behaviour is constrained by policy
Draft technical report available
  – Contact: cpitcher AT cs.depaul.edu

Slide 25: Summary
In decentralized systems:
  – Provenance use in security, privacy, workflow controls
  – User-programmable handling of provenance
  – Is provenance trustworthy, and what is its impact on trust in data?
Authorization logic policies describe provenance and trust behaviour of programs
Validate programs against policies

Slide 26: The End
Questions or comments?

Slide 27: Backup Slides

Slide 28: Object Creation

Slide 29: Opponents
An opponent is any process located at the principal 1. Opponents are free to lie and are thus completely free to construct any new objects. Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.