Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory.

Slides:

Advertisements

Similar presentations

TAKING PART CONFERENCE: OPEN SPACES: SUMMARY Taking Part Conference Venues: Southbank Centre and Goldsmiths, University of London Dates: October 29th and.

Advertisements

Immanuel Kant ( ) Theory of Aesthetics

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

Legal Options to Secure Community-Based Property Rights. Fernanda Almeida.

4/30/20151 Quality Assurance Overview. 4/30/20152 Quality Assurance System Overview FY 04/05- new Quality Assurance tools implemented, taking into consideration.

Auditing Concepts.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

1 1 What Is Economics? Why does public discussion of economic policy so often show the abysmal ignorance of the participants? Whey do I so often want.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

1 Accountability and Deterrence in Online Life Joan Feigenbaum 3 rd Web Sciences Conf.; June 16, 2011 Joint work with.

OASIS Reference Model for Service Oriented Architecture 1.0

Towards a Better Understanding of Accountability Work in progress (joint with Joan Feigenbaum and Rebecca Wright) 10 December 2010 Security & Privacy Day.

QR 38 4/10 and 4/12/07 Bayes’ Theorem I. Bayes’ Rule II. Updating beliefs in deterrence III. Hegemonic policy.

Psychological Aspects of Risk Management and Technology – G. Grote ETHZ, Fall09 Psychological Aspects of Risk Management and Technology – Overview.

Specifying a Purpose, Research Questions or Hypothesis

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

The Architecture Design Process

Determinants of Judgment Performance By: Lea Sulaiman Saputra D1555.

Specifying a Purpose, Research Questions or Hypothesis

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

11 Accountability in International Data Exchange JOAN FEIGENBAUM May 4, 2010; NSF Inco-Trust.

Control of Personal Information in a Networked World Rebecca Wright Boaz Barak Jim Aspnes Avi Wigderson Sanjeev Arora David Goodman Joan Feigenbaum ToNC.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Specifying a Purpose, Research Questions or Hypothesis

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.

Building a Corporate Risk Culture Shane Troyer, CPA, CIA, CFE, CISSP Principal Operational Advisory Joost Houwen, CISA,

Information Can Preserve Structure Across Scientific Revolutions John Collier Philosophy and Ethics University of KwaZulu-Natal

Ch. 2: Planning a Study (cont’d) pp THE RESEARCH PROPOSAL  In all empirical research studies, you systematically collect and analyze data 

Computer Science 725 – Software Security Presentation “Decentralized Trust Management” Decentralized Trust ManagementDecentralized Trust Management M.

 An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network.

HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.

A Flexible Access Control Model for Web Services Elisa Bertino CERIAS and CS Department, Purdue University Joint work with Anna C. Squicciarini – University.

 Three-Schema Architecture Three-Schema Architecture  Internal Level Internal Level  Conceptual Level Conceptual Level  External Level External Level.

Combining Theory and Systems Building Experiences and Challenges Sotirios Terzis University of Strathclyde.

Information Security - City College1 Access Control in Collaborative Systems Authors: Emis Simo David Naco.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

+ Chapter 9: Management of Business Intelligence © Sabherwal & Becerra-Fernandez.

The TAOS Authentication System: Reasoning Formally About Security Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.

The Impact of Evolving IT Security Concerns On Cornell Information Technology Policy.

Requirement engineering Good Practices for Requirements Engineering

CHAPTER 9 HARDENING SERVERS. C REATING A BASELINE POLICY Security parameters used to create a baseline installation can be configured using a Group Policy.

Automated Mechanism Design Tuomas Sandholm Presented by Dimitri Mostinski November 17, 2004.

Egocentric Context-Aware Programming in Ad Hoc Mobile Environments Christine Julien Gruia-Catalin Roman Mobile Computing Laboratory Department of Computer.

M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proc. of the 17 th Symposium on Security and Privacy, pages IEEE Computer.

Academic Reading ENG 115.

Academic Year 2014 Spring Academic Year 2014 Spring.

1 Joint work with Claudio Antares Mezzina and Jean-Bernard Stefani Controlled Reversibility and Compensations Ivan Lanese Focus research group Computer.

MDA & RM-ODP. Why? Warehouses, factories, and supply chains are examples of distributed systems that can be thought of in terms of objects They are all.

Foundations of Information Systems in Business. System ® System  A system is an interrelated set of business procedures used within one business unit.

International Conference on Fuzzy Systems and Knowledge Discovery, p.p ,July 2011.

Protection & Security Greg Bilodeau CS 5204 October 13, 2009.

OOD OO Design. OOD-2 OO Development Requirements Use case analysis OO Analysis –Models from the domain and application OO Design –Mapping of model.

Chapter 6 Coordination of Resources, Programs, and Services.

Initial Project Aims To increase the capacity of primary schools in partnership with parents to implement a sustainable health and sexuality education.

Company LOGO Chapter4 Internal control systems. Internal control  It is any action taken by management to enhance the likelihood that established objectives.

Outcomes By the end of our sessions, participants will have…  an understanding of how VAL-ED is used as a data point in developing professional development.

OOAD Using the UML - Use-Case Analysis, v 4.2 Copyright  Rational Software, all rights reserved 1 Use Case Analysis – Part 4 Analysis Mechanisms.

1 The XMSF Profile Overlay to the FEDEP Dr. Katherine L. Morse, SAIC Mr. Robert Lutz, JHU APL

Auditing Concepts.

Ch. 2: Planning a Study.

Community Development

McGraw-Hill/Irwin Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.

3D Transformation CS380: Computer Graphics Sung-Eui Yoon (윤성의)

Proposed ISQC 1 (Revised)

Module 2 OBJECTIVE 14: Compare various security mechanisms.

Welcome to the CSBM workshop: Managing the school environment

Customer Empowerment Working Group

Chapter 5 Computer Security

Presentation transcript:

Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory

Collaborators Joint with Joan Feigenbaum, Rebecca Wright – Parts also with Jim Hendler, Danny Weitzner, and Hongda Xiao

Overview “Accountability” is used in lots of ways – Complements preventive security – Is generally viewed as good – This space needs formal definitions What are the goals? Formalize accountability and related notions – Facilitate reasoning about this – Enable comparison (and discussion) across sytems What is the role of identity/identifiability?

What Are the End Goals? Deterrence – Focus here Others – Comply with requirements on processes With an eye on these, don’t make things implicit that don’t need to be

Temporal Spectrum [FJWX’12] PreventionDetectionEvidenceJudgmentPunishment Violation Many systems focus on various (different) aspects of evidence/judgment/punishment – E.g., accountable blacklistable credentials, accountable signatures, e-cash, reputation schemes,...

Focus on Punishment Shift focus – At least if end goal is deterrence – Effect on violator instead of information about Reduce the built-in identity assumptions – May still want to use evidence, etc., but don’t want this (and especially identity) implicit in definitions

Comments on Accountability “Accountability is a protean concept, a placeholder for multiple contemporary anxieties.” [Mashaw] “[A]ccountability has not yet had time to accumulate a substantial tradition of academic analysis.... [T]here has been little agreement, or even common ground of disagreement, over the general nature of accountability or its various mechanisms.” [Mulgan]

A CS Definition of Accountability “Accountability is the ability to hold an entity, such as a person or organization, responsible for its actions.” [Lampson]

Working Definition [FJW’11] An entity is accountable with respect to some policy (or accountable for obeying the policy) if, whenever the entity violates the policy, then, with some non-zero probability, it is, or could be, punished.

Working Definition of Accountability Builds on definition of Lampson – Avoids “hold... responsible”---explicitly don’t require external action Shift focus from evidence and judgment to punishment – Reduce need for identity – May want to reserve “accountable” for when violator is identified [Weitzner] Need to be able to distinguish those cases

Punishment Desiderata Unrelated things events shouldn’t affect whether a violator is viewed as being punished – “Luck” shouldn’t affect things – Punishment should be related to violation in question

Automatic and Mediated Punishment Intuitively: – Punishment should be connected to the violation – Punishment could be mediated by the action(s) of some authority responding to the violation (or a conviction) – Punishment could happen without any punishing act being done This might reduce need for identifiability!

Formal Model (Outline) [FJW’11] System behavior as event traces Utility functions for participants – Maybe only know distribution or “typical” utility Principal(s) associated to events What qualifies as “punishment” for a violation?

Mediated Punishment Punishing event must be caused by the fact of the violation Compare outcomes after punishment with those without the punishment – Need to remove other events caused by the violation Punishing event Subtrace Violation

Approach: Automatic Punishment The violation is automatically punished if the violator’s utility is lower in the outcomes extending the violating trace Te than in the outcomes extending T but not Te. Violation e T

Example: Three Strikes Using “typical” utilities, we capture the idea that even sociopaths are punished – Expected utilities might be skewed What is “effective” punishment?

Open/Closed Systems Degree to which a system is “open” or “closed” appears to be important Principals, identities/nyms, and systems – What does system boundary require of mapping between principals and identities Computational or algebraic restrictions Example potential tradeoff – Deterrence may be effective if we punish the nym Contexts where being able to act using that identity is important Wouldn’t need to be able to invert mapping – Other times, may need more (computable) information about mapping

Primitives Temporal spectrum (evidence, judgment, punishment) – What do these need to provide abstractly? E.g., to what extent must evidence be independently verifiable? Blame/violation Causality Identity-related – Binding between principals and identities; linkages between actions

Other Dimensions [FJWX’12] Information – Is identity required to participate in the system? – Are violations disclosed? How broadly? – Is the violator identified? How broadly? Action – Centralized v. decentralized (generally and in response to violations) – Automatic v. mediated – Requires continued access to violator?

Social Aspects Should we reserve “accountability” for approaches that require identification? That might be consistent with common uses of “to hold someone accountable.” – This may not be the fundamental goal; we may really be after deterrence. – One can be deterred even if one will not be identified Possible approach: Allay user concerns by promoting “deterrence” instead of “accountability”

Questions Are these the right notions to formalize? – Will this framework be useful for proving things? – Capturing identity? What about related notions – Compensation, detection/diagnostics, authorization Open/closed systems – Compare with international-relations example of non-accountability Subset/delegated accountability – Don’t (immediately) have individual punishment – Reduce level of identifiability – How to induce participation?