Presentation is loading. Please wait.

Presentation is loading. Please wait.

A formal study of collaborative access control in distributed datalog Serge Abiteboul – Inria & ENS Cachan Pierre Bourhis CNRS & Lille Univ. & Inria Victor.

Published byMatthew Hamilton Modified over 8 years ago

Similar presentations

Presentation on theme: "A formal study of collaborative access control in distributed datalog Serge Abiteboul – Inria & ENS Cachan Pierre Bourhis CNRS & Lille Univ. & Inria Victor."— Presentation transcript:

1 A formal study of collaborative access control in distributed datalog Serge Abiteboul – Inria & ENS Cachan Pierre Bourhis CNRS & Lille Univ. & Inria Victor Vianu UCSD & Inria Serge Abiteboul – Inria & ENS Cachan Pierre Bourhis CNRS & Lille Univ. & Inria Victor Vianu UCSD & Inria

2 Plan Motivation and Webdamlog Distributed datalog with access control Results Conclusion ICDT16 - Abiteboul-Bourhis-Vianu2

3 Motivation and Webdamlog ICDT16 - Abiteboul-Bourhis-Vianu3

4 Controlling your own data A Web user has more and more data distributed in many distinct systems Distributed data management Webdam project [ERC 2008-14] Personal information management systems [Abiteboul-André-Kaplan, CACM’15] [Abiteboul-Marian tutorial EBDT’2015] Missing: access control Allowing control when data is disseminated on the Web 4ICDT16 - Abiteboul-Bourhis-Vianu

5 The Webdamlog language Extends datalog with negation, updates, distribution, delegation, time For a world that is distributed: autonomous and asynchronous peers dynamic: knowledge evolves; peers come and go Influenced by Active XML (INRIA) Dedalus (UC Berkeley) ICDT16 - Abiteboul-Bourhis-Vianu5

6 The Webdamlog system Webdamlog+AC ⇒ Webdamlog ⇒ Bloom (the language of Bud developed at UC Berkeley) Main issues 1. Variable relation/peer names 2. Delegations 3. Update propagation 4. Access control 6ICDT16 - Abiteboul-Bourhis-Vianu

7 Main access control features Data access: Users would like to control who can read and modify their information Data dissemination: Users would like to control how their data are transferred from one participant to another, and how they are combined, with the owner of each piece of data keeping some control over it Application control: Users would like to control which applications can run on their behalf, and what information these applications can access ICDT16 - Abiteboul-Bourhis-Vianu7

8 Principles The privileges: read, write, grant For extensional data, coarse grained access control For intentional data, fine grained access control At the tuple level Access privileges based on the provenance of the data Security assumptions Secure communication channel Non-adversarial peer behavior ICDT16 - Abiteboul-Bourhis-Vianu8

9 Main works on Webdamlog Language: Serge Abiteboul, Meghyn Bienvenu, Alban Galland, Emilien Antoine, A rule-based language for web data management. PODS 2011 Open-source system: Serge Abiteboul, Emilien Antoine, Gerome Miklau, Julia Stoyanovich, Jules Testard, Rule-based application development using Webdamlog. Demo in SIGMOD 2013 Access control: Vera Zaychik Moffitt, Julia Stoyanovich, Serge Abiteboul, Gerome Miklau, Collaborative Access Control in WebdamLog. SIGMOD 2015 ☜ ICDT16 - Abiteboul-Bourhis-Vianu9

10 Distributed datalog with access control To simplify, we consider distributed datalog instead of Webdamlog – no negation, no nesting, no update… To simplify, we consider only read privilege (not write/grant) ICDT16 - Abiteboul-Bourhis-Vianu10

11 Facts Facts are of the form m@p(a 1,..., a n ) where m is a relation name p is a peer name a 1,..., a n are data values (arity(m@p)= n) Examples friends@Alice(Bob) tag@Bob(Picture 456, Alice) ICDT16 - Abiteboul-Bourhis-Vianu11

12 Rules Rules are of the form $r@$P($Û) :– $r 1 @$P 1 ($Û 1 ),..., $r n @$P 1 ($Û n ) $r, $r i are relation terms $P, $P 1 are peer terms $Û, $Û i are tuples of terms Safety condition Each peer/relation variable must be bound in some $Û i before being used in $r i,$P i,$r,$P ICDT16 - Abiteboul-Bourhis-Vianu12

13 Semantics Extensional relations occur only in bodies of rules Intentional relations Input: distributed instance over the extensional relations Output: distributed instance over the intentional ones (least model of the rules satisfying the input) Subtlety: peer and relation variables Delegation: blur distinction between data and program complexity ICDT16 - Abiteboul-Bourhis-Vianu13

14 Example [at Lili] album@Alice($f) :– pictures@Lili($f) [at Alice] album@$p($f) :– album@Alice($f), friends@Alice($p) [at Bob] album@Lili :– album@Bob($f) Access control? Alice Lili Bob friends@Alice(Bob) friends@Alice(Sue) 14 Sue

15 Access to extensional facts As standard: based on access control lists [Alice] acl@Alice(pictures,$p) :– friends@Alice($p) pictures is extensional friends@Alice(Bob) Bob is allowed to see all the pictures of Alice This defines an access control policy ICDT16 - Abiteboul-Bourhis-Vianu15

16 Access to intentional facts A peer p can read a fact R@q(a) iff p can read all the tuples that are used to derive R@q(a) (in some derivation) The definition is recursive & based on provenance [at Alice] album@Alice($f) :– pictures@Alice($f) [at Bob] album@Alice($f) :– pictures@Bob($f) Sue who has read privilege to album@Alice and pictures@Alice only, can see only the pictures of Alice in album@Alice Truman paradigm (from Truman Show) – different peers see different album@Alice ICDT16 - Abiteboul-Bourhis-Vianu16

17 Paranoiac access control [at Alice] album@$p($f) :– pictures@Alice($f), friends@Alice($p) Alice shares her pictures in all her friends’ albums Issue: works only for friends who have read privilege on pictures@Alice & friends@Alice ICDT16 - Abiteboul-Bourhis-Vianu17

18 Hiding provenance to relax access control [at Alice] album@$p($f) :– pictures@Alice($f), [hide friends@Alice($p)] Hide: blocks the provenance from friends@Alice Works also for friends who have read privilege only on pictures@Alice This contributes to specifying the access control policy ICDT16 - Abiteboul-Bourhis-Vianu18

19 Results ICDT16 - Abiteboul-Bourhis-Vianu19

20 Is this feasible? Proof: can be computed in distributed datalog In practice: With some optimization [MoffittStoyanovichAbiteboulMiklau, SIGMOD 2015], Modest performance overhead in realistic scenarios Theorem: Data complexity of Webdamlog +Access Control is PTIME ICDT16 - Abiteboul-Bourhis-Vianu20

21 Is a program leaking information? (no hide) Can a peer infer information beyond what it is allowed according to some access control policy? Implicit visibility: Given P, an access control policy, a peer p, an instance I p seen at p, can p infer a fact R@q(u) (that it does not see)? Simple: no intentional relations in bodies of AC-rules Theorem: Undecidable Decidable for simple AC policies ICDT16 - Abiteboul-Bourhis-Vianu21

22 Is a program leaking information? (hide) acl@q(Q, p) :– R1@p(X) :– Q@q(), [ hide R@q(X, Y ) ] R2@p(Y ) :– Q@q(), [ hide R@q(X, Y ) ] Suppose p sees {R1@q(a),R2@q(b)} p does not have access to R@q R@q(a, b) is implicitly-visible at p ICDT16 - Abiteboul-Bourhis-Vianu22 Results: Undecidability is more rapidly reached (even for simple AC policies)

23 Achieving some dissemination goals (no hide) Context: a particular AC policy Goal: achieve a particular dissemination Dissemination specified by a datalog program Who sees what Not always possible: can violate the AC Theorem: Undecidable ICDT16 - Abiteboul-Bourhis-Vianu23

24 The best you can (no hide): Policy acl@p(R1, r) :– Program R@q(x) :– R1@p(x) acl@p(R2, r) :– R@q(x) :– R2@p(x) acl@p(R1, q) :– R@r(x) :– R@q(x) Another program that does better under that policy R@q(x) :– R1@p(x) R@r(x) :– R@q(x) R@r(x) :– R2@p(x) Theorem: Also undecidable Algorithm for static policies (independent of instance) 24

25 Achieving some dissemination goals (with hide) Note: but leaks by definition To some extent: accepted leaks Theorem: Can always be achieved ICDT16 - Abiteboul-Bourhis-Vianu25

26 What if we carry provenance? When we send data, we attach provenance Of course, we impose no leak of information Peers {p0, p1, p2, p3, p4} Extensional instance { R@p0, R@p1 } AC policy acl@p0(R, p2) :– acl@p0(R, p4) :– acl@p1(R, p3) :– acl@p1(R, p4) :– ProgramS@p2 :– R@p0S@p2 :– R@p1 S@p3 :– S@p2S@p4 :– S@p3 26

27 acl@p0(R, p2) :– acl@p0(R, p4) :– acl@p1(R, p3) :– acl@p1(R, p4) :– S@p2 :– R@p0 S@p2 :– R@p1 S@p3 :– S@p2 S@p4 :– S@p3 S@p4 is derived with this AC policy p4 is not allowed to see any provenance of S@p4 27 Deciding whether a peer can see a fact has higher complexity S@p4 :- S@p3 S@p4 S@p3 :- S@p2 S@p3 S@p2 :- R@p1 S@p2 R@p1 S@p4 :- S@p3 S@p4 S@p3 :- S@p2 S@p3 S@p2 :- R@p1 S@p2 R@p0

28 Conclusion Formal study of collaborative access control Reasonable complexity Results on leaking Results of goal achievement Highlights interactions between access control and provenance ICDT16 - Abiteboul-Bourhis-Vianu28

29

Download ppt "A formal study of collaborative access control in distributed datalog Serge Abiteboul – Inria & ENS Cachan Pierre Bourhis CNRS & Lille Univ. & Inria Victor."

Similar presentations

Viewing the Web as a Distributed Knowledge Base Serge Abiteboul INRIA Saclay, Collège de France and ENS Cachan ICDE 2012Mai 30, 2012.

Viewing the Web as a Distributed Knowledge Base Serge Abiteboul INRIA Saclay, Collège de France and ENS Cachan ICDE 2012Mai 30, 2012.
Agents & Mobile Agents.

Agents & Mobile Agents.
ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS

ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Lecture 11: Datalog Tuesday, February 6, 2001. Outline Datalog syntax Examples Semantics: –Minimal model –Least fixpoint –They are equivalent Naive evaluation.

Lecture 11: Datalog Tuesday, February 6, Outline Datalog syntax Examples Semantics: –Minimal model –Least fixpoint –They are equivalent Naive evaluation.
WIMS 2014, June 2-4Thessaloniki, Greece1 Optimized Backward Chaining Reasoning System for a Semantic Web Hui Shi, Kurt Maly, and Steven Zeil Contact:

WIMS 2014, June 2-4Thessaloniki, Greece1 Optimized Backward Chaining Reasoning System for a Semantic Web Hui Shi, Kurt Maly, and Steven Zeil Contact:
Implementing Reflective Access Control in SQL Lars E. Olson 1, Carl A. Gunter 1, William R. Cook 2, and Marianne Winslett 1 1 University of Illinois at.

Implementing Reflective Access Control in SQL Lars E. Olson 1, Carl A. Gunter 1, William R. Cook 2, and Marianne Winslett 1 1 University of Illinois at.
Database Theory: Back to the Future Victor Vianu UC San Diego / INRIA.

Database Theory: Back to the Future Victor Vianu UC San Diego / INRIA.
ICDT'2001, London, UK1 On Answering Queries in the Presence of Limited Access Patterns Chen Li Stanford University joint work with Edward Chang, UC Santa.

ICDT'2001, London, UK1 On Answering Queries in the Presence of Limited Access Patterns Chen Li Stanford University joint work with Edward Chang, UC Santa.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
1 WebdamExchange and WebdamLog: some models for web data management Emilien Antoine, Meghyn Bienvenu, Alban Galland Webdam WS, 04/03/2011.

1 WebdamExchange and WebdamLog: some models for web data management Emilien Antoine, Meghyn Bienvenu, Alban Galland Webdam WS, 04/03/2011.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 WebdamExchange and WebdamLog: some models for web data management Alban Galland INRIA Saclay & ENS Cachan Grenoble, 10/12/2010.

1 WebdamExchange and WebdamLog: some models for web data management Alban Galland INRIA Saclay & ENS Cachan Grenoble, 10/12/2010.
Compiler Challenges, Introduction to Data Dependences Allen and Kennedy, Chapter 1, 2.

Compiler Challenges, Introduction to Data Dependences Allen and Kennedy, Chapter 1, 2.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.

Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.
1 Computational Complexity CPSC 468b, Spring 2007 Time: Tu & Th, 1:00-2:15 pm Room: AKW 500 Dist. Group: IV (not Natural Sci.) Satisfies “QR”

1 Computational Complexity CPSC 468b, Spring 2007 Time: Tu & Th, 1:00-2:15 pm Room: AKW 500 Dist. Group: IV (not Natural Sci.) Satisfies “QR”
Distributed Combinatorial Optimization

Distributed Combinatorial Optimization
Anonymizing Web Services Through a Club Mechanism With Economic Incentives Mamata Jenamani Leszek Lilien Bharat Bhargava Department of Computer Sciences.

Anonymizing Web Services Through a Club Mechanism With Economic Incentives Mamata Jenamani Leszek Lilien Bharat Bhargava Department of Computer Sciences.

Similar presentations

Ads by Google