1
Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems Kazuhiro Minami, Nikita Borisov, and Carl A. Gunter University of Illinois at Urbana-Champaign
2
Aggregation in a publish-subscribe (pub-sub) system
[Diagram: sensors (location sensors, motion sensors, door sensors) publish raw data into the pub-sub system, which aggregates it into high-level location events delivered to subscribers such as a location-tracker application and an intelligent building management system.]
Publish high-level events derived from raw sensor data
Eliminate duplicate tasks from multiple subscribers
3
Deriving high-level events based on logic
Represent events as logical statements
Maintain event derivation rules in Datalog
Derive high-level events in a bottom-up way
[Diagram: a publisher sends location(bob, room10) to the pub-sub system's knowledge base; the inference engine applies the rule occupied(L) ← location(P, L) and delivers occupied(room10) to the subscriber.]
4
Events in pervasive environments contain users’ private information
Concern with location privacy
Combination of low-level sensor data could reveal types of user activities (i.e., high-level events)
– E.g., power usage in a household
5
Protection with discretionary access control (DAC) policies is a good start
A pub-sub system defines discretionary access control policies dacl: E → 2^P where:
– E is a set of events that a pub-sub system could maintain
– P is a set of subscriber principals
Event e is protected with an access control list dacl(e)
– E.g., dacl(location(alice, L)) = {bob, dave}
6
However, a malicious subscriber could learn confidential events through inferences
[Diagram: pub-sub system PS[E, I, dacl] with dacl(location(P, L)) = ∅ and dacl(occupied(L)) = {Tom}; subscriber Tom knows PS’s derivation rules I and DACL policies dacl.]
7
But an adversary could learn confidential events through inferences
[Diagram: Tom receives the events with dacl = {Tom}; from them and the derivation rules I (an OR node and an AND node) he infers an event with dacl = ∅.]
8
Our approach
Additional protection with operational discretionary access control (OACL) policies oacl: E → 2^P such that:
– Subscriber p_i receives event e iff p_i ∈ oacl(e)
– For every event e: oacl(e) ⊆ dacl(e)
[Diagram: events pass through the DACL policies and then the OACL policies before reaching the subscriber; access on event e is granted only when both allow it and denied otherwise. The subscriber can still use I to infer the truth of another event e’.]
Question: Is system PS[E, I, dacl, oacl] safe w.r.t. subscriber p_i?
9
Outline
Safety definition based on nondeducibility
Safety verification algorithm and its complexity analysis
Experiments with a SAT solver
Conclusion
10
Nondeducibility considers information flow between two information functions regarding system configuration
System configuration: events E_PS ⊆ E of PS[E, I, dacl, oacl]
Function v_1: 2^E → 2^E gives the non-confidential events that subscriber p_i receives: v_1(E_PS) = {e | e ∈ E_PS ∧ p_i ∈ oacl(e)}
Function v_2: 2^E → 2^E gives the confidential events that subscriber p_i is NOT authorized to receive: v_2(E_PS) = {e | e ∈ E_PS ∧ p_i ∉ dacl(e)}
[Diagram: information flow from v_1(E_PS) to v_2(E_PS)]
11
Safety definition
A pub-sub system PS[E, I, dacl, oacl] is safe if ∀ E_PS ⊆ E, ∀ e ∈ E where p_i ∉ dacl(e), ∃ E’_PS and E’’_PS such that:
1. v_1(E_PS) = v_1(E’_PS) = v_1(E’’_PS)
2. e ∈ v_2(E’_PS)
3. e ∉ v_2(E’’_PS)
12
Example
E = {loc(bob, bldg12), loc(alice, bldg12), occupied(bldg12)}
I = {occupied(B) ← loc(P, B)}
dacl(loc(P, bldg12)) = ∅, dacl(occupied(bldg12)) = {dave}
oacl(loc(P, bldg12)) = ∅, oacl(occupied(bldg12)) = {dave}
E_PS = {loc(bob, bldg12), occupied(bldg12)}
[Diagram: from 2^E, v_1 maps E_PS to the events dave receives, {occupied(bldg12)}, and v_2 maps it to the events that should be protected from dave, {loc(bob, bldg12)}; the alternative configuration E’_PS = {loc(alice, bldg12), occupied(bldg12)} has the same v_1 image, while v_2(E’_PS) = {loc(alice, bldg12)}.]
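As an added example (not the authors' code), the Python below implements the bottom-up Datalog derivation of slide 3 and the nondeducibility check of slides 10 to 12 on the ground instance above; it assumes that a configuration E_PS is the least model of some subset of the raw, non-derived events, and the names least_model, configurations and is_safe are this example's own, while v1 and v2 follow the slides.

```python
from itertools import combinations

# Constructed instance from the slides (not the paper's code): ground rules for
# occupied(B) <- loc(P, B) with B = bldg12 and P in {bob, alice}.
EVENTS = {"loc(bob,bldg12)", "loc(alice,bldg12)", "occupied(bldg12)"}
RULES = [("occupied(bldg12)", ("loc(bob,bldg12)",)),
         ("occupied(bldg12)", ("loc(alice,bldg12)",))]
DACL = {"occupied(bldg12)": {"dave"}}   # events absent from the dict have an empty ACL
OACL = {"occupied(bldg12)": {"dave"}}

def least_model(base, rules):
    """Bottom-up Datalog derivation: fire rules until no new event appears."""
    state = set(base)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head not in state and all(b in state for b in body):
                state.add(head)
                changed = True
    return frozenset(state)

def configurations(events, rules):
    """All configurations E_PS the system can be in (assumption: each is the
    least model of some subset of the raw, non-derived events)."""
    base = sorted(events - {h for h, _ in rules})
    return {least_model(subset, rules)
            for k in range(len(base) + 1) for subset in combinations(base, k)}

def v1(e_ps, p, oacl):
    """Non-confidential events that subscriber p receives."""
    return frozenset(e for e in e_ps if p in oacl.get(e, set()))

def v2(e_ps, p, dacl):
    """Confidential events that p is not authorized to receive."""
    return frozenset(e for e in e_ps if p not in dacl.get(e, set()))

def is_safe(events, rules, dacl, oacl, p):
    """Nondeducibility: for every E_PS and confidential e, some E'_PS with the
    same v1 image contains e and some E''_PS with the same v1 image does not."""
    confs = configurations(events, rules)
    confidential = [e for e in events if p not in dacl.get(e, set())]
    for e_ps in confs:
        same_view = [c for c in confs if v1(c, p, oacl) == v1(e_ps, p, oacl)]
        for e in confidential:
            if not any(e in v2(c, p, dacl) for c in same_view):
                return False    # p learns that e is false
            if not any(e not in v2(c, p, dacl) for c in same_view):
                return False    # p learns that e is true
    return True
```

For dave the instance is unsafe: when no occupied(bldg12) event is delivered, every configuration with that view lacks both loc events, so dave learns they are false. Tightening the OACL so that dave receives nothing (oacl(occupied(bldg12)) = ∅) makes the check pass.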
13
Outline
Safety definition based on nondeducibility
Safety verification algorithm and its complexity analysis
Experiments with a SAT solver
Conclusion
14
We represent a subscriber’s inferences with s-inference rules
Represent a subscriber’s inferences with three-valued logic using the function val: E → {T, F, U} where:
T is known to be true
F is known to be false
U is unknown
Capture both bottom-up and top-down inferences regarding a system’s derivation rules I
15
Bottom-up inferences
Consider a derivation rule: e ← e_1, …, e_n
(Bottom-up-T) If a subscriber knows that events e_1, …, e_n are all true, then he knows e is also true.
(Bottom-up-F) If a subscriber knows that some event e_i is false, then he knows e is also false.
16
Top-down inferences
Consider a set of derivation rules that all derive the same event e from bodies e_1, …, e_n:
(Top-down-T) If a subscriber knows that event e is true, then he knows there is some e_i which is true.
(Top-down-F) If a subscriber knows that event e is false, then he knows every e_i is false.
17
Verification algorithm with s-inference rules
VerifySafety(E, I, dacl, oacl, p_i):
1. For each T/F assignment A: {e | p_i ∈ oacl(e)} → {T, F}, do the following:
   1) Compute a fixpoint from the initial state defined by A by applying the s-inference rules
   2) If there is an event e ∈ E such that val(e) ≠ U and p_i ∉ dacl(e), return FALSE
2. Return TRUE
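An added example, not the authors' implementation, of the s-inference fixpoint of slides 14 to 16 and VerifySafety of slide 17 in Python. Rules are ground, one body tuple per rule; Top-down-T assigns values only when exactly one rule body can still hold and Top-down-F only when a single body event is still unknown, and truth assignments that contradict the rules are skipped, which is this example's assumption since the slides do not say how they are treated.

```python
from itertools import product
T, F, U = "T", "F", "U"   # val: E -> {T, F, U}

def _set(val, e, v):
    if val[e] not in (U, v):
        raise ValueError(f"contradiction on {e}")   # this assignment cannot occur
    changed = val[e] == U
    val[e] = v
    return changed

def fixpoint(val, rules):
    """Apply the four s-inference rules until val stops changing."""
    heads = {h for h, _ in rules}
    changed = True
    while changed:
        changed = False
        for head in heads:
            bodies = [b for h, b in rules if h == head]
            live = [b for b in bodies if all(val[e] != F for e in b)]
            if any(all(val[e] == T for e in b) for b in bodies):
                changed |= _set(val, head, T)          # Bottom-up-T
            if not live:
                changed |= _set(val, head, F)          # Bottom-up-F
            if val[head] == T and len(live) == 1:      # Top-down-T: that body must hold
                for e in live[0]:
                    changed |= _set(val, e, T)
            if val[head] == F:                         # Top-down-F: every body must fail
                for b in bodies:
                    unknown = [e for e in b if val[e] == U]
                    if len(unknown) == 1 and all(val[e] == T for e in b if e != unknown[0]):
                        changed |= _set(val, unknown[0], F)
    return val

def verify_safety(events, rules, dacl, oacl, p):
    """VerifySafety(E, I, dacl, oacl, p): FALSE iff p can fix a confidential event's value."""
    visible = sorted(e for e in events if p in oacl.get(e, set()))
    confidential = [e for e in events if p not in dacl.get(e, set())]
    for assignment in product([T, F], repeat=len(visible)):
        val = dict.fromkeys(events, U)
        val.update(zip(visible, assignment))
        try:
            fixpoint(val, rules)
        except ValueError:   # assumption: contradictory observations are skipped
            continue
        if any(val[e] != U for e in confidential):
            return False
    return True
EVENTS = {"loc(bob,bldg12)", "loc(alice,bldg12)", "occupied(bldg12)"}  # constructed slide instance
RULES = [("occupied(bldg12)", ("loc(bob,bldg12)",)), ("occupied(bldg12)", ("loc(alice,bldg12)",))]
ACL = {"occupied(bldg12)": {"dave"}}  # serves as both dacl and oacl; missing key = empty ACL
```

On the slide instance the assignment occupied(bldg12) = F fires Top-down-F on both rules, fixing both loc events to F, so the algorithm returns FALSE; with oacl(occupied(bldg12)) = ∅ there is nothing to assign and it returns TRUE.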
18
Analysis of the verification algorithm
Sound and complete:
– The algorithm returns TRUE if and only if the pub-sub system PS[E, I, dacl, oacl] is safe w.r.t. subscriber p_i.
Running time is exponential because we need to check all possible truth assignments to non-confidential events
19
Complexity analysis
UNSAFE = {(PS[E, I, dacl, oacl], p_i) | VerifySafety(E, I, dacl, oacl, p_i) = FALSE}
UNSAFE is NP-complete; that is:
1. UNSAFE is in NP
2. 3-CNF-SAT is polynomially reducible to UNSAFE
20
Basic idea: construct PS such that a confidential event s is known when formula Φ is satisfiable
Φ = (x_1 ∨ ¬x_2 ∨ ¬x_3) ∧ (¬x_1 ∨ x_2 ∨ x_3)
Derivation rules of PS (nx_i is the event standing for ¬x_i):
y_1 ← x_1, y_1 ← nx_2, y_1 ← nx_3
y_2 ← nx_1, y_2 ← x_2, y_2 ← x_3
s ← y_1, y_2
[Diagram: y_1 and y_2 feed s (≡ y_1 ∧ y_2).]
Either x_1, nx_2, or nx_3 is known to be true, so y_1 is known to be true; either nx_1, x_2, or x_3 is known to be true, so y_2 is known to be true; by (Bottom-up-T), s is known to be true.
The truth assignment must be consistent: val(x_1) = T iff val(nx_1) = F.
21
Truth assignment must be consistent
Additional rules: x_1 ← nx_1, z_1 and x_1 ← u_1, z’_1, with p_i ∈ dacl(u_1) and p_i ∉ oacl(u_1)
x_1 and nx_1 are consistent iff u_1 is known to be true:
x_1 is known to be true ⇒ val(nx_1 ∧ z_1) = T or val(u_1 ∧ z’_1) = T
nx_1 is known to be false ⇒ (Top-down-T) u_1 is known to be true (S5)
s ← y_1 ∧ y_2 ∧ u_1 ∧ …: s is known once y_1, y_2 are known to be true and u_1 is known to be true
22
Experiments with a SAT solver
Convert PS[E, I, dacl, oacl] into a SAT formula Φ_j such that there is a safety violation w.r.t. principal p_j iff Φ_j is satisfiable
Encode in Φ_j a sequence of s-inference rule applications leading to a safety violation
Measure latency for solving the converted SAT problems using the SAT4J SAT solver
23
Latency results
[Plot of SAT-solver latency against problem size; parameters used:]
#events: 10, 20, 30, 40, 50, 60, 70
#rules: 8, 16, 24, 32, 40, 48, 56
24
Conclusion
Define safety in a logic-based pub-sub system formally
Capture a subscriber’s inferences with a set of s-inference rules
Prove that the safety problem is co-NP-complete
Show the feasibility of safety verification with a moderate number of events and rules using a SAT solver
25
Any questions?