
Programming Trustworthy Provenance Andy Cirillo Radha Jagadeesan Corin Pitcher James Riely School of CTI, DePaul University, Chicago Workshop on Principles.




Slide 1: Programming Trustworthy Provenance
Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely
School of CTI, DePaul University, Chicago
Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007

Slide footer (repeated on every slide): November 2007, Programming Trustworthy Provenance (Corin Pitcher)

Slide 2
Commuter says "my train was delayed".
Delay notice forged?
Provenance of notice needed for decisions.

Slide 3: This Talk
Programming with provenance for security, privacy, & workflow in decentralized systems
Provenance and trust
– When is provenance on data trustworthy?
– How does data provenance impact trust in data?
Authorization logic policies
– To relate provenance & trust
– Validation of programs against such policies

Slide 4: Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 5: Existing Provenance in Access Control
[Diagram: three call stacks of activation records. Logging code calling the File API: ACCESS GRANTED. Untrusted code calling the File API: ACCESS DENIED. Untrusted code calling Logging code, which calls the File API: ACCESS GRANTED.]
Stack inspection (Java/.NET): trusted & untrusted code
Code logging to file escalates privileges for thread
Shape of call stack determines access

Slide 6: Controls: Security, Privacy, Workflow
Provenance used for identity in:
Authorization controls (access control)
– Prevent unauthorized actions before harm occurs
Auditing controls (for accountability/recovery)
– Discourage unauthorized actions
– Recover from unauthorized actions
Privacy controls
– Restrict use of private information
Workflow controls
– Enforce compliance with patterns of activity

Slide 7: Account Aggregation
Owner of account at financial institution
– Direct access to account
– Access via an approved account aggregator
– Other principals providing confidentiality / integrity
[Diagram: Owner, Owner's VPN, Aggr's VPN, Aggregator and Institution; messages approveAggr, submitAggr and getBalance (both directly from the Owner and via the Aggregator); other principals involved in the request.]

Slide 8: Account Aggregation Properties
Provenance of messages used throughout
Authorization
– Use provenance of request to determine authorization
Auditing
– Record provenance of request in audit log
Privacy
– Detect privacy violations in provenance of response
Workflow
– Enforce two-step approval of aggregator
Recurring issue: Is the provenance trustworthy?

Slide 9: Outline (section marker)
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 10: Programming: Provenance and Trust
Dynamic support for provenance
– Identities, origin of objects, and immediate provenance
Representation of provenance
– Full histories, partial histories
Behaviour of programs w.r.t. provenance and trust
– Creation & use of provenance
– When is provenance trusted?

Slide 11: Dynamic Support for Provenance
Distributed objects & remote method invocation
– E.g., Java RMI
Explicit identities = locations
– Objects are located and code runs at a location
Origin of objects
– Remote object reference points to object's location
Immediate provenance
– Caller's identity is known

Slide 12: User-Defined Provenance
Create & use full history of computation
Drawbacks to full history
– Expensive
– Confidentiality and privacy issues
Partial history
– Remove history
– With justification, e.g., after access control / auditing

Slide 13
[Diagram: a request travelling Owner → Owner's VPN → Aggr's VPN → Aggregator. Labels: Immediate Provenance: Owner; User-Defined Provenance; Object location; Messages; Composite message stores provenance; Aggregator is location. Payload: "Account balance for customer #1234".]

Slide 14: Trustworthy Provenance?
Owner's VPN could omit additional intermediaries
Aggregator code has to check:
– Owner's VPN permitted in path
– Owner's VPN is trusted to report provenance
Mitigated by Owner location for original request
[Diagram: actual path Owner → Intermediary → Owner's VPN → Aggr's VPN; the request reports the path Owner → Owner's VPN → Aggr's VPN.]

Slide 15: Trustworthy Provenance?
Aggr's VPN may legitimately recreate (re-sign / relocate) objects
Aggregator's recreation is similar
Are the results trustworthy?
– No direct proof of participation by Owner or Owner's VPN
Complex program behaviour
– High-level account of behaviour?
[Diagram: request with path Owner → Owner's VPN → Aggr's VPN.]
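The checks slides 13 to 15 ask of the Aggregator, worked through as an added example (not code from the talk or its technical report): the outermost hop of a composite message is immediate provenance known from the runtime, every inner hop is only a claim by the intermediary that wrapped it, and a claim becomes an established fact only when that intermediary is both permitted in the path and trusted to report provenance. The Msg layout, the principal names and the `permitted` / `trusted_reporters` sets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Union

# Constructed model of the talk's composite messages (slides 13 and 22): each
# intermediary wraps the message it received, recording sender and receiver.
@dataclass(frozen=True)
class Msg:
    src: str
    tgt: str
    payload: Union["Msg", str]  # inner message, or the original request string

def unwrap(msg):
    """Flatten a composite message into (src, tgt) hops, outermost first."""
    hops = []
    while isinstance(msg, Msg):
        hops.append((msg.src, msg.tgt))
        msg = msg.payload
    return hops, msg

def check_provenance(msg, caller, me, permitted, trusted_reporters):
    """Decide how much of the reported path the receiver `me` may rely on.
    `caller` is immediate provenance supplied by the runtime (slide 11), so the
    outermost hop is known directly. Each inner hop is user-defined provenance:
    the receiver learns only "reporter says hop", where the reporter is the
    principal that wrapped that message. The hop counts as established only if
    the reporter is trusted to report provenance and the sender is permitted
    in the path (slide 14). Returns (accepted, established_hops, request_or_reason).
    """
    hops, request = unwrap(msg)
    if not hops or hops[0] != (caller, me):
        return False, [], "outer hop contradicts immediate provenance"
    if caller not in permitted:
        return False, [], f"{caller} not permitted in path"
    established = [hops[0]]
    for (src, tgt), (reporter, _) in zip(hops[1:], hops):
        if tgt != reporter:
            return False, established, f"{reporter} reports a hop it did not receive"
        if reporter not in trusted_reporters:
            return False, established, f"{reporter} says {src} -> {tgt} but is not trusted to report it"
        if src not in permitted:
            return False, established, f"{src} not permitted in path"
        established.append((src, tgt))
    return True, established, request

# Constructed request from slide 13: Owner -> Owner's VPN -> Aggr's VPN -> Aggregator.
REQUEST = Msg("AggrVPN", "Aggregator",
              Msg("OwnerVPN", "AggrVPN",
                  Msg("Owner", "OwnerVPN", "Account balance for customer #1234")))
PERMITTED = {"Owner", "OwnerVPN", "AggrVPN"}
```

With both VPNs trusted the whole path is established; with only Aggr's VPN trusted the Owner hop remains a bare "OwnerVPN says" claim and the request is refused, which is the gap slide 15 points at when Aggr's VPN recreates objects.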

Slide 16: Outline (section marker)
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis

Slide 17: Policies and Program Analysis
Programs manipulating trust & provenance
Policies to describe behaviour enforced by programs?
– Examples coming up
How can we express those policies?
– Authorization logic
Validate program's behaviour against policies?
– Static analysis via type/effect system

Slide 18: Propositional Effects: Statics
A proposition P communicated from sender to receiver, e.g., "Access granted"
Issue: inconsistency of local states (of beliefs / knowledge)
Need worlds / contexts INSIDE logic
[Diagram: Sender, with P known, "... send message ..."; Receiver, with P not known, "... receive message ...". The receiver's state afterwards is labelled both "P known" and "(Sender says P) known".]

Slide 19: Authorization Logic
Mendler (Lax modal logic)
Abadi, Plotkin, Lampson, Burrows, Wobber
Garg, Pfenning

Slide 20: Example: Simple Workflow Policy
Authorization logic represents submission & approval of data by two principals
Used for approval of aggregator
[Diagram: Initiator submits data; Manager approves data. Class hierarchy Cell, SubmittedCell, ApprovedCell. Assertions appear in code as effects.]
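The two-step workflow of slide 20 as an added example (not the talk's own code): the class hierarchy Cell, SubmittedCell, ApprovedCell is only reachable through functions whose role checks stand in for the assertions the talk attaches as effects. The role sets `initiators` / `managers`, the rule that approver and submitter must be distinct principals, and the PolicyViolation exception are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed model of slide 20's class hierarchy. Each subclass carries the
# principal whose assertion justified its creation, standing in for the effects
# "submitter says submitted(data)" and "approver says approved(data)".
@dataclass(frozen=True)
class Cell:
    data: str

@dataclass(frozen=True)
class SubmittedCell(Cell):
    submitter: str

@dataclass(frozen=True)
class ApprovedCell(SubmittedCell):
    approver: str

class PolicyViolation(Exception):
    """Raised when a principal asserts a step its role does not permit (assumed name)."""

def submit(cell, principal, initiators):
    """Initiator submits data: Cell -> SubmittedCell."""
    if type(cell) is not Cell:
        raise PolicyViolation("only a fresh cell can be submitted")
    if principal not in initiators:
        raise PolicyViolation(f"{principal} may not submit")
    return SubmittedCell(cell.data, principal)

def approve(cell, principal, managers):
    """Manager approves submitted data: SubmittedCell -> ApprovedCell.
    Two principals are involved, so (assumption) the approver may not be
    the principal that submitted the cell."""
    if type(cell) is not SubmittedCell:
        raise PolicyViolation("only a submitted, not yet approved cell can be approved")
    if principal not in managers or principal == cell.submitter:
        raise PolicyViolation(f"{principal} may not approve this submission")
    return ApprovedCell(cell.data, cell.submitter, principal)

def approve_aggregator(name, initiator, manager, initiators, managers):
    """Two-step approval of an aggregator (slide 8): submit, then approve."""
    return approve(submit(Cell(name), initiator, initiators), manager, managers)
```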

Slide 21: Example: Aggregator's Policy
Recall Aggregator's request rewriting behaviour
[Diagram: incoming request carrying the path Owner → Owner's VPN → Aggr's VPN, and the Aggregator's rewritten request.]

Slide 22
[Diagram: message from Owner to OwnerVPN (tgt: OwnerVPN, src: Owner, payload: r); message from OwnerVPN to AggrVPN (tgt: AggrVPN, src: OwnerVPN, payload: q); propositions p, q, r; data: Owner. Columns labelled Effects and Policies.]

Slide 23
[Diagram: as slide 22, with the Aggregator and its proposition s added; the policy justifies creation by the Aggregator.]

Slide 24: Results
Distributed object calculus with authorization logic policies in type/effect system
E.g., Aggregator code typechecks with respect to preceding policy
Guarantees that Aggregator's dynamic behaviour is constrained by policy
Draft technical report available
– Email to cpitcher AT cs.depaul.edu

Slide 25: Summary
In decentralized systems:
– Provenance use in security, privacy, workflow controls
– User-programmable handling of provenance
– Provenance trustworthy and impact on trust in data?
Authorization logic policies describe provenance and trust behaviour of programs
Validate programs against policies

Slide 26: The End
Questions or comments?

Slide 27: Backup Slides

Slide 28: Object Creation

Slide 29
An opponent is any process located at the principal 1. Opponents are free to lie and are thus completely free to construct any new objects. Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.




