Programming Trustworthy Provenance

Transcript of Programming Trustworthy Provenance

Page 1: Programming Trustworthy Provenance

Programming Trustworthy Provenance

Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely

School of CTI, DePaul University, Chicago

Workshop on Principles of Provenance (PrOPr)

Edinburgh, November 19-20, 2007

Page 2: Programming Trustworthy Provenance

November 2007, Programming Trustworthy Provenance (Corin Pitcher), slide 2

Commuter says "my train was delayed"

Delay notice forged?

Provenance of notice needed for decisions

Page 3: Programming Trustworthy Provenance

This Talk

Programming with provenance for security, privacy, & workflow in decentralized systems

Provenance and trust
  – When is provenance on data trustworthy?
  – How does data provenance impact trust in data?

Authorization logic policies
  – To relate provenance & trust
  – Validation of programs against such policies

Page 4: Programming Trustworthy Provenance

Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis

Page 5: Programming Trustworthy Provenance

Existing Provenance in Access Control

[Figure: three call stacks of activation records. Logging code calling the File API: ACCESS GRANTED. Untrusted code calling the File API: ACCESS DENIED. Untrusted code calling Logging code, which calls the File API: ACCESS GRANTED.]

Stack inspection (Java/.NET) - trusted & untrusted code

Code logging to file escalates privileges for thread

Shape of call stack determines access

Page 6: Programming Trustworthy Provenance

Controls: Security, Privacy, Workflow

Provenance used for identity in:

Authorization controls (access control)
  – Prevent unauthorized actions before harm occurs

Auditing controls (for accountability/recovery)
  – Discourage unauthorized actions
  – Recover from unauthorized actions

Privacy controls
  – Restrict use of private information

Workflow controls
  – Enforce compliance with patterns of activity

Page 7: Programming Trustworthy Provenance

Account Aggregation

Owner of account at financial institution
  – Direct access to account
  – Access via an approved account aggregator
  – Other principals providing confidentiality / integrity

[Figure: Owner, Aggregator and Institution exchanging approveAggr, submitAggr and getBalance messages; other principals involved in a request: Owner's VPN and Aggr's VPN.]

Page 8: Programming Trustworthy Provenance

Account Aggregation Properties

Provenance of messages used throughout

Authorization
  – Use provenance of request to determine authorization

Auditing
  – Record provenance of request in audit log

Privacy
  – Detect privacy violations in provenance of response

Workflow
  – Enforce two-step approval of aggregator

Recurring issue: Is the provenance trustworthy?

Page 9: Programming Trustworthy Provenance

Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis

Page 10: Programming Trustworthy Provenance

Programming: Provenance and Trust

Dynamic support for provenance
  – Identities, origin of objects, and immediate provenance

Representation of provenance
  – Full histories, partial histories

Behaviour of programs w.r.t. provenance and trust
  – Creation & use of provenance
  – When is provenance trusted?

Page 11: Programming Trustworthy Provenance

Dynamic Support for Provenance

Distributed objects & remote method invocation
  – E.g., Java-RMI

Explicit identities = locations
  – Objects are located and code runs at a location

Origin of objects
  – Remote object reference points to object's location

Immediate provenance
  – Caller's identity is known

Page 12: Programming Trustworthy Provenance

User-Defined Provenance

Create & use full history of computation

Drawbacks to full history
  – Expensive
  – Confidentiality and privacy issues

Partial history
  – Remove history
  – With justification, e.g., after access control / auditing

Page 13: Programming Trustworthy Provenance

User-Defined Provenance

[Figure: the request "Account balance for customer #1234", an object located at the Owner, is relayed Owner -> Owner's VPN -> Aggr's VPN -> Aggregator; each hop wraps the previous message, so the composite message that arrives stores the provenance. Labels: "Immediate Provenance: Owner", "Object location", "Composite message stores provenance", "Aggregator is location".]

Page 14: Programming Trustworthy Provenance

Trustworthy Provenance?

Owner's VPN could omit additional intermediaries

Aggregator code has to check:
  – Owner's VPN permitted in path
  – Owner's VPN is trusted to report provenance

Mitigated by Owner location for original request

[Figure: the reported chain Request/Owner -> Owner's VPN -> Aggr's VPN beside the actual path Owner -> Intermediary -> Owner's VPN, with the Intermediary omitted from the report.]

Page 15: Programming Trustworthy Provenance

Trustworthy Provenance?

Aggr's VPN may legitimately recreate (re-sign / relocate) objects
  – Aggregator's recreation is similar

Are the results trustworthy?
  – No direct proof of participation by Owner or Owner's VPN

Complex program behaviour
  – High-level account of behaviour?

[Figure: the chain Request/Owner -> Owner's VPN -> Aggr's VPN, and beside it the object as recreated at Aggr's VPN, carrying only Aggr's VPN as its provenance.]
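The composite messages of pages 13-15 and the checks the Aggregator has to make on them, as an added example that is not code from the talk or its technical report. Principal names, the permitted path, the trusted-reporter set and the sample messages are assumptions constructed for this example.

```python
# Added example, not code from the talk: a toy model of the composite messages
# in the account-aggregation scenario and of the checks the Aggregator makes
# before trusting the provenance they carry. Principal names, the permitted
# path and the trusted-reporter set are assumptions.
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Request:
    location: str    # principal at which the request object was created
    data: str


@dataclass(frozen=True)
class Msg:
    src: str         # principal that sent this hop
    tgt: str         # principal that received it
    payload: Union["Msg", Request]   # wrapping the previous message stores provenance


def unwrap(m):
    """Peel a composite message into hops (reporter, src, tgt) plus the original
    request. The outermost hop is observed directly (reporter None); every inner
    hop is only a claim made by the principal that relayed it."""
    hops, reporter = [], None
    while isinstance(m, Msg):
        hops.append((reporter, m.src, m.tgt))
        reporter, m = m.src, m.payload
    return hops, m


def aggregator_check(m, permitted, trusted_reporters, expected_origin="Owner"):
    """Return (accepted, reason): every principal on the path must be permitted,
    every relayed hop must be reported by a principal trusted to report
    provenance, and the request object's location must prove the expected
    origin (the mitigation noted on page 14)."""
    hops, req = unwrap(m)
    if hops[0][2] != "Aggregator":
        return False, "not addressed to Aggregator"
    for reporter, src, _ in hops:
        if src not in permitted:
            return False, f"{src} not permitted in path"
        if reporter is not None and reporter not in trusted_reporters:
            return False, f"{reporter} not trusted to report provenance"
    if req.location != expected_origin:
        return False, f"no direct proof of participation by {expected_origin}"
    return True, "path " + " -> ".join(src for _, src, _ in reversed(hops))


# Constructed sample messages (not from the talk).
REQ = Request("Owner", "Account balance for customer #1234")
PERMITTED = {"Owner", "OwnerVPN", "AggrVPN"}
FULL_CHAIN = Msg("AggrVPN", "Aggregator",
                 Msg("OwnerVPN", "AggrVPN", Msg("Owner", "OwnerVPN", REQ)))
VIA_INTERMEDIARY = Msg("AggrVPN", "Aggregator", Msg("OwnerVPN", "AggrVPN",
                       Msg("Intermediary", "OwnerVPN", Msg("Owner", "Intermediary", REQ))))
RECREATED = Msg("AggrVPN", "Aggregator", Request("AggrVPN", REQ.data))  # re-signed / relocated
```

A VPN that silently drops an intermediary produces a message indistinguishable from FULL_CHAIN, which is why the check must also require that the reporting principal is trusted, not just that the reported path is permitted.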

Page 16: Programming Trustworthy Provenance

Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis

Page 17: Programming Trustworthy Provenance

Policies and Program Analysis

Programs manipulating trust & provenance

Policies to describe behaviour enforced by programs?
  – Examples coming up

How can we express those policies?
  – Authorization logic

Validate program's behaviour against policies?
  – Static analysis via type/effect system

Page 18: Programming Trustworthy Provenance

Propositional Effects - Statics

A proposition P communicated from sender to receiver, e.g., "Access granted"

Issue: Inconsistency of local states (of beliefs / knowledge)

Need worlds / contexts INSIDE logic

[Figure: two timelines. Sender: P known, "... send message ...", P known. Receiver: P not known, "... receive message ...", then (Sender says P) known rather than P known.]

Page 19: Programming Trustworthy Provenance

Authorization Logic

Mendler (Lax modal logic)

Abadi, Plotkin, Lampson, Burrows, Wobber

Garg, Pfenning

Page 20: Programming Trustworthy Provenance

Example: Simple Workflow Policy

Authorization logic represents submission & approval of data by two principals

Used for approval of aggregator

Initiator submits data

Manager approves data

[Figure: class hierarchy with Cell at the root and SubmittedCell and ApprovedCell beneath it; assertions appear in code as effects.]
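The two-step submit/approve workflow above, as an added example that is not code from the talk: the Cell hierarchy accumulates the assertions "Initiator says submitted(d)" and "Manager says approved(d)" as effects, and a policy check decides whether an ApprovedCell is justified. The role table, the principal names and the separation-of-duty rule are assumptions; the talk enforces this statically with a type/effect system, whereas this example checks at run time.

```python
# Added example, not code from the talk: the submit/approve workflow of page 20
# as a Cell class hierarchy whose transitions record authorization-logic
# assertions as effects, checked here at run time rather than by a type/effect
# system. The role table and the separation-of-duty rule are assumptions.
from dataclasses import dataclass
from typing import Tuple

ROLES = {"alice": {"Initiator"}, "bob": {"Manager"}, "dave": {"Initiator", "Manager"}}
Effect = Tuple[str, str, str]   # (principal, predicate, data): "principal says predicate(data)"

@dataclass(frozen=True)
class Cell:
    data: str
    effects: Tuple[Effect, ...] = ()   # assertions recorded so far

class SubmittedCell(Cell):
    pass

class ApprovedCell(SubmittedCell):
    pass

def submit(initiator: str, data: str) -> SubmittedCell:
    """Initiator submits data, recording the effect 'initiator says submitted(data)'."""
    if "Initiator" not in ROLES.get(initiator, set()):
        raise PermissionError(f"{initiator} is not an Initiator")
    return SubmittedCell(data, ((initiator, "submitted", data),))

def approve(manager: str, cell: Cell) -> ApprovedCell:
    """Manager approves a SubmittedCell; the approver must be a Manager other
    than the submitter, so one principal cannot complete both steps alone."""
    if type(cell) is not SubmittedCell:
        raise TypeError("only a SubmittedCell can be approved")
    if "Manager" not in ROLES.get(manager, set()):
        raise PermissionError(f"{manager} is not a Manager")
    if cell.effects[0][0] == manager:
        raise PermissionError("two-step approval: approver must differ from submitter")
    return ApprovedCell(cell.data, cell.effects + ((manager, "approved", cell.data),))

def policy_holds(cell: Cell) -> bool:
    """Policy: an ApprovedCell with data d is justified only if some Initiator
    says submitted(d) and some distinct Manager says approved(d)."""
    if not isinstance(cell, ApprovedCell):
        return False
    submitters = {p for p, pred, d in cell.effects
                  if pred == "submitted" and d == cell.data and "Initiator" in ROLES.get(p, set())}
    approvers = {p for p, pred, d in cell.effects
                 if pred == "approved" and d == cell.data and "Manager" in ROLES.get(p, set())}
    return bool(submitters) and bool(approvers - submitters)

def attempt(fn, *args):
    """Run a workflow step, returning the resulting cell or the rejection message."""
    try:
        return fn(*args)
    except (PermissionError, TypeError) as e:
        return str(e)
```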

Page 21: Programming Trustworthy Provenance

Example: Aggregator's Policy

Recall Aggregator's request rewriting behaviour

[Figure: the incoming composite message Request/Owner -> Owner's VPN -> Aggr's VPN -> Aggregator is rewritten by the Aggregator into Request/Aggregator.]

Page 22: Programming Trustworthy Provenance

[Figure: nested messages along the path Owner -> OwnerVPN -> AggrVPN. r = {data: Owner}; q = {tgt: OwnerVPN, src: Owner, payload: r}; p = {tgt: AggrVPN, src: OwnerVPN, payload: q}. Effects of each hop and the corresponding policies are shown alongside.]

Page 23: Programming Trustworthy Provenance

[Figure: as on page 22, extended with the object s = {data: Owner} created at the Aggregator; the policy justifies creation by aggregator.]

Page 24: Programming Trustworthy Provenance

Results

Distributed object calculus with authorization logic policies in type/effect system

E.g., Aggregator code typechecks with respect to preceding policy

Guarantees that Aggregator's dynamic behaviour is constrained by policy

Draft technical report available
  – Email to cpitcher AT cs.depaul.edu

Page 25: Programming Trustworthy Provenance

Summary

In decentralized systems:
  – Provenance use in security, privacy, workflow controls
  – User-programmable handling of provenance
  – Provenance trustworthy and impact on trust in data?

Authorization logic policies describe provenance and trust behaviour of programs

Validate programs against policies

Page 26: Programming Trustworthy Provenance

The End

Questions or comments?

Page 27: Programming Trustworthy Provenance

Backup Slides

Page 28: Programming Trustworthy Provenance

Object Creation

Page 29: Programming Trustworthy Provenance

An opponent is any process located at the principal 1.

Opponents are free to lie; thus, are completely free to construct any new objects.

Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.