Programming Trustworthy Provenance
DESCRIPTION
Programming Trustworthy Provenance. Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely. School of CTI, DePaul University, Chicago. Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007. Commuter says "my train was delayed". Delay notice forged?
TRANSCRIPT
Programming Trustworthy Provenance
Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely
School of CTI, DePaul University, Chicago
Workshop on Principles of Provenance (PrOPr)
Edinburgh, November 19-20, 2007
November 2007 Programming Trustworthy Provenance (Corin Pitcher) 2
Commuter says "my train was delayed"
Delay notice forged?
Provenance of notice needed for decisions
This Talk
Programming with provenance for security, privacy, & workflow in decentralized systems
Provenance and trust
– When is provenance on data trustworthy?
– How does data provenance impact trust in data?
Authorization logic policies
– To relate provenance & trust
– Validation of programs against such policies
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Existing Provenance in Access Control
[Figure: call stacks of activation records built from Logging code, File API and Untrusted code frames, with outcomes ACCESS GRANTED, ACCESS DENIED, ACCESS GRANTED]
Stack inspection (Java/.NET) - trusted & untrusted code
Code logging to file escalates privileges for thread
Shape of call stack determines access
Controls: Security, Privacy, Workflow
Provenance used for identity in:
Authorization controls (access control)
– Prevent unauthorized actions before harm occurs
Auditing controls (for accountability/recovery)
– Discourage unauthorized actions
– Recover from unauthorized actions
Privacy controls
– Restrict use of private information
Workflow controls
– Enforce compliance with patterns of activity
Account Aggregation
Owner of account at financial institution
– Direct access to account
– Access via an approved account aggregator
– Other principals providing confidentiality / integrity
[Figure: Owner, Aggregator and Institution exchanging submitAggr, approveAggr and getBalance; Owner's VPN and Aggr's VPN are the other principals involved in the request]
Account Aggregation Properties
Provenance of messages used throughout
Authorization
– Use provenance of request to determine authorization
Auditing
– Record provenance of request in audit log
Privacy
– Detect privacy violations in provenance of response
Workflow
– Enforce two-step approval of aggregator
Recurring issue: Is the provenance trustworthy?
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Programming: Provenance and Trust
Dynamic support for provenance
– Identities, origin of objects, and immediate provenance
Representation of provenance
– Full histories, partial histories
Behaviour of programs w.r.t. provenance and trust
– Creation & use of provenance
– When is provenance trusted?
Dynamic Support for Provenance
Distributed objects & remote method invocation
– E.g., Java-RMI
Explicit identities = locations
– Objects are located and code runs at a location
Origin of objects
– Remote object reference points to object's location
Immediate provenance
– Caller's identity is known
User-Defined Provenance
Create & use full history of computation
Drawbacks to full history
– Expensive
– Confidentiality and privacy issues
Partial history
– Remove history
– With justification, e.g., after access control / auditing
User-Defined Provenance
[Figure: the request from Owner passes through Owner's VPN and Aggr's VPN to the Aggregator; each hop wraps the previous message, so the composite message stores the provenance (Request, Owner, Owner's VPN, Aggr's VPN, Aggregator); labels: Messages; Composite message stores provenance; Immediate provenance: Owner; Object location; Aggregator is location; the object is "Account balance for customer #1234"]
Trustworthy Provenance?
Owner's VPN could omit additional intermediaries
Aggregator code has to check:
– Owner's VPN permitted in path
– Owner's VPN is trusted to report provenance
Mitigated by Owner location for original request
[Figure: reported chain Request, Owner, Owner's VPN, Aggr's VPN; an Owner to Intermediary hop is absent from the reported path]
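An added example (my code, not the authors' calculus) modelling the Aggregator's check in Python: each inner hop of the composite message is a claim made by the sender that wrapped it, only the outermost src is verified by the runtime (immediate provenance), and the innermost request's location must be Owner. Principal names follow the slides; the permitted/trusted sets, the Request/Message types and the function names are my assumptions.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Request:
    location: str   # principal at which the object was created (its origin)
    text: str

@dataclass(frozen=True)
class Message:
    src: str        # sender; runtime-verifiable only for the outermost hop
    tgt: str
    payload: Union["Message", Request]

def unwrap(msg: Message):
    """Flatten a composite message into [outermost src, ..., innermost src] and the inner request."""
    path, cur = [], msg
    while isinstance(cur, Message):
        path.append(cur.src)
        cur = cur.payload
    return path, cur

PERMITTED = {"Owner", "OwnerVPN", "AggrVPN"}   # assumed: principals allowed in the path
TRUSTED_REPORTERS = {"OwnerVPN", "AggrVPN"}    # assumed: trusted to report the hop they wrap

def aggregator_accepts(msg: Message, immediate_caller: str, owner: str = "Owner") -> bool:
    if msg.src != immediate_caller:       # claimed outer sender must be the verified caller
        return False
    path, req = unwrap(msg)
    if not isinstance(req, Request) or req.location != owner:   # origin of the request object
        return False
    if path[-1] != owner:                 # innermost hop must be the owner's own send
        return False
    if any(p not in PERMITTED for p in path):
        return False
    # hop i is a claim reported by hop i-1, so every wrapping principal must be trusted to report
    return all(p in TRUSTED_REPORTERS for p in path[:-1])

# Constructed chain matching the slides: Owner -> OwnerVPN -> AggrVPN -> Aggregator
REQ = Request(location="Owner", text="getBalance")
R = Message(src="Owner", tgt="OwnerVPN", payload=REQ)
Q = Message(src="OwnerVPN", tgt="AggrVPN", payload=R)
P = Message(src="AggrVPN", tgt="Aggregator", payload=Q)

def demo():
    ok = aggregator_accepts(P, immediate_caller="AggrVPN")
    forged = aggregator_accepts(P, immediate_caller="Mallory")   # verified caller disagrees with claimed src
    relocated = aggregator_accepts(                              # request object not located at Owner
        Message("AggrVPN", "Aggregator", Message("OwnerVPN", "AggrVPN",
                Message("Owner", "OwnerVPN", Request("Mallory", "getBalance")))),
        immediate_caller="AggrVPN")
    return ok, forged, relocated
```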
Trustworthy Provenance?
Aggr's VPN may legitimately recreate (re-sign / relocate) objects
– Aggregator's recreation is similar
Are the results trustworthy?
– No direct proof of participation by Owner or Owner's VPN
Complex program behaviour
– High-level account of behaviour?
[Figure: chain Request, Owner, Owner's VPN, Aggr's VPN; the object is recreated by Aggr's VPN]
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Policies and Program Analysis
Programs manipulating trust & provenance
Policies to describe behaviour enforced by programs?
– Examples coming up
How can we express those policies?
– Authorization logic
Validate program's behaviour against policies?
– Static analysis via type/effect system
Propositional Effects - Statics
A proposition P communicated from sender to receiver, e.g., "Access granted"
Issue: Inconsistency of local states (of beliefs / knowledge)
Need worlds / contexts INSIDE logic
[Figure: Sender (... send message ...) has P known before and after sending; Receiver (... receive message ...) has P not known before the message and (Sender says P) known afterwards]
Authorization Logic
Mendler (Lax modal logic)
Abadi, Plotkin, Lampson, Burrows, Wobber
Garg, Pfenning
Example: Simple Workflow Policy
Authorization logic represents submission & approval of data by two principals
Used for approval of aggregator
Initiator submits data
Manager approves data
[Figure: class hierarchy Cell, SubmittedCell, ApprovedCell]
Assertions appear in code as effects
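An added example (not the paper's code) of the two-step approval as a Python class hierarchy. Cell, SubmittedCell and ApprovedCell are the slide's names; treating ApprovedCell as a subclass of SubmittedCell, the method names, and encoding a "principal says P" assertion as a (principal, proposition) pair carried by the cell are my assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    data: str
    says: tuple = ()   # assertions "principal says P" accumulated along the code path

@dataclass(frozen=True)
class SubmittedCell(Cell):
    pass

@dataclass(frozen=True)
class ApprovedCell(SubmittedCell):   # assumed: approval refines submission
    pass

INITIATOR, MANAGER = "Initiator", "Manager"

def submit(cell: Cell, principal: str) -> SubmittedCell:
    if principal != INITIATOR:
        raise PermissionError(f"{principal} may not submit")
    return SubmittedCell(cell.data, cell.says + ((principal, f"Submitted({cell.data})"),))

def approve(cell: SubmittedCell, principal: str) -> ApprovedCell:
    # the type discipline forces submission before approval
    if not isinstance(cell, SubmittedCell):
        raise TypeError("approve requires a SubmittedCell")
    if principal != MANAGER:
        raise PermissionError(f"{principal} may not approve")
    return ApprovedCell(cell.data, cell.says + ((principal, f"Approved({cell.data})"),))

def approve_aggregator(cell: Cell) -> bool:
    """Policy: aggregator a is approved iff Initiator says Submitted(a) and Manager says Approved(a)."""
    if not isinstance(cell, ApprovedCell):
        return False
    a = cell.data
    return (INITIATOR, f"Submitted({a})") in cell.says and (MANAGER, f"Approved({a})") in cell.says

def demo():
    proposed = Cell("AggrCo")   # constructed sample: the aggregator awaiting approval
    ok = approve_aggregator(approve(submit(proposed, INITIATOR), MANAGER))
    try:   # one principal attempting both steps is refused at approval
        approve(submit(proposed, INITIATOR), INITIATOR); same_principal = True
    except PermissionError:
        same_principal = False
    try:   # skipping submission is refused by the type discipline
        approve(proposed, MANAGER); skipped = True
    except TypeError:
        skipped = False
    return ok, same_principal, skipped
```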
Example: Aggregator's Policy
Recall Aggregator's request rewriting behaviour
[Figure: request chain Request, Owner, Owner's VPN, Aggr's VPN, Aggregator; the Aggregator rewrites it as a fresh request from Aggregator]
Effects
Policies
[Figure: Owner sends to OwnerVPN (tgt: OwnerVPN, src: Owner, payload: r); OwnerVPN sends to AggrVPN (tgt: AggrVPN, src: OwnerVPN, payload: q); effects p, q, r; data located at Owner]
Effects
Policies
[Figure: as before, plus data located at Aggregator with effect s]
Justifies creation by aggregator
Results
Distributed object calculus with authorization logic policies in type/effect system
E.g., Aggregator code typechecks with respect to preceding policy
Guarantees that Aggregator's dynamic behaviour is constrained by policy
Draft technical report available
– Email to cpitcher AT cs.depaul.edu
Summary
In decentralized systems:
– Provenance use in security, privacy, workflow controls
– User-programmable handling of provenance
– Provenance trustworthy and impact on trust in data?
Authorization logic policies describe provenance and trust behaviour of programs
Validate programs against policies
The End
Questions or comments?
Backup Slides
Object Creation
An opponent is any process located at the principal 1.
Opponents are free to lie; thus, are completely free to construct any new objects.
Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.