Provenance

Provenance – From Dictionary: the place of origin or earliest known history of something.

the beginning of something's existence; something's origin.

a record of ownership of a work of art or an antique, used as a guide to authenticity or quality.

Provenance

Provenance, from the French provenir, "to come from", refers to the chronology of the ownership or location of a historical object

Who, what, when, where, confidence and original source, security labels

Weapons of Mass Destruction... not being in Iraq.

What Would Provenance Look Like

Make an Assertion....

Barack Obama is the 44th President of the United States....

Confidence = 100%

When – September 12, 2012

Security Label = Unclassified

Source = http://www.whitehouse.gov

Another Example

Assertion – Mitt Romney will be the 45th President of the United States on November 6, 2012

Confidence: .47

When: September 12, 2012

Security Label: Unclassified

Source: rasmussenreports.com

We Wish to be Provene

All data must be stored with Provenance

Who, What, When, Original Source, Security Labels, Probability

Triples

Because the Semantic Web represents everything as triples (Statements), if we have provenance with every statement then:

All of our data is provene.

We have all of our data labelled.

We can do MAC adjudication.

Reification for Provenance

We take every statement and add attributes.

All statements shall have these attributes.

We can now adjudicate using Provenance.

We can get to our original source using Provenance.

It is easy to prove the system has labeling and continuous protection.

Take The Following Problem

We have data. The data has labels. The users have roles. Users may belong to many Groups and a Group may have many Users. We have Roles, and a User may have many Roles and a Role may relate to many Users. We can assign Roles to Groups as a way of getting the Roles to the Users.

What Does This Look Like?

[Diagram: User, Role and Group]

What Does This Mean

We do Roles at the User level. So we ask, is the User in a particular Role? What becomes interesting is: how did the User get the Role? The answer is either directly, as in a User has the Role Administrator, or indirectly, as in the User is part of the Group DBAs and DBAs have the Role Database_Owner, so now all Users that are part of the Group DBAs have the Role Database_Owner.

Users and Their Roles

So we say that a User has Roles, either directly or through what we might call a Transitive Property of Group. Meaning that we take a User, look up its Groups and add in the Union of all the Roles for the Groups in which the User has membership.

So the bottom line is Users have Roles.

Users Having Roles

So a given User having a finite set of Roles is just half the problem. But let's talk about that half. It firmly dictates our rules for reading. That means if the User's Roles are a Superset of the Data Labels, the User may read the Data.

This is from the Bell-LaPadula Model we covered in Lecture 3.

Let's Move Outside of Reading

So when we move outside of Reading, we have other operations. The operation can be writing (Bell-LaPadula), or executing, or anything a set of requirements will tell us to do. So how do we do this?

The Case of Writing

We know that if the User is working at a level say Administrator, then they can only write data out as Administrator and could not write out as say a Guest. This prohibits writing down. So that is easy.

But what if the User says you can write if you are an Administrator but you can Execute if you are a Guest. What do we have here?

Beyond Writing and Bell-LaPadula

Bell-LaPadula considers reading and writing. But what if we had something like an emailing list that a Group could not write, but could execute emails? How would we do this?

More Provenance to the Rescue

We need to take our labeling and do something like.....

Group: Email-List-1

Group: Guest

Both groups contain: Users: User1, User2, User3

And now the group Email-List-1 has a label of Role Guest:Execute. So now with our Transitive property we get that User1, User2, User3 can execute if they have the Guest Role.

What Does this Look Like

User1, Guest, Email List 1

User2, Guest, Email List 1

User3, Guest, Email List 1

List: Email List 1. Label: Guest:Execute

Contains User1, User2, User3

So Relationally What Happens

[Diagram: Table and Table Provenance]

So Relationally

User:

scott@scottstreit.com Scott Streit, Woodbine, MD, 11/15/1962 555-XX-XXXX

Provenance

scott@scottstreit.com Source: driver's license. Image of my driver's license. Label: User.

What Is Wrong With Relationally

My SS-No requires a higher level of Role, but if we put the higher level with the Provenance, we have over classified by Name and the other attributes. We live with this. Or we do the following:

One Remedy

User_A

scott@scottstreit.com Scott Streit, Woodbine, MD, 11/15/1962

User_B

scott@scottstreit.com 555-XX-XXXX

Provenance

User_A = scott@scottstreit.com Source: driver's license. Image of my driver's license. Label: User.

User_B = Source: SS-Card. Label: Administrator.

What Happens Semantically?

Subject                  Predicate   Object
scott@scottstreit.com    Lives_In    Woodbine
scott@scottstreit.com    has_DOB     11/15/62
scott@scottstreit.com    has_SSNO    555-XX....

Semantically With Provenance

Subject                  Predicate   Object      Label
scott@scottstreit.com    Lives_In    Woodbine    User
scott@scottstreit.com    has_DOB     11/15/62    User
scott@scottstreit.com    has_SSNO    555-X       Admin
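The roles-versus-labels adjudication described on these slides (roles gained directly or through Groups, per-statement labels, and the operation-scoped label Guest:Execute), as an added example that is not part of the original lecture. The sample data is constructed; the user "officer", the group "Auditors", the "is_a" statement about the list, and the deny-when-unlabelled rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Statement:
    subject: str
    predicate: str
    obj: str
    source: str      # provenance: original source
    labels: tuple    # provenance: (role, operation) pairs

# Constructed sample data. "officer" and "Auditors" are hypothetical names.
DIRECT = {"User1": {"User"}, "officer": {"User"}}
MEMBERS = {"Guest": {"User1", "User2", "User3"}, "Auditors": {"officer"}}
GROUP_ROLES = {"Guest": {"Guest"}, "Auditors": {"Admin"}}

ME = "scott@scottstreit.com"
STORE = [
    Statement(ME, "Lives_In", "Woodbine", "driver's license", (("User", "Read"),)),
    Statement(ME, "has_DOB", "11/15/62", "driver's license", (("User", "Read"),)),
    Statement(ME, "has_SSNO", "555-XX-XXXX", "SS-Card", (("Admin", "Read"),)),
    Statement("Email-List-1", "is_a", "Mailing_List", "constructed",
              (("Guest", "Execute"),)),
]

def effective_roles(user):
    """Direct roles plus the union of the roles of every group the user is in."""
    roles = set(DIRECT.get(user, ()))
    for group, users in MEMBERS.items():
        if user in users:
            roles |= GROUP_ROLES.get(group, set())
    return roles

def permitted(user, stmt, operation):
    """Roles vs. labels: the user's roles must be a superset of the labels
    attached for this operation. Assumption: no label for it means deny."""
    required = {role for role, op in stmt.labels if op == operation}
    return bool(required) and required <= effective_roles(user)

def visible(user, operation="Read"):
    """Predicates of the statements the user may perform `operation` on."""
    return [s.predicate for s in STORE if permitted(user, s, operation)]

if __name__ == "__main__":
    for u in ("User1", "User2", "officer"):
        print(u, sorted(effective_roles(u)), visible(u), visible(u, "Execute"))
```

Because the label travels with each statement, the SSN triple is withheld from User1 without over-classifying the address and date of birth.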

Provenance - Detailed

Subject    Predicate               Object
R1         is Statement Subject    scott@...
R1         is Statement Pred       Lives In
R1         is Statement Object     Woodbine
R1         Source                  Dl

Summary

Some things do not fit neatly into Bell-LaPadula because it is a simple model. Simple is good, but we need more.

We extend the model through Provenance. We always match Roles against Labels. We may have more complex Roles, more Complex Labels, but Adjudication is still Roles vs. Labels.

What is the Tradeoff?

Semantically we have full provenance guaranteed. Every piece of data has its own provenance. But we require more storage.

Do we care?

Do We Care?

Most things we do today, if not all, rely on Disk storage being so cheap that it is almost infinite. We see this in search, where we index everything. If Disk is expensive, our whole world falls apart, so we assume disk is cheap. We actually, and intellectually, consider disk to be free.

Summary

Provenance is a key component of Computer Security. All data must have Provenance and then all data has:

1) Original Source.

2) Probability.

3) When.

4) Security Labels.

5) Owner

6) etc.
