Programming Trustworthy Provenance


DESCRIPTION

Programming Trustworthy Provenance. Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely. School of CTI, DePaul University, Chicago. Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007. Commuter says "my train was delayed". Delay notice forged?

Text of Programming Trustworthy Provenance

  • Programming Trustworthy Provenance
    Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely

    School of CTI, DePaul University, Chicago
    Workshop on Principles of Provenance (PrOPr), Edinburgh, November 19-20, 2007

    Programming Trustworthy Provenance (Corin Pitcher)

  • Commuter says "my train was delayed"

    Delay notice forged?

    Provenance of notice needed for decisions

  • This Talk
    Programming with provenance for security, privacy, & workflow in decentralized systems

    Provenance and trust
      When is provenance on data trustworthy?
      How does data provenance impact trust in data?

    Authorization logic policies
      To relate provenance & trust
      Validation of programs against such policies

  • Outline
    Motivation: provenance for security
    Programming with provenance and trust
    Policies and program analysis

  • Existing Provenance in Access Control
    Stack inspection (Java/.NET): trusted & untrusted code
    Code logging to file escalates privileges for thread
    Shape of call stack determines access

    [Figure: three call stacks of activation records: Logging code / File API (ACCESS GRANTED); Untrusted code / File API (ACCESS DENIED); Untrusted code / Logging code / File API (ACCESS GRANTED)]

  • Controls: Security, Privacy, Workflow
    Provenance used for identity in:
      Authorization controls (access control): prevent unauthorized actions before harm occurs
      Auditing controls (for accountability/recovery): discourage unauthorized actions; recover from unauthorized actions
      Privacy controls: restrict use of private information
      Workflow controls: enforce compliance with patterns of activity

  • Account Aggregation
    Owner of account at financial institution
      Direct access to account
      Access via an approved account aggregator
    Other principals providing confidentiality / integrity (Owner's VPN, Aggr's VPN)
    Other principals involved in request

    [Figure: Owner, Aggregator and Institution exchanging getBalance requests, with submitAggr and approveAggr messages, and the Owner's VPN and Aggr's VPN on the request path]

  • Account Aggregation Properties
    Provenance of messages used throughout
      Authorization: use provenance of request to determine authorization
      Auditing: record provenance of request in audit log
      Privacy: detect privacy violations in provenance of response
      Workflow: enforce two-step approval of aggregator

    Recurring issue: Is the provenance trustworthy?

  • Outline
    Motivation: provenance for security
    Programming with provenance and trust
    Policies and program analysis

  • Programming: Provenance and Trust
    Dynamic support for provenance: identities, origin of objects, and immediate provenance
    Representation of provenance: full histories, partial histories
    Behaviour of programs w.r.t. provenance and trust
      Creation & use of provenance
      When is provenance trusted?

  • Dynamic Support for Provenance
    Distributed objects & remote method invocation, e.g., Java RMI
    Explicit identities = locations: objects are located and code runs at a location
    Origin of objects: remote object reference points to object's location
    Immediate provenance: caller's identity is known

  • User-Defined Provenance
    Create & use full history of computation
    Drawbacks to full history: expensive; confidentiality and privacy issues
    Partial history: remove history with justification, e.g., after access control / auditing

  • Immediate Provenance and User-Defined Provenance (figure)
    Immediate Provenance: Owner
    User-Defined Provenance: composite message stores provenance
    Object location: Aggregator is location

    [Figure: the request "Account balance for customer #1234" passing from Owner through Owner's VPN and Aggr's VPN to the Aggregator, each message wrapping the earlier ones as its provenance; labels: Object location, Messages, Request]

  • Trustworthy Provenance?
    Owner's VPN could omit additional intermediaries
    Aggregator code has to check:
      Owner's VPN permitted in path
      Owner's VPN is trusted to report provenance
    Mitigated by Owner location for original request

    [Figure: Request path Owner → Intermediary → Owner's VPN → Aggr's VPN, beside the provenance reported without the Intermediary]
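The two checks on this slide, as an added example that is not code from the talk: a Python model of the composite message from the earlier figure, where the aggregator treats only the outermost hop as immediate provenance, accepts reported inner hops only from principals trusted to report provenance, and requires the original request to originate at the Owner. The principal names, the trusted-reporter set and the permitted path are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any

@dataclass(frozen=True)
class Message:
    """One hop of a composite message; payload is the inner Message or the data."""
    src: str
    tgt: str
    payload: Any

# Constructed policy (not from the talk): principals the aggregator trusts to
# report provenance, and the order in which principals may appear on a path.
TRUSTED_REPORTERS = {"OwnerVPN", "AggrVPN"}
PERMITTED_PATH = ["Owner", "OwnerVPN", "AggrVPN", "Aggregator"]

def hops_of(msg):
    """Flatten nested messages into (src, tgt) hops, outermost first, plus data."""
    hops = []
    while isinstance(msg, Message):
        hops.append((msg.src, msg.tgt))
        msg = msg.payload
    return hops, msg

def provenance_trustworthy(msg, receiver):
    hops, _ = hops_of(msg)
    if not hops or hops[0][1] != receiver:
        return False                    # outer hop must be addressed to us
    # The outer hop's src is immediate provenance (observed by the runtime, like
    # an RMI caller identity).  Each inner hop is only *reported* by the sender
    # of the hop wrapping it, so that sender must be trusted to report provenance.
    for outer, inner in zip(hops, hops[1:]):
        reporter = outer[0]
        if reporter not in TRUSTED_REPORTERS or inner[1] != reporter:
            return False                # untrusted reporter or broken chain
    # Principal path innermost-first, e.g. [Owner, OwnerVPN, AggrVPN, Aggregator].
    path = [hops[-1][0]] + [tgt for _, tgt in reversed(hops)]
    if path[0] != "Owner":
        return False                    # original request must originate at Owner
    try:
        positions = [PERMITTED_PATH.index(p) for p in path]
    except ValueError:
        return False                    # principal not permitted in the path
    # Strictly increasing positions: permitted order; a trusted VPN may still have
    # omitted an intermediary, which is why the reporter check above is needed.
    return positions == sorted(set(positions))

# Constructed sample: the balance request from the figure, wrapped at each hop.
REQUEST = Message("AggrVPN", "Aggregator",
          Message("OwnerVPN", "AggrVPN",
          Message("Owner", "OwnerVPN", "Account balance for customer #1234")))
```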

  • Trustworthy Provenance?
    Aggr's VPN may legitimately recreate (re-sign / relocate) objects; Aggregator's recreation is similar
    Are the results trustworthy? No direct proof of participation by Owner or Owner's VPN
    Complex program behaviour: high-level account of behaviour?

    [Figure: Request path Owner → Owner's VPN → Aggr's VPN, with the objects recreated by Aggr's VPN]

  • Outline
    Motivation: provenance for security
    Programming with provenance and trust
    Policies and program analysis

  • Policies and Program Analysis
    Programs manipulating trust & provenance
    Policies to describe behaviour enforced by programs? Examples coming up
    How can we express those policies? Authorization logic
    Validate program's behaviour against policies? Static analysis via type/effect system

  • Propositional Effects - Statics
    A proposition P communicated from sender to receiver, e.g., "Access granted"
    Issue: inconsistency of local states (of beliefs / knowledge)
    Need worlds / contexts INSIDE logic

    [Figure: Sender (P known) ...send message... Receiver (P not known); after ...receive message... the receiver has (Sender says P) known]

  • Authorization Logic
    Mendler (lax modal logic)
    Abadi, Plotkin, Lampson, Burrows, Wobber
    Garg, Pfenning

  • Example: Simple Workflow Policy
    Authorization logic represents submission & approval of data by two principals
    Used for approval of aggregator
      Initiator submits data
      Manager approves data
    Class hierarchy
    Assertions appear in code as effects

  • Example: Aggregator's Policy
    Recall Aggregator's request rewriting behaviour

    [Figure: Request from Owner via Owner's VPN and Aggr's VPN to the Aggregator, and the request as rewritten by the Aggregator]

  • Aggregator's Policy: Effects and Policies (figure)
    Message from Owner to OwnerVPN: tgt: OwnerVPN, src: Owner, payload: r
    Message from OwnerVPN to AggrVPN: tgt: AggrVPN, src: OwnerVPN, payload: q
    Effects and policies over p, q, r; data: Owner

  • Aggregator's Policy: Effects and Policies, continued (figure)
    Message from Owner to OwnerVPN: tgt: OwnerVPN, src: Owner, payload: r
    Message from OwnerVPN to AggrVPN: tgt: AggrVPN, src: OwnerVPN, payload: q
    Effects and policies over p, q, r; data: Owner, Aggregators
    Justifies creation by aggregator

  • Results
    Distributed object calculus with authorization logic policies in type/effect system
    E.g., Aggregator code typechecks with respect to preceding policy
    Guarantees that Aggregator's dynamic behaviour is constrained by policy
    Draft technical report available: email cpitcher AT cs.depaul.edu

  • Summary
    In decentralized systems:
      Provenance use in security, privacy, workflow controls
      User-programmable handling of provenance
      Is provenance trustworthy, and what is its impact on trust in data?
    Authorization logic policies describe provenance and trust behaviour of programs
    Validate programs against policies

  • The End
    Questions or comments?

  • Backup Slides
