Embed Size (px)
Citation preview
Provenance
Provenance – From Dictionarythe place of origin or earliest known history of something.
the beginning of something's existence; something's origin.
a record of ownership of a work of art or an antique, used as a guide to authenticity or quality.
Provenance
Provenance, from the French provenir, "to come from", refers to the chronology of the ownership or location of a historical object
Who, what, when, where, confidence and original source, security labels
Weapons of Mass Destruction... not being in Iraq.
What Would Provenance Look Like
Make an Assertion....
Barack Obama is the 44th President of the United States....
Confidence = 100%
When – September 12, 2012
Security Label = Unclassified
Source = http://www.whitehouse.gov
Another Example
Assertion – Mitt Romney will be the 45th President of the United States on November 6, 2012
Confidence: .47
When: September 12, 2012
Security Label: Unclassfied
Source: rasmussenreports.com
We Wish to be ProveneAll data must be stored with Provenance
WhoWhatWhenOriginal SourceSecurity LabelsProbability
TriplesBecause the Semantic Web represents everything as triples (Statements) if we have provenance with every statement then:
All of our data is proveneWe have all of our data labelled.We can do MAC adjudication.
Reification for Provenance
We take every statement and add attributes.
All statements shall have these attributes.
We can now adjudicate using Provenance.
We can get to our original source using Provenance.
It is easy to prove the systems has labeling and continuous protection.
Take The Following Problem
We have data. The data has labels. The users have roles. Users may belong to many Groups and a Group may have many Users. We have Roles and a User many have many Roles and a Role may related to many Users. We can assign Roles to Groups as a way of getting the Roles to the Users.
What Does This Look Like?
.
User Role
Group
What Does This Mean
We do Roles at the User level. So we ask, is the User in a particular Role. What becomes interesting is...... how did the User get the Role. The answer is either directly as in a User has the Role Administrator, or indirectly as in the User is part of the Group DBAs and DBA's have the Role Database_Owner, so now all Users that are part of the Group DBAs have the role Database_Owner.
Users and Their Roles
So we say, that a User has Roles, either directly or through what we might call a Transitive Property of Group. Meaning the we take a User, look up its Groups and add in the Union of all the Roles for the Groups that the User has membership.
So the bottom line is Users have Roles.
Users Having Roles
So a given User having a finite set of Roles is just half the problem. But, let's talk about that half. It firmly dictates our rules for reading. That means if the Users Roles are a Superset of the Data Labels, the User may read the Data.
This is from the Bell-Lapadula Model we covered in Lecture 3.
Let's Move Outside of Reading
So when we move outside of Reading, we have other operations. The operation can be writing (Bell Lapadula), or executing, or anything a set of requirements will tell us to do. So how do we do this.
The Case of Writing
We know that if the User is working at a level say Administrator, then they can only write data out as Administrator and could not write out as say a Guest. This prohibits writing down. So that is easy.
But what if the User says you can write if you are an Administrator but you can Execute if you are a Guest. What do we have here?
Beyond Writing and Bell Lapadula
Bell Lapadula considers reading and writing. But what if we had something like a emailing list that a Group could not write, but could execute emails. How would we do this?
More Provenance to the Rescue
We need to take our labeling and do something like..... Group: Email-List-1
Group Guest
Both groups contain: Users: User1, User2, User3,
And now the group Email-List-1 has a label of Role Guest:Execute. So now with our Transitive property we get that User1, User2, User3 can execute if the have the Guest Role.
What Does this Look Like
User1, Guest, Email List 1
User2, Guest, Email List 1
User3, Guest, Email List 1
List Label Email List 1 Guest:Execute
Contains User1, User2, User3
So Relationally What Happens
TableTable Provenance
So Relationally
User:
[email protected] Scott Streit, Woodbine, MD, 11/15/1962 555-XX-XXXX
Provenance
[email protected] source drivers License. Img of my drivers License. Label: User.
What Is Wrong With Relationally
My SS-No requires a higher level of Role, but if we put the higher level with the Provenance, we have over classified by Name and the other attributes. We live with this. Or we do the following:
One Remedy
User_A
[email protected] Scott Streit, Woodbine, MD, 11/15/1962
User_B
[email protected] 555-XX-XXXX
Provenance
[email protected] source drivers License. Img of my drivers License. Label: User.
User_B= Source SS-Card, Label:Administrator
What Happens Semantically?
Subject Predicate Object
[email protected] Lives_In Woodbine
[email protected] has_DOB 11/15/62
[email protected] has_SSNO 555-XX....
Semantically With Provenance
Subject Predicate Object Label
[email protected] Lives_In Woodbine User
[email protected] has_DOB 11/15/62 User
[email protected] has_SSNO 555-X Admin
Provenance - Detailed
Subject Predicate Object
R1 is StatementSubject scott@...
R1 is Statement Pred Lives In
R1 is Statement Object Woodbine
R1 Source Dl
Summary
Some things do not fit neatly into Bell Lapadula because it is a simple model. Simple is good, but we need more.
We extend the model through Provenance. We always match Roles against Labels. We may have more complex Roles, more Complex Labels, but Adjudication is still Roles vs. Labels.
What is the Tradeoff?
Semantically we have full provenance guaranteed. Every piece of data has it's own provenance. But, we require more storage.
Do we care?
Do We Care?
Most things we do today, if not all, rely on Disk storage as being so cheap that it is almost infinite. We see this in search where we index everything. If Disk is expensive, our whole world falls apart, so therefore, we assume disk is cheap. We actually, and intellectually consider disk to be free.
Summary
Provenance is a key component of Computer Security. All data must have Provenance and then all data has:
1) Original Source.
2) Probability.
3) When.
4) Security Labels.
5) Owner
6) etc.
