Towards Semantics for Provenance Security (PowerPoint PPT presentation)


SLIDE 1

Towards Semantics for Provenance Security

Stephen Chong Harvard University TaPP ’09

SLIDE 4

Towards Semantics for Provenance Security, Stephen Chong, Harvard University.

Provenance security

Some data are sensitive

Must ensure provenance does not reveal sensitive data

E.g., “John participated in medical study S” reveals “John has disease D”

Some provenance is sensitive

Must ensure output does not reveal sensitive provenance

E.g., Workshop referee reports should not contain name/email of referee

Must ensure provenance does not reveal sensitive provenance

E.g., If a student is in a Disciplinary Hearing, then the student’s advisor must attend. “Prof. Smith participated as an Advisor” may reveal “John participated as respondent”

How do we know if we have security right?

Complex interaction between information security and provenance

Not well-understood

SLIDE 5

Semantics for provenance security

Goal:

precise, useful, intuitive definitions of provenance security

understand provenance security principles and mechanisms to apply in practice

This work: Formal definitions for provenance security

public data does not reveal sensitive provenance

public provenance does not reveal sensitive provenance

public provenance does not reveal sensitive data

(public data does not reveal sensitive data)


SLIDES 7-12

Language model

Simple language-based model (based on Cheney, Acar, Ahmed [2008])

Program c has input locations, produces single output

〈l1=v1, …, ln=vn ; c〉 ⇒ v

E.g.,

〈l1=3, l2=5, l3=7 ; x = l1; if (x) then l2 else l3〉 ⇒ 5

Provenance T describes execution (written ⇝ T)

〈l1=v1, …, ln=vn ; c〉 ⇒ v ⇝ T

E.g.,

〈l1=3, l2=5, l3=7 ; x = l1; if (x) then l2 else l3〉 ⇒ 5 ⇝ x=l1 ; cond(x,true,l2)

Partial provenance: allow parts of T to be elided (□ marks an elided part)

E.g., progressively elided versions of the trace above:

cond(x,true,l2)

cond(x,true,□)

cond(x,□,□)

□

SLIDES 13-14

Security policies

Each input location has a security policy for data and for provenance

Data security: H : High security (secret), L : Low security (public)

Provenance security: H : High provenance (secret), L : Low provenance (public)

A policy is written as two letters, data level then provenance level; e.g., l1 : LL, l2 : LH, l3 : HH

User knows low security inputs, and is given output and partial provenance trace

User should not learn high security data

User should not learn which high provenance locations were involved in the computation

What (partial) provenance can we give to the user?

SLIDES 15-17

First attempt

We think T is secure for execution 〈l1=v1, …, ln=vn ; c〉 ⇒ v if:

〈l1=v1, …, ln=vn ; c〉 ⇒ v ⇝ T and T does not contain any high provenance locations.

E.g.,

〈… ; if (l1) then l2 + l3 else l4 + l5〉 ⇒ 5 ⇝ cond(l1,true, l2+l3)

with policies l1 : HL, l2 : HH, l3 : HL, l4 : HH, l5 : HL

Full trace cond(l1,true, l2+l3): names l2, a high provenance location, so it is rejected

Elide l2, giving cond(l1,true, □+l3): accepted by the first attempt

But the accepted trace still records that the then-branch was taken, which reveals the value of l1 (high security data) and that l2 rather than l4 was involved. Hiding the names of high provenance locations is not enough.

SLIDES 18-21

Provenance security

T satisfies provenance security for execution 〈l1=v1, …, ln=vn ; c〉 ⇒ v if:

〈l1=v1, …, ln=vn ; c〉 ⇒ v ⇝ T, and

for any high provenance li, there is an execution 〈l1=w1, …, ln=wn ; c〉 ⇒ v such that

if lj is low security then vj = wj (looks the same to the user)

〈l1=w1, …, ln=wn ; c〉 ⇒ v ⇝ T (same output, same partial provenance)

li involved in 〈l1=v1, …, ln=vn ; c〉 ⇒ v iff li not involved in 〈l1=w1, …, ln=wn ; c〉 ⇒ v (but li’s involvement is flipped)

Neither output v nor provenance T reveals which high provenance input locations were used.

SLIDES 22-26

Provenance security

The same definition applied to the earlier example:

〈… ; if (l1) then l2 + l3 else l4 + l5〉 ⇒ 5 ⇝ cond(l1,true, l2+l3)

with policies l1 : HL, l2 : HH, l3 : HL, l4 : HH, l5 : HL

Candidate partial traces:

cond(l1,true, l2+l3): names l2; not secure

cond(l1,true, □+l3): branch still visible, so l2 is always involved in any consistent execution; not secure

cond(l1,true, □): branch still visible; not secure

cond(l1, □, □): secure. An execution with l1 false and l4 + l5 = 5 has the same output 5, is consistent with T, and flips the involvement of both l2 and l4.

SLIDE 27

Conclusion

Need to understand provenance security, and its interactions with data security

This work: Formal definitions for provenance security

public data does not reveal sensitive provenance

public provenance does not reveal sensitive provenance

public provenance does not reveal sensitive data

Practical implications:

determining access control for provenance

consistency of security policies for data and provenance

Future work:

Moving from the T towards the P of TaPP