towards semantics for provenance security
play

Towards Semantics for Provenance Security Stephen Chong Harvard - PowerPoint PPT Presentation

Oct 25, 2023 •7 likes •277 views

Towards Semantics for Provenance Security Stephen Chong Harvard University TaPP 09 Provenance security Some data are sensitive Must ensure provenance does not reveal sensitive data E.g., John participated in medical study S reveals

  1. Towards Semantics for Provenance Security Stephen Chong Harvard University TaPP ’09

  2. Provenance security Some data are sensitive Must ensure provenance does not reveal sensitive data E.g., “John participated in medical study S” reveals “John has disease D” Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 2

  3. Provenance security Some data are sensitive Must ensure provenance does not reveal sensitive data E.g., “John participated in medical study S” reveals “John has disease D” Some provenance is sensitive Must ensure output does not reveal sensitive provenance E.g., Workshop referee reports should not contain name/email of referee Must ensure provenance does not reveal sensitive provenance E.g., If student in Disciplinary Hearing, then student’s advisor must attend. “Prof. Smith participated as an Advisor” may reveal “John participated as respondent” Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 2

  4. Provenance security Some data are sensitive Must ensure provenance does not reveal sensitive data E.g., “John participated in medical study S” reveals “John has disease D” Some provenance is sensitive Must ensure output does not reveal sensitive provenance E.g., Workshop referee reports should not contain name/email of referee Must ensure provenance does not reveal sensitive provenance E.g., If student in Disciplinary Hearing, then student’s advisor must attend. “Prof. Smith participated as an Advisor” may reveal “John participated as respondent” How do we know if we have security right? Complex interaction between information security and provenance Not well-understood Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 2

  5. Semantics for provenance security Goal: precise, useful, intuitive definitions of provenance security understand provenance security principles and mechanisms to apply in practice This work: Formal definitions for provenance security public data does not reveal sensitive provenance public provenance does not reveal sensitive provenance public provenance does not reveal sensitive data (public data does not reveal sensitive data) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 3

  6. Semantics for provenance security Goal: precise, useful, intuitive definitions of provenance security understand provenance security principles and mechanisms to apply in practice This work: Formal definitions for provenance security public data does not reveal sensitive provenance public provenance does not reveal sensitive provenance public provenance does not reveal sensitive data (public data does not reveal sensitive data) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 3

  7. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  8. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v Provenance T describes execution 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v ! T E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 ! x= l 1 ; cond(x,true, l 2 ) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  9. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v Provenance T describes execution 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v ! T Partial provenance: allow parts of T to be elided E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 cond(x,true, l 2 ) ! x= l 1 ; cond(x,true, l 2 ) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  10. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v Provenance T describes execution 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v ! T Partial provenance: allow parts of T to be elided E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 cond(x,true, " ) ! x= l 1 ; cond(x,true, l 2 ) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  11. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v Provenance T describes execution 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v ! T Partial provenance: allow parts of T to be elided E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 cond(x, " , " ) ! x= l 1 ; cond(x,true, l 2 ) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  12. Language model Simple language-based model (based on Cheney, Acar, Ahmed [2008]) Program c has input locations, produces single output 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v Provenance T describes execution 〈 l 1 = v 1 , …, l n = v n ; c 〉 � v ! T Partial provenance: allow parts of T to be elided E.g., 〈 l 1 =3, l 2 =5, l 3 =7 ; x = l 1 ; if (x) then l 2 else l 3 〉⇒ 5 ! x= l 1 ; cond(x,true, l 2 ) " Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 4

  13. Security policies Each input location has security policy for data and provenance e.g., � ( l 1 ) = LL � ( l 2 ) = LH � ( l 3 ) = HH Data security: Provenance security: H : High security (secret) H : High provenance (secret) L : Low security (public) L : Low provenance (public) Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 5

  14. Security policies Each input location has security policy for data and provenance e.g., � ( l 1 ) = LL � ( l 2 ) = LH � ( l 3 ) = HH User knows low security inputs, and is given output and partial provenance trace User should not learn high security data User should not learn which high provenance locations involved in computation What (partial) provenance can we give to user? Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 5

  15. First attempt We think T is secure for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and T does not contain any high provenance locations. Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 6

  16. First attempt We think T is secure for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and T does not contain any high provenance locations. E.g., 〈 … ; if ( l 1 ) then l 2 +l 3 else l 4 +l 5 〉⇒ 5 ! cond( l 1 ,true, l 2 +l 3 ) cond( l 1 ,true, l 2 +l 3 ) � ( l 1 ) = HL � ( l 2 ) = HH � ( l 3 ) = HL � ( l 4 ) = HH � ( l 5 ) = HL Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 6

  17. First attempt We think T is secure for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and T does not contain any high provenance locations. E.g., 〈 … ; if ( l 1 ) then l 2 +l 3 else l 4 +l 5 〉⇒ 5 ! cond( l 1 ,true, l 2 +l 3 ) cond( l 1 ,true, " +l 3 ) � ( l 1 ) = HL � ( l 2 ) = HH � ( l 3 ) = HL � ( l 4 ) = HH � ( l 5 ) = HL Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 6

  18. Provenance security T satisfies provenance security for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and for any high provenance l i , there is an execution 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v such that if l j is low security then v j = w j and 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v ! T and l i involved in 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v iff l i not involved in 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 7

  19. Provenance security T satisfies provenance security for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and for any high provenance l i , there is an execution 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v such that if l j is low security then v j = w j and 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v ! T and l i involved in 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v iff l i not involved in 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v Looks the same Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 7

  20. Provenance security T satisfies provenance security for execution 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v if: 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v ! T and for any high provenance l i , there is an execution 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v such that if l j is low security then v j = w j and 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v ! T and l i involved in 〈 l 1 = v 1 , …, l n = v n ; c 〉⇒ v iff l i not involved in 〈 l 1 = w 1 , …, l n = w n ; c 〉⇒ v Looks the same but l i not involved Towards Semantics for Provenance Security, Stephen Chong, Harvard University. 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p.

Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p.

Provenance -Only Integration Ashish Gehani Dawood Tariq SRI Provenance -Only Integration p. 1/13 Integration Challenges Metadata variation: Abstraction levels Completeness Identifiers Semantics Querying requires: Record assembly

683 views • 13 slides
Mind Your Metadata Exploiting Semantics for Configuration, Adaptation, and Provenance in

Mind Your Metadata Exploiting Semantics for Configuration, Adaptation, and Provenance in

Mind Your Metadata Exploiting Semantics for Configuration, Adaptation, and Provenance in Scientific Workflows Yolanda Gil Tom Harmon Pedro Szekely Sandra Villamizar Craig Knoblock UC Merced Varun Ratnakar Shubham Gupta Maria Muslea Fabio

844 views • 36 slides
Scalable Uncertainty Management 03 Provenance Rainer Gemulla May 18, 2012 Overview In this

Scalable Uncertainty Management 03 Provenance Rainer Gemulla May 18, 2012 Overview In this

Scalable Uncertainty Management 03 Provenance Rainer Gemulla May 18, 2012 Overview In this lecture Introduction to datalog What is provenance? Which types of provenance do exist? Lineage Why-provenance How-provenance How to

466 views • 43 slides
Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan Cheng, Dang Nguyen, Khalid Bijon, Ram Krishnan, Jaehong Park and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September

256 views • 12 slides
Provenance from the data provider view constructing provenance information for the APPLAUSE

Provenance from the data provider view constructing provenance information for the APPLAUSE

Provenance from the data provider view constructing provenance information for the APPLAUSE archive Anastasia Galkin Ole Streicher Kristin Riebe Harry Enke EDP Forum Heidelberg 2018 6 Constructing the provenance Used Used for or the

610 views • 15 slides
VERSIONING, VERSIONING, PROVENANCE, AND PROVENANCE, AND REPRODUCABILITY REPRODUCABILITY

VERSIONING, VERSIONING, PROVENANCE, AND PROVENANCE, AND REPRODUCABILITY REPRODUCABILITY

VERSIONING, VERSIONING, PROVENANCE, AND PROVENANCE, AND REPRODUCABILITY REPRODUCABILITY Christian Kaestner Required reading: Halevy, Alon, Flip Korn, Natalya F. Noy, Christopher Olston, Neoklis Polyzotis, Sudip Roy, and Steven Euijong

755 views • 46 slides
Provenance of astronomical data The IVOA Provenance Working Group: Catherine Boisson Franois

Provenance of astronomical data The IVOA Provenance Working Group: Catherine Boisson Franois

Provenance Data Model Provenance of astronomical data The IVOA Provenance Working Group: Catherine Boisson Franois Bonnarel Johan Bregeon Pierre Le Sidaner Julien Lefaucheur Mireille Louys Markus Nullmeier Ana Palacios Kristin Riebe

360 views • 22 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
PASS PASS Provenance-Aware Storage System Provenance-Aware Storage System Margo Seltzer, David

PASS PASS Provenance-Aware Storage System Provenance-Aware Storage System Margo Seltzer, David

PASS PASS Provenance-Aware Storage System Provenance-Aware Storage System Margo Seltzer, David Holland, Kiran-Kumar Muniswamy-Reddy, Uri Braun, and Jonathan Ledlie Harvard University What is Provenance? What is Provenance? What did the

336 views • 12 slides
Fine Grain Provenance Using Temporal Databases Outline of the talk Use case: Classic

Fine Grain Provenance Using Temporal Databases Outline of the talk Use case: Classic

<Insert Picture Here> Fine Grain Provenance Using Temporal Databases Outline of the talk Use case: Classic management of patient data Data types, queries History Security and context information Fine grain provenance

401 views • 19 slides
Provenance for Interactive Visualizations Fotis Psallidas Eugene Wu fotis@cs.columbia.edu

Provenance for Interactive Visualizations Fotis Psallidas Eugene Wu fotis@cs.columbia.edu

Provenance for Interactive Visualizations Fotis Psallidas Eugene Wu fotis@cs.columbia.edu ewu@cs.columbia.edu Provenance Primer Fine-Grained Provenance (Connections between input and output tuples) Provenance Primer Fine-Grained Provenance

392 views • 20 slides
Secure Data Provenance in Home Energy Monitoring Networks Ming Hong Chia, Sye Loong Keoh, Zhaohui

Secure Data Provenance in Home Energy Monitoring Networks Ming Hong Chia, Sye Loong Keoh, Zhaohui

Secure Data Provenance in Home Energy Monitoring Networks Ming Hong Chia, Sye Loong Keoh, Zhaohui Tang 1 Outline Data Provenance and Smart Metering Security Threats and Requirements Proposed Architecture Threshold Cryptography

368 views • 22 slides
Provenance Analytics and Visualization Juliana Freire VisTrails Group & Web and Databases

Provenance Analytics and Visualization Juliana Freire VisTrails Group & Web and Databases

Provenance Analytics and Visualization Juliana Freire VisTrails Group & Web and Databases Lab Provenance Analytics: Opportunities Provenance beyond reproducibility Opportunity for knowledge discovery, sharing and re-use Query

475 views • 13 slides
Provenance Tracking in CXXR Chris A. Silles Andrew R. Runnalls Computing Laboratory, University

Provenance Tracking in CXXR Chris A. Silles Andrew R. Runnalls Computing Laboratory, University

Provenance Tracking in CXXR Chris A. Silles Andrew R. Runnalls Computing Laboratory, University of Kent, UK Introduction Provenance CXXR Provenance-Aware CXXR Conclusion Outline 1 Introduction 2 Provenance CXXR 3 Provenance-Aware

980 views • 97 slides
Whats the Problem? What does it mean to collect provenance when you dont control:

Whats the Problem? What does it mean to collect provenance when you dont control:

Provenance in the Wild Peter Macko, Margo Seltzer June 14, 2012 Whats the Problem? What does it mean to collect provenance when you dont control: The data (types, format, organization, structure) The operators The

445 views • 10 slides
Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is

Operational Semantics 1 / 14 Outline What is semantics? Operational Semantics What is semantics? 2 / 14 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the meaning of

588 views • 14 slides
Opening up Climate Research: a linked data approach to publishing data provenance Brian

Opening up Climate Research: a linked data approach to publishing data provenance Brian

Opening up Climate Research: a linked data approach to publishing data provenance Brian Matthews, STFC e-Science Arif Shaon (STFC ESC), Sarah Callaghan (STFC - CEDA), Bryan Lawrence (STFC - CEDA), Andrew Woolf (B. of Met, Aus),Tim Osborn (UEA

466 views • 17 slides
Tow ards a Model of Tow ards a Model of Provenance and User View s Provenance and User View s

Tow ards a Model of Tow ards a Model of Provenance and User View s Provenance and User View s

Tow ards a Model of Tow ards a Model of Provenance and User View s Provenance and User View s in Scientific W orkflow s in Scientific W orkflow s Shirley Cohen Sarah Cohen-Boulakia Susan Davidson University of Pennsylvania DILS06 July,

775 views • 20 slides
Provenance Yael Amsterdamer, Susan B. Davidson, Daniel Deutch Tova Milo, Julia Stoyanovich, Val

Provenance Yael Amsterdamer, Susan B. Davidson, Daniel Deutch Tova Milo, Julia Stoyanovich, Val

Putting Lipstick on Pig: Enabling Database-style Workflow Provenance Yael Amsterdamer, Susan B. Davidson, Daniel Deutch Tova Milo, Julia Stoyanovich, Val Tannen Presented by GuozhangWang DB Lunch, Apr. 23rd, 2012 A Story of How Research

847 views • 36 slides
Diagnosing Missing Events in Distributed Systems with Negative Provenance Yang Wu* Mingchen Zhao*

Diagnosing Missing Events in Distributed Systems with Negative Provenance Yang Wu* Mingchen Zhao*

Diagnosing Missing Events in Distributed Systems with Negative Provenance Yang Wu* Mingchen Zhao* Andreas Haeberlen* Wenchao Zhou + Boon Thau Loo* * University of Pennsylvania + Georgetown University 1 Motivation: Network debugging - Example:

503 views • 32 slides
Understanding and Exploring: Recommendations, Provenance, and Open Data Rachel Pottinger

Understanding and Exploring: Recommendations, Provenance, and Open Data Rachel Pottinger

Understanding and Exploring: Recommendations, Provenance, and Open Data Rachel Pottinger University of British Columbia Rachel Pottinger http://www.cs.ubc.ca/~rap About this talk This talk is a mix of an overview of what my students and

105 views • 10 slides
Privacy Issues of Privacy Issues of Provenance in Provenance in Electronic Healthcare

Privacy Issues of Privacy Issues of Provenance in Provenance in Electronic Healthcare

Tam s s Kifor Kifor, , Tam L szl szl Z. Z. Varga Varga, , L Sergio lvarez lvarez, , Sergio Javier V V zquez zquez- -Salceda Salceda, , Javier Steven Willmott Willmott Steven Privacy Issues of

470 views • 20 slides
Propagation and Provenance Need to go Beyond . . . Model Fusion: We . . . of Uncertainty in

Propagation and Provenance Need to go Beyond . . . Model Fusion: We . . . of Uncertainty in

Outline Need for Uncertainty . . . Case Study: Seismic . . . Propagation and Provenance Need to go Beyond . . . Model Fusion: We . . . of Uncertainty in Optimal Stationary . . . Dynamic Sensors: . . . Cyberinfrastructure-Related Home Page

391 views • 24 slides
Language-integrated Provenance Stefan Fehrenbach James Cheney PPDP 2016 A database Agencies

Language-integrated Provenance Stefan Fehrenbach James Cheney PPDP 2016 A database Agencies

Language-integrated Provenance Stefan Fehrenbach James Cheney PPDP 2016 A database Agencies oid name based_in phone 1 EdinTours Edinburgh 8740 2489 123 2 Burnss Glasgow 9307 2394 104 ExternalTours oid name destination type

737 views • 39 slides

More recommend