updatable security views
play

Updatable Security Views Nate Foster Benjamin Pierce Steve - PowerPoint PPT Presentation

Mar 30, 2023 •319 likes •728 views

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania IBM PLDay 09 2 2 Pennsylvania yanks voter site after data leak Passport applicant finds massive privacy breach Privacy issue

  1. Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania IBM PLDay ’09

  2. 2

  3. 2

  4. “Pennsylvania yanks voter site after data leak” “Passport applicant finds massive privacy breach” “Privacy issue complicates push to link medical data” 3

  5. Security Views Regraded Confidential view source S V 4

  6. Security Views Regraded Confidential view source S V ✔ Robust: impossible to leak hidden data ✔ Flexible: enforce fine-grained confidentiality policies 4

  7. Security Views Regraded Confidential view source S V ✔ Robust: impossible to leak hidden data ✔ Flexible: enforce fine-grained confidentiality policies ✗ Not usually updatable ✗ No separate specification of confidentiality policy 4

  8. Updatable Security Views Regraded Confidential view source S V update Updated V ✔ Robust: impossible to leak hidden data ✔ Flexible: enforce fine-grained confidentiality policies ✗ Not usually updatable ✗ No separate specification of confidentiality policy 4

  9. Updatable Security Views Regraded Confidential view source S V Updated Updated S V ✔ Robust: impossible to leak hidden data ✔ Flexible: enforce fine-grained confidentiality policies ✗ Not usually updatable ✗ No separate specification of confidentiality policy 4

  10. This Talk A generic framework for building updatable security views. • Extends previous work on lenses. • New non-interference laws provide additional guarantees about confidentiality and integrity. A concrete instantiation of these ideas in Boomerang, a language for writing lenses on strings. • Annotated regular expressions express confidentiality and integrity policies. 5

  11. Lenses

  12. Bidirectional Transformations For a view to be updatable, the program that defines it needs to be bidirectional. 7

  13. Lenses In recent years, we have developed a number of bidirectional pro- gramming languages for describing certain well-behaved transfor- mations called lenses. lens 7

  14. Lenses: Terminology In recent years, we have developed a number of bidirectional pro- gramming languages for describing certain well-behaved transfor- mations called lenses. get 7

  15. Lenses: Terminology In recent years, we have developed a number of bidirectional pro- gramming languages for describing certain well-behaved transfor- mations called lenses. put 7

  16. Semantics A lens l mapping between a set S of sources and V of view is a pair of total functions ∈ S → V l . get ∈ V → S → S l . put obeying “round-tripping” laws l . get ( l . put v s ) = v ( PutGet ) l . put ( l . get s ) s = s ( GetPut ) for every s ∈ S and v ∈ V . 8

  17. Boomerang strings Data model: strings Computation model: based on finite-state transducers Types: regular expressions 9

  18. Example: Redacting Calendars (Get) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 10

  19. Example: Redacting Calendars (Update) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 08:30 BUSY 12:15 PLClub 15:00 BUSY 16:00 Meeting 11

  20. Example: Redacting Calendars (Put) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClub 12:15 PLClub (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 16:00 Meeting 16:00 Meeting (Unknown) 12

  21. Secure Lenses

  22. Requirements Regraded Confidential view source S V Updated Updated S V 1. Confidentiality: get does not leak secret data 2. Integrity: put does not taint endorsed data 14

  23. Example: Redacting Calendars (Get) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 15

  24. Example: Redacting Calendars (Update II) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 08:30 Meeting 12:15 PLClub 16

  25. Example: Redacting Calendars (Put II) 08:30 BUSY *08:30 Coffee with Sara (Starbucks) 12:15 PLClu 12:15 PLClu (Seminar room) 15:00 BUSY *15:00 Workout (Gym) 08:30 Meeting 08:30 Meeting (Unknown) 12:15 PLClub 12:15 PLClub (Seminar room) Observe that propagating the update to the view back to the source forces put to modify a lot of hidden source data: • The entire appointment at 3pm. • The description and location of the appointment at 8:30am. 17

  26. Integrity Question: should the (potentially untrusted) user of the view be allowed to modify hidden (potentially confidential) source data? Answer: It depends → we need to be able to formulate and choose between integrity policies like • “These appointments in the source may be altered” • “These appointments in the source may not be altered (and so the view must not be modified in certain ways)” 18

  27. Non-interference Both requirements can both be formulated as non-interference. High High Low Low A transformation is non-interfering if the low-security parts of the output do not depend on the high-security parts of the input. 19

  28. Non-interference Both requirements can both be formulated as non-interference. High High Low Low A transformation is non-interfering if the low-security parts of the output do not depend on the high-security parts of the input. E.g., if the data contains “tainted” and “endorsed” portions Tainted Tainted Endorsed Endorsed then non-interference says that the tainted parts of the input do not affect the endorsed parts of the output. 19

  29. Non-interference Both requirements can both be formulated as non-interference. High High Low Low A transformation is non-interfering if the low-security parts of the output do not depend on the high-security parts of the input. E.g., if the data contains both “secret” and “public” portions Secret Secret Public Public then non-interference says that the secret parts of the input do not affect the public parts of the output. 19

  30. Secure Lenses Secret Secret Public Public Endorsed Endorsed Tainted Tainted 20

  31. Secure Lenses Secret Public Public Endorsed Tainted Tainted 20

  32. Semantics of Secure Lenses Fix a family of equivalence relations on S and V • ∼ k — “agree on k -public data” • ≈ k — “agree on k -endorsed data” that capture notions of high and low-security data. 21

  33. Semantics of Secure Lenses Fix a family of equivalence relations on S and V • ∼ k — “agree on k -public data” • ≈ k — “agree on k -endorsed data” that capture notions of high and low-security data. A secure lens obeys refined behavioral laws: s ∼ k s ′ ( GetNoLeak ) l . get s ∼ k l . get s ′ v ≈ k ( l . get s ) ( GetPut ) l . put v s ≈ k s (as well as the original PutGet law). 21

  34. Protocol for Using a Secure Lens Before the owner of the source allows the user of the view to propagate an update using put , they check that the old and new views agree on endorsed data. The GetPut law v ≈ k ( l . get s ) l . put v s ≈ k s ensures that endorsed data in the source is preserved. Enforces high-level integrity policies such as • “These appointments in the source may be altered” • “These appointments in the source may not be altered...” 22

  35. For Experts: the PutPut Law The following law can be derived. v ′ ≈ k v ≈ k ( l . get s ) l . put v ′ ( l . put v s ) ≈ k l . put v ′ s It says that the put function must have no “side-effects” on endorsed source data. It relaxes the “constant complement” condition, which is the gold standard for correct view update in databases. 23

  36. Syntax for Secure Lenses In Boomerang, we describe the ∼ k and ≈ k equivalence relations using annotated regular expressions. R ::= ∅ | u | R·R | R|R | R∗ | R : k The relations are based on an intuitive notion of “erasing” characters inaccessible to a k -observer... 24

  37. Syntax for Secure Lenses In Boomerang, we describe the ∼ k and ≈ k equivalence relations using annotated regular expressions. R ::= ∅ | u | R·R | R|R | R∗ | R : k The relations are based on an intuitive notion of “erasing” characters inaccessible to a k -observer... See paper for: • A secure lens version of Boomerang’s type system that tracks information flow—in two directions! • An extension to this type system that uses a combination of static and dynamic checks to ensure integrity. 24

  38. Conclusion Summary: • Data processing is a fertile area for exploring language-based approaches to security. • Secure lenses provide a reliable framework for constructing updatable security views. • Mechanisms for ensuring the integrity of data are critical. Ongoing Work: • Type system implementation • Applications • Other semantics for annotated regular types • Investigate expressiveness vs. precision 25

  39. Thank You! Collaborators: Benjamin Pierce and Steve Zdancewic. Want to play? Boomerang is available for download. • Source code (LGPL) • Precompiled binaries • Research papers • Tutorial and demos http://www.seas.upenn.edu/~harmony/ 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure Updatable Encryption with Integrity Protection. EUROCRYPT 2019 M Klooss, A Lehmann, A Rupp Updatable Encryption with Post-Compromise Security. EUROCRYPT

1.08k views • 46 slides
Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM Research Zurich Motivation | Outsourced Storage Data owner stores encrypted data at (untrusted) data host symmetric encryption Proactive

763 views • 24 slides
Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

1.2k views • 109 slides
Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

1.5k views • 97 slides
Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard

Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard

Views 2 Designing the user interface Roy Scholten hi Views . Views 2 Views 2 have you heard of it? Views 2 have you heard of it? (views 1) Problem: How to avoid the humongous scrolling form of death? ping Huh? Inventory round 1:

952 views • 76 slides
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth,

Updatable and Universal Common Reference Strings with Applications to zk-SNARKs Jens Groth, Markulf Kohlweiss, Mary Maller, Sarah Meiklejohn, Ian Miers. Crypto - 23/08/2018 Our Goal Find a better method than trusted setups for generating the

889 views • 59 slides
Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and Technology (NTNU), Norway 2 Bergische Universitt Wuppertal, Germany 1 Colin Boyd 1 Gareth T. Davies 2 Kristian Gjsteen 1 Yao Jiang 1 Table of contents

578 views • 46 slides
Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency ASIACRYPT 2013 Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park and Moti Yung Korea University, US Naval Academy, Korea

993 views • 26 slides
Disclaimers My personal views and opinions may not represent the position(s) of my employers.

Disclaimers My personal views and opinions may not represent the position(s) of my employers.

How to stop worrying about Application Container Security (v2) Brian Andrzejewski Information System Security Architect Twitter: @DevSecOpsGeer LinkedIn: https://www.linkedin.com/in/bandrzej Disclaimers My personal views and opinions may

526 views • 24 slides
Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys Prastudy Fauzi, Sarah

Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys Prastudy Fauzi, Sarah

Quisquis: An Anonymous Cryptocurrency Based on Updatable Public Keys Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi @claudiorlandi Blockchain Research Applications Smart Contracts Transaction Layer This talk Consensus

578 views • 29 slides
UC Updatable Databases and Applications AFRICACRYPT 2020 Aditya Damodaran and Alfredo Rial SnT,

UC Updatable Databases and Applications AFRICACRYPT 2020 Aditya Damodaran and Alfredo Rial SnT,

UC Updatable Databases and Applications AFRICACRYPT 2020 Aditya Damodaran and Alfredo Rial SnT, University of Luxembourg Supported by the Luxembourg National Research Fund (FNR) CORE project C17/11650748 Index 1. Signature Schemes in PPB

734 views • 26 slides
HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang, Heiner Litz, David R. Cheriton Stanford University DAMON14 Database Indexing Databases use precomputed indexes to speed up processing avoid

518 views • 18 slides
Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable

Tight Upper and Lower Bounds for Leakage-Resilient Locally Decodable and Updatable Non-Malleable Codes Dana Dachman-Soled University of Maryland Joint work with: Mukul Kulkarni and Aria Shahverdi, University of Maryland Talk is also based on

572 views • 35 slides
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness Lisa Yang MIT Based on joint

Delegation with Updatable Unambiguous Proofs and PPAD-Hardness Lisa Yang MIT Based on joint

Delegation with Updatable Unambiguous Proofs and PPAD-Hardness Lisa Yang MIT Based on joint work with Yael Tauman Kalai and Omer Paneth time computation = ? Delegation () = y Proof checks in time

537 views • 18 slides
Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr-University, Bochum Security Researcher

550 views • 40 slides
XML Security Views Queries, Updates, and Schema Beno t Groz University of Lille, Mostrare

XML Security Views Queries, Updates, and Schema Beno t Groz University of Lille, Mostrare

XML Security Views Queries, Updates, and Schema Beno t Groz University of Lille, Mostrare INRIA PhD defense, October 2012 Beno t Groz (Mostrare) XML Security Views PhD defense, October 2012 1 / 45 Talk Outline Context 1

926 views • 76 slides
Learning in Robotic Systems Robotic Agents @ Allegheny College Janyl Jumadinova November 27,

Learning in Robotic Systems Robotic Agents @ Allegheny College Janyl Jumadinova November 27,

Learning in Robotic Systems Robotic Agents @ Allegheny College Janyl Jumadinova November 27, 2019 Janyl Jumadinova Learning in Robotic Systems November 27, 2019 1 / 13 Reinforcement Learning Basic idea: Receive feedback in the form of

442 views • 16 slides
Gym: A VNF Testing Framework - Design and Prototype Insights Prof. Christian Rothenberg Raphael

Gym: A VNF Testing Framework - Design and Prototype Insights Prof. Christian Rothenberg Raphael

Gym: A VNF Testing Framework - Design and Prototype Insights Prof. Christian Rothenberg Raphael Vicente Rosa Claudio Bertoldo Jan-2017 University of Campinas (UNICAMP), Brazil in technical collaboration with Ericsson Research Imagine an

452 views • 19 slides
2020 Budget Hearing 9/17/19 1 2020 Budgets 2020 Budgets advertised for the following four

2020 Budget Hearing 9/17/19 1 2020 Budgets 2020 Budgets advertised for the following four

2020 Budget Hearing 9/17/19 1 2020 Budgets 2020 Budgets advertised for the following four funds - o Education Fund o Operations Fund o Debt Service Fund o Rainy Day Fund Footer Text 9/17/19 2 Budget Process *Estimating expenditures

634 views • 19 slides
Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning Methods) Peter Henderson Statistical Society of Canada Annual Meeting 2018 Contributors Riashat Islam Phil Bachman Doina Precup David Meger Joelle

850 views • 37 slides
2019 Obstetrics and Gynecology Update: What Does the Evidence Tell Us? October 16-18, 2019

2019 Obstetrics and Gynecology Update: What Does the Evidence Tell Us? October 16-18, 2019

Department of Obstetrics, Gynecology, and Reproductive Sciences University of California, San Francisco School of Medicine presents 2019 Obstetrics and Gynecology Update: What Does the Evidence Tell Us? October 16-18, 2019 Marines Memorial

283 views • 11 slides
Process Mining in Healthcare Ronny Mans Introduction This talk: Applicability of Process

Process Mining in Healthcare Ronny Mans Introduction This talk: Applicability of Process

Process Mining in Healthcare Ronny Mans Introduction This talk: Applicability of Process Mining in the healthcare domain Challenges -> Results from applying Process Mining in the AMC 23-9-2010 PAGE 1 Overview Introduction

740 views • 45 slides
MITO 8; ENGOT Ov-1 A phase III international multicenter randomized study testing the effect on

MITO 8; ENGOT Ov-1 A phase III international multicenter randomized study testing the effect on

Closed Trial status update MITO 8; ENGOT Ov-1 A phase III international multicenter randomized study testing the effect on survival of prolonging platinum-free interval in patients with ovarian cancer recurring between 6 and 12 months after

93 views • 5 slides
Gynecologic Cancer Disparities Lee-may Chen, MD John A. Kerner Distinguished Professor in

Gynecologic Cancer Disparities Lee-may Chen, MD John A. Kerner Distinguished Professor in

Disclosures UCSF Helen Diller Family Comprehensive Cancer Center I have no financial disclosures Gynecologic Cancer Disparities Lee-may Chen, MD John A. Kerner Distinguished Professor in Gynecologic Oncology Department of Obstetrics,

240 views • 11 slides

More recommend