Authorization, Audit, and Provenance in the AURA System

Similar documents
AURA: A language with authorization and audit

Aura: Programming with Authorization and Audit

Chapter 23. Database Security. Security Issues. Database Security

Chapter 23. Database Security. Security Issues. Database Security

1 Construction of CCA-secure encryption

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Sharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment

Module 7 Security CS655! 7-1!

Lecture 9 - Message Authentication Codes

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

CPSC 467b: Cryptography and Computer Security

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Introduction to Cryptography

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

First Semester Examinations 2011/12 INTERNET PRINCIPLES

An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud

OpenAutonomy Authentication

1 Message Authentication

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography: Authentication, Blind Signatures, and Digital Cash

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Database Security. The Need for Database Security

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

THE UNIVERSITY OF TRINIDAD & TOBAGO

Chapter 37. Secure Networks

2 Protocol Analysis, Composability and Computation

Certificate Based Signature Schemes without Pairings or Random Oracles

Electronic Voting Protocol Analysis with the Inductive Method

Secure cloud access system using JAR ABSTRACT:

Provable-Security Analysis of Authenticated Encryption in Kerberos

Overview of Public-Key Cryptography

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Princeton University Computer Science COS 432: Information Security (Fall 2013)

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

CSE/EE 461 Lecture 23

SECURITY ENHANCEMENT OF GROUP SHARING AND PUBLIC AUDITING FOR DATA STORAGE IN CLOUD

How To Encrypt Data With Encryption

E-Democracy and e-voting

CS Computer Security Third topic: Crypto Support Sys

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Crypho Security Whitepaper

1 Signatures vs. MACs

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Network Security Technology Network Management

Cyber Security Workshop Encryption Reference Manual

Journal of Electronic Banking Systems

Shor s algorithm and secret sharing

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

How To Use A College Computer System Safely

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

The application of prime numbers to RSA encryption

Concepts of Database Management Seventh Edition. Chapter 7 DBMS Functions

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Authentication Types. Password-based Authentication. Off-Line Password Guessing

A Secure Decentralized Access Control Scheme for Data stored in Clouds

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

SHARED DATA & INDENTITY PRIVACY PRESERVING IN CLOUD AND PUBLIC AUDITING

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Trust but Verify: Authorization for Web Services. The University of Vermont

What is network security?

G.J. E.D.T.,Vol.3(1):43-47 (January-February, 2014) ISSN: SUODY-Preserving Privacy in Sharing Data with Multi-Vendor for Dynamic Groups

DNS security: poisoning, attacks and mitigation

Advanced Topics in Cryptography and Network Security

MACs Message authentication and integrity. Table of contents

CS 758: Cryptography / Network Security

COSC 472 Network Security

Cryptography: RSA and Factoring; Digital Signatures; Ssh

Lecture 5 - CPA security, Pseudorandom functions

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

CIS 551 / TCOM 401 Computer and Network Security

7 Key Management and PKIs

Lecture 2: Complexity Theory Review and Interactive Proofs

Improving data integrity on cloud storage services

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

Chapter 6 Electronic Mail Security

Combined Proxy Re-Encryption

Network Security. HIT Shimrit Tzur-David

Cryptography and Network Security: Summary

IT Networks & Security CERT Luncheon Series: Cryptography

Snare System Version Release Notes

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Transcription:

Authorization, Audit, and Provenance in the AURA System Jeff Vaughan Department of Computer and Information Science University of Pennsylvania Symposium on Provenance in Software Systems March 30, 2009

1/27

Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. 2/27

Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. What I ll talk about today. 2/27

Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. What I ll talk about today. 2/27

What am I doing here? 3/27

What am I doing here? A Definition Provenance:... 3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary 3/27

What am I doing here? A Definition Provenance:... 3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary 3/27

What am I doing here? A Definition Provenance:... 3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary What I d like to learn about this week. 3/27

Outline 1 An overview of AURA 2 Auditing access control 3 Auditing and confidentiality 4 Conclusion 4/27

A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

A distributed access control example (DancingQueen, Alice) Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

The Record Company s (RecCo) Music Policy Policy Statement (Simple): Songs have one or more owners. An owner may authorize principals to play songs he owns. 6/27

The Record Company s (RecCo) Music Policy Policy Statement (Simple): Songs have one or more owners. An owner may authorize principals to play songs he owns. Policy Enforcement Problems (Hard): distributed decision making mutual distrust prominent use of delegation 6/27

AURA: Enforce policy with proof carrying access control. Programs build proofs attesting to their access rights. Proof components standard rules of inference evidence capturing principal intent (e.g. signatures) Hypothesis: Proofs are provenance metadata! AURA runtime: checks proof structure (well-typedness) logs appropriate proofs for later audit Proof Carrying Authentication [Appel+ 93], Grey Project [Bauer+ 05], Aura [CSF 08, ICFP 08] 7/27

AURA s says constructor represents affirmation. Notation p : P means p is a proof of P. The proposition principal Alice affirms proposition P. Alice says P Principals actively affirm propositions with signatures. sign(alice, P): Alice says P Principals are rational. When p: P, return Alice p: Alice says P DCC [Abadi+ 06], Logic with Explicit Time [DeYoung+ 08] 8/27

Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) 9/27

Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) Example (Bob acts for Alice only regarding jazz) Alice says ((s: Song) isjazz s Bob says (MayPlay Bob s) MayPlay Bob s) 9/27

Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) Example (Bob acts for Alice only regarding jazz) Alice says ((s: Song) isjazz s Bob says (MayPlay Bob s) MayPlay Bob s) Example (Kernel allows RPC calls on endorsed strings) (A: prin) (x: string ) A says (valid x) Kernel says (oktorpc x) 9/27

Encoding music policy using says. sharerule RecCo says ( (o: prin) (s: Song) (r: prin) (Owns o s) (o says (MayPlay r s)) (MayPlay r s))) playfor: (s: Song) (p: prin) pf (RecCo says (MayPlay p s)) Unit 10/27

Encoding music policy using says. sharerule RecCo says ( (o: prin) (s: Song) (r: prin) (Owns o s) (o says (MayPlay r s)) (MayPlay r s))) playfor: (s: Song) (p: prin) pf (RecCo says (MayPlay p s)) Unit Key Property A program can only call playfor when it has an appropriate access control proof. 10/27

Using the RecCo policy. 11/27

Using the RecCo policy. RecCo Server (Aura Code) Server Log 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. sign(recco, sharerule): RecCo says sharerule 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. sign(recco, say (Owns Alice TakeFive) Owns Alice TakeFive) 11/27

Using the RecCo policy. sign(recco,...) sign(recco,...) 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. RecCo says... sharerule...... Alice says... RecCo says (MayPlay Bob, TakeFive) p 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. Auditor 11/27

Using the RecCo policy. 11/27

Using the RecCo policy. Signatures used to grant Bob access to TakeFive: sign(recco,sharerule): RecCo says sharerule sign(alice,...) sign(recco,...) 11/27

Auditing access control 12/27

When something unexpected happens: look at the log. System design guarantees a one-to-one correspondence between log entries and resource state changes. If a A s signature does not appear in a log entry, she could not have caused the associated action. Problem: Malicious principals can try to hinder audit with confusing proofs and irrelevant signatures. 13/27

Sample proofs, clear and convoluted. Assume we have signatures sign(a, P) and sign(b, Q). Example (A convoluted proof of A says P). A says P B says Q A says P B says Q A says P A says P A says P B says Q Proposition B says Q is logically irrelevant. 14/27

Sample proofs, clear and convoluted. Assume we have signatures sign(a, P) and sign(b, Q). Example (A convoluted proof of A says P). A says P B says Q A says P B says Q A says P A says P A says P B says Q Proposition B says Q is logically irrelevant. Example (A clear proof of A says P) A says P (By signature.) 14/27

Proof reduction eliminates irrelevant information. Proof reduction schemes transform complicated proofs to simple ones. [Gentzen 35] Reduction can easily be stated by writing proofs in lambda-calculus notation. [Curry 58], [Howard 80] Example (λ x.λ y.y) (sign(a, P)) (sign(b, Q)) convoluted sign(a, P) clear 15/27

Proof reduction is a total, deterministic algorithm. AURA 0 is a model of AURA proofs and propositions. Theorem (Confluence for AURA 0 ) If p p 1, and p p 2, then there exists p 3 such that p 1 p 3 and p 2 p 3. That is, different reduction strategies can always reconverge. Theorem (Strong Normalization for AURA 0 ) If Γ 0 p : s, then p is strongly normalizing. That is, reduction sequences starting with p halt. 16/27

Auditing and confidentiality 17/27

AURA conf extends AURAfor handling confidential data. The real-world contains lots of confidential information. Financial, medical, social data... Data leaks have consequences: legal, financial.... Goals of AURA conf Establish a natural connection between confidential expressions and cryptography. Minimize disruptive changes to AURA s design. Provide for relevant auditing decryption failures are interesting. Work in progress. 18/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 19/27

Thinking about decryption failures. 1000101 1000101 1111111 1111111 1111111 Bob lacks sufficient information to analyze decryption failures. 19/27

AURA conf will assign blame using evidence. Ciphertexts can be represented as bit strings Bit Strings B ::= 0 1 00 01 10... Justified cast: Assign types to bit strings using evidence. p : pf B says (B isa t for A) B p : t for A Key Idea Principal A, can check if B decrypts properly, yielding a t. If not, she assigns blame to B using proof p. 20/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice 1111111 21/27

Auditing crypto. failures improves reliability & security. Understanding decryption failures can help answer the following questions. Is a host or a network error the source of invalid ciphertexts? Which host is sending bad data? Are hosts endorsing ciphertexts against policy? Where was B isa t signed? Are unexpected messages due to bugs, or an attack? 22/27

Conclusion 23/27

Questions and half-baked ideas. 24/27

Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? 24/27

Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? 24/27

Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? Key/signature revocation are tricky in AURA s setting. Can we treat revocation by associating keys (signatures) with provenance metadata? 24/27

Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? Key/signature revocation are tricky in AURA s setting. Can we treat revocation by associating keys (signatures) with provenance metadata? There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved? 24/27

Conclusion AURA proofs describe how why and how events occur. Provenance describes why and how results are included in a query. I m looking forward to learning from everyone here! Interpreter, Coq scripts, and papers available from http://www.cis.upenn.edu/~stevez/sol/aura.html 25/27

Acknowledgments Thank you to all my collaborators on this work! Limin Jia Karl Mazurak Joseph Schorr Luke Zarko Steve Zdancewic Jianzhou Zhao 26/27

Access control and audit replace trust with scrutiny.

Access control and audit replace trust with scrutiny.

Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Typed Interface Typed Interface Log

Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Trusted Computing Base Log

Access control and audit replace trust with scrutiny. Custom Code and Policy sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

Access control and audit replace trust with scrutiny.

Access control and audit replace trust with scrutiny. Custom & Trusted sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

Access control and audit replace trust with scrutiny. Custom & Trusted sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource All evidence used for access grants is logged. Log

Strong normalization proof sketch Fact The Calculus of Constructions with dependent pairs is SN. [Geuvers 95] Proof Idea Show AURA 0 reductions can be simulated in a terminating system based on Constructions. p 0 p 1 p 2 [[ ]] [[ ]] [[ ]] t 0 cc t 1 cc t 1 cc t 2 cc

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information