Posted on 04-Jan-2016


Lightweight Consistency Enforcement Schemes for Distributed Proofs with Hidden Subtrees

Adam J. Lee, Kazuhiro Minami, and Marianne Winslett

University of Illinois at Urbana-Champaign

June 21, 2007

http://dais.cs.uiuc.edu/dais/security

2

Distributed proof system

[Figure: peers P0, P1, P2, P3, each with its own knowledge base]

Construct a proof in a peer-to-peer way

Each peer maintains local security policies


4

Distributed proof system

[Figure: peers P0, P1, P2, P3 in domains A, B, C and D, each holding its own security policies]

5

Distributed proof system

[Figure: the querier P0 asks ?grant(alice, database) and gets true; the proof relies on ?location(alice, hospital), answered true by the location server P2, and ?role(alice, doctor), answered true by the role server P3]

6

Policy Directed Proof Construction

Integrity trust

Confidentiality trust


8

Temporal Consistency Issue in Distributed Proving

[Figure: projector in Room 2124]

Access control policy: "Show medical records if only Alice is in the room and the door is locked."

9

Consistency Issue in Distributed Proving

[Figure, time T1: the querier P0 asks ?grant(alice, projector); the subquery ?occupancy_one(2124, alice) goes to the location server P2. Only Alice is in Room 2124, the door is open, and the answer is true.]

10

Consistency Issue in Distributed Proving

[Figure, time T2: Bob has entered Room 2124 and the door is now locked; the earlier answer true for ?occupancy_one(2124, alice) is still in hand.]

11

Consistency Issue in Distributed Proving

[Figure, time T3: the subquery ?locked(2124) goes to the door sensor P3 and returns true. Both subproofs read true, ?grant(alice, projector) is answered true, and the medical records are shown while Bob is in the room.]

12

Incremental evaluation of fact validity may not be enough

[Timeline over T1, T2, T3: "Only Alice in room 2124" holds at T1; "Door locked" holds at T3]

13

View Consistency Problem

How to enforce temporal consistency based on the local view of a querier?

Challenges:
• The validity of a statement fluctuates dynamically
• No clock synchronization across different hosts
• Possible hidden subproof from a querier

14

View and fact state

View V is a set of fact states. Fact state s is a tuple that contains
• fact id
• time interval
• interval type: {Concrete, Fuzzy}
  • Concrete: fact f is valid at all times t in the interval
  • Fuzzy: fact f is valid at some (possibly unknown) time in the interval

15

Three Levels of View Consistency

[Figure: a view V may satisfy incremental consistency, query consistency or interval consistency, shown in order of increasing restrictiveness]

16

Enforcement Algorithm for Query Consistency

Each fact provider returns a pair (f, d) where d is the duration of the fact's validity

[Figure: message exchange between querier and fact provider]


18

Motivation towards Interval Consistency Enforcement

The query consistency algorithm could miss many valid proofs if proof construction takes a long time

May want to keep track of authorization continuously

19


[Figure: first responder]

20

Approach for Interval Consistency

[Figure: the querier sends Query to the fact provider and gets True, which yields a fuzzy interval; it later sends Verify and again gets True, another fuzzy interval; the concrete interval lies between the two]

Recheck the validity of a constructed proof
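As an added illustration (not code from the slides or from the authors' Java system), the fact-state model of slide 14 and the three consistency levels of slides 15, 16 and 20, written in Python. All names are assumptions, all times are on the querier's own clock, and treating delta (the maximum clock drift drawn on backup slide 37) as a worst-case offset is my assumption; the slides only say that it bounds the drift.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FactState:
    # Entry of a view V (slide 14): fact id, interval on the querier's clock,
    # concrete (valid at every instant) or fuzzy (valid at some unknown instant).
    fact: str
    start: float
    end: float
    concrete: bool

def state_from_answer(fact, t_send, t_recv, d, delta):
    """Strongest fact state the querier can justify from an answer (f, d) that
    was produced at an unknown instant of [t_send, t_recv] and promises d more
    seconds of validity on the provider's clock. Assumption (the slides only
    say delta bounds clock drift): delta is a worst-case offset, so validity is
    guaranteed on our clock from t_recv until t_send + d - delta."""
    guaranteed_end = t_send + d - delta
    if guaranteed_end >= t_recv:
        return FactState(fact, t_recv, guaranteed_end, True)
    return FactState(fact, t_send, t_recv, False)  # only the round trip: fuzzy

def incremental_consistent(view):
    """Weakest level: each fact held at some time during its own check."""
    return all(s.start <= s.end for s in view)

def query_consistent(view, t_begin, t_end):
    """Some single instant in [t_begin, t_end] lies inside every fact's
    concrete interval. A fuzzy state gives no guaranteed instant, so the
    check fails conservatively (this is what goes wrong on slides 9-12)."""
    if not all(s.concrete for s in view):
        return False
    lo = max([t_begin] + [s.start for s in view])
    hi = min([t_end] + [s.end for s in view])
    return lo <= hi

def interval_consistent(view, t_begin, t_end):
    """Strongest level: every fact is valid throughout [t_begin, t_end]."""
    return all(s.concrete and s.start <= t_begin <= t_end <= s.end for s in view)

def recheck(state, again):
    """Slide 20 verify round: a new concrete interval that overlaps the old one
    extends it into one longer concrete interval; otherwise it replaces it."""
    if state.concrete and again.concrete and again.start <= state.end and state.start <= again.end:
        return FactState(state.fact, min(state.start, again.start),
                         max(state.end, again.end), True)
    return again
```

Feeding the slide 9-11 scenario through it (occupancy checked around T1, the lock around T3) passes incremental consistency but fails query consistency, because no single instant is covered by both concrete intervals.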

21

Goals for Interval Consistency Enforcement

Recheck the validity of a proof efficiently

Preserve the security policies of each peer

[Figure: the querier 1. constructs a proof from sub-proofs that bottom out at leaf node entities, then 2. verifies it]

22

Leaf Node Exposure Strategy

Recheck fact validity directly with leaf node entities

23

Leaf Indirection Strategy

To preserve the privacy of leaf node entities, recheck fact validity by way of a trusted indirection entity

24

Evaluation

Measure overhead latency for enforcing interval consistency

System consists of 12,500 lines of Java code
• Java Cryptographic Extension framework to implement RSA and TDES operations

25-node cluster with 100 Mbit Ethernet

25

Latency for Handling Queries

[Chart: latency (ms) against the number of nodes in a proof tree, with curves for proof construction, leaf exposure and leaf indirection; annotation: 10 - 15% overhead]

26

Latency for Handling Queries

[Chart: latency (ms) against the number of nodes in a proof tree, with curves for proof construction, leaf exposure and leaf indirection; annotation: 25 - 30% overhead]

27

Related Work

View consistency in automatic trust negotiation [Lee06]

Antigone Context Framework [McDaniel03]

Transaction management in distributed systems

Consistent snapshots [Chandy85]

28

Summary

Formal definitions of view consistency in distributed proving

Safe and efficient enforcement algorithm

Modest overhead of our enforcement scheme for interval consistency

29

Technical report: http://dais.cs.uiuc.edu/dais/security/tmcspubs.php

Questions?

30

Backup

31

Peer-to-Peer Proof Construction

[Figure: peers exchange Query and Subproof messages]

Each peer consists of an inference engine and a knowledge base

Each peer constructs a part of a whole proof

32

Distributed Proof Construction Algorithm by Minami and Kotz

Use Datalog as a logical language

Express trust among principals in terms of integrity and confidentiality

[Figure: between querier and handler, integrity trust concerns the correctness of an answer; confidentiality trust concerns the secrecy of facts]

33

Remote Query between Two Principals

[Figure: user Bob sends a request to Host A. Host A holds the rule grant(P, projector) :- location(P, room112) and sends the remote query ?location(Bob, room112) to Host B, which answers TRUE]

Integrity policies (Host A): trust(location(P,L)) = {Host_B}

Confidentiality policies (Host B): acl(location(P,L)) = {Host_A}

Host B's knowledge base:
F1 owner(bob, pda15)
F2 deviceAt(pda15, room112)
R location(P,L) :- owner(P,D), deviceAt(D,L)

[Figure: proof tree with rule R at the root and facts F1 and F2 as leaves]

34

Enforcement of Confidentiality Policies

35

Hidden Leaf Nodes

Hidden leaf nodes: leaf nodes transparent from the original querier

Example: [Figure]

36

Requery Strategy

Construct the same proof twice

Need caching at intermediate nodes

Involves high communication overhead

[Figure: cache at an intermediate node]

37

Enforcement Algorithm for Query Consistency

[Figure: the querier sends Query to the fact provider, which returns Proof; the timeline marks f's validity duration and the maximum clock drift]
