© 2009 The MITRE Corporation. All rights reserved. For Public Release 09-1947

Dr. Adriane Chapman

Real Security for Real Provenance is Really Hard



Page 2: Real Security for Real Provenance is Really Hard


Data Security 101

■ Users are given roles (RBAC) or satisfy a set of privilege predicates (ABAC)

■ Access to the data is specified by role/privilege predicates

■ Access is administered by data owners

■ If data cannot be released, some systems allow surrogates to stand in for the unreleasable information – e.g. a Public version of a Classified document

■ Cryptographic techniques (secure hash functions, etc.) maintain data integrity

Page 3: Real Security for Real Provenance is Really Hard


Data Security 101

■ To heighten protection, data can be encrypted to ensure that it is not tampered with

Scalable Access Controls for Lineage. Arnon Rosenthal, Len Seligman, Adriane Chapman and Barbara Blaustein. Theory and Practice of Provenance, 2009.

Page 4: Real Security for Real Provenance is Really Hard


Who are the users?

[Figure: lineage graph whose nodes are CDC Historical Disease Data; TrakTek, Inc. Disease Spread Monitor; EpidemicProjector, v3 (Author: Prof. Jones, Invoker: Analyst Smith); Bio-Threat Intelligence (Author: Agent 009); Animal Tests; EPO EpidemicForecast; Pharmacy Prescription Data; Hospital Admissions Data; EPO EpidemicWarningReports. The lineage query result is shown as seen by The Public.]

Page 5: Real Security for Real Provenance is Really Hard


Who are the users?

[Figure: the same lineage graph as Page 4; the lineage query result is shown as seen by The Hospital.]

Page 6: Real Security for Real Provenance is Really Hard


Who are the users?

[Figure: the same lineage graph as Page 4; the lineage query result is shown as seen by Congress.]

Page 7: Real Security for Real Provenance is Really Hard


Data Security 101

Scalable Access Controls for Lineage. Arnon Rosenthal, Len Seligman, Adriane Chapman and Barbara Blaustein. Theory and Practice of Provenance, 2009.

Page 8: Real Security for Real Provenance is Really Hard


How do you specify access?

RBAC

■ RBAC models the world with roles
– Form aggregates of users (groups) and privileges (roles)
– Admins authorize groups to use roles

■ Not expressive enough
– Only the user (group) is tested
– Allowing hospitals access to more information when threats are high is not allowed

■ Multi-factor policies
– Every policy will create an explosion in the number of roles, e.g.,
  ■ Group 1: Director of Surgery at Hospital 123 where status=“emergency”
  ■ Group 2: Director of Surgery at Hospital 123 where status=“normal”

ABAC

■ Predicates on attributes are used to describe access

■ Instead of explicitly assigning users, decide based on U, R, E (user, resource, environment).

Example ABAC predicate (formula only partially recoverable): can_See_Movie(u, r, e) ≔ a predicate over Age(u), with thresholds 13 and 21, and Rating(r) ∈ {G, PG, PG-13, R}

Page 9: Real Security for Real Provenance is Really Hard


Even Classic ABAC doesn’t cut it

[Figure: the same lineage graph as Page 4.]

Animal_Testing_Access(user, resource, environment) ≔ [
  User.Division = Intelligence
  User.AssignedProject.Type = Epidemiology
  Request.SourceDomain is in {.gov, .mil}
  Experiment.ReleaseMarking = Intel
  ( ExperSubject.Type = inanimate
    ExperSubject.Type = animal   experimenterName.pseudonym = true
    ExperSubject.Type = human    releaseOnFile(ExperSubject) )
  [ Request.HasApproval.Level ≥ 4
    ( Request.HasApproval.Level ≥ 2   threat.Status = Red ) ]
  [ …
(connectives between the clauses not recoverable)

Congress just passed a new Disclosure Act. What parts need to change to update this concern?

Page 10: Real Security for Real Provenance is Really Hard


The Solution – Extend ABAC

■ Stakeholder concerns traceable and editable
– HIPAA wants to protect patient privacy; how does the role “doctor” protect patient privacy?

■ Named concerns
– Link directly to access predicates that embody these concerns
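An added example, not from the slides or the paper: the U, R, E predicates of Page 8 grouped under the named concerns of Page 10, so that one concern (here the Disclosure Act of Page 9) can be added without rewriting the others, and every denial names the concern behind it. The concern rules, attribute names and sample users are constructed.

```python
from dataclasses import dataclass

# Constructed sample model of ABAC's three inputs, the U, R, E of slide 8.
@dataclass(frozen=True)
class User:
    role: str
    hospital: str
    division: str

@dataclass(frozen=True)
class Resource:
    kind: str
    owner_division: str
    contains_phi: bool

@dataclass(frozen=True)
class Env:
    threat_status: str  # hypothetical values: "normal" or "emergency"

# Named concerns (slide 10): each is a predicate over (u, r, e) and access needs
# all of them. A stakeholder edits the concern they own without touching the rest.
CONCERNS = {
    "HIPAA patient privacy": lambda u, r, e:
        not r.contains_phi or (u.role == "doctor" and u.hospital == r.owner_division),
    "Need to know": lambda u, r, e:
        u.division == r.owner_division
        # the slide-8 case that RBAC cannot express without a role per threat status
        or (u.role == "Director of Surgery" and r.kind == "EpidemicForecast"
            and e.threat_status == "emergency"),
}

def failing_concerns(u, r, e, concerns=CONCERNS):
    """Names of the concerns that deny the request, so every denial is traceable."""
    return [name for name, pred in concerns.items() if not pred(u, r, e)]

def can_see(u, r, e, concerns=CONCERNS):
    return not failing_concerns(u, r, e, concerns)

def with_disclosure_act(concerns):
    """Slide 9's new Disclosure Act as one added named concern (hypothetical rule:
    animal-test data is released only to the Intelligence division)."""
    updated = dict(concerns)
    updated["Disclosure Act"] = lambda u, r, e: r.kind != "AnimalTests" or u.division == "Intelligence"
    return updated

# Constructed sample inputs
director = User("Director of Surgery", "Hospital 123", "Surgery")
forecast = Resource("EpidemicForecast", "Epidemiology", False)
animal_tests = Resource("AnimalTests", "Intelligence", False)
```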

Page 11: Real Security for Real Provenance is Really Hard


Data Security 101

Scalable Access Controls for Lineage. Arnon Rosenthal, Len Seligman, Adriane Chapman and Barbara Blaustein. Theory and Practice of Provenance, 2009.

Page 12: Real Security for Real Provenance is Really Hard


Who decides what to secure?

[Figure: the same lineage graph as Page 4. Two stakeholders of the EpidemicProjector, v3 node disagree: its author, Prof. Jones, says “Tell everyone my code was used!”; its invoker, Analyst Smith, says “Tell no one I ran this code.”]

Page 13: Real Security for Real Provenance is Really Hard


The Solution

■ Stakeholders can have differing opinions!
– Represent these explicitly
– Represent their combination
– Let them be edited independently

■ Make administration manageable!

■ Sharing the power
– Unacceptable approaches:
  ■ A single administrator, or a global conflict-resolution rule
  ■ A totally separate formalism for conflict resolution
– Share power by attribute ownership and derivation
  ■ Combine as a derived attribute; delegate the right to define the derivation rule (see paper)

Page 14: Real Security for Real Provenance is Really Hard


Our Framework

[Figure: the EpidemicProjector, v3 node (Author: Prof. Jones; Invoker: Analyst Smith) with the two stakeholders’ policies and their combiner.]

Stakeholder: Prof Jones – “Tell everyone my code was used!”
can_See_Node(u, r, e) ≔ TRUE

Stakeholder: Analyst Smith – “Tell no one I ran this code.”
can_See_Node(u, r, e) ≔ hasSecretClearance(u) … threatStatus = Red (connective between the two clauses not recoverable)

Combiner: VETO

Who says how this should be combined?
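An added example, not the slides’ own framework code: each stakeholder’s can_See_Node opinion is a separately owned attribute, and the combiner is a derived attribute whose rule can be swapped by whoever is delegated it. The conjunction in Analyst Smith’s rule and the attribute names are assumptions; VETO is the slide’s combiner, ANY and OWNER are added for contrast.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    has_secret_clearance: bool

@dataclass(frozen=True)
class Env:
    threat_status: str  # hypothetical values: "Green" or "Red"

# Each stakeholder of the EpidemicProjector, v3 node owns one attribute: their own
# can_See_Node opinion. The conjunction in Smith's rule is our assumption, since
# the slide's connective did not survive.
STAKEHOLDERS = {
    "Prof Jones (author)": lambda u, e: True,        # "Tell everyone my code was used!"
    "Analyst Smith (invoker)": lambda u, e:          # "Tell no one I ran this code."
        u.has_secret_clearance and e.threat_status == "Red",
}

# The combiner is a derived attribute; the right to define its rule is delegated
# to one administrator (slide 13) instead of a global conflict-resolution rule.
COMBINERS = {
    "VETO": lambda votes: all(votes),    # slide 14: any stakeholder can block release
    "ANY": lambda votes: any(votes),     # contrast: any stakeholder can force release
    "OWNER": lambda votes: votes[0],     # contrast: only the first-listed owner decides
}

def opinions(u, e, stakeholders=STAKEHOLDERS):
    """Every stakeholder's vote, kept visible so the final decision stays traceable."""
    return {name: bool(rule(u, e)) for name, rule in stakeholders.items()}

def can_see_node(u, e, combiner="VETO"):
    """Derived attribute can_See_Node for the modelled node: (decision, votes)."""
    votes = opinions(u, e)
    return COMBINERS[combiner](list(votes.values())), votes

public = User("The Public", False)
agent = User("Agent 009", True)

if __name__ == "__main__":
    for who in (public, agent):
        for name in COMBINERS:
            print(who.name, name, can_see_node(who, Env("Red"), name)[0])
```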

Page 15: Real Security for Real Provenance is Really Hard


Data Security 101

Surrogate Parenthood: Protected and Informative Lineage Graphs. Barbara Blaustein, Adriane Chapman, Arnon Rosenthal, Len Seligman, M. David Allen, Michael Morse. In preparation.

Page 16: Real Security for Real Provenance is Really Hard


Provenance Surrogates

■ Replace nodes with less sensitive information

■ Obscure edge information

[Figure: the lineage graph of Page 4 as released to The Public; the Animal Tests node is replaced by the surrogate “Laboratory Results”.]

Page 17: Real Security for Real Provenance is Really Hard


But not straightforward for Provenance – Inference Threats

■ Inferring edges from rather strong clues, such as
– Parameter labels (role labels)
– Results of non-graph queries

■ Inferring node information via edges from other nodes
– e.g., ResultSize(N3) may reveal ResultSize(N1)
– TimeReceived may reveal TimeProcessed at the predecessor

Policy specifies which surrogates are releasable, i.e., what threats are “acceptable” (see the “Who owns it” point).
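An added example, not the paper’s algorithm: building a public surrogate graph as on Page 16 and then checking it for the two attribute-inference clues listed on Page 17, with a policy hook for threats declared acceptable. The graph, its attribute values, the edge role labels and the equality heuristic are constructed.

```python
import copy

# Constructed provenance graph (not the slides' data). Attribute names follow
# slide 17; edge labels are the "parameter labels (role labels)" it mentions.
NODES = {
    "N1": {"label": "Animal Tests", "sensitivity": "secret",
           "ResultSize": 4096, "TimeProcessed": 1000},
    "N2": {"label": "CDC Historical Disease Data", "sensitivity": "public",
           "ResultSize": 20000, "TimeProcessed": 900},
    "N3": {"label": "EPO EpidemicForecast", "sensitivity": "public",
           "ResultSize": 4096, "TimeReceived": 1000},
}
EDGES = {"N3": {"N1": "lab-input", "N2": "baseline"}}  # child -> {parent: role label}
SURROGATES = {"Animal Tests": "Laboratory Results"}  # slide 16's replacement

def release_for_public(nodes, edges, surrogates=SURROGATES):
    """Slide 16: replace secret nodes by a surrogate carrying no sensitive
    attributes, and obscure edges by dropping their role labels."""
    out = {}
    for nid, attrs in nodes.items():
        if attrs["sensitivity"] == "secret":
            out[nid] = {"label": surrogates.get(attrs["label"], "withheld"),
                        "sensitivity": "surrogate"}
        else:
            out[nid] = dict(attrs)
    return out, {child: sorted(parents) for child, parents in edges.items()}

def inference_threats(original, released, edges):
    """Slide 17's second threat: a released child attribute that still equals a
    hidden predecessor attribute. Equality is a deliberately simple heuristic."""
    threats = []
    for child, parents in edges.items():
        for parent in parents:
            if released[parent].get("sensitivity") != "surrogate":
                continue
            hidden, shown = original[parent], released[child]
            for attr, hidden_attr in (("ResultSize", "ResultSize"),
                                      ("TimeReceived", "TimeProcessed")):
                if attr in shown and shown[attr] == hidden.get(hidden_attr):
                    threats.append((child, attr, parent))
    return threats

def harden(released, threats, acceptable=frozenset()):
    """Drop each leaking child attribute unless policy marks that threat acceptable."""
    out = copy.deepcopy(released)
    for child, attr, parent in threats:
        if (child, attr, parent) not in acceptable:
            out[child].pop(attr, None)
    return out
```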

Page 18: Real Security for Real Provenance is Really Hard


Data Security 101

Do you know where your data’s been? Fine-Grained Tamper-Evident Data Provenance. Jing Zhang, Adriane Chapman and Kristen LeFevre. In submission.

Page 19: Real Security for Real Provenance is Really Hard


What does provenance “integrity” mean?

■ Data “integrity”
– encryption (e.g. SHA-1, MD5, etc.)
– w.r.t. query answers: provide enough extra information to prove that query results are correct (usually Merkle hash trees)

■ Provenance “integrity”
– Allow users of the data to verify that the provenance has not been tampered with
– AND that it accurately represents the state of the data

Page 20: Real Security for Real Provenance is Really Hard


Why is this difficult?

■ Objects are compound
– Patient records contain several attributes which were obtained via different methods and have different provenance

■ Non-linear sequence of information
– Provenance is a DAG, not a chain

[Figure: provenance DAG of a Drug Efficacy Report. Nodes and labels: Patient Ages and Weights; White Blood Cell Count; Endocrine Activity; Interim Dataset (collected by Perfect Saints Clinic); Dataset 1; Dataset 2 (TrustUsRx Aggregator); Dataset 3; Drug Efficacy Report; collection steps by PCP Paul and by Good Stewards Labs; an update by Pamela of one patient record.]

Page 21: Real Security for Real Provenance is Really Hard


Solution Sketch

■ A participant may alter data via insert, delete, update and aggregate

■ A provenance record consists of a sequenceID, participant, and the input/output values of the object

■ Developed an extended signature scheme
– Create a checksum that verifies the integrity of provenance and data
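An added illustration, not the paper’s extended signature scheme: hash-linked provenance records over a DAG, where each record’s checksum covers its inputs, its output and its parents’ checksums, so tampering with either the data or an upstream record is detected (the Merkle idea of Page 19 applied to the DAG of Page 20). Records are hashed rather than signed here; a real scheme would have each participant sign its record. Participant names follow slide 20, the data values are constructed.

```python
import hashlib
import json

def digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable value. MD5 and SHA-1 (slide 19)
    are no longer collision resistant, so they are not used here."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def make_record(seq_id, participant, action, output, parents=()):
    """Slide 21's record: sequenceID, participant and the input/output values
    (as digests), extended with the parents' checksums so records form a DAG."""
    ps = sorted(parents, key=lambda p: p["checksum"])
    body = {"sequenceID": seq_id, "participant": participant, "action": action,
            "input": [p["output"] for p in ps], "output": digest(output),
            "parents": [p["checksum"] for p in ps]}
    return {**body, "checksum": digest(body)}

def verify(record, output, parents=()):
    """True only if the record is intact, the data held as its output is what the
    record vouches for, and the parents are exactly the records it derived from."""
    ps = sorted(parents, key=lambda p: p["checksum"])
    body = {k: v for k, v in record.items() if k != "checksum"}
    return (digest(body) == record["checksum"]
            and digest(output) == record["output"]
            and [p["checksum"] for p in ps] == record["parents"]
            and [p["output"] for p in ps] == record["input"])

# Constructed sample data modelled on slide 20's patient-record DAG.
ages = {"p1": {"age": 40, "weight": 80}}
wbc = {"p1": {"wbc": 6.1}}
dataset2 = {"p1": {"age": 40, "weight": 80, "wbc": 6.1}}
dataset3 = {"p1": {"age": 41, "weight": 80, "wbc": 6.1}}
r1 = make_record(1, "PCP Paul", "insert", ages)
r2 = make_record(2, "Good Stewards Labs", "insert", wbc)
r3 = make_record(3, "TrustUsRx Aggregator", "aggregate", dataset2, [r1, r2])
r4 = make_record(4, "Pamela", "update", dataset3, [r3])

def tampered_data():
    """The dataset is edited after the fact but the record is left alone."""
    bad = {"p1": {"age": 40, "weight": 75, "wbc": 6.1}}
    return verify(r3, bad, [r1, r2])

def rewritten_history():
    """An upstream record is re-issued under another participant: the child's
    recorded parent checksums no longer match, so the rewrite is exposed."""
    fake_r1 = make_record(1, "Someone Else", "insert", ages)
    return verify(r3, dataset2, [fake_r1, r2])
```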

Page 22: Real Security for Real Provenance is Really Hard


Conclusions

■ Provenance is a DAG and a node.
– There are unique security inference problems!

■ Who gets to control what is released is not straightforward

■ Using standard access control methods doesn’t work

■ Provenance integrity is necessary to assure the veracity of the information

Page 23: Real Security for Real Provenance is Really Hard


Acknowledgements

MITRE
■ Arnon Rosenthal
■ Barbara Blaustein
■ Len Seligman
■ David Allen
■ Michael Morse

University of Michigan
■ Kristen LeFevre
■ H.V. Jagadish
■ Jing Zhang