policy auditing over incomplete logs: theory, implementation and applications deepak garg 1, limin...
TRANSCRIPT
Policy Auditing over Incomplete Logs: Theory, Implementation and Applications
Deepak Garg1, Limin Jia2 and Anupam Datta2
1MPI-SWS (work done at Carnegie Mellon University)2Carnegie Mellon University
Privacy
Personal information collected and used to provide services (census statistics, health care & financial services, targeted advertisements, social network services)
Organizational goals and individual privacy goals conflict
Privacy Legislation
Regulate use and disclosure of personal information, but allow organizational work to proceed
Examples: HIPAA (medical information), GLBA (financial information)
Research Goal
Build a principled system for enforcing practical privacy
policies
Non-trivial due to complexity of practical
privacy policies
Example from HIPAA Privacy RuleA covered entity may disclose an individual’s protected
health information (phi) to law-enforcement officials for the
purpose of identifying an individual if the individual made a
statement admitting participating in a violent crime that the
covered entity believes may have caused serious physical
harm to the victim
Concepts in privacy policies◦ Actions: send(p1, p2, m)◦ Roles: inrole(p2, law-enforcement)◦ Data attributes: attr_in(prescription, phi)◦ Temporal constraints: in-the-past(state(q, m))
◦ Purposes: purp_in(u, id-criminal)) ◦ Beliefs: believes-crime-caused-serious-harm(p, q, m)
Black-and-white
concepts
Grey concepts
Pre-emptive enforcement (access control or runtime monitoring) does not suffice
Must rely on after-the-fact audit
Audit-Based Approach
Privacy law
Computer-readable privacy policy
in first-order logic
Organizational audit log Detect
policy violations
Audit
Prior work
This paper
Collected by organizational
databases
Outline of TalkIntroductionOverview of Audit AlgorithmDetails of Audit AlgorithmFormal PropertiesConclusion
Challenge for Enforcement
Audit Logs are Incomplete
Future: store only past and current events
Example: Timely data breach notification refers to future event
Subjective: no “grey” informationExample: May not records evidence for purposes and beliefs
Spatial: remote logs may be inaccessible
Example: Logs distributed across different departments of a hospital
Abstract Model of Incomplete Logs
Model all incomplete logs uniformly as 3-valued structures
Define semantics (meanings of formulas) over 3-valued structures
An Iterative Algorithm
Check as much policy as possible on
current log and output a residual policy.
Iterate when log is extended with more information.
Grey concepts checked by human auditor at any time.
Reduce: The Iterative Algorithm
reduce (L, φ) = φ'
φ0 φ1 φ2
reduce
reduce
Logs
Policy
Time
12
φ =
∀p1, p2, m, u, q, t.
(send(p1, p2, m) ∧ tagged(m, q, t, u) ∧ attr_in(t, phi))
⊃ inrole(p2, law-enforcement)
∧ purp_in(u, id-criminal)
∧ m’. ( state(q, m’)
∧ is-admission-of-crime(m’)
∧ believes-crime-caused-serious-harm(p1, m’))
Example{ p1 UPMC, p2 allegeny-police, m M2, q Bob, u id-bank-robber, t date-of-treatment}
∧ purp_in(id-bank-robber, id-criminal)
{ m’ M1 }
∧ is-admission-of-crime(M1)
∧ believes-crime-caused-serious-harm(UPMC, M1)
Log
Jan 1, 2011state(Bob, M1)
Jan 5, 2011send(UPMC, allegeny-police, M2)tagged(M2, Bob, date-of-treatment, id-bank-robber)
Tφ' =
Reduce: Formal Definition
c is a formula for which satisfying substitutions of x can be computed
Initial policy must also pass a one-time, linear check called a mode check
We have verified that the entire HIPAA and GLBA Privacy Rules pass this check
Formal Properties of Reduce
Correctness
Formal Properties of Reduce
Complexity
Formal Properties of Reduce
Minimality of Output
Implementation and evaluation over simulated audit logs for compliance with all disclosure-related clauses of HIPAA Privacy Rule
Performance:◦ Average time for checking compliance of each
disclosure of protected health information is 0.16s for a 15MB log
Mechanical enforcement:◦ Reduce can automatically check 80% of all the
atomic predicates
Implementation and Case Study
Other Applications of ReduceRuntime monitoring
For policies that do not mention future obligations or grey concepts
Advisory tool: Is an action allowed?
Run reduce on hypothetical log containing the action
Closely Related WorkRuntime monitoring in MFOTL [Basin et al ’10]
Pre-emptive enforcementEfficient implementationAssumes past-completeness of logsLess expressive mode checking
Closely Related Work
Iterative Model Checking [Thati, Rosu ’05]
Propositional logicCannot express privacy legislation
ConclusionIterative, interactive algorithm for
policy audit◦Checks as much policy as possible◦Outputs residual policy
Provably correct, efficient, optimal
Works with incomplete logsExpressive for real privacy laws
Questions?
The Case for AuditRun-time access control
mechanisms are not sufficient to enforce privacy policies◦Purposes & beliefs (“grey” concepts
on previous slide)◦And also future obligations (e.g.,
notice of data breach should go out within 30 days)
Human input is essential for resolving grey concepts