Policy Auditing over Incomplete Logs: Theory, Implementation and Applications

Deepak Garg1, Limin Jia2 and Anupam Datta2

1MPI-SWS (work done at Carnegie Mellon University)2Carnegie Mellon University

Privacy

Personal information collected and used to provide services (census statistics, health care & financial services, targeted advertisements, social network services)

Organizational goals and individual privacy goals conflict

Privacy Legislation

Regulate use and disclosure of personal information, but allow organizational work to proceed

Examples: HIPAA (medical information), GLBA (financial information)

Research Goal

Build a principled system for enforcing practical privacy

policies

Non-trivial due to complexity of practical

privacy policies

Example from HIPAA Privacy RuleA covered entity may disclose an individual’s protected

health information (phi) to law-enforcement officials for the

purpose of identifying an individual if the individual made a

statement admitting participating in a violent crime that the

covered entity believes may have caused serious physical

harm to the victim

Concepts in privacy policies◦ Actions: send(p1, p2, m)◦ Roles: inrole(p2, law-enforcement)◦ Data attributes: attr_in(prescription, phi)◦ Temporal constraints: in-the-past(state(q, m))

◦ Purposes: purp_in(u, id-criminal)) ◦ Beliefs: believes-crime-caused-serious-harm(p, q, m)

Black-and-white

concepts

Grey concepts

Pre-emptive enforcement (access control or runtime monitoring) does not suffice

Must rely on after-the-fact audit

Audit-Based Approach

Privacy law

Computer-readable privacy policy

in first-order logic

Organizational audit log Detect

policy violations

Audit

Prior work

This paper

Collected by organizational

databases

Outline of TalkIntroductionOverview of Audit AlgorithmDetails of Audit AlgorithmFormal PropertiesConclusion

Challenge for Enforcement

Audit Logs are Incomplete

Future: store only past and current events

Example: Timely data breach notification refers to future event

Subjective: no “grey” informationExample: May not records evidence for purposes and beliefs

Spatial: remote logs may be inaccessible

Example: Logs distributed across different departments of a hospital

Abstract Model of Incomplete Logs

Model all incomplete logs uniformly as 3-valued structures

Define semantics (meanings of formulas) over 3-valued structures

An Iterative Algorithm

Check as much policy as possible on

current log and output a residual policy.

Iterate when log is extended with more information.

Grey concepts checked by human auditor at any time.

Reduce: The Iterative Algorithm

reduce (L, φ) = φ'

φ0 φ1 φ2

reduce

reduce

Logs

Policy

Time

12

φ =

∀p1, p2, m, u, q, t.

(send(p1, p2, m) ∧ tagged(m, q, t, u) ∧ attr_in(t, phi))

⊃ inrole(p2, law-enforcement)

∧ purp_in(u, id-criminal)

∧ m’. ( state(q, m’)

∧ is-admission-of-crime(m’)

∧ believes-crime-caused-serious-harm(p1, m’))

Example{ p1 UPMC, p2 allegeny-police, m M2, q Bob, u id-bank-robber, t date-of-treatment}

∧ purp_in(id-bank-robber, id-criminal)

{ m’ M1 }

∧ is-admission-of-crime(M1)

∧ believes-crime-caused-serious-harm(UPMC, M1)

Log

Jan 1, 2011state(Bob, M1)

Jan 5, 2011send(UPMC, allegeny-police, M2)tagged(M2, Bob, date-of-treatment, id-bank-robber)

Tφ' =

Reduce: Formal Definition

c is a formula for which satisfying substitutions of x can be computed

Initial policy must also pass a one-time, linear check called a mode check

We have verified that the entire HIPAA and GLBA Privacy Rules pass this check

Formal Properties of Reduce

Correctness

Formal Properties of Reduce

Complexity

Formal Properties of Reduce

Minimality of Output

Implementation and evaluation over simulated audit logs for compliance with all disclosure-related clauses of HIPAA Privacy Rule

Performance:◦ Average time for checking compliance of each

disclosure of protected health information is 0.16s for a 15MB log

Mechanical enforcement:◦ Reduce can automatically check 80% of all the

atomic predicates

Implementation and Case Study

Other Applications of ReduceRuntime monitoring

For policies that do not mention future obligations or grey concepts

Advisory tool: Is an action allowed?

Run reduce on hypothetical log containing the action

Closely Related WorkRuntime monitoring in MFOTL [Basin et al ’10]

Pre-emptive enforcementEfficient implementationAssumes past-completeness of logsLess expressive mode checking

Closely Related Work

Iterative Model Checking [Thati, Rosu ’05]

Propositional logicCannot express privacy legislation

ConclusionIterative, interactive algorithm for

policy audit◦Checks as much policy as possible◦Outputs residual policy

Provably correct, efficient, optimal

Works with incomplete logsExpressive for real privacy laws

Questions?

The Case for AuditRun-time access control

mechanisms are not sufficient to enforce privacy policies◦Purposes & beliefs (“grey” concepts

on previous slide)◦And also future obligations (e.g.,

notice of data breach should go out within 30 days)

Human input is essential for resolving grey concepts