Page 1
Programming Trustworthy Provenance
Andy Cirillo, Radha Jagadeesan, Corin Pitcher, James Riely
School of CTI, DePaul University, Chicago
Workshop on Principles of Provenance (PrOPr)
Edinburgh, November 19-20, 2007
Page 2
November 2007, Programming Trustworthy Provenance (Corin Pitcher)
Commuter says "my train was delayed"
Delay notice forged?
Provenance of notice needed for decisions
Page 3
This Talk
Programming with provenance for security, privacy, and workflow in decentralized systems
Provenance and trust
– When is provenance on data trustworthy?
– How does data provenance impact trust in data?
Authorization logic policies
– To relate provenance and trust
– Validation of programs against such policies
Page 4
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Page 5
Existing Provenance in Access Control
Stack inspection (Java/.NET) - trusted and untrusted code
Code logging to file escalates privileges for thread
Shape of call stack determines access
[Figure: three call stacks (activation records), each ending in a call on the File API. Logging code -> File API: ACCESS GRANTED. Untrusted code -> File API: ACCESS DENIED. Untrusted code -> Logging code -> File API: ACCESS GRANTED, since the logging code escalates privileges for the thread.]
Page 6
Controls: Security, Privacy, Workflow
Provenance used for identity in:
Authorization controls (access control)
– Prevent unauthorized actions before harm occurs
Auditing controls (for accountability/recovery)
– Discourage unauthorized actions
– Recover from unauthorized actions
Privacy controls
– Restrict use of private information
Workflow controls
– Enforce compliance with patterns of activity
Page 7
Account Aggregation
Owner of account at financial institution
– Direct access to account
– Access via an approved account aggregator
– Other principals providing confidentiality / integrity
[Figure: principals Owner, Aggregator and Institution. Owner calls getBalance on the Institution directly, or on the Aggregator, which in turn calls getBalance on the Institution. submitAggr and approveAggr are the two steps by which the aggregator is approved. Other principals involved in the request: Owner's VPN and Aggr's VPN.]
Page 8
Account Aggregation Properties
Provenance of messages used throughout
Authorization
– Use provenance of request to determine authorization
Auditing
– Record provenance of request in audit log
Privacy
– Detect privacy violations in provenance of response
Workflow
– Enforce two-step approval of aggregator
Recurring issue: Is the provenance trustworthy?
Page 9
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Page 10
Programming: Provenance and Trust
Dynamic support for provenance
– Identities, origin of objects, and immediate provenance
Representation of provenance
– Full histories, partial histories
Behaviour of programs w.r.t. provenance and trust
– Creation and use of provenance
– When is provenance trusted?
Page 11
Dynamic Support for Provenance
Distributed objects and remote method invocation
– E.g., Java RMI
Explicit identities = locations
– Objects are located and code runs at a location
Origin of objects
– Remote object reference points to object's location
Immediate provenance
– Caller's identity is known
Page 12
User-Defined Provenance
Create and use full history of computation
Drawbacks to full history
– Expensive
– Confidentiality and privacy issues
Partial history
– Remove history
– With justification, e.g., after access control / auditing
Page 13
User-Defined Provenance
[Figure: the request "Account balance for customer #1234" is an object whose location is Owner; its immediate provenance is Owner. Along the path Owner -> Owner's VPN -> Aggr's VPN -> Aggregator, each hop wraps the message it received in a new composite message, so the composite message stores the provenance: Request (Owner) inside Owner -> Owner's VPN inside Owner's VPN -> Aggr's VPN. The Aggregator then creates its own request "Account balance for customer #1234", an object whose location is Aggregator.]
Page 14
Trustworthy Provenance?
Owner's VPN could omit additional intermediaries
Aggregator code has to check:
– Owner's VPN permitted in path
– Owner's VPN is trusted to report provenance
Mitigated by Owner location for original request
[Figure: the request actually passed through an Intermediary between Owner and Owner's VPN, but the composite message forwarded by Owner's VPN records only Request (Owner), Owner -> Owner's VPN, Owner's VPN -> Aggr's VPN.]
Page 15
Trustworthy Provenance?
Aggr's VPN may legitimately recreate (re-sign / relocate) objects
– Aggregator's recreation is similar
Are the results trustworthy?
– No direct proof of participation by Owner or Owner's VPN
Complex program behaviour
– High-level account of behaviour?
[Figure: the composite message Request (Owner), Owner -> Owner's VPN, Owner's VPN -> Aggr's VPN, with its components recreated at Aggr's VPN.]
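The checks on pages 14 and 15, as an added example that is not code from the talk or from the authors' calculus: a Python model of composite messages that store provenance (page 13), the receiver-side checks (the claimed chain is consistent and starts at the request's origin, the path is permitted, and every forwarder that reports earlier hops is trusted to do so), and truncation to a partial history once the check has been made and logged (page 12). Principal names, the policy tables and the assumption that an object's location is recorded by the runtime and cannot be rewritten by a forwarder are all constructed for the example; the scenario in which Owner's VPN omits an Intermediary shows why the check can be no stronger than the trust placed in Owner's VPN.

```python
"""Added example (not the talk's code): composite messages carrying
provenance, and the checks a receiver can make on them.  Principal names,
policy tables and the sample request are constructed for the example."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Data:
    payload: str
    location: str   # origin: principal at which the runtime created the object


@dataclass(frozen=True)
class Message:
    src: str
    tgt: str
    payload: Union["Message", Data]   # nesting the received message keeps its hops


def send(src: str, tgt: str, payload: Union[Message, Data]) -> Message:
    """Forward payload one hop; the received message stays inside (full history)."""
    return Message(src, tgt, payload)


def unwrap(msg: Message):
    """Split a composite message into its hops (innermost first) and the data."""
    hops, m = [], msg
    while isinstance(m, Message):
        hops.append(m)
        m = m.payload
    hops.reverse()
    return hops, m


def provenance_path(msg: Message) -> tuple:
    """Principals the request passed through, as the message claims."""
    hops, data = unwrap(msg)
    return (data.location,) + tuple(h.tgt for h in hops)


def check_provenance(msg, permitted_paths, trusted_reporters):
    """Receiver-side check (page 14); returns (accepted, reason)."""
    hops, data = unwrap(msg)
    # (a) The chain must be consistent and must start at the request's origin.
    #     Assumption: data.location is recorded by the runtime (a remote
    #     reference points to the object's location), so a forwarder cannot
    #     rewrite it without creating a new object at its own location.
    expected_src = data.location
    for h in hops:
        if h.src != expected_src:
            return False, f"hop {h.src}->{h.tgt} does not continue from {expected_src}"
        expected_src = h.tgt
    # (b) The reported path must be one the policy permits.
    path = provenance_path(msg)
    if path not in permitted_paths:
        return False, f"path {'->'.join(path)} not permitted"
    # (c) Every principal that reports earlier hops (the sender of each message
    #     except the innermost) must be trusted to report provenance: nothing in
    #     the message itself proves those hops happened as reported.
    for h in hops[1:]:
        if h.src not in trusted_reporters:
            return False, f"{h.src} is not trusted to report provenance"
    return True, "accepted"


def truncate_after_check(msg, audit_log):
    """Partial history (page 12): record the path in the audit log, then
    forward only the data so the intermediaries are not disclosed further."""
    _, data = unwrap(msg)
    audit_log.append(provenance_path(msg))
    return data


# Constructed scenario: the account-aggregation request path from the talk.
PERMITTED = {("Owner", "OwnerVPN", "AggrVPN")}
TRUSTED_REPORTERS = {"OwnerVPN"}
r = Data("Account balance for customer #1234", location="Owner")

# Honest forwarding: Owner -> OwnerVPN -> AggrVPN.
honest = send("OwnerVPN", "AggrVPN", send("Owner", "OwnerVPN", r))

# OwnerVPN really received the request via an Intermediary but omits that hop.
# The rewritten message is indistinguishable from the honest one, so accepting
# it rests entirely on trusting OwnerVPN to report provenance.
via_intermediary = send("Intermediary", "OwnerVPN", send("Owner", "Intermediary", r))
omitted = send("OwnerVPN", "AggrVPN", send("Owner", "OwnerVPN", unwrap(via_intermediary)[1]))

# The Intermediary hop honestly reported by OwnerVPN: that path is not permitted.
reported = send("OwnerVPN", "AggrVPN", via_intermediary)

# A forwarder claims the request came from Owner, but the runtime recorded the
# object as created at Mallory: the chain does not start at the origin.
forged_origin = send("OwnerVPN", "AggrVPN",
                     send("Owner", "OwnerVPN",
                          Data("Account balance for customer #1234", "Mallory")))
```

Running the checks on the four messages gives one acceptance and three rejections with distinct reasons, and `omitted == honest` holds, which is the point of page 14: the aggregator cannot tell the two apart and must decide whether Owner's VPN is trusted to report the path.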
Page 16
Outline
Motivation: provenance for security
Programming with provenance and trust
Policies and program analysis
Page 17
Policies and Program Analysis
Programs manipulating trust and provenance
Policies to describe behaviour enforced by programs?
– Examples coming up
How can we express those policies?
– Authorization logic
Validate program's behaviour against policies?
– Static analysis via type/effect system
Page 18
Propositional Effects - Statics
A proposition P communicated from sender to receiver, e.g., "Access granted"
Issue: inconsistency of local states (of beliefs / knowledge)
Need worlds / contexts INSIDE logic
[Figure: Sender: ... send message ... with P known both before and after the send. Receiver: ... receive message ... with P not known before the receive and (Sender says P) known after it.]
Page 19
Authorization Logic
Mendler (lax modal logic)
Abadi, Plotkin, Lampson, Burrows, Wobber
Garg, Pfenning
Page 20
Example: Simple Workflow Policy
Authorization logic represents submission and approval of data by two principals
Used for approval of aggregator
Initiator submits data
Manager approves data
Class hierarchy: CellI, SubmittedCell, ApprovedCell
Assertions appear in code as effects
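The propositional effect of page 18 (on receipt, the receiver learns only "Sender says P") and the two-step approval of page 20, as an added example that is not the authors' calculus or type system: a small forward-chaining evaluator in Python over "says" facts, "controls" policies (in the Abadi, Burrows, Lampson and Plotkin sense: A controls P means that A says P implies P) and Horn rules. The predicate names Submitted, Approved and AggregatorApproved, the principals Initiator, Manager and Opponent, and the aggregator identifier aggr1 are assumptions made for the example.

```python
"""Added example (not the authors' calculus): a minimal authorization-logic
evaluator.  Facts are plain propositions or 'principal says proposition'.
Policy names, principals and the sample messages are constructed here."""
from dataclasses import dataclass
from typing import Tuple

Prop = Tuple[str, ...]   # ("Submitted", "aggr1") stands for Submitted(aggr1)


@dataclass(frozen=True)
class Says:
    """The modal fact 'principal says prop'; it is not the same as prop."""
    principal: str
    prop: Prop


@dataclass(frozen=True)
class Controls:
    """Policy 'principal controls pred': (principal says pred(x)) implies pred(x)."""
    principal: str
    pred: str


@dataclass(frozen=True)
class Rule:
    """Horn clause head(x) :- body_1(x), ..., body_n(x) over one argument tuple."""
    head: str
    body: Tuple[str, ...]


def receive(known: frozenset, sender: str, prop: Prop) -> frozenset:
    """Effect of receiving prop from sender (page 18): the receiver learns
    only 'sender says prop', never prop itself."""
    return known | {Says(sender, prop)}


def closure(known, controls, rules) -> frozenset:
    """Least fixpoint of the receiver's knowledge under the policy."""
    facts = set(known)
    changed = True
    while changed:
        changed = False
        for f in list(facts):
            # Controls: believe a principal only about predicates it controls.
            if isinstance(f, Says) and Controls(f.principal, f.prop[0]) in controls:
                if f.prop not in facts:
                    facts.add(f.prop)
                    changed = True
        for r in rules:
            # Horn rule over plain propositions sharing the same argument tuple.
            args = {f[1:] for f in facts if isinstance(f, tuple) and f[0] == r.body[0]}
            for a in args:
                if all((b,) + a in facts for b in r.body):
                    head = (r.head,) + a
                    if head not in facts:
                        facts.add(head)
                        changed = True
    return frozenset(facts)


# Constructed two-step approval policy: the Initiator submits, the Manager
# approves, and an aggregator counts as approved only when both have happened.
CONTROLS = {Controls("Initiator", "Submitted"), Controls("Manager", "Approved")}
RULES = [Rule("AggregatorApproved", ("Submitted", "Approved"))]


def aggregator_approved(messages, aggr: str) -> bool:
    """messages: list of (sender, prop) received by the institution's code."""
    known = frozenset()
    for sender, prop in messages:
        known = receive(known, sender, prop)
    return ("AggregatorApproved", aggr) in closure(known, CONTROLS, RULES)


# Both steps by the right principals: approved.
TWO_STEP = [("Initiator", ("Submitted", "aggr1")), ("Manager", ("Approved", "aggr1"))]
# The Initiator claims both steps: 'Initiator says Approved(aggr1)' is known,
# but Approved(aggr1) is not derived, since the Initiator does not control it.
ONE_PRINCIPAL = [("Initiator", ("Submitted", "aggr1")), ("Initiator", ("Approved", "aggr1"))]
# An opponent may say anything; its statements justify nothing here.
OPPONENT = [("Opponent", ("Submitted", "aggr1")), ("Opponent", ("Approved", "aggr1"))]
```

Keeping `Says(sender, prop)` distinct from `prop` is what lets the receiver's local state stay consistent with the sender's: the sender knows P, the receiver knows only that the sender said so, and the policy decides which sayings are turned into beliefs.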
Page 21
Example: Aggregator's Policy
Recall Aggregator's request rewriting behaviour
[Figure: as on page 13: Request (Owner), Owner -> Owner's VPN, Owner's VPN -> Aggr's VPN, Aggregator; the Aggregator issues its own Request (Aggregator).]
Page 22
Effects
Policies
[Figure: r is data located at Owner (data: Owner). q is the message {tgt: OwnerVPN, src: Owner, payload: r}. p is the message {tgt: AggrVPN, src: OwnerVPN, payload: q}.]
Page 23
Effects
Policies
[Figure: r is data located at Owner (data: Owner). q is the message {tgt: OwnerVPN, src: Owner, payload: r}. p is the message {tgt: AggrVPN, src: OwnerVPN, payload: q}. s is data created at Aggregator (data: Owner Aggregator); the policy justifies its creation by the Aggregator.]
Page 24
Results
Distributed object calculus with authorization logic policies in type/effect system
E.g., Aggregator code typechecks with respect to preceding policy
Guarantees that Aggregator's dynamic behaviour is constrained by policy
Draft technical report available
– Email to cpitcher AT cs.depaul.edu
Page 25
Summary
In decentralized systems:
– Provenance use in security, privacy, workflow controls
– User-programmable handling of provenance
– Provenance trustworthy and impact on trust in data?
Authorization logic policies describe provenance and trust behaviour of programs
Validate programs against policies
Page 26
The End
Questions or comments?
Page 27
Backup Slides
Page 28
Object Creation
Page 29
An opponent is any process located at the principal 1.
Opponents are free to lie; thus, they are completely free to construct any new objects.
Well-typed trustworthy programs are safe when combined with arbitrary (typed but untrustworthy) opponents.