Lightweight Consistency Enforcement Schemes for Distributed Proofs with Hidden Subtrees
Transcript of the slides
Adam J. Lee, Kazuhiro Minami, and Marianne Winslett
University of Illinois at Urbana-Champaign, June 21, 2007
http://dais.cs.uiuc.edu/dais/security

Distributed proof system
Construct a proof in a peer-to-peer way
Each peer maintains local security policies
[Figure, built up over four slides: peers P0, P1, P2 and P3, each with its own knowledgebase and security policies, spread across domains A, B, C and D. The querier asks ?grant(alice, database); the subqueries ?location(alice, hospital) and ?role(alice, doctor) go to a location server and a role server, each answers true, and the proof succeeds.]

Policy Directed Proof Construction
Integrity trust
Confidentiality trust

Temporal Consistency Issue in Distributed Proving
Access control policy: show medical records if only Alice is in the room and the door is locked.
[Figure: projector in Room 2124]

Consistency Issue in Distributed Proving
[Figure: querier P0 asks P1 ?grant(alice, projector); P1 asks the location server ?occupancy_one(2124, alice) and the door sensor ?locked(2124)]
Time T1: only Alice is in Room 2124 and the door is open; ?occupancy_one(2124, alice) is answered true.
Time T2: Alice and Bob are in Room 2124 and the door is locked.
Time T3: Alice and Bob are in Room 2124 and the door is locked; ?locked(2124) is answered true, so ?grant(alice, projector) is answered true and the medical records are shown.

Incremental evaluation of fact validity may not be enough
[Figure: timeline T1, T2, T3; "only Alice in room 2124" is checked at T1 and "door locked" is checked at T3, but the two never hold at the same time]

View Consistency Problem
How to enforce temporal consistency based on the local view of a querier?
Challenges:
• The validity of a statement fluctuates dynamically
• No clock synchronization across different hosts
• Possible hidden subproof from a querier

View and fact state
View V is a set of fact states
Fact state s is a tuple that contains
• fact id
• time interval
• interval type: {Concrete, Fuzzy}
  • Concrete: fact f is valid at all times t in the interval
  • Fuzzy: fact f is valid at some (possibly unknown) time in the interval

Three Levels of View Consistency
[Figure: incremental consistency, query consistency and interval consistency of a view V, arranged along an axis of restrictiveness]

Enforcement Algorithm for Query Consistency
Each fact provider returns a pair (f, d) where d is the duration of the fact's validity
[Figure: message exchange between querier and fact provider]

Motivation towards Interval Consistency Enforcement
The algorithm for query consistency could miss many valid proofs if proof construction takes long
May want to keep track of authorization continuously
[Figure: first responder]

Approach for Interval Consistency
Recheck the validity of a constructed proof
[Figure: the querier sends Query to a fact provider, which answers True with a fuzzy interval; the querier then sends Verify, and the provider answers True with a concrete interval]
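As an added illustration of the fact-state model from the "View and fact state" slide and of the query-then-verify approach above (example code, not the paper's or the authors' Java system): fuzzy states gathered during proof construction cannot show that all facts held at once, while the concrete intervals returned by the verify round can. The FactProvider class, its validity histories, the Room 2124 timings and the max_drift clock-skew bound are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class FactState:
    fact: str
    start: float      # half-open interval [start, end)
    end: float
    concrete: bool    # Concrete: valid at every instant; Fuzzy: at some unknown instant

class FactProvider:
    """Assumed leaf-node entity (location server, door sensor) whose fact is
    valid during the constructed half-open intervals in `history`."""
    def __init__(self, fact: str, history: List[Tuple[float, float]]):
        self.fact, self.history = fact, history

    def query(self, t: float) -> Optional[FactState]:
        # Proof construction: a bare 'true' at provider time t is only a Fuzzy state.
        if any(a <= t < b for a, b in self.history):
            return FactState(self.fact, t, t, concrete=False)
        return None

    def verify(self, state: FactState) -> Optional[FactState]:
        # Recheck: return the whole Concrete interval containing the queried instant.
        for a, b in self.history:
            if a <= state.start < b:
                return FactState(self.fact, a, b, concrete=True)
        return None

def common_validity(view: List[FactState], max_drift: float = 0.0) -> Optional[Tuple[float, float]]:
    """Interval during which every fact in the view is known to hold at once, or None.
    Fuzzy states prove validity only at some instant, so they never establish it.
    `max_drift` (assumed clock-skew bound) shrinks each interval, so the result is conservative."""
    lo, hi = float("-inf"), float("inf")
    for s in view:
        if not s.concrete:
            return None
        lo, hi = max(lo, s.start + max_drift), min(hi, s.end - max_drift)
    return (lo, hi) if lo < hi else None

# Room 2124 scenario: Alice is alone from T1 until Bob enters at T2;
# the door is locked from T2 on. Timings are constructed.
T1, T2, T3 = 1.0, 2.0, 3.0
occupancy = FactProvider("occupancy_one(2124, alice)", [(T1, T2)])
locked = FactProvider("locked(2124)", [(T2, T3 + 1.0)])

def constructed_view() -> List[FactState]:
    # Sub-queries are answered at different times (T1 and T3), as on the slides.
    return [s for s in (occupancy.query(T1), locked.query(T3)) if s is not None]

def rechecked_validity() -> Optional[Tuple[float, float]]:
    verified = [p.verify(s) for p, s in zip((occupancy, locked), constructed_view())]
    return None if any(v is None for v in verified) else common_validity(verified)
```

Incremental evaluation produces two fuzzy states and every sub-query answered true, yet the verify round shows their concrete intervals never overlap, so the grant is refused.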

Goals for Interval Consistency Enforcement
Recheck the validity of a proof efficiently
Preserve the security policies of each peer
[Figure: the querier (1) constructs the proof and then (2) verifies it; the proof contains a sub-proof whose leaf node entities lie below]

Leaf Node Exposure Strategy
Recheck fact validity directly with leaf node entities

Leaf Indirection Strategy
To preserve the privacy of leaf node entities, recheck fact validity by way of a trusted indirection entity

Evaluation
Measure the overhead latency of enforcing interval consistency
System consists of 12,500 lines of Java code
• Java Cryptography Extension framework used to implement RSA and TDES operations
25-node cluster with 100 Mbit Ethernet

Latency for Handling Queries
[Figure: latency (ms) versus number of nodes in a proof tree, with series for proof construction, leaf exposure and leaf indirection; annotated "10 - 15% overhead"]
[Figure: same chart on the following slide, annotated "25 - 30% overhead"]

Related Work
View consistency in automatic trust negotiation [Lee06]
Antigone Context Framework [McDaniel03]
Transaction management in distributed systems
Consistent snapshots [Chandy85]

Summary
Formal definitions of view consistency in distributed proving
Safe and efficient enforcement algorithm
Modest overhead of our enforcement scheme for interval consistency

Technical report: http://dais.cs.uiuc.edu/dais/security/tmcspubs.php
Questions?

Backup

Peer-to-Peer Proof Construction
Each peer consists of an inference engine and a knowledge base
Each peer constructs a part of a whole proof
[Figure: a query is passed from peer to peer and each peer returns a subproof]

Distributed Proof Construction Algorithm by Minami and Kotz
Use Datalog as the logical language
Express trust among principals in terms of integrity and confidentiality
• Correctness of an answer (integrity)
• Secrecy of facts (confidentiality)
[Figure: querier and handler]

Remote Query between Two Principals
[Figure: Host A holds grant(P, projector) and the integrity policy trust(location(P,L)) = {Host_B}; Host B holds location(P, room112) and the confidentiality policy acl(location(P,L)) = {Host_A}. A request from user Bob leads Host A to ask Host B ?location(Bob, room112), which answers TRUE.]
Host B's knowledge base:
F1: owner(bob, pda15)
F2: deviceAt(pda15, room112)
R: location(P,L) :- owner(P,D), deviceAt(D,L)
Proof tree: R with children F1 and F2

Enforcement of Confidentiality Policies

Hidden Leaf Nodes
Hidden leaf nodes: leaf nodes transparent from the original querier
[Figure: example proof tree with leaf nodes hidden from the original querier]

Requery Strategy
Construct the same proof twice
Need caching at intermediate nodes
Involves high communication overhead
[Figure: cache at an intermediate node]

Enforcement Algorithm for Query Consistency
Each fact provider returns a pair (f, d) where d is the duration of the fact's validity
[Figure: the querier sends Query to the fact provider and receives the proof; f's validity duration is marked on the timeline]
Proof ... where [symbol not recovered] is the maximum clock drift