Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems
Safety in Discretionary Access Control for Logic-based
Publish-subscribe Systems
Kazuhiro Minami, Nikita Borisov, and Carl A. Gunter
University of Illinois at Urbana-Champaign
Aggregation in publish-subscribe (pub-sub) systems
[Figure: an intelligent building's location, motion and door sensors publish into the pub-sub system, which aggregates them into a location event consumed by a location-tracker application and a management system]
• Publish high-level events derived from raw sensor data
• Eliminate duplicate tasks from multiple subscribers
Deriving high-level events based on logic
• Represent events as logical statements
• Maintain event derivation rules in Datalog
• Derive high-level events in a bottom-up way
[Figure: the publisher sends location(bob, room10) to the pub-sub system, whose knowledge base holds the rule occupied(L) ← location(P, L); the inference engine derives occupied(room10), which is delivered to the subscriber]
Events in pervasive environments contain users' private information
• Concern with location privacy
• Combination of low-level sensor data could reveal types of user activities (i.e., high-level events)
  – E.g., power usage in a household
Protection with discretionary access control (DAC) policies is a good start
• A pub-sub system defines discretionary access control policies dacl: E → 2^P where:
  – E is a set of events that a pub-sub system could maintain
  – P is a set of subscriber principals
• Event e is protected with an access control list dacl(e)
  – E.g., dacl(location(alice, L)) = {bob, dave}
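The two slides above (bottom-up Datalog derivation, then DACL filtering) as an added example that is not code from the talk: a minimal naive Datalog evaluator over the slides' rule occupied(L) ← location(P, L), followed by per-subscriber delivery. The per-predicate form of the DACL and the subscriber name tom are assumptions.

```python
import re

# Constructed from the slides: a Datalog rule (upper-case names are variables) and a
# per-predicate DACL for subscriber tom (both the per-predicate form and tom are assumptions).
RULES = [("occupied(L)", ["location(P, L)"])]
DACL = {"occupied": {"tom"}, "location": set()}

def parse(atom):
    """Split 'pred(a, b)' into ('pred', ['a', 'b'])."""
    name, args = re.fullmatch(r"\s*(\w+)\((.*)\)\s*", atom).groups()
    return name, [a.strip() for a in args.split(",")]

def unify(pattern, fact, env):
    """Match a rule atom against a ground event; return the extended bindings or None."""
    pname, pargs = parse(pattern)
    fname, fargs = parse(fact)
    if pname != fname or len(pargs) != len(fargs):
        return None
    env = dict(env)
    for p, f in zip(pargs, fargs):
        if p[0].isupper():                       # variable: bind or check consistency
            if env.setdefault(p, f) != f:
                return None
        elif p != f:                             # constant must match exactly
            return None
    return env

def substitute(atom, env):
    """Instantiate a rule head with the bindings found for its body."""
    name, args = parse(atom)
    return f"{name}({', '.join(env.get(a, a) for a in args)})"

def derive(facts, rules):
    """Bottom-up evaluation: apply every rule to the known events until nothing new appears."""
    known = set(facts)
    while True:
        new = set()
        for head, body in rules:
            envs = [{}]
            for atom in body:                    # join the body atoms left to right
                envs = [e2 for env in envs for f in known
                        if (e2 := unify(atom, f, env)) is not None]
            new |= {substitute(head, env) for env in envs}
        if new <= known:
            return known
        known |= new

def deliver(facts, rules, dacl, subscriber):
    """Events the pub-sub system forwards to a subscriber under the DACL."""
    return {e for e in derive(facts, rules) if subscriber in dacl.get(parse(e)[0], set())}
```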
However, a malicious subscriber could learn confidential events through inferences
[Figure: pub-sub system PS[E, I, dacl] and subscriber Tom; dacl(location(P, L)) = ∅ while dacl(occupied(L)) = {Tom}; occupied(L) is derived from location(P, L) through alternative (OR) rules in I]
• Tom knows PS's derivation rules I and DACL policies dacl
But, an adversary could learn confidential events through inferences
[Figure: pub-sub system PS[E, I, dacl] and subscriber Tom; the rules in I form an AND/OR derivation graph; Tom receives the events with dacl = {Tom} and infers the events with dacl = ∅]
Our approach
• Additional protection with operational discretionary access control (OACL) policies oacl: E → 2^P such that:
  – Subscriber pi receives event e iff pi ∈ oacl(e)
  – For every event e: oacl(e) ⊆ dacl(e)
[Figure: events pass through the DACL policies and then the OACL policies before reaching the subscriber; access on event e is either denied or granted, and the subscriber may still try to infer the truth of another event e']
Question: Is system PS[E, I, dacl, oacl] safe w.r.t. subscriber pi?
Outline
• Safety definition based on nondeducibility
• Safety verification algorithm and its complexity analysis
• Experiments with a SAT solver
• Conclusion
Nondeducibility considers information flow between two information functions regarding system configuration
• System configuration: a set of events EPS ⊆ E maintained by PS[E, I, dacl, oacl]
• Non-confidential events that subscriber pi receives: function v1: 2^E → 2^E,
  v1(EPS) = {e | e ∈ EPS ∧ pi ∈ oacl(e)}
• Confidential events that subscriber pi is NOT authorized to receive: function v2: 2^E → 2^E,
  v2(EPS) = {e | e ∈ EPS ∧ pi ∉ dacl(e)}
[Figure: information flow between v2(EPS) and v1(EPS)]
Safety definition
A pub-sub system PS[E, I, dacl, oacl] is safe if ∀EPS ⊆ E, ∀e ∈ E where pi ∉ dacl(e), ∃E'PS and E''PS such that:
1. v1(EPS) = v1(E'PS) = v1(E''PS)
2. e ∈ v2(E'PS)
3. e ∉ v2(E''PS)
Example
E = {loc(bob, bldg12), loc(alice, bldg12), occupied(bldg12)}
I = {occupied(B) ← loc(P, B)}
dacl(loc(P, bldg12)) = ∅, dacl(occupied(bldg12)) = {dave}
oacl(loc(P, bldg12)) = ∅, oacl(occupied(bldg12)) = {dave}
EPS = {loc(bob, bldg12), occupied(bldg12)}
[Figure: in 2^E, v1 maps EPS to the events dave receives, {occupied(bldg12)}, and v2 maps EPS to the events that should be protected from dave, {loc(bob, bldg12)}; E'PS = {loc(alice, bldg12), occupied(bldg12)} has the same v1 image, while v2(E'PS) = {loc(alice, bldg12)}]
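The safety definition, checked by brute force on the example slide, as an added illustration that is not the authors' code. It assumes that system configurations EPS are closed under the derivation rules I (a derived event is present exactly when one of its rule bodies is), which the slides leave implicit; event and subscriber names follow the example.

```python
from itertools import combinations

# Constructed from the example slide: ground events, and rules as head -> list of
# alternative bodies (occupied(B) <- loc(P, B) instantiated for bob and alice).
E = ["loc(bob,bldg12)", "loc(alice,bldg12)", "occupied(bldg12)"]
I = {"occupied(bldg12)": [["loc(bob,bldg12)"], ["loc(alice,bldg12)"]]}
DACL = {"loc(bob,bldg12)": set(), "loc(alice,bldg12)": set(), "occupied(bldg12)": {"dave"}}

def states(events, rules):
    """All EPS ⊆ E consistent with I (assumption: a rule head is present iff some body is)."""
    out = []
    for r in range(len(events) + 1):
        for subset in combinations(events, r):
            s = frozenset(subset)
            if all((head in s) == any(s >= set(body) for body in bodies)
                   for head, bodies in rules.items()):
                out.append(s)
    return out

def v1(eps, oacl, p):
    """Non-confidential events that subscriber p receives from configuration eps."""
    return frozenset(e for e in eps if p in oacl.get(e, set()))

def v2(eps, dacl, p):
    """Confidential events in eps that p is not authorized to receive."""
    return frozenset(e for e in eps if p not in dacl.get(e, set()))

def nondeducible(eps, e, all_states, dacl, oacl, p):
    """Conditions 1-3 of the definition: some E'PS contains e and some E''PS does not,
    both giving p the same view v1(EPS)."""
    same_view = [s for s in all_states if v1(s, oacl, p) == v1(eps, oacl, p)]
    return (any(e in v2(s, dacl, p) for s in same_view)
            and any(e not in v2(s, dacl, p) for s in same_view))

def is_safe(events, rules, dacl, oacl, p):
    """Return (True, None) if the system is safe w.r.t. p, else (False, (EPS, e)) as witness."""
    all_states = states(events, rules)
    for eps in all_states:
        for e in events:
            if p not in dacl.get(e, set()) and not nondeducible(eps, e, all_states, dacl, oacl, p):
                return False, (eps, e)
    return True, None
```

With the slides' EPS, loc(bob, bldg12) stays nondeducible because E'PS and E''PS both exist; the empty configuration is the one where dave, receiving nothing, can deduce that both loc events are absent.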
We represent a subscriber's inferences with s-inference rules
• Represent a subscriber's inferences with three-valued logic with the function val: E → {T, F, U} where:
  – T is known to be true
  – F is known to be false
  – U is unknown
• Capture both bottom-up and top-down inferences regarding a system's derivation rules I
Bottom-up inferences
Consider a derivation rule: e ← e1, …, en
(Bottom-up-T) If a subscriber knows that events e1, …, en are true, then he knows e is also true.
(Bottom-up-F) If a subscriber knows that some event ei is false, then he knows e is also false.
Top-down inferences
Consider a set of derivation rules:
(Top-down-T) If a subscriber knows that event e is true, then he knows there is some ei which is true.
(Top-down-F) If a subscriber knows that event e is false, then he knows every ei is false.
Verification algorithm with s-inference rules
VerifySafety(E, I, dacl, oacl, pi)
1. For each T/F assignment A: {e | pi ∈ oacl(e)} → {T, F}, do the following:
   1) Compute a fixpoint from the initial state defined by A by applying s-inference rules
   2) If there is an event e ∈ E such that val(e) ≠ U and pi ∉ dacl(e), return FALSE
2. Return TRUE
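VerifySafety and the four s-inference rules on ground events, as an added example rather than the authors' implementation. It generalises the single-rule statements to several rules per head (AND within a body, OR across bodies, as in the attack slide); the ground events, the subscriber tom and the tightened OACL are constructed inputs.

```python
from itertools import product
T, F, U = "T", "F", "U"   # the three truth values of val: E -> {T, F, U}

def s_inference_fixpoint(rules, val):
    """Apply Bottom-up-T/F and Top-down-T/F until no value changes. rules maps a head
    to its alternative bodies (AND inside a body, OR across bodies), as in the attack slide."""
    val = dict(val)
    changed = True
    def learn(e, v):
        nonlocal changed
        if val[e] == U:
            val[e], changed = v, True
    while changed:
        changed = False
        for head, bodies in rules.items():
            open_bodies = [b for b in bodies if not any(val[x] == F for x in b)]
            if any(all(val[x] == T for x in b) for b in bodies):
                learn(head, T)                     # Bottom-up-T
            if not open_bodies:
                learn(head, F)                     # Bottom-up-F: every body has a false event
            if val[head] == T and len(open_bodies) == 1:
                for x in open_bodies[0]:
                    learn(x, T)                    # Top-down-T: only one body can make head true
            if val[head] == F:
                for b in open_bodies:
                    unknown = [x for x in b if val[x] == U]
                    if len(unknown) == 1:
                        learn(unknown[0], F)       # Top-down-F: the last open event must be false
    return val

def verify_safety(events, rules, dacl, oacl, p):
    """VerifySafety from the slides: None when safe w.r.t. subscriber p, otherwise the
    witness (assignment A, confidential event, value the subscriber inferred for it)."""
    received = sorted(e for e in events if p in oacl.get(e, set()))
    confidential = [e for e in events if p not in dacl.get(e, set())]
    for choice in product((T, F), repeat=len(received)):
        val = {e: U for e in events}
        val.update(zip(received, choice))          # initial state defined by A
        val = s_inference_fixpoint(rules, val)
        for e in confidential:
            if val[e] != U:
                return dict(zip(received, choice)), e, val[e]
    return None

# Constructed ground instance of the attack slide: Tom may receive occupied(room10) but not
# location(bob,room10), and knows the rule occupied(room10) <- location(bob,room10).
EVENTS = ["location(bob,room10)", "occupied(room10)"]
RULES = {"occupied(room10)": [["location(bob,room10)"]]}
DACL = {"location(bob,room10)": set(), "occupied(room10)": {"tom"}}
OACL_TIGHT = {"location(bob,room10)": set(), "occupied(room10)": set()}  # oacl ⊆ dacl, occupied withheld
```

With oacl = dacl the check fails on the very first assignment (occupied(room10) = T lets Tom conclude location(bob,room10) = T by Top-down-T); withholding occupied(room10) through the OACL makes the system safe w.r.t. tom.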
Analysis of verification algorithm
• Sound and complete:
  – The algorithm returns TRUE if and only if a pub-sub system PS[E, I, dacl, oacl] is safe w.r.t. subscriber pi.
• Running time is exponential because we need to check all the possible truth assignments to non-confidential events
Complexity analysis
UNSAFE = {(PS[E, I, dacl, oacl], pi) | VerifySafety(E, I, dacl, oacl, pi) = FALSE}
• UNSAFE is NP-complete; that is:
  1. UNSAFE is in NP
  2. 3-CNF-SAT is polynomially reducible to UNSAFE
Basic idea: construct PS such that a confidential event s is known when formula Φ is satisfiable
SAT: Φ = (x1 ∨ ¬x2 ∨ ¬x3) ∧ (¬x1 ∨ x2 ∨ x3), with clauses y1 and y2; s ≡ y1 ∧ y2
PS:
y1 ← x1    y1 ← nx2    y1 ← nx3
y2 ← nx1   y2 ← x2     y2 ← x3
s ← y1, y2
• Either x1, nx2, or nx3 is known to be true
• Either nx1, x2, or x3 is known to be true
• y1 is known to be true and y2 is known to be true (Bottom-up-T)
• s is known to be true
Truth assignment must be consistent: val(x1) = T iff val(nx1) = F
x1 ← nx1, z1
x1 ← u1, z'1
• x1 and nx1 are consistent iff u1 is known to be true
• x1 is known to be true ⇒ (Top-down-T) val(nx1 ∧ z1) = T or val(u1 ∧ z'1) = T
• nx1 is known to be false ⇒ u1 is known to be true
• s ← y1 ∧ y2 ∧ u1 ∧ …: once y1 and y2 are known to be true, s is known
• pi ∈ dacl(u1), pi ∉ oacl(u1)
Experiments with a SAT solver
• Convert PS[E, I, dacl, oacl] into a SAT formula Φj such that there is a safety violation w.r.t. principal pj iff Φj is satisfiable
• Encode in Φj a sequence of s-inference rule applications leading to a safety violation
• Measure latency for solving converted SAT problems using SAT4J SAT solver
Latency results
Parameters:
#events  #rules
10       8
20       16
30       24
40       32
50       40
60       48
70       56
[Figure: latency of SAT4J on the converted problems for these parameters]
Conclusion
• Define safety in a logic-based pub-sub system formally
• Capture a subscriber’s inferences with a set of s-inference rules
• Prove that the safety problem is co-NP-complete
• Show the feasibility of safety verification with a moderate number of events and rules using a SAT solver
Any questions?