
Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems



Presentation Transcript


  1. Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems
  Kazuhiro Minami, Nikita Borisov, and Carl A. Gunter
  University of Illinois at Urbana-Champaign

  2. Aggregation in Publish-subscribe (pub-sub) system
  • Publish high-level events derived from raw sensor data
  • Eliminate duplicate tasks from multiple subscribers
  Diagram labels: Sensors (location sensors, motion sensors, door sensors); Aggregation; Pub-sub system; Location event; Location-tracker application; Intelligent building management system

  3. Deriving high-level events based on logic
  • Represent events as logical statements
  • Maintain event derivation rules in Datalog
  • Derive high-level events in a bottom-up way
  Diagram (publish-subscribe system): the publisher publishes location(bob, room10); the inference engine applies the rule occupied(L) ← location(P, L) and adds occupied(room10) to the knowledge base; the subscriber receives occupied(room10)

  4. Events in pervasive environments contain users’ private information
  • Concern with location privacy
  • Combination of low-level sensor data could reveal types of user activities (i.e., high-level events)
  • E.g., power usage in a household

  5. Protection with discretionary access control (DAC) policies is a good start
  • A pub-sub system defines discretionary access control policies dacl: E → 2^P where:
    • E is a set of events that a pub-sub system could maintain
    • P is a set of subscriber principals
  • Event e is protected with an access control list dacl(e)
  • E.g., dacl(location(alice, L)) = {bob, dave}

  6. However, a malicious subscriber could learn confidential events through inferences
  Diagram: pub-sub system PS[E, I, dacl] with derivation rules I (OR-node in the derivation graph); dacl(occupied(L)) = {Tom}, dacl(location(P, L)) = ∅; subscriber Tom knows PS’s derivation rules I and DACL policies dacl

  7. But, an adversary could learn confidential events through inferences
  Diagram: derivation graph of PS[E, I, dacl] with OR and AND nodes over events with dacl = {Tom} and events with dacl = ∅; subscriber Tom infers the events with dacl = ∅ from those with dacl = {Tom}

  8. Our approach
  • Additional protection with operational discretionary access control (OACL) policies oacl: E → 2^P such that:
    • Subscriber p_i receives event e iff p_i ∈ oacl(e)
    • For every event e: oacl(e) ⊆ dacl(e)
  Diagram labels: Events; DACL policies (access on event e denied); OACL policies (access on event e granted); Subscriber: “I infer the truth of e’”
  Question: Is system PS[E, I, dacl, oacl] safe w.r.t. subscriber p_i?

  9. Outline
  • Safety definition based on nondeducibility
  • Safety verification algorithm and its complexity analysis
  • Experiments with a SAT solver
  • Conclusion

  10. Nondeducibility considers information flow between two information functions regarding system configuration
  System PS[E, I, dacl, oacl] with events E_PS ⊆ E
  • Function v1: 2^E → 2^E, v1(E_PS) = {e | e ∈ E_PS ∧ p_i ∈ oacl(e)} (non-confidential events that subscriber p_i receives)
  • Function v2: 2^E → 2^E, v2(E_PS) = {e | e ∈ E_PS ∧ p_i ∉ dacl(e)} (confidential events that subscriber p_i is NOT authorized to receive)
  Diagram: the arrow labelled “Information flow” runs from v1(E_PS) to v2(E_PS)

  11. Safety definition
  A pub-sub system PS[E, I, dacl, oacl] is safe if for all E_PS ⊆ E and all e ∈ E with p_i ∉ dacl(e) there exist E’_PS and E’’_PS such that:
  • v1(E_PS) = v1(E’_PS) = v1(E’’_PS)
  • e ∈ v2(E’_PS)
  • e ∉ v2(E’’_PS)

  12. Example PS
  E = {loc(bob, bldg12), loc(alice, bldg12), occupied(bldg12)}
  I = {occupied(B) ← loc(P, B)}
  dacl(loc(P, bldg12)) = ∅, dacl(occupied(bldg12)) = {dave}
  oacl(loc(P, bldg12)) = ∅, oacl(occupied(bldg12)) = {dave}
  Diagram (2^E): v1 maps both E_PS = {loc(bob, bldg12), occupied(bldg12)} and E’_PS = {loc(alice, bldg12), occupied(bldg12)} to {occupied(bldg12)}, the events dave receives; v2 maps them to {loc(bob, bldg12)} and {loc(alice, bldg12)} respectively, the events that should be protected from dave

  13. Outline
  • Safety definition based on nondeducibility
  • Safety verification algorithm and its complexity analysis
  • Experiments with a SAT solver
  • Conclusion

  14. We represent a subscriber’s inferences with s-inference rules
  • Represent a subscriber’s inferences with three-valued logic using the function val: E → {T, F, U} where:
    • T is known to be true
    • F is known to be false
    • U is unknown
  • Capture both bottom-up and top-down inferences regarding a system’s derivation rules I

  15. Bottom-up inferences
  Consider a derivation rule: e ← e1, …, en
  (Bottom-up-T) If a subscriber knows that events e1, …, en are true, then he knows e is also true.
  (Bottom-up-F) If a subscriber knows that some event e_i is false, then he knows e is also false.

  16. Top-down inferences
  Consider a set of derivation rules:
  (Top-down-T) If a subscriber knows that event e is true, then he knows there is some e_i which is true.
  (Top-down-F) If a subscriber knows that event e is false, then he knows every e_i is false.

  17. Verification algorithm with s-inference rules
  VerifySafety(E, I, dacl, oacl, p_i)
  1. For each T/F assignment A: {e | p_i ∈ oacl(e)} → {T, F}, do the following:
    • Compute a fixpoint from the initial state defined by A by applying s-inference rules
    • If there is an event e ∈ E such that val(e) ≠ U and p_i ∉ dacl(e), return FALSE
  2. Return TRUE
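As an added example (not code from the slides or the authors), the procedure of slides 15 to 17 in Python, run on the slide 12 system: fixpoint() applies the four s-inference rules over the three-valued state and verify_safety() enumerates every T/F assignment to the events a subscriber receives. Two things here are my own choices: Bottom-up-F and the top-down rules consider all rules deriving an event (the sound generalisation of the single-rule statement on slide 15 when an event has several rules), and the event names and rule encoding are constructed.

```python
from itertools import product
T, F, U = "T", "F", "U"   # three-valued knowledge of slide 14

def fixpoint(val, rules):
    """Apply the s-inference rules of slides 15-16 until nothing changes. rules: (head, body)
    pairs; every rule deriving a head is considered, so a head is false only if all bodies are."""
    by_head = {}
    for head, body in rules:
        by_head.setdefault(head, []).append(body)
    changed = True
    while changed:
        changed = False
        for head, bodies in by_head.items():
            body_false = [any(val[e] == F for e in b) for b in bodies]
            if val[head] == U and any(all(val[e] == T for e in b) for b in bodies):
                val[head], changed = T, True          # Bottom-up-T
            elif val[head] == U and all(body_false):
                val[head], changed = F, True          # Bottom-up-F
            if val[head] == T:                        # Top-down-T: one body left -> it is true
                open_bodies = [b for b, f in zip(bodies, body_false) if not f]
                for e in (open_bodies[0] if len(open_bodies) == 1 else ()):
                    if val[e] == U:
                        val[e], changed = T, True
            if val[head] == F:                        # Top-down-F: every body must be false
                for b in bodies:
                    unknown = [e for e in b if val[e] == U]
                    if len(unknown) == 1 and not any(val[e] == F for e in b):
                        val[unknown[0]], changed = F, True
    return val

def verify_safety(events, rules, dacl, oacl, p):
    """VerifySafety of slide 17: None if PS is safe w.r.t. subscriber p, else a witness
    (assignment to the events p receives, events outside dacl(e) whose truth p then knows)."""
    visible = [e for e in events if p in oacl[e]]
    for bits in product((T, F), repeat=len(visible)):
        val = fixpoint({**dict.fromkeys(events, U), **dict(zip(visible, bits))}, rules)
        leaked = sorted(e for e in events if val[e] != U and p not in dacl[e])
        if leaked:
            return dict(zip(visible, bits)), leaked
    return None

# Constructed encoding of the slide 12 system: occupied(B) <- loc(P, B) grounded for bob and alice.
EVENTS = ["loc(bob,bldg12)", "loc(alice,bldg12)", "occupied(bldg12)"]
RULES = [("occupied(bldg12)", ("loc(bob,bldg12)",)), ("occupied(bldg12)", ("loc(alice,bldg12)",))]
DACL = {"loc(bob,bldg12)": set(), "loc(alice,bldg12)": set(), "occupied(bldg12)": {"dave"}}
OACL = DACL   # slide 12 sets oacl equal to dacl
def slide12_result():   # unsafe: occupied(bldg12) = F lets dave conclude both loc events are false
    return verify_safety(EVENTS, RULES, DACL, OACL, "dave")
def authorised_result():   # adding dave to dacl (but not oacl) for loc events removes the violation
    return verify_safety(EVENTS, RULES, {e: s | {"dave"} for e, s in DACL.items()}, OACL, "dave")
```

The witness for slide 12 is the negative case: seeing that bldg12 is unoccupied, dave learns by Top-down-F that neither loc event holds, which is exactly the inference the nondeducibility definition rules out.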

  18. Analysis of verification algorithm
  • Sound and complete:
    • The algorithm returns TRUE if and only if a pub-sub system PS[E, I, dacl, oacl] is safe w.r.t. subscriber p_i.
  • Running time is exponential because we need to check all the possible truth assignments to non-confidential events

  19. Complexity analysis
  UNSAFE = {(PS[E, I, dacl, oacl], p_i) | VerifySafety(E, I, dacl, oacl, p_i) = FALSE}
  • UNSAFE is NP-complete; that is:
    • UNSAFE is in NP
    • 3-CNF-SAT is polynomially reducible to UNSAFE

  20. Basic idea: construct PS such that a confidential event s is known when formula Φ is satisfiable
  Φ = (x1 ∨ ¬x2 ∨ ¬x3) ∧ (¬x1 ∨ x2 ∨ x3)
  PS (diagram):
  • y1 ← x1, y1 ← nx2, y1 ← nx3 (either x1, nx2, or nx3 is known to be true)
  • y2 ← nx1, y2 ← x2, y2 ← x3 (either nx1, x2, or x3 is known to be true)
  • s ← y1, y2 (s ≡ y1 ∧ y2)
  • Must be consistent: val(x1) = T iff val(nx1) = F
  • (Bottom-up-T) y1 is known to be true and y2 is known to be true, so s is known to be true

  21. Truth assignment must be consistent
  • x1 and nx1 are consistent iff u1 is known to be true
  Gadget for x1 (diagram):
  • p_i ∈ dacl(u1), p_i ∉ oacl(u1)
  • Rules: x1 ← nx1, z1 and x1 ← u1, z’1
  • x1 is known to be true and nx1 is known to be false
  • (Top-down-T) val(nx1 ∧ z1) = T or val(u1 ∧ z’1) = T, so u1 is known to be true
  • (S5) s ← y1 ∧ y2 ∧ u1 ∧ …; y1, y2 are known to be true, so s is known

  22. Experiments with a SAT solver
  • Convert PS[E, I, dacl, oacl] into a SAT formula Φ_j such that there is a safety violation w.r.t. principal p_j iff Φ_j is satisfiable
  • Encode in Φ_j a sequence of s-inference rule applications leading to a safety violation
  • Measure latency for solving converted SAT problems using the SAT4J SAT solver

  23. Latency results
  Plot: SAT solver latency against the parameters #events (8, 16, 24, 32, 40, 48, 56) and #rules (20, 30, 40, 50, 60, 70); latency values are not recoverable from the transcript

  24. Conclusion
  • Define safety in a logic-based pub-sub system formally
  • Capture a subscriber’s inferences with a set of s-inference rules
  • Prove that the safety problem is co-NP-complete
  • Show the feasibility of safety verification with a moderate number of events and rules using a SAT solver

  25. Any questions?
