230 likes | 340 Views
Policy Auditing over Incomplete Logs: Theory, Implementation and Applications. Deepak Garg 1 , Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie Mellon University) 2 Carnegie Mellon University. Privacy.
E N D
Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg1, Limin Jia2 and Anupam Datta2 1MPI-SWS (work done at Carnegie Mellon University) 2Carnegie Mellon University
Privacy Personal information collected and used to provide services (census statistics, health care & financial services, targeted advertisements, social network services) Organizational goals and individual privacy goals conflict
Privacy Legislation Regulate use and disclosure of personal information, but allow organizational work to proceed Examples: HIPAA (medical information), GLBA (financial information)
Research Goal Build a principled system for enforcing practical privacy policies Non-trivial due to complexity of practical privacy policies
Example from HIPAA Privacy Rule A covered entity may disclose an individual’s protected health information (phi) to law-enforcement officials for the purpose of identifying an individual if the individual made a statement admitting participating in a violent crime that the covered entity believes may have caused serious physical harm to the victim Pre-emptive enforcement (access control or runtime monitoring) does not suffice Black-and-white concepts • Concepts in privacy policies • Actions:send(p1, p2, m) • Roles:inrole(p2, law-enforcement) • Data attributes:attr_in(prescription, phi) • Temporal constraints: in-the-past(state(q, m)) • Purposes:purp_in(u, id-criminal)) • Beliefs:believes-crime-caused-serious-harm(p, q, m) Must rely on after-the-fact audit Grey concepts
Audit-Based Approach This paper Collected by organizational databases Privacy law Organizational audit log Detect policy violations Prior work Computer-readable privacy policy in first-order logic Audit
Outline of Talk • Introduction • Overview of Audit Algorithm • Details of Audit Algorithm • Formal Properties • Conclusion
Challenge for Enforcement Audit Logs are Incomplete • Future: store only past and current events • Example: Timely data breach notification refers to future event • Subjective: no “grey” information • Example: May not records evidence for purposes and beliefs • Spatial: remote logs may be inaccessible • Example: Logs distributed across different departments of a hospital
Abstract Model of Incomplete Logs • Model all incomplete logs uniformly as 3-valued structures • Define semantics (meanings of formulas) over 3-valued structures
An Iterative Algorithm Check as much policy as possible on current logand output a residual policy. Iteratewhen log is extended with more information. Grey concepts checked by human auditor at any time.
Reduce: The Iterative Algorithm reduce (L, φ) = φ' Logs reduce reduce φ1 φ2 φ0 Policy Time
Example φ = ∀p1, p2, m, u, q, t. (send(p1, p2, m) ∧ tagged(m, q, t, u) ∧ attr_in(t, phi)) ⊃ inrole(p2, law-enforcement) ∧ purp_in(u, id-criminal) ∧ m’. (state(q, m’) ∧ is-admission-of-crime(m’) ∧ believes-crime-caused-serious-harm(p1, m’)) { p1 UPMC, p2 allegeny-police, m M2, q Bob, u id-bank-robber, t date-of-treatment } { m’ M1 } Log Jan 1, 2011 state(Bob, M1) Jan 5, 2011 send(UPMC, allegeny-police, M2) tagged(M2, Bob, date-of-treatment, id-bank-robber) φ' = T ∧ purp_in(id-bank-robber, id-criminal) ∧ is-admission-of-crime(M1) ∧ believes-crime-caused-serious-harm(UPMC, M1)
Reduce: Formal Definition Initial policy must also pass a one-time, linear check called a mode check We have verified that the entire HIPAA and GLBA Privacy Rules pass this check c is a formula for which satisfying substitutions of x can be computed
Formal Properties of Reduce Correctness
Formal Properties of Reduce Complexity
Formal Properties of Reduce Minimality of Output
Implementation and Case Study • Implementation and evaluation over simulated audit logs for compliance with all disclosure-related clauses of HIPAA Privacy Rule • Performance: • Average time for checking compliance of each disclosure of protected health information is 0.16s for a 15MB log • Mechanical enforcement: • Reduce can automatically check 80% of all the atomic predicates
Other Applications of Reduce • Runtime monitoring • For policies that do not mention future obligations or grey concepts • Advisory tool: Is an action allowed? • Run reduce on hypothetical log containing the action
Closely Related Work • Runtime monitoring in MFOTL • [Basin et al ’10] • Pre-emptive enforcement • Efficient implementation • Assumes past-completeness of logs • Less expressive mode checking
Closely Related Work • Iterative Model Checking • [Thati, Rosu ’05] • Propositional logic • Cannot express privacy legislation
Conclusion • Iterative, interactive algorithm for policy audit • Checks as much policy as possible • Outputs residual policy • Provably correct, efficient, optimal • Works with incomplete logs • Expressive for real privacy laws
The Case for Audit • Run-time access control mechanisms are not sufficient to enforce privacy policies • Purposes & beliefs (“grey” concepts on previous slide) • And also future obligations (e.g., notice of data breach should go out within 30 days) • Human input is essential for resolving grey concepts