Broad research agenda

Programming Trustworthy Provenance
Andy Cirillo
Radha Jagadeesan
Corin Pitcher
James Riely
School of CTI, DePaul University, Chicago
Workshop on Principles of Provenance (PrOPr)
Edinburgh, November 19-20, 2007
[Diagram: a commuter says "my train was delayed". Delay notice forged? Provenance of the notice is needed for decisions.]
November 2007
Programming Trustworthy Provenance (Corin Pitcher)
2
This Talk

Programming with provenance for security,
privacy, & workflow in decentralized systems

Provenance and trust
– When is provenance on data trustworthy?
– How does data provenance impact trust in data?

Authorization logic policies
– To relate provenance & trust
– Validation of programs against such policies
Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis
Existing Provenance in Access Control
Stack inspection (Java/.NET) - trusted & untrusted code
Code logging to file escalates privileges for thread
[Diagram: three call stacks of activation records ending in the File API. Logging code -> File API: ACCESS GRANTED. Untrusted code -> Logging code -> File API: ACCESS DENIED. Untrusted code -> Logging code (privileges escalated) -> File API: ACCESS GRANTED.]
Activation records: shape of call stack determines access
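The stack-inspection behaviour sketched on this slide, as an added example (not code from the talk): the activation records on the thread's stack are the provenance of the file request, and the File API walks them before granting access. The names Frame, check_permission and file_api_write, and the "privileged" flag standing in for Java's doPrivileged / .NET's Assert, are this example's own assumptions.

```python
"""Stack inspection as provenance of a request: the chain of callers on the
thread's stack decides whether the File API grants access.  Example modelled
on the slide's three stacks; Frame, check_permission, file_api_write and the
'privileged' flag are this example's assumptions, not the talk's notation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One activation record: which code is running and what it may do."""
    code: str                 # e.g. "Logging code", "Untrusted code"
    trusted: bool             # does this code's origin hold the file permission?
    privileged: bool = False  # did this frame explicitly enable the privilege?


def check_permission(stack: list[Frame]) -> bool:
    """Walk the stack from the most recent frame (top) towards its base.

    Access is denied as soon as an untrusted frame is met.  It is granted
    early when a trusted frame has enabled the privilege, which stops the
    walk so the callers below that frame are not consulted.  Otherwise the
    whole stack must be trusted.
    """
    for frame in reversed(stack):     # stack[-1] is the most recent call
        if not frame.trusted:
            return False              # untrusted caller on the stack
        if frame.privileged:
            return True               # trusted frame vouches for the rest
    return True


def file_api_write(stack: list[Frame]) -> str:
    """The File API's entry point: the call stack is the request's provenance."""
    return "ACCESS GRANTED" if check_permission(stack) else "ACCESS DENIED"


# The three stacks drawn on the slide (base of the stack first).
def logging_only() -> str:
    return file_api_write([Frame("Logging code", trusted=True)])


def untrusted_via_logging() -> str:
    # Untrusted code calls the logging code, which calls the File API.
    return file_api_write([Frame("Untrusted code", trusted=False),
                           Frame("Logging code", trusted=True)])


def untrusted_via_escalated_logging() -> str:
    # Same shape, but the logging code escalates privileges for the thread
    # before calling the File API, so the untrusted caller is not consulted.
    return file_api_write([Frame("Untrusted code", trusted=False),
                           Frame("Logging code", trusted=True, privileged=True)])


if __name__ == "__main__":
    for scenario in (logging_only, untrusted_via_logging,
                     untrusted_via_escalated_logging):
        print(f"{scenario.__name__:35s} {scenario()}")
```

The walk stops at the first privileged trusted frame, which is exactly why the escalating logging code must be written carefully: from that frame down, the untrusted caller's presence no longer influences the decision.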
Controls: Security, Privacy, Workflow
Provenance used for identity in:

Authorization controls (access control)
– Prevent unauthorized actions before harm occurs

Auditing controls (for accountability/recovery)
– Discourage unauthorized actions
– Recover from unauthorized actions

Privacy controls
– Restrict use of private information

Workflow controls
– Enforce compliance with patterns of activity
Account Aggregation
Owner of account at financial institution
– Direct access to account
– Access via an approved account aggregator
– Other principals providing confidentiality / integrity
[Diagram: Owner calls getBalance at the Institution directly, or calls submitAggr and approveAggr to set up an Aggregator; the Aggregator's getBalance reaches the Institution through Aggr's VPN and Owner's VPN, the other principals involved in the request.]
Account Aggregation Properties
Provenance of messages used throughout

Authorization
– Use provenance of request to determine authorization

Auditing
– Record provenance of request in audit log

Privacy
– Detect privacy violations in provenance of response

Workflow
– Enforce two-step approval of aggregator
Recurring issue: Is the provenance trustworthy?
Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis
Programming: Provenance and Trust

Dynamic support for provenance
– Identities, origin of objects, and immediate provenance

Representation of provenance
– Full histories, partial histories

Behaviour of programs w.r.t. provenance and trust
– Creation & use of provenance
– When is provenance trusted?
Dynamic Support for Provenance

Distributed objects & remote method invocation
– E.g., Java-RMI

Explicit identities = locations
– Objects are located and code runs at a location

Origin of objects
– Remote object reference points to object's location

Immediate provenance
– Caller's identity is known
User-Defined Provenance

Create & use full history of computation

Drawbacks to full history
– Expensive
– Confidentiality and privacy issues

Partial history
– Remove history
– With justification, e.g., after access control / auditing
User-Defined Provenance
[Diagram: the Owner's Request "Account balance for customer #1234" travels Owner -> Owner's VPN -> Aggr's VPN -> Aggregator. Each hop is a location and each message is an object whose location is recorded, so the immediate provenance seen at Owner's VPN is Owner and at Aggr's VPN is Owner's VPN. A composite message stores the provenance of the hops it passed through.]
Trustworthy Provenance?
Owner's VPN could omit additional intermediaries
Aggregator code has to check:
– Owner's VPN permitted in path
– Owner's VPN is trusted to report provenance
Mitigated by Owner location for original request
[Diagram: the Request from Owner passes through an Intermediary and Owner's VPN before reaching Aggr's VPN; the provenance reported by Owner's VPN need not mention the Intermediary.]
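The three preceding slides (locations as identities, composite messages that store provenance, partial history, and the Aggregator's check) as one added example; this is not code from the talk. The class and function names, the location strings "Owner", "OwnerVPN", "AggrVPN" and "Intermediary", and the assumption that the runtime stamps each object with the location that created it are this example's own.

```python
"""Composite messages whose nesting is their provenance, the Aggregator's
check on that provenance, and truncation of the history after it has been
used.  Example code; names and location strings are assumptions."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Request:
    """The original object, stamped with the location that created it
    (assumed: the runtime sets `origin`, intermediaries do not report it)."""
    origin: str
    payload: str


@dataclass(frozen=True)
class Message:
    """A message created at `origin`, wrapping what `origin` received.
    Each hop wraps the previous message, so the nesting records the
    immediate provenance at every hop (the composite message of slide 13)."""
    origin: str
    inner: Union["Message", Request]


def forward(received: Union[Message, Request], here: str) -> Message:
    """An honest hop: wrap what was received and send it on."""
    return Message(origin=here, inner=received)


def full_history(msg: Union[Message, Request]) -> list[str]:
    """Locations from the last hop back to the origin of the request."""
    hops = []
    while isinstance(msg, Message):
        hops.append(msg.origin)
        msg = msg.inner
    hops.append(msg.origin)            # the Request's own location
    return hops


def aggregator_accepts(msg: Message, permitted: set[str],
                       trusted_reporters: set[str]) -> bool:
    """The check from slide 14: every intermediary must be permitted in the
    path and trusted to report provenance, and the request itself must have
    been created at the Owner's location (the mitigation on the slide)."""
    *intermediaries, origin = full_history(msg)
    return (origin == "Owner"
            and all(h in permitted for h in intermediaries)
            and all(h in trusted_reporters for h in intermediaries))


def strip_history(msg: Union[Message, Request]) -> Request:
    """Partial history (slide 12): after access control and auditing have
    consumed the full path, keep only the original request."""
    while isinstance(msg, Message):
        msg = msg.inner
    return msg


def audit_then_strip(msg: Message, audit_log: list[str]) -> Request:
    """Record the full provenance for accountability, then drop it."""
    audit_log.append(" <- ".join(full_history(msg)))
    return strip_history(msg)


PERMITTED = {"OwnerVPN", "AggrVPN"}
TRUSTED_REPORTERS = {"OwnerVPN", "AggrVPN"}
REQUEST = Request(origin="Owner", payload="Account balance for customer #1234")


def honest_path() -> Message:
    return forward(forward(REQUEST, "OwnerVPN"), "AggrVPN")


def honest_path_with_intermediary() -> Message:
    """Every hop reports faithfully, so the Intermediary is visible."""
    return forward(forward(forward(REQUEST, "Intermediary"), "OwnerVPN"), "AggrVPN")


def omitted_intermediary_path() -> Message:
    """OwnerVPN received the request via an Intermediary but re-wraps the bare
    request, so the Intermediary never appears in the history the Aggregator
    sees; only OwnerVPN's trustworthiness as a reporter covers this case."""
    via_intermediary = forward(REQUEST, "Intermediary")
    return forward(forward(via_intermediary.inner, "OwnerVPN"), "AggrVPN")
```

Running the check over the three paths shows the slide's point: the honest path that includes the Intermediary is rejected (not permitted), while the path from which OwnerVPN dropped the Intermediary is indistinguishable from the honest two-hop path, so acceptance rests on OwnerVPN being trusted to report. What survives stripping in every case is the Request with its Owner origin.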
Trustworthy Provenance?
Aggr's VPN may legitimately recreate (re-sign / relocate) objects
– Aggregator's recreation is similar
Are the results trustworthy?
– No direct proof of participation by Owner or Owner's VPN
[Diagram: the Request from Owner via Owner's VPN is recreated at Aggr's VPN, so the resulting message appears to originate at Aggr's VPN.]
Complex program behaviour
– High-level account of behaviour?
Outline

Motivation: provenance for security

Programming with provenance and trust

Policies and program analysis
Policies and Program Analysis

Programs manipulating trust & provenance

Policies to describe behaviour enforced by programs?
– Examples coming up

How can we express those policies?
– Authorization logic

Validate program's behaviour against policies?
– Static analysis via type/effect system
Propositional Effects - Statics
A proposition P communicated from sender to receiver,
e.g., "Access granted"
[Diagram: two timelines. Sender: P known ... send message ... P known. Receiver: P not known ... receive message ... (Sender says P) known, P not known.]
Issue: Inconsistency of local states (of beliefs / knowledge)
Need worlds / contexts INSIDE logic
Authorization Logic
Mendler (Lax modal logic)
Abadi, Plotkin, Lampson, Burrows, Wobber
Garg, Pfenning
Example: Simple Workflow Policy


Authorization logic represents submission & approval of data by two principals
– Used for approval of aggregator
– Initiator submits data
– Manager approves data
Class hierarchy: CellI, SubmittedCell, ApprovedCell
Assertions appear in code as effects
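An added example covering the two preceding ideas (the local-state mismatch of slide 18 and the two-step workflow policy of this slide) with a toy authorization logic; it is not code from the talk or from the cited logics. The principal names (Sender, Receiver, Initiator, Manager, Institution), the propositions Submitted(d) and Approved(d), the class name Cell in place of CellI, and the single derivation rule "(A says P) and (A controls P) give P" are this example's assumptions.

```python
"""Toy authorization logic with the 'says' modality.  Each principal is its
own world: a message gives the receiver (Sender says P), never P itself,
unless the receiver's policy makes the sender control P.  The workflow part
encodes the slide's class hierarchy with effects asserted in constructors.
Example code; names, propositions and the controls rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A principal with its own local state of beliefs."""
    name: str
    known: set[tuple] = field(default_factory=set)

    def establish(self, p: str) -> None:
        """P holds locally: this principal established it itself."""
        self.known.add(("holds", p))

    def trust(self, other: Principal, p: str) -> None:
        """Policy `other controls P`: (other says P) implies P here."""
        self.known.add(("controls", other.name, p))

    def send(self, receiver: Principal, p: str) -> None:
        """Communicating P only gives the receiver the fact (self says P)."""
        receiver.known.add(("says", self.name, p))

    def heard(self, speaker: Principal, p: str) -> bool:
        return ("says", speaker.name, p) in self.known

    def knows(self, p: str) -> bool:
        """Is P derivable locally?  Closure under the controls rule."""
        derived = set(self.known)
        for fact in list(derived):
            if fact[0] == "says" and ("controls", fact[1], fact[2]) in derived:
                derived.add(("holds", fact[2]))
        return ("holds", p) in derived


def local_states() -> tuple[bool, bool, bool]:
    """Slide 18: sender knows P; receiver knows only (Sender says P) until
    its policy says the sender controls P."""
    sender, receiver = Principal("Sender"), Principal("Receiver")
    sender.establish("AccessGranted")
    sender.send(receiver, "AccessGranted")
    before = receiver.knows("AccessGranted")
    receiver.trust(sender, "AccessGranted")
    return sender.knows("AccessGranted"), before, receiver.knows("AccessGranted")


# The slide's class hierarchy; constructors assert the effects the code needs.
class Cell:
    def __init__(self, data: str) -> None:
        self.data = data


class SubmittedCell(Cell):
    """Requires the effect (Initiator says Submitted(data)) where it is built."""
    def __init__(self, data: str, here: Principal, initiator: Principal) -> None:
        assert here.heard(initiator, f"Submitted({data})"), "no submission"
        super().__init__(data)


class ApprovedCell(SubmittedCell):
    """Requires the submission plus Approved(data) derivable, which under the
    policy below only the Manager's word can provide."""
    def __init__(self, data: str, here: Principal, initiator: Principal) -> None:
        super().__init__(data, here, initiator)
        assert here.knows(f"Approved({data})"), "approval not derivable"


def run_workflow(manager_approves: bool) -> bool:
    """Two-step approval of an aggregator at the Institution."""
    initiator, manager, inst = (Principal("Initiator"), Principal("Manager"),
                                Principal("Institution"))
    inst.trust(manager, "Approved(aggr)")          # policy: Manager controls approval
    initiator.send(manager, "Submitted(aggr)")     # step 1: submission
    initiator.send(inst, "Submitted(aggr)")
    if manager_approves and manager.heard(initiator, "Submitted(aggr)"):
        manager.send(inst, "Approved(aggr)")       # step 2: approval
    try:
        ApprovedCell("aggr", inst, initiator)
        return True
    except AssertionError:
        return False


def self_approval_rejected() -> bool:
    """An Initiator approving its own submission yields only
    (Initiator says Approved), which the Institution's policy does not trust."""
    initiator, inst = Principal("Initiator"), Principal("Institution")
    inst.trust(Principal("Manager"), "Approved(aggr)")
    initiator.send(inst, "Submitted(aggr)")
    initiator.send(inst, "Approved(aggr)")
    return not inst.knows("Approved(aggr)")
```

The assertions in the constructors are the effects of this slide: code that builds an ApprovedCell can only typecheck, or here run, where both the Initiator's and the Manager's statements have arrived and the policy lets them be combined.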
Example: Aggregator's Policy
Recall Aggregator's request rewriting behaviour
[Diagram: the request as received, Owner -> Owner's VPN -> Aggr's VPN -> Aggregator, beside the request the Aggregator rewrites.]
Effects of the nested request:
  p = { tgt: AggrVPN, src: OwnerVPN, payload: q }   effect at AggrVPN
  q = { tgt: OwnerVPN, src: Owner, payload: r }     effect at OwnerVPN
  r = { data: Owner }                               effect at Owner
Policies
Justifies creation by aggregator:
  s = { data: Owner }                               at Aggregator
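The Aggregator's rewriting behaviour from slide 15 and the policy on the two preceding slides, as an added example that is not code from the talk: the nested request p -> q -> r is unpacked, each layer is recorded as an effect stated by the principal that received or created it, and only a consistent, trusted chain justifies the Aggregator creating its own object s with data: Owner. The Layer class, the Effect tuple, the function names and the "OtherVPN" value used for the inconsistent case are this example's assumptions; the field names tgt, src, payload and data follow the slides.

```python
"""Effects of a nested request and the Aggregator's policy for rewriting it.
Example code; Layer, Effect and the function names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Layer:
    """One message layer as drawn on the slide: a message has tgt/src/payload,
    the innermost object has data."""
    name: str
    tgt: Optional[str] = None
    src: Optional[str] = None
    payload: Optional["Layer"] = None
    data: Optional[str] = None


# An effect (principal, statement) reads "principal says statement".
Effect = tuple[str, str]


def effects_of(outer: Layer) -> list[Effect]:
    """The target of each message vouches for where it came from; the
    innermost object's owner vouches for its data."""
    effects, layer = [], outer
    while layer.payload is not None:
        effects.append((layer.tgt, f"src({layer.name}) = {layer.src}"))
        layer = layer.payload
    effects.append((layer.data, f"data({layer.name}) = {layer.data}"))
    return effects


def chain_consistent(outer: Layer) -> bool:
    """Each layer's src must be the principal that built its payload: the
    payload's tgt for a message, its data owner for the innermost object."""
    layer = outer
    while layer.payload is not None:
        inner = layer.payload
        built_by = inner.tgt if inner.payload is not None else inner.data
        if layer.src != built_by:
            return False
        layer = inner
    return True


def aggregator_rewrite(p: Layer, trusted_reporters: set[str]) -> Optional[Layer]:
    """The Aggregator's policy: create s = { data: Owner } only when the
    effects form a consistent chain and every reporting hop is trusted.
    There is no direct proof of the Owner's participation (slide 15); s
    carries data: Owner on the strength of the recorded effects alone."""
    if not chain_consistent(p):
        return None
    *reported, (owner, _statement) = effects_of(p)
    if any(principal not in trusted_reporters for principal, _ in reported):
        return None
    return Layer("s", data=owner)


def slide_request() -> Layer:
    """The request exactly as laid out on the slide."""
    r = Layer("r", data="Owner")
    q = Layer("q", tgt="OwnerVPN", src="Owner", payload=r)
    return Layer("p", tgt="AggrVPN", src="OwnerVPN", payload=q)


def inconsistent_request() -> Layer:
    """p claims to come from OwnerVPN, but q was addressed to OtherVPN."""
    r = Layer("r", data="Owner")
    q = Layer("q", tgt="OtherVPN", src="Owner", payload=r)
    return Layer("p", tgt="AggrVPN", src="OwnerVPN", payload=q)


if __name__ == "__main__":
    for principal, statement in effects_of(slide_request()):
        print(f"{principal} says {statement}")
    print("rewrite:", aggregator_rewrite(slide_request(), {"AggrVPN", "OwnerVPN"}))
```

The effect the Aggregator's own code adds is "Aggregator says data(s) = Owner"; the type/effect system of the next slide is what checks that this statement is only ever made after the three effects above have been established.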
Results

Distributed object calculus with authorization
logic policies in type/effect system

E.g., Aggregator code typechecks with respect
to preceding policy

Guarantees that Aggregator's dynamic behaviour
is constrained by policy

Draft technical report available
– Email to cpitcher AT cs.depaul.edu
Summary

In decentralized systems:
– Provenance use in security, privacy, workflow controls
– User-programmable handling of provenance
– Provenance trustworthy and impact on trust in data?

Authorization logic policies describe provenance
and trust behaviour of programs

Validate programs against policies
The End
Questions or comments?
Backup Slides
Object Creation
An opponent is any process located at the principal 1.
Opponents are free to lie and are thus completely free to construct any new objects.
Well-typed trustworthy programs are safe when combined with arbitrary
(typed but untrustworthy) opponents.