Conformance Verification of Privacy Policies
Post on 25-Feb-2016
Conformance Verification of Privacy Policies
Xiang Fu
Assistant Professor, Department of Computer Science, Hofstra University
Outline
• Motivation
• PV Framework
• Privacy Properties in Temporal Logic
• Verification using Alloy
• Conclusion
Introduction
Web App: Consumer and Producer of INFORMATION
[Diagram: the web app consumes data items (SSN, credit card, medical record, address, shopping preference) and produces flows to online marketing, email, identity collection (SSN), business partners, and shopping habits.]
Privacy Verification Problem
[Diagram: a web app and two promises made to the user: "Your SSN will never be forwarded" and "CC destroyed after transaction".]
Does the web app function as PROMISED?
Challenges
[Diagram: business procedures, DB ops and servlets on one side, the P3P privacy policy on the other, with a model checker between them.]
PV Framework
• Privacy Verification Framework
  1. Servlet Control/Data Flow
  2. Information Flow
  3. Data Operations
Data Model
• Entity: an atomic real-being (Operator, Servlet, Database, Business Organization, Stakeholder)
• Data Item: a countable set with a primitive type system (CC Card, SSN, Med Record, Transaction ID, Name)
• Flattened Model
Example: Bookstore App: Entities
Example: Bookstore App: Data Types
Actions
• Know(e, d): entity e knows data item d
  At any moment, for any e and d, Know(e, d) is defined
• Action: a transition system expressed using first-order formulas over the Know predicates
Example: Charge Credit Card (ChargeCC, with input variable cc)
  $\mathrm{know}'(DB, cc) \wedge \mathrm{know}'(Bank, cc)$
  (cc is a free variable, the input of the action)
  $\forall x \notin \{DB, Bank\}\;\forall d \in D:\; \mathrm{know}'(x, d) \Leftrightarrow \mathrm{know}(x, d)$
  (all other entities, all data: unchanged)
  $\forall d \in D \setminus \{cc\}:\; \mathrm{know}'(DB, d) \Leftrightarrow \mathrm{know}(DB, d) \;\wedge\; \mathrm{know}'(Bank, d) \Leftrightarrow \mathrm{know}(Bank, d)$
Modeling Privacy Policy
• Typical examples: P3P and EPAL
• A policy defines:
  ▫ (1) What to protect?
  ▫ (2) Who can receive it?
  ▫ (3) How long?
P3P Example
Temporal Logic for P3P
• CTL-FO = CTL + First-Order Quantifiers
Example: credit card info is regularly purged from the DB and is not leaked:
  $\forall d : CC.\; AG\big(\mathrm{know}(DB, d) \rightarrow AF(\forall x \in E.\; \neg\mathrm{know}(x, d))\big)$
  (for any credit card d, for any entity x)
Verification
• (1) Translate from PV to Alloy
• (2) Translate CTL-FO to Alloy predicates
• (3) Verification using Alloy
Modeling World Schema
  module bookstore
  // 1. world schema
  abstract sig Object {}
  abstract sig WA, Env, Data extends Object {}   // WA: the web app; Data: the set of all data items
  abstract sig Actions, Entities extends WA {}   // Actions: the servlets
  …
Modeling System State
• Model the transition relation
  sig State {
    know: (WA + Env) -> Data,            // which entity knows which data item in this state
    prev: one State,                     // the predecessor state
    actstate: Actions -> actionStatus    // the status of every action (servlet)
  }{
    all x: Actions | some status: actionStatus | x -> status in actstate
  }
Modeling Action
  pred pChargeCC[s, s': State, d: CC] {
    ChargeCC->READY in s.actstate and
    s'.know = s.know + DB->d + Bank->d &&    // DB and Bank learn the card; all other knowledge is unchanged
    s'.prev = s &&
    s'.actstate = s.actstate - ..
  }
Modeling CTL-FO Formula
  // EF: some later state s' (s is among the predecessors of s') in which the CEO knows d
  pred ef[s: State, d: Data] {
    some s': State | (CEO->d in s'.know) && s in s'.*prev
  }
  // every data item the DB knows in s eventually becomes known to the CEO
  pred fa[s: State] {
    all d: Data | (DB->d in s.know) => ef[s, d]
  }
  // AG: the property holds in every state
  assert AGProperty {
    all s: State | fa[s]
  }
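As an added example, not from the talk, the purge property above (for all d: CC, AG(know(DB, d) -> AF(forall x in E. not know(x, d)))) checked by an explicit-state fixpoint computation over a small Know-relation transition system. ChargeCC follows the slide; the Purge and Forward actions, the Partner entity and the card names are assumptions.

```python
# Added example: explicit-state CTL-FO check over a Know-relation transition system.
# ChargeCC is from the talk; Purge, Forward, "Partner" and the card names are assumed.
ENTITIES = {"DB", "Bank", "Partner"}
DATA = {"cc1", "cc2"}

def successors(state, leaky):
    """state = (know, charged): know is a frozenset of (entity, data) pairs, charged the cards already charged."""
    know, charged = state
    nxt = set()
    for d in DATA - charged:                      # ChargeCC(d): DB and Bank both learn d (as in the talk)
        nxt.add((know | {("DB", d), ("Bank", d)}, charged | {d}))
    for e in ENTITIES - {"Partner"}:              # Purge(e): e forgets everything it holds (assumed)
        held = {p for p in know if p[0] == e}
        if held:
            nxt.add((know - held, charged))
    if leaky:                                     # Forward: Bank shares a card with a Partner that never purges
        for d in DATA:
            if ("Bank", d) in know and ("Partner", d) not in know:
                nxt.add((know | {("Partner", d)}, charged))
    return nxt or {state}                         # terminal states self-loop so every path is infinite

def reachable(init, leaky):
    succ, todo = {}, [init]                       # successor map of every state reachable from init
    while todo:
        s = todo.pop()
        if s not in succ:
            succ[s] = successors(s, leaky)
            todo.extend(succ[s])
    return succ

def af(succ, phi):
    """States satisfying AF phi: least fixpoint of  Z = phi  U  {s | every successor of s is in Z}."""
    z = {s for s in succ if phi(s)}
    while True:
        grow = {s for s in succ if s not in z and succ[s] <= z}
        if not grow:
            return z
        z |= grow

def check_purge_property(leaky=False):
    """AG over the reachable states; returns (True, None) or (False, violating state)."""
    succ = reachable((frozenset(), frozenset()), leaky)
    for d in sorted(DATA):
        purged = af(succ, lambda s, d=d: all((x, d) not in s[0] for x in ENTITIES))
        for s in succ:
            if ("DB", d) in s[0] and s not in purged:
                return False, s
    return True, None
```

With only purge actions the property holds; adding the Forward action yields a reachable state where the DB knows a card that some path never purges everywhere, which is the leak the formula is meant to catch.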
Initial Experiments (model with 20 objects)
  States   Clauses   Constr. Time (ms)   Solver Time (ms)
  5        431k      2203                781
  10       1928k     7984                6266
  15       4504k     18782               40828
  20       -         -                   -
Conclusion
• PV Framework for reasoning about privacy
• Verification paradigm using Alloy
• Problems …

Future Directions
• (1) Static Program Analysis
  • Path Transducer Model (Servlet)
  • Information Flow (Business Rules, Access Right Policies)
• (2) Customized Relational Constraint Solvers