Transcript
Page 1: Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems

Safety in Discretionary Access Control for Logic-based Publish-subscribe Systems

Kazuhiro Minami, Nikita Borisov, and Carl A. Gunter

University of Illinois at Urbana-Champaign

Page 2: Aggregation in publish-subscribe (pub-sub) systems

[Figure: sensors (location sensors, motion sensors, door sensors) publish raw events into the pub-sub system, which aggregates them into high-level events (e.g., a location event) delivered to subscriber applications such as a location-tracker application and an intelligent-building management system.]

• Publish high-level events derived from raw sensor data
• Eliminate duplicate processing of the same raw data by multiple subscribers

Page 3: Deriving high-level events based on logic

• Represent events as logical statements
• Maintain event derivation rules in Datalog
• Derive high-level events in a bottom-up way

[Figure: a publisher sends location(bob, room10) into the pub-sub system; the knowledge base holds the rule occupied(L) ← location(P, L); the inference engine derives occupied(room10), which is delivered to the subscriber.]

Page 4: Events in pervasive environments contain users' private information

• Concern with location privacy
• A combination of low-level sensor data can reveal the type of a user's activity (i.e., a high-level event)
  – E.g., power usage in a household

Page 5: Protection with discretionary access control (DAC) policies is a good start

• A pub-sub system defines discretionary access control policies dacl: E → 2^P where:
  – E is the set of events that the pub-sub system could maintain
  – P is the set of subscriber principals
• Event e is protected with the access control list dacl(e)
  – E.g., dacl(location(alice, L)) = {bob, dave}
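The bottom-up derivation of Page 3 and the DACL filtering of Page 5, as an added example (this is my code, not the authors' implementation). Events are tuples, Datalog variables are capitalised names, and the rule and policy entries are the ones from the slides; representing dacl as an ordered list of (pattern, principals) entries, with the most specific pattern first, is my assumption. The sample events are constructed.

```python
# Added example (not the paper's code): a small forward-chaining Datalog engine
# for ground events plus the DACL lookup of Page 5. The rule and policy entries
# follow the slides; the pattern-list form of dacl is my assumption.

def is_var(term):
    """Datalog convention: capitalised names (P, L) are variables, the rest constants."""
    return isinstance(term, str) and term[:1].isupper()

def unify(pattern, fact, subst):
    """Extend substitution `subst` so that `pattern` equals the ground `fact`,
    or return None if the two cannot be made equal."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    subst = dict(subst)
    for p, f in zip(pattern[1:], fact[1:]):
        if is_var(p):
            if subst.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return subst

def substitute(atom, subst):
    """Instantiate the variables of `atom` with the bindings in `subst`."""
    return (atom[0],) + tuple(subst.get(t, t) for t in atom[1:])

def match_body(body, facts, subst):
    """Yield every substitution under which all atoms of `body` are known facts."""
    if not body:
        yield subst
        return
    for fact in facts:
        extended = unify(body[0], fact, subst)
        if extended is not None:
            yield from match_body(body[1:], facts, extended)

def derive(raw_events, rules):
    """Bottom-up fixpoint (Page 3): fire every rule against the events known so
    far until no new event appears."""
    known = set(raw_events)
    while True:
        new = set()
        for head, body in rules:
            for subst in match_body(body, known, {}):
                event = substitute(head, subst)
                if event not in known:
                    new.add(event)
        if not new:
            return known
        known |= new

def dacl(event, policy):
    """dacl(e): principals allowed to receive e, taken from the first policy
    pattern that matches e; an event no pattern covers goes to nobody."""
    for pattern, principals in policy:
        if unify(pattern, event, {}) is not None:
            return principals
    return frozenset()

def deliver(events, policy, subscriber):
    """Events the subscriber receives under plain DAC filtering."""
    return {e for e in events if subscriber in dacl(e, policy)}

# Constructed sample input.
RAW_EVENTS = {('location', 'bob', 'room10'), ('location', 'alice', 'room12')}
RULES = [(('occupied', 'L'), [('location', 'P', 'L')])]       # occupied(L) ← location(P, L)
POLICY = [                                                     # most specific pattern first
    (('location', 'alice', 'L'), frozenset({'bob', 'dave'})),  # dacl(location(alice, L)) = {bob, dave}
    (('location', 'P', 'L'), frozenset()),                     # dacl(location(P, L)) = ∅
    (('occupied', 'L'), frozenset({'tom'})),                   # dacl(occupied(L)) = {tom}
]

def what_subscriber_sees(subscriber):
    """Derive all events, then keep those the DACL grants to `subscriber`."""
    return deliver(derive(RAW_EVENTS, RULES), POLICY, subscriber)

if __name__ == '__main__':
    for who in ('tom', 'bob', 'dave'):
        print(who, sorted(what_subscriber_sees(who)))
```

Note that tom receives occupied(room10) and occupied(room12) but no location event, which is exactly the situation Pages 6 and 7 show to be insufficient: the DACL decides per event, and says nothing about what tom can infer from the events he does get together with the rule.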

Page 6: However, a malicious subscriber could learn confidential events through inferences

[Figure: pub-sub system PS[E, I, dacl] and subscriber Tom, who knows PS's derivation rules I and DACL policies dacl. The rules I are drawn as an AND/OR graph over events. Policies: dacl(location(P, L)) = ∅, dacl(occupied(L)) = {Tom}.]

Page 7: But, an adversary could learn confidential events through inferences

[Figure: pub-sub system PS[E, I, dacl] and subscriber Tom. The rules I are drawn as an AND/OR graph over events; the two events with dacl = {Tom} are delivered to Tom, and from them and I he infers the two events with dacl = ∅.]

Page 8: Our approach

• Additional protection with operational discretionary access control (OACL) policies oacl: E → 2^P such that:
  – Subscriber pi receives event e iff pi ∈ oacl(e)
  – For every event e: oacl(e) ⊆ dacl(e)

[Figure: an event passes the DACL policies and then the OACL policies before reaching the subscriber; access on event e is either denied or granted, and the subscriber who is granted e may still try to infer the truth of another event e'.]

Question: Is system PS[E, I, dacl, oacl] safe w.r.t. subscriber pi?

Page 9: Outline

• Safety definition based on nondeducibility
• Safety verification algorithm and its complexity analysis
• Experiments with a SAT solver
• Conclusion

Page 10: Nondeducibility considers information flow between two information functions regarding system configuration

System PS[E, I, dacl, oacl] with a current event set E_PS ⊆ E.

Function v1: 2^E → 2^E gives the non-confidential events that subscriber pi receives:
  v1(E_PS) = {e | e ∈ E_PS ∧ pi ∈ oacl(e)}

Function v2: 2^E → 2^E gives the confidential events that subscriber pi is NOT authorized to receive:
  v2(E_PS) = {e | e ∈ E_PS ∧ pi ∉ dacl(e)}

Nondeducibility asks whether information flows from v2(E_PS) to v1(E_PS), i.e., whether what pi receives depends on the confidential events.

Page 11: Safety definition

A pub-sub system PS[E, I, dacl, oacl] is safe w.r.t. subscriber pi if for every E_PS ⊆ E and every e ∈ E with pi ∉ dacl(e), there exist E'_PS ⊆ E and E''_PS ⊆ E such that:
1. v1(E_PS) = v1(E'_PS) = v1(E''_PS)
2. e ∈ v2(E'_PS)
3. e ∉ v2(E''_PS)

In words: whatever pi observes, there is a consistent state in which the confidential event e occurred and one in which it did not.

Page 12: Example

E = {loc(bob, bldg12), loc(alice, bldg12), occupied(bldg12)}
I = {occupied(B) ← loc(P, B)}
dacl(loc(P, bldg12)) = ∅, dacl(occupied(bldg12)) = {dave}
oacl(loc(P, bldg12)) = ∅, oacl(occupied(bldg12)) = {dave}

E_PS = {loc(bob, bldg12), occupied(bldg12)}
  v1(E_PS) = {occupied(bldg12)}     (events dave receives)
  v2(E_PS) = {loc(bob, bldg12)}     (events that should be protected from dave)

E'_PS = {loc(alice, bldg12), occupied(bldg12)}
  v1(E'_PS) = {occupied(bldg12)}
  v2(E'_PS) = {loc(alice, bldg12)}

[Figure: the two event sets in 2^E map to the same v1 image but to different v2 images, so receiving occupied(bldg12) does not tell dave whether loc(bob, bldg12) occurred.]

Page 13: Outline

• Safety definition based on nondeducibility
• Safety verification algorithm and its complexity analysis
• Experiments with a SAT solver
• Conclusion

Page 14: We represent a subscriber's inferences with s-inference rules

• Represent a subscriber's knowledge with a three-valued logic, via the function val: E → {T, F, U} where:
  – T: known to be true
  – F: known to be false
  – U: unknown
• Capture both bottom-up and top-down inferences with respect to the system's derivation rules I

Page 15: Bottom-up inferences

Consider a derivation rule e ← e1, …, en.

(Bottom-up-T) If a subscriber knows that events e1, …, en are all true, then he knows e is also true.

(Bottom-up-F) If a subscriber knows that some event ei is false, then he knows e is also false. (This step relies on derived events occurring only through I and on this being the only rule with head e; if e has several rules, e is known to be false only once the body of every one of them is known to be false.)

Page 16: Top-down inferences

Consider the set of derivation rules with head e: e ← e1, …, e ← en.

(Top-down-T) If a subscriber knows that event e is true, then he knows some ei is true. (If every ei but one is already known to be false, the remaining one is therefore known to be true; Page 21 uses exactly this.)

(Top-down-F) If a subscriber knows that event e is false, then he knows every ei is false.

Page 17: Verification algorithm with s-inference rules

VerifySafety(E, I, dacl, oacl, pi)
1. For each T/F assignment A: {e | pi ∈ oacl(e)} → {T, F}, do the following:
   1) Compute a fixpoint from the initial state defined by A by applying the s-inference rules
   2) If there is an event e ∈ E such that val(e) ≠ U and pi ∉ dacl(e), return FALSE
2. Return TRUE
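VerifySafety with the four s-inference rules of Pages 15 and 16, as an added example (my code, not the authors' implementation). Rules are ground, i.e. occupied(L) ← location(P, L) has already been instantiated over E as in the slides' own examples, and events are plain strings. Two modelling choices are mine, not the slides': derived events exist only through I (closed world), so Bottom-up-F and Top-down-F reason over all rules with the same head, and an initial assignment that contradicts I is skipped because no real event set produces it. The witness format (observation, leaked event, its value) is also my addition. The inputs replay Page 7 (Tom), the OACL fix of Page 8, and the Page 12 configuration for dave.

```python
# Added example (not the paper's code): VerifySafety from Page 17 over the three
# truth values T, F, U with the s-inference rules of Pages 15-16. Ground rules only.
# My assumptions: closed world (derived events exist only through I) and
# contradictory observations are skipped (no event set closed under I yields them).
import itertools

T, F, U = 'T', 'F', 'U'

class Contradiction(Exception):
    """The observed assignment cannot come from any event set closed under I."""

class PubSub:
    """PS[E, I, dacl, oacl]: events are strings, rules are (head, body_events)."""
    def __init__(self, events, rules, dacl, oacl):
        self.events = frozenset(events)
        self.rules_for = {}
        for head, body in rules:
            if not {head, *body} <= self.events:
                raise ValueError(f"rule for {head} mentions an event outside E")
            self.rules_for.setdefault(head, []).append(tuple(body))
        self.dacl = {e: frozenset(dacl.get(e, ())) for e in self.events}
        self.oacl = {e: frozenset(oacl.get(e, ())) for e in self.events}
        for e in self.events:                          # Page 8: oacl(e) ⊆ dacl(e)
            if not self.oacl[e] <= self.dacl[e]:
                raise ValueError(f"oacl({e}) must be a subset of dacl({e})")

def fixpoint(ps, val):
    """Apply the s-inference rules to `val` until nothing changes."""
    val = dict(val)

    def learn(e, v):                                   # True iff val actually changed
        if val[e] == U:
            val[e] = v
            return True
        if val[e] != v:
            raise Contradiction(e)
        return False

    changed = True
    while changed:
        changed = False
        for head, bodies in ps.rules_for.items():
            for body in bodies:                        # Bottom-up-T
                if all(val[b] == T for b in body):
                    changed |= learn(head, T)
            if all(any(val[b] == F for b in body) for body in bodies):
                changed |= learn(head, F)              # Bottom-up-F: every rule for head is dead
            if val[head] == T:                         # Top-down-T
                live = [b for b in bodies if not any(val[x] == F for x in b)]
                if len(live) == 1:                     # only one rule can have fired
                    for b in live[0]:
                        changed |= learn(b, T)
            if val[head] == F:                         # Top-down-F: every body is false
                for body in bodies:
                    unknown = [b for b in body if val[b] == U]
                    if len(unknown) == 1 and all(val[b] == T for b in body if b != unknown[0]):
                        changed |= learn(unknown[0], F)
    return val

def verify_safety(ps, subscriber):
    """Page 17. Returns (True, None) if PS is safe w.r.t. subscriber, otherwise
    (False, (observation, leaked_event, value)) as a witness."""
    visible = sorted(e for e in ps.events if subscriber in ps.oacl[e])
    confidential = sorted(e for e in ps.events if subscriber not in ps.dacl[e])
    for bits in itertools.product((T, F), repeat=len(visible)):
        observation = dict(zip(visible, bits))
        val = {e: U for e in ps.events}
        val.update(observation)
        try:
            val = fixpoint(ps, val)
        except Contradiction:
            continue                                   # not an observation any real E_PS yields
        for e in confidential:
            if val[e] != U:
                return False, (observation, e, val[e])
    return True, None

# Constructed inputs. Page 7: Tom receives occupied(room10), whose only
# derivation is from location(bob, room10), which he may not see.
E7 = ['location(bob,room10)', 'occupied(room10)']
I7 = [('occupied(room10)', ['location(bob,room10)'])]
PAGE7 = PubSub(E7, I7, dacl={'occupied(room10)': {'tom'}}, oacl={'occupied(room10)': {'tom'}})
# Page 8 fix: same dacl, but an OACL policy that withholds occupied(room10) from Tom.
PAGE8 = PubSub(E7, I7, dacl={'occupied(room10)': {'tom'}}, oacl={})
# Page 12: two possible sources for occupied(bldg12).
E12 = ['loc(bob,bldg12)', 'loc(alice,bldg12)', 'occupied(bldg12)']
I12 = [('occupied(bldg12)', ['loc(bob,bldg12)']), ('occupied(bldg12)', ['loc(alice,bldg12)'])]
PAGE12 = PubSub(E12, I12, dacl={'occupied(bldg12)': {'dave'}}, oacl={'occupied(bldg12)': {'dave'}})

if __name__ == '__main__':
    print('Page 7, tom  :', verify_safety(PAGE7, 'tom'))    # unsafe: Top-down-T leaks location(bob,room10)
    print('Page 8, tom  :', verify_safety(PAGE8, 'tom'))    # safe: tom observes nothing
    print('Page 12, dave:', verify_safety(PAGE12, 'dave'))  # unsafe: Top-down-F on occupied(bldg12) = F
```

Two things worth noticing. Page 12 is reported unsafe even though receiving occupied(bldg12) leaves both loc events unknown (Top-down-T cannot pick one of the two rules): the assignment in which occupied(bldg12) is absent lets Top-down-F conclude that neither loc event occurred, so absence of an event leaks as much as its presence. And the Page 8 fix is blunt (oacl(occupied(room10)) = ∅ removes the observation entirely); with a second derivation for occupied(room10) the verifier would instead have to be re-run, which is the point of having an algorithm rather than reasoning by hand.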

Page 18: Analysis of the verification algorithm

• Sound and complete:
  – The algorithm returns TRUE if and only if the pub-sub system PS[E, I, dacl, oacl] is safe w.r.t. subscriber pi.
• Running time is exponential in the number of non-confidential events {e | pi ∈ oacl(e)}, because we need to check all possible truth assignments to them

Page 19: Complexity analysis

UNSAFE = {(PS[E, I, dacl, oacl], pi) | VerifySafety(E, I, dacl, oacl, pi) = FALSE}

• UNSAFE is NP-complete; that is:
  1. UNSAFE is in NP
  2. 3-CNF-SAT is polynomially reducible to UNSAFE

Page 20: Basic idea: construct PS such that a confidential event s is known when formula Φ is satisfiable

Φ = (x1 ∨ ¬x2 ∨ ¬x3) ∧ (¬x1 ∨ x2 ∨ x3)
         y1                 y2
s ≡ y1 ∧ y2

Rules of the constructed PS (nxi stands for the literal ¬xi):
  y1 ← x1      y1 ← nx2     y1 ← nx3
  y2 ← nx1     y2 ← x2      y2 ← x3
  s ← y1, y2

If either x1, nx2, or nx3 is known to be true, then y1 is known to be true (Bottom-up-T); if either nx1, x2, or x3 is known to be true, then y2 is known to be true. Then s is known to be true (Bottom-up-T again).

The truth assignment must be consistent: val(x1) = T iff val(nx1) = F.

Page 21: Truth assignment must be consistent

Gadget for variable x1 (u1, z1 and z'1 are auxiliary events):
  x1 ← nx1, z1
  x1 ← u1, z'1
  s ← y1 ∧ y2 ∧ u1 ∧ …
with pi ∈ dacl(u1) and pi ∉ oacl(u1).

If x1 is known to be true, then by Top-down-T (S5) val(nx1 ∧ z1) = T or val(u1 ∧ z'1) = T. If nx1 is known to be false, the first alternative is ruled out, so u1 is known to be true. Thus x1 and nx1 are consistent iff u1 is known to be true, and s is known only when y1 and y2 are known to be true and u1 is known to be true, i.e., only under a consistent assignment.

Page 22: Experiments with a SAT solver

• Convert PS[E, I, dacl, oacl] into a SAT formula Φj such that there is a safety violation w.r.t. principal pj iff Φj is satisfiable
• Encode in Φj a sequence of s-inference rule applications leading to a safety violation
• Measure the latency of solving the converted SAT problems with the SAT4J SAT solver

Page 23: Latency results

Parameters:
  #events   #rules
     10        8
     20       16
     30       24
     40       32
     50       40
     60       48
     70       56

[Figure: latency of solving the converted SAT problem for each parameter setting.]

Page 24: Conclusion

• Defined safety in a logic-based pub-sub system formally
• Captured a subscriber's inferences with a set of s-inference rules
• Proved that the safety problem is co-NP-complete (equivalently, UNSAFE is NP-complete)
• Showed the feasibility of safety verification with a moderate number of events and rules using a SAT solver

Page 25: Any questions?

Any questions?

