An Access Control Model for Provenance

Why provenance needs its own security model
Uri Braun
PASS Team
Harvard University
Workshop on Principles of Provenance
November 19-20, ‘07
Provenance needs security

Many provenance applications involve sensitive data:
- Regulatory Compliance
- Electronic Medical Records
- National Security Intelligence
January 8, '07
Slide 2 (of 22)
National Intelligence Estimate
Data v. Provenance Sensitivity

Provenance graph on the slide; every node is labelled "Public: cannot read":

  Vice Chair       --[cp vice.txt /shared/]-----+
  Chair            --[cp chair.txt /shared/]----+--[cat /shared/*.txt | uniq]--> National Intelligence Estimate
  Special Advisor  --[cp advisor.txt /shared/]--+
Outline
- Motivation
- Provenance needs its own security model
- Related Work
- Recap
Provenance needs its own security model

- Sensitivity(Provenance) ≠ Sensitivity(Data)
- Can have cases where sensitivity of:
  - Data > Provenance
  - Provenance > Data
Performance Review
Data v. Provenance Sensitivity

Provenance graph on the slide, with what the employee (Joe) may read:

  Manager's email                                   Employee: cannot read
      | mail -s "Joe's Review" peer1, peer2
      v
  Email to Peer1          Email to Peer2            Employee: cannot read
      | mail -s "RE: Joe's Review" manager (from each peer)
      v
  Email from Peer1        Email from Peer2          Employee: cannot read
      X                       X                     (edges marked X on the slide)
      | cp peer1 & 2's emails and edit
      v
  Performance review                                Employee: can read
National Intelligence Estimate
Data v. Provenance Sensitivity

Provenance graph on the slide; every node is labelled "Public: cannot read":

  Vice Chair       --[cp vice.txt /shared/]-----+
  Chair            --[cp chair.txt /shared/]----+--[cat /shared/*.txt | uniq]--> National Intelligence Estimate
  Special Advisor  --[cp advisor.txt /shared/]--+
Different from traditional security models

- Requires attributes different from existing security models
  - Relationships are fundamentally different
  - They leak information differently
Performance Review
Relationship Leak

Provenance graph on the slide, with what the employee (Joe) may read:

  Manager's email                                   Employee: cannot read
      | mail -s "Joe's Review" peer1, peer2
      v
  Email to Peer1          Email to Peer2            Employee: cannot read
      | mail -s "RE: Joe's Review" manager (from each peer)
      v
  Email from Peer1        Email from Peer2          Employee: cannot read
      X                       X                     (edges marked X on the slide)
      | cp peer1 & 2's emails and edit
      v
  Performance review                                Employee: can read

The review data is readable by the employee, but the relationships leading into it reveal that the review was derived from Peer1's and Peer2's emails, which is exactly what the employee must not learn.
Relationships leak information in combination with:
- Seemingly unrelated other relationships
- World knowledge
- Mere existence of a relationship
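The Performance Review graph and the three ways relationships leak can be made concrete with a small model. The Python below is an added example written for this page, not code from the PASS project or from the slides; the principal names, the reader sets placed on nodes and on edges, and the rule that an edge is visible only when its relationship label and both endpoints are readable are all assumptions. It contrasts a per-object policy that redacts unreadable ancestors but still returns every edge (so the employee learns that the review had exactly two hidden inputs, the "mere existence" leak) with a relationship-aware policy that hides the edges themselves.

```python
# Added example (not code from the PASS project or from the slides): a toy
# provenance graph whose data nodes and relationship edges carry separate
# reader sets, built around the deck's "Performance Review" scenario.
# Principal names, the reader sets and the edge-visibility rule are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    readers: FrozenSet[str]   # who may read the node's data


@dataclass(frozen=True)
class Edge:
    src: str                  # ancestor node
    dst: str                  # node derived from src
    process: str              # how dst was derived (the slide's shell commands)
    readers: FrozenSet[str]   # who may learn that this relationship exists


class ProvenanceGraph:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.edges: List[Edge] = []

    def add_node(self, name: str, *readers: str) -> None:
        self.nodes[name] = Node(name, frozenset(readers))

    def add_edge(self, src: str, dst: str, process: str, *readers: str) -> None:
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("both endpoints must be added before the edge")
        self.edges.append(Edge(src, dst, process, frozenset(readers)))

    def can_read(self, name: str, who: str) -> bool:
        return who in self.nodes[name].readers

    def parents_data_only(self, name: str, who: str) -> List[Tuple[str, str]]:
        """Traditional per-object control: unreadable ancestors are redacted,
        but every edge into `name` is still returned, so the count of
        redacted entries alone reveals how many inputs the node had."""
        out = []
        for e in self.edges:
            if e.dst == name:
                label = e.src if self.can_read(e.src, who) else "<redacted>"
                out.append((label, e.process))
        return out

    def parents(self, name: str, who: str) -> List[Tuple[str, str]]:
        """Relationship-aware control: an edge is returned only if `who` may
        see the relationship itself and both of its endpoints; otherwise
        even its existence stays hidden."""
        return [(e.src, e.process) for e in self.edges
                if e.dst == name and who in e.readers
                and self.can_read(e.src, who) and self.can_read(e.dst, who)]

    def ancestors(self, name: str, who: str) -> List[str]:
        """Breadth-first closure of `parents` as seen by `who`."""
        seen, queue, out = {name}, [name], []
        while queue:
            current = queue.pop(0)
            for src, _ in self.parents(current, who):
                if src not in seen:
                    seen.add(src)
                    queue.append(src)
                    out.append(src)
        return out


def performance_review_graph() -> ProvenanceGraph:
    """Constructed sample following the slide: the manager mails two peers,
    each replies, and the replies are copied and edited into the review.
    Only the final review is readable by the employee."""
    g = ProvenanceGraph()
    mgr, peers = "manager", ("peer1", "peer2")
    g.add_node("manager_email", mgr)
    for p in peers:
        g.add_node(f"email_to_{p}", mgr, p)
        g.add_node(f"email_from_{p}", mgr, p)
    g.add_node("review", mgr, "employee")
    for p in peers:
        g.add_edge("manager_email", f"email_to_{p}",
                   'mail -s "Joe\'s Review" peer1, peer2', mgr)
        g.add_edge(f"email_to_{p}", f"email_from_{p}",
                   'mail -s "RE: Joe\'s Review" manager', mgr, p)
        # the two edges marked X on the slide: the relationship is what must
        # be hidden from the employee, not the review data itself
        g.add_edge(f"email_from_{p}", "review", "cp and edit", mgr)
    return g


if __name__ == "__main__":
    g = performance_review_graph()
    print(g.can_read("review", "employee"))           # True: the data is readable
    print(g.parents_data_only("review", "employee"))  # two <redacted> rows: leak
    print(g.parents("review", "employee"))            # []: relationship hidden
    print(g.ancestors("review", "manager"))           # full history for the manager
```

Requiring both endpoints to be readable before an edge is shown is what stops the per-object redaction leak: an edge whose far end is "<redacted>" still tells the employee that a hidden input exists, and two of them tell him how many reviewers there were.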
Outline
- Motivation
- Provenance needs its own security model
- Related Work
  - Provenance Projects
  - Aggregation
  - Applications
- Recap
PASOA

Does:
- Ensure non-repudiation
- Federate identity
- Obscure portions of records
Does not:
- Consider relationships
- Provide fine grained access control
[Groth et al.: D3.1.1: An Architecture for Provenance Systems]
myGrid

Does:
- Authentication
- Access control per repository
Does not:
- Consider relationships
- Fine grained access control
[Miles: myGrid Security Issues]
[Egglestone: Security in the myGrid project]
Aggregate queries

- May help understand interaction among relationships
- Does not have a model for relationships
- No answers for:
  - The existence of a relationship itself providing data
  - Combining with world knowledge
Information Flow

- Similar to aggregate queries in applicability
- How do we model:
  - Relationships
  - World knowledge
  - Existence
Audit logs

- Audit logs useful for security
- Security also useful for audit logs
- Current security is still binary:
  - Total access
  - No access
[Radack: NIST SP 800-92: Guide to Computer Log Management]
Metadata security

- Metadata embedded in documents
- Word change history has led to many well-publicized unintentional leaks
- Current solution is to remove metadata before publishing externally
Compliance

- Increasing interest in tightening financial oversight
- Growing focus on tracking the history of decisions
[Johnson: Intersections of Law and Technology in Balancing Privacy Rights with Free Information Flow]
Electronic Medical Records

- Medical records include provenance
- HIPAA mandates access controls
[Agrawal: Hippocratic Databases]
Outline
- Motivation
- Provenance needs its own security model
- Related Work
- Recap
Recap

- Provenance needs security
- Security needs are different
- No known directly applicable model
Questions?