A Formal Framework for Provenance Security

Cheney, James

doi:10.1109/csf.2011.26

Cited by 53 publications

(49 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In this article, we build on, and refine, the provenance security framework previously introduced by Cheney [15]. We introduce a core language with replayable execution traces for a call-by-value, higher-order functional language, and make the following technical contributions:…”

Section: Discussionmentioning

confidence: 99%

“…There is also some work directly addressing security for provenance [20,32,15,23,6,24]. Chong [20] gave (to our knowledge) the first candidate formal definitions of data security and provenance security using a trace semantics, based in part on earlier, unpublished work of ours on traces and provenance [16].…”

Section: Introductionmentioning

confidence: 99%

“…In their approach, the definition of privacy essentially says that for unknown components in a workflow (i.e. a simple dataflow diagram), an attacker should not be able to learn functional behavior; for example, should not be able to narrow down the possible output values for any input to less than a parameter k. Cheney [15] gave an abstract framework for provenance, proposed definitions of properties called obfuscation and disclosure, and discussed algorithms and complexity results for instances of this framework including finite automata, workflows, and the semiring model of database provenance [28]. Zhang et al [50] develop tamper-detection techniques for provenance in databases.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A core calculus for provenance

Acar

Ahmed

Cheney

et al. 2013

JCS

Self Cite

View full text Add to dashboard Cite

Provenance is an increasing concern due to the ongoing revolution in sharing and processing scientific data on the Web and in other computer systems. It is proposed that many computer systems will need to become provenanceaware in order to provide satisfactory accountability, reproducibility, and trust for scientific or other high-value data. To date, there is not a consensus concerning appropriate formal models or security properties for provenance. In previous work, we introduced a formal framework for provenance security and proposed formal definitions of properties called disclosure and obfuscation.In this article, we study refined notions of positive and negative disclosure and obfuscation in a concrete setting, that of a general-purpose programing language. Previous models of provenance have focused on special-purpose languages such as workflows and database queries. We consider a higher-order, functional language with sums, products, and recursive types and functions, and equip it with a tracing semantics in which traces themselves can be replayed as computations. We present an annotation-propagation framework that supports many provenance views over traces, including standard forms of provenance studied previously. We investigate some relationships among provenance views and develop some partial solutions to the disclosure and obfuscation problems, including correct algorithms for disclosure and positive obfuscation based on trace slicing.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A core calculus for provenance

Acar

Ahmed

Cheney

et al. 2013

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…Our paper [17] explored connections to programming languages, security, incremental, and bidirectional computation research [1,5,25]. More recently, we have investigated foundations for provenance security [14], building on work by Chong [19]. We believe language-based provenance security to be a fruitful area for future work, possibly extending the derivation trace model in this paper.…”

Section: Related Workmentioning

confidence: 99%

Toward a Theory of Self-explaining Computation

Cheney

Acar

Perera

2013

In Search of Elegance in the Theory and Practice of Computation

Self Cite

View full text Add to dashboard Cite

Abstract. Provenance techniques aim to increase the reliability of human judgments about data by making its origin and derivation process explicit. Originally motivated by the needs of scientific databases and scientific computation, provenance has also become a major issue for business and government data on the Web. However, so far provenance has been studied only in relatively restrictive settings: typically, for data stored in databases or scientific workflow systems, and processed by query or workflow languages of limited expressiveness. Long-term provenance solutions require an understanding of provenance in other settings, particularly the general-purpose programming or scripting languages that are used to glue different components such as databases, Web services and workflows together. Moreover, what is required is not only an account of mechanisms for recording provenance, but also a theory of what it means for provenance information to explain or justify a computation. In this paper, we begin to outline a such a theory of self-explaining computation. We introduce a model of provenance for a simple imperative language based on operational derivations and explore its properties.

show abstract

“…Several recent works have considered formal semantics of provenance [9,8]. Cheney [12] presents a framework for provenance, built on a notion of system traces. Recently, W3C has proposed a data model for provenance, called PROV [5], which enjoys a formal description of its specified constraints and inferences in first-order logic, [13], however the given semantics does not cover the relationship between the provenance record and the actual system behavior.…”

Section: Related Workmentioning

confidence: 99%

Correct Audit Logging: Theory and Practice

Amir-Mohammadian

Chong

Skalka

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Retrospective security has become increasingly important to the theory and practice of cyber security, with auditing a crucial component of it. However, in systems where auditing is used, programs are typically instrumented to generate audit logs using manual, ad-hoc strategies. This is a potential source of error even if log analysis techniques are formal, since the relation of the log itself to program execution is unclear. This paper focuses on provably correct program rewriting algorithms for instrumenting formal logging specifications. Correctness guarantees that the execution of an instrumented program produces sound and complete audit logs, properties defined by an information containment relation between logs and the program's logging semantics. We also propose a program rewriting approach to instrumentation for audit log generation, in a manner that guarantees correct log generation even for untrusted programs. As a case study, we develop such a tool for OpenMRS, a popular medical records management system, and consider instrumentation of break the glass policies.

show abstract

A Formal Framework for Provenance Security

Cited by 53 publications

References 36 publications

A core calculus for provenance

A core calculus for provenance

Toward a Theory of Self-explaining Computation

Correct Audit Logging: Theory and Practice

Contact Info

Product

Resources

About