CMPSC443 - Introduction to Computer and Network Security
Module: Provenance
Professor Patrick McDaniel
Spring 2009
NASA/KSC
• During a launch window, the pad infrastructure collects and evaluates 50k sensor samples/sec ...
‣ ... sensors measure the heat, stress, vibration, etc. of the superstructure.
‣ ... the “state” of the launch is computed by a complex model whose inputs are continuous (sometimes faulty) sensors.
‣ ... the launch is aborted (or potentially worse, not aborted) based on the launch state.
Thus, the safety of the launch mission relies on the pedigree of singular, aggregated, and synthesized cyber-physical sensor data.
Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2
Provenance
• A human scale problem:
‣ Data often comes from many sources ...
‣ ... is synthesized by often complex/hidden processes ...
‣ ... thus, how do you really know what the data means?
• Data provenance immutably identifies how data came to be in the state it is.
‣ Who/what contributed to it?
‣ What was it based on?
‣ When was it generated?
‣ Why was it generated?
‣ How was it generated?
Practical Provenance
• Medical data management - HIPAA requires tight controls on the dissemination, generation and storage of patient data, including data from cyber-physical sensors and control systems.
‣ security questions raised on this of late
• SCADA/sensor-nets - Understanding the pedigree of sensed information is key to properly reacting to changes in physical system state.
‣ manufacturing, power grids, utilities, airport security, transportation, ...
• Voting systems - one of the central countermeasures to the pervasive problems is better tracking of election artifacts, logging.
Why provenance?
• Error handling
‣ Detection, isolation, and recovery
• Source attribution
‣ Forensics, consistency, believability
• Evidentiary
‣ Evidence that data is legitimate/legal
• Data revision
‣ Updates, correction, extension, refinement
• The value of data can only be judged in light of how, when and where it comes from (veracity/timeliness/quality)
Tracking provenance
[Figure, two slides: a news report (an excerpt datelined Shali, Russia, about the burning of Valentina Basargina’s house) shown as the final data product, annotated with the provenance of its parts. Labels on the first slide: GPS-tracking, Field Agent A, Field Agent B, Station Chief, Analyst C, Analyst D. The second slide attaches data items d1 through d6 to their sources and to the chain Field Agent A → Station Manager → Analyst C / Analyst D → report.]
Provenance approaches ...
• Annotations describe data provenance
‣ Can be manual or automated
‣ Collects “log” of data transitions
‣ Pro: complete record
‣ Con: potentially large state (scalability?)
• Inversion infers provenance by reversing processes: $f^{-1}(y) = x$
‣ Reverse processes to recover data preimage, e.g., query inversion
‣ Save all processing back to creation/import of data
‣ Pro: small representation
‣ Con: incomplete/cannot invert all processes (e.g., aggregation)
• Orthogonal: data vs. process oriented provenance
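The two approaches side by side, as an added example that is not part of the lecture: an annotation log where each record names who/how/when plus the digests of its inputs (so a tampered source breaks the chain), next to inversion, which recovers a preimage for a bijective step but has nothing to recover for an aggregate. The sensor readings, node names and timestamp are constructed.

```python
import hashlib
import json


def _digest(obj):
    """Canonical SHA-256 over a JSON-serialised record (sort_keys for determinism)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def annotate(value, who, how, inputs, when="2009-01-01T00:00:00Z"):
    """Annotation approach: one log entry per data transition, recording who/how/when
    and the ids of the inputs it was derived from, bound under the entry's own digest."""
    rec = {"value": value, "who": who, "how": how, "when": when,
           "inputs": [r["id"] for r in inputs]}
    rec["id"] = _digest(rec)
    return rec


def verify_chain(rec, store):
    """Walk the annotation graph back to the raw sources. False if any record's digest
    no longer matches its content (tampering) or an input is missing (incomplete pedigree)."""
    body = {k: v for k, v in rec.items() if k != "id"}
    if _digest(body) != rec["id"]:
        return False
    return all(i in store and verify_chain(store[i], store) for i in rec["inputs"])


# Inversion approach: keep no log, only the forward process and (where one exists) its inverse.
def scale(x, factor):
    return x * factor


def unscale(y, factor):
    return y / factor            # bijective: the preimage x is recoverable from y


def aggregate(xs):
    return sum(xs)               # many-to-one: no inverse, the inputs are gone


def demo():
    # constructed readings from two vibration sensors, summed by a model node
    s1 = annotate(100.0, "sensor:vib-1", "raw sample", [])
    s2 = annotate(140.0, "sensor:vib-2", "raw sample", [])
    agg = annotate(aggregate([s1["value"], s2["value"]]), "model:node-3", "sum", [s1, s2])
    store = {r["id"]: r for r in (s1, s2, agg)}
    intact = verify_chain(agg, store)       # True: full pedigree checks out
    s1["value"] = 1.0                       # a source is altered after the fact
    tampered = verify_chain(agg, store)     # False: the chain exposes it
    recovered = unscale(scale(140.0, 2.5), 2.5)  # inversion works for a bijection
    return intact, tampered, recovered, agg["value"]
```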
Provenance and Security
• One could argue the genesis of provenance lies in the early MLS systems. These systems track and constrain information based on labels (public, secret, top-secret).
‣ The standard for intelligence and military for a generation
• Integrity models track and constrain the modification of information by labels (low integrity, high integrity).
‣ Biba, Clark-Wilson, Clark-Wilson Light
‣ These are formal security models (fundamental science)
• A recent revival of label based security ...
‣ Security-typed languages
‣ MAC-based policy, operating systems
‣ Labeled communication
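How integrity labels constrain modification, as an added example that is not from the lecture: the strict Biba rules (no read down, no write up) beside the low-water-mark variant, in which a subject's label sinks to that of the least-trusted data it has read, so the label carries a coarse provenance of what went into its later writes. The level names are constructed.

```python
from enum import IntEnum


class Integrity(IntEnum):
    LOW = 0      # e.g. data taken from an untrusted network source
    MEDIUM = 1
    HIGH = 2     # e.g. a verified sensor or signed configuration


def can_read(subject, obj):
    """Biba simple integrity property: a subject may not read below its own level."""
    return obj >= subject


def can_write(subject, obj):
    """Biba *-integrity property: a subject may not write above its own level."""
    return subject >= obj


class LowWaterMarkSubject:
    """Low-water-mark Biba: every read is allowed, but it lowers the subject's label
    to min(current, object), so nothing it writes afterwards can be labelled higher
    than its least-trusted input."""

    def __init__(self, level):
        self.level = level

    def read(self, obj_level):
        self.level = min(self.level, obj_level)

    def write(self, obj_level):
        return can_write(self.level, obj_level)


def demo():
    strict_read_down = can_read(Integrity.HIGH, Integrity.LOW)   # denied under strict Biba
    proc = LowWaterMarkSubject(Integrity.HIGH)
    proc.read(Integrity.HIGH)
    write_high_before = proc.write(Integrity.HIGH)               # still HIGH: allowed
    proc.read(Integrity.LOW)                                     # taints the process
    write_high_after = proc.write(Integrity.HIGH)                # now denied
    write_low_after = proc.write(Integrity.LOW)                  # allowed
    return strict_read_down, write_high_before, write_high_after, write_low_after, proc.level
```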
Ongoing efforts ...
• Service-Oriented Architectures (Scientific/GRID comp.)
‣ Chimera and Virtual Data Grid (data regeneration)
‣ myGrid, CMCS, PASOA, ESSW, Tioga, Trio, ...
• Network systems
‣ IP/Accountable Internet Protocol (AIP)
‣ Forensics: relating users to behavior, hosts to malicious activity
‣ Sensor networks -- aggregation, caching, spatial organization
• System: Programming languages and operating systems
‣ Tainting, process and data coloring, blame tracking
‣ PASS - provenance enabled storage (filesystem)
• Data: Proof carrying data
‣ proofs carried with the data of its creation condition (evaluation)
Challenges/Open Problems
• The key design issues of provenance:
‣ What to record (scope)?
‣ How to represent it?
‣ How to store it?
‣ How to query it?
‣ How to secure it?
• Authenticity, integrity, timeliness
• Problems:
‣ Mixing paint - aggregation, synthesis, and compression can muddle the pedigree of data (vs. meta data explosion)
‣ Privacy - there is a lot of semantic information in provenance, and even more can be inferred (statistical inferences are effective)