Course Review

Course Review

Anupam Datta

CMUFall 2007-08

18739A: Foundations of Security and Privacy

Goals of course

Provide an overview of foundational work in security and privacy Self-contained introduction + State-of-the-art research

Fundamental questions What does being secure mean?

Model of system + attacker Is a given system secure?

Sound analysis methods

Goals of course (2)

Cover 4 central research areas Security Protocols Distributed Access Control Privacy Language-based Security

An experiment – existing courses typically focus on one area

Goals of course (3)

Introduction to general analysis methods Model-checking Logics Process calculi Logic programming Type systems

Application to practical security mechanisms Industrial security protocols Grey system for distributed access control Specification and enforcement of privacy laws such as

HIPAA in LPU Cyclone (Safe C) and Jif (Java + information flow)

Goals of course (4)

Provide breadth in area Lectures and homeworks

Provide some depth in area Course project Largely successful!

Four broad topics

1. Security Protocols2. Distributed Access Control3. Privacy4. Language-based Security

Security Protocol Analysis

The Problem: Is a given network protocol secure?

First define: Model of protocol Model of attacker Security properties

Secrecy, confidentiality Authentication, integrity Denial of service

Methods

Bug finding Automated model-checking techniques Finite number of sessions

Security proofs Absence of bugs Unbounded number of sessions Many approaches

Paulson’s Inductive Method, Protocol Composition Logic, Applied Pi Calculus

Modeling Cryptography

Symbolic Model “Perfect crypto”: No attacker can break, e.g. can decrypt encrypted message iff has

decryption key Proof technique: Induction

Complexity-theoretic Model Primitives secure with high probability against

probabilistic polynomial time attackers Proof technique: Reduction

Recent work combining methods

Specifying security

Trace-based Every execution satisfies desired security

property Model-checking, inductive method, PCL

Equivalence-based Real protocol indistinguishable from “ideal”

protocol Applied pi calculus (observational

equivalence), cryptography (pseudorandomness, …)

Example: Authentication

Authentication protocolA B {i}k

B A {i+1}k

A B “Ok”

“Ideal” protocolA B {random1}k

B A {random2}k

B A random1, random2 on a magic secure channel

A B “Ok” if numbers on real & magic channels match

Real protocol is secure if it is observationally equivalent to ideal protocol

Course Projects

Rivest’s 3 Ballot Voting Protocol Ryan’s Pret-a-Voter Protocol Verified by Visa Tor Anonymity Protocol

Four broad topics


Access Control Picture

Distributed Access Control

•Requestor and monitor on different machines

•Policy distributed across different servers

We covered

Access control logics Lampson et al “speaks-for” logic Proof Carrying Authorization (PCA) and the

Grey System Constructive Authorization Logic

Trust Management RT – Role-based Trust Management

AliceEPub

StateUABU

StateU is a university

Alice is a student

Grants access to university students

Trusts universities to certify students

Trusts ABU to certify universities

Main issues

How to represent policies Naming, delegation Syntax of logic/language (Lampson+, PCA,

Constructive Logic, RT) How to reason by combining policies

Proof system for logics Algorithms for RT (decision procedures for Datalog)

How to collect relevant credentials Distributed proof-search using heuristics in Grey Provably correct credential chain discovery in RT

Four broad topics


Privacy Research Space

What is Privacy?[Philosophy, Law, Public Policy]

Formal Model, Policy Language,Compliance-check Algorithms

[Programming Languages, Logic]

Implementation-level Compliance[Software Engg, Formal Methods]

Data Privacy[Databases, Cryptography]

Privacy

Scenarios: Enterprises collect personal information – email

and postal addresses – in many cases through web sites

Organizations such as hospitals and financial institutions hold sensitive personal information

Fundamental questions: Policy: Under what conditions is the collected

information used and distributed? Enforcement: Do organizational processes actually

enforce the stated policy? Privacy Laws:

HIPAA, GLBA, COPPA

Privacy Policy Languages

P3P Privacy policy specification for web sites.

E-P3P/EPAL Enterprise privacy policy specification and

enforcement Contextual Integrity and LPU

Philosophical theory of privacy Formalization in temporal logic (specification and

enforcement) Expressing privacy laws, e.g. HIPAA, GLBA,

COPPA

Contextual Integrity [N2004]

Philosophical framework for privacy Central concept: Context

Examples: Healthcare, banking, education What is a context?

Set of interacting agents in roles Roles in healthcare: doctor, patient, …

Norms of transmission Doctors should share patient health information

as per the HIPAA rules Purpose

Improve health

Expressing Privacy in LPU

Allow message transmission if:•at least one positive norm is satisfied; and•all negative norms are satisfied

HIPAA – Healthcare Privacy

•HIPAA consists primarily of positive norms: share phi if some rule explicitly allows it (2), (3), (5), (6)•Exception: negative norm about psychotherapy notes (4)

COPPA – Children Online Privacy

•COPPA consists primarily of negative norms •children can share their protected info only if parents consent (7) (condition)•(8) (obligation – future requirements)

Sanitization of Databases

Real Database (RDB)

Sanitized Database (SDB)

• Health records• Census data

Add noise, delete names,

etc.

• Protect privacy• Provide useful

information (utility)

Re-identification by linking• Linking two sets of data on shared attributes may uniquely identify some individuals:

• Example [Sweeney] : De-identified medical data was released, purchased Voter Registration List of MA, re-identified Governor • 87 % of US population uniquely identifiable by 5-digit ZIP, sex, dob

K-anonymity (1)

Quasi-identifier: Set of attributes (e.g. ZIP, sex, dob) that can be linked with external data to uniquely identify individuals in the population

Make every record in the table indistinguishable from at least k-1 other records with respect to quasi-

identifiers

Linking on quasi-identifiers yields at least k records for each possible value of the quasi-identifier

K-anonymity and beyond

• Provides some protection: linking on ZIP, age, nationality yields 4 records• Limitations: lack of diversity in sensitive attributes, background knowledge, subsequent releases on the same data set • Utility: less suppression implies better utility

Four broad topics


Type Systems for Security

Focus on the use of type systems to improve software security

Two representative projects Cyclone: Memory safe dialect of C, i.e. no

buffer overflow attacks, format string vulnerabilities etc (or Ccured)

Jif: Enforcing information flow security properties (non-interference and variants)

Definition of Security

Non-interference (idea)

Program

HI

LI

HO

LO

HI’ HO’

No information flows from high inputs to low outputs

Example

if x = 1 then y:=1 else y:=0

NoLH

YesHL

YesLL

YesHH

NIyx

Language definition

Syntax Type system (static semantics) Operational semantics (dynamic

semantics)

Type safety (soundness) theorem

Soundness Theorem

What next?

Security courses@CMU 18730 – Introduction to Computer Security

Some overlap in topics; presentation focuses more on attacks and mechanisms, not security models and analysis

18731 – Network Security Not much overlap, except network security protocols

18732 - Secure Software Systems Complementary course on software security

18733 – Applied Cryptography Complementary course; details of crypto that we treated

as black boxes (offered next semester) 15-819 - Languages and Logics for Security

Reading seminar focused primarily on language-based security

The End

Documents

Course Review