Sunday, March 08, 2009

On Secure Provenance and the logic behind the threat model

In our USENIX FAST 2009 paper (the "Picasso" paper), we discussed a scheme for providing integrity and confidentiality assurances for the provenance of files. While this is a good first step towards securing provenance, I think there are many more issues we need to resolve.

These days, I see many security-related papers advocating this or that scheme to secure objects. However, I really don't buy anything that claims to solve problems by relying on access control or policies. Here is why: access control works fine if the system is centralized, or if the sysadmin of the system is incorruptible. However, when you have a distributed system with no control over other principals or their systems, OR when even sysadmins may become attackers, there is no guarantee that access control constraints will be honored.

So, in the "REAL World", we can't claim to have a system that will prevent attacks from happening. With enough money, even trusted hardware devices can be breached (my co-advisor Radu Sion likes to stress this point ... nothing is invincible). So, what can we do? We can't prevent someone from lying about themselves, or from deleting / changing things in their possession. What we CAN do is prevent people from lying about others (i.e. "honest" others). This is exactly the guarantee we provide in our Secure Provenance work ... we prevent people from undetectably "inventing" history involving other honest people.

To give a real life analogy, suppose a forger has painted a fake Picasso painting. The forger benefits here by taking his fake Picasso, and then inventing a fake history / provenance record involving his painting. He must have some honest buyers / art galleries listed in the provenance, otherwise, if the provenance only lists his cronies, it won't be believed.

The forger will NEVER do the opposite thing, i.e. take a real Picasso, and then remove its provenance and claim it to be painted by him. :)

The analogy applies to many scenarios involving data. I won't claim that it applies to all cases ... there are scenarios where the adversary might want to claim something as his own. An example would be the case of copyright disputes ... imagine two scientists bickering over who discovered something. But in most cases, the forger's goal with data is just like real life objects ... the forger wants to pass off something as what it's not ... so he needs a fake history, and that fake history must involve "honest" principals.
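As an added illustration of that guarantee (my own sketch, not the scheme or code from the FAST paper), the following Go program models a provenance chain in which each entry is signed by the principal it names and hash-linked to its predecessor. The principal names, actions and keys are made up; the point is which of the forger's moves the verifier catches and which it cannot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Entry is one link of a provenance chain: who did what, bound to the previous
// link by hash and signed by the principal it names (illustrative layout only).
type Entry struct {
	Principal, Action string
	Prev              [32]byte // digest of the previous entry (zero for the first)
	Sig               []byte   // ed25519 signature by Principal over payload()
}

// payload is the byte string each principal signs.
func (e *Entry) payload() []byte { return append([]byte(e.Principal+"\x00"+e.Action+"\x00"), e.Prev[:]...) }

// digest covers the signature too, so the next link commits to this entry as signed.
func (e *Entry) digest() [32]byte { return sha256.Sum256(append(e.payload(), e.Sig...)) }

// Append adds an entry for principal, signed with priv (an honest caller uses its own key).
func Append(chain []Entry, principal, action string, priv ed25519.PrivateKey) []Entry {
	e := Entry{Principal: principal, Action: action}
	if len(chain) > 0 {
		e.Prev = chain[len(chain)-1].digest()
	}
	e.Sig = ed25519.Sign(priv, e.payload())
	return append(chain, e)
}

// Verify accepts a chain only if every entry is validly signed under the key the
// verifier trusts for its principal and every back-link matches.
func Verify(chain []Entry, trusted map[string]ed25519.PublicKey) bool {
	var prev [32]byte
	for _, e := range chain {
		pub, ok := trusted[e.Principal]
		if !ok || e.Prev != prev || !ed25519.Verify(pub, e.payload(), e.Sig) {
			return false
		}
		prev = e.digest()
	}
	return true
}

// Scenario plays out the post's forger against the chain; see the returned flags.
func Scenario() (forgedHonest, selfOnly, truncated bool) {
	galPub, galPriv, _ := ed25519.GenerateKey(nil) // made-up honest gallery
	forPub, forPriv, _ := ed25519.GenerateKey(nil) // made-up forger
	trusted := map[string]ed25519.PublicKey{"gallery": galPub, "forger": forPub}
	fake := Append(Append(nil, "forger", "painted", forPriv), "gallery", "sold", forPriv)
	forgedHonest = Verify(fake, trusted) // false: the forger cannot sign as the gallery
	own := Append(Append(nil, "forger", "painted", forPriv), "forger", "sold", forPriv)
	selfOnly = Verify(own, trusted) // true: lying about oneself is not prevented, just unconvincing
	real := Append(Append(nil, "gallery", "acquired", galPriv), "gallery", "loaned", galPriv)
	truncated = Verify(real[:1], trusted) // true: the holder can drop the tail undetected
	return
}
```

The third flag is the caveat from the paragraph above made concrete: hash-linking plus signatures stops a forger from inserting an honest party into a history, but it does nothing against someone deleting the end of a chain they hold.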

There are tons of issues to solve in order to have secure provenance ... but I'll write more about them later.

BTW, the painting shown above is a "real" Picasso, it is the painting titled "Dora Maar au Chat" (Dora Maar with cat). It is one of the most expensive paintings in the world; it was auctioned off in 2004 for $95 million!! Now, that has got to be the costliest painting of a cat!!

3 comments:

Srikanto Bormon said...

Bill Gates and Steve Jobs have changed computer history completely. But the interesting part is who is known as the father of computers: Charles Babbage did not know that he would make an important place in history with his invention. Modern computers based on integrated circuits are millions to billions of times more capable than the early machines, and occupy a fraction of the space. Simple computers are small enough to fit into a mobile device, and a mobile computer can be powered by small batteries. Personal computers in their various forms are icons of the Information Age and are what most people think of as "computers". It was a great invention of world history.

Srikanto Bormon said...

Most pen drives use an ordinary type-A USB connection allowing plugging into a port on a personal computer, but drives for other interfaces also exist. In 1999 – 2000, pen drives were invented by Amir Ban, Dov Moran and Oron Ogdan, all of the Israeli company M-Systems. The first pen drive was manufactured in early 2000 by a company called Trek with the product Thumbkey, shortly followed by M-Systems (now SanDisk) with their DiskOnKey drive. The pen drive combines a number of older technologies, among them subordinate cost, subordinate power expenditure and tiny size made possible by advances in C.P.U. technology. In 2000, IBM and Trek Technology began selling the first USB flash drives. Starting commercially at memory levels in the kilobyte range, memory capacity skyrocketed over the next several years into the multi-gigabyte level. Nowadays the pen drive / USB flash drive is one of the most popular devices all around the world. Every computer expert or under-expert uses it for data transfer and data storage. It has made the world a very different place. Latest uses and adaptations come almost each year, and the demand is increasing with each new technology.

Geeksfix said...

Hi, your thinking is really true. There are many more issues we need to resolve, and thanks for sharing your precious comprehension with me.