Sunday, March 08, 2009

On Secure Provenance and the logic behind the threat model

In our USENIX FAST 2009 paper (the "Picasso" paper), we discussed a scheme for providing integrity and confidentiality assurances to provenance of files. While this is a good first step towards securing provenance, I think there are many more issues we need to resolve.

These days, I see many security-related papers advocating this or that scheme to secure objects. However, I really don't buy anything that claims to solve problems by having access control or policies. Here is why: access control works fine if the system is centralized, or the sysadmin of the system is incorruptible. However, when you have a distributed system with no control over other principals or their systems, OR when even sysadmins may become attackers, there is no guarantee that access control constraints will be honored.

So, in the "REAL World", we can't claim to have a system that will prevent attacks from happening. With enough money, even trusted hardware devices can be breached (my co-advisor Radu Sion likes to stress this point ... nothing is invincible). So, what can we do? We can't prevent someone from lying about themselves, or from deleting / changing things in their possession. What we CAN do is to prevent people from lying about others (i.e. "honest" others). This is exactly the guarantee we provide in our Secure Provenance work ... we prevent people from undetectably "inventing" history involving other honest people.

To give a real life analogy, suppose a forger has painted a fake Picasso painting. The forger benefits here by taking his fake Picasso, and then inventing a fake history / provenance record involving his painting. He must have some honest buyers / art galleries listed in the provenance, otherwise, if the provenance only lists his cronies, it won't be believed.

The forger will NEVER do the opposite thing, i.e. take a real Picasso, and then remove its provenance and claim it to be painted by him. :)

The analogy applies to many scenarios involving data. I won't claim that it applies to all cases ... there are scenarios where the adversary might want to claim something as his own. An example would be the case of copyright disputes ... imagine two scientists bickering over who discovered something. But in most cases, the forger's goal with data is just like real life objects ... the forger wants to pass off something as what it's not ... so he needs a fake history, and that fake history must involve "honest" principals.
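The guarantee described above, as an added sketch that is not the scheme from the FAST 2009 paper: each provenance entry is authenticated by its principal over its own content and the previous entry's tag. HMAC with per-principal keys stands in for digital signatures here, so the auditor is assumed to hold every key; the principal names, keys and the `append`/`audit` helpers are hypothetical.

```python
import hashlib, hmac, json

# Constructed per-principal keys. HMAC stands in for the digital signatures a
# real scheme would use, so the auditor here is assumed to hold every key.
KEYS = {"gallery": b"gallery-key", "buyer": b"buyer-key", "forger": b"forger-key"}

def _tag(key, prev_tag, principal, action):
    # Bind the entry to its author, its content, and all history before it.
    msg = json.dumps([prev_tag, principal, action]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(chain, principal, action, key):
    """Append an entry authenticated with `key` (honestly, the principal's own)."""
    prev = chain[-1]["tag"] if chain else ""
    return chain + [{"principal": principal, "action": action,
                     "tag": _tag(key, prev, principal, action)}]

def audit(chain, keys=KEYS):
    """Return (ok, index of the first entry that fails, or None)."""
    prev = ""
    for i, e in enumerate(chain):
        key = keys.get(e["principal"])
        if key is None:
            return False, i
        expected = _tag(key, prev, e["principal"], e["action"])
        if not hmac.compare_digest(expected, e["tag"]):
            return False, i
        prev = e["tag"]
    return True, None

def demo():
    # The forger lies about himself: nothing stops this, and the chain verifies.
    own = append([], "forger", "painted 'Picasso'", KEYS["forger"])
    # The forger invents history naming the honest gallery, holding only his own key.
    fake = append(own, "gallery", "exhibited painting", KEYS["forger"])
    # Genuine history: the gallery and the buyer each use their own key.
    real = append(own, "gallery", "exhibited painting", KEYS["gallery"])
    real = append(real, "buyer", "purchased", KEYS["buyer"])
    # The forger rewrites the gallery's entry in a chain he possesses.
    edited = [dict(e) for e in real]
    edited[1]["action"] = "certified as authentic"
    return {"own": audit(own), "fake": audit(fake),
            "real": audit(real), "edited": audit(edited)}
```

The chain listing only the forger passes the audit, which matches the post's point: the scheme does not stop him from lying about himself, it only makes any entry attributed to an honest principal checkable.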

There are tons of issues to solve in order to have secure provenance ... but I'll write more about them later.

BTW, the painting shown above is a "real" Picasso, it is the painting titled "Dora Maar au Chat" (Dora Maar with cat). It is one of the most expensive paintings in the world; it was auctioned off in 2004 for $95 million!! Now, that has got to be the costliest painting of a cat!!

11 comments:

Unknown said...

Bill Gates and Steve Jobs have changed Computer history completely. But the interesting part is who is known as father of computers - Charles Babbage did not know that he would make an important place in history with his invention. Modern computers based on integrated circuits are millions to billions of times more capable than the early machines, and occupy a fraction of the space. Simple computers are small enough to fit into mobile device, and mobile computer can be powered by small batteries. Personal computers in their various forms are icon of the Information Age and are what most people think of as "computers". It was a great invention of world history.

Geeksfix said...

Hi, Your think is really true. There are many more issues we need to resolve & Thanks for sharing your precious comprehension with me.

mikon said...

Picasso was the real hero in the pattern of painting who gave you the new way of life. You can see more data for this purpose of painting and get the statement of purpose for engineering management in your life.

Mark Snodown said...

This is one of the most eminent work in the field of computer sciences as it casts light over the security of the data in the contemporary times and also illustrates security needs and resolutions which makes the work too knowledgeable and compulsive for the reader. http://www.fellowshippersonalstatement.com/neonatology-fellowship-personal-statement/

Anonymous said...

You have done a great job. Thank you for this great post. Here you share On Secure Provenance and the logic behind the threat model this is really a great title selected by you. Here are some useful link visit this.

Christopher Blevins said...

You've got accomplished a terrific employment. Thanks a lot just for this wonderful article. Below anyone talks about In Risk-free Provenance plus the judgment guiding your hazard style this specific is usually a wonderful concept decided on by simply anyone. Here are several http://www.motivationletterwriting.com/ pay a visit to this specific.

Anonymous said...

Interesting blog. The dedication towards your project is what you must have in future. The goal you set is all about your interest and hardwork so never give up in the life. http://www.personalstatementeditors.com/hire-a-dedicated-personal-statement-editor/

good service said...

This is something great services which must be taken as help. Writing dissertation is different task so now you can hire a person for this project. This writing should be best or like professionals.

JanetPrince said...

Computer programming are always on threat as the hackers or technical issues are many. The most important thing is your writing you should be very careful about it.
http://www.cspersonalstatements.com/pulmonary-critical-care-fellowship-personal-statement-writing-tips/

Christopher Blevins said...

This really is some thing excellent here providers that should be used because assist. Composing dissertation differs job therefore you can now employ an individual with this task. This particular composing ought to be greatest or even such as experts.

RobertKY said...

Interesting. over at this website i have see terrific information about the Picasso. Your research is quite authentic and easy to understand. Thanks for sharing valuable material with us.