Unified Declarative Platform for Secure Networked Information Systems

We present a unified declarative platform for specifying, implementing, and analyzing secure networked information systems. Our work builds upon techniques from logic-based trust management systems, declarative networking, and data analysis via provenance. We make the following contributions. First, we propose the Secure Network Datalog (SeNDlog) language that unifies Binder, a logic-based language for access control in distributed systems, and Network Datalog, a distributed recursive query language for declarative networks. SeNDlog enables network routing, information systems, and their security policies to be specified and implemented within a common declarative framework. Second, we extend existing distributed recursive query processing techniques to execute SeNDlog programs that incorporate authenticated communication among untrusted nodes. Third, we demonstrate that distributed network provenance can be supported naturally within our declarative framework for network security analysis and diagnostics. Finally, using a local cluster and the PlanetLab testbed, we perform a detailed performance study of a variety of secure networked systems implemented using our platform.
