F. Li 05/15/06

Security & Privacy Preserved Information Brokerage System

Fengjun Li
[email protected]
College of IST, Penn State University

1. Introduction
2. Information Brokerage Systems
3. Security-preserved mechanism
4. Privacy-preserved mechanism
5. Conclusion and Q&A

Introduction

– Universal Connectivity
– content/location discovery
– security & privacy risks
– poor usability
– … …

Information Brokerage System

– Data sources are connected with the help of brokers
– Users send queries to a local broker, which helps route them to the targeted data sources

[Figure: many users attached to brokers, which connect them to the data sources]

Security & privacy?

Security Enforcement – from the perspective of performance

– Access Control
– Traditional AC enforcement and IBS architecture
– Any other choice?

[Figure: brokerage system in which each DBMS enforces its own Access Control (AC) behind the brokers]

If we could drag the AC out of DBMS …

[Figure: the Access Control (AC) component moved out of the DBMS and placed in front of it, between the brokers and the DBMS]

Or further …

[Figure: the AC component merged into each broker (Broker+AC), so the DBMS receives only pre-filtered queries]

Why dragging security check out of DBMS and pushing it to the brokers?

– A performance based reason

[Figure: three placements of the access-control check for a query Q, labelled with per-stage times: tn1, tn2 and tn3 on the network links, ti next to the Indexer, tf next to Access Control (which turns Q into the rewritten query Q'), and tp next to the DBMS; the broker forwards (Q, Addr) or (Q', Addr) to the DBMS at Addr]

Preliminary

– XML Access Control Model
  • Role-based Access Control
  • 5-tuple access control rules (ACR)

    ACR = {subject, object, action, sign, type}

– QFilter: enforcing AC via query rewriting
  • Using Non-deterministic Finite Automata (NFA) to hold ACR
  • Query either rejected or accepted (with or without rewriting)

QFilter Example

R1: {"/site/people", 192.168.0.2}
R2: {"//africa/items", 192.168.0.15}
R3: {"//asia/items", 192.168.0.16}

[Figure: QFilter NFA with states 0–11 over the element names site, categories, regions, item, location, quantity, name and description, using ε and * (wildcard) transitions]

Our Approach

– Merge the QFilters of several roles into one integrated Multi-Role QFilter
  • A naïve approach – QFilter Array
– Use a similar NFA-based mechanism to represent the routing information (called index rules)
– Merge the index rules into the Multi-Role QFilter for further performance improvement

An Example of Multi-Role QFilter

Rule 1: {role1, "/site/people/person", read, +, RC}
Rule 2: {role2, "/site/people/person/name", read, +, RC}

[Figure: the QFilter of Role 1 (states 0–3: site, people, person), the QFilter of Role 2 (states 0–4: site, people, person, name) and the Merged automaton (states 0–4), each state annotated with a per-role Access List and Accept List bit vector (values 11, 00, 01 and 10 appear)]

An Example of Index Rules

R1: {"/site/people", 192.168.0.2}
R2: {"//africa/items", 192.168.0.15}
R3: {"//asia/items", 192.168.0.16}

[Figure: index NFA: 0 –site→ 1 –people→ 2 (192.168.0.2); 0 –ε→ 3, where 3 loops on *, 3 –africa→ 4 –items→ 5 (192.168.0.15) and 3 –asia→ 6 –items→ 7 (192.168.0.16)]

An Example of Indexed Multi-Role QFilter – Merging index rules into Multi-Role QFilter

[Figure: four panels over the same NFA (states 0–11; element names site, categories, regions, item, location, quantity, name, description; ε and * transitions) with data-source addresses 192.168.0.102 and 192.168.0.11–192.168.0.14 attached to states: (a) The accept case. (b) The reject case (marked X). (c) Filtering process. (d) Traversing process.]
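As an added example (not code from the talk), the following Python sketch implements the idea behind the Indexed Multi-Role QFilter: the ACRs of several roles and the index rules are threaded into one NFA whose shared prefixes are merged, each state records which roles it grants (the per-role accept bits) and which data-source addresses the index rules attach to it, and a single traversal of a query path yields both the access decision and the routing addresses. It uses Rule 1, Rule 2 and R1–R3 from the slides; the third role (role3, granted /site/regions) is a constructed addition so that a routed query through an index rule can also be authorized. Only positive read rules of type RC (subtree) and LC (single node) are handled, queries use child steps only, and the rewriting outcome of QFilter is not implemented.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Rule paths accept child steps ('/'), descendant steps ('//') and the
# wildcard '*'.  STEP splits "/site//africa/items" into (sep, name) pairs.
STEP = re.compile(r"(//?)([^/]+)")


def parse_path(path):
    """'/site/people' -> [('/', 'site'), ('/', 'people')]; '//' marks a descendant step."""
    steps = STEP.findall(path)
    if not path.startswith("/") or "".join(s + n for s, n in steps) != path:
        raise ValueError(f"unsupported path: {path!r}")
    return steps


@dataclass
class State:
    trans: dict = field(default_factory=dict)   # element name or '*' -> set of next states
    eps: set = field(default_factory=set)       # epsilon moves (used for '//')
    desc: Optional[int] = None                  # the '//' loop state hanging off this state
    rc: set = field(default_factory=set)        # roles granted here and for the whole subtree (RC)
    lc: set = field(default_factory=set)        # roles granted for exactly this node (LC)
    addrs: set = field(default_factory=set)     # data-source addresses from index rules


class IndexedMultiRoleQFilter:
    def __init__(self):
        self.states = [State()]                  # state 0 is the start state

    def _new(self):
        self.states.append(State())
        return len(self.states) - 1

    def _child(self, cur, name):
        """Follow or create a child transition; reusing shared prefixes is the merge step."""
        targets = self.states[cur].trans.setdefault(name, set())
        reusable = [t for t in targets if t != cur]   # never reuse a '*' self-loop
        if reusable:
            return reusable[0]
        nxt = self._new()
        targets.add(nxt)
        return nxt

    def _thread(self, path):
        """Thread a rule path through the NFA and return its final state."""
        cur = 0
        for sep, name in parse_path(path):
            if sep == "//":                      # descendant: epsilon into a state that loops on '*'
                if self.states[cur].desc is None:
                    loop = self._new()
                    self.states[loop].trans["*"] = {loop}
                    self.states[cur].eps.add(loop)
                    self.states[cur].desc = loop
                cur = self.states[cur].desc
            cur = self._child(cur, name)
        return cur

    def add_acr(self, subject, obj, action, sign, rtype):
        """ACR = {subject, object, action, sign, type}; only '+' read rules of type RC/LC here."""
        if action != "read" or sign != "+" or rtype not in ("RC", "LC"):
            raise NotImplementedError("this example only handles positive read rules of type RC/LC")
        end = self._thread(obj)
        (self.states[end].rc if rtype == "RC" else self.states[end].lc).add(subject)

    def add_index_rule(self, obj, addr):
        self.states[self._thread(obj)].addrs.add(addr)

    def _closure(self, ids):
        seen, stack = set(ids), list(ids)
        while stack:
            for e in self.states[stack.pop()].eps:
                if e not in seen:
                    seen.add(e)
                    stack.append(e)
        return seen

    def evaluate(self, query, role):
        """Return ('accept', sorted addresses) or ('reject', []) for a child-step-only query."""
        active, granted, addrs = self._closure({0}), False, set()
        for sep, name in parse_path(query):
            if sep == "//":
                raise ValueError("queries with '//' are not handled in this example")
            nxt = set()
            for s in active:
                nxt |= self.states[s].trans.get(name, set())
                nxt |= self.states[s].trans.get("*", set())
            active = self._closure(nxt)
            if not active:
                return "reject", []              # no rule covers this path at all
            granted |= any(role in self.states[s].rc for s in active)   # RC: subtree already granted
            addrs |= set().union(*(self.states[s].addrs for s in active))
        granted |= any(role in self.states[s].lc for s in active)       # LC: only the final node
        return ("accept", sorted(addrs)) if granted else ("reject", [])


def build_slide_example():
    """Rule 1, Rule 2 and R1-R3 from the slides, plus a constructed rule for role3."""
    qf = IndexedMultiRoleQFilter()
    qf.add_acr("role1", "/site/people/person", "read", "+", "RC")
    qf.add_acr("role2", "/site/people/person/name", "read", "+", "RC")
    qf.add_acr("role3", "/site/regions", "read", "+", "RC")      # constructed, not on the slides
    qf.add_index_rule("/site/people", "192.168.0.2")
    qf.add_index_rule("//africa/items", "192.168.0.15")
    qf.add_index_rule("//asia/items", "192.168.0.16")
    return qf


if __name__ == "__main__":
    qf = build_slide_example()
    for q, role in [("/site/people/person/name", "role1"), ("/site/people/person", "role2"),
                    ("/site/regions/africa/items", "role3"), ("/site/people", "role1")]:
        print(role, q, "->", qf.evaluate(q, role))
```

A query for role2 on /site/people/person is rejected because only role1's bit is set at the person state, while /site/people/person/name is accepted for both roles since role1's RC rule covers the whole subtree; /site/people for role1 ends above the granted node and is rejected here, which is exactly the case the real QFilter resolves by rewriting the query. The routing addresses are collected while traversing, so one pass over the merged automaton replaces the separate Indexer and per-role QFilter passes of the earlier timing diagram.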

Why dragging security check out of DBMS and pushing it to the brokers?

– Previous example re-visited

[Figure: the timing diagram repeated for three broker designs: an Indexer followed by one QFilter per role, an Indexer followed by a single Multi-Role QFilter, and one Indexed Multi-Role QFilter that replaces the Indexer; in each, the broker sends (Q', Addr) to the DBMS, with tn1, tn2, tn3, ti, tf and tp as before]

Performance Metrics 1 – Memory Consumption

Performance Metrics 2 – In-broker Query Response Time & Overall Query Response Time

Performance Metrics 3 – Network Traffic
– Save 87.5% (by analysis)

Privacy Preserving Mechanism

– Possible privacy breaches:
  • Privacy of the query location
  • Privacy of the query content
  • Privacy of the access control rule
  • Privacy of the data location
  • Privacy of the data content

Information Brokerage System

– New architecture

[Figure: a Coordinator Network of numbered coordinators (1–10) forming a Super Site; users attach to Brokers, brokers hand queries to Coordinators, and coordinators connect to the Data Sources. Legend: Super Site, Broker, Coordinator, Data Source, User]

Trust Relationship

Privacy         | User               | Broker | Coordinator       | Data Server
Query Location  | -                  | Trust  | Trust             | Hide
Query Content   | -                  | Hide   | Trust (Partially) | Trust
ACR             | Hide               | Hide   | Trust (Partially) | Trust (for double-checking)
Data Location   | Hide               | Hide   | Hide (Partially)  | -
Data Content    | With authorization | Hide   | Hide              | -