Declarative secure distributed information systems

Published: 01 April 2013

Abstract

    We present a unified declarative platform for specifying, implementing, and analyzing secure networked information systems. Our work builds upon techniques from logic-based trust management systems and declarative networking. We make the following contributions. First, we propose the Secure Network Datalog (SeNDlog) language that unifies Binder, a logic-based language for access control in distributed systems, and Network Datalog, a distributed recursive query language for declarative networks. SeNDlog enables network routing, information systems, and their security policies to be specified and implemented within a common declarative framework. Second, we extend existing distributed recursive query processing techniques to execute SeNDlog programs that incorporate secure communication via authentication and encryption among untrusted nodes. Third, we demonstrate the use of user-defined cryptographic functions for customizing the authentication and encryption mechanisms used for securing protocols. Finally, using a local cluster and the PlanetLab testbed, we perform a detailed performance study of a variety of secure networked systems implemented using our platform.

      Published In

      Computer Languages, Systems and Structures  Volume 39, Issue 1
      April, 2013
      48 pages

      Publisher

      Elsevier Science Publishers B. V.

      Netherlands

      Author Tags

      1. Declarative networking
      2. Distributed trust management
      3. Secure distributed information systems
      4. Secure query processing

      Qualifiers

      • Article
