DOI: 10.1145/2914642.2914660

PolyStream: Cryptographically Enforced Access Controls for Outsourced Data Stream Processing

Published: 06 June 2016

    Abstract

    With data becoming available in larger quantities and at higher rates, new data processing paradigms have been proposed to handle high-volume, fast-moving data. Data Stream Processing is one such paradigm wherein transient data streams flow through sets of continuous queries, only returning results when data is of interest to the querier. To avoid the large costs associated with maintaining the infrastructure required for processing these data streams, many companies will outsource their computation to third-party cloud services. This outsourcing, however, can lead to private data being accessed by parties that a data provider may not trust. The literature offers solutions to this confidentiality and access control problem but they have fallen short of providing a complete solution to these problems, due to either immense overheads or trust requirements placed on these third-party services.
    To address these issues, we have developed PolyStream, an enhancement to existing data stream management systems that enables data providers to specify attribute-based access control policies that are cryptographically enforced while simultaneously allowing many types of in-network data processing. We detail the access control models and mechanisms used by PolyStream, and describe a novel use of security punctuations that enables flexible, online policy management and key distribution. We detail how queries are submitted and executed using an unmodified Data Stream Management System, and show through an extensive evaluation that PolyStream yields a 550x performance gain versus the state-of-the-art system StreamForce in CODASPY 2014, while providing greater functionality to the querier.

      Published In

      SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
      June 2016
      248 pages
      ISBN:9781450338028
      DOI:10.1145/2914642
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 06 June 2016

      Author Tags

      1. access control
      2. data management
      3. data stream
      4. security punctuation

      Qualifiers

      • Research-article

      Conference

      SACMAT 2016
      Acceptance Rates

      SACMAT '16 Paper Acceptance Rate 18 of 55 submissions, 33%;
      Overall Acceptance Rate 177 of 597 submissions, 30%

      Cited By

      • (2021) QShield: Protecting Outsourced Cloud Data Queries With Multi-User Access Control Based on SGX. IEEE Transactions on Parallel and Distributed Systems 32:2 (485-499). DOI: 10.1109/TPDS.2020.3024880. Online publication date: 1-Feb-2021
      • (2021) Towards a Security-Aware Deployment of Data Streaming Applications in Fog Computing. Fog/Edge Computing For Security, Privacy, and Applications (355-385). DOI: 10.1007/978-3-030-57328-7_14. Online publication date: 5-Jan-2021
      • (2020) Effective Access Control in Shared-Operator Multi-tenant Data Stream Management Systems. Data and Applications Security and Privacy XXXIV (118-136). DOI: 10.1007/978-3-030-49669-2_7. Online publication date: 18-Jun-2020
      • (2019) vChain. Proceedings of the 2019 International Conference on Management of Data (141-158). DOI: 10.1145/3299869.3300083. Online publication date: 25-Jun-2019
      • (2019) Behind Enemy Lines. Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy (243-254). DOI: 10.1145/3292006.3300021. Online publication date: 13-Mar-2019
      • (2019) Shoal: Query Optimization and Operator Placement for Access Controlled Stream Processing Systems. Data and Applications Security and Privacy XXXIII (261-280). DOI: 10.1007/978-3-030-22479-0_14. Online publication date: 11-Jun-2019
      • (2017) P^2-SWAN: Real-Time Privacy Preserving Computation for IoT Ecosystems. 2017 IEEE 1st International Conference on Fog and Edge Computing (ICFEC) (1-10). DOI: 10.1109/ICFEC.2017.11. Online publication date: May-2017
      • (2016) CPPL. Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society (99-110). DOI: 10.1145/2994620.2994627. Online publication date: 24-Oct-2016
