In this chapter, we have discussed our proposed method to protect the integrity of the provenance against the inconsistent claims and interpretations attacks. Our method combines hashing and a signature chain, and also employs a Trusted Counter Server (TCS), so that a malicious attacker cannot easily change the provenance (to mount the inconsistent claims and interpretations attacks) without being detected. We also performed real experiments to measure the performance and show the feasibility of our method.
An Access Control Model for the Provenance Recording System
4.1 Introduction
Provenance is documentation that describes the processes used to produce data.
The provenance is recorded in the form of assertions created by the process executors. The parties who have access to the provenance assertions may infer some information about the data. If the data is sensitive, the provenance of the data may also be sensitive. But it is also possible that the data is sensitive while the provenance is not, or vice versa.
For example, in the case of a letter of recommendation for application to universities, the data is sensitive while the provenance is not: the student who is recommended in the letter knows who wrote the letter of recommendation, but the student is not allowed to open the envelope and read the letter [44]. In an employee's performance review, the provenance is sensitive while the data is not: employees are encouraged to read the data produced by the review process, but they are usually not told who had input in writing it.
To restrict access to sensitive provenance, the provenance system should implement an access control mechanism. A simple approach to implementing access control is to create a program that checks access by any party to each provenance assertion and defines a policy for each combination of party and assertion. The access control program should store all information and access definitions about each assertion and the relationships between assertions. Using this method, we can implement almost all policies. However, because there is no structure to the access, the administrator should decide the access policy manually for each provenance assertion. It means that the security administrator should analyze the policy for all combinations of the parties who need to access the provenance (i.e., the auditors) and the provenance assertions, and define the policy for all combinations. For a large number of parties and provenance assertions, the policy also needs a large data space to store.
Access control models normally provide frameworks that help the administrator to define the access control policy consistently. A consistent policy means that a common rule applies to all policies defined in the system. For example, in Role Based Access Control (RBAC), each user is assigned to roles [112], and groups of access rights are assigned to permissions.
Access policies are mappings from roles to permissions. The access control model can also include a security model to decide the policy. For example, in the Bell-LaPadula model, users at a lower security level cannot access objects at a higher security level.
The main principle that the access control policy should follow is the minimum access principle: access is granted only to a party that really needs it to do his/her job, and access that is not related to his/her job is denied.
4.1.1 The Problem of Access Control to the Provenance
The main purpose of an access control system is to restrict access by the auditors to the provenance. Access control to the provenance has different characteristics from access control to regular data.
In the provenance, the basic information is the assertion about the process and origin of the data. When an auditor accesses the provenance, he/she may access information about the process used to produce the data, the process executor, and also references to the origin/source of the data. This information may be sensitive because it describes the process used to produce sensitive data, or because the sources of the data are sensitive. So, the access control system for the provenance should be able to restrict access by considering the sensitivity of information about the process and the origin/source of the data.
When an auditor needs to check the processes that led to a data object, ideally, for full traceability, the auditor needs access to the process and all direct/indirect origins. The access control system should be able to decide whether the auditor is granted the right to trace all of the origins/sources of the data. It is possible that the access control policy states that parts of them are sensitive for a specific auditor. So, the access control system for the provenance should be able to define the policies and implement access control to the provenance by considering the direct and indirect relationships among the provenance assertions.
4.1.2 Contributions
In this chapter, we propose a method to implement an access control system for the provenance that considers the sensitivity of information about the process and the origin/source of the data, and also whether the auditor is allowed to access all direct/indirect relationships. We define an access right we call TRACE: rather than controlling access to each provenance assertion individually, we control access collectively to the assertion that describes a data object together with all assertions that describe the origins of that data object. We combine TRACE with the multi-label method for efficient access control definition, to support finer granularity of access restrictions. We propose an implementation using a trusted reference monitor and also an alternative implementation using encryption.
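To make the TRACE right concrete, the following Python illustration is added here; it is a constructed example, not the thesis's own implementation or data. It models the provenance as assertions keyed by the data object they describe, each carrying an assumed set of sensitivity labels, and uses an assumed multi-label rule under which an auditor may read an assertion only if he/she holds every label attached to it. `trace()` grants the TRACE right only when the assertion for the requested data object and every direct and indirect origin are readable; otherwise it denies the whole request, so a partially readable lineage does not disclose its readable part. `read_assertion()` is the per-assertion granularity of Section 4.1 for comparison: an auditor who can read the top-level assertion on its own may still be denied TRACE because of a sensitive indirect origin.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Assertion:
    """One provenance assertion: who ran which process to produce a data object, from which sources."""
    data_id: str                 # the data object this assertion describes
    process: str
    executor: str
    origins: Tuple[str, ...]     # data ids of the direct origins/sources
    labels: FrozenSet[str]       # assumed sensitivity labels an auditor must hold to read it


# Constructed provenance store (a DAG keyed by data id); illustrative, not real data.
PROVENANCE: Dict[str, Assertion] = {
    "report": Assertion("report", "summarize", "alice", ("stats", "draft"), frozenset()),
    "draft":  Assertion("draft", "write", "carol", (), frozenset()),
    "stats":  Assertion("stats", "aggregate", "bob", ("raw",), frozenset({"internal"})),
    "raw":    Assertion("raw", "collect", "dave", (), frozenset({"internal", "pii"})),
}


def read_assertion(store: Dict[str, Assertion], auditor_labels: FrozenSet[str], data_id: str) -> bool:
    """Per-assertion check: the auditor must hold every label on that single assertion."""
    return store[data_id].labels <= auditor_labels


def origins_closure(store: Dict[str, Assertion], data_id: str) -> List[str]:
    """data_id plus every direct and indirect origin, in visit order; tolerates cycles."""
    seen: List[str] = []
    stack = [data_id]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.append(cur)
        stack.extend(store[cur].origins)
    return seen


def trace(store: Dict[str, Assertion], auditor_labels: FrozenSet[str],
          data_id: str) -> Tuple[bool, List[str], List[str]]:
    """TRACE right: all-or-nothing over the data object's assertion and its transitive origins.

    Returns (granted, visible_ids, blocking_ids). On denial visible_ids is empty;
    blocking_ids is meant for the reference monitor's own log, not for the requester,
    since even the identities of sensitive origins may be sensitive.
    """
    closure = origins_closure(store, data_id)
    blocking = [d for d in closure if not read_assertion(store, auditor_labels, d)]
    if blocking:
        return False, [], blocking
    return True, closure, []


def main() -> None:
    auditors = [("external auditor", frozenset()),
                ("internal auditor", frozenset({"internal"})),
                ("privacy auditor", frozenset({"internal", "pii"}))]
    for who, labels in auditors:
        granted, visible, blocking = trace(PROVENANCE, labels, "report")
        if granted:
            print(f"{who}: TRACE report granted, lineage {visible}")
        else:
            print(f"{who}: TRACE report denied (monitor log: blocked by {blocking})")


if __name__ == "__main__":
    main()
```

The external auditor can read the `report` assertion by itself, yet TRACE on `report` is denied because `stats` and `raw` sit in its indirect lineage; only the auditor holding both assumed labels obtains the full trace. A reference monitor would make this decision on the server side, so that the deciding walk over the origins never leaves the trusted component.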