Conformance Verification of Privacy Policies

Posted on 25-Feb-2016


Conformance Verification of Privacy Policies
Xiang Fu
Assistant Professor, Department of Computer Science, Hofstra University

Outline
• Motivation
• PV Framework
• Privacy Properties in Temporal Logic
• Verification using Alloy
• Conclusion

Introduction

Web App: Consumer and Producer of INFORMATION
• The Web App collects: SSN, Credit Card, Medical Record, Address, Shopping Preference
• Information flowing out of the Web App:
  ▫ Email → Online Marketing
  ▫ SSN → Identity Collection
  ▫ Shopping Habits → Business Partners

Privacy Verification Problem
The Web App promises:
• "Your SSN will never be forwarded"
• "CC destroyed after transaction"
Does it function as PROMISED?

Challenges
• Business Procedures
• DB Ops
• Servlets
• P3P Privacy Policy
• Model Checker

PV Framework: Privacy Verification Framework
1. Servlet Control/Data Flow
2. Information Flow
3. Data Operations

Data Model
• Entity (atomic real-being): Operator, Servlet, Database, Business Organization, Stakeholder
• Data Item (countable set): CC Card, SSN, Med Record, Transaction ID, Name
• Primitive Type System
• Flattened Model

Example: Bookstore App, Entities

Example: Bookstore App, Data Types

Actions
• Know(e, d), where e is an entity and d a data item
• At any moment, for any e and d, Know(e, d) is defined
• Action: a transition system expressed using first-order formulas over the Know predicates

Example: Charge Credit Card, with cc : CC a free variable (the input variable)

$know'(DB, cc) \wedge know'(Bank, cc)$

$\forall x \in E \setminus \{DB, Bank\},\ \forall d \in D :\ know'(x, d) \leftrightarrow know(x, d)$   (all other entities, all data)

$\forall d \in D \setminus \{cc\} :\ \big(know'(DB, d) \leftrightarrow know(DB, d)\big) \wedge \big(know'(Bank, d) \leftrightarrow know(Bank, d)\big)$

Modeling Privacy Policy
• Typical examples: P3P and EPAL
• Defines:
  ▫ (1) What to protect?
  ▫ (2) Who can receive it?
  ▫ (3) How long?

P3P Example

Temporal Logic for P3P
• CTL-FO = CTL + First-Order Quantifiers
• Credit card info is regularly purged from the DB and is not leaked:

$\forall d : CC \;.\; AG\big(know(DB, d) \rightarrow AF(\forall x : E \;.\; \neg know(x, d))\big)$

(for any credit card d, for any entity x)

Verification
• (1) Translate from PV to Alloy
• (2) Translate CTL-FO to Alloy predicates
• (3) Verification using Alloy

Modeling World Schema

module bookstore

// 1. world schema
abstract sig Object {}
abstract sig WA, Env, Data extends Object {}
abstract sig Actions, Entities extends WA {}
…

(Annotations on the slide: WA is the Web App; Data is the set of all data items; Servlets)

Modeling System State: model the transition relation

sig State {
  know: (WA + Env) -> Data,
  prev: one State,
  actstate: Actions -> actionStatus
} {
  all x: Actions | some status: actionStatus | x -> status in actstate
}

Modeling Action

pred pChargeCC[s, s': State, d: CC] {
  ChargeCC -> READY in s.actstate and
  (s'.know = s.know + DB -> d + Bank -> d &&   // Alloy has no {..} set literal; tuples are added directly
   s'.prev = s &&
   s'.actstate = s.actstate - ...)             // remainder elided on the slide
}

Modeling CTL-FO Formula

pred ef[s: State, d: Data] {
  some s': State | (CEO -> d in s'.know) && s in s'.*prev
}

pred fa[s: State] {
  all d: Data | (DB -> d in s.know) => ef[s, d]
}

assert AGProperty {
  all s: State | fa[s]
}
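The three pieces above (the ChargeCC action with its frame condition, the CTL-FO purge property, and the AG/EF predicates of the Alloy model) can be exercised on a small explicit-state model. The following is an added example, not the presentation's code and not its Alloy model: a state is the Know relation as a set of (entity, data) pairs, actions change only the facts they name and carry everything else over, and CTL operators are computed as fixpoints over the reachable graph. The entity set, the two cards, and the Purge and Leak actions are constructed assumptions. It also evaluates the EF form that the Alloy `ef` predicate encodes alongside the AF form of the slide, because on a fully interleaved model AF fails even without a leak: a path that keeps charging and purging the other card never purges d, which is a fairness issue of the model rather than a policy violation.

```python
"""Explicit-state check of a CTL-FO privacy property over the Know(e, d) relation.
Added example: not the presentation's code and not its Alloy model.  The entity
set, the card set, the Purge and Leak actions and the state space are constructed."""
from collections import deque

ENTITIES = ("DB", "Bank", "CEO")   # E, the entities (constructed)
CARDS = ("cc1", "cc2")             # D restricted to the type CC (constructed)


def know(s, e, d):
    """A state s is the Know relation: a frozenset of (entity, data) pairs."""
    return (e, d) in s


# Actions return the successor state, or None when their guard is false.
# Each one changes only the facts it names; every other Know(x, d) fact is
# carried over unchanged, which is the frame condition on the ChargeCC slide.
def charge_cc(s, cc):
    if not know(s, "DB", cc):                       # guard: card not yet held
        return s | {("DB", cc), ("Bank", cc)}       # know'(DB,cc) and know'(Bank,cc)


def purge_cc(s, cc):                                # constructed: "regularly purged"
    if know(s, "DB", cc):
        return s - {("DB", cc), ("Bank", cc)}


def leak_cc(s, cc):                                 # constructed policy violation
    if know(s, "DB", cc) and not know(s, "CEO", cc):
        return s | {("CEO", cc)}


def successors(s, actions):
    nxt = {act(s, cc) for act in actions for cc in CARDS}
    nxt.discard(None)
    return nxt or {s}          # no enabled action: stutter, so the relation stays total


def explore(init, actions):
    """Breadth-first exploration; returns {state: set of successor states}."""
    graph, todo = {}, deque([init])
    while todo:
        s = todo.popleft()
        if s not in graph:
            graph[s] = successors(s, actions)
            todo.extend(graph[s])
    return graph


# CTL operators as fixpoints over the explicit graph (each returns a state set).
def AG(graph, sat):
    """Greatest fixpoint: states from which every reachable state is in sat."""
    res = set(sat)
    while True:
        drop = {s for s in res if not graph[s] <= res}
        if not drop:
            return res
        res -= drop


def AF(graph, sat):
    """Least fixpoint: states from which every path eventually reaches sat."""
    res = set(sat)
    while True:
        add = {s for s in graph if s not in res and graph[s] <= res}
        if not add:
            return res
        res |= add


def EF(graph, sat):
    """Least fixpoint: states from which some path reaches sat."""
    res = set(sat)
    while True:
        add = {s for s in graph if s not in res and graph[s] & res}
        if not add:
            return res
        res |= add


def check_policy(actions, eventually=AF):
    """For every card d: AG( know(DB,d) -> eventually( all x:E | not know(x,d) ) ).
    Returns the cards for which the property fails from the empty initial state."""
    init = frozenset()
    graph = explore(init, actions)
    failing = []
    for d in CARDS:
        purged = {s for s in graph if not any(know(s, x, d) for x in ENTITIES)}
        holds = eventually(graph, purged)
        ok = {s for s in graph if not know(s, "DB", d) or s in holds}
        if init not in AG(graph, ok):
            failing.append(d)
    return failing


if __name__ == "__main__":
    safe = (charge_cc, purge_cc)
    leaky = (charge_cc, purge_cc, leak_cc)
    print("safe model, EF form :", check_policy(safe, EF))    # []
    print("leaky model, EF form:", check_policy(leaky, EF))   # ['cc1', 'cc2']
    print("safe model, AF form :", check_policy(safe, AF))    # ['cc1', 'cc2'] (unfair cycle)
```

The leaky model fails because CEO never forgets a card, so from any state after a leak no state where nobody knows d is reachable; that is the kind of counterexample the Alloy `check` would report against `AGProperty`. The safe model passes the EF form, and the AF failure on it shows why a liveness property over an interleaved model needs a fairness constraint (or the linear-trace encoding the `prev: one State` field imposes) before a reported violation can be trusted.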

Initial Experiments (scope: 20 Objects)

State   Clauses   Constr. Time (ms)   Solver Time (ms)
5       431k      2203                7811
10      1928k     7984                6266
15      4504k     18782               40828
20      -         -                   -

Conclusion
• PV Framework for Reasoning about Privacy
• Verification Paradigm using Alloy
• Problems …

Future Directions
• (1) Static Program Analysis
  ▫ Path Transducer Model (Servlet)
  ▫ Information Flow (Business Rules, Access Right Policies)
• (2) Customized Relational Constraint Solvers