23
Conformance Verification of Privacy Policies Xiang Fu Assistant Professor Department of Computer Science Hofstra University
Conformance Verification of Privacy PoliciesXiang Fu
Assistant ProfessorDepartment of Computer ScienceHofstra University
Outline•Motivation•PV Framework•Privacy Properties in Temporal Logic•Verification using Alloy•Conclusion
Introduction
Web App: Consumer and Producerof INFORMATION
Web AppSSNCredit CardMedical RecordAddressShopping Preference
Online Marketin
gEmail
Identity Collection
SSN
BusinessPartners
Shopping Habits
Privacy Verification Problem
Web App
Your SSN never be forwarde
d
CC destroyed
after transaction
Function as PROMISED?
ChallengesBusiness
Procedures
DB Ops
Servlets
Servlets
P3P Privacy Policy
Model Checker
PV Framework•Privacy Verification Framework
1. Servlet Control/Data Flow
2. Information Flow
3. Data Operations
Data Model
•Entity
•Data Item
OperatorServletDatabaseBusiness OrganizationStakeholder
Atomic Real-Being
Countable Set
CC CardSSNMed RecordTransaction IDName
Primitive Type System
Flattened Model
Example: Bookstore AppEntities
Example: Bookstore AppData Types
Actions•Know(e, d)
entity data
At any moment for any e and d, Know(e,d) is defined
Action: transition system expressed using first order on Know predicates
Example: Charge Credit Card CCcc
)(know' )(know' Bank,ccDB,cc
Free var, input variable
)(know' )(know' : },{ x,dx,dDdBANKDBx
All entities All data
)know( )(know' )know( )(know' :}{
Bank,dBank,dDB,dDB,dccDd
Modeling Privacy Policy•Typical Examples: P3P and EPAL•Defines:
▫(1) What to protect?▫(2) Who can receive it?▫(3) How long?
P3P Example
Temporal Logic for P3P•CTL-FO = CTL + First Order Quantifiers
Credit Card Info Regularly Purged from DB & is not leaked
)),know(:AF( )),know(AG( :CC dxExdDBd
for any credit card for any entities
Verification•(1) Translate from PV to Alloy•(2) Translate CTL-FO to Alloy
Predicates•(3) Verification using Alloy
Modeling World Schemamodule bookstore
//1. world schemaabstract sig Object {}abstract sig WA, Env, Data extends Object {}abstract sig Actions, Entities extends WA {}…
Web App.Set of All Data Items
Servlets
Modeling System State•Model the transition relation
sig State{ know: (WA + Env) -> Data, prev: one State, actstate: Actions -> actionStatus}{ all x: Actions | some status: actionStatus |
x -> status in actstate}
Modeling Actionpred pChargeCC[s,s’: State, d:CC]{ChargeCC->READY in s.actstate and
(s’.know = s.know + {DB->d} +
{Bank->d} &&s’.prev=s &&s’.actstate = s.actstate - ..
)}
Modeling CTL-FO Formula
pred ef[s:State, d:Data]{some s’: State | (CEO->d in s’.know)&& s in s’.*prev
}
pred fa[s:State]{all d: Data | (DB->d in s.know) => ef[s,d]
}
assert AGProperty{all s: State | fa[s]
}
Initial Experiments
State Clauses Constr. Time (ms)
Solver Time (ms)
5 431k 2203 78110 1928k 7984 626615 4504k 18782 4082820 - - -
20 Objects
Conclusion•PV Framework for Reasoning about
Privacy•Verification Paradigm using Alloy•Problems …
Future Directions•(1) Static Program Analysis •Path Transducer Model (Servlet)• Information Flow (Business Rules,
Access Right Policies)
•(2) Customized Relational Constraint Solvers
