6 research outputs found

    Enforcing policies with privacy guardians

    Reasoning about privacy in electronic environments populated with privacy-concerned agents that exchange personal data requires control of ownership and proving the right of possession of a piece of data. The privacy policy expressed by an individual for his personal data can be enforced by a context-aware mobile agent, called alter-ego, accompanying the personal data disclosed. We discuss the first steps towards a formal framework for expressing policies on information disclosure and their integration in the behavior specification of the alter-egos, which enables characterization of an environment manipulating personal data from the privacy perspective.

    CQE in OWL 2 QL: A "Longest Honeymoon" Approach (extended version)

    Controlled Query Evaluation (CQE) has been recently studied in the context of Semantic Web ontologies. The goal of CQE is concealing some query answers so as to prevent external users from inferring confidential information. In general, there exist multiple, mutually incomparable ways of concealing answers, and previous CQE approaches choose in advance which answers are visible and which are not. In this paper, instead, we study a dynamic CQE method, namely, we propose to alter the answer to the current query based on the evaluation of previous ones. We aim at a system that, besides being able to protect confidential data, is maximally cooperative, which intuitively means that it answers affirmatively to as many queries as possible; it achieves this goal by delaying answer modifications as much as possible. We also show that the behavior we get cannot be intensionally simulated through a static approach, independent of query history. Interestingly, for OWL 2 QL ontologies and policy expressed through denials, query evaluation under our semantics is first-order rewritable, and thus in AC0 in data complexity. This paves the way for the development of practical algorithms, which we also preliminarily discuss in the paper. Comment: This paper is the extended version of "P.Bonatti, G.Cima, D.Lembo, L.Marconi, R.Rosati, L.Sauro, and D.F.Savo. Controlled query evaluation in OWL 2 QL: A "Longest Honeymoon" approach" accepted for publication at ISWC 202

    Secrecy Logic: Protoalgebraic S-Secrecy Logics

    In recent work the notion of a secrecy logic S over a given deductive system S was introduced. Secrecy logics capture the essential features of structures that are used in performing secrecy-preserving reasoning in practical applications. More precisely, they model knowledge bases that consist of information, part of which is considered known to the user and part of which is to remain secret from the user. S-secrecy structures serve as the models of secrecy logics. Several of the universal algebraic and model theoretic properties of the class of S-secrecy structures of a given S-secrecy logic have already been studied. In this paper, our goal is to show how techniques from the theory of abstract algebraic logic may be used to analyze the structure of a secrecy logic and draw conclusions about its algebraic character. In particular, the notion of a protoalgebraic S-secrecy logic is introduced and several characterizing properties are provided. The relationship between protoalgebraic S-secrecy logics and the protoalgebraicity of their underlying deductive systems is also investigated.

    Topics in Knowledge Bases: Epistemic Ontologies and Secrecy-preserving Reasoning

    Applications of ontologies/knowledge bases (KBs) in many domains (healthcare, national security, intelligence) have become increasingly important. In this dissertation, we focus on developing techniques for answering queries posed to KBs under the open world assumption (OWA). In the first part of this dissertation, we study the problem of query answering in KBs that contain epistemic information, i.e., knowledge of different experts. We study ALCKm, which extends the description logic ALC by adding modal operators of the basic multi-modal logic Km. We develop a sound and complete tableau algorithm for answering ALCKm queries w.r.t. an ALCKm knowledge base with an acyclic TBox. We then consider answering ALCKm queries w.r.t. an ALCKm knowledge base in which the epistemic operators correspond to those of classical multi-modal logic S4m and provide a sound and complete tableau algorithm. Both algorithms can be implemented in PSpace. In the second part, we study problems that allow autonomous entities or organizations (collectively called querying agents) to be able to selectively share information. In this scenario, the KB must make sure its answers are informative but do not disclose sensitive information. Most of the work in this area has focused on access control mechanisms that prohibit access to sensitive information (secrets). However, such an approach can be too restrictive in that it prohibits the use of sensitive information in answering queries against knowledge bases even when it is possible to do so without compromising secrets. We investigate techniques for secrecy-preserving query answering (SPQA) against KBs under the OWA. 
We consider two scenarios of increasing difficulty: (a) a KB queried by a single agent; and (b) a KB queried by multiple agents where the secrecy policies can differ across the different agents and the agents can selectively communicate the answers that they receive from the KB with each other subject to the applicable answer sharing policies. We consider classes of KBs that are of interest from the standpoint of practical applications (e.g., description logics and Horn KBs). Given a KB and secrets that need to be protected against the querying agent(s), the SPQA problem aims at designing a secrecy-preserving reasoner that answers queries without compromising secrecy under OWA. Whenever truthfully answering a query risks compromising secrets, the reasoner is allowed to hide the answer to the query by feigning ignorance, i.e., answering the query as Unknown. Under the OWA, the querying agent is not able to infer whether an Unknown answer to a query is obtained because of the incomplete information in the KB or because a secrecy protection mechanism is being applied. In each scenario, we provide a general framework for the problem. In the single-agent case, we apply the general framework to the description logic EL and provide algorithms for answering queries as informatively as possible without compromising secrecy. In the multiagent case, we extend the general framework for the single-agent case. To model the communication between querying agents, we use a communication graph, a directed acyclic graph (DAG) with self-loops, where each node represents an agent and each edge represents the possibility of information sharing in the direction of the edge. We discuss the relationship between secrecy-preserving reasoners and envelopes (used to protect secrets) and present a special case of the communication graph that helps construct tight envelopes in the sense that removing any information from them will leave some secrets vulnerable. To illustrate our general idea of constructing envelopes, Horn KBs are considered.

    A framework for inference control in incomplete logic databases

    Security in information systems aims at various, possibly conflicting goals, two of which are availability and confidentiality. On the one hand, as much information as possible should be provided to the user. On the other hand, certain information may be confidential and must not be disclosed. In this context, inferences are a major problem: the user might combine a priori knowledge and public information gained from the answers in order to infer secret information. Controlled Query Evaluation (CQE) is a dynamic, policy-driven mechanism for the enforcement of confidentiality in information systems, namely by the distortion of certain answers, by means of either lying or refusal. CQE prevents harmful inferences, and tries to provide the best possible availability while still preserving confidentiality. In this thesis, we present a framework for Controlled Query Evaluation in incomplete logic databases. In the first part of the thesis, we consider CQE from a declarative point of view. We present three different types of confidentiality policy languages with different simplicity and expressibility – propositional potential secrets, confidentiality targets, and epistemic potential secrets – and show how they relate to each other. We also give a formal, declarative definition of the requirements for a method protecting these types of policies. As it turns out, epistemic potential secrets are the most expressive policies of the three types studied, so we concentrate on these policies in the second part of the thesis. In that second part, we show how to operationally enforce confidentiality policies based on epistemic potential secrets. We first present an abstract framework in which two parameters are left open: 1. Does the user know the elements of the confidentiality policy? 2. Do we allow only refusal, only lying, or both distortion methods? For five of the six resulting cases, we present instantiations of the framework and prove the confidentiality according to the declarative definition from the first part of the thesis. For the remaining case (combined lying and refusal under unknown policies), we show that no suitable enforcement method can be constructed using the naive heuristics. Finally, we compare the enforcement methods to those constructed for complete databases in earlier work, and we discuss the properties of our algorithms when relaxing the assumptions about the user's computational abilities.

    Inference-proof materialized views

    Nowadays, publishing of data is ubiquitous, but usually only permitted when complying with a confidentiality policy to respect privacy or other secrecy concerns. To this end, this thesis proposes an approach to weaken an original database instance to a weakened view on this instance. This view is inference-proof in the sense of "Controlled Interaction Execution" and hence provably does not enable an adversary to infer confidential knowledge – even if this adversary tries to deduce confidential knowledge on the basis of a released weakened view, his general awareness of the protection mechanism and some a priori knowledge he might possibly have about the original database instance or the world in general. To achieve this goal within a logic-oriented modeling, all pieces of definite knowledge that compromise an element of a confidentiality policy are (whenever possible) replaced by weaker but true disjunctions of policy elements. Although this disjunctive knowledge deliberately introduces uncertainty about confidential knowledge, it still provides more information about the original database instance than complete refusals of confidential knowledge. To further guarantee that all of these weakening disjunctions are – with respect to a considered application scenario – both credible in terms of confidentiality and meaningful in terms of availability, a criterion specifying which policy elements might possibly be grouped together into an admissible weakening disjunction can be defined. This approach is first developed in a generic way in the sense that non-trivial disjunctions of any length ≥ 2 might be employed and the achieved level of confidentiality varies with the length of disjunctions. Thereby, all knowledge is modeled within a restricted but expressive subclass of first-order logic, which allows for efficient decisions on the validity of implication relationships without general theorem proving. Afterwards, an availability-maximizing instantiation of this generic approach is presented, which aims at constructing disjunctions of length 2 efficiently on the basis of graph clustering, and is then also extended to handle an adversary's a priori knowledge in the form of a restricted subclass of well-known "Tuple Generating Dependencies" without losing its inference-proofness or efficiency. To demonstrate the practical efficiency of this (extended) availability-maximizing approach, a prototype implementation is developed and evaluated under different experiment setups. Thereby, disjunctions are constructed on the basis of an admissibility criterion, which (locally) maximizes availability within a disjunction in the sense that both of its disjuncts differ in only one constant parameter and thereby generalizes this constant parameter to a wider set of possible values.