Towards a Theory of Accountability and Audit

Radha Jagadeesan1,*, Alan Jeffrey2, Corin Pitcher1, and James Riely1,*

1 School of Computing, DePaul University

2 Bell Labs, Alcatel-Lucent

Abstract. Accountability mechanisms, which rely on after-the-fact verification, are an attractive means to enforce authorization policies. In this paper, we describe an operational model of accountability-based distributed systems. We describe analyses which support both the design of accountability systems and the validation of auditors for finitary accountability systems. Our study provides formal foundations to explore the tradeoffs underlying the design of accountability systems including: the power of the auditor, the efficiency of the audit protocol, the requirements placed on the agents, and the requirements placed on the communication infrastructure.

1 Introduction

The context of our paper is authorization in distributed systems. The attackers that we consider are untrustworthy principals running arbitrary programs on the network. Attackers may not respect the designed use of a system. For example, an attacker may create authorization objects without actually having the rights to create them, aiming to subvert the global authorization policy. Traditionally, authorization policies are enforced by controls imposed before resources are accessed.

Recently, there has been great interest in accountability mechanisms that rely on after-the-fact verification (Weitzner et al. 2007). In this approach, audit logs record vital systems information and an auditor uses these logs to identify dishonest principals and to assign blame when there has been a violation of security policy. The fear of being "caught" helps to achieve security by deterrence, in the spirit of traditional law enforcement and organizational security. Accountability also plays a crucial role in the development of trust during human interaction (Friedman and Grudin 1998). Thus accountability is viewed both as a tool to achieve practical security (Lampson 2004) and as a first-class design goal of services in federated distributed systems (Yumerefendi and Chase 2005).

While designing for accountability is subtle in general (Eriksén 2002), mechanisms to instrument systems to support accountability have been explored in several specific applications: dependable distributed systems (Haeberlen et al. 2007), network storage (Yumerefendi and Chase 2007), verification of quality of service in networks (Argyraki et al. 2007), internet protocols (Laskowski and Chuang 2006) and policy enforcement on shared documents (Etalle and Winsborough 2007).

In comparison to known approaches such as access control, however, the accountability approach to security lacks general foundations for modular analysis.

* Supported by NSF Career 0347542.

M. Backes and P. Ning (Eds.): ESORICS 2009, LNCS 5789, pp. 152–167, 2009. © Springer-Verlag Berlin Heidelberg 2009

Citing a small sample of references, access control has (a) operational models in the form of automata (Schneider 2000), with associated algebraic models based on regular expressions (Abadi et al. 2005); (b) logic-based declarative approaches in a fragment of many-sorted first-order predicate logic (Halpern and Weissman 2003; Li and Mitchell 2003); and (c) static analysis to validate the access-control properties of interfaces, e.g. types for authorization (Fournet et al. 2005; Cirillo et al. 2008).

In this paper we make two contributions toward bringing such formal foundations to the study of accountability. First, we describe an operational model of accountability-based systems. Honest and dishonest principals are described as agents in a distributed system where the communication model guarantees point-to-point integrity and authenticity. Auditors and other trusted agents (such as trusted third parties) are also modelled internally as agents. Behaviours of all agents are described as processes in a process algebra with discrete time, where an agent counts as honest only if its behaviour is completely determined by the process that describes it.

Second, we describe analyses to support the design of accountability systems and the validation of auditors for finitary systems (those with finitely many principals running finite-state processes over finitely many messages). We compile finitary systems to (turn-based) games, and use alternating-time temporal logic to specify the properties of interest. This permits us to adapt existing model-checking algorithms for verification.

Our results provide the foundations necessary to analyze tradeoffs in the design of mechanisms that ensure accountability. The potentially conflicting design parameters include the efficiency of the audit, the amount of logging, and the required use of mechanisms such as message signing, watermarking, or trusted third parties. Different choices place constraints on the auditor, on the agents of the system, and on the underlying communication infrastructure.

The paper is organized as follows. We motivate our approach in Section 2. Section 3 describes the model and Section 4 describes the analysis framework. The ideas are illustrated using examples in Section 5. We survey related work in Section 6. In this extended abstract, we elide all proofs.

2 Overview of Our Approach

In this section, we illustrate the motivation behind the design of our framework using variants of a motivating example (Barth et al. 2007).

In Section 5, we analyze an abstract version of the example that involves message forwarding amongst health professionals. Our analysis yields a variety of auditors for the example, even in general distributed settings, and shows that powerful mechanisms, such as trusted third parties, are not necessary for all audit protocols.

Example 1 (MyHealth). The MyHealth patient portal at Vanderbilt University Hospital allows patients to interact with healthcare professionals through a web-based system. There are three possible roles that can be assumed by principals: health professionals (doctors and nurses), administrators, and patients. The possible messages include health questions from patients and health answers from doctors. We focus on the two privacy policies in (Barth et al. 2007): (a) a health question can only be directed to a health professional, and (b) a health answer about a patient can only be directed to the same patient or to a health professional. These policies permit health

professionals to forward health information amongst themselves. In the discussion below, we will consider the case where patient Charlie contacts the auditor because he has received a health answer from doctor Bob that was intended for a different patient. The motivation for such an audit is to aid in the detection and discovery of the source of the leak.                                                                              □

We now describe our model and its relation to the following properties. The discussion is intended to establish intuitions, with formalities deferred to later sections.

- Upper bound: Every agent guilty of a dishonest action is blamed by the auditor.

- Lower bound: Every agent blamed by the auditor is guilty.

- Overlap: At least one of the agents blamed by the auditor is guilty.

- Liveness: The auditor is always successful in blaming a non-empty set of agents.

- Blamelessness: Honest agents have a strategy to avoid being pronounced a possible offender by an auditor.
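The two policies of Example 1 and the first four properties above, rendered as an added toy model (this code is not from the paper; the agent names, roles and message format are constructed for illustration). A run is a global trace of messages; the guilty set is computed from the full run, while the auditor sees only the messages reported to it, which is enough to make the lower bound and overlap hold but not the upper bound:

```python
# Added example, not from the paper: Example 1's policies (a) and (b), the
# guilty set of a run, and an internal auditor that only sees reported messages.
from dataclasses import dataclass

# Constructed principals and roles (not from the paper beyond Bob and Charlie).
ROLE = {"alice": "patient", "bob": "doctor", "charlie": "patient",
        "dana": "nurse", "erin": "admin"}
PROFESSIONAL = {"doctor", "nurse"}

@dataclass(frozen=True)
class Msg:
    sender: str
    recipient: str
    kind: str      # "question" or "answer"
    subject: str   # the patient the message is about

def permitted(m: Msg) -> bool:
    """Honest-trace condition for a single send, i.e. policies (a) and (b)."""
    if m.kind == "question":
        return ROLE[m.recipient] in PROFESSIONAL                          # (a)
    if m.kind == "answer":
        return m.recipient == m.subject or ROLE[m.recipient] in PROFESSIONAL  # (b)
    return False

def guilty(run):
    """Ground truth: agents that performed an action outside their honest process."""
    return {m.sender for m in run if not permitted(m)}

def auditor_blame(run, reported):
    """A weak internal auditor: blames the senders of the violating messages
    that were reported to it (it has no global view of the run)."""
    return {m.sender for m in reported if m in run and not permitted(m)}

def check_properties(blamed, guilty_set):
    """Upper bound, lower bound, overlap and liveness for one run."""
    return {"upper_bound": guilty_set <= blamed,
            "lower_bound": blamed <= guilty_set,
            "overlap": bool(blamed & guilty_set),
            "liveness": bool(blamed)}

# Constructed run: Alice asks Bob; Bob forwards the answer to nurse Dana
# (allowed), Dana misdirects it to patient Charlie (violation), and Bob also
# leaks it to administrator Erin (violation that nobody reports).
RUN = [Msg("alice", "bob", "question", "alice"),
       Msg("bob", "dana", "answer", "alice"),
       Msg("dana", "charlie", "answer", "alice"),
       Msg("bob", "erin", "answer", "alice")]

def scenario():
    """Charlie reports only the message he received; compare with a full view."""
    partial = check_properties(auditor_blame(RUN, [RUN[2]]), guilty(RUN))
    full = check_properties(auditor_blame(RUN, RUN), guilty(RUN))
    return partial, full
```

With only Charlie's report the auditor blames Dana alone, so the lower bound, overlap and liveness hold but the upper bound fails because Bob's unreported leak goes unblamed; given the whole run, all four hold.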

Agents. We model the behaviour of principals (both honest and dishonest) as agents in a distributed system. Auditors are also modelled as agents. We use processes to specify an upper bound on the permitted behaviours: an agent is behaving honestly in a run whenever its contributions to the run are traces of its honest process. A dishonest agent is unconstrained. An agent is guilty of dishonesty if it performs an action that is not on a permitted trace for an honest agent.

The communication model captures point-to-point communication over an underlying secure communication mechanism which provides integrity and authenticity guarantees, but provides no additional mechanisms for non-repudiation or end-to-end security. This model is realizable using transport mechanisms such as TLS.

Dishonest agents may collaborate arbitrarily. This means that the auditor has to achieve its objectives independent of potential collusion among dishonest agents. Honest agents may also collaborate, depending on the specification of the honest agents.

Internal auditors. Auditors are intended to be unprivileged agents of the system without global knowledge. Thus, they see only the messages and transactions directed to them. In contrast, the strategies deployed by dishonest agents can potentially include viewing traffic on the network between other agents, with the aim of eluding audit. Auditors can only detect dishonest behaviours using the information available in individual runs of a system; they cannot audit violations of properties that need sets of traces for their specification (such as non-interference). Auditors cannot detect cartels of dishonest agents who conduct dishonest exchanges amongst themselves.

Thus, our auditors cannot, in general, detect all security violations. For example, consider the leakage of patient records to a dishonest non-health professional by a dishonest health professional via out-of-band mechanisms, without using the MyHealth website of Example 1. Such leakage of records by dishonest agents solely to other dishonest agents will not be detected as such by an auditor in our framework.

Mandatory logging and responsiveness. Even when the auditor has a means of becoming aware of dishonest behaviour and initiates an audit, its investigation relies on there being statutory and enforceable logging requirements on honest agents.

In Example 1, if there is no requirement for maintaining and producing logs, doctor Bob can achieve absence of provable guilt by maintaining no records.
