Automated Counterexample-Driven Audits of Authentic System Records

Automated Counterexample-Driven Audits of Authentic System Records

C November 2008

Dissertation zur Erlangung des Doktorgrades der Fakult¨at f¨ ur Angewandte Wissenschaften der Albert-Ludwigs-Universit¨at Freiburg im Breisgau

vorgelegt von Rafael Accorsi geboren in Porto Alegre, Brasilien

¨r Informatik und Gesellschaft, Abteilung Telematik Institut fu Friedrichstr. 50, D-79098 Freiburg i. Br., Deutschland

Dekan:

Prof. Dr. Hans Zappe, Uni-Freiburg

Erstreferent: Prof. Dr. G¨ unter M¨ uller, Uni-Freiburg Zweitreferent: Prof. Dr. David Basin, ETH-Z¨ urich Datum der Disputation: Freitag, den 07. November 2008

Contents Danksagung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

xi

Zusammenfassung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv 1 Audit: An Approach to Generate Evidence . . . . . . . . . . . . . . . . . . . 1 1.1 IT Audits and their Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 Audit and Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.2 Audit and System Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.3 Audit and Generated Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Contribution: An Architecture for Automated Audits . . . . . . . . . . . . 6 1.2.1 Assumptions Underlying the Audit Architecture . . . . . . . . . . . . 8 1.3 Application in Privacy Protection and Usage Control . . . . . . . . . . . . 9 1.3.1 Shortcoming of Current Privacy-Enhancing Technologies . . . . 10 1.3.2 Possible Application Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 1.4 Structure and Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2 A Characterisation of Auditable Policies . . . . . . . . . . . . . . . . . . . . . 2.1 The Elements of Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 The Authorisation Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.2 The Obligation Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Trace-Based Semantics and Properties . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Policies as Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 On the Enforcement of Postconditional Rules . . . . . . . . . . . . . . . . . . . 2.4.1 Forbidding Postconditional Predicates . . . . . . . . . . . . . . . . . . . . . 2.4.2 Demanding Postconditional Predicates . . . . . . . . . . . . . . . . . . . . 2.4.3 Further Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5 The Policy Language Praia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5.1 Language Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5.2 The Semantics of Praia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5.3 Characteristics of Praia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17 17 18 19 20 22 23 24 25 27 28 28 31 33

Part I: Elements of the Audit Architecture

35

3 BBox: Secure Logging and Log Views . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 On the Authenticity of Log > [email protected] http://www.goo.com/Goo Inc. Access control policy of Foo.com. Any subject with an e-mail address in the goo.com namespace can perform any action on any resource. goo.com Fig. 8.5. Example of an XACML policy.

9

Background on Remote Attestation

chapter provides background information on remote attestation necT his essary to follow the discussion in §3.2.3. The crypto module of the BBox is a trusted computing module (TPM) that provides for three main functionalities, namely trusted measurement, trusted reporting and trusted storage. Trusted measurement consists of taking measurements of platform characteristics. The collected measurements, as well as the hash values, are stored in the TPM. In particular, hashes of measured values are stored in protected registers called platform configuration registers (PCR’s).1 In our setting, examples of PCR values include the secure logging mechanism and the code for integrity checks of incoming log messages. Analogous to a hash chain, in PCRs each new measurement hash is based on the of the current register contents and a new measurement value. This feature ensures that only a set of values loaded in the same sequence will result in the same PCR values. Trusted reporting is the main component for attestation of a node’s configuration. It is achieved by exposing trusted measurements and vouching for their authenticity. The TPM reports trusted measurements by returning the value of a PCR digitally signed with the TPM’s public attestation key (AIK). The AIK is created by the owner of after the platform’s credentials have been certified and the AIK is signed by numerous certifying authorities, e.g. TPM manufacturer, BBox owner or a certification officer. Together, the trusted measurement – expressed in terms of the PCR values representing a specific set and sequence of values – and the signature of the AIK provide the assurance that node, in our case the BBox, functions as expected. All a remote node needs to do is verify the digital signature on the trusted report using the public keys of the TPM and compare the PCR values against its set of trusted configurations it possesses. Finally, trusted storage protects the cryptographic keys and data. It contains a small amount of volatile memory used mainly for the storage of PCRs and associated values. (The concrete values depend on the producer and are not stipulated in the TPM specifications). It also contains the non-volatile AIK used by the trusted reporting component to sign trusted measurements.

1

Different specifications of trusted computing modules prescribe different numbers of PCR. While the TCG specification 1.1b accommodates 16 registers with 160bit, the specification 1.2 foresees at least 24 registers [115].

AVISPA Modelling of the NSPK+ Protocol

10

+

his chapter provides code modelling the NSPK protocol for the AVISPA T tool. It is based on the fixed version of the NSPK protocol already part of the AVISPA protocol library.

role alice (A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by A def= local State : nat, Na, Nb: text init State := 0 transition 0. State = 0 /\ RCV(start) =|> State’:= 2 /\ Na’ := new() /\ SND({Na’.A}_Kb) /\ secret(Na’,na,{A,B}) /\ witness(A,B,bob_alice_na,Na’) 2. State = 2 /\ RCV({Na.Nb’.B}_Ka) =|> State’:= 4 /\ SND({Nb’.A}_Kb) /\ request(A,B,alice_bob_nb,Nb’) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role bob(A, B: agent, Ka, Kb: public_key, SND, RCV: channel (dy)) played_by B def= local State : nat, Na, Nb: text init State := 1 transition 1.

State

= 1 /\ RCV({Na’.A}_Kb) =|>

§10 AVISPA Modelling of the NSPK+ Protocol

176

State’:= 3 /\ Nb’ := new() /\ SND({Na’.Nb’.B}_Ka) /\ secret(Nb’,nb,{A,B}) /\ witness(B,A,alice_bob_nb,Nb’) 3. State = 3 /\ RCV({Nb.A}_Kb) =|> State’:= 5 /\ request(B,A,bob_alice_na,Na) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role session(A, B: agent, Ka, Kb: public_key) def= local SA, RA, SB, RB: channel (dy) composition alice(A,B,Ka,Kb,SA,RA) /\ bob (A,B,Ka,Kb,SB,RB) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% role environment() def= const a, b : agent, ka, kb, ki : public_key, na, nb, alice_bob_nb, bob_alice_na : protocol_id intruder_knowledge = {a, b, ka, kb, ki, inv(ki)} composition session(a,b,ka,kb) /\ session(a,i,ka,ki) /\ session(i,b,ki,kb) end role %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% goal secrecy_of na, nb authentication_on alice_bob_nb authentication_on bob_alice_na end goal %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% environment()

11

Details on the Proof of Concept

his chapter describes the details underlying the proof of concept introT duced in §5. The policy language Praia employed in this thesis has been described in §2.

11.1

The Backus-Naur Form and Design Layers

To define the policy language and the scenario, the layered model proposed in [113] is employed. This model consists of the following three layers, which must be defined for both the policy language Praia and the system events: • language layer defines the application-independent syntax and (informal) semantics. • domain layer specifies scenario-specific vocabulary, such as objects, subjects and their attributes. • instance layer consists of the actual instances obtained by the language and domain layers. Only the language and the domain layers need to be defined for privacy policies and log entries, for their concrete instances (instance layer) are obtained by generating sentences using the underlying structure (language layer) and the vocabulary (domain layer). To define the language and domain layers, the Backus-Naur Form (BNF) notation is used. BNF is a metasyntax employed to describe formal languages widely used in several areas in computer science, such as programming languages and protocol specification. A BNF specification is a set of derivation rules :=

where is a nonterminal and consists of sequences of symbols and/or sequences separated by the vertical bar “|” indicating a choice, the whole being a possible substitution for the symbol on the left. Symbols that never appear on a left side are terminals. Relating the layered model with (the contents of) a BNF definition, the resulting correspondence is illustrated in Fig. 11.1. The language layer corresponds to a BNF specification that defines the structure of nonterminals and the application-independent terminals; the domain layer, on the other hand, defines the application-dependent terminals for the undefined nonterminals at the language layer. Finally, sentences of the BNF characterise the instance layer.

§11 Details on the Proof of Concept

178 Instance

!

Sentences

Domain

!

Terminals

Language

!

Rules and nonterminals

Layer

BNF

Fig. 11.1. Correspondence between the layers and the BNF components. Instance

Policy rules

Audit-trails

6

6 Domain

Language

Scenario (airport)

Praia

Log Format

Fig. 11.2. Concrete layers for the proof of concept.

Based on this, the following sections move from the language layer towards the instance layer by providing, for policies and system events, the corresponding BNF grammars, as depicted in Fig. 11.2. More precisely, in §11.2 the language layer for the system events are defined. (The policy language Praia was defined in §2.5.) §11.3 defined the common domain layer, where the instance layer is illustrated by means of examples.

11.2

Definition of System Events

Being online, the BBox receives system events through the log message handler (LMH), as described in §3.2.3. Acting in the language layer, this section defines the format of the messages sent by the system (i.e. its devices) to the BBox, thereby also defining the format in which messages are recorded in the secure log file of the BBox. The log message send by a system device to the BBox consists of two pieces of information, namely: • I is the identifier of the data provider to whom the payload is related. This is defined in the domain layer in §11.3 • P is the actual system event to the recorded in the secure log file. The definition below generalises the definition of payloads given in §4.4.1. This section defines the language for P . The format of P depends on the type of system event being signalled to the BBox. This is defined as follows: Definition 11.1 (Format of message payload P .) The message payload P is defined by the BNF depicted in Fig. 11.3. We assume standard values for the

§11.2 Definition of System Events

179

1.

2.

:=  | ####### := PRE # | ACC # | POS # | 3. := no Ref | PRE | ACC | POS 4. := role = | purpose = | security level = 5. := , , , 6. := notify | delete 7. := 8. := grant | deny Fig. 11.3. BNF defining the log messages characterising system events.

nonterminal symbols , denoting the IP number described in term of four octets of the signalling device and , that denotes the timestamp in which the event has been collected. a As in the definition of the policy language Praia, the nonterminal symbols , , , and are applicationdependent and defined at the domain layer in §11.3. Below, we address the syntax and (informal) semantics of the log entries P . Structure of the entries. The structure of the entries follow the “normal” form put forward in [33], which is similar to the format adopted by the other log services, such as the syslog. Each entry consists of control fields common to all entries and characterised by the nonterminals , , and . Besides that, each entry encompasses fields that depend on its underlying type. We consider three types of entry (Production 2), which are distinguished by the entry identifiers PRE for preconditional predicates, ACC for authorisational predicates and POS for postconditional predicates, whereas each identifier is followed by a natural number uniquely identifying the entry. As in [33], # separates the fields of an entry, while ### separates entries themselves. The actual payload of a log message depends on its type (Productions 4–6). Entries expressing preconditional predicates may assume the values in Production 4. Entries denoting authorisations are defined in Production 5, whereas entries that stand for postconditional predicates are defined in Production 6. Their semantics is similar to that of their homonymous counterparts in Praia and presented in §2.5. Note that entries can be related to each other, thereby encoding the correlation of events reported on in §4.4. Such a correlation is captured by the pointer defined in Production 3, which refers to an entry of some type or to no entry (terminal no Ref).

180

§11 Details on the Proof of Concept

Meaning of the entries. Each entry puts on a record of a system event of some type captured by a particular device at some point in time. This involves the following nonterminals (the corresponding symbols in the symbolic representation of entries in §4.4.1 are given in the parentheses): • is a sequence number attached to the entry by the BBox. This values should not be confused with the type dependent, unique identifier of an entry denoted by the prefixes PRE, ACC or POS followed by a natural number. (This corresponds to the field ID.) • denotes the IP address of the device that send the log message to the BBox. This piece of information is added to the entry in order to provide for fine-grained accountability of actions. • represents the point of time at which the payload has been captured by the device. Timestamps are important in checking for the fulfillment policy rules encompassing postconditional predicates. (This corresponds to the field N.) • indicates the type of entry the payload reports on. This nonterminal is built by a unique entry identifier and the actual entry payload. • represents an action related to a preconditional predicate. Three actions are intended, namely the fact that a subject assumes some role; that a purpose for an access is set up; and that the security level of a subject is adjusted. (This corresponds to a possible type of field E.) • represents an access decision taken by some of the reference monitors in place in the system. Such payload registers whether a subject has been granted a right upon an object. (This corresponds to a possible type of field E.) • represents an action related to a postconditional predicate. Two actions are provided, namely the notification of an individual about the deletion of some data item (object) and the overall notification triggered by some access. (This corresponds to a possible type of field E.) • is a referrer that points to another entry. The link is captured by the unique identifier of the entry, as reported in §4.4.1. (This corresponds to the field Z.)

11.3

Domain and Instance Layers

The previous sections define the language layer. This section focusses on the domain layer common to both Praia language and the system events and by giving examples of sentences, the instance layer can also be shown. Hence, the primary goal here is to define the setup underlying the airport scenario, i.e. the set of objects and subjects involved therein, as well as the set of roles subjects can assume, the set of possible purposes for accesses to data items and the security level subjects may exhibit. (The setup proposed here is merely for illustrative purposes only and does not reflect any concrete or intended realisation of the scenario.)

§11.3 Domain and Instance Layers

181

1. 2. 3. 4. 5. 6.

:= * | terminal | rfid reader | barcode reader := * | creditCard.number | #passport | baggage tag | profile.name | profile.address | profile.history := accounting | check in | sec check | marketing := billing | statistics | tracking | ticket issue := high | low := A | B | C Fig. 11.4. BNF defining the domain layer for the airport scenario.

Definition 11.2 (Domain layer.) The domain layer for the airport scenario is defined by the BNF rules depicted in Fig. 11.4. a Note that the sets and contain the special symbol *. This terminal symbol acts a wildcard representing any of the other terminals, which is a useful concept in formulating privacy policies, as described in §2.5. Terminals, such as creditCard.number and baggage tag actually require additional definitions stipulating their format. (For example, a credit card number is built by four groups of numbers, each of which consisting of a quadruple of digits in the interval [1;9].) However, we abstract away from these details and focus instead on the type of information they purport, regardless of their format. Moreover, Def. 11.2 also sets up the set of individuals participating in the system. The nonterminal defines the piece of information I in the log message sent from the device to the BBox. Given the definition of the language and the domain layers, below we exemplify some of the sentences that can be obtained by the Praia language together with the counterexamples that are generated from these instances, as well as examples of log entries, thereby demonstrating examples of the instance layer. Example 11.1 (Instances of Praia rules and their counterexamples.) Consider an individual A with the following privacy preferences: (1) allow read access to the credit card number only to subjects with the role accounting and purpose billing. The authorised read access must be notified within 7 days. (2) deny the collect access to the baggage tags to RFID readers. (3) allow terminals the write access to history of A only if the role of the terminal is check-in and the purpose behind the access is to issue a ticket. These privacy preferences are expressed in Praia by the privacy policy PA consisting of the rules r1 , r2 , r3 , such that: r1 = (allow, *, creditcard.number, read; role = accounting && purpose = billing; notify within 7 days) r2 = (deny, rfid_reader, baggage_tag, collect; no_preB; no_posB)

§11 Details on the Proof of Concept

182

r3 = (allow, terminal, profile.history, write; role = check_in && purpose = ticket_issue; no_posB) Note how preconditional rules are expressed (rule r3 ), namely by adding a single atomic postconditional predicate no posB, which mimics the traditional nop instruction, denoting in our setting the absence of postconditional predicates. Authorisational (rule r2 ) and postconditional rules are obtained in a similar manner using the atomic preconditional predicate no preB. Given this representation of policy rules, we can also demonstrate the counterexamples obtained by applying the Algorithm 3 to PA . The generated set of counterexamples CPA = {cr1 , c0r1 , cr2 , cr3 , c0r3 } such that: cr1 = (allow, *, creditcard.number, read; !role = accounting, !purpose = billing; !notify within 7 days) c0r1 = (deny, *, creditcard.number, read; role = accounting, purpose = billing; notify within 7 days) cr2 = (allow, rfid_reader, baggage_tag, collect; no_preB; no_posB) cr3 = (allow, terminal, profile.history, write; !role = check_in, !purpose = ticket_issue; no_posB) c0r3 = (deny, terminal, profile.history, write role = check_in, purpose = ticket_issue; no_posB) where ! denotes the negation symbol ¬.

a

Default configurations of policies. The following discussion on the default ruling closes the presentation of the proof of concept. Some policy languages allow the stipulation of a default, global configuration for access decisions to unmanaged data items, i.e. objects whose access and usage is not explicitly managed by a policy rule. (See §8 for some languages that include such a setup.) Two configurations are generally considered, namely default-deny and default-allow . The former states that every access attempt not explicitly permitted as a policy rule must be denied by the reference monitor. The latter states the opposite: every access not explicitly denied as a policy rule is to be allowed. While Praia does not include constructs to explicitly express such a feature, we implicitly assume a default setting “don’t care”. Access decisions to unmanaged data items are simply ignored by the audit process, as the rights that can be exercised upon these objects are not stipulated by the policy rules.

§11.3 Domain and Instance Layers

183

However, default settings can be approximated in Praia by means of the wildcard *, so that the default behaviour is hardwired in the policy as rules. Similar to the rule r1 in Example 11.1, if an individual wants to, e.g., deny to every subject the read access to his history, then the following rule should be added to the policy r = (deny, *, profile.history, read; no_preB; no_posB). Here a cautionary note on the usage of this strategy. The following two rules represent the extreme cases for the representation of default configurations in Praia for the read right: r0 = (deny, *, *, read; no_preB; no_posB)

r00 = (allow, *, *, read; no_preB; no_posB)

These rules deny (respectively grant) read access to every subject upon every object. Although possible, such rules are quite restrictive and may lead to conflicts. The reason lies in the scope of the rules, which encompasses all the objects defined in the domain layer, as well as all the subjects acting in the scenario. Since we consider that each data item is solely on the scope of one subject and right (otherwise there is a conflict in the policy), rules such as r0 and r00 have an intrinsic potential to conflict with other rules of the policy. In fact, adding one of these rules to a policy eventually rules out all other rules with the read right, making the policy “maximal consistent”.

Literature

1. Abadi, M., and Needham, R. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering 22, 1 (January 1996), 6–15. [59] 2. Accorsi, R. On the relationship of privacy and secure remote logging in dynamic systems. In Security and Privacy in Dynamic Environments, S. Fischer-H¨ ubner, K. Rannemberg, L. Yngstr¨ om, and S. Lindskog, Eds., vol. 201 of IFIP Conference Proceedings. Springer-Verlag, 2006, pp. 329–339. [144] 3. Accorsi, R., and Bernauer, M. On privacy evidence for UbiComp environments – Broadening the notion of control to improve user acceptance. In Proceedings of the 5th Workshop on Privacy in UbiComp (2007), A. Bajart, H. Muller, and T. Strang, Eds., pp. 433–438. [159] 4. Accorsi, R., and Bernauer, M. Policy-based event correlation and audit. In Submitted to the ACM Symposium on Applied Computing (2008). [104, 118, 148] 5. Accorsi, R., and Hohl, A. Delegating secure logging in pervasive computing systems. In Proceedings of the 3rd International Conference on Security in Pervasive Computing, J. Clark, R. Paige, F. Pollack, and P. Brooke, Eds., vol. 3934 of Lecture Notes in Computer Science. Springer Verlag, 2006, pp. 58–72. [160] 6. Accorsi, R., Sato, Y., and Kai, S. Compliance monitor for early warning risk determination. To appear in Wirtschaftsinformatik 50, 5 (October 2008). [139] 7. Accorsi, R., and Stocker, T. Automated privacy audits based on pruning of log data. In Proceedings of the EDOC International Workshop on Security and Privacy in Enterprise Computing (2008), IEEE Computer Society Press. [104] 8. Aczel, P. An introduction to inductive definitions. In Handbook of Mathematical Logic, J. Barwise, Ed. North-Holland, 1977, pp. 739–782. [20] 9. Agurippa. Account aggregation. http://agurippa.com/eng/about/index.html, 2008. [13] 10. Alles, M., Kogan, A., and Vasarhelyi, M. Black box logging and tertiary monitoring of continuous assurance systems. Information Systems Control Journal 1 (2003). [140] 11. Alpern, B., and Schneider, F. Defining liveness. Information Processing Letters 21, 4 (October 1985), 181–185. [21] 12. Andersen, H. Model checking and boolean graphs. Theoretical Computer Science 126, 1 (April 1994), 3–30. [20] 13. Anderson, A. A comparison of two privacy policy languages: EPAL and XACML. Proceedings of the 3rd ACM workshop on Secure web services (2006), 53–60. [170] 14. Anonymity.online. http://anon.inf.tu-dresden.de/. [11, 157] ´ n, A. Goal-based requirements analysis. In Proceedings of the 2nd IEEE 15. Anto International Conference on Requirements Engineering. IEEE Computer Society Press, 1996, pp. 136–144. [135, 136] ´ n, A. Goal Identification and Refinement in the Specification of Software16. Anto Based Information Systems. PhD thesis, Georgia Institute of Technology, 1997. [135] ´ n, A., Bertino, E., Li, N., and Yu, T. A roadmap for comprehensive 17. Anto online privacy policy management. Communications of the ACM 50, 7 (July 2007), 109–116. [6, 145, 167]

186

Literature

18. Arona, A., Bruschi, D., and Rosti, E. Adding availability to log services of untrusted machines. In Proceedings of the 15th Annual Computer Security Applications Conference (1999), IEEE Computer Society Press, p. 199. [143] 19. Ashley, P., Hada, S., Karjoth, G., Powers, C., and Schunter, M. Enterprise privacy authorization language. Tech. rep., IBM Research, March 2003. [11, 17, 157, 169] 20. Ashley, P., Hada, S., Karjoth, G., and Schunter, M. E-P3P privacy policies and privacy authorization. In Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society (2002), ACM Press, pp. 103–109. [11, 157, 168] 21. Ashley, P., Powers, C., and Schunter, M. From privacy promises to privacy management: A new approach for enforcing privacy throughout an enterprise. In Proceedings of the 3rd Workshop on New Security Paradigms. ACM Press, 2002, pp. 43–50. [11, 148, 149, 157] 22. Automated validation of internet security protocols and applications. http:// www.avispa-project.org/, 2008. [59] 23. Bace, J., and Rozwell, C. Understanding the components of compliance. Gartner Research Paper, July 2006. [145, 158] 24. Balacheff, B., and Chen, L. Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall International, 2002. [59] 25. Balajinath, B., and Raghavan, S. V. Intrusion detection through learning behavior model. Computer Communications 24, 12 (July 2001), 1202–1212. [146] 26. Barnett, M., Leino, R., and Schulte, W. The Spec# programming system: An overview. In Proceedings of the Conference on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (2005), G. Bathe, L. Burdy, M. Huisman, and J.-L. Muntean, Eds., vol. 3362 of Lecture Notes in Computer Science, Springer-Verlag, pp. 46–69. [19] 27. Basin, D. Lazy infinite-state analysis of security protocols. In Secure Networking, R. Baumgart, Ed., vol. 1740 of Lecture Notes in Computer Science. SpringerVerlag, 1999, pp. 30–42. [9] 28. Bauer, M., Meints, M., and Hansen, M. Structured overview on prototypes and concepts of identity management. Deliverable for FIDIS Project, Unabh¨ angiges Landeszentrum f¨ ur Datenschutz, 2005. [11, 157] 29. BEEP. http://www.beepcore.org/, 2005. [141] 30. Benantar, M. Access Control Systems. Springer-Verlag, 2006. [19] 31. Benassi, P. TRUSTe: An online privacy seal program. Communications of the ACM 42, 2 (February 1999), 56–59. [11, 157] 32. Bettini, C., Jajodia, S., Wang, S., and Wijesekera, D. Provisions and obligations in policy rule management. Journal of Network and Systems Management 11, 3 (September 2003), 351–372. [18, 19] 33. Bishop, M. A standard audit trail format. In Proceedings of the 18th National Information Security Systems Conference, S. Barnett and I. Perry, Eds. DIANE Publishing, 1996, pp. 136–145. [9, 179] 34. Bishop, M. Introduction to Computer Security. Addison-Wesley, 2005. [4, 38, 47] 35. Biskup, J., and Flegel, U. On pseudonymization of audit data for intrusion detection. In Enhancing Privacy Technologies, H. Federrath, Ed., vol. 2009 of Lecture Notes in Computer Science. Springer-Verlag, 2001, pp. 161–180. [145] ´ n, A. Analyzing regulatory rules for privacy and se36. Breaux, T., and Anto curity requirements. IEEE Transactions on Software Engineering 34, 1 (January/February 2008), 5–20. [3, 34, 78, 158]

Literature

187

´ n, A., Karat, C.-M., and Karat, J. Enforceability vs. ac37. Breaux, T., Anto countability in electronic policies. In Proceedings of the 7th International Workshop on Policies for Distributed Systems and Networks (2006), IEEE Computer Society Press, pp. 227–230. [3, 19, 20, 135, 136, 137, 139] 38. Bretherton, F., and Singley, P. Metadata: A user’s view. In Proceedings of the 7th Working Conference on Scientific and Statistical Database Management (1994), IEEE Computer Society Press, pp. 166–174. [55] 39. Camenisch, J., and Michels, M. Proving in zero-knowledge that a number is the product of two safe primes. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, J. Stern, Ed., vol. 1592 of Lecture Notes in Computer Science. Springer-Verlag, 1999, pp. 107–122. [11, 157] 40. Canny, J. The future of human-computer interaction. Queue 4, 6 (July 2006), 24–32. [159] 41. Capgemini. RFID and consumers: Understanding their mindsets. http://www. us.capgemini.com/, January 2004. [157] 42. Carlin, A., and Gallegos, F. IT audit: A critical business process. IEEE Computer 40, 7 (July 2007), 87–89. [1, 110, 145, 151] 43. Casassa-Mont, M. Dealing with privacy obligations: Important aspects and technical approaches. In Proceedings of the International Conference on Trust and Privacy in Digital Business, K. Sokratis, J. Lopes, and G. Pernul, Eds., vol. 3184 of Lecture Notes in Computer Science. Springer-Verlag, 2004, pp. 120–131. [11, 157] 44. Casassa-Mont, M., Pearson, S., and Bramhall, P. Towards accountable management of identity and privacy: Sticky policies and enforceable tracing services. In Proceedings of the 14th International Workshop on Database and Expert Systems Applications. IEEE Computer Society, 2003, pp. 377–382. [11, 150, 157] 45. Casassa-Mont, M., Pearson, S., and Bramhall, P. Towards accountable management of privacy and identity information. In Proceedings of the European Symposium on Research in Computer Security, E. Snekkenes and D. Gollmann, Eds., vol. 2808 of Lecture Notes in Computer Science. Springer-Verlag, 2003, pp. 146–161. [148, 150, 167] 46. Cederquist, J., Corin, R., Dekker, M., Etalle, S., den Hartog, J., and Lenzini, G. Audit-based compliance control. International Journal of Information Security 6, 2-3 (2007), 133–151. [148, 149] 47. CERT/CC. Denial of service attacks, 2005. http://www.cert.org/tech_tips/ denial_of_service.html. [130] 48. Chalmers, A. Wege der Wissenschaft. Springer-Verlag, 2001. [67] 49. Chaum, D. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24, 2 (February 1981), 84–88. [11, 157] 50. Chen, L., Harrison, K., Moss, A., Soldera, D., and Smart, N. Certification of public keys within an identity based system. In Proceedings of the 5th International Conference on Information Security, vol. 2433 of Lecture Notes in Computer Science. Springer-Verlag, 2002, pp. 322–333. [150] 51. Church, A. Introduction to Mathematical Logic. Princeton University Press, 1956. [67, 72] 52. Clark, J., and Jacob, J. A survey of authentication protocol literature: Version 1.0. Available at http://www.cs.york.ac.uk/~jac/papers/drareview.ps.gz, 1997. [45]

188

Literature

¨ hntopp, M. Identity management and its support of mul53. Clauß, S., and Ko tilateral security. Computer Networks 37, 2 (October 2001), 205–219. [11, 157] 54. Common Criteria Portal. http://www.commoncriteriaportal.org/. [11, 157] 55. Common Criteria Portal. http://www.niap-ccevs.org/cc-scheme/, 2008. [151] 56. Contos, B. Litigation-quality log data. IT Defense (November 2006), 20–23. [144] ¨rkka ¨inen, J. 57. Das, G., Fleischer, R., Gasieniec, L., Gunopulos, D., and Ka Episode matching. In Proceedings of the 8th Annual Symposium on Combinatorial Pattern Matching, vol. 1264 of Lecture Notes in Computer Science. SpringerVerlag, 1997, pp. 12–27. [147] 58. The Data Protection Act. http://http://www.opsi.gov.uk/acts/acts1998/ ukpga_19980029_en_1/. [9, 14] 59. Debar, H., Dacier, M., and Wespi, A. Towards a taxonomy of intrusiondetection systems. Computer Networks 31, 9 (April 1999), 805–822. [146] 60. Dekker, M., and Etalle, S. Audit-based access control for electronic health records. Electronic Notes in Theoretical Computer Science 168 (2007), 221–236. [149] 61. Dijkstra, E. Position paper on “Fairness”. Software Engineering Notes 13, 2 (April 1988), 18–20. [26] 62. Ding, L., Yu, F., Yue, G., and Xu, C. An improved algorithm of pattern matching for information security audit system. In Proceedings of the International MultiConference of Engineers and Computer Scientists (2007), S. I. Ao, O. Castillo, C. Douglas, D. D. Feng, and J.-A. Lee, Eds., Lecture Notes in Engineering and Computer Science, Newswood Limited, pp. 459–463. [146] 63. Dolev, D., and Yao, A. On the security of public key protocols. IEEE Transactions on Information Theory 2, 29 (March 1983), 198–208. [57, 144] 64. Dougherty, D., Fisler, K., and Krishnamurth, S. Obligations and their interaction with programs. In Proceedings of the 12th European Symposium On Research In Computer Security, J. Biskup and J. Lopez, Eds., vol. 4734. SpringerVerlag, 2007, pp. 375–389. [135, 138, 139] 65. Emerson, E. Temporal and modal logic. In Handbook of Theoretical Computer Science, J. van Leeuwen, Ed. Elsevier, 1990, pp. 996–1072. [3] 66. Etalle, S., and Winsborough, W. A posteriori compliance control. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (2007), V. Lotz and B. Thuraisingham, Eds., ACM Press, pp. 11–20. [148, 149] 67. Ethereal Website. http://www.ethereal.com/, 2008. [141] 68. European Commission. Directive 95/46/EC. Journal of the European Communities, 281 (November 1995), 31. [9] 69. Farmer, D., and Venema, W. Forensic Discovery. Addison-Wesley, 2004. [140] 70. Fergunson, N., and Schneier, B. Practical Cryptography. Wiley Publishing, Inc., 2003. [58, 142, 143] 71. Flegel, U. Pseudonymizing unix log files. In Proceedings of the Infrastructure Security Conference, G. Davida, Y. Frankel, and O. Rees, Eds., vol. 2437 of Lecture Notes in Computer Science. Springer-Verlag, 2002, pp. 162–179. [145] 72. Focardi, R., and Gorrieri, R. Classification of security properties (Part I: Information flow). In Foundations of Security Analysis and Design, R. Focardi and R. Gorrieri, Eds., vol. 2171 of Lecture Notes in Computer Science. SpringerVerlag, 2001, pp. 331–396. [22] 73. Foster, I., Kesselman, C., and Tuecke, S. The anatomy of the grid. International Journal of Supercomputer Applications 15, 3 (August 2001), 200–222. [13]

Literature

189

74. Franklin, M. A survey of key evolving cryptosystems. International Journal of Security and Networks 1, 1/2 (2006), 46–53. [47] 75. Frye, D. Network Security Policies and Procedures, vol. 32 of Advances in Information Security. Springer-Verlag, 2007. [158] 76. Gallegos, F., Senft, S., Manson, D., and Gonzales, C. Information Technology Control and Audit. Auerbach Publications, 2004. [1, 38, 53, 68, 145, 151] 77. Gama, P., and Ferreira, P. Obligation policies: An enforcement platform. In Proceedings of the 6th International Workshop on Policies for Distributed Systems and Networks. IEEE Computer Society, 2005, pp. 203–212. [11, 157] 78. Garcia-Molina, H., Ullman, J., and Widom, J. Database Systems: The Complete Book. Prentice Hall, 2001. [4] ¨ller, S., and Pfitzmann, B. Regulations expressed 79. Giblin, C., Liu, A., Mu as logical models (REALM). In Proceedings of the 18th Annual Conference on Legal Knowledge and Information Systems (2005), IOS Press, pp. 37–48. [2] 80. Glynos, D., Kotzanikolaou, P., and Douligeris, C. Preventing impersonation attacks in MANET with multi-factor authentication. In 3rd International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (2005), IEEE Computer Society Press, pp. 59–64. [39] 81. Goldberg, I., Wagner, D., and Brewer, E. Privacy-enhancing technologies for the web. In Proceedings of the IEEE Compcon (1997), pp. 103–109. [10] 82. Goldschlag, D., Reed, M., and Syverson, P. Onion routing. Communications of the ACM 42, 2 (1999), 39–41. [11, 157] 83. Gong, L. Inside Java 2 Platform Security. Addison-Wesley, 1999. [115] 84. Gorelik, V. One step ahead. ACM QUEUE 5, 1 (February 2007), 24–31. [145] 85. Graff, M., and van Wyk, K. Secure Coding: Principles & Practices. O’Reilly, 2003. [131] 86. Group, T. C. TCG glossary of technical terms. https://www. trustedcomputinggroup.org/groups/glossary/. [45] ¨nther, O., and Spiekermann, S. RFID and the perception of control: The 87. Gu consumer’s view. Communications of the ACM 48, 9 (September 2005), 73–76. [157] 88. Hamlen, K., Morrisett, G., and Schneider, F. Computability classes for enforcement mechanisms. ACM Transactions on Programming Languages and Systems 28, 1 (January 2006), 175–205. [27, 139] 89. Hilty, M., Basin, D., and Pretschner, A. On obligations. In Proceedings of the 10th European Symposium on Research in Computer Security, S. D. C. di Vimercati, P. Syverson, and D. Gollmann, Eds., vol. 3679 of Lecture Notes in Computer Science. Springer-Verlag, 2005, pp. 98–117. [11, 19, 157] 90. Hilty, M., Pretschner, A., Basin, D., Schaefer, C., and Walter, T. A policy language for distributed usage control. In 12th European Symposium on Research in Computer Security, J. Biskup and J. Lopez, Eds., vol. 4734 of Lecture Notes in Computer Science. Springer-Verlag, 2007, pp. 531–546. [34] 91. Hilty, M., Pretschner, A., Schaefer, C., and Walter, T. DUKE: Distributed usage control enforcement. In Proceedings of the POLICY (2007), IEEE Computer Press, p. 275. [11, 157] 92. Health Insurance Portability and Accountability Act (HIPAA). http://www.cms. hhs.gov/HIPAAGenInfo/. [2] 93. Hoare, C. An axiomatic basis for computer programming. Communications of the ACM 12, 10 (October 1969), 576–583. [19] 94. Hoffman, L. Computers and privacy: A survey. ACM Computing Surveys 1, 2 (June 1969), 85–103. [9]

190

Literature

95. Hohl, A. Traceable Processing of Personal Data in Remote Services Using TCG. PhD thesis, University of Freiburg, 2006. [59, 60] 96. Hohl, A., Lowis, L., and Zugenmaier, A. Look who’s talking – authenticating service access points. In Proceedings of the 2nd International Conference of Ubiquitous Computing, D. Hutter and M. Ullmann, Eds., vol. 3450 of Lecture Notes in Computer Science. Springer-Verlag, 2005, pp. 151–162. [59] ¨ hn, S. Bringing users back into control: A new paradigm for usability in 97. Ho highly dynamic systems. In Proceedings of the 3rd International Conference on Trust, Privacy and Digital Business, S. Fischer-H¨ ubner, S. Furnell, and C. Lambrinoudakis, Eds., vol. 4083 of Lecture Notes in Computer Science. SpringerVerlag, 2006, pp. 114–122. [159] ¨ hn, S., Accorsi, R., and Maier, M. An approach to usable security for 98. Ho ambient intelligence environments. In Long-Term and Dynamical Aspects of Information Security, A. Schmidt, M. Kreutzer, and R. Accorsi, Eds. Nova Science Publishers, 2007, pp. 1–17. [159] 99. Hosmer, C. Digital evidence bag. Communications of the ACM 49, 2 (February 2006), 69–70. [144, 152] 100. Howard, M., and Leblanc, D. Writing Secure Code. Microsoft Press, 2001. [39, 131] 101. IATA’s simplifying the business initiatve. http://www.sita.aero/News_Centre/ Simplifying_the_Business. [12] 102. IBM. Tivoli software. http://www-306.ibm.com/software/tivoli/. [149] 103. Idemix. http://www.zurich.ibm.com/security/idemix/. [11, 157] 104. IETF. Website of the Working Group for security issues in network event logging. http://tools.ietf.org/wg/syslog/, 2008. [141] 105. Iliev, A., and Smith, S. Protecting client privacy with trusted computing at the server. IEEE Security & Privacy 3, 2 (March/April 2005), 20–28. [45] 106. iManager. http://www.iig.uni-freiburg.de/telematik/atus/idm.html. [11, 157] 107. Irwin, K., Yu, T., and Winsborough, W. On the modelling and analysis of obligations. In Proceedings of the 13th ACM Conference Computer Communications Security. ACM Press, 2006, pp. 134–143. [135, 136, 138, 139] 108. Itkis, G. Cryptographic tamper evidence. In Proceedings of the Conference on Computer and Communication Security. ACM Press, 2003, pp. 355–364. [47] 109. Jajodia, S., Kudo, M., and Subrahmanian, V. Provisional authorizations. In E-Commerce Security and Privacy, A. Ghosh, Ed. Kluwer Academic Publishers, 2001, pp. 133–159. [11, 19, 157] 110. JAP anonymity and privacy. http://anon.inf.tu-dresden.de/. [11, 157] 111. Jendricke, U., and tom Markotten, D. G. Usability meets security - The identity-manager as your personal security assistant for the internet. In Proceedings of the 16th Annual Computer Security Applications Conference (2000), IEEE Computer Society, pp. 344–354. [10] 112. Kagal, L., Finin, T., and Joshi, A. A policy based approach to security for the semantic web. In Proceedings of the 2nd International Semantic Web Conference, D. Fensel, K. Sycara, and J. Mylopoulos, Eds., vol. 2870 of Lecture Notes in Computer Science. Springer-Verlag, 2003, pp. 402–418. [17] ¨hmer, M., and Gilliot, M. Extended privacy definition tool. In Proceed113. Ka ings of the Multikonferenz Wirtschaftsinformatik, Lecture Notes in Informatics. Springer-Verlag, to appear in 2008. [11, 17, 157, 177]

Literature

191

114. Kahn Consulting. Computer security log files as evidence. http://www. kahnconsultinginc.com/images/pdfs/KCI_ArcSight_ESM_Evaluation.pdf, August 06. [37, 144] 115. Kelly, R. A survey of trusted computing specifications and related technologies, 2003. SANS Publication Series. [45, 173] 116. Kelsey, J., and Callas, J. Signed syslog messages. IETF Internet Draft, 2005. http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-16. txt. [141] 117. Personal communication with Dr. Erin Kenneally, senior forensic investigator at the UC at San Diego, September 2007. [158] 118. Kenneally, E. Digital logs – Proof matters. Digital Investigation 1, 2 (June 2004), 94–101. [6, 37, 91, 144, 152] 119. Kenneally, E., and Brown, C. Risk sensitive digital evidence collection. Digital Investigation 2, 2 (June 2005), 101–119. [15, 140] 120. Kent, K., and Souppaya, M. Guide to Computer Security Log Management. National Institute of Standards and Technology (NIST), September 2006. [39] 121. King, S., and Chen, P. Backtracking intrusions. ACM Transactions on Computer Systems 23, 1 (February 2005), 51–76. [4] 122. Knuth, D. Big omicron and big omega and big theta. SIGACT News 8, 2 (April-June 1976), 18–24. [104] 123. Knuth, D. The Art of Computer Programming, vol. 3: Sorting and Searching. Addison-Wesley, 1997. [55, 103] 124. Kobsa, A. Privacy-enhanced web personalization. In The Adaptive Web: Methods and Strategies for Web Personalization, P. Brusilovsky, A. Kobsa, and W. Nejdl, Eds. Springer-Verlag, 2007, pp. 628–670. [159] ´, L. Fast multipattern search algorithms for 125. Kuri, J., Navarro, G., and Me intrusion detection. In Proceedings of the 7th Symposium on String Processing and Information Retrieval. IEEE Computer Society, 2000, pp. 169–180. [146] ´, L., and Heye, L. A pattern matching based 126. Kuri, J., Navarro, G., Me filter for audit reduction and fast detection of potential intrusions. In Recent Advances in Intrusion Detection, vol. 1907 of Lecture Notes in Computer Science. Springer-Verlag, 2000, pp. 17–27. [146] 127. Kurose, J., and Ross, K. Computer Networking. Addison-Wesley, 2005. [43, 141] 128. Lamport, L. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3, 2 (March 1977), 125–143. [20] 129. Lamport, L. Password authentication with insecure communication. Communications of the ACM 24, 11 (November 1981), 770–772. [47] 130. Lamport, L., and Schneider, F. The ‘Hoare Logic’ of CSP and all that. ACM Transactions on Programming Languages and Systems 6, 2 (April 1984), 281–296. [21] 131. Lampson, B., Abadi, M., Burrows, M., and Wobber, E. Authentication in distributed systems: Theory and practice. ACM Operating Systems Review 25, 5 (October 1991), 165–182. [25, 138] 132. Langheinrich, M. A privacy awareness system for ubiquitous computing environments. In In Proceedings of the 4th International Conference on Ubiquitous Computing, G. Borriello and L. E. Holmquist, Eds., vol. 2498 of Lecture Notes in Computer Science. Springer-Verlag, 2002, pp. 237–245. [11, 157, 167] 133. Lee, W., and Stolfo, S. Data mining approaches for intrusion detection. In Proceedings of the 7th USENIX Security Symposium. IEEE Computer Press, 1998, pp. 6–20. [146]

192

Literature

134. The liberty alliance project. http://www.projectliberty.org/. [11, 14, 157] 135. Ligatti, J., Bauer, L., and Walker, D. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4, 1/2 (February 2005), 2–16. [27, 139] 136. Lonvick, C. RFC 3164: The BSD syslog protocol. Request for Comments, 2001. http://www.ietf.org/rfc/rfc3164.txt. [4, 140] 137. Lowe, G. An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56, 3 (1995), 131–133. [59] 138. Lowe, G. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of the 2nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems, vol. 1055 of Lecture Notes in Computer Science. Springer-Verlag, 1996, pp. 147–166. [59] 139. Lowis, L., and Hohl, A. Enabling persistent service links. In Proceedinds of the International Conference on E-Commerce Technology. IEEE Computer Society, 2005, pp. 301–306. [46, 59] 140. Lunt, T. Automated audit trail analysis and intrusion detection: A survey. In Proceedings of the 11th Computer Security Conference (1988). [146] 141. Lunt, T. A survey of intrusion detection techniques. Computers and Security 12, 4 (June 1993), 405–418. [70] 142. Lunt, T., and Anderson, D. Software requirements specification: Nextgeneration intrusion detection experts system. Available at http://www.sdl. sri.com/papers/reqts94/, March 1993. [146] 143. Lupu, E., and Sloman, M. Conflicts in policy-based distributed systems management. IEEE Transactions of Software Engineering 25, 6 (November/December 1999), 852–869. [33, 133] 144. Madigan, E., Petrulich, C., and Motuk, K. The cost of non-compliance: when policies fail. In Proceedings of the 32nd Annual ACM Conference on User Services (2004), J. S. Whiting, J. Ashworth, and D. Mateik, Eds., ACM Press, pp. 47–51. [158] 145. Maier, P. Audit and Trace Log Management. Auerbach Publications, 2006. [6, 38, 133, 144] 146. Maloof, M., Ed. Machine Learning and Data Mining for Computer Security. Springer Verlag, 2005. [146] 147. Maurer, U. New approaches to digital evidence. Proceedings of the IEEE 92, 6 (June 2004), 933–947. [140, 153] 148. Menezes, A., van Oorschot, P., and Vanstone, S. Handbook of Applied Cryptography. CRC Press, July 1999. [42] 149. Mercuri, R. On auditing audit trails. Communications of the ACM 46, 1 (January 2003), 17–20. [6, 38, 145] 150. Miyazaki, A., and Krishnamurthy, S. Internet seals of approval: Effects on online privacy policies and consumer perceptions. Journal of Consumer Affairs 36, 1 (2002), 28–49. [11, 157] 151. Moffett, J., and Sloman, M. Policy conflict analysis in distributed system management. Journal of Organizational Computing 4, 1 (April 1993), 1–22. [33] ¨ller, G. Privacy and security in highly dynamic systems. Communications 152. Mu of the ACM 49, 9 (September 2006), 28–31. [13, 159] 153. Necula, G., and Lee, P. Proof-Carrying Code. Pittsburgh, Pa. : School of Computer Science, Carnegie Mellon University, 1996. [148] 154. Needham, R., and Schroeder, M. Using encryption for authentication in large networks of computers. Communications of the ACM 21, 12 (December 1978), 993–999. [45]

Literature

193

¨rcher Zeitung. 155. Neue Zu Mit Blackbox im Auto Versicherungspr¨ amien sparen. http://www.nzz.ch/nachrichten/wirtschaft/aktuell/mit_blackbox_ im_auto_versicherungspraemien_sparen_1.696390.html, March 2008. [140] 156. New, D., and Rose, M. RFC 3195: Reliable delivery for syslog. Request for Comments, 2001. http://www.ietf.org/rfc/rfc3195.txt. [141] 157. Niemeyer, P., and Knudsen, J. Learning Java. O’Reilly, 2005. [115] 158. Norman, D. The Invisible Computer. MIT Press, 1999. [159] 159. OASIS. Extensible access control markup language. http://www.oasis-open. org/committees/xacml/. [170] 160. Ohtaki, Y. Partial disclosure of searchable encrypted data with support for boolean queries. In Proceedings of the 1st International Workshop on Advances in Policy Enforcement (2008), S. Jakoubi, S. Tjoa, and E. Weippl, Eds., IEEE Computer Society, pp. 1083–1090. [145] 161. Oliver, R. What is Transparency? McGraw-Hill, 2004. [159] 162. Oppliger, R., and Ritz, R. Digital evidence: Dream and reality. IEEE Security and Privacy 1, 5 (September/October 2003), 44–48. [5, 39, 140] 163. Otway, D., and Rees, O. Efficient and timely mutual authentication. ACM Operating Systems Review 21, 1 (January 1987), 8–10. [45] 164. Owicki, S., and Lamport, L. Proving liveness properties of concurrent programs. ACM Transactions on Programming Languages and Systems 4, 3 (July 1982), 455–495. [21] 165. Panda, B., Giordano, J., and Kalil, D. Next-generation of cyber forensics. Communications of the ACM 49, 2 (February 2006), 44–47. [140, 158] 166. Park, J., and Sandhu, R. The UCONABC usage control model. ACM Transactions on Information and System Security 7, 1 (February 2004), 128–174. [3, 17] 167. Pashalidis, A., and Mitchell, C. A taxonomy of single sign-on systems. In Information Security and Privacy, R. Safavi-Naini and J. Seberry, Eds., vol. 2727 of Lecture Notes in Computer Science. Springer-Verlag, 2003, pp. 249–264. [13] 168. Microsoft passport. http://www.passport.com/. [11, 14, 157] 169. Daily traffic rank trend for the MS-Passport website. http://www.alexa.com/ data/details/traffic_details?&range=2y&size=large&compare_sites=&y= t&url=http://www.passport.net. [14] 170. Peikari, C., and Chuvakin, A. Security Warrior. O’Reilly, 2004. [115] 171. Pinsker, R., and Li, S. Costs and benefits of XBRL adoption: Early evidence. Communications of the ACM 51, 3 (March 2008), 47–50. [158] 172. Personal information protection act. http://www.psp.gov.ab.ca/. [14] 173. Popper, K. Conjecture and Refutations. Routledge, 1963. [67] 174. Powers, C., Ashley, P., and Schunter, M. Privacy promises, access control, and privacy management. In Proceedings of the 3rd Third International Symposium on Electronic Commerce (2002), IEEE Computer Society Press, pp. 13–21. [149] 175. Pretschner, A., Hilty, M., and Basin, D. Distributed usage control. Communications of the ACM 49, 9 (September 2006), 39–44. [9, 19, 135, 137, 139] ¨tz, F., and Walter, T. 176. Pretschner, A., Hilty, M., Schaefer, C., Schu Usage control enforcement: Present and future. IEEE Security & Privacy 6, 4 (July/August 2008), 44–53. [9, 25, 27] 177. Pretschner, A., Massacci, F., and Hilty, M. Usage control in serviceoriented architectures. In Proceedings of the 4th International Conference on Trust, Privacy and Security in Digital Business, C. Lambrinoudakis, G. Pernul,

194

178. 179. 180.

181.

182.

183. 184. 185.

186. 187.

188. 189.

190. 191. 192.

193. 194. 195. 196. 197.

Literature and A. M. Tjoa, Eds., vol. 4657 of Lecture Notes in Computer Science. SpringerVerlag, 2007, pp. 83–93. [145] Privacy bird. http://www.privacybird.org/. [167] Prokein, O. IT-Risikomanagement. Gabler Verlag, 2008. [158] ¨ller, G. Sicherheit, insbesondere Rannenberg, K., Pfitzmann, A., and Mu mehrseitige sicherheit. In Mehrseitige Sicherheit in der Kommunikationstechnik, G. M¨ uller and A. Pfitzmann, Eds. Addison-Wesley, 1997, pp. 21–30. [10, 38] Raub, D., and Steinwandt, R. An algebra for enterprise privacy policies closed under composition and cojunction. In Proceedings of the International Conference on Emerging Trends in Information and Communication Security, G. M¨ uller, Ed., vol. 3995 of Lecture Notes in Computer Science. Springer-Verlag, 2006, pp. 130– 144. [11, 157, 169] Reeder, R., Karat, C.-M., Karat, J., and Brodie, C. Usability challenges in security and privacy policy-authoring interfaces. In Proceedings of the 11th International Conference on Human-Computer Interaction (2007), M. C. C. Baranauskas, P. A. Palanque, J. Abascal, and S. D. J. Barbosa, Eds., vol. 4663 of Lecture Notes in Computer Science, Springer-Verlag, pp. 141–155. [10, 11] Reiter, M., and Rubin, A. Anonymous web transactions with crowds. Commununications of the ACM 42, 2 (1999), 32–48. [11, 157] Reliable syslog. http://security.sdsc.edu/software/sdsc-syslog/. [141] ´quete, A., and Ferreira, P. Enforcing obligation with security Ribeiro, C., Zu monitors. In Proceedings of the 3rd International Conference on Information and Communications Security, S. Qing, T. Okamoto, and J. Zhou, Eds., vol. 2229 of Lecture Notes in Computer Science. Springer-Verlag, 2001, pp. 172–176. [11, 19, 157] Ringelstein, C. Protokollierung in service-orientierten architekturen. Datenschutz und Datensicherheit 31, 10 (2007). [9, 145] Roger, M., and Goubault-Larrecq, J. Log auditing through model-checking. In Proceedings of the Computer Security Foundations Workshop (2001), IEEE Computer Society, pp. 220–235. [147] Rogers, M., and Seigfried, K. The future of computer forensics: A needs analysis survey. Computers & Security 23, 1 (2004), 12–16. [152] Roscoe, B. Intensional specifications of security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1996, pp. 28–38. [160] Rothfeder, J. Privacy in the age of transparency. Strategy & Business (Spring 2004), 99–103. [159] Ryan, P., Schneider, S., Goldsmith, M., Lowe, G., and Roscoe, B. Modelling and Analysis of Security Protocols. Addison Wesley, 2001. [9] ¨ker, J., and Accorsi, R. Personalization in privacy-aware Sackmann, S., Stru highly dynamic systems. Communications of the ACM 49, 9 (September 2006), 32–38. [10, 157] Salomon, D. Data Privacy and Security. Springer Verlag, 2003. [42] Saltzer, J., and Schroeder, M. The protection of information in computer systems. Proceedings of the IEEE 63, 9 (September 1975), 1278–1308. [3] Sandhu, R., and Samarati, P. Access control: Principles and practice. IEEE Communications Magazine 32, 9 (September 1994), 40–48. [4, 19, 104] Sandhu, R., and Samarati, P. Authentication, access control, and audit. ACM Computing Surveys 28, 1 (March 1996), 241–243. [17, 145] Sanett, S., and Park, E. Authenticity as a requirement of preserving digital data and records. IASSIST Quarterly 24, 1 (2000), 15–18. [38]

Literature

195

198. SANS. Sans top-20 2007 security risks. http://www.sans.org/top20/. [145] 199. The Sarbanes-Oxley Act. http://www.sarbanes-oxley.com/. [2] 200. Schmidt, A. Implicit human computer interaction through context. Personal and Ubiquitous Computing 4, 2-3 (June 2000), 191–199. [159] 201. Schneider, F. Enforceable security policies. ACM Transactions on Information and System Security 3, 1 (February 2000), 30–50. [3, 15, 17, 20, 21, 23, 27, 135, 136, 137, 138, 167] 202. Schneider, F., Morrisett, G., and Harper, R. A language-based approach to security. In Informatics – 10 years back. 10 years ahead., R. Wilhelm, Ed., vol. 2000 of Lecture Notes in Computer Science. Springer-Verlag, 2001, pp. 86– 101. [115] 203. Schneier, B. Applied Cryptography. John Wiley and Sons, Inc, 1996. [42] 204. Schneier, B., and Kelsey, J. Security audit logs to support computer forensics. ACM Transactions on Information and System Security 2, 2 (May 1999), 159–176. [140, 142, 143] ˇar, V., Jerman-Blaˇ ˇ, B., and Klobuc ˇar, T. Privacy-enhancing tech205. Senic zic nologies – Approaches and development. Computer Standards and Interfaces 25, 2 (May 2003), 147–158. [10] 206. Sevinc ¸ , P., Strasser, M., and Basin, D. Securing the distribution and storage of secrets with trusted platform modules. In Proceedings of the 1st Workshop in Information Security Theory and Practice, D. Sauveron, K. Markantonakis, A. Bilas, and J.-J. Quisquater, Eds., vol. 4462 of Lecture Notes in Computer Science. Springer, 2007, pp. 53–66. [42] 207. Shibboleth project. http://shibboleth.internet2.edu/. [11, 157] 208. Shim, S., Bhalla, G., and Pendyala, V. Federated identity management. Computer 38, 12 (December 2005), 120–122. [11, 13, 157] 209. Sipser, M. Introduction to the Theory of Computation, first ed. PWS Publishing Company, 1996. [78, 104] 210. Sistla, P. Safety, liveness and fairness in temporal logic. Formal Aspects of Computing 6, 5 (September 1994), 495–512. [26] 211. Snodgrass, R., Yao, S., and Collberg, C. Tamper detection in audit logs. In Proceedings of the 30th Conference on Very Large Data Bases, M. Nascimento, ¨ M. T. Ozsu, D. Kossmann, R. Miller, J. Blakeley, and B. Schiefer, Eds. Morgan Kaufmann, 2004, pp. 504–515. [47] 212. Sorebo, G. A model for private sector compliance in information security. IT Compliance Journal 2 (2006), 7–14. [68, 145] 213. Stahlberg, P., Miklau, G., and Levine, B. Threats to privacy in the forensic analysis of database systems. In Proceedings of the 26th International Conference on Management of Data, C. Y. Chan, B. C. Ooi, and A. Zhou, Eds. ACM Press, 2007, pp. 91–102. [158] 214. Stathopoulos, V., Kotzanikolaou, P., and Magkos, E. A framework for secure and verifiable logging in public communication networks. In Proceedings of the Workshop on Critical Information Infrastructures Security, J. Lopez, Ed., vol. 4347 of Lecture Notes in Computer Science. Springer-Verlag, 2006, pp. 273– 284. [143] 215. Sterne, D. On the buzzword “security policy”. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 1991, pp. 219–230. [11, 17, 157] 216. Sweene, L. k-Anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, 5 (May 2002), 557– 570. [11, 157]

196

Literature

217. Syslog-ng web site. http://www.balabit.com/products/syslog_ng/. [141] 218. Tapscott, D., and Ticoll, D. The Naked Corporation: How the Age of Transparency will Revolutionize Business. Free Press, 2003. [159] 219. Tavani, H., and Moor, J. Privacy protection, control of information, and privacy-enhancing technologies. ACM Computer and Society 31, 1 (March 2001), 6–11. [10, 157] 220. Tcpdump Website. http://www.tcpdump.org/, 2008. [141] 221. The Common Digital Evidence Storage Format Working Group. Standardizing digital evidence storage. Communications of the ACM 49, 2 (February 2006), 67–68. [144, 152] 222. TPM Emulator Berlios. http://tmp-emulator.berlios.de, 2008. [115] 223. TRUSTe. http://www.truste.org/. [11, 157] 224. Udo, G. Privacy and security in concerns as major barriers for e-commerce: A survey study. Information Management and Computer Security 9, 4 (October 2001), 165–174. [157] 225. W3C. EPAL submission. http://www.w3.org/Submission/2003/07/Comment. [169] 226. W3C. P3P: Platform for privacy preferences. http://www.w3.org/P3P/. [11, 17, 157, 165, 167] 227. Watchfire and WebCPO. http://www.watchfire.com/. [151] 228. Waterfield, P., and Casey, J. The governance of compliance: Putting policies into practice. Yankee Report, April 2005. [6, 110] 229. Waters, B., Balfanz, D., Durfee, G., and Smetters, D. Building an encrypted and searchable audit log. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (2004). [145] 230. Weitzner, D. Beyond secrecy – New privacy protection strategies for open information systems. IEEE Internet Computing 11, 5 (September/October 2007), 94–96. [145] 231. Westin, A. Privacy and Freedom. Atheneum, 1967. [9] ¨ller, G. Privacy with delegation of rights by identity 232. Wohlgemuth, S., and Mu management. In Proceedings of the International Conference on Emerging Trends on Information and Communication Security, G. M¨ uller, Ed., vol. 3995 of Lecture Notes in Computer Science. Springer-Verlag, 2006, pp. 175–190. [11, 157] 233. Woo, T., and Lam, S. A lesson in authentication protocol design. ACM Operating Systems Review 28, 3 (July 1994), 24–37. [59] 234. Woo, T., and Lam, S. Authentication for distributed systems. In Practical Cryptography for Data Internetworks, W. Stallings, Ed. IEEE Computer Society Press, 1996. [45] 235. The eXtensible Business Reporting Language (XBRL). http://www.xbrl.org/. [158]

Abbreviation and Symbol Index

PET HDS N auth preB posB σ Υ P Π Pˆ ΣS σ[..i] P r r+ r− EM ≺ ≈ BNF

Privacy-Enhancing Technologies 10 Highly Dynamic Systems 12 natural numbers 15 authorisational predicate 18 preconditional predicate 19 postconditional predicate 19 event sequence, trace 20 universe of traces 20 arbitrary predicate 20 set of traces 20 predicate P on single traces 20 traces of system S 20 prefix of σ with i events 21 policy, set of rules 22 policy rule 22 policy rule with positive ruling 22 policy rule with negative ruling 22 Execution Monitoring 23 “is weaker” relation 28 “is equivalent” relation 28 Backus-Naur Form 28

di P K {X}K

E DAKL NSPK N PCR AIK G I L T M LVA CPG C FE V EGE auth

Part I LMH EAH LVH ERH TPM

Hash(X)

Log Message Handler 41 Entry Append Handler 41 Log View Handler 41 Entry Retrieval Handler 41 Trusted Platform Module 41 log device 42 payload of a log message or entry 42 cryptographic key 42 encryption of X with the key K 42

Talg ID Z

application of the Hash function to X 42 log entry 42 Device Authorisation and Key Lookup Table 43 Needham-Schroeder Public Key 45 nonce 45 Platform Configuration Registers 45 Attestation Identity Key 46 evolving entry authentication key 47 index of an entry, identifier of data providers 47 log view 53 audit trail of log views 53 metadata of log views 53 Log View Authenticator 69 Counterexample Pattern Generator 69 set of counterexample patterns 69 Falsification Engine 69 set of counterexample instances, violations 69 Evidence Generation Engine 69 predicate auth with changed ruling 71 time complexity of algorithm alg 78 set of unique entry identifiers 79 index component of log entries capturing their correlation 79

Part II RSA

Rivest Shamir Adleman 115

198 3DES SHA TCB UDP TCP E-P3P IBE NIST

Abbreviation and Symbol Index Triple Data Encryption Standard 115 Secure Hash Algorithm 115 Trusted Computing Base 138 User Datagram Protocol 141 Transmission Control Protocol 141 Platform for Enterprise Privacy Practices 150 Identity-Based Encryption 150 National Institute of Stan-

CC

dards and Technology 151 Common Criteria 151

Appendix P3P XACML URN TPM

Platform for Privacy Preferences 165 Extended Access Control Markup Language 170 Uniform Resource Name 171 Trusted Computing Module 173

Index

attacker model – data at rest, 60 – data in transit, 57 audit 1 – audit trail, 5 – automated, 6 – correctness criterion, 96 – exhaustive mode, 81 – fast mode, 92 – IT audit, 1 – manual, 6 – offline, 6 – online, 6 – semi-automated, 6 – superfast mode, 93

– correlation, 80 log data 4 – authenticity, 5, 38 – confidentiality, 38, 60 – integrity, 38, 62 – – accuracy 38 – – compactness 38 – – completeness 38 – log entry, 4 – log file, 4 – origin integrity, 38 log view 6 – communication, 55 – generation, 53 MAC 43 managed data item 18 mutual authentication 44

BNF 28, 177 – nonterminal, 177 – terminal, 177

nonce counterexample pattern – generation, 70, 76 – transformation, 72

object 18 obligation 3 – controllable, 137 – observable, 138 – postcondition, 19 – precondition, 19

decidability 34 default ruling 182 domain layer 177 enforcement 23 evolving cryptographic key falsification

47

7

hash chain 48 HIPAA 2 identity-based encryption 150 instance layer 177 intrusion detection systems 146 language layer log – collector, 4 – device, 4 – relay, 4 log dat

177

45

PET 10 policy – language, 17 – – Praia 28 – privacy, 17 – security, 17 policy rule 17 – auditable, 24 – authorisational, 22 – authorisation element, 18 – enforceable, 23 – enforcement, 3, 23, 136 – monitorable, 27 – obligation element, 19 – postconditional, 22 – preconditional, 22 – regular, 22 – ruling, 18

200

Index

– satisfaction, 22 – violation, 23 postconditional predicate – bounded demanding, 25 – – alive 26 – forbidding, 24 – unbounded demanding, 26 privacy 9 privacy evidence 12 – expressiveness, 111 – generation, 91 process rewriting 139 property 20 – bounded-liveness, 25 – formalisation, 20 – liveness, 21 – safety, 21

remote attestation right 18

reference monitor

verification

23, 136

45, 173

Sarbanes-Oxley 2 secure logging 5 – reliable syslog, 141 – Schneier Kelsey, 142 – syslog, 140 – syslog-ng, 141 – syslog-sign, 141 sticky policy 149, 167 subject 18 trace 20 trusted computing base usage control

9 109

138