William R. Marczak
ABSTRACT
We present SecureBlox, a declarative system that unifies a distributed query processor with a security policy framework. SecureBlox decouples security concerns from system specification, allowing easy reconfiguration of a system's security properties to suit a given execution environment. Our implementation of SecureBlox is a series of extensions to LogicBlox, an emerging commercial Datalog-based platform for enterprise software systems. SecureBlox enhances LogicBlox to enable distribution and static meta-programmability, and makes novel use of existing LogicBlox features such as integrity constraints. SecureBlox allows meta-programmability via BloxGenerics - a language extension for compile-time code generation based on the security requirements and trust policies of the deployed environment. We present and evaluate detailed use-cases in which SecureBlox enables diverse applications, including an authenticated declarative routing protocol with encrypted advertisements and an authenticated and encrypted parallel hash join operation. Our results demonstrate SecureBlox's abilities to specify and implement a wide range of different security constructs for distributed systems as well as to enable tradeoffs between performance and security.
- Cassandra: Distributed Access Control Policies with Tunable Expressiveness. In Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), page 159. IEEE Computer Society, 2004. Google Scholar
Digital Library
- M. Abadi. On Access Control, Data Integration, and Their Languages. In Computer Systems: Theory, Technology and Applications, A Tribute to Roger Needham, pages 9--14. Springer-Verlag, 2004.Google Scholar
- M. Abadi and B. T. Loo. Towards a Declarative Language and System for Secure Networking. In Proceedings of the Third USENIX International Workshop on Networking Meets Databases (NetDB), pages 1--6. USENIX Association, 2007. Google ScholarDigital Library
- P. Alvaro, T. Condie, N. Conway, K. Elmeleegy, J. M. Hellerstein, and R. C. Sears. BOOM Analytics: Exploring Data-Centric, Declarative Programming for the Cloud. In EuroSys, 2010. Google ScholarDigital Library
- P. Alvaro, T. Condie, N. Conway, J. M. Hellerstein, and R. C. Sears. I Do Declare: Consensus in a Logic Language. In Proceedings of the Fifth International Workshop on Networking Meets Databases (NetDB), 2009.Google Scholar
- M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized Trust Management. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (SP), page 164. IEEE Society, 1996. Google ScholarDigital Library
- M. Bravenboer and Y. Smaragdakis. Exception Analysis and Points-To Analysis: Better Together. In Proceedings of the Eighteenth International Symposium on Software Testing and Analysis (ISSTA), pages 1--12. ACM, 2009. Google ScholarDigital Library
- M. Bravenboer and Y. Smaragdakis. Strictly Declarative Specification of Sophisticated Points-To Analyses. In Proceeding of the Twenty-Fourth ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA), pages 243--262. ACM, 2009. Google ScholarDigital Library
- W. F. Clocksin and C. S. Melish. Programming in Prolog. Springer-Verlag, 1987. Google ScholarDigital Library
- T. Condie, D. Chu, J. M. Hellerstein, and P. Maniatis. Evita Raced: Metacompilation for Declarative Networks. Proceedings of the VLDB Endowment (PVLDB), 1(1):1153--1165, 2008. Google ScholarDigital Library
- J. DeTreville. Binder, a Logic-Based Security Language. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP), page 105. IEEE Computer Society, 2002. Google ScholarDigital Library
- A. Deutsch, A. Nash, and J. Remmel. The Chase Revisited. In Proceedings of the Twenty-Seventh ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems (PODS), pages 149--158. ACM, 2008. Google ScholarDigital Library
- R. Dingledine, N. Mathewson, and P. Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the Thirteenth conference on USENIX Security Symposium (SSYM), pages 21--21. USENIX Association, 2004. Google ScholarDigital Library
- R. Geambasu, S. Gribble, and H. M. Levy. CloudViews: Communal Data Sharing in Public Clouds. In Workshop on Hot Topics in Cloud Computing (HotCloud), 2009. Google ScholarDigital Library
- A. Gupta, I. S. Mumick, and V. S. Subrahmanian. Maintaining Views Incrementally. In Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 157--166. ACM, 1993. Google ScholarDigital Library
- R. Huebsch, J. M. Hellerstein, N. Lanham, B. T. Loo, S. Shenker, and I. Stoica. Querying the Internet with PIER. In Proceedings of the Twenty-Ninth International Conference on Very Large Data Bases (VLDB), pages 321--332. VLDB Endowment, 2003. Google ScholarDigital Library
- T. Jim. SD3: A Trust Management System with Certified Evaluation. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (SP), page 106. IEEE Computer Society, 2001. Google ScholarDigital Library
- B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authentication in Distributed Systems: Theory and Practice. ACM Transactions on Computer Systems (TOCS), 10(4):265--310, 1992. Google ScholarDigital Library
- N. Li, B. N. Grosof, and J. Feigenbaum. Delegation Logic: A Logic-Based Approach to Distributed Authorization. ACM Transactions on Information and System Security, 6(1):128--171, 2003. Google ScholarDigital Library
- LogicBlox Inc. http://www.logicblox.com/.Google Scholar
- B. T. Loo, T. Condie, M. Garofalakis, D. E. Gay, J. M. Hellerstein, P. Maniatis, R. Ramakrishnan, T. Roscoe, and I. Stoica. Declarative Networking: Language, Execution and Optimization. In Proceedings of the 2006 ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 97--108. ACM, 2006. Google ScholarDigital Library
- B. T. Loo, T. Condie, J. M. Hellerstein, P. Maniatis, T. Roscoe, and I. Stoica. Implementing Declarative Overlays. In Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP), pages 75--90. ACM, 2005. Google ScholarDigital Library
- B. T. Loo, J. M. Hellerstein, I. Stoica, and R. Ramakrishnan. Declarative Routing: Extensible Routing with Declarative Queries. In Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pages 289--300. ACM, 2005. Google ScholarDigital Library
- W. R. Marczak, D. Zook, W. Zhou, M. Aref, and B. T. Loo. Declarative Reconfigurable Trust Management. In Fourth Biennial Conference on Innovative Data Systems Research (CIDR), 2009.Google Scholar
- M. Meier, M. Schmidt, and G. Lausen. On Chase Termination Beyond Stratification. Proceedings of the VLDB Endowment (PVLDB), 2(1):970--981, 2009. Google ScholarDigital Library
- Predictix. http://www.predictix.com/.Google Scholar
- Semmle. http://semmle.com/.Google Scholar
- Who uses Tor? https://www.torproject.org/torusers.html.en.Google Scholar
- W. Zhou, Y. Mao, B. T. Loo, and M. Abadi. Unified Declarative Platform for Secure Networked Information Systems. In Proceedings of the 2009 IEEE International Conference on Data Engineering (ICDE), pages 150--161. IEEE Computer Society, 2009. Google ScholarDigital Library
Index Terms
- SecureBlox: customizable secure distributed data processing
Recommendations
Combining Joint and Semi-Join Operations for Distributed Query Processing
The application of a combination of join and semi-join operations to minimize the amount of data transmission required for distributed query processing is discussed. Specifically, two important concepts that occur with the use of join operations as ...
Decidable containment of recursive queries
Database theoryOne of the most important reasoning tasks on queries is checking containment, i.e., verifying whether one query yields necessarily a subset of the result of another one. Query containment is crucial in several contexts, such as query optimization, query ...
Generating query plans for distributed query processing using genetic algorithm
ICICA'11: Proceedings of the Second international conference on Information Computing and ApplicationsQuery Processing is a key determinant in the overall performance of distributed databases. It requires processing of data at their respective sites and transmission of the same between them. These together constitute a distributed query processing ...
Comments