Separation of Powers in the Cloud

Where Applications and Users become Peers

David H. Lorenz

The Open University of Israel

Boaz Rosenan

The University of Haifa

We Trust our Web Applications

  • With personal information
  • With private communications
  • With credit card details

But Do they Deserve Our Trust?

They Hold Our Data...

  • But do they respect our privacy?
  • Do we trust they don't have "privacy leaks"?

A Simple Idea

Instead of trusting applications with our data...

We simply do not give applications access to it!

Traditionally...

Application Service Provider

Application

Users

User Data

A Separation of Powers

Cloud Service Provider

Platform as a Service (PaaS)

Users

User Data

Application Provider

Application

Applications and Users become Peers

But How?

Welcome to the NoDatalog Era

A tale of Deductive Databases

or

Deductive Databases

  • Based on Logic Programming
  • Using Datalog as a query language
  • Mostly abandoned in the last two decades.

Deductive Databases

  • Express knowledge as axioms:
    • Facts
    • Rules
  • In our model:
    • Application logic can be conveyed as rules,
    • User data can be conveyed as facts.

Example: Twitter-like System

  • follow(alice, bob).
  • tweet(bob, 'Hello, World').
  • timeline(A, B, T) :-
        follow(A, B),
        tweet(B, T).
  • timeline(alice, B, T)?
    • B=bob, T='Hello, World'

A Historic Perspective

  • Datalog lost ground to SQL.
  • SQL is now losing ground to NoSQL...

Datalog vs. NoSQL

  Datalog                           NoSQL
  Supports conjunctions (joins)     No support for joins
  Supports only primitive types     Supports aggregate / dynamic types

Can a new kind of deductive database, not based on Datalog, be a better match for the NoSQL era?

NoDatalog

  • is to Datalog what NoSQL is to SQL.
  • is not a specific language or a specific database.
  • is a design-space for deductive databases that:
    • Scale like NoSQL databases.
    • Support compound terms.

CloudLog

  • A single datapoint in the NoDatalog design space.
  • A concrete language described in our paper.
  • Features:
    • Explicit bottom-up and top-down evaluation.
    • Access control.

Back to Users and Applications...

Cloud Service Provider

NoDatalog Database

Users

Facts

Application Provider

Rules

Separation of Powers

  • Applications only publish rules.
  • They do not have access to the data.
  • The database enforces access control.

But how?

A Statement about Statements

The problem with Axioms

  • Axioms are taken to be true.
  • Axioms are known to all.

Axioms vs. Statements

Is it an axiom?

No, it's a statement!

It is going to rain on Wednesday

Axioms vs. Statements

It is going to rain on Wednesday, said the weatherman

This is an axiom.

And Better Yet...

The weatherman told the viewers it was going to rain on Wednesday

Statements to Axioms

  • Statements can be converted to axioms by attaching two sets to each:
    • A reader set, specifying who can read this statement.
    • A writer set, attributing the statement to a speaker.

When Adding a Fact or a Rule

  • The Database makes sure the user is in the provided writer set.
    • I cannot write facts or rules on behalf of anyone else.
\in
\in

Making a Query

Cloud Service Provider

Platform as a Service (PaaS)

Users

User Data

Application Provider

Application

When Querying the Database

  • The Database only considers facts and rules the user is allowed to see.
  • It also only considers facts and rules from authorized writers.
\in
\in
\supseteq
\supseteq
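As an added illustration (not CloudLog and not code from the paper), the following Python sketch puts the Twitter-like rule from the earlier slide together with the two checks described on the last slides: on insertion the acting user must be in the statement's writer set, and a query uses only statements the querying user may read. How "authorized writers" are determined is not spelled out on the slides; here the query names the writers it trusts and a statement is used only when that trusted set covers its writer set. The `?`-prefixed variables, the `Statement` class, and the names alice, bob, carol and tweeter_app are all constructed for the example.

```python
"""Tiny deductive database whose facts and rules carry reader/writer sets."""
from dataclasses import dataclass

# Variables are strings prefixed with "?" (e.g. "?B"); anything else is a
# constant.  Prolog's uppercase convention would misread 'Hello, World'.
def is_var(term):
    return isinstance(term, str) and term.startswith("?")

@dataclass(frozen=True)
class Statement:
    """A fact (empty body) or a rule, plus the two sets that make it an axiom."""
    head: tuple                        # e.g. ("follow", "alice", "bob")
    body: tuple = ()                   # e.g. (("follow", "?A", "?B"), ...)
    readers: frozenset = frozenset()   # who may read (query over) this statement
    writers: frozenset = frozenset()   # whom the statement is attributed to

class NotAuthorized(Exception):
    pass

def unify(pattern, fact, bindings):
    """Extend bindings so that pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    out = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in out and out[p] != f:
                return None
            out[p] = f
        elif p != f:
            return None
    return out

def match_body(body, facts, bindings):
    """Yield every binding satisfying all body goals (a conjunction, i.e. a join)."""
    if not body:
        yield bindings
        return
    for fact in facts:
        b = unify(body[0], fact, bindings)
        if b is not None:
            yield from match_body(body[1:], facts, b)

def apply_rule(rule, facts):
    """Instantiate the rule head for every match of its body over facts."""
    for b in match_body(rule.body, facts, {}):
        yield tuple(b.get(t, t) if is_var(t) else t for t in rule.head)

class DeductiveDB:
    def __init__(self):
        self.statements = []

    def add(self, user, stmt):
        # Writer check on insertion: nobody writes on someone else's behalf.
        if user not in stmt.writers:
            raise NotAuthorized(f"{user} not in writer set {sorted(stmt.writers)}")
        self.statements.append(stmt)

    def query(self, user, trusted, goal):
        # Reader check, plus the (assumed) writer-trust check: the query's
        # trusted set must cover the statement's writer set.
        visible = [s for s in self.statements
                   if user in s.readers and trusted >= s.writers]
        facts = {s.head for s in visible if not s.body}
        rules = [s for s in visible if s.body]
        # Naive bottom-up evaluation to a fixpoint (works for recursive rules too).
        while True:
            new = {h for r in rules for h in apply_rule(r, facts)} - facts
            if not new:
                break
            facts |= new
        answers = [unify(goal, f, {}) for f in facts]
        return sorted((a for a in answers if a is not None),
                      key=lambda a: sorted(a.items()))

def demo():
    """Constructed scenario mirroring the slides' Twitter-like example."""
    db = DeductiveDB()
    # Users publish facts and choose their own reader sets.
    db.add("alice", Statement(("follow", "alice", "bob"),
                              readers=frozenset({"alice"}), writers=frozenset({"alice"})))
    db.add("bob", Statement(("tweet", "bob", "Hello, World"),
                            readers=frozenset({"alice", "bob"}), writers=frozenset({"bob"})))
    # The application provider publishes only the rule; it never reads the facts.
    db.add("tweeter_app", Statement(
        ("timeline", "?A", "?B", "?T"),
        body=(("follow", "?A", "?B"), ("tweet", "?B", "?T")),
        readers=frozenset({"alice", "bob", "carol"}), writers=frozenset({"tweeter_app"})))
    goal = ("timeline", "alice", "?B", "?T")
    everyone = frozenset({"alice", "bob", "tweeter_app"})
    results = {
        "alice": db.query("alice", everyone, goal),          # B=bob, T='Hello, World'
        "carol": db.query("carol", everyone, goal),          # cannot read the facts: []
        "alice_no_app": db.query("alice", frozenset({"alice", "bob"}), goal),  # rule untrusted: []
    }
    try:  # the app cannot forge a tweet attributed to bob
        db.add("tweeter_app", Statement(("tweet", "bob", "forged"),
                                        readers=frozenset({"alice"}), writers=frozenset({"bob"})))
        results["forgery"] = "accepted"
    except NotAuthorized:
        results["forgery"] = "rejected"
    return results
```

Note that the application's rule is still useful to alice without the application ever receiving her `follow` fact or bob's `tweet`: the database joins them on her behalf, and carol, who may read the rule but neither fact, derives nothing.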

Trusted

Power to the People

  • Users own their data.
  • They decide who reads it.
  • They can remove it or modify it at will.

Discussion

  • What makes the cloud service provider any more trustworthy than the application provider?
  • Why should application providers give up control over user data and switch over?

Trusting the Cloud

  • End users are customers.
  • Holy grail: Working on encrypted statements.

Motivating Applications

  • User awareness of privacy
  • Application providers can still make a buck.

In the Paper...

  • A description of CloudLog.
  • A Twitter-like example.
  • More details on practicality.

Conclusion

  • Applications do not need access to the data.
  • Ownership over data goes back to users.
  • We showed you it's possible. Now there are no excuses...

Thank You!
