Separation of Powers in the Cloud

Where Applications and Users Become Peers

David H. Lorenz

Open University & Technion

Boaz Rosenan

University of Haifa

We Trust Our Web Applications
 

​With:

  • Personal information
  • Private communications
  • Credit card details

Do they Deserve Our Trust?

 Giants Being Giants...

  • A fair privacy policy

  • Non-intentional privacy leaks

A Simple Idea

Instead of trusting applications with our data...

We simply do not give applications access to it!

Traditionally...

Application Service Provider

Application

Users

User Data

Separation of Powers

Cloud Service Provider

Platform as a Service (PaaS)

Users

User Data

Application Provider

Application

Applications and Users Become Peers

Contribution

  • Conceptual 
    • Apps can work w/o access to user data
  • ​​ Technical
    • Concrete languages 
      • Basic ClouldLog
      • Secure CloudLog 

Basic CloudLog

The Challenge:

How can an application work without access to user data?

Deductive Databases

  • Databases based on logic programming
  • Express knowledge as axioms
    • Facts
    • Rules
  • Decoupling
    • Application logic expressed as rules
    • User data expressed as facts

Basic CloudLog

  • A query language for deductive databases
  • "NoDatalog"
    • Supports compound terms
    • Explicit bottom-up evaluation

Bottom-Up Evaluation

+
++
=
==

or

How Apps Can Work

Cloud Service Provider

CloudLog Database

Users

Facts

Application Provider

Rules

CloudLog Database

Secure CloudLog

The Challenge:

How can access control be applied without trusting the application?

Statements

The Problem with Axioms

  • Axioms are taken to be true
  • Axioms are known to all

Axioms vs. Statements

This is a statement,

not an axiom!

It is going to rain on Wednesday

It is going to rain on Wednesday, said the weatherman

This is an axiom.

The weatherman told the viewers it was going to rain on Wednesday

Converting Statements to Axioms

  • An axiom is created by attaching two sets to a statement
    • A reader set , specifying who can read this statement
    • A writer set , attributing the statement on a speaker

Adding and Removing Statements

  • Any user can add any statement, as long as she attribute it to herself
\in
\in
  • A user can remove a statement if she is a member of its writer set

Querying Facts

A user will see a fact in query results if:

\in
\in
\supseteq
\supseteq

Trusted

How Queries Work

Cloud Service Provider

Users

Facts

Application Provider

Rules

Bottom-Up Evaluation

+
++
=
==

or

?

?

Statement Propagation (1)

\cap
\cap
\cup
\cup

Unchecked Rule

Statement Propagation (2)

\cap
\cap

Checked Rule

Power to the People

  • Users own their data
  • They decide who reads it
  • They can remove it or modify it at will

Two Questions

  • What makes the cloud service provider any more trustworthy than the application provider?
  • Why should application providers give up control over user data and switch over?

A Single Answer

Do one Thing and Do it Well.

Douglas McIlroy

Things They Do Well...

  • Application Providers
    • Make money
    • Spread information
  • Cloud Service Providers
    • Availability
    • Confidentiality
    • Integrity

}

CloudLog

In the Paper...

  • A description of CloudLog
    • Syntax and semantics
  • A Twitter-like example
  • More details on practicality

Related Work

  • Recent work in Deductive Databases:
    • [Cali12], [Bu12], [Abiteboul05], [Alvaro10]
  • Access Control languages:
    • Binder [DeTreville02]
    • SecPAL [Moritz10]
    • DKAL [Gurevich08]

Conclusion

Application Service Provider

Application

Users

User Data

If you want to keep doing this...

Separation of Powers

Cloud Service Provider

Platform as a Service (PaaS)

Users

User Data

Application Provider

Application

This is possible!

Separation of Powers in the Cloud

Where Applications and Users Become Peers

Thank You!

Made with Slides.com