Policy Compliance of Queries for Private Information Retrieval
OverviewThe use of Private Information Retrieval (PIR) techniques enable a client to retrieve items from a co-operating database without revealing either the query or the items being retrieved. However, as both the query and the results are hidden from the database owner, it is in principle possible for the client to access information that she is not authorized to access. In order to prevent this, it must be possible to prove that the queries being posed are compliant with a set of privacy policies previously agreed upon by the client and server. Policy assurance deals with proving that queries made by the client conform to mandated policies and that leakage of sensitive information is not possible.
We propose to extend our AIR (Accountability in RDF) policy language to capture the semantics of query-based privacy policies. The AIR policy language is aimed at meeting policy compliance requirements of open, decentralized information infrastructures such as the World Wide Web and large enterprise systems. It is able to provide detailed explanations for policy compliance and non-compliance by using dependency tracking. The explanation feature will be particularly useful in this program because it will allow database owners to check the correctness of their policy and allow users to trust that their policy is being enforced correctly. We will also modify the AIR reasoner to understand the properties of these queries and incorporate compliance checking for both individual and combinations of queries.
In stage 1, we will support policy compliance over SPARQL queries by extending SPASQL to express a subset of SPARQL as RDF graphs so that AIR policies can be written over different components of queries.
In stage 2, We allow policies to be written at a higher level and be less dependent on the query and database structure.
In stage 3, we will support SQL queries either converting SQL to RDF directly or via SPARQL.
Policy Assurance ToolsWe have developed several tools to help develop SPARQL-based policies as well view the result of the policy inference.
Justification User InterfaceAs explanations are usually in the form of proof trees, which might be incomprehensible to end users, we have developed a graphical Justification User Interface in Tabulator, a Firefox extension for SemanticWeb browsing. The interface allows users to view the explanation provided by the AIR reasoner in different ways: (i) in a simple Semantic Web based rule language, and (ii) in a graphical layout that highlights the result of the reasoning and shows both its natural language explanation as well as its specific premises (or dependencies) and allows these explanations to be explored.
Download Tabulator Firefox extension to view demos below
SPARQL to N3 TranslatorAs our tools are based in SW technologies, we require the queries to be in a compatible format as well. SPARQL, unfortunately, is not in RDF requiring the SPARQL queries to be translated into RDF Our first attempt at SPARQL translation lead to a detailed ontology in RDF that captured most of the semantics of SPARQL. Though this was useful research, it lead to lengthy and complex policies. We realized that we could not continue with this translation, so we tried to come up with a simplified ontology. This ontology actually flattened the earlier ontology causing us to lose most of the semantics of SPARQL. This ontology is the smallest ontology we could come up with that maintained the components of the query that we require for reasoning and it greatly reduced the size and complexity of our policies The SPARQL to N3 service accepts sparql queries and returns the translated query in our simplified ontology.
Policy GeneratorWe support automated policy generation using policy templates for : restriction, inclusion, exclusion, chaining, and default deny. The requirements for each policy are different, so please visit the policy generator page for further details. The policy generator outputs an AIR policy in N3.
Policy Execution ServiceThe Policy Execution Page accepts the URI of a policy and the URI of a SPARQL query in N3 as input. It passes these along to the AIR reasoner, and displays the reasoning output in a Web browser. If you have Tabulator installed, the results will appear automatically in the Justification UI.
SPARQL EndpointWe put the test database into a SPARQL endpoint and gave it an easy to use front end.
Use Case 0: Understanding Structure of SPARQL policiesThe database contains personal information including SSN numbers, openid uris, name, contact details etc. This use case is based on the initial sparql translation. The policy states that if SSN number is referred to in the query either as the requested value or just to filter the data, the query is incompliant.
Use Case 1: Types of PoliciesWe move away from a particular kind of database and try to generalize the building blocks of queries that we might want to build. The generic policies include:
Use Case 2: Using External Semantic Web Information
Use Case 3: Query HistoryUse Case 3 introduces support for query history. If a policy supports history, this means that the policy will make a compliance decision based on not only the current query that a use makes to the database, but also the user's entire history of queries. The current reference implementation of a history-aware policy demonstrates one possibility for the format of such a policy. We are still working on a good online demo for query history.
Use Case 4: Controlling Source/Graphs
We should also consider policies which control what tables a user has access to. The following generic policies will do just that. Note that these all use the new translation of SPARQL.
Use Case 5: Meta-Policies and More Control
Using the AIR policy language, it is also possible to use some more
sophisticated policy control. For example, we can place several
policies on one document. This allows us to build several base
policies which may be used frequently, and match them as we see
fit. For example, we can have a policy checking for which variables
are retrieved, and another checking from where they are retrieved, in
maintained by Lalana Kagal
$Revision: 31138 $
$Date: 2011-08-23 16:59:02 -0400 (Tue, 23 Aug 2011) $