TP3.1: Accountablity

Subproject manager
Prof. Dr. Alexander Pretschner
Researcher
Amjad Ibrahim
Researcher
Ehsan Zibaei



Accountability


Modern socio-technical systems are increasingly complex, e.g. connected mobility systems. Especially when designed as platforms or ecosystems, system boundaries of such systems are constantly changing. At run-time, new components are on- or off-boarded. This makes the consideration of all possible threats, e.g. privacy or security incidents, at design time impossible. Consequently, during runtime unwanted behavior occurs (almost) inevitably.
Ideally, unwanted behavior should be prevented. If this is not possible, systems can still be equipped with detective measures. Accountability[1], as a detective approach, provides mechanisms to answer questions about a system’s behavior and identify responsible parties a posteriori. For example, “why was the airbag released?”
Accountability fundamentally means preserving evidence and supporting reasoning about the causal relationships[2] within the collected evidence.

Accountability Framework

Challenges



Causality
Although there are several proposed algorithms in the literature [3,4,5], there are no open implementations that can be used to test and compare the effectiveness and the performance of these algorithms.
Evidence
  • Logs as the basis of the causality analysis requires the security (integrity, completeness, soundness) of these logs.
  • At design time, the granularity and the precision of logged data should be specified.

Objectives


Conceptual and Technical Framework for Accountability
  • Identification of unwanted behavior derived from legal, contractual, and self-imposed obligations at different layers
  • Detect, document and reason about violations of requirements concerning security, safety and privacy


Approach

Assess generic causality-based mechanisms
  • Implementation of three causality algorithms [3,4,5]
  • Development of a benchmark framework (ACCBench) for comparing these algorithms [6]


Securing the evidence (Work in progress)
  • Using cryptographic schemes to ensure integrity, confidentiality, verifiability and tamper evidence of the evidence.


References
[1] Weitzner, D., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.: Information accountability, Communications of the ACM 51(6):82-87, 2008
[2] Halpern, J., Pearl, J.: Causes and Explanations: A Structural-Model Approach. Part I: Causes. arXiv:cs/0011012v3 [cs.AI] 7, 2005
[3] Go¨ssler, G., Le Me´tayer, D.: A General Trace-Based Framework of Logical Causality. [Research Report] RR-8378, 2013.
[4] Gregor Gössler and Lacramioara Astefanoaei. 2014. Blaming in component-based real-time systems. In Proceedings of the 14th International Conference on Embedded Software (EMSOFT ’14). ACM, New York, NY, USA, , Article 7 , 10 pages.
[5] U. S. Mian, J. den Hartog, S. Etalle, N. Zannone Auditing with incomplete logs. In Proceedings of the 3rd Hot Issues in Security Principles and Trust (HotSpot 2015), 2015.
[6] Simon Rehwald: Comparing causality-based Accountability Mechanisms, B.Sc. Thesis in Information Systems, Technische Universität München 2016.
[7] University College London (UCL), Electronic Access Control – Specification Guidance Document, http://www.ucl.ac.uk/estates/security/specifications/