Date of this Version
In this paper, we present a unified declarative platform for specifying, implementing, analyzing and auditing large-scale secure information systems. Our proposed system builds upon techniques from logic-based trust management systems, declarative networking, and data analysis via provenance. First, we propose the Secure Network Datalog (SeNDlog) language that unifies Binder, a logic-based language for access control in distributed systems, and Network Datalog (NDlog), a distributed recursive query language for declarative networks. SeNDlog enables network routing, information systems, and their security policies to be specified and implemented within a common declarative framework. Second, we extend existing distributed recursive query processing techniques to execute SeNDlog programs that incorporate the notion of authenticated communication among untrusted nodes. Third, we demonstrate that an integrated declarative framework enables cross-layer analysis and auditing via the use of distributed network provenance. Finally, using a local cluster and the PlanetLab testbed, we perform a detailed performance study of a variety of declarative secure networked information systems implemented using our platform. We further perform an evaluation of network provenance via a SeNDlog-based packet tracing service within a local cluster.
Date Posted: 14 March 2008