Selected Results and Related Issues of Confidentiality-Preserving Controlled Interaction Execution

  • Joachim BiskupEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9616)


Controlled Interaction Execution has been developed as a security server for inference control shielding an isolated, logic-oriented information system when interacting over the time with a client by means of messages, in particular for query and transaction processing. The control aims at preserving confidentiality in a formalized sense, intuitively and simplifying rephrased as follows: Even when having (assumed) a priori knowledge, recording the interaction history, being aware of the details of the control mechanism, and unrestrictedly rationally reasoning, the client should never be able to infer the validity of any sentence declared as a potential secret in the security server’s confidentiality policy. To enforce this goal, for each of a rich variety of specific situations a dedicated censor has been designed. As far as needed, a censor distorts a functionally expected reaction message such that suitably weakened or even believably incorrect information is communicated to the client. In this article, we consider selected results of recent and ongoing work and discuss several issues for further research and development. The topics covered range from the impact of the underlying logic, whether propositional or first-order or for non-monotonic beliefs or an abstraction from any specific one, to the kind of the interactions, whether only queries or also view publishing or updates or revisions or even procedural programs.


A priori knowledge Belief Censor Client state Completeness Confidentiality Constraint satisfaction Distortion Evaluated secrecy First-order logic Guarded commands Inference control Information system Information flow control Interaction history Knowledge Lying Model theory Monitoring Non-monotonic reasoning Policy Possibilistic secrecy Proof theory Program execution Query answering Rational reasoning Refusal Relational database Security automaton Security invariant Theorem proving Update processing View publishing Weakening 



I would like to sincerely thank all colleagues who have worked together with me on Controlled Interaction Execution, in particular the co-authors of joint publications. Moreover, I am specially indebted to Marcel Preuß and Cornelia Tadros for many helpful comments on an earlier draft. Finally, I gratefully acknowledge the longtime support of the German Research Council, DFG, under grants Bi 311/12 and SFB 876/A5.


  1. 1.
    Abiteboul, S., Hull, R., Vianu, V.: Foundations of Databases. Addison-Wesley, Reading (1995)zbMATHGoogle Scholar
  2. 2.
    Aggarwal, G., Bawa, M., Ganesan, P., Garcia-Molina, H., Kenthapadi, K., Motwani, R., Srivastava, U., Thomas, D., Xu, Y.: Two can keep a secret: a distributed architecture for secure database services. In: 2nd Biennial Conference on Innovative Data Systems Research, CIDR 2005, pp. 186–199. Online Proceedings (2005)Google Scholar
  3. 3.
    Ailamazyan, A.K., Gilula, M.M., Stolbushkin, A.P., Shvarts, G.F.: Reduction of a relational model with infinite domains to the finite-domain case. Russian version: Dokl. Akad. Nauk SSSR 286, 308–311; English translation: Sov. Phys. Dokl. 31(1), 11–13 (1968)Google Scholar
  4. 4.
    Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F. (eds.): The Description Logic Handbook: Theory, Implementation, and Applications. Cambridge University Press, Cambridge (2003)zbMATHGoogle Scholar
  5. 5.
    Balliu, M., Dam, M., Guernic, G.L.: Encover: symbolic exploration for information flow security. In: Chong, S. (ed.) IEEE Computer Security Foundations Symposium, CSF 2012, pp. 30–44. IEEE Computer Society, Los Alamitos (2012)CrossRefGoogle Scholar
  6. 6.
    Beierle, C., Kern-Isberner, G.: A conceptual agent model based on a uniform approach to various belief operations. In: Mertsching, B., Hund, M., Aziz, Z. (eds.) KI 2009. LNCS, vol. 5803, pp. 273–280. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Bell, D.E., LaPadula, L.J.: Secure computer systems: a mathematical model, volume II. J. Comput. Sec. 4(2/3), 229–263 (1996). Reprint of MITRE Corporation (1974)Google Scholar
  8. 8.
    Biskup, J.: For unknown secrecies refusal is better than lying. Data Knowl. Eng. 33(1), 1–23 (2000)CrossRefzbMATHGoogle Scholar
  9. 9.
    Biskup, J.: Security in Computing Systems - Challenges. Approaches and Solutions. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  10. 10.
    Biskup, J.: Dynamic policy adaption for inference control of queries to a propositional information system. J. Comput. Secur. 20, 509–546 (2012)Google Scholar
  11. 11.
    Biskup, J.: Inference-usability confinement by maintaining inference-proof views of an information system. Int. J. Comput. Sci. Eng. 7(1), 17–37 (2012)CrossRefGoogle Scholar
  12. 12.
    Biskup, J.: Logic-oriented confidentiality policies for controlled interaction execution. In: Madaan, A., Kikuchi, S., Bhalla, S. (eds.) DNIS 2013. LNCS, vol. 7813, pp. 1–22. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  13. 13.
    Biskup, J., Bonatti, P.A.: Lying versus refusal for known potential secrets. Data Knowl. Eng. 38(2), 199–222 (2001)CrossRefzbMATHGoogle Scholar
  14. 14.
    Biskup, J., Bonatti, P.A.: Controlled query evaluation for enforcing confidentiality in complete information systems. Int. J. Inf. Secur. 3(1), 14–27 (2004)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Biskup, J., Bonatti, P.A.: Controlled query evaluation for known policies by combining lying and refusal. Ann. Math. Artif. Intell. 40(1–2), 37–62 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Biskup, J., Bonatti, P.A.: Controlled query evaluation with open queries for a decidable relational submodel. Ann. Math. Artif. Intell. 50(1–2), 39–77 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Biskup, J., Bonatti, P.A., Galdi, C., Sauro, L.: Optimality and complexity of inference-proof data filtering and CQE. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part II. LNCS, vol. 8713, pp. 165–181. Springer, Heidelberg (2014)Google Scholar
  18. 18.
    Biskup, J., Bring, M., Bulinski, M.: Confidentiality preserving evaluation of open relational queries. In: Morzy, T., Valduriez, P., Bellatreche, L. (eds.) ADBIS 2015. LNCS, vol. 9282, pp. 431–445. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  19. 19.
    Biskup, J., Dahn, C., Diekmann, K., Menzel, R., Schalge, D., Wiese, L.: Publishing inference-proof relational data: an implementation and experiments (2015) (submitted for publication)Google Scholar
  20. 20.
    Biskup, J., Embley, D.W., Lochner, J.H.: Reducing inference control to access control for normalized database schemas. Inf. Process. Lett. 106(1), 8–12 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Biskup, J., Gogolin, C., Seiler, J., Weibert, T.: Inference-proof view update transactions with forwarded refreshments. J. Comput. Secur. 19, 487–529 (2011)Google Scholar
  22. 22.
    Biskup, J., Hartmann, S., Link, S., Lochner, J.-H.: Efficient inference control for open relational queries. In: Foresti, S., Jajodia, S. (eds.) Data and Applications Security and Privacy XXIV. LNCS, vol. 6166, pp. 162–176. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Biskup, J., Hartmann, S., Link, S., Lochner, J.-H., Schlotmann, T.: Signature-based inference-usability confinement for relational databases under functional and join dependencies. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 56–73. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Biskup, J., Li, L.: On inference-proof view processing of XML documents. IEEE Trans. Dependable Sec. Comput. 10(2), 99–113 (2013)CrossRefGoogle Scholar
  25. 25.
    Biskup, J., Preuß, M.: Database fragmentation with encryption: under which semantic constraints and a priori knowledge can two keep a secret? In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 17–32. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  26. 26.
    Biskup, J., Preuß, M.: Inference-proof data publishing by minimally weakening a database instance. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 30–49. Springer, Heidelberg (2014)Google Scholar
  27. 27.
    Biskup, J., Preuß, M., Wiese, L.: On the inference-proofness of database fragmentation satisfying confidentiality constraints. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 246–261. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Biskup, J., Tadros, C.: Policy-based secrecy in the Runs & Systems framework and controlled query evaluation. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds.) Advances in Information and Computer Security, IWSEC 2010, Short Papers, pp. 60–77. Information Processing Society of Japan (IPSJ) (2010)Google Scholar
  29. 29.
    Biskup, J., Tadros, C.: Inference-Proof View Update Transactions with Minimal Refusals. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM 2011 and SETOP 2011. LNCS, vol. 7122, pp. 104–121. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  30. 30.
    Biskup, J., Tadros, C.: Revising belief without revealing secrets. In: Lukasiewicz, T., Sali, A. (eds.) FoIKS 2012. LNCS, vol. 7153, pp. 51–70. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  31. 31.
    Biskup, J., Tadros, C.: Confidentiality enforcement by hybrid control of flows from abstract information states through program execution via declassification (2015) (submitted for publication)Google Scholar
  32. 32.
    Biskup, J., Tadros, C.: Constructing inference-proof belief mediators. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 188–203. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  33. 33.
    Biskup, J., Tadros, C.: Preserving confidentiality while reacting on iterated queries and belief revisions. Ann. Math. Artif. Intell. 73(1–2), 75–123 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Biskup, J., Tadros, C.: On the simulation assumption for controlled interaction processing (to appear, 2016)Google Scholar
  35. 35.
    Biskup, J., Tadros, C., Wiese, L.: Towards controlled query evaluation for incomplete first-order databases. In: Link, S., Prade, H. (eds.) FoIKS 2010. LNCS, vol. 5956, pp. 230–247. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  36. 36.
    Biskup, J., Weibert, T.: Keeping secrets in incomplete databases. Int. J. Inf. Secur. 7(3), 199–217 (2008)CrossRefGoogle Scholar
  37. 37.
    Biskup, J., Wiese, L.: Preprocessing for controlled query evaluation with availability policy. J. Comput. Secur. 16(4), 477–494 (2008)Google Scholar
  38. 38.
    Biskup, J., Wiese, L.: A sound and complete model-generation procedure for consistent and confidentiality-preserving databases. Theoret. Comput. Sci. 412, 4044–4072 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.
    Bonatti, P.A., Kraus, S., Subrahmanian, V.S.: Foundations of secure deductive databases. IEEE Trans. Knowl. Data Eng. 7(3), 406–422 (1995)CrossRefGoogle Scholar
  40. 40.
    Bonatti, P.A., Petrova, I.M., Sauro, L.: Optimized construction of secure knowledge-base views. In: Calvanese, D., Konev, B. (eds.) International Workshop on Description Logics 2015. CEUR Workshop Proceedings, vol. 1350. (2015)Google Scholar
  41. 41.
    Bonatti, P.A., Sauro, L.: A confidentiality model for ontologies. In: Alani, H., Kagal, L., Fokoue, A., Groth, P., Biemann, C., Parreira, J.X., Aroyo, L., Noy, N., Welty, C., Janowicz, K. (eds.) ISWC 2013, Part I. LNCS, vol. 8218, pp. 17–32. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  42. 42.
    Bordeaux, L., Hamadi, Y., Zhang, L.: Propositional satisfiability and constraint programming: a comparative survey. ACM Comput. Surv. 38(4), 12.1–12.54 (2006)CrossRefGoogle Scholar
  43. 43.
    Börger, E., Grädel, E., Gurevich, Y.: The Classical Decision Problem. Perspectives in Mathematical Logic. Springer, Heidelberg (1997)CrossRefzbMATHGoogle Scholar
  44. 44.
    Brachman, R.J., Levesque, H.J.: Knowledge Representation and Reasoning. Elsevier, Amsterdam (2004)Google Scholar
  45. 45.
    Ciriani, V., De Capitani di Vermercati, S., Foresti, S., Jajodia, S., Paraboschi, S., Samarati, P.: Combining fragmentation and encryption to protect privacy in data storage. ACM Trans. Inf. Syst. Secur. 13(3), 1–33 (2010)CrossRefGoogle Scholar
  46. 46.
    Ciriani, V., De Capitani di Vermercati, S., Foresti, S., Samarati, P.: K-anonymity. In: Yu, T., Jajodia, S. (eds.) Secure Data Management in Decentralized Systems. Advances in Information Security, vol. 33, pp. 323–353. Springer, New York (2007)CrossRefGoogle Scholar
  47. 47.
    Cuppens, F., Gabillon, A.: Cover story management. Data Knowl. Eng. 37(2), 177–201 (2001)CrossRefzbMATHGoogle Scholar
  48. 48.
    De Capitani di Vermercati, S., Foresti, S., Jajodia, S., Livraga, G., Paraboschi, S., Samarati, P.: Fragmentation in presence of data dependencies. IEEE Trans. Dependable Sec. Comput. 11(6), 510–523 (2014)CrossRefGoogle Scholar
  49. 49.
    Denning, D.E., Akl, S.G., Heckman, M., Lunt, T.F., Morgenstern, M., Neumann, P.G., Schell, R.R.: Views for multilevel database security. IEEE Trans. Software Eng. 13(2), 129–140 (1987)CrossRefGoogle Scholar
  50. 50.
    Denning, D.E., Schlörer, J.: Inference controls for statistical databases. IEEE Comput. 16(7), 69–82 (1983)CrossRefGoogle Scholar
  51. 51.
    Dolzhenko, E., Ligatti, J., Reddy, S.: Modeling runtime enforcement with mandatory results automata. Int. J. Inf. Secur. 14(1), 47–60 (2015)CrossRefGoogle Scholar
  52. 52.
    Ebbinghaus, H.D., Flum, J.: Finite Model Theory. Springer, Heidelberg (1995)zbMATHGoogle Scholar
  53. 53.
    Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning about Knowledge. MIT Press, Cambridge (1995)zbMATHGoogle Scholar
  54. 54.
    Farkas, C., Jajodia, S.: The inference problem: a survey. SIGKDD Explor. 4(2), 6–11 (2002)CrossRefGoogle Scholar
  55. 55.
    Fitting, M., Mendelsohn, R.L.: First-Order Modal Logic, Synthese Library, vol. 277. Kluwer Academic Publishers, Dordrecht (1998)CrossRefzbMATHGoogle Scholar
  56. 56.
    Friedman, N., Halpern, J.Y.: Plausibility measures and default reasoning. J. ACM 48(4), 648–685 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  57. 57.
    Fung, B.C.M., Wang, K., Chen, R., Yu, P.S.: Privacy-preserving data publishing: a survey of recent developments. ACM Comput. Surv. 42(4), 1–53 (2010)CrossRefGoogle Scholar
  58. 58.
    Fung, B.C.M., Wang, K., Fu, A.W.C., Yu, P.S.: Introduction to Privacy-Preserving Data Publishing - Concepts and Techniques. Chapman & Hall/CRC, Boca Raton (2010)CrossRefGoogle Scholar
  59. 59.
    Ganapathy, V., Thomas, D., Feder, T., Garcia-Molina, H., Motwani, R.: Distributing data for secure database services. Trans. Data Priv. 5(1), 253–272 (2012)MathSciNetGoogle Scholar
  60. 60.
    Gray III, J.W.: Toward a mathematical foundation for information flow security. In: IEEE Symposium on Security and Privacy, pp. 21–35 (1991)Google Scholar
  61. 61.
    Halpern, J.Y., O’Neill, K.R.: Secrecy in multiagent systems. ACM Trans. Inf. Syst. Secur. 12(1), 1–47 (2008)CrossRefGoogle Scholar
  62. 62.
    Katebi, H., Sakallah, K.A., Marques-Silva, J.P.: Empirical study of the anatomy of modern sat solvers. In: Sakallah, K.A., Simon, L. (eds.) SAT 2011. LNCS, vol. 6695, pp. 343–356. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  63. 63.
    Levesque, H.J., Lakemeyer, G.: The Logic of Knowledge Bases. MIT Press, Cambridge (2000)zbMATHGoogle Scholar
  64. 64.
    Libkin, L.: Elements of Finite Model Theory. Springer, Heidelberg (2004)CrossRefzbMATHGoogle Scholar
  65. 65.
    Lunt, T.F., Denning, D.E., Schell, R.R., Heckman, M., Shockley, W.R.: The SeaView security model. IEEE Trans. Software Eng. 16(6), 593–607 (1990)CrossRefGoogle Scholar
  66. 66.
    Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: L-diversity: privacy beyond k-anonymity. TKDD 1(1), 3 (2007)CrossRefGoogle Scholar
  67. 67.
    Malik, S., Zhang, L.: Boolean satisfiability from theoretical hardness to practical success. Commun. ACM 52(8), 76–82 (2009)CrossRefGoogle Scholar
  68. 68.
    Nerode, A., Shore, R.: Logic for Applications, 2nd edn. Springer, New York (1997)CrossRefzbMATHGoogle Scholar
  69. 69.
    Ray, D., Ligatti, J.: A theory of gray security policies. In: Pernul, G., Ryan, P.Y.A., Weippl, E.R. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 481–499. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  70. 70.
    Reiter, R.: What should a database know? Logic Program. 14, 127–153 (1992)MathSciNetCrossRefzbMATHGoogle Scholar
  71. 71.
    Robinson, J.A., Voronkov, A. (eds.): Handbook of Automated Reasoning (in 2 volumes). Elsevier, MIT Press, Amsterdam, Cambridge (2001)zbMATHGoogle Scholar
  72. 72.
    Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: IEEE Computer Security Foundations Workshop, CSFW 2005, pp. 255–269. IEEE Computer Society (2005)Google Scholar
  73. 73.
    Sandhu, R.S., Jajodia, S.: Polyinstantation for cover stories. In: Deswarte, Y., Quisquater, J.-J., Eizenberg, G. (eds.) ESORICS 1992. LNCS, pp. 307–328. Springer, Heidelberg (1992)Google Scholar
  74. 74.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)CrossRefGoogle Scholar
  75. 75.
    Shoenfield, J.R.: Mathematical Logic. Addison-Wesley, Reading (1967)Google Scholar
  76. 76.
    Sicherman, G.L., de Jonge, W., van de Riet, R.P.: Answering queries without revealing secrets. ACM Trans. Database Syst. 8(1), 41–59 (1983)CrossRefzbMATHGoogle Scholar
  77. 77.
    Spohn, W.: Ordinal conditional functions: A dynamic theory of epistemic states. In: Skyrms, B., Harper, W.L. (eds.) Irvine Conference on Probability and Causation. Causation in Decision, Belief Change, and Statistics, vol. II, pp. 105–134. Kluwer, Dordrecht (1988)Google Scholar
  78. 78.
    Studer, T., Werner, J.: Censors for boolean description logic. Trans. Data Priv. 7(3), 223–252 (2014)MathSciNetGoogle Scholar
  79. 79.
    Sutcliff, G., Suttner, C.: The TPTP problem library for automated theorem proving. Technical report (2015).
  80. 80.
    Sutcliffe, G.: The TPTP problem library and associated infrastructure: The FOF and CNF parts, v3.5.0. J. Autom. Reason. 43(4), 337–362 (2009)CrossRefzbMATHGoogle Scholar
  81. 81.
    Thalheim, B.: Entity-Relationship Modeling - Foundations of Database Technology. Springer, Heidelberg (2000)CrossRefzbMATHGoogle Scholar
  82. 82.
    Traub, J.F., Yemini, Y., Wozniakowski, H.: The statistical security of a statistical database. ACM Trans. Database Syst. 9(4), 672–679 (1984)CrossRefGoogle Scholar
  83. 83.
    Weissenbacher, G., Malik, S.: Boolean satisfiability solvers: techniques and extensions. In: Nipkow, T., Grumberg, O., Hauptmann, B. (eds.) Software Safety and Security - Tools for Analysis and Verification, pp. 205–253. IOS Press (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Technische Universität DortmundDortmundGermany

Personalised recommendations