
An authorization model for query execution in the cloud

Regular Paper, The VLDB Journal

Abstract

We present a novel approach for the specification and enforcement of authorizations that enables controlled data sharing for collaborative queries in the cloud. Data authorities can establish authorizations regulating access to their data distinguishing three visibility levels (no visibility, encrypted visibility, and plaintext visibility). Authorizations are enforced accounting for the information content carried in the computation to ensure no information is improperly leaked and adjusting visibility of data on-the-fly. Assignment of operations to subjects takes into consideration the cost of operation execution as well as of the encryption/decryption operations needed to make the assignment authorized. Our approach enables users and data authorities to fully enjoy the benefits and economic savings of the competitive open cloud market, while maintaining control over data.

Notes

  1. Note that this does not necessarily imply the evaluation of the condition in encrypted form. Since \(\mathbb {H}\) is the authority over D and it knows the encryption key (it encrypts D itself), \(\mathbb {H}\) can operate on plaintext values and encrypt D afterward.

  2. LINGO https://www.lindo.com/index.php/products/lingo-and-optimization-modeling.


Corresponding author: Sushil Jajodia.


This work was supported in part by the Office of Naval Research under grant N00014-20-1-2407, by the Army Research Office under grant W911NF-13-1-0421, by the National Science Foundation under grant CNS-1822094, by the EC within the H2020 Program under grants 825333 and 101017171, and by JPMorgan Chase & Co.

A Proofs of theorems

Theorem 1

Let T(N) be a query tree plan. \(\forall n_{x},n_{y} \in \mathtt{N}\) with profile \([R_{x}^{v\!\!\,p},R_{x}^{v\!\!\,e},R_{x}^{i\!\!\,p},R_{x}^{i\!\!\,e},R_{x}^{\simeq }]\) and \([R_{y}^{v\!\!\,p},R_{y}^{v\!\!\,e},R_{y}^{i\!\!\,p},R_{y}^{i\!\!\,e},R_{y}^{\simeq }]\), respectively, s.t. \(n_{y}\) is a descendant of \(n_{x}\):

i) \((R_{y}^{v\!\!\,p} \cup R_{y}^{v\!\!\,e} \cup R_{y}^{i\!\!\,p} \cup R_{y}^{i\!\!\,e} \cup \{A\mid A\in R_{y}^{\simeq }\}) \subseteq (R_{x}^{v\!\!\,p} \cup R_{x}^{v\!\!\,e} \cup R_{x}^{i\!\!\,p} \cup R_{x}^{i\!\!\,e} \cup \{A\mid A\in R_{x}^{\simeq }\})\)

ii) \(\forall A\in R_{y}^{\simeq }, \exists A'\in R_{x}^{\simeq }, A\subseteq A'.\)

Proof

We separately prove the two conditions of the theorem.

i) Let us first analyze the case in which \(n_{x}\) is the direct ancestor of \(n_{y}\). Assume, by contradiction, that \(\exists a_{}\in \{R_{y}^{v\!\!\,p} \cup R_{y}^{v\!\!\,e} \cup R_{y}^{i\!\!\,p} \cup R_{y}^{i\!\!\,e} \cup \{A\mid A\in R_{y}^{\simeq }\}\}\) s.t. \(a_{}\not \in \{R_{x}^{v\!\!\,p} \cup R_{x}^{v\!\!\,e} \cup R_{x}^{i\!\!\,p} \cup R_{x}^{i\!\!\,e} \cup \{A\mid A\in R_{x}^{\simeq }\}\}\). This would imply that attribute \(a_{}\) is removed from the profile of \(R_{x}\) by the execution of the operation represented by \(n_{x}\). According to the operations in Figs. 2 and 3, projection, group-by, udf, and rename operations remove attributes from relation profiles (and, more precisely, from the visible components of profiles). However, the attributes removed from the visible components by rename operation are inserted into the renamed attributes component and, from there, into the components of the relation profile where the new attribute name appears. The attributes removed from the visible components by projection, group-by, and udf operations already belong to \(R_{x}^{i\!\!\,p}\cup R_{x}^{i\!\!\,e}\cup \{A\mid A\in R_{x}^{\simeq }\}\). In fact, since projections have been pushed down in T(N), the first projection removes all attributes that are neither involved in operations in the query plan, nor returned in the query result. Therefore, for each relation, only the attributes explicitly appearing in the clauses of the query survive in the profile of the relation corresponding to the projection pushed down at each relation. The attributes removed can only be the attributes on which operations have already been evaluated, since otherwise the query could not be evaluated correctly. The operations in which an attribute \(a_{}\), removed by the projection, the group-by, or the udf at \(n_{x}\), have possibly been involved (as illustrated in Fig. 2) are: selection (\(a_{}\) would be in \(R_{x}^{i\!\!\,p}\), \(R_{x}^{i\!\!\,e}\), or \(R_{x}^{\simeq }\)); join (\(a_{}\) would be in \(R_{x}^{\simeq }\)); group-by (\(a_{}\) would be in \(R_{x}^{i\!\!\,p}\) or \(R_{x}^{i\!\!\,e}\)); a set operator (\(a_{}\) would be in \(R_{x}^{\simeq }\)); and udf (\(a_{}\) would be in \(R_{x}^{\simeq }\)). Note that the Cartesian product does not specifically operate on any attribute. Also, attributes involved in aggregations will be subject to operations or will belong to the query result. Encryption/decryption operations are instead functional to query evaluation. Hence, no attribute is removed from the profile of \(R_{x}\), contradicting our hypothesis.

Since \(\forall n_{x},n_{y}\) s.t. \(n_{y}\) is a direct descendant of \(n_{x}\), \((R_{y}^{v\!\!\,p} \cup R_{y}^{v\!\!\,e} \cup R_{y}^{i\!\!\,p} \cup R_{y}^{i\!\!\,e} \cup \{A\mid A\in R_{y}^{\simeq }\})\) \(\subseteq \) \((R_{x}^{v\!\!\,p} \cup R_{x}^{v\!\!\,e} \cup R_{x}^{i\!\!\,p} \cup R_{x}^{i\!\!\,e} \cup \{A\mid A\in R_{x}^{\simeq }\})\), by the transitivity of operator \(\subseteq \) the first condition of the theorem holds.

ii) Let us first analyze the case in which \(n_{x}\) is the direct ancestor of \(n_{y}\) and assume, by contradiction, that \(\exists A \in R_{y}^{\simeq }\) s.t. \(\not \exists A'\in R_{x}^{\simeq }, A\subseteq A'.\) The sets of attributes included in \(R_{y}^{\simeq }\) are impacted only when the operation in \(n_{x}\) is one of the operations described in the following.

ii.1) \(n_{x}\) is a Cartesian product. The Cartesian product combines \(R_{y}^{\simeq }\) with \(R_{z}^{\simeq }\), with \(R_{z}\) the other operand of \(n_{x}\) (i.e., \(R_{x}^{\simeq }=R_{y}^{\simeq }\cup R_{z}^{\simeq }\)). Then, if \(A{}\in R_{y}^{\simeq }\) and \(\exists A_{i}\in R_{z}^{\simeq }\) s.t. \(A{}\cap A_{i}\ne \emptyset \), then \(A'=A\cup A_{i}\) is inserted into \(R_{x}^{\simeq }\) in place of A. Otherwise, A belongs to \(R_{x}^{\simeq }\). This contradicts our hypothesis.

ii.2) \(n_{x}\) is a selection or join with condition \(a_{i}\) op \(a_{j}\). The selection/join operations cause \(R_{x}^{\simeq }=R_{y}^{\simeq }\cup {}R_{z}^{\simeq }\cup {}\{a_{i},a_{j}\}\), which inserts equivalence {\(a_{i}\),\(a_{j}\)} in the result of \(R_{y}^{\simeq }\cup R_{z}^{\simeq }\). Then, it merges the set \(A_{i}\in (R_{y}^{\simeq }\cup R_{z}^{\simeq })\) s.t. \(a_{i}\in A_i\) with the set \(A_{j}\in (R_{y}^{\simeq }\cup R_{z}^{\simeq })\) s.t. \(a_{j}\in A_{j}\), producing a new set \(A_{ij}=A_{i}\cup A_{j}\), if such sets exist; it inserts \(a_{j}\) into \(A_{i}\) if \(A_j\) does not exist (and vice versa), producing a new set \(A_{ij}=A_{i}\cup \{a_{j}\}\) (or \(A_{ij}=A_{j}\cup \{a_{i}\}\)) in place of \(A_{i}\) or \(A_j\), respectively. It creates set \(A_{ij}=\{a_{i},a_{j}\}\) if neither \(A_i\) nor \(A_j\) exists. The set \(R_{x}^{\simeq }\) is then obtained as \(R_{x}^{\simeq }=R_{y}^{\simeq }\cup R_{z}^{\simeq }\setminus \{A_{i},A_{j}\}\cup \{A_{ij}\}\). Therefore, if \(a_{i}\not \in A\) and \(a_{j}\not \in A\) (remember that \(A\in R_{y}^{\simeq }\)), then \(A\in R_{x}^{\simeq }\). Otherwise, \(A_{ij}\in R_{x}^{\simeq }\) and \(A\subset A_{ij}\). This contradicts our hypothesis.

ii.3) \(n_{x}\) is a set operator. Any set operator causes \(R_{x}^{\simeq }=R_{y}^{\simeq }\cup {}R_{z}^{\simeq }\cup {}\{a_{yi},a_{zi}\}\), which inserts equivalence {\(a_{yi}\),\(a_{zi}\)}, for \(i=1,\ldots ,|R_{y}^{v\!\!\,p} \cup R_{y}^{v\!\!\,e}|\), in the result of \(R_{y}^{\simeq }\cup R_{z}^{\simeq }\). The insertion of each pair {\(a_{yi}\),\(a_{zi}\)} into the result of \(R_{y}^{\simeq }\cup R_{z}^{\simeq }\) operates as illustrated above for the selection/join operation. Hence, if \(a_{yi}\not \in A\) and \(a_{zi}\not \in A\) (remember that \(A\in \) \(R_{y}^{\simeq }\)), then \(A\in R_{x}^{\simeq }\), else \({A_{yizi}}\in R_{x}^{\simeq }\) and \(A\subset A_{yizi}\). This contradicts our hypothesis.

ii.4) \(n_{x}\) is a udf operating over a set \(A_x\) of attributes. The udf operation causes \(R_{x}^{\simeq }=R_{y}^{\simeq }\cup {}A_x\), which inserts equivalence \(A_x\) into \(R_{y}^{\simeq }\). Then, it merges the set \(A_{i}\in R_{y}^{\simeq }\) s.t. \(A_{i}\cap A_x \ne \emptyset \) with the set \(A_x\), producing a new set \(A_{ix}=A_{i}\cup A_x\), if such set exists, and inserts \(A_{ix}\) into \(R_{y}^{\simeq }\) in place of \(A_i\). It creates set \(A_{x}\) otherwise. Therefore, if \(A_x \cap A =\emptyset \), then \(A\in R_{x}^{\simeq }\). Otherwise, \(A_{ix}\in R_{x}^{\simeq }\) and \(A\subset A_{ix}\). This contradicts our hypothesis.

Renaming does not have impact on the second condition of the theorem, since renamed attributes are substituted by the corresponding original attribute names when the profile is closed (Definition 3). Since \(\forall n_{x},n_{y}\) s.t. \(n_{y}\) is a direct descendant of \(n_{x}\), \(\forall A\in R_{y}^{\simeq }, \exists A'\in R_{x}^{\simeq }\) s.t. \(A\subseteq A'\), for the transitivity of operator \(\subseteq \), the second condition of the theorem holds.

\(\square \)
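As an added illustration (not code from the paper), the following Python models the equivalence component \(R^{\simeq }\) of a profile, applies the update rules described in cases ii.1–ii.4 of the proof above, and checks both conditions of Theorem 1 between a node and its descendants. It collapses the four visible/implicit components into one attribute set (only their union matters for condition i), assumes that a set operator's result keeps the left operand's attribute names, and uses constructed relations R(a,b,c) and S(d,e).

```python
"""Added illustration (not the paper's code) of the equivalence component R^{~=}
of a relation profile and of Theorem 1: how Cartesian product, selection/join,
set operators and udf nodes update the equivalence sets (cases ii.1-ii.4)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    attrs: frozenset   # union of the visible/implicit components (vp, ve, ip, ie)
    visible: tuple     # ordered visible attributes, used to pair set-operator operands
    eq: frozenset      # R^{~=}: a family of disjoint frozensets of attributes

def base(*names):
    """Profile of a base relation: every attribute visible, no equivalences yet."""
    return Profile(frozenset(names), tuple(names), frozenset())

def insert_equivalence(classes, new):
    """Insert the set `new` into the family `classes`, merging it with every
    class it intersects (the merge rule used in cases ii.2, ii.3 and ii.4)."""
    merged = frozenset(new)
    kept = set()
    for cls in classes:
        if cls & merged:
            merged |= cls        # A_i and the new set become one set A_ij
        else:
            kept.add(cls)        # untouched classes survive unchanged
    kept.add(merged)
    return frozenset(kept)

def cartesian(left, right):
    """ii.1: union of both families, overlapping sets merged."""
    eq = left.eq
    for cls in right.eq:
        eq = insert_equivalence(eq, cls)
    return Profile(left.attrs | right.attrs, left.visible + right.visible, eq)

def select(node, a_i, a_j):
    """ii.2, selection with condition a_i op a_j: insert {a_i, a_j}."""
    return Profile(node.attrs, node.visible, insert_equivalence(node.eq, {a_i, a_j}))

def join(left, right, a_i, a_j):
    """ii.2, join with condition a_i op a_j: combine operands, then insert {a_i, a_j}."""
    return select(cartesian(left, right), a_i, a_j)

def set_operator(left, right):
    """ii.3: insert {a_yi, a_zi} for the i-th visible attribute of each operand.
    Assumption (not stated on the page): the result keeps the left operand's names."""
    eq = cartesian(left, right).eq
    for a_y, a_z in zip(left.visible, right.visible):
        eq = insert_equivalence(eq, {a_y, a_z})
    return Profile(left.attrs | right.attrs, left.visible, eq)

def udf(node, a_x):
    """ii.4: a udf over the attribute set A_x inserts A_x as one equivalence."""
    return Profile(node.attrs, node.visible, insert_equivalence(node.eq, a_x))

def all_attributes(profile):
    """Every attribute of the profile, including those only inside R^{~=}."""
    return profile.attrs | frozenset().union(*profile.eq)

def theorem1_holds(ancestor, descendant):
    """Both conditions of Theorem 1 for a node n_x and a descendant n_y."""
    cond_i = all_attributes(descendant) <= all_attributes(ancestor)
    cond_ii = all(any(a <= a2 for a2 in ancestor.eq) for a in descendant.eq)
    return cond_i and cond_ii

def example_plan():
    """Constructed plan udf_{b,d,e}((sigma_{a=b} R) join_{c=d} S), R(a,b,c), S(d,e)."""
    r, s = base("a", "b", "c"), base("d", "e")
    n1 = select(r, "a", "b")          # R^{~=} = {{a,b}}
    n2 = join(n1, s, "c", "d")        # {{a,b},{c,d}}
    n3 = udf(n2, {"b", "d", "e"})     # {{a,b,c,d,e}}: both classes absorbed
    return r, s, n1, n2, n3
```

Running `theorem1_holds` on every (ancestor, descendant) pair of `example_plan()` returns True, while a hand-built pair whose descendant carries an attribute the ancestor lacks returns False.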

Theorem 2

Let T(N) be a query tree plan, \(n\in \mathtt{N}\) be a non-leaf node, and \(n_{l},n_{r}\in \mathtt{N}\) be its non-leaf children, if any. Then \(\hat{R}_{l}^{v\!\!\,p} \cup \hat{R}_{r}^{v\!\!\,p} \subseteq \hat{R}_{}^{i\!\!\,p} \Longrightarrow \Lambda (n_x)\subseteq \Lambda (n)\), \(\forall n_x\) ancestor of n.

Proof

Let us first analyze the case in which \(n_{x}\) is the direct ancestor of \(n_{}\) in T(N) and assume, by contradiction, that \(\exists S_{}\in \Lambda (n_{x})\) s.t. \(S_{}\not \in \Lambda (n_{})\). By Definition 8, this implies that \(S_{}\) is authorized for relation \(R_{x}\) produced by \(n_{x}\) over operands \(\hat{R}_{}\) and possibly \(\hat{R}_{w}\), with \(n_{w}\) the other direct descendant of \(n_{x}\) if \(n_{x}\) represents a binary operation, and \(S_{}\) is authorized for \(\hat{R}_{}\) and \(\hat{R}_{w}\) (if it is the case). At the same time, \(S_{}\) is not authorized for \(R_{}\), \(\hat{R}_{l}\), and/or \(\hat{R}_{r}\). By Theorem 1, all attributes in the profile of a node also belong to the profiles of its ancestors. Then, \(S_{}\) could be authorized for \(R_{x}\) and not for \(R_{}\) only if there exists an attribute \(a_{}\in {{{\mathcal {E}}}}_{S_{}}\) s.t. \(a_{}\) appears plaintext (visible and/or implicit) in the profiles of \(\hat{R}_{l}\), \(\hat{R}_{r}\), or \(R_{}\) and is included encrypted in the profiles of \(\hat{R}_{}\), \(\hat{R}_{w}\), and \(R_{x}\). Let us separately analyze the cases in which \(a_{}\) is visible plaintext and implicit plaintext. If \(a_{}\) appears implicit plaintext in the profile of \(R_{}\) or of an operand of \(n_{}\) (meaning in \(\hat{R}_{l}\) or \(\hat{R}_{r}\)), since no operation removes attributes from an implicit component of a profile (see Fig. 2), then \(a_{}\) will also be included in the implicit plaintext component of the profiles of all ancestors of \(n_{}\), including \(n_{x}\). Therefore, \(S_{}\not \in \Lambda (n_{x})\), contradicting our hypothesis. Let us now analyze the case in which \(a_{}\) is visible plaintext in the profile of \(\hat{R}_{l}\), \(\hat{R}_{r}\), or \(R_{}\). In all these cases, by Definition 7, \(a_{}\) is needed plaintext for the execution of the operation in \(n_{}\) (as otherwise it would be encrypted in \(\hat{R}_{l}\), \(\hat{R}_{r}\), and then also in the profile of the relation resulting from \(n_{}\)). However, by hypothesis \(\hat{R}_{l}^{v\!\!\,p} \cup \hat{R}_{r}^{v\!\!\,p} \subseteq \hat{R}_{}^{i\!\!\,p}\). Then, \(a_{}\) would be included in the implicit plaintext components of the ancestors of \(n_{}\), thus making \(S_{}\not \in \Lambda (n_{x})\), contradicting our hypothesis. Since \(\forall n_{},n_{x}\) s.t. \(n_{x}\) is the direct ancestor of \(n_{}\), \(\hat{R}_{l}^{v\!\!\,p} \cup \hat{R}_{r}^{v\!\!\,p} \subseteq \hat{R}_{}^{i\!\!\,p} \Longrightarrow \Lambda (n_{x})\subseteq \Lambda (n_{})\), for the transitivity of operator \(\subseteq \), the theorem holds. \(\square \)

Theorem 3

Let T(N) be a query plan, and \(\Lambda \) be a candidate assignment function for it:

i) \(\forall \mathtt{T'}\) \(\in \) \({{{\mathcal {T}}}}\), \(\lambda ,\) and \(n_{}\in {\mathtt{N}}\), if \({\mathtt{T}}'\) is an extended query plan for \({\mathtt{T}}\) and \(\lambda \) is an authorized assignment for \({\mathtt{T'}}\), then \(\lambda (n_{})\in \Lambda (n_{})\).

ii) \(\forall \lambda ,\) if \(\forall n_{}\in {\mathtt{N}}, \lambda (n_{})\in \Lambda (n_{}),\) then there exists an extended query plan \({\mathtt{T'}}\) for \({\mathtt{T}}\) such that \(\lambda \) is an authorized assignment for \({\mathtt{T'}}\).

Proof

To clearly distinguish between nodes of the original tree T(N) and the same nodes in the extended tree T’(N), we will denote with \(n'_{}\) the counterpart in T’(N) of node \(n_{}\) in T(N). We now separately prove the two conditions of the theorem.

i) Suppose, by contradiction, that \(\exists S_{}=\lambda (n'_{})\) s.t. \(S_{}\not \in \Lambda (n_{})\), meaning that \(S_{}\) is authorized for \(n'_{}\), \(n'_{l}\), and \(n'_{r}\) and not for \(n_{}\), \(\hat{R}_{l}\), and \(\hat{R}_{r}\). This can occur in two scenarios.

i.1) \(\exists a_{}\) in the profiles of \(n_{}\), \(\hat{R}_{l}\), and/or \(\hat{R}_{r}\) s.t. \(a_{}\) does not belong to the profiles of \(n'_{}\), \(n'_{l}\), and \(n'_{r}\), and \(a_{}\not \in {{{\mathcal {P}}}}_{S_{}}\cup {{{\mathcal {E}}}}_{S_{}}\).

Theorem 1 states that all attributes in the profile of a relation belong to the profile of its ancestor. Therefore, if \(a_{}\) does not belong to the profile of \(n_{}\) (\(n'_{}\), resp.), then \(a_{}\) belongs to the profiles of neither \(n_{l}\) nor \(n_{r}\) (\(n'_{l}\) nor \(n'_{r}\), resp.). On the other hand, if \(a_{}\) belongs to the profile of \(n_{}\) (\(n'_{}\), resp.), then \(a_{}\) certainly belongs to the profiles of either \(n_{l}\) or \(n_{r}\) (\(n'_{l}\) or \(n'_{r}\), resp.). Therefore, we can focus on the profiles of \(n_{}\) and \(n'_{}\). The profile of \(n_{}\) is computed assuming operands \(\hat{R}_{l}\) and \(\hat{R}_{r}\). According to Definition 7, the computation of minimum required views does not change which attributes are included in the profile of a node. This implies that the attributes in the profile of \(n_{}\) are the same as those of \(n'_{}\), contradicting our hypothesis.

i.2) \(\exists a_{}\) appearing plaintext in the profiles of \(n_{}\), \(\hat{R}_{l}\), and/or \(\hat{R}_{r}\) s.t. \(a_{}\) is encrypted in the profiles of \(n'_{}\), \(n'_{l}\), and \(n'_{r}\), and \(a_{}\in {{{\mathcal {E}}}}_{S_{}}\).

Let us first analyze the case in which \(a_{}\) is visible plaintext in the profile of \(n_{}\), \(\hat{R}_{l}\), and/or \(\hat{R}_{r}\). In all these cases, by Definition 7, \(a_{}\) is needed plaintext for the execution of the operation in \(n_{}\), but then it should also be represented in the clear in \(n'_{}\), \(n'_{l}\), and \(n'_{r}\) to ensure computability of the operation, thus contradicting our hypothesis.

Let us now analyze the case in which \(a_{}\) is implicit plaintext in the profile of \(n_{}\), \(\hat{R}_{l}\), or \(\hat{R}_{r}\). This can occur only if an operation over \(a_{}\) has been executed by (at least) one descendant \(n_{d}\) of \(n_{}\) and left a trace in the implicit component. Since \(n_{d}\), being in T(N), operates on the minimum required view(s) of its descendant(s), it left a trace in the implicit plaintext component of the profile of \(n_{d}\) only if the operation required to operate on the plaintext representation of \(a_{}\). However, the same operation is to be evaluated also by \(n'_{d}\) in T’(N), and therefore \(a_{}\) appears in the implicit plaintext component of the profiles of \(n'_{}\), \(n'_{l}\), and/or \(n'_{r}\), thus contradicting our hypothesis.

ii) Suppose, by contradiction, that \(\forall n_{}, S_{}=\lambda (n_{})\in \Lambda (n_{})\) and that \(\not \exists \) T’(N) s.t. T’(N) is an extended plan for T(N) for which \(\lambda \) is an authorized assignment. This can occur in two scenarios.

ii.1) \(\exists a_{}\) in the profiles of \(n'_{}\), \(n'_{l}\), and/or \(n'_{r}\) s.t. \(a_{}\) does not belong to the profiles of \(n_{}\), \(\hat{R}_{l}\), \(\hat{R}_{r}\), and \(a_{}\not \in {{{\mathcal {P}}}}_{S_{}}\cup {{{\mathcal {E}}}}_{S_{}}\).

As previously shown, the profile of a node in T(N) and the profile of its counterpart in T’(N) include the same set of attributes, so this scenario cannot occur.

ii.2) \(\exists a_{}\) plaintext in the profiles of \(n'_{}\), \(n'_{l}\), and/or \(n'_{r}\) s.t. \(a_{}\) is encrypted in the profiles of \(n_{}\), \(\hat{R}_{l}\), and \(\hat{R}_{r}\), and \(a_{}\in {{{\mathcal {E}}}}_{S_{}}\).

Let us first analyze the case in which \(a_{}\) is visible plaintext in the profiles of \(n'_{}\), \(n'_{l}\), and/or \(n'_{r}\). Since \(a_{}\) appears in encrypted form in the profiles of the original query plan, plaintext visibility over \(a_{}\) is not required to execute the operation in \(n'_{}\). Then, T’(N) can be extended encrypting \(a_{}\) before \(n'_{}\).

Let us now analyze the case in which \(a_{}\) is implicit plaintext in the profiles of \(n'_{}\), \(n'_{l}\), and/or \(n'_{r}\). In this case, an operation inserting \(a_{}\) into the implicit component of a profile has been carried out over the plaintext representation of \(a_{}\) in (at least) one descendant \(n'_{d}\) of node \(n'_{}\) in T’(N). However, since \(a_{}\) belongs to the implicit plaintext component of the profiles of neither \(\hat{R}_{l}\), nor \(\hat{R}_{r}\), this operation can also be evaluated over the encrypted representation of \(a_{}\). Hence, T’(N) can be extended with an encryption operation over \(a_{}\) preceding \(n'_{d}\). This includes \(a_{}\) in the implicit encrypted component in the profile of \(n'_{d}\) and of its ancestors, rather than their implicit plaintext component. Indeed, no operation moves attributes out from implicit components (see Figs. 2 and 3). \(\square \)

Cite this article

De Capitani di Vimercati, S., Foresti, S., Jajodia, S. et al. An authorization model for query execution in the cloud. The VLDB Journal 31, 555–579 (2022). https://doi.org/10.1007/s00778-021-00709-x
