DS2: Declarative Secure Distributed Systems


The DS2 project explores a unified declarative platform for specifying, implementing, and analyzing secure extensible distributed systems. Our work is motivated by the proliferation of large-scale network information systems currently deployed for a variety of application domains including network monitoring infrastructures, publish-subscribe systems, cloud computing, content distribution networks, and network routing. Despite their widespread usage, designing and implementing these large-scale systems remains a challenge, in part because of the sheer scale of deployment, but also due to emerging security threats.

Code release: An initial prototype of DS2 has been developed using the RapidNet declarative networking system. This release includes support for Secure Network Datalog [ICDE09] and Network Provenance [NetDB08, SIGMOD10]. Source code is available for download.

DS2 makes the following contributions:

Secure Network Datalog: We have developed the Secure Network Datalog (SeNDlog) language [NetDB07, ICDE09], which unifies logic-based access languages and distributed recursive query languages for declarative networks. SeNDlog enables network routing, information systems, and their security policies to be specified and implemented within a common framework. SeNDlog has a wide range of use cases, ranging from secure routing, to anonymous networking [NDSS10], and secure cloud data management.

Network Provenance: The dataflow framework used in declarative networking captures information flow as distributed queries. Hence, it is natural to utilize data provenance to explain the existence of any network state, which is analogous to the use of proof trees in security audits. We have proposed the notion of network provenance [NetDB08, SIGMOD10], and demonstrated how they map into networking use cases, including real-time diagnostics, forensics, and trust management. We have further evaluated techniques for querying and maintaining network provenance efficiently in a distributed setting.

Secure LogicBlox: To validate our ideas in a production system used commercially, in collaboration with LogicBlox Inc, we have conceptualized and implemented LBTrust [CIDR09], a declarative system for extensible trust management, where various security constructs can be customized and composed in a declarative fashion. LBTrust utilizes LogicBlox, an emerging commercial Datalog-based platform for enterprise software systems. The LBTrust system enhances the LogicBlox runtime system to enable metaconstraints and meta-programmability, which enables customizable cryptographic, partitioning and distribution strategies based on the execution environment. A follow-up system called SecureBlox [SIGMOD10] enables customized distributed data processing to be implemented using the LogicBlox environment.





  • The Design and Implementation of the A3 Application-Aware Anonymity Platform. [Link]
    Micah Sherr, Harjot Gill, Taher Aquil Saeed, Andrew Mao, William R. Marczak, Saravana Soundararajan, Wenchao Zhou, Boon Thau Loo, and Matt Blaze.
    Computer Networks (COMNET), Elsevier Publishing, 2013.
  • Private and Verifiable Interdomain Routing Decisions. [PDF]
    Mingchen Zhao, Wenchao Zhou, Alexander J. T. Gurney, Andreas Haeberlen, Micah Sherr, and Boon Thau Loo
    ACM SIGCOMM Conference on Data Communication, Helsinki, Finland, August 2012.
  • Declarative Secure Distributed Information Systems. [Link]
    Wenchao Zhou, Tao Tao, Boon Thau Loo, and Yun Mao.
    Computer Languages, Systems & Structures (COMLAN), Elsevier Publishing, 2012.
  • Towards a Data-centric View of Cloud Security. [Paper]
    Wenchao Zhou, Micah Sherr, William R. Marczak, Zhuoyao Zhang, Tao Tao, Boon Thau Loo, Insup Lee.
    Second International Workshop on Cloud Data Management (CloudDB), in conjunction with CIKM, Oct 2010.
  • Efficient Querying and Maintenance of Network Provenance at Internet-Scale. [Paper] [Talk]
    Wenchao Zhou, Micah Sherr, Tao Tao, Xiaozhou Li, Boon Thau Loo, and Yun Mao.
    ACM SIGMOD International Conference on Management of Data (SIGMOD), June 2010.

  • SecureBlox: Customizable Secure Distributed Data Processing. [Paper] [Talk]
    William Marczak, Shan Shan Huang, Martin Bravenboer, Micah Sherr, Boon Thau Loo, and Molham Aref.
    ACM SIGMOD International Conference on Management of Data (SIGMOD), June 2010.

  • Towards Secure Cloud Data Management. [PDF]
    Wenchao Zhou, William R. Marczak, Tao Tao, Zhuoyao Zhang, Micah Sherr, Boon Thau Loo, and Insup Lee.
    University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-10-10, Feb 2010.
  • A3: An Extensible Platform for Application-Aware Anonymity. [PDF]
    Micah Sherr, Andrew Mao, William R. Marczak, Wenchao Zhou and Boon Thau Loo.
    17th Annual Network & Distributed System Security Symposium (NDSS), Feb 2010.

  • DMaC: Distributed Monitoring and Checking. [Paper]
    Wenchao Zhou, Oleg Sokolsky, Boon Thau Loo, and Insup Lee.
    9th International Workshop on Runtime Verification (RV), Grenoble, France, Jun 2009.

  • Unified Declarative Platform for Secure Networked Information Systems [Paper] [Talk]
    Wenchao Zhou, Yun Mao, Boon Thau Loo, and Martín Abadi
    In the 25th International Conference on Data Engineering (ICDE), Shanghai, China, Apr 2009.

  • Recursive Computation of Regions and Connectivity in Networks. [Paper]
    Mengmeng Liu, Nicholas E. Taylor, Wenchao Zhou, Zachary Ives, and Boon Thau Loo.
    In 25th International Conference on Data Engineering (ICDE), Shanghai, China, Apr 2009.

  • Declarative Reconfigurable Trust Management. [Paper]
    William R. Marczak, David Zook, Wenchao Zhou, Molham Aref, and Boon Thau Loo.
    4th Biennial Conference on Innovative Data Systems Research (CIDR), Pacific Grove, CA, Jan 2009.

  • Provenance-aware Secure Networks [Paper] [Talk]
    Wenchao Zhou, Eric Cronin and Boon Thau Loo
    In the 4th International Workshop on Networking meets Databases (NetDB), in conjunction with ICDE, Cancun, Mexico, Apr 2008.

  • Towards a Declarative Language and System for Secure Networking [Paper]
    Martín Abadi and Boon Thau Loo
    In the 3rd International Workshop on Networking meets Databases (NetDB), in conjunction with NSDI, Cambridge, MA, Apr 2007.


This worker is partially supported by NSF Grants CNS-0721845, IIS-0812270, CNS-0831376, and CNS-0845552; and OSD/AFOSR MURI Collaborative Policies and Assured Information Sharing.