Auditing without Leaks Despite Curiosity

TL;DR

This paper introduces a refined, privacy-preserving auditability model for data access, with a wait-free implementation of auditable registers that prevent unauthorized knowledge while tracking effective reads.

Contribution

It proposes a new definition of auditability based on effective reads and provides a wait-free, encrypted implementation for multi-writer, multi-reader registers and their extensions.

Findings

Effective read detection is achievable with atomic operations.

Encryption prevents unauthorized access to audit logs.

Extensions support max registers and versioned types.

Abstract

\textit{Auditing} data accesses helps preserve privacy and ensures accountability by allowing one to determine who accessed (potentially sensitive) information. A prior formal definition of register auditability was based on the values returned by read operations, \emph{without accounting for cases where a reader might learn a value without explicitly reading it or gain knowledge of data access without being an auditor}. This paper introduces a refined definition of auditability that focuses on when a read operation is \emph{effective}, rather than relying on its completion and return of a value. Furthermore, we formally specify the constraints that \textit{prevent readers from learning values they did not explicitly read or from auditing other readers' accesses.} Our primary algorithmic contribution is a wait-free implementation of a \emph{multi-writer, multi-reader register} that tracks effective reads while preventing unauthorized audits. The key challenge is ensuring that a read is auditable as soon as it becomes effective, which we achieve by combining value access and access logging into a single atomic operation. Another challenge is recording accesses without exposing them to readers, which we address using a simple encryption technique (one-time pad). We extend this implementation to an \emph{auditable max register} that tracks the largest value ever written. The implementation deals with the additional challenge posed by the max register semantics, which allows readers to learn prior values without reading them. The max register, in turn, serves as the foundation for implementing an \emph{auditable snapshot} object and, more generally, \emph{versioned types}. These extensions maintain the strengthened notion of auditability, appropriately adapted from multi-writer, multi-reader registers.