Auditing without Leaks Despite Curiosity

Abstract

Auditing data accesses helps preserve privacy and ensures accountability by allowing one to determine who accessed (potentially sensitive) information. A prior formal definition of register auditability was based on the values returned by read operations, without accounting for cases where a reader might learn a value without explicitly reading it or gain knowledge of data access without being an auditor. This paper introduces a refined definition of auditability that focuses on when a read operation is effective, rather than relying on its completion and return of a value. Furthermore, we formally specify the constraints that prevent readers from learning values they did not explicitly read or from auditing other readers' accesses. Our primary algorithmic contribution is a wait-free implementation of a multi-writer, multi-reader register that tracks effective reads while preventing unauthorized audits. The key challenge is ensuring that a read is auditable as soon as it becomes effective, which we achieve by combining value access and access logging into a single atomic operation. Another challenge is recording accesses without exposing them to readers, which we address using a simple encryption technique (one-time pad). We extend this implementation to an auditable max register that tracks the largest value ever written. The implementation deals with the additional challenge posed by the max register semantics, which allows readers to learn prior values without reading them. The max register, in turn, serves as the foundation for implementing an auditable snapshot object and, more generally, versioned types. These extensions maintain the strengthened notion of auditability, appropriately adapted from multi-writer, multi-reader registers.