distributed system security via logical frameworks frank pfenning carnegie mellon university joint...

Distributed System Distributed System Security via Logical Security via Logical

FrameworksFrameworks

Frank PfenningCarnegie Mellon

UniversityJoint work with Lujo Bauer, Deepak Garg, and Mike Reiter

11/18/2005 McGill University 2

OutlineOutline

The Grey Project Authentication and

Authorization Affirmation and Truth Proof Search Absence of Interference Consumable Resources Conclusion

11/18/2005 McGill University 3

The Grey ProjectThe Grey Project

Smartphones for universal access control

Doors, computers, food?, cars?, … Being deployed at CMU CyLab building

Exploit communication capabilities Bluetooth, camera, speaker,

microphone Mobile data services, keypad

Exploit computational power 500 mHz processor, J2ME

11/18/2005 McGill University 4

Technical ChallengesTechnical Challenges

Distributed multi-modal access control

Flexible and extensible Formally analyzable Intuitive and usable

Efficient fair contract signing Capture resilience Privacy protection Interfaces, programming realities

11/18/2005 McGill University 5

Authentication & AuthorizationAuthentication & Authorization

Jack: Please let me into the castle.

Jack: ``Jack’’. Here is my passport.

Guard: Who are you?

Guard: The seal is valid.

Guard: You are in my list.

Guard: You may enter.

The King

These may enter:King, Queen,Jack, Jill,…

Policy

This is Jack

The King

11/18/2005 McGill University 6

Access Control ListsAccess Control Lists

Authentication via certificates Use digitally signed certificates Verify with public key cryptography Employed in Grey architecture

Authorization via access control lists

Check membership in access control list

Inflexible and difficult to extend Replace by other mechanism in Grey

11/18/2005 McGill University 7

Certificates for AuthorizationCertificates for Authorization

Authentication as before

Jack: Here is my commission.

Guard: Why should I let you in?

Guard: Your commission is valid.

Guard: You may enter.The King

Jack may enterAffirmation

11/18/2005 McGill University 8

Authorization via PropositionsAuthorization via Propositions

Policy: let pass if

Enforcement: check if King signed

Apply in other scenarios File systems (may-read, may-write) Doors (may-open)

11/18/2005 McGill University 9

Distributed AuthorizationDistributed Authorization

Authentication as before

Jack: I belong to the Queen’shousehold.

Guard: Why should I let you in?

Guard: Is Jack a memberof your household?

Queen: Yes.The King

PolicyThese may enter:King, Queen, …,Members of theQueen’s household

Guard: You may enter.

The Queen

Jack is a memberof my household

Affirmation

11/18/2005 McGill University 10

Reasoning about AuthorizationReasoning about Authorization

Policy, given as signed certificates:

Enforcement: Check proof of

Requires verification of certificates and logical reasoning

11/18/2005 McGill University 11

Proof-Carrying AuthorizationProof-Carrying Authorization

Resource monitor challenges w. proposition

Client assembles and sends proof object Using local and remote certificates Exploits communication abilities of cell

phone Resource monitor checks proof

Check proper application of inference rules Validate embedded certificates

[Appel & Felten’99] [Bauer’03]

11/18/2005 McGill University 12

Some IssuesSome Issues

Authorization logic General logical rules Policy expression Proof search, representation, and

verification Properties of policies

Certificates Verification authority, expiration,

revocation Use X.509 standard

11/18/2005 McGill University 13

Authorization LogicAuthorization Logic

Logical reasoning about access control

[Abadi,Burrows,Lampson,Plotkin’93]

Much subsequent work omitted here General characteristics of prior

work Decidable (propositional or datalog

fragment) Classical (law of excluded middle) Modal logic (“K says” as modality)

11/18/2005 McGill University 14

A New FoundationA New Foundation

Goals Inherent extensibility Tie between meaning of

connectives (policy expression) and proofs (policy enforcement)

Formal reasoning about policies Further Goals

Reasoning with state, time, and knowledge

[Garg & Pf’05] [Bauer, Bowers, Pf, Reiter’05]

11/18/2005 McGill University 15

Logic, the Multi-Headed HydraLogic, the Multi-Headed Hydra

Classical

Intuitionistic

Epistemic

“Intentional”

Temporal Linear

ModalTraditionalMathematics

Functional Programming

Model Checking

Consumable Resources

Authorization

Knowledge

Distributed Systems

11/18/2005 McGill University 16

How Do We Define a Logic?How Do We Define a Logic?

Must explain the meaning of propositions

The meaning of a proposition is determined by what counts as evidence for its truth

[Gentzen’35] [Martin-Löf’83] [Pf & Davies’01]

Meaning via proofs, proofs via meaning Well-suited for proof-carrying

authorization Other approaches possible

Axiomatic, categorical, denotational, …

11/18/2005 McGill University 17

ExamplesExamples

Disjunction ``A or B’’

Conjunction ``A and B’’

11/18/2005 McGill University 18

Hypothetical JudgmentsHypothetical Judgments

Reasoning from assumptions

Hypothesis rule

Hypotheses can be used arbitrarily often

Hypotheses Conclusion

Gamma,for arbitrary hypotheses

11/18/2005 McGill University 19

Two Sides to Every StoryTwo Sides to Every Story

For each connective: Show how to prove it on the

right-hand side Show how to use it on the left-

hand side Example: Disjunction ``A or

B’’

11/18/2005 McGill University 20

Cut EliminationCut Elimination

The right and left rules must be in harmony

The rule of Cut must be redundant

All uses of Cut can be eliminated Cut does not analyze the given

propositions in Γ or C, but introduces arbitrary A in premises

11/18/2005 McGill University 21

ImplicationImplication

Hypothetical reasoning as a proposition

All rules break down connectives Meaning of proposition composed

from the meanings of it parts

11/18/2005 McGill University 22

AffirmationAffirmation

Only judgment so far: “A true” Affirmation expresses policy

(intent) New judgment: “K affirms A”

Externally new evidence (signed certificates)

Internally new rules (relation to truth)

Example

11/18/2005 McGill University 23

Affirmation and TruthAffirmation and Truth

Principals may affirm any proposition Principals will affirm all true

propositions

Principals can reason logically

This form of Cut must be also be redundant

11/18/2005 McGill University 24

Affirmation as a PropositionAffirmation as a Proposition

New proposition “K says A” Define meaning by right and left

rules

Reason from affirmation assumptions

11/18/2005 McGill University 25

Example ProofExample Proof

11/18/2005 McGill University 26

Example ProofExample Proof

First subproof

Follows by hypothesis rule

11/18/2005 McGill University 27

Example ProofExample Proof

Second subproof

Proof complete by hypothesis rule

11/18/2005 McGill University 28

Distributed Proof SearchDistributed Proof Search

Locally known certificates as hypotheses

Resource monitor’s challenge as conclusion

Construct proof bottom-up Choose rule and apply (backwards) Backtrack if necessary

Contact remote data base or principal when “K says A” is unprovable subgoal

[Bauer, Garriss, Reiter’05]

11/18/2005 McGill University 29

Proof RepresentationProof Representation

Proofs unwieldy on paper Formal representation compact &

efficient Use logical framework

Logic specification Proof search, representation, and

checking Reasoning about logic

Example: earlier proof becomes

11/18/2005 McGill University 30

Logical FrameworksLogical Frameworks

LF logical framework [Harper, Honsell, Plotkin’93]

Judgments as types; proofs as objects

Specifications are open-ended Inherent extensibility of

authorization logic Twelf implementation

[Schürmann’01] [Pientka’03]

Reasoning about encoded logic

11/18/2005 McGill University 31

Some General TheoremsSome General Theorems

Some characteristic theorems

Familiar from functional programming

“K says” forms strong monad Used to isolate effects [Moggi’91] [Wadler’93] [Pf & Davies’01]

11/18/2005 McGill University 32

Some Non-TheoremsSome Non-Theorems

Understand when access is denied

Some non-theorems (for unknown K, A, Q)

Sample meta-argument

Does not match conclusion of any rule

11/18/2005 McGill University 33

Absence of InterferenceAbsence of Interference

Explore consequences of access control policy, expressed in authorization logic

Metatheorem:If “K says” occurs only as conclusion in P and assumption in C then

More complex non-interference theorems

[Garg & Pf’05]

if and only if

11/18/2005 McGill University 34

Formal MetatheoryFormal Metatheory

Formal metatheory of authorization logic in Twelf

Cut elimination Simple non-interference results

Proof search for existential question

“Does there exist a proof of A true” Metatheory for universal questions

“No proof concludes that A true”

11/18/2005 McGill University 35

Consumable ResourcesConsumable Resources

Authentication as before

Jack: I will pay you Gld 100.

Guard: Why should I let you in?

Guard: You may enter when you pay.

Guard:

The King

These may enter:King, Queen, …,anyone who paysGld 100.

Policy

Jack:

11/18/2005 McGill University 36

Consumable ResourcesConsumable Resources

Logically Ephemeral hypotheses (use

only once in proof) Supported in linear logic

Cryptographically Consumable certificates Multi-party contract signing Atomic fair exchange

11/18/2005 McGill University 37

Linear LogicLinear Logic

Persistent and ephemeral hypotheses

Some new connectives A ( B : with ephemeral A we can

prove B A B : both A and B ephemerally

Truth, affirmation, and prior connectives still make sense

Persistent,use arbitrarily

Ephemeral,use once

11/18/2005 McGill University 38

Linear Authorization LogicLinear Authorization Logic

Example (simplified)

Omitted consent (Bank)

11/18/2005 McGill University 39

RealizationRealization

Proving does not consume actual resources

Realizing a complete proof will consume resources (certificates)

Must be atomic Implement with multi-party contract

signing Involves separate ratification

authority [Bauer, Bauers, Pf, Reiter’05]

11/18/2005 McGill University 40

SummarySummary

Cell phones for universal access control

Exploit communication capabilities Being deployed at CMU CyLab floor

Logical approach to access control Flexible and extensible Unifies policy expression and

enforcement Permits formal reasoning about policies Implemented in logical framework

11/18/2005 McGill University 41

Current and Future WorkCurrent and Future Work

Consumable certificates and linear logic

Reasoning with state, multi-party contracts

Privacy and epistemic logic Reasoning with local knowledge, protocols

Expiration and temporal logic Reasoning about time, details of

certificates Engineering the infrastructure,

interfaces