distributed system security via logical frameworks frank pfenning carnegie mellon university joint...

Distributed System Distributed System Security via Logical Security via Logical

FrameworksFrameworks

Frank PfenningCarnegie Mellon

UniversityJoint work with Lujo Bauer, Deepak Garg, and Mike Reiter

11/18/2005 McGill University 2

OutlineOutline

The Grey Project Authentication and

Authorization Affirmation and Truth Proof Search Absence of Interference Consumable Resources Conclusion


The Grey ProjectThe Grey Project

Smartphones for universal access control

Doors, computers, food?, cars?, … Being deployed at CMU CyLab building

Exploit communication capabilities Bluetooth, camera, speaker,

microphone Mobile data services, keypad

Exploit computational power 500 mHz processor, J2ME


Technical ChallengesTechnical Challenges

Distributed multi-modal access control

Flexible and extensible Formally analyzable Intuitive and usable

Efficient fair contract signing Capture resilience Privacy protection Interfaces, programming realities


Authentication & AuthorizationAuthentication & Authorization

Jack: Please let me into the castle.

Jack: ``Jack’’. Here is my passport.

Guard: Who are you?

Guard: The seal is valid.

Guard: You are in my list.

Guard: You may enter.

The King

These may enter:King, Queen,Jack, Jill,…

Policy

This is Jack

The King


Access Control ListsAccess Control Lists

Authentication via certificates Use digitally signed certificates Verify with public key cryptography Employed in Grey architecture

Authorization via access control lists

Check membership in access control list

Inflexible and difficult to extend Replace by other mechanism in Grey


Certificates for AuthorizationCertificates for Authorization

Authentication as before

Jack: Here is my commission.

Guard: Why should I let you in?

Guard: Your commission is valid.

Guard: You may enter.The King

Jack may enterAffirmation


Authorization via PropositionsAuthorization via Propositions

Policy: let pass if

Enforcement: check if King signed

Apply in other scenarios File systems (may-read, may-write) Doors (may-open)


Distributed AuthorizationDistributed Authorization


Jack: I belong to the Queen’shousehold.


Guard: Is Jack a memberof your household?

Queen: Yes.The King

PolicyThese may enter:King, Queen, …,Members of theQueen’s household

Guard: You may enter.

The Queen

Jack is a memberof my household

Affirmation


Reasoning about AuthorizationReasoning about Authorization

Policy, given as signed certificates:

Enforcement: Check proof of

Requires verification of certificates and logical reasoning


Proof-Carrying AuthorizationProof-Carrying Authorization

Resource monitor challenges w. proposition

Client assembles and sends proof object Using local and remote certificates Exploits communication abilities of cell

phone Resource monitor checks proof

Check proper application of inference rules Validate embedded certificates

[Appel & Felten’99] [Bauer’03]


Some IssuesSome Issues

Authorization logic General logical rules Policy expression Proof search, representation, and

verification Properties of policies

Certificates Verification authority, expiration,

revocation Use X.509 standard


Authorization LogicAuthorization Logic

Logical reasoning about access control

[Abadi,Burrows,Lampson,Plotkin’93]

Much subsequent work omitted here General characteristics of prior

work Decidable (propositional or datalog

fragment) Classical (law of excluded middle) Modal logic (“K says” as modality)


A New FoundationA New Foundation

Goals Inherent extensibility Tie between meaning of

connectives (policy expression) and proofs (policy enforcement)

Formal reasoning about policies Further Goals

Reasoning with state, time, and knowledge

[Garg & Pf’05] [Bauer, Bowers, Pf, Reiter’05]


Logic, the Multi-Headed HydraLogic, the Multi-Headed Hydra

Classical

Intuitionistic

Epistemic

“Intentional”

Temporal Linear

ModalTraditionalMathematics

Functional Programming

Model Checking

Consumable Resources

Authorization

Knowledge

Distributed Systems


How Do We Define a Logic?How Do We Define a Logic?

Must explain the meaning of propositions

The meaning of a proposition is determined by what counts as evidence for its truth

[Gentzen’35] [Martin-Löf’83] [Pf & Davies’01]

Meaning via proofs, proofs via meaning Well-suited for proof-carrying

authorization Other approaches possible

Axiomatic, categorical, denotational, …


ExamplesExamples

Disjunction ``A or B’’

Conjunction ``A and B’’


Hypothetical JudgmentsHypothetical Judgments

Reasoning from assumptions

Hypothesis rule

Hypotheses can be used arbitrarily often

Hypotheses Conclusion

Gamma,for arbitrary hypotheses


Two Sides to Every StoryTwo Sides to Every Story

For each connective: Show how to prove it on the

right-hand side Show how to use it on the left-

hand side Example: Disjunction ``A or

B’’


Cut EliminationCut Elimination

The right and left rules must be in harmony

The rule of Cut must be redundant

All uses of Cut can be eliminated Cut does not analyze the given

propositions in Γ or C, but introduces arbitrary A in premises


ImplicationImplication

Hypothetical reasoning as a proposition

All rules break down connectives Meaning of proposition composed

from the meanings of it parts


AffirmationAffirmation

Only judgment so far: “A true” Affirmation expresses policy

(intent) New judgment: “K affirms A”

Externally new evidence (signed certificates)

Internally new rules (relation to truth)

Example


Affirmation and TruthAffirmation and Truth

Principals may affirm any proposition Principals will affirm all true

propositions

Principals can reason logically

This form of Cut must be also be redundant


Affirmation as a PropositionAffirmation as a Proposition

New proposition “K says A” Define meaning by right and left

rules

Reason from affirmation assumptions


Example ProofExample Proof



First subproof

Follows by hypothesis rule



Second subproof

Proof complete by hypothesis rule


Distributed Proof SearchDistributed Proof Search

Locally known certificates as hypotheses

Resource monitor’s challenge as conclusion

Construct proof bottom-up Choose rule and apply (backwards) Backtrack if necessary

Contact remote data base or principal when “K says A” is unprovable subgoal

[Bauer, Garriss, Reiter’05]


Proof RepresentationProof Representation

Proofs unwieldy on paper Formal representation compact &

efficient Use logical framework

Logic specification Proof search, representation, and

checking Reasoning about logic

Example: earlier proof becomes


Logical FrameworksLogical Frameworks

LF logical framework [Harper, Honsell, Plotkin’93]

Judgments as types; proofs as objects

Specifications are open-ended Inherent extensibility of

authorization logic Twelf implementation

[Schürmann’01] [Pientka’03]

Reasoning about encoded logic


Some General TheoremsSome General Theorems

Some characteristic theorems

Familiar from functional programming

“K says” forms strong monad Used to isolate effects [Moggi’91] [Wadler’93] [Pf & Davies’01]


Some Non-TheoremsSome Non-Theorems

Understand when access is denied

Some non-theorems (for unknown K, A, Q)

Sample meta-argument

Does not match conclusion of any rule


Absence of InterferenceAbsence of Interference

Explore consequences of access control policy, expressed in authorization logic

Metatheorem:If “K says” occurs only as conclusion in P and assumption in C then

More complex non-interference theorems

[Garg & Pf’05]

if and only if


Formal MetatheoryFormal Metatheory

Formal metatheory of authorization logic in Twelf

Cut elimination Simple non-interference results

Proof search for existential question

“Does there exist a proof of A true” Metatheory for universal questions

“No proof concludes that A true”


Consumable ResourcesConsumable Resources


Jack: I will pay you Gld 100.


Guard: You may enter when you pay.

Guard:

The King

These may enter:King, Queen, …,anyone who paysGld 100.

Policy

Jack:


Consumable ResourcesConsumable Resources

Logically Ephemeral hypotheses (use

only once in proof) Supported in linear logic

Cryptographically Consumable certificates Multi-party contract signing Atomic fair exchange


Linear LogicLinear Logic

Persistent and ephemeral hypotheses

Some new connectives A ( B : with ephemeral A we can

prove B A B : both A and B ephemerally

Truth, affirmation, and prior connectives still make sense

Persistent,use arbitrarily

Ephemeral,use once


Linear Authorization LogicLinear Authorization Logic

Example (simplified)

Omitted consent (Bank)


RealizationRealization

Proving does not consume actual resources

Realizing a complete proof will consume resources (certificates)

Must be atomic Implement with multi-party contract

signing Involves separate ratification

authority [Bauer, Bauers, Pf, Reiter’05]


SummarySummary

Cell phones for universal access control

Exploit communication capabilities Being deployed at CMU CyLab floor

Logical approach to access control Flexible and extensible Unifies policy expression and

enforcement Permits formal reasoning about policies Implemented in logical framework


Current and Future WorkCurrent and Future Work

Consumable certificates and linear logic

Reasoning with state, multi-party contracts

Privacy and epistemic logic Reasoning with local knowledge, protocols

Expiration and temporal logic Reasoning about time, details of

certificates Engineering the infrastructure,

interfaces

distributed system security via logical frameworks frank pfenning carnegie mellon university joint...

Documents

king slide

king jack

grey slide

authorization policy

queen jack

j2me slide

open slide

household affirmation