distributed system security via logical frameworks frank pfenning carnegie mellon university joint...
Post on 20-Dec-2015
217 views
TRANSCRIPT
Distributed System Distributed System Security via Logical Security via Logical
FrameworksFrameworks
Frank PfenningCarnegie Mellon
UniversityJoint work with Lujo Bauer, Deepak Garg, and Mike Reiter
11/18/2005 McGill University 2
OutlineOutline
The Grey Project Authentication and
Authorization Affirmation and Truth Proof Search Absence of Interference Consumable Resources Conclusion
11/18/2005 McGill University 3
The Grey ProjectThe Grey Project
Smartphones for universal access control
Doors, computers, food?, cars?, … Being deployed at CMU CyLab building
Exploit communication capabilities Bluetooth, camera, speaker,
microphone Mobile data services, keypad
Exploit computational power 500 mHz processor, J2ME
11/18/2005 McGill University 4
Technical ChallengesTechnical Challenges
Distributed multi-modal access control
Flexible and extensible Formally analyzable Intuitive and usable
Efficient fair contract signing Capture resilience Privacy protection Interfaces, programming realities
11/18/2005 McGill University 5
Authentication & AuthorizationAuthentication & Authorization
Jack: Please let me into the castle.
Jack: ``Jack’’. Here is my passport.
Guard: Who are you?
Guard: The seal is valid.
Guard: You are in my list.
Guard: You may enter.
The King
These may enter:King, Queen,Jack, Jill,…
Policy
This is Jack
The King
11/18/2005 McGill University 6
Access Control ListsAccess Control Lists
Authentication via certificates Use digitally signed certificates Verify with public key cryptography Employed in Grey architecture
Authorization via access control lists
Check membership in access control list
Inflexible and difficult to extend Replace by other mechanism in Grey
11/18/2005 McGill University 7
Certificates for AuthorizationCertificates for Authorization
Authentication as before
Jack: Here is my commission.
Guard: Why should I let you in?
Guard: Your commission is valid.
Guard: You may enter.The King
Jack may enterAffirmation
11/18/2005 McGill University 8
Authorization via PropositionsAuthorization via Propositions
Policy: let pass if
Enforcement: check if King signed
Apply in other scenarios File systems (may-read, may-write) Doors (may-open)
11/18/2005 McGill University 9
Distributed AuthorizationDistributed Authorization
Authentication as before
Jack: I belong to the Queen’shousehold.
Guard: Why should I let you in?
Guard: Is Jack a memberof your household?
Queen: Yes.The King
PolicyThese may enter:King, Queen, …,Members of theQueen’s household
Guard: You may enter.
The Queen
Jack is a memberof my household
Affirmation
11/18/2005 McGill University 10
Reasoning about AuthorizationReasoning about Authorization
Policy, given as signed certificates:
Enforcement: Check proof of
Requires verification of certificates and logical reasoning
11/18/2005 McGill University 11
Proof-Carrying AuthorizationProof-Carrying Authorization
Resource monitor challenges w. proposition
Client assembles and sends proof object Using local and remote certificates Exploits communication abilities of cell
phone Resource monitor checks proof
Check proper application of inference rules Validate embedded certificates
[Appel & Felten’99] [Bauer’03]
11/18/2005 McGill University 12
Some IssuesSome Issues
Authorization logic General logical rules Policy expression Proof search, representation, and
verification Properties of policies
Certificates Verification authority, expiration,
revocation Use X.509 standard
11/18/2005 McGill University 13
Authorization LogicAuthorization Logic
Logical reasoning about access control
[Abadi,Burrows,Lampson,Plotkin’93]
Much subsequent work omitted here General characteristics of prior
work Decidable (propositional or datalog
fragment) Classical (law of excluded middle) Modal logic (“K says” as modality)
11/18/2005 McGill University 14
A New FoundationA New Foundation
Goals Inherent extensibility Tie between meaning of
connectives (policy expression) and proofs (policy enforcement)
Formal reasoning about policies Further Goals
Reasoning with state, time, and knowledge
[Garg & Pf’05] [Bauer, Bowers, Pf, Reiter’05]
11/18/2005 McGill University 15
Logic, the Multi-Headed HydraLogic, the Multi-Headed Hydra
Classical
Intuitionistic
Epistemic
“Intentional”
Temporal Linear
ModalTraditionalMathematics
Functional Programming
Model Checking
Consumable Resources
Authorization
Knowledge
Distributed Systems
11/18/2005 McGill University 16
How Do We Define a Logic?How Do We Define a Logic?
Must explain the meaning of propositions
The meaning of a proposition is determined by what counts as evidence for its truth
[Gentzen’35] [Martin-Löf’83] [Pf & Davies’01]
Meaning via proofs, proofs via meaning Well-suited for proof-carrying
authorization Other approaches possible
Axiomatic, categorical, denotational, …
11/18/2005 McGill University 17
ExamplesExamples
Disjunction ``A or B’’
Conjunction ``A and B’’
11/18/2005 McGill University 18
Hypothetical JudgmentsHypothetical Judgments
Reasoning from assumptions
Hypothesis rule
Hypotheses can be used arbitrarily often
Hypotheses Conclusion
Gamma,for arbitrary hypotheses
11/18/2005 McGill University 19
Two Sides to Every StoryTwo Sides to Every Story
For each connective: Show how to prove it on the
right-hand side Show how to use it on the left-
hand side Example: Disjunction ``A or
B’’
11/18/2005 McGill University 20
Cut EliminationCut Elimination
The right and left rules must be in harmony
The rule of Cut must be redundant
All uses of Cut can be eliminated Cut does not analyze the given
propositions in Γ or C, but introduces arbitrary A in premises
11/18/2005 McGill University 21
ImplicationImplication
Hypothetical reasoning as a proposition
All rules break down connectives Meaning of proposition composed
from the meanings of it parts
11/18/2005 McGill University 22
AffirmationAffirmation
Only judgment so far: “A true” Affirmation expresses policy
(intent) New judgment: “K affirms A”
Externally new evidence (signed certificates)
Internally new rules (relation to truth)
Example
11/18/2005 McGill University 23
Affirmation and TruthAffirmation and Truth
Principals may affirm any proposition Principals will affirm all true
propositions
Principals can reason logically
This form of Cut must be also be redundant
11/18/2005 McGill University 24
Affirmation as a PropositionAffirmation as a Proposition
New proposition “K says A” Define meaning by right and left
rules
Reason from affirmation assumptions
11/18/2005 McGill University 25
Example ProofExample Proof
11/18/2005 McGill University 26
Example ProofExample Proof
First subproof
Follows by hypothesis rule
11/18/2005 McGill University 27
Example ProofExample Proof
Second subproof
Proof complete by hypothesis rule
11/18/2005 McGill University 28
Distributed Proof SearchDistributed Proof Search
Locally known certificates as hypotheses
Resource monitor’s challenge as conclusion
Construct proof bottom-up Choose rule and apply (backwards) Backtrack if necessary
Contact remote data base or principal when “K says A” is unprovable subgoal
[Bauer, Garriss, Reiter’05]
11/18/2005 McGill University 29
Proof RepresentationProof Representation
Proofs unwieldy on paper Formal representation compact &
efficient Use logical framework
Logic specification Proof search, representation, and
checking Reasoning about logic
Example: earlier proof becomes
11/18/2005 McGill University 30
Logical FrameworksLogical Frameworks
LF logical framework [Harper, Honsell, Plotkin’93]
Judgments as types; proofs as objects
Specifications are open-ended Inherent extensibility of
authorization logic Twelf implementation
[Schürmann’01] [Pientka’03]
Reasoning about encoded logic
11/18/2005 McGill University 31
Some General TheoremsSome General Theorems
Some characteristic theorems
Familiar from functional programming
“K says” forms strong monad Used to isolate effects [Moggi’91] [Wadler’93] [Pf & Davies’01]
11/18/2005 McGill University 32
Some Non-TheoremsSome Non-Theorems
Understand when access is denied
Some non-theorems (for unknown K, A, Q)
Sample meta-argument
Does not match conclusion of any rule
11/18/2005 McGill University 33
Absence of InterferenceAbsence of Interference
Explore consequences of access control policy, expressed in authorization logic
Metatheorem:If “K says” occurs only as conclusion in P and assumption in C then
More complex non-interference theorems
[Garg & Pf’05]
if and only if
11/18/2005 McGill University 34
Formal MetatheoryFormal Metatheory
Formal metatheory of authorization logic in Twelf
Cut elimination Simple non-interference results
Proof search for existential question
“Does there exist a proof of A true” Metatheory for universal questions
“No proof concludes that A true”
11/18/2005 McGill University 35
Consumable ResourcesConsumable Resources
Authentication as before
Jack: I will pay you Gld 100.
Guard: Why should I let you in?
Guard: You may enter when you pay.
Guard:
The King
These may enter:King, Queen, …,anyone who paysGld 100.
Policy
Jack:
11/18/2005 McGill University 36
Consumable ResourcesConsumable Resources
Logically Ephemeral hypotheses (use
only once in proof) Supported in linear logic
Cryptographically Consumable certificates Multi-party contract signing Atomic fair exchange
11/18/2005 McGill University 37
Linear LogicLinear Logic
Persistent and ephemeral hypotheses
Some new connectives A ( B : with ephemeral A we can
prove B A B : both A and B ephemerally
Truth, affirmation, and prior connectives still make sense
Persistent,use arbitrarily
Ephemeral,use once
11/18/2005 McGill University 38
Linear Authorization LogicLinear Authorization Logic
Example (simplified)
Omitted consent (Bank)
11/18/2005 McGill University 39
RealizationRealization
Proving does not consume actual resources
Realizing a complete proof will consume resources (certificates)
Must be atomic Implement with multi-party contract
signing Involves separate ratification
authority [Bauer, Bauers, Pf, Reiter’05]
11/18/2005 McGill University 40
SummarySummary
Cell phones for universal access control
Exploit communication capabilities Being deployed at CMU CyLab floor
Logical approach to access control Flexible and extensible Unifies policy expression and
enforcement Permits formal reasoning about policies Implemented in logical framework
11/18/2005 McGill University 41
Current and Future WorkCurrent and Future Work
Consumable certificates and linear logic
Reasoning with state, multi-party contracts
Privacy and epistemic logic Reasoning with local knowledge, protocols
Expiration and temporal logic Reasoning about time, details of
certificates Engineering the infrastructure,
interfaces