Applications of Logic in Computer Security

1
Applications of Logic in Computer Security
  • Jonathan Millen
  • SRI International

2
Areas of Application
  • Multilevel Operating System Security
  • Orange Book, Commercial Trusted Product
    Evaluation, A1-level
  • Emphasis on secrecy, security/clearance levels
  • Access Control Policies
  • Discretionary or role-based policies
  • Emphasis on application-specific policies,
    integrity
  • Public-Key Infrastructure and Trust Management
  • Network and distributed system security
  • Digitally signed certificates for identity and
    privileges
  • Cryptographic Authentication Protocols
  • For network communication confidentiality and
    authentication
  • Other areas: databases, firewalls/routers,
    intrusion detection

[Slide labels: Computer Security, Network Security]
3
Contributions of Logic
  • Undecidability Results
  • Safety problem for discretionary access control
  • Cryptographic protocol analysis
  • Theorem Proving Environments
  • Verifying correctness of formal OS specifications
  • Inductive proofs of cryptographic protocols
  • Logic Programming
  • Prolog programs for cryptographic protocol
    analysis, trust management
  • Model Checking
  • For cryptographic protocol analysis
  • Specialized Logics
  • For cryptographic protocol analysis, trust
    management

4
Multilevel Operating System Security
  • Motivated by protection of classified information
    in shared systems
  • High-assurance (A1) systems may protect Secret
    data from uncleared users
  • Architecture: trusted OS kernel, hardware support
  • Abstract system model of access control:
    Bell-LaPadula (ca. 1975)
  • Structured state-transition system:
    subject-object access matrix, levels
  • Security invariants and transition rules (for OS
    functions)
  • Formal Top-Level Specification (FTLS)
  • More detailed state-transition system
  • Formal Proofs
  • Model transitions satisfy invariants
  • FTLS is an interpretation of the system model
  • Carried out in environments like Gypsy, FDM, HDM
  • Some FTLS errors reflected in code were
    discovered
  • Of Historical Interest

5
Access Control Policies
  • Safety Problem
  • Subject-object-rights matrix
  • Rights were arbitrary, representing different
    kinds of access
  • Operations: create/delete subjects, objects;
    enter/remove rights
  • System of conditional rules to apply operations
  • Harrison-Ruzzo-Ullman Undecidability Result
  • Whether S can ever receive right r to object O
  • Comm. ACM 19(8), 1976
  • Decidable if number of subjects is bounded
  • Historical Impact
  • Led to interest in efficiently decidable systems
  • Take-Grant, DAC, RBAC

[Figure: access matrix with right r in the cell for subject Si and object Oj]
6
Public-Key Certificates
  • Based on asymmetric encryption
  • Key pair KA, KA⁻¹: one made public, one kept
    secret
  • Text block encrypted with KA can be decrypted
    only with KA⁻¹.
  • Impractical to compute secret key from public key
  • Digital signature
  • Text string T
  • Apply one-way (hash) function
  • Encrypt with secret key
  • Verify by decrypting with signer's public key,
    compare hash result
  • Public Key Certificate
  • Binds name to public key, signed by trusted party
  • Logical Equivalent
  • A says (KB is the public key of B)
  • provided that KA is the public key of A

T → h(T) → {h(T)}KA⁻¹
B, KB, {h(B,KB)}KA⁻¹
7
Logic of Distributed Authentication
  • Origination
  • "Authentication in distributed systems: theory
    and practice," by Lampson, Abadi, Burrows, and
    Wobber, ACM Trans. Comp. Sys., 10(4), 1992
  • Theory of says and speaks for (⇒ relation)
  • (A ⇒ B) ⊃ ((A says s) ⊃ (B says s))
    (P8)
  • (A says (B ⇒ A)) ⊃ (B ⇒ A)
    (P10)
  • Application to distributed systems
  • A and B are principals: users or keys (can say
    something)
  • A says s means A authorizes command (operation,
    access) s
  • A ⇒ B means B delegates authority to A
  • Certificate T, {T}KA⁻¹ means KA says T
  • Public key certificate means KA ⇒ A
  • Credentials sent from one network node to another
    to authorize resources
  • Implemented in Taos operating system
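
The derivation behind a certificate-backed request, as an added example that is not part of the original slides: a forward-chaining closure over axioms P8 and P10. The principals Kca, CA, Kb, Kx, Km and B, the assumption that CA speaks for B's name, and the request string are constructed for illustration.

```python
from itertools import product

def sf(x, y):
    """x ⇒ y : x speaks for y."""
    return ("sf", x, y)

def says(p, s):
    """p says s, where s is a request string or a speaks-for statement."""
    return ("says", p, s)

def close(facts):
    """Forward-chain axioms P8 and P10 until no new fact is derived."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            # P10 (handoff): (A says (B ⇒ A)) ⊃ (B ⇒ A)
            if (f[0] == "says" and isinstance(f[2], tuple)
                    and f[2][0] == "sf" and f[2][2] == f[1]):
                new.add(f[2])
        for g, f in product(facts, repeat=2):
            # P8: (A ⇒ B) ⊃ ((A says s) ⊃ (B says s))
            if g[0] == "sf" and f[0] == "says" and f[1] == g[1]:
                new.add(says(g[2], f[2]))
        if new <= facts:
            return facts
        facts |= new

# Constructed trust assumptions: key Kca speaks for CA, and CA is trusted
# to speak for the name B (it may certify B's keys).
TRUST = {sf("Kca", "CA"), sf("CA", "B")}
CERT = says("Kca", sf("Kb", "B"))        # public-key certificate for B
REQUEST = says("Kb", "read report")      # request signed with B's key

def b_authorizes(credentials):
    """True if 'B says read report' follows from TRUST plus the credentials."""
    return says("B", "read report") in close(TRUST | set(credentials))
```

The chain is Kca ⇒ CA, CA says (Kb ⇒ B), B says (Kb ⇒ B), Kb ⇒ B, then B says the request; a certificate signed by a key outside TRUST never enters the chain.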

8
Trust Management
  • Policymaker
  • Decentralized trust management, Blaze,
    Feigenbaum, Lacy, 1996 IEEE Symposium on Security
    and Privacy
  • Identified trust management as a distinct problem
  • Purpose: to define and implement policy using
    credentials to process queries
  • Delegation Logic
  • A logic-based knowledge representation for
    Authorization with Delegation, Li, Feigenbaum,
    Grosof, 1999 Computer Security Foundations
    Workshop
  • Language to express policies
  • Primitives include says, delegates (speaks for
    with object)
  • Access permission is decidable
  • Logic program implementation (in Datalog)

9
Cryptographic Protocols
  • Cryptographic protocol
  • an exchange of messages over an insecure
    communication medium, using cryptographic
    transformations to ensure authentication and
    secrecy of data and keying material.
  • Applications
  • military communications, business communications,
    electronic commerce, privacy
  • Examples
  • Kerberos: MIT protocol for unitary login to
    network services
  • SSL (Secure Socket Layer, used in Web browsers)
  • IPSec: standard suite of Internet protocols due
    to the IETF
  • SET (Secure Electronic Transaction) protocol
  • PGP (Pretty Good Privacy)

10
A Popular Example
  • The Needham-Schroeder public-key handshake
  • R. M. Needham and M. D. Schroeder, Using
    Encryption for Authentication in Large Networks
    of Computers, Comm. ACM, Dec., 1978
  • A → B: {A, Na}Kb
  • B → A: {Na, Nb}Ka
  • A → B: {Nb}Kb
  • Purpose: mutual authentication of A and B,
    sharing secrets Na, Nb
  • This is an Alice-and-Bob protocol specification
  • Na and Nb are nonces (used once)
  • Ka is the public key of A
  • The protocol is vulnerable...

11
The Attack
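[Diagram: message sequence between A, M and B. The A-M session is normal; the M-B session is false.]
  • A → M: {A, Na}Km
  • M → B: {A, Na}Kb
  • B → M: {Na, Nb}Ka
  • M → A: {Na, Nb}Ka
  • A → M: {Nb}Km
  • M → B: {Nb}Kb
  • B thinks he's talking to A; Nb is compromised
Lowe, "Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR," TACAS 1996, LNCS 1055
A malicious party M can forge addresses, deviate from protocol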
12
Undecidable in General
  • Reduction of Post correspondence problem
  • Word pairs ui, vi for 1 ≤ i < n
  • Does there exist ui1...uik = vi1...vik?
  • Construction
  • Protocol with one role (or one per i)
  • Compromises secret if solution exists
  • Attacker cannot forge release message
  • because of encryption
  • Observations
  • Messages are unbounded
  • Construction suggested by Heintze & Tygar, 1994
  • First undecidability proof by Even & Goldreich,
    1983
  • 1999 proof by Durgin, et al. shows nonces are
    enough

send {ε, ε}K; receive {X, Y}K; if X = Y ≠ ε, send
secret; else choose i, send {Xui, Yvi}K
13
Analysis Approaches
  • Model checking
  • State-space search for attacks
  • Inductive proof
  • Using verification tools or by hand
  • Can prove protocols correct (for abstract
    encryption)
  • Belief-logic proofs
  • BAN logic and successors
  • For authentication properties

14
Linear Logic Model
  • Linear Logic
  • Reference: J.-Y. Girard, Linear logic,
    Theoretical Comp. Sci, 1987
  • Constructive, used to model state-transition
    systems
  • Application to cryptographic protocols
  • Cervesato, Durgin, Lincoln, Mitchell, Scedrov, A
    meta-notation for protocol analysis, 1999
    Computer Security Foundations Workshop
  • Model-checking with linear-logic symbolic search
    tool LLF (LICS 96)
  • State-transition rules
  • F1, …, Fk → ∃x1, …, ∃xm. G1, …, Gn
  • State is a multiset of facts Fi, predicates
    over terms
  • Rule matches facts on left side with variable
    substitution
  • Variables xi are instantiated with new symbols
    (like nonce!)
  • Left-side facts are replaced by right-side facts
    in multiset

15
The MSR Model
  • Implementation of linear logic model
  • Special term and fact types for cryptographic
    protocols
  • Symbols for principals, keys, and nonces
  • Terms for encryption and concatenation
  • Facts for protocol process state, messages
  • Multiset holds current states of many concurrent
    protocol sessions
  • Example: A sends message A, {A}K (to B) with new
    K
  • A0(A,B) → (∃K) A1(A,B,K), M({A}K)
  • Attacker rules: eavesdrop, construct false
    messages, e.g.,
  • M({A}K), M(K) → M({A}K), M(K), M(A)
  • Attacker model is standardized
  • MSR model applied as intermediate language
  • CAPSL → MSR → analysis tools (Millen, Denker 1999)

16
Model Checking Tools
  • State-space search for reachability of insecure
    states
  • History back to 1984, Interrogator program in
    Prolog
  • Meadows' NRL Protocol Analyzer (NPA), also
    Prolog, 1991
  • Prolog programs were interactive
  • General-purpose model-checkers
  • Search automatically given initial conditions,
    bounds
  • Iterative bounded-depth search
  • Roscoe and Lowe used FDR (model-checker for CSP),
    1995
  • Mitchell, et al. used Murphi, 1997
  • Clarke, et al. used SMV, 1998
  • Denker, Meseguer, Talcott used Maude, 1998
  • Successful at finding previously unknown
    vulnerabilities!
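
An added example, not from the original slides: a small saturation-style search over the Needham-Schroeder handshake of slide 10 that reaches the insecure state of slide 11, and also checks Lowe's published repair, which adds B's name to message 2. Encryption is symbolic, and the atom names Nm and Nb_A/Nb_M are illustrative assumptions.

```python
from itertools import product

def enc(owner, *fields):
    """Symbolic encryption {fields}K_owner: only `owner` can read the fields."""
    return (owner, fields)

def intruder_learns_nb(fixed):
    """Saturate M's knowledge; True if M obtains the nonce B created for A."""
    know = {"A", "B", "M", "Nm"}        # atoms M starts with (Nm: M's own nonce)
    seen = {enc("M", "A", "Na")}        # A opens a normal session with M
    arity = 3 if fixed else 2           # number of fields in message 2
    while True:
        size = (len(know), len(seen))
        for owner, fields in seen:      # M decrypts whatever is under Km
            if owner == "M":
                know.update(fields)
        # M may replay any ciphertext, or encrypt known atoms under a public key
        forged = {enc("B", x, y) for x, y in product(know, repeat=2)}
        forged |= {enc("A", *f) for f in product(know, repeat=arity)}
        for owner, fields in seen | forged:
            if owner == "B" and len(fields) == 2 and fields[0] in ("A", "M"):
                peer, nonce = fields    # B answers message 1 under the claimed peer's key
                reply = (nonce, "Nb_" + peer) + (("B",) if fixed else ())
                seen.add(enc(peer, *reply))
            elif owner == "A" and len(fields) == arity and fields[0] == "Na":
                # A checks its nonce and, in the fixed variant, the responder's name
                if not fixed or fields[2] == "M":
                    seen.add(enc("M", fields[1]))   # message 3, to the peer A chose
        if size == (len(know), len(seen)):          # fixpoint: nothing new reachable
            return "Nb_A" in know
```

With `fixed=False` the search reaches the state where M knows Nb_A; with `fixed=True` A rejects the relayed message 2 because it names B rather than M, and the fixpoint is reached without the secret.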

17
Non-Repudiation Protocols
  • Different objectives and assumptions
  • Fairness objectives: contract signing, proofs of
    receipt, fair exchange
  • Applications to electronic commerce
  • Parties are mutually distrustful, network
    well-behaved, no intruder
  • Trusted third party to resolve detected breaches
  • Alternating Temporal Logic application
  • Kremer, Raskin, Formal verification of
    non-repudiation protocols, a game approach,
    Workshop on Formal Methods and Computer Security,
    2000
  • Used model checker MOCHA
  • Example Objective
  • ¬⟨⟨B,Com⟩⟩ ◇(NRO ∧ ¬⟨⟨A⟩⟩ ◇NRR)
  • Means B and Com (the network) do not have a
    strategy leading to a state where B has proof of
    non-repudiation of origin (of some message) but A
    has no strategy (from there) leading to a proof
    of non-repudiation of receipt

18
Inductive Proofs
  • State-transition model similar to model checking
    approaches
  • Application of general-purpose specification and
    verification tools
  • Influential Examples
  • R. Kemmerer, "Analyzing encryption protocols
    using formal verification techniques," IEEE J.
    Selected Areas in Comm., 7(4), May 1989 (FDM).
  • L. Paulson, The inductive approach to verifying
    cryptographic protocols, J. Computer Security
    6(1), 1998 (used Isabelle)
  • Paulson's approach inspired others
  • Bolignano (using Coq), Millen (using PVS)

19
BAN Logic
  • Papers
  • Burrows, Abadi, Needham, A logic of
    authentication, ACM Trans. Computer Systems
    8(1), 1990
  • Gong, Needham, Yahalom, Reasoning about belief
    in cryptographic protocols, 1990 IEEE Symposium
    on Security and Privacy
  • Approach
  • Modal logic of belief plus specialized predicates
    and inference rules
  • Protocol messages are idealized into logical
    statements
  • Objective is to prove that both parties share
    common beliefs
  • Idealization
  • A → B: {A, K, B}KB becomes
  • B sees {good-key(A, K, B)}KB
  • Objective
  • Infer that B believes A said good-key(A, K, B)

20
Inferences and Problems
  • Example
  • P believes fresh(X), P believes Q said X ⊢ P
    believes Q believes X
  • Assumption
  • Protocol idealization must be consistent with
    beliefs about confidentiality
  • Problem
  • Observed by Nessett right away for digital
    signature example
  • Good key must not be given away accidentally (or
    on purpose)
  • Takes deep analysis to determine this
  • Needham-Schroeder Public Key protocol proved
    correct (!!??)
  • These logics are still used because
  • They are efficiently decidable
  • They help to understand the protocol
  • They can be used manually

21
Summary
  • Many applications of logic in computer security
    are indirect, through use of tools that require
    deep logic-system knowledge to design
  • Several unusual or specialized logical systems
    have application to computer security
  • Cryptographic protocol analysis is an active,
    fertile area for logic applications