Distributed System Security via Logical Frameworks - PowerPoint PPT Presentation


1
Distributed System Security via Logical Frameworks
  • Frank Pfenning
  • Carnegie Mellon University

Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter
2
Outline
  • The Grey Project
  • Authentication and Authorization
  • Affirmation and Truth
  • Proof Search
  • Absence of Interference
  • Consumable Resources
  • Conclusion

3
The Grey Project
  • Smartphones for universal access control
  • Doors, computers, food?, cars?,
  • Being deployed at CMU CyLab building
  • Exploit communication capabilities
  • Bluetooth, camera, speaker, microphone
  • Mobile data services, keypad
  • Exploit computational power
  • 500 MHz processor, J2ME

4
Technical Challenges
  • Distributed multi-modal access control
  • Flexible and extensible
  • Formally analyzable
  • Intuitive and usable
  • Efficient fair contract signing
  • Capture resilience
  • Privacy protection
  • Interfaces, programming realities

5
Authentication and Authorization
Jack: Please let me into the castle.
Guard: Who are you?
Jack: "Jack". Here is my passport.
Guard: The seal is valid.
Guard: You are in my list.
Guard: You may enter.
6
Access Control Lists
  • Authentication via certificates
  • Use digitally signed certificates
  • Verify with public key cryptography
  • Employed in Grey architecture
  • Authorization via access control lists
  • Check membership in access control list
  • Inflexible and difficult to extend
  • Replace by other mechanism in Grey

7
Certificates for Authorization
Authentication as before
Guard: Why should I let you in?
Jack: Here is my commission.
Guard: Your commission is valid.
Guard: You may enter.
8
Authorization via Propositions
  • Policy: let pass if
  • Enforcement: check if King signed
  • Apply in other scenarios
  • File systems (may-read, may-write)
  • Doors (may-open)

9
Distributed Authorization
Authentication as before
Guard: Why should I let you in?
Jack: I belong to the Queen's household.
Guard: Is Jack a member of your household?
Queen: Yes.
Guard: You may enter.
10
Reasoning about Authorization
  • Policy, given as signed certificates
  • Enforcement: check proof of
  • Requires verification of certificates and logical reasoning

11
Proof-Carrying Authorization
  • Resource monitor challenges with proposition
  • Client assembles and sends proof object
  • Using local and remote certificates
  • Exploits communication abilities of cell phone
  • Resource monitor checks proof
  • Check proper application of inference rules
  • Validate embedded certificates
  • Appel, Felten 99; Bauer 03

12
Some Issues
  • Authorization logic
  • General logical rules
  • Policy expression
  • Proof search, representation, and verification
  • Properties of policies
  • Certificates
  • Verification authority, expiration, revocation
  • Use X.509 standard

13
Authorization Logic
  • Logical reasoning about access control
  • Abadi, Burrows, Lampson, Plotkin 93
  • Much subsequent work omitted here
  • General characteristics of prior work
  • Decidable (propositional or datalog fragment)
  • Classical (law of excluded middle)
  • Modal logic (K says as modality)

14
A New Foundation
  • Goals
  • Inherent extensibility
  • Tie between meaning of connectives (policy expression) and proofs (policy enforcement)
  • Formal reasoning about policies
  • Further Goals
  • Reasoning with state, time, and knowledge
  • Garg, Pf 05; Bauer, Bowers, Pf, Reiter 05

15
Logic, the Multi-Headed Hydra
[Diagram: a "hydra" of logics and their application areas. Logics: Intuitionistic, Classical, Modal, Linear, Temporal, Epistemic, Intentional. Applications: Traditional Mathematics, Functional Programming, Model Checking, Consumable Resources, Knowledge, Authorization, Distributed Systems.]
16
How Do We Define a Logic?
  • Must explain the meaning of propositions
  • The meaning of a proposition is determined by what counts as evidence for its truth
  • Gentzen 35; Martin-Löf 83; Pf, Davies 01
  • Meaning via proofs, proofs via meaning
  • Well-suited for proof-carrying authorization
  • Other approaches possible
  • Axiomatic, categorical, denotational,

17
Examples
  • Disjunction A or B
  • Conjunction A and B

18
Hypothetical Judgments
  • Reasoning from assumptions
  • Hypothesis rule
  • Hypotheses can be used arbitrarily often

[Diagram of a hypothetical judgment: hypotheses Gamma on the left (Gamma stands for arbitrary hypotheses), conclusion on the right.]
19
Two Sides to Every Story
  • For each connective
  • Show how to prove it on the right-hand side
  • Show how to use it on the left-hand side
  • Example: disjunction A or B

20
Cut Elimination
  • The right and left rules must be in harmony
  • The rule of Cut must be redundant
  • All uses of Cut can be eliminated
  • Cut does not analyze the given propositions in G or C, but introduces an arbitrary A in the premises

21
Implication
  • Hypothetical reasoning as a proposition
  • All rules break down connectives
  • Meaning of a proposition composed from the meanings of its parts

22
Affirmation
  • Only judgment so far: A true
  • Affirmation expresses policy (intent)
  • New judgment K affirms A
  • Externally new evidence (signed certificates)
  • Internally new rules (relation to truth)
  • Example

23
Affirmation and Truth
  • Principals may affirm any proposition
  • Principals will affirm all true propositions
  • Principals can reason logically
  • This form of Cut must also be redundant

24
Affirmation as a Proposition
  • New proposition K says A
  • Define meaning by right and left rules
  • Reason from affirmation assumptions
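
The checker a resource monitor runs in the proof-carrying authorization scheme of slide 11, written here as an added Python example; it is not code from the Grey project or from the talk. It encodes the hypothesis, implication and `K says A` rules of slides 18 to 24 as checks on a proof term, validates the certificates embedded in the proof, and compares the proved proposition with the challenge. The principal names, atoms and delegation follow the scenario of slide 9; the HMAC used as a stand-in for a public-key signature, the keys and the `bind`/`ret` term syntax are constructed for the example.

```python
"""Proof checker for a resource monitor: verify each inference step and each
embedded certificate, then compare the proved proposition with the challenge.

  propositions:  ("atom", name) | ("imp", A, B) | ("says", K, A)
  proof terms:   ("cert", i)        certificate i proves  K says A  (K = issuer)
                 ("hyp", x)         hypothesis x bound by "lam" or "bind"
                 ("lam", x, A, p)   p : B under x:A                    ==> A -> B
                 ("app", p, q)      p : A -> B,  q : A                 ==> B
                 ("ret", K, p)      p : A                              ==> K says A
                 ("bind", p, x, q)  p : K says A,  q : K says C under x:A  ==> K says C
"""
import hashlib
import hmac
import json


class ProofError(Exception):
    """A proof step is not a valid rule application, or a certificate is bad."""


def sign(key, issuer, prop):
    # Constructed stand-in for a public-key signature: HMAC over issuer and statement.
    msg = issuer.encode() + b"|" + json.dumps(prop, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cert(key, issuer, prop):
    """Certificate by which `issuer` affirms `prop`: external evidence for `issuer says prop`."""
    return {"issuer": issuer, "prop": prop, "sig": sign(key, issuer, prop)}


def cert_prop(cert, keys):
    """Validate the signature and return the proposition the certificate establishes."""
    key = keys.get(cert["issuer"])
    if key is None or not hmac.compare_digest(cert["sig"], sign(key, cert["issuer"], cert["prop"])):
        raise ProofError("certificate signature does not verify")
    return ("says", cert["issuer"], cert["prop"])


def check(proof, hyps, certs, keys):
    """Return the proposition `proof` proves under local hypotheses `hyps`, else raise ProofError."""
    tag = proof[0]
    if tag == "cert":
        return cert_prop(certs[proof[1]], keys)
    if tag == "hyp":
        if proof[1] not in hyps:
            raise ProofError(f"unbound hypothesis {proof[1]}")
        return hyps[proof[1]]
    if tag == "lam":
        _, x, a, body = proof
        return ("imp", a, check(body, {**hyps, x: a}, certs, keys))
    if tag == "app":
        f = check(proof[1], hyps, certs, keys)
        a = check(proof[2], hyps, certs, keys)
        if f[0] != "imp" or f[1] != a:
            raise ProofError("application: function and argument do not match")
        return f[2]
    if tag == "ret":  # right rule: K affirms every true proposition
        _, k, p = proof
        return ("says", k, check(p, hyps, certs, keys))
    if tag == "bind":  # left rule: reason from A, but only towards another affirmation by K
        _, p, x, q = proof
        s = check(p, hyps, certs, keys)
        if s[0] != "says":
            raise ProofError("bind: first premise must be K says A")
        c = check(q, {**hyps, x: s[2]}, certs, keys)
        if c[0] != "says" or c[1] != s[1]:
            raise ProofError("bind: body must conclude K says C for the same K")
        return c
    raise ProofError(f"unknown rule {tag}")


def authorize(goal, proof, certs, keys):
    """Monitor decision: True only if the proof checks and proves exactly `goal`."""
    try:
        return check(proof, {}, certs, keys) == goal
    except (ProofError, KeyError, IndexError, TypeError, ValueError):
        return False


# Constructed scenario (slide 9): Jack claims to belong to the Queen's household.
KEYS = {"King": b"constructed-king-key", "Queen": b"constructed-queen-key"}
IN_HOUSEHOLD = ("atom", "jack_in_queens_household")
MAY_ENTER = ("atom", "jack_may_enter")
DELEGATION = ("imp", ("says", "Queen", IN_HOUSEHOLD), MAY_ENTER)  # King trusts the Queen on membership
CERTS = [
    make_cert(KEYS["King"], "King", DELEGATION),      # King says (Queen says in_household -> may_enter)
    make_cert(KEYS["Queen"], "Queen", IN_HOUSEHOLD),  # Queen says jack_in_queens_household
]
GOAL = ("says", "King", MAY_ENTER)  # the Guard's challenge

# Open the King's delegation as d, apply it to the Queen's certificate, re-affirm for the King.
PROOF = ("bind", ("cert", 0), "d", ("ret", "King", ("app", ("hyp", "d"), ("cert", 1))))
# Non-theorem (slide 32): `Queen says A` does not give `A`; bind's body must itself be a `says`.
BAD_PROOF = ("bind", ("cert", 1), "x", ("hyp", "x"))


def tampered_certs():
    """The Queen's statement altered without re-signing: the monitor must reject it."""
    forged = dict(CERTS[1], prop=("atom", "someone_else_in_queens_household"))
    return [CERTS[0], forged]


if __name__ == "__main__":
    print("admit Jack:", authorize(GOAL, PROOF, CERTS, KEYS))
    print("forged certificate:", authorize(GOAL, PROOF, tampered_certs(), KEYS))
```

`bind` is the left rule for `says`: the hypothesis it opens may only be used to conclude another affirmation by the same principal, so `BAD_PROOF`, which tries to turn `Queen says A` into `A` itself, is rejected by rule checking alone, before any certificate is consulted.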

25
Example Proof
26
Example Proof
  • First subproof
  • Follows by hypothesis rule

27
Example Proof
  • Second subproof
  • Proof complete by hypothesis rule

28
Distributed Proof Search
  • Locally known certificates as hypotheses
  • Resource monitor's challenge as conclusion
  • Construct proof bottom-up
  • Choose rule and apply (backwards)
  • Backtrack if necessary
  • Contact remote database or principal when K says A is an unprovable subgoal
  • Bauer, Garriss, Reiter 05
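
Distributed proof search as described on this slide, as an added Python example that is not the Grey client's code: the monitor's challenge is the root goal, rules are applied backwards with backtracking, and when a subgoal `K says A` cannot be closed from local certificates the search calls out to principal K. The `Remote` oracle, the local certificate and the atoms are constructed; a real client would receive a signed certificate from the remote principal rather than a yes/no answer, which is what `remote_certs_needed` lists.

```python
"""Backward proof search for atoms, implication and `K says A`. Hypotheses are a
frozenset of propositions (local certificates plus assumptions opened during the
search). A hypothesis is removed when a left rule uses it, so every recursive call
shrinks goal-plus-hypotheses and the search terminates; failure returns None and
the caller tries the next alternative (backtracking).

  propositions: ("atom", n) | ("imp", A, B) | ("says", K, A)
"""


def prove(goal, hyps, ask_remote):
    """Return a proof tree for `goal` from `hyps`, or None if none is found."""
    if goal in hyps:                                   # hypothesis rule
        return ("hyp", goal)
    if goal[0] == "imp":                               # implication right: assume A, prove B
        sub = prove(goal[2], hyps | {goal[1]}, ask_remote)
        return ("imp_r", goal, sub) if sub else None
    for h in hyps:                                     # implication left: from A -> B, prove A, go on with B
        if h[0] == "imp":
            rest = hyps - {h}
            pa = prove(h[1], rest, ask_remote)
            if pa:
                pb = prove(goal, rest | {h[2]}, ask_remote)
                if pb:
                    return ("imp_l", h, pa, pb)
    if goal[0] == "says":
        k, a = goal[1], goal[2]
        for h in hyps:                                 # says left: open K says B while the goal is K says _
            if h[0] == "says" and h[1] == k:
                sub = prove(goal, (hyps - {h}) | {h[2]}, ask_remote)
                if sub:
                    return ("says_l", h, sub)
        sub = prove(a, hyps, ask_remote)               # says right: K affirms what is true
        if sub:
            return ("says_r", goal, sub)
        if ask_remote(k, a):                           # not provable locally: ask principal K
            return ("remote_cert", goal)
    return None                                        # dead end: caller backtracks


PROOF_TAGS = {"hyp", "imp_r", "imp_l", "says_l", "says_r", "remote_cert"}


def remote_certs_needed(proof):
    """Affirmations the client must fetch as certificates before sending the proof."""
    if proof[0] == "remote_cert":
        return [proof[1]]
    out = []
    for sub in proof[1:]:
        if isinstance(sub, tuple) and sub and sub[0] in PROOF_TAGS:
            out.extend(remote_certs_needed(sub))
    return out


class Remote:
    """Constructed stand-in for principals reachable over the phone's network link;
    records every contact so the example can show how often the Queen was asked."""

    def __init__(self, answers):
        self.answers, self.log = answers, []

    def __call__(self, k, a):
        self.log.append((k, a))
        return self.answers.get((k, a), False)


# Constructed scenario (slide 9): Jack carries only the King's delegation certificate.
IN_HOUSEHOLD = ("atom", "jack_in_queens_household")
MAY_ENTER = ("atom", "jack_may_enter")
DELEGATION = ("imp", ("says", "Queen", IN_HOUSEHOLD), MAY_ENTER)
LOCAL_CERTS = frozenset({("says", "King", DELEGATION)})
CHALLENGE = ("says", "King", MAY_ENTER)


def search(answers):
    """Run the search against a Remote answering as `answers` says; return (proof, contacts)."""
    remote = Remote(answers)
    return prove(CHALLENGE, LOCAL_CERTS, remote), remote.log


if __name__ == "__main__":
    proof, contacts = search({("Queen", IN_HOUSEHOLD): True})
    print("remote contacts:", contacts)
    print("certificates to fetch:", remote_certs_needed(proof))
```

With the Queen reachable, the search opens the King's delegation, finds that `Queen says jack_in_queens_household` is not provable from anything local, asks the Queen once, and finishes by affirming `jack_may_enter` for the King; without the Queen's answer every branch fails and the result is `None`, i.e. access is not granted.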

29
Proof Representation
  • Proofs unwieldy on paper
  • Formal representation: compact, efficient
  • Use logical framework
  • Logic specification
  • Proof search, representation, and checking
  • Reasoning about logic
  • Example: earlier proof becomes

30
Logical Frameworks
  • LF logical framework
  • Harper, Honsell, Plotkin 93
  • Judgments as types, proofs as objects
  • Specifications are open-ended
  • Inherent extensibility of authorization logic
  • Twelf implementation
  • Schürmann 01; Pientka 03
  • Reasoning about encoded logic

31
Some General Theorems
  • Some characteristic theorems
  • Familiar from functional programming
  • K says forms a strong monad
  • Used to isolate effects
  • Moggi 91; Wadler 93; Pf, Davies 01

32
Some Non-Theorems
  • Understand when access is denied
  • Some non-theorems (for unknown K, A, Q)
  • Sample meta-argument

Does not match conclusion of any rule
33
Absence of Interference
  • Explore consequences of access control policy, expressed in authorization logic
  • Metatheorem: If K says occurs only as conclusion in P and assumption in C then
  • More complex non-interference theorems
  • Garg, Pf 05

if and only if
34
Formal Metatheory
  • Formal metatheory of authorization logic in Twelf
  • Cut elimination
  • Simple non-interference results
  • Proof search for existential questions
  • Does there exist a proof of A true?
  • Metatheory for universal questions
  • No proof concludes A true

35
Consumable Resources
Authentication as before
Guard: Why should I let you in?
Jack: I will pay you Gld 100.
Guard: You may enter when you pay.
[Diagram: exchange between Guard and Jack.]
36
Consumable Resources
  • Logically
  • Ephemeral hypotheses (use only once in proof)
  • Supported in linear logic
  • Cryptographically
  • Consumable certificates
  • Multi-party contract signing
  • Atomic fair exchange

37
Linear Logic
  • Persistent and ephemeral hypotheses
  • Some new connectives
  • A ⊸ B: with ephemeral A we can prove B
  • A B: both A and B ephemerally
  • Truth, affirmation, and prior connectives still make sense

38
Linear Authorization Logic
  • Example (simplified)
  • Omitted consent (Bank)

39
Realization
  • Proving does not consume actual resources
  • Realizing a complete proof will consume resources (certificates)
  • Must be atomic
  • Implement with multi-party contract signing
  • Involves separate ratification authority
  • Bauer, Bowers, Pf, Reiter 05
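
Ephemeral hypotheses and their realization, slides 35 to 39, as an added Python example; it is not the talk's linear authorization logic or the Grey implementation. `check` returns the set of ephemeral certificates a proof consumes and rejects proofs that consume one twice or drop one unused, and `realize` refuses a proof whose certificates were already spent by an earlier proof. The policies, the "coins", and the encoding of A ⊸ B as `("lolli", A, B)` are constructed for the example; the multi-party contract signing that makes consumption atomic in the deck is replaced by a plain set update, marked as the step a real monitor must make atomic.

```python
"""Linear proof checking with consumable certificates.

  propositions: ("atom", n) | ("lolli", A, B)          A -o B: consume one A, obtain B
  proof terms:  ("use", r)          ephemeral resource r; this occurrence consumes it
                ("hyp", x)          persistent hypothesis (a policy); reusable
                ("lam", x, A, p)    p : B consuming x:A exactly once        ==> A -o B
                ("app", p, q)       p : A -o B and q : A on disjoint resources ==> B
"""


class LinearityError(Exception):
    """A resource was used twice or not at all, or a rule was misapplied."""


def check(proof, ephemeral, persistent):
    """Return (proposition proved, set of ephemeral resources consumed) or raise."""
    tag = proof[0]
    if tag == "use":
        return ephemeral[proof[1]], {proof[1]}
    if tag == "hyp":
        return persistent[proof[1]], set()
    if tag == "lam":
        _, x, a, body = proof
        b, used = check(body, {**ephemeral, x: a}, persistent)
        if x not in used:
            raise LinearityError(f"ephemeral hypothesis {x} was never consumed")
        return ("lolli", a, b), used - {x}
    if tag == "app":
        f, used_f = check(proof[1], ephemeral, persistent)
        a, used_a = check(proof[2], ephemeral, persistent)
        if f[0] != "lolli" or f[1] != a:
            raise LinearityError("application: function and argument do not match")
        if used_f & used_a:
            raise LinearityError(f"resource consumed twice: {sorted(used_f & used_a)}")
        return f[2], used_f | used_a
    raise LinearityError(f"unknown rule {tag}")


def resources_used(proof, wallet, policies):
    """Sorted names of the certificates a proof consumes, or None if it is not a linear proof."""
    try:
        return sorted(check(proof, wallet, policies)[1])
    except (LinearityError, KeyError, TypeError, IndexError):
        return None


def realize(goal, proof, wallet, policies, spent):
    """Monitor side: accept the proof, then record the certificates it spent.

    `spent` is the monitor's record of consumed certificates. In the deck the
    consumption is made atomic by multi-party contract signing; here it is a plain
    set update, the one step a real implementation must make atomic."""
    try:
        prop, used = check(proof, wallet, policies)
    except (LinearityError, KeyError, TypeError, IndexError):
        return False
    if prop != goal or used & spent:   # wrong conclusion, or a replayed (already spent) certificate
        return False
    spent |= used
    return True


# Constructed scenario (slide 35): the Guard admits Jack once per Gld 100 paid.
PAY = ("atom", "pay_gld_100")
ENTER = ("atom", "may_enter")
VIP = ("atom", "vip_access")
POLICIES = {
    "entry": ("lolli", PAY, ENTER),                   # one payment buys one entry
    "vip": ("lolli", PAY, ("lolli", PAY, VIP)),       # two payments buy VIP access
}
WALLET = {"coin1": PAY, "coin2": PAY}                 # Jack's two payment certificates

ENTRY_WITH_COIN1 = ("app", ("hyp", "entry"), ("use", "coin1"))
ENTRY_WITH_COIN2 = ("app", ("hyp", "entry"), ("use", "coin2"))
VIP_TWO_COINS = ("app", ("app", ("hyp", "vip"), ("use", "coin1")), ("use", "coin2"))
VIP_DOUBLE_SPEND = ("app", ("app", ("hyp", "vip"), ("use", "coin1")), ("use", "coin1"))
DISCARD_PAYMENT = ("lam", "c", PAY, ("hyp", "entry"))  # would prove PAY -o (PAY -o ENTER) by dropping c


if __name__ == "__main__":
    spent = set()
    print("first entry:", realize(ENTER, ENTRY_WITH_COIN1, WALLET, POLICIES, spent))
    print("same coin again:", realize(ENTER, ENTRY_WITH_COIN1, WALLET, POLICIES, spent))
    print("double spend inside one proof:", resources_used(VIP_DOUBLE_SPEND, WALLET, POLICIES))
```

Two failure modes are kept apart on purpose: `VIP_DOUBLE_SPEND` consumes `coin1` twice inside a single proof and is rejected by `check` with no state at all, while presenting `ENTRY_WITH_COIN1` a second time is a well-formed proof that `realize` refuses only because the monitor remembers that `coin1` was already consumed. The persistent policy hypotheses are reused freely, exactly as slide 37 separates persistent from ephemeral hypotheses.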

40
Summary
  • Cell phones for universal access control
  • Exploit communication capabilities
  • Being deployed at CMU CyLab floor
  • Logical approach to access control
  • Flexible and extensible
  • Unifies policy expression and enforcement
  • Permits formal reasoning about policies
  • Implemented in logical framework

41
Current and Future Work
  • Consumable certificates and linear logic
  • Reasoning with state, multi-party contracts
  • Privacy and epistemic logic
  • Reasoning with local knowledge, protocols
  • Expiration and temporal logic
  • Reasoning about time, details of certificates
  • Engineering the infrastructure, interfaces