Title: Distributed System Security via Logical Frameworks
1Distributed System Security via Logical Frameworks
- Frank Pfenning
- Carnegie Mellon University
Joint work with Lujo Bauer, Deepak Garg, and Mike
Reiter
2Outline
- The Grey Project
- Authentication and Authorization
- Affirmation and Truth
- Proof Search
- Absence of Interference
- Consumable Resources
- Conclusion
3The Grey Project
- Smartphones for universal access control
- Doors, computers, food?, cars?,
- Being deployed at CMU CyLab building
- Exploit communication capabilities
- Bluetooth, camera, speaker, microphone
- Mobile data services, keypad
- Exploit computational power
- 500 mHz processor, J2ME
4Technical Challenges
- Distributed multi-modal access control
- Flexible and extensible
- Formally analyzable
- Intuitive and usable
- Efficient fair contract signing
- Capture resilience
- Privacy protection
- Interfaces, programming realities
5Authentication Authorization
Jack Please let me into the castle.
Guard Who are you?
Jack Jack. Here is my passport.
Guard The seal is valid.
Guard You are in my list.
Guard You may enter.
6Access Control Lists
- Authentication via certificates
- Use digitally signed certificates
- Verify with public key cryptography
- Employed in Grey architecture
- Authorization via access control lists
- Check membership in access control list
- Inflexible and difficult to extend
- Replace by other mechanism in Grey
7Certificates for Authorization
Authentication as before
Guard Why should I let you in?
Jack Here is my commission.
Guard Your commission is valid.
Guard You may enter.
8Authorization via Propositions
- Policy let pass if
- Enforcement check if King signed
- Apply in other scenarios
- File systems (may-read, may-write)
- Doors (may-open)
9Distributed Authorization
Authentication as before
Guard Why should I let you in?
Jack I belong to the Queens household.
Guard Is Jack a member of your household?
Queen Yes.
Guard You may enter.
10Reasoning about Authorization
- Policy, given as signed certificates
- Enforcement Check proof of
- Requires verification of certificates and logical
reasoning
11Proof-Carrying Authorization
- Resource monitor challenges w. proposition
- Client assembles and sends proof object
- Using local and remote certificates
- Exploits communication abilities of cell phone
- Resource monitor checks proof
- Check proper application of inference rules
- Validate embedded certificates
- Appel Felten99 Bauer03
12Some Issues
- Authorization logic
- General logical rules
- Policy expression
- Proof search, representation, and verification
- Properties of policies
- Certificates
- Verification authority, expiration, revocation
- Use X.509 standard
13Authorization Logic
- Logical reasoning about access control
- Abadi,Burrows,Lampson,Plotkin93
- Much subsequent work omitted here
- General characteristics of prior work
- Decidable (propositional or datalog fragment)
- Classical (law of excluded middle)
- Modal logic (K says as modality)
14A New Foundation
- Goals
- Inherent extensibility
- Tie between meaning of connectives (policy
expression) and proofs (policy enforcement) - Formal reasoning about policies
- Further Goals
- Reasoning with state, time, and knowledge
- Garg Pf05 Bauer, Bowers, Pf, Reiter05
15Logic, the Multi-Headed Hydra
Consumable Resources
Temporal
Linear
Model Checking
Intentional
Intuitionistic
Authorization
Functional Programming
Epistemic
Classical
Knowledge
Modal
Traditional Mathematics
Distributed Systems
16How Do We Define a Logic?
- Must explain the meaning of propositions
- The meaning of a proposition is determined by
what counts as evidence for its truth - Gentzen35 Martin-Löf83 Pf Davies01
- Meaning via proofs, proofs via meaning
- Well-suited for proof-carrying authorization
- Other approaches possible
- Axiomatic, categorical, denotational,
17Examples
- Disjunction A or B
- Conjunction A and B
18Hypothetical Judgments
- Reasoning from assumptions
- Hypothesis rule
- Hypotheses can be used arbitrarily often
Hypotheses
Conclusion
Gamma, for arbitrary hypotheses
19Two Sides to Every Story
- For each connective
- Show how to prove it on the right-hand side
- Show how to use it on the left-hand side
- Example Disjunction A or B
20Cut Elimination
- The right and left rules must be in harmony
- The rule of Cut must be redundant
- All uses of Cut can be eliminated
- Cut does not analyze the given propositions in G
or C, but introduces arbitrary A in premises
21Implication
- Hypothetical reasoning as a proposition
- All rules break down connectives
- Meaning of proposition composed from the meanings
of it parts
22Affirmation
- Only judgment so far A true
- Affirmation expresses policy (intent)
- New judgment K affirms A
- Externally new evidence (signed certificates)
- Internally new rules (relation to truth)
- Example
23Affirmation and Truth
- Principals may affirm any proposition
- Principals will affirm all true propositions
- Principals can reason logically
- This form of Cut must be also be redundant
24Affirmation as a Proposition
- New proposition K says A
- Define meaning by right and left rules
- Reason from affirmation assumptions
25Example Proof
26Example Proof
- First subproof
- Follows by hypothesis rule
27Example Proof
- Second subproof
- Proof complete by hypothesis rule
28Distributed Proof Search
- Locally known certificates as hypotheses
- Resource monitors challenge as conclusion
- Construct proof bottom-up
- Choose rule and apply (backwards)
- Backtrack if necessary
- Contact remote data base or principal when K
says A is unprovable subgoal - Bauer, Garriss, Reiter05
29Proof Representation
- Proofs unwieldy on paper
- Formal representation compact efficient
- Use logical framework
- Logic specification
- Proof search, representation, and checking
- Reasoning about logic
- Example earlier proof becomes
30Logical Frameworks
- LF logical framework
- Harper, Honsell, Plotkin93
- Judgments as types proofs as objects
- Specifications are open-ended
- Inherent extensibility of authorization logic
- Twelf implementation
- Schürmann01 Pientka03
- Reasoning about encoded logic
31Some General Theorems
- Some characteristic theorems
- Familiar from functional programming
- K says forms strong monad
- Used to isolate effects
- Moggi91 Wadler93 Pf Davies01
32Some Non-Theorems
- Understand when access is denied
- Some non-theorems (for unknown K, A, Q)
- Sample meta-argument
Does not match conclusion of any rule
33Absence of Interference
- Explore consequences of access control policy,
expressed in authorization logic - MetatheoremIf K says occurs only as conclusion
in P and assumption in C then - More complex non-interference theorems
- Garg Pf05
if and only if
34Formal Metatheory
- Formal metatheory of authorization logic in Twelf
- Cut elimination
- Simple non-interference results
- Proof search for existential question
- Does there exist a proof of A true
- Metatheory for universal questions
- No proof concludes that A true
35Consumable Resources
Authentication as before
Guard Why should I let you in?
Jack I will pay you Gld 100.
Guard You may enter when you pay.
Guard
Jack
36Consumable Resources
- Logically
- Ephemeral hypotheses (use only once in proof)
- Supported in linear logic
- Cryptographically
- Consumable certificates
- Multi-party contract signing
- Atomic fair exchange
37Linear Logic
- Persistent and ephemeral hypotheses
- Some new connectives
- A ( B with ephemeral A we can prove B
- A B both A and B ephemerally
- Truth, affirmation, and prior connectives still
make sense
38Linear Authorization Logic
- Example (simplified)
- Omitted consent (Bank)
39Realization
- Proving does not consume actual resources
- Realizing a complete proof will consume resources
(certificates) - Must be atomic
- Implement with multi-party contract signing
- Involves separate ratification authority
- Bauer, Bauers, Pf, Reiter05
40Summary
- Cell phones for universal access control
- Exploit communication capabilities
- Being deployed at CMU CyLab floor
- Logical approach to access control
- Flexible and extensible
- Unifies policy expression and enforcement
- Permits formal reasoning about policies
- Implemented in logical framework
41Current and Future Work
- Consumable certificates and linear logic
- Reasoning with state, multi-party contracts
- Privacy and epistemic logic
- Reasoning with local knowledge, protocols
- Expiration and temporal logic
- Reasoning about time, details of certificates
- Engineering the infrastructure, interfaces