On Generalized Authorization Problems - PowerPoint PPT Presentation

On Generalized Authorization Problems Stefan Schwoon University of Stuttgart Somesh Jha and Thomas Reps University of Wisconsin Stuart Stubblebine – PowerPoint PPT presentation

1
On Generalized Authorization Problems
Stefan Schwoon, University of Stuttgart
Somesh Jha and Thomas Reps, University of Wisconsin
Stuart Stubblebine, Stubblebine Research Labs
2
Weighted Pushdown Systems and their Application
to Query Evaluation in SPKI/SDSI
Weighted Pushdown Systems
Pushdown Systems
Application
Query Evaluation
SPKI/SDSI
3
Authorization Problems
  • Traditionally, authorization restrictions are
    specified using access control lists (ACLs)
  • Associate permissions with objects
  • For directory D
  • reps rlidwka
  • jha rlidwk
  • repsstudents rl
  • SPKI/SDSI
  • Local name spaces
  • reps students
  • reps students spouse
  • Delegation

4
SPKI/SDSI
  • Principals (public keys): KBob, KAlice (individuals); KCS (CS department); KOwnerR (owner of resource R)
  • Local names: KCS faculty; KBob myStudents
  • Extended names: KBob myStudents Spouse
5
Name Certs
  • Bob is a CS faculty member: KCS faculty → KBob
  • Alice is a student of Bob's: KBob myStudents → KAlice
  • Alice's friends . . . : KAlice myFriends → KJoe; KAlice myFriends → KMary enemies; KAlice myFriends → KMary enemies spouse
6
Auth Certs
  • A CS faculty member can use host H: KOwnerH ? → KCS faculty ?
  • Bob allows access to his students: KBob ? → KBob myStudents ?
  • Alice allows access to her friends: KAlice ? → KAlice myFriends ?
7
Certificate Chain
KOwnerH ?
KOwnerH ? → KCS faculty ?
KCS faculty → KBob
KBob myStudents → KAlice
8
Pushdown System (PDS)
States: s1, s2, s3, s4
Stack symbols: A, B, C, D
Transition rules:
<s1, A> → <s2, ε>
<s1, A> → <s2, B>
<s1, A> → <s2, B C>
12
Rules Define a Transition Relation
<s, A> → <s, ε>
<s, A> → <s, B>
<s, A> → <s, B C>
13
Pushdown System (PDS)
  • PDS: Pushdown automaton without an input tape
  • Mechanism for defining a class of infinite-state
    transition systems
  • <s, A> → <s, A A>

<s, A> ⇒ <s, AA> ⇒ <s, AAA> ⇒ <s, AAAA> ⇒ …
14
PDS Terminology
Configuration: <s, B A C>
c ⇒ c′ (transition relation): c′ follows from c by a transition rule
c is a predecessor of c′; c′ is a successor of c
c0 ⇒ c1 ⇒ . . . ⇒ cn (a run)
c ⇒* c′: reflexive transitive closure of ⇒
16
A Certificate Chain is a Run
<KOwnerH, ?>
<KOwnerH, ?> ⇒ <KCS, faculty ?>
17
Basic Authorization Query
<KOwnerH, ?> ∈ Pre({<KAlice, ?>, <KAlice, >})?
<KOwnerH, ?>
18
Representation Issue
  • The set of configurations pre(S) can
    be infinite
  • Example
  • <s, A> → <s, ε>
  • pre({<s, A>}) = {<s, A^i> | i ≥ 1}
  • Solution in the PDS literature
  • Represent a set of configurations with an automaton

19
pre(M)
M
20
{<KAlice, >, <KAlice, >}
[Figure: automaton with states KOwnerH, KBob, KAlice, KCS]
21
What Does the Automaton Represent?
  • A set of configurations
  • <K, a1 … am> is in the set if there is a path
  • Initial automaton represents
  • {<KAlice, >, <KAlice, >}

[Figure: automaton with states KOwnerH, KBob, KAlice, KCS]
22
From M to Pre(M)
<s, A> → <s1, A1 . . . Am>
23
Pre({<KAlice, >, <KAlice, >})
[Figure: automaton with states KOwnerH, KBob, KAlice, KCS and edges labeled myStudents and faculty]
<KCS, faculty > → <KBob, ε>
24
Pre({<KAlice, >, <KAlice, >})
[Figure: automaton with states KOwnerH, KBob, KAlice, KCS and edges labeled myStudents and faculty]
<KOwnerH, ?> → <KCS, faculty ?>
25
Pre({<KAlice, >, <KAlice, >})
[Figure: automaton with states KOwnerH, KBob, KAlice, KCS and edges labeled myStudents and faculty]
<KOwnerH, ?> ∈ Pre({<KAlice, ?>, <KAlice, >})
26
Time and Space Complexity
  • nK: number of principals
  • C: sum of the lengths of the right-hand sides
    of the certs in C
  • Pre
  • Time complexity O(nK C)
  • Space complexity O(nK C)
  • Post
  • Time and space complexity O(nK C nk C2)

2
2
27
SPKI/SDSI
Query Evaluation
Application
Pushdown Systems
Weighted Pushdown Systems
28
Weighted Pushdown System (WPDS)
States: s1, s2, s3, s4
Stack symbols: A, B, C, D
Transition rules (with weights):
<s1, A> → <s2, ε>      w1
<s1, A> → <s2, B>      w2
<s1, A> → <s2, B C>    w3
29
Privacy using a Weighted PDS
<KInsurer, ?> → <KH, patient >
<KH, patient> → <KAIDS, patient>
<KH, patient> → <KIM, patient>
<KAIDS, patient> → <KAlice, ε>
<KIM, patient> → <KAlice, ε>
Weights: I S I S I
30
Privacy using a Weighted PDS
[Figure: weighted paths from <KInsurer, ?> through <KH, patient > to <KAlice, >, one via <KIM, patient > and one via <KAIDS, patient >, with edges weighted I or S]
I ⊗ I ⊗ I = I
I ⊗ S ⊗ S = S
S ⊕ I = I
31
Idempotent Semiring (D, ⊕, ⊗, 0, 1)
Meet Semilattice (D, ?, ..., ?, ...)
a ? b iff a ? b a ? ?
a ? 0 a a ? b b ? a a ? (b ? c) (a ? b) ?
c a ? a a
a ? 1 a a ? (b ? c) (a ? b) ? c
a ? (b ? c) (a ? b) ? (a ? c) (a ? b) ? c (a
? c) ? (b ? c) a ? 0 0 ? a a
32
Idempotent Semiring (D, ⊕, ⊗, 0, 1)
Meet Semilattice (D, ?, ..., ?, ...)
a ? b iff a ? b a ? ?
(D, ?, ?, ?, ?)
D ? ? 0
1 Validity N??? max min -? ?
33
Auth Cert Reduction is Incomplete [Li & Mitchell, CSFW 03]

Rule                      Authorization
KOwnerD ? → KAlice ?      read
KOwnerD ? → KAlice ?      write

Request: Does KAlice have read,write access to D?
No
RFC2693: Remove all certificates
whose authorization is not ? read,write
34
Authorization using a Weighted PDS
<KOwnerD, ?>
⊕ = ∪
Cert chain?!
{read} ∪ {write} = {read, write}
35
Authorization using a Weighted PDS
[Figure: cert tree with nodes <KOwnerD, ?>, <KOwnerD, ?> and <KAlice, >; edge weights read and write]
⊕ = ∪
{read} ∪ {write} = {read, write}
36
Validity using a Weighted PDS
Rule                      Validity
KOwnerD ? → KAlice ?      10
KOwnerD ? → KAlice ?      20

Request: Does KAlice have the right to access
D? If so, what is the cert chain with the largest
validity value?
37
Validity using a Weighted PDS
<KOwnerD, ?>
⊕ = max
max(10, 20) = 20
38
Authorization Validity
Rule                      Authorization   Validity
KOwnerD ? → KAlice ?      read            10
KOwnerD ? → KAlice ?      write           20

                ⊕     ⊗     0     1
Authorization   ∪     ∩     ∅     rlidwka
Validity        max   min   −∞    ∞
?
?read,write, 20? ?
read10,write20
40
Authorization Validity
[Figure: weighted edge read10 from <KOwnerD, ?> to <KAlice, >]
read10 ⊕ write20 = read10,write20
41
Authorization Validity
[Figure: edges from <KOwnerD, ?> to <KAlice, > weighted r10,w15,l10 and r5,w20,k5]
r10,w15,l10 ⊕ r5,w20,k5 = r10,w20,l10,k5
42
From M to Pre(M)
sk
? (w ? X)
V
s
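
The Pre construction of slides 22-25 and 42, run with the authorization/validity weights of slides 38-41, as an added example that is not code from the slides or from the WPDS Library. The marker names DELEG and NODELEG (standing in for the two authorization markers whose glyphs did not survive in this transcript), the tuple encoding of certs, and intersecting rights along a chain are assumptions; the function computes the reflexive-transitive predecessor set (pre* in the PDS literature).

```python
# Added example, not from the slides: weighted pre* over permission -> validity weights.
# DELEG / NODELEG are assumed names for the two authorization markers.
INF = float("inf")
DELEG, NODELEG, FINAL = "DELEG", "NODELEG", "FINAL"
ONE = {p: INF for p in "rlidwka"}  # semiring 1: all rights, unbounded validity

def combine(x, y):  # across alternative chains: union of rights, max validity
    return {k: max(x.get(k, -INF), y.get(k, -INF)) for k in x.keys() | y.keys()}

def extend(x, y):  # along one chain: common rights only (assumed), min validity
    return {k: min(x[k], y[k]) for k in x.keys() & y.keys()}

def reach(trans, state, word):
    """Map each state reachable from `state` by reading `word` to its path weight."""
    cur = {state: ONE}
    for sym in word:
        nxt = {}
        for (q, a, q2), w in trans.items():
            if q in cur and a == sym:
                v = extend(cur[q], w)
                nxt[q2] = combine(nxt[q2], v) if q2 in nxt else v
        cur = nxt
    return cur

def pre_star(rules, trans):
    """For each rule <p,a> -> <p2,w> with weight f and path p2 --w--> q, add p --a--> q."""
    trans = dict(trans)
    changed = True
    while changed:  # terminates: weights only grow and take finitely many values
        changed = False
        for p, a, p2, w, f in rules:
            for q, v in reach(trans, p2, w).items():
                old = trans.get((p, a, q), {})
                new = combine(old, extend(f, v))
                if new != old:  # an empty weight (semiring 0) never adds an edge
                    trans[(p, a, q)] = new
                    changed = True
    return trans

def query(rules, owner, principal):
    """Weight of <owner, DELEG> in pre*({<principal, DELEG>, <principal, NODELEG>})."""
    target = {(principal, DELEG, FINAL): ONE, (principal, NODELEG, FINAL): ONE}
    return pre_star(rules, target).get((owner, DELEG, FINAL), {})

# Constructed input: the two auth certs for directory D, as (p, a, p2, w, weight).
CERTS_D = [("KOwnerD", DELEG, "KAlice", (DELEG,), {"r": 10}),
           ("KOwnerD", DELEG, "KAlice", (DELEG,), {"w": 20})]
print(query(CERTS_D, "KOwnerD", "KAlice"))  # both rights, each with its own validity
```

An empty result means no certificate chain exists; a non-empty one is the meet-over-all-paths value, so neither cert has to grant the whole request on its own.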
43
Correctness Argument
  • Characterize certain sequences of PDS transitions
    using grammar flow analysis (GFA)
  • Pop sequence net pop of one symbol

A
p
q
?
?
w
E.g., for each rule ?p,A? ? ?p,A?
?x.w ? x( )
PS(p,A,q) PS(p,A,q)
PS(p,A,q) PS(p,A,q)
  • Automaton construction
  • finding the productive nonterminals
  • coincidence theorem for GFA ? correct weights

44
Contributions
  • SPKI/SDSI anomalies solved via weighted PDSs
  • Authorization
  • Validity
  • Certificate chains
  • Not just basic authorization queries
  • Jha Reps CSFW 02
  • SPKI/SDSI semantics
  • infinite-state transition system
  • meet-over-all-paths values
  • Construction of certificate trees
  • Threshold certs (slight extension)
  • Publicly available implementation (WPDS Library)
  • Supports both post and pre queries

45
Other Applications of WPDSs
  • Reps, T., Schwoon, S., and Jha, S., Weighted
    pushdown systems and their application to
    interprocedural dataflow analysis. In Proc. of
    the Static Analysis Symposium, 2003.
  • Supports a broader set of dataflow-analysis
    queries than past work (30 years worth . . .)

46
Related Work
  • SPKI/SDSI
  • see paper
  • Pushdown systems
  • Bouajjani, Esparza, Maler Concur 97
  • Esparza et al. CAV 00
  • Bouajjani, Esparza, Touili POPL 03
  • Weighted-hypergraph problems
  • Knuth IPL 77
  • Grammar flow analysis Möncke Wilhelm WAGA 91
  • Ramalingam thesis LNCS 1089
  • Ramalingam Reps J. Alg 96
  • Dataflow analysis
  • Sharir Pnueli 81
  • IDE framework Sagiv, Reps, Horwitz TCS 96
