Protecting Information with Logic-based Access Control
Deepak Garg
Student Seminar Series, May 01, 2009
Broad Problem
"Build a file system (PCFS) that uses logic to specify and enforce access policies"
- Access policy = set of rules to decide who should have access to what information
- Useful in large organizations with proprietary information that needs to be protected
- Canonical example: intelligence agencies with classified information (a la CIA)
Present Policy Enforcement
High-level policy (100s of pages, spread over multiple documents):
1. An individual may read a classified file only if he/she is a CIA employee. In addition, the individual must have a security clearance above the classification level of the file.
2. A file may only be classified by an original classification authority (OCA). An OCA is the President, or an appointee.
3. A background check expires every 3 years unless renewed. ...
Implementation: access control lists
  File1: Read: Alice, Bob; Write: Alice, Charlie
  File2: Read: Alice; Write: Dan
Going from the policy to the ACLs is manual effort: difficult and error prone.
PCFS Enforcement
High-level policy, written as logical formulas:
  admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L'))
  admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L))
Implementation: capabilities (for File1, File2)
The step from policy to capabilities is automatic, using formal proofs.
Technical Contributions
- Design logics to express policies
  - Must capture time, delegation
  - Investigate proof theory, meta theory
- Construct automatic tools
  - Proof search tool
  - Proof verification tool (creates capabilities)
- Implement file system backend
  - Use capabilities to authorize access
  - Efficiency is a concern
Plan
- Motivation: Why use logic for access control?
- Prior ideas: Representing policies in a logic, proof-carrying authorization
- Proof-theory, time, proof search
- PCFS' architecture and implementation
- Demo
- Conclusion
Problem: Granting Access (2009)
Parties: POLY-ADMIN, BG-ADMIN, OCA, CIA-HR, Bob, Charlie, Dan
Facts that had to be established:
- Alice has passed polygraph test
- Alice has background check "topsecret"
- Alice is cleared at "topsecret"
- war.txt is classified as "secret"
- Alice is a CIA employee
Result, recorded in access control lists: Alice may read war.txt
How Alice came to read war.txt:
- 7 administrators
- 6 phone calls
- This is over-simplified!
Difficult for administrators. Error prone!
Problem: Credential Expiration
Parties: POLY-ADMIN, BG-ADMIN, OCA, CIA-HR, Bob, Charlie, Dan
Policy rule 4: A background check expires every 3 years unless renewed
- Alice's background check EXPIRED
- Alice's "topsecret" clearance REVOKED
Result, recorded in access control lists: Alice may NOT read war.txt
How Alice lost her access:
- 4 administrators
- 3 phone calls
Difficult for administrators. Error prone!
Can we automate? Exactly what we seek to do!
Plan
- Motivation: Why use logic for access control?
- Prior ideas: Representing policies in a logic, proof-carrying authorization
- Proof-theory, time, proof search
- PCFS' architecture and implementation
- Demo
- Conclusion
The Two Existing Ideas
How should policies be represented?
- Natural language is difficult to parse, ambiguous
- Idea! Represent policies as formulas of a logic [ABLPW'92,'93]
- Logic is rigorous, amenable to automation
How do we use the logical representation for enforcement?
- Proof-carrying authorization (PCA) [AP'99]
- Require a formal proof showing that policies entail access
Background: Policies in Logic [ABLPW'92,'93]
High-level policy:
1. An individual may read a classified file only if he/she is a CIA employee. In addition, the individual must have a security clearance above the classification level of the file.
2. A file may only be classified by an original classification authority (OCA). An OCA is the President, or an appointee.
3. An individual may be cleared at a level after an appropriate background check, and a polygraph test. As an exception, a background check expires every 3 years unless renewed. ...
The same policy as logical formulas:
  admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L'))
  admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L))
Each formula is issued as a certificate: a digital signature made with admin's private key.
Writing Policies in Logic (Contd.) (2009)
Certificates issued by the administrators POLY-ADMIN, OCA, CIA-HR and BG-ADMIN:
  OCA says level_file("war.txt", secret)
  POLY-ADMIN says poly(Alice)
  CIA-HR says employee(Alice)
  BG-ADMIN says bg(Alice, topsecret)
Background: Proof-Carrying Authorization [AF'99]
(Figure: Alice, the resource's API, and a verifier)
- Alice runs proof search over the policies (admin says may(...), ...) and her certificates.
- Alice sends the proof and the certificates to the API guarding the resource ("Check?").
- The verifier checks them and returns a Result (yes: access resource) or an Error (no).
Proof = list of deduction steps showing why access follows from policies
Summary of Prior Ideas
- Represent policies in logic
- Enforce with proofs
Open questions:
- Which logic? Why should a logic be believed?
- How expressive is the logic?
- How should proofs be constructed?
- Is PCA efficient?
Plan
- Motivation: Why use logic for access control?
- Prior ideas: Representing policies in a logic, proof-carrying authorization
- Proof-theory, time, proof search
- PCFS' architecture and implementation
- Demo
- Conclusion
Proof-theory [CSFW'06, IMLA'08]
- Representing policies in logic; the logic must be trustworthy
- Since proofs are used for enforcement, the basis for the logic should be proofs (proof-theoretic semantics)
- Novel contribution: develop a new logic; study its proofs
  - Natural deduction (defines the connectives)
  - Sequent calculus (needed for proof search)
Meta-theory [CSFW'06, IMLA'08]
- Global theorems about proofs, e.g. cut-elimination for the sequent calculus:
    If Γ ⊢ A and Γ, A ⊢ B then Γ ⊢ B
  Circuitous proofs can be avoided.
- Proof-theoretic: inference rules fit well
- Proof-search: subformula property
- Authorization: leads to non-interference theorems
Expressiveness: Adding Time [CSF'08]
Certificates from POLY-ADMIN, OCA, CIA-HR and BG-ADMIN:
  OCA says level_file("war.txt", secret)
  POLY-ADMIN says poly(Alice)
  CIA-HR says employee(Alice)
  BG-ADMIN says bg(Alice, topsecret)
Policy rule 4: A background check expires every 3 years unless renewed
- Not represented in the formalized policy, so it cannot be enforced with proofs
- New formula in the logic, read "A holds from time t1 to time t2" (e.g. BG-ADMIN's certificate holds on [2009,2011])
- Changes the logic's judgments
- Constraints must be added
- The logic's theory must be reworked
Proof Search
- The logic is quite complex (says modality, explicit time). How do we search for proofs?
- Given a policy Γ and a formula A, how do we construct a proof M :: Γ ⊢ A?
- Use meta-theoretic properties!
  - We want M in natural deduction style
  - Sequent calculus + cut-elimination: a proof may only contain subformulas
  - Logic programming: chain inference rules together; use goals to pick policy rules [Prolog]
Proof Search Example
Policy rules (each valid on (-∞,∞)):
  admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L'))
  admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L))
Certificates:
  OCA says level_file("war.txt", secret)      valid on (-∞,∞)
  POLY-ADMIN says poly(Alice)                 valid on (-∞,∞)
  CIA-HR says employee(Alice)                 valid on (-∞,∞)
  BG-ADMIN says bg(Alice, topsecret)          valid on [2009,2011]
Goals (the goal's interval must be contained in the interval of the rule or certificate used):
  Goal A = admin says may(Alice, "war.txt", read) on [2009,2011]; check [2009,2011] ⊆ (-∞,∞)
  Goal B = admin says level_individual(Alice, L') on [2009,2011]; check [2009,2011] ⊆ (-∞,∞)
  Goal C = BG-ADMIN says bg(Alice, L') on [2009,2011]; check [2009,2011] ⊆ [2009,2011]; binds L' = topsecret
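The proof search sketched on this slide and the previous one, as an added example (not PCFS's prover): a small backward-chaining prover in Python over "k says A" clauses with validity intervals, performing the [2009,2011] ⊆ (-∞,∞) containment check at every step. The Python clause encoding, the `below` ordering of levels, the predicate spellings and the year-valued intervals are assumptions made for this example, not PCFS's input format.

```python
# Added example: backward-chaining proof search over "k says A" clauses with
# validity intervals. Constructed for illustration; not PCFS code. The clause
# encoding, level ordering and year-valued intervals are assumptions here.
import itertools
import math

LEVELS = ["unclassified", "confidential", "secret", "topsecret"]  # assumed ordering
ALWAYS = (-math.inf, math.inf)   # the (-inf, inf) interval of the slides
_fresh = itertools.count()       # counter for renaming clause variables apart

def is_var(t):
    """Strings starting with an uppercase letter are logic variables (U, F, L, L2)."""
    return isinstance(t, str) and t[:1].isupper()

def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t

def resolve(t, s):
    """Apply substitution s throughout a term."""
    t = walk(t, s)
    return tuple(resolve(x, s) for x in t) if isinstance(t, tuple) else t

def unify(a, b, s):
    """Extend substitution s so that a and b become equal; None on failure."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def rename(clause):
    """Give each use of a clause fresh variable names (standard Prolog practice)."""
    suffix = "#%d" % next(_fresh)
    def r(t):
        if is_var(t):
            return t + suffix
        return tuple(r(x) for x in t) if isinstance(t, tuple) else t
    return {**clause, "head": r(clause["head"]),
            "body": [(p, r(a)) for p, a in clause["body"]]}

def within(inner, outer):
    """The slide's containment check: goal interval inside the credential's interval."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def solve(principal, goal, interval, clauses, s):
    """Yield (substitution, proof) pairs establishing `principal says goal` on interval."""
    if goal[0] == "below":  # built-in constraint on classification levels
        lo, hi = walk(goal[1], s), walk(goal[2], s)
        if not is_var(lo) and not is_var(hi) and LEVELS.index(lo) <= LEVELS.index(hi):
            yield s, ("below", lo, hi)
        return
    for c in clauses:
        # Only clauses by the right principal whose validity covers the goal interval.
        if c["says"] != principal or not within(interval, c["valid"]):
            continue
        c = rename(c)
        s1 = unify(c["head"], goal, s)
        if s1 is not None:
            yield from solve_body(c["body"], interval, clauses, s1, [], c["name"])

def solve_body(body, interval, clauses, s, subproofs, name):
    """Solve a clause's body literals left to right, collecting sub-proofs."""
    if not body:
        yield s, (name, tuple(subproofs))
        return
    p, atom = body[0]
    for s1, pf in solve(p, atom, interval, clauses, s):
        yield from solve_body(body[1:], interval, clauses, s1, subproofs + [pf], name)

def prove(clauses, principal, goal, interval):
    """First proof of `principal says goal` on interval, or None if there is none."""
    for s, proof in solve(principal, goal, interval, clauses, {}):
        return resolve(goal, s), proof
    return None

def validity(proof, clauses):
    """Intersect the validity intervals of every rule and certificate a proof used."""
    by_name = {c["name"]: c["valid"] for c in clauses}
    lo, hi = ALWAYS
    stack = [proof]
    while stack:
        node = stack.pop()
        if node[0] in by_name:
            lo, hi = max(lo, by_name[node[0]][0]), min(hi, by_name[node[0]][1])
            stack.extend(node[1])
    return (lo, hi)

def policy():
    """The slide's two admin rules and four certificates (constructed encoding)."""
    def clause(name, says, head, body, valid=ALWAYS):
        return {"name": name, "says": says, "head": head, "body": body, "valid": valid}
    return [
        clause("admin/may/read", "admin", ("may", "U", "F", "read"),
               [("ciahr", ("employee", "U")), ("oca", ("level_file", "F", "L")),
                ("admin", ("level_individual", "U", "L2")), ("admin", ("below", "L", "L2"))]),
        clause("admin/level_individual", "admin", ("level_individual", "U", "L"),
               [("polyadmin", ("poly", "U")), ("bgadmin", ("bg", "U", "L"))]),
        clause("oca/war", "oca", ("level_file", "war.txt", "secret"), []),
        clause("polyadmin/alice", "polyadmin", ("poly", "alice"), []),
        clause("ciahr/alice", "ciahr", ("employee", "alice"), []),
        clause("bgadmin/alice", "bgadmin", ("bg", "alice", "topsecret"), [], valid=(2009, 2011)),
    ]

if __name__ == "__main__":
    print(prove(policy(), "admin", ("may", "alice", "war.txt", "read"), (2009, 2011)))
```

Asking for the same goal on [2009,2012] fails, because BG-ADMIN's certificate only covers [2009,2011]; `validity` recovers that bound by intersecting the intervals of everything the proof touched, which is the information the verifier later turns into a ProCap's time conditions.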
Proof: Alice may read war.txt
(Proof term produced by the proof search tool; the cred/... names are the hypotheses, i.e. certificates and policy rules, it relies on.)
(pf_atI
  (pf_saysI
    (pf_synth2check
      (pf_impE
        (pf_impE
          (pf_impE
            (pf_impE
              (pf_forallE (pf_forallE (pf_forallE (pf_forallE (pf_hyp cred/admin/may/read/_)
                (prim_int2principal 1003)) (prim_str2file "/war.txt")) secret) topsecret)
              (pf_saysI (pf_synth2check (pf_hyp cred/ciahr/alice/_)))
              (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00))
            (pf_saysI (pf_synth2check (pf_hyp cred/oca/war/_)))
            (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00))
          (pf_synth2check
            (pf_impE
              (pf_impE
                (pf_forallE (pf_forallE (pf_hyp cred/admin/level_indi/_) (prim_int2principal 1003)) topsecret)
                (pf_saysI (pf_synth2check (pf_hyp cred/polyadmin/alice/_)))
                (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00))
              (pf_saysI (pf_synth2check (pf_hyp cred/bgadmin/alice/_)))
              (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)))
          (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00))
        (pf_synth2check (pf_hyp cred/loca/below/2))
        (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)))))
Plan
- Motivation: Why use logic for access control?
- Prior ideas: Representing policies in a logic, proof-carrying authorization
- Proof-theory, time, proof search
- PCFS' architecture and implementation
- Demo
- Conclusion
Problem with PCA: Efficiency
(Figure: the PCA workflow again; Alice runs proof search, sends proof and certificates to the resource API, the verifier returns Result/Error)
- Verification takes at least ~10ms for small proofs with 2-3 certificates
- Grows linearly with size of proof and number of certificates (~2ms / certificate for parsing and signature check)
- Large real proofs: ~1000 proof steps + 70 certificates
- Max. number of file operations per second < 10
Serious problem: PCA will not work in a file system! Re-architect PCA to make it scale.
PCFS Workflow Diagram
(Figure: Alice runs proof search over the policies (admin says may(...), ...) and sends the proof and certificates to the proof/certificate verifier, which issues a ProCap; on each file operation the file API's ProCap checker answers OK (yes: Data from Storage) or Error (no))
ProCap = PROven CAPability
- Fast to check (~100s)
- Signed with a shared key (MAC)
- Rigorous, automatic policy enforcement
The Staleness Problem
(Figure: the PCFS workflow from the previous slide, with the ProCap issued in 2009 and presented to the file API in 2012)
- A ProCap contains the conditions under which it is valid
- These include constraints on the time of access
- The conditions are checked before the ProCap is accepted
ProCap Example
procap
  (prim_int2principal 1003)            % Principal authorized
  (prim_str2file "/war.txt")           % File authorized
  read                                 % Permission authorized
  % Conditions that must hold
  (qhcl_base
    (hypconstraint_cons (hypconstraint_ constraint_nil (leq (prim_date2time 2007:01:01:00:00:00) ctime))
    (hypconstraint_cons (hypconstraint_ constraint_nil (leq ctime (prim_date2time 2020:12:31:00:00:00)))
    (hypconstraint_cons (hypconstraint_ constraint_nil (leq (prim_date2time 2009:01:01:00:00:00) ctime))
    (hypconstraint_cons (hypconstraint_ constraint_nil (leq ctime (prim_date2time 2011:12:31:00:00:00)))
    hypconstraint_nil)))))
  % State conditions that must hold
  state_nil
  % MAC
  # e043bbc078edb959fad88e7822d9
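The ProCap issue/check cycle of the last three slides, as an added example in Python (not PCFS code): the verifier emits a capability for (principal, file, permission) together with the four time conditions above and authenticates it with a MAC under a key shared with the file system; the file system recomputes the MAC, matches the requested operation, and evaluates each condition at the access time ctime, which is where a 2012 access against a 2009 ProCap is refused. The JSON field layout, the choice of HMAC-SHA256, the `ts` helper and the shared key are assumptions made for this example.

```python
# Added example: issuing and checking a MAC-authenticated ProCap with time
# conditions. Constructed for illustration; not PCFS code. Field layout,
# HMAC-SHA256 and the key below are assumptions made here.
import hashlib
import hmac
import json
from datetime import datetime, timezone

SHARED_KEY = b"constructed-demo-key-replace-in-deployment"  # verifier <-> file system

def ts(year, month, day):
    """UTC midnight of a date as an integer timestamp (stands in for prim_date2time)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def _canonical(body):
    # Deterministic encoding so the MAC covers exactly the authorized fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_procap(key, principal, path, perm, constraints):
    """Proof verifier side: after a proof has checked, emit a ProCap for
    (principal, path, perm). constraints: list of ("leq", lhs, rhs) where
    lhs/rhs is an int timestamp or the symbol "ctime" (time of access)."""
    body = {"principal": principal, "file": path, "perm": perm,
            "constraints": [list(c) for c in constraints]}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def constraint_holds(constraint, ctime):
    """Evaluate one (leq lhs rhs) condition with ctime substituted."""
    op, lhs, rhs = constraint
    lhs = ctime if lhs == "ctime" else lhs
    rhs = ctime if rhs == "ctime" else rhs
    return op == "leq" and lhs <= rhs

def check_procap(key, procap, principal, path, perm, ctime):
    """File system side: authenticate the ProCap, match the requested operation,
    then evaluate every time condition at the access time. Returns (ok, reason)."""
    expected = hmac.new(key, _canonical(procap["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, procap["mac"]):
        return False, "MAC check failed"
    b = procap["body"]
    if (b["principal"], b["file"], b["perm"]) != (principal, path, perm):
        return False, "ProCap does not authorize this operation"
    for c in b["constraints"]:
        if not constraint_holds(c, ctime):
            return False, "condition %r fails at ctime=%d" % (c, ctime)
    return True, "ok"

def example_procap(key=SHARED_KEY):
    """The four conditions of the ProCap shown above, for principal 1003 reading /war.txt."""
    conditions = [("leq", ts(2007, 1, 1), "ctime"), ("leq", "ctime", ts(2020, 12, 31)),
                  ("leq", ts(2009, 1, 1), "ctime"), ("leq", "ctime", ts(2011, 12, 31))]
    return issue_procap(key, 1003, "/war.txt", "read", conditions)

def tampered(procap, **changes):
    """Copy of a ProCap whose fields were altered after issuance (the MAC catches this)."""
    return {"body": dict(procap["body"], **changes), "mac": procap["mac"]}

if __name__ == "__main__":
    cap = example_procap()
    print(check_procap(SHARED_KEY, cap, 1003, "/war.txt", "read", ts(2010, 6, 1)))  # (True, 'ok')
    print(check_procap(SHARED_KEY, cap, 1003, "/war.txt", "read", ts(2012, 3, 1)))  # stale
```

Because the file system only recomputes one HMAC and evaluates a handful of comparisons, the per-operation cost no longer depends on the size of the proof or the number of certificates behind it; that work was done once, by the verifier, when the ProCap was issued.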
Enforcement Workflow
administrators → Policies (admin says may(...), ...) → Proof search → Proof → Proof, certificate verifier → ProCap
Information about time also feeds into the proof/certificate verifier.
PCFS Implementation
(Figure: the PCFS workflow with a theorem prover in place of generic proof search, Storage on Ext3, and the components written in C++ and SML)
- Implemented in Linux as a virtual filesystem
- Uses Fuse
- Uses kernel upcalls to check ProCaps
- Fast: operations/s
Demo of PCFS
PCFS Summary
- Logic-based enforcement of access policies
- Combine deep foundations with practical implementation
- Theoretical issues: proof-theory and meta-theory; explicit time for expirations; proof search
- Practical issues: efficiency (add ProCaps)
Ideas for Future Work
- Applications of PCFS' architecture
  - Distributed file system
  - Access control in embedded devices
- Framework for access policies
  - User interface for writing policies, converting to logic
  - Meta-correctness of policies
Work Related to PCFS
- Logics and languages for expressing access policies [ABLPW'92,'93, DeTreville'02, ...]
- Proof-carrying authorization [AP'99, Bau'03, ...]
- Capabilities in file systems [ALC'03, GGT'97, ...]
Conclusion
Logic and capabilities can be combined to provide rigorous, automatic, efficient enforcement of complex access policies.
Thank You. Questions?
Revocation in PCFS
- Centrally control certificates, proofs, and ProCaps
- Use short-lived ProCaps; make the proof verifier revocation aware
- Include certificate IDs in ProCaps; make the file system revocation aware
- Model revocable credentials as elements of system state (PCFS has built-in support)
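The last three options on this slide, as an added example in Python (not PCFS code): a ProCap carries a short lifetime, the IDs of the certificates its proof relied on, and the state facts it depends on; the file-system-side check refuses it once it has expired, once any listed certificate appears on a revocation list, or once a state fact (here, a revocable background check) is no longer present. The field names, the certificate-ID scheme, the `("bg_valid", 1003)` state predicate and the `ts` helper are assumptions made for this example, and MAC verification of the ProCap is assumed to have already succeeded.

```python
# Added example: three revocation hooks for a ProCap checker. Constructed for
# illustration; not PCFS code. Field names, certificate IDs and the state
# predicate are assumptions; MAC verification is assumed done beforehand.
from datetime import datetime, timezone

def ts(year, month, day):
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def make_procap(principal, path, perm, issued_at, lifetime, cert_ids, state_conditions):
    """A short-lived ProCap that records the certificates its proof relied on
    and the state facts that must still hold whenever it is used."""
    return {"principal": principal, "file": path, "perm": perm,
            "expires": issued_at + lifetime,
            "cert_ids": list(cert_ids),
            "state": [tuple(p) for p in state_conditions]}

def check_procap_revocation(procap, ctime, revoked_cert_ids, system_state):
    """File-system-side revocation checks. Returns (ok, reason)."""
    # 1. Short lifetime: a stale ProCap sends the client back to the verifier,
    #    which is the component that knows about revoked certificates.
    if ctime > procap["expires"]:
        return False, "ProCap expired; a fresh proof/ProCap is required"
    # 2. Certificate IDs: any revoked credential behind the proof voids the ProCap.
    hit = sorted(set(procap["cert_ids"]) & set(revoked_cert_ids))
    if hit:
        return False, "certificate revoked: %s" % ", ".join(hit)
    # 3. State: revocable credentials modelled as system state must still be present.
    for fact in procap["state"]:
        if fact not in system_state:
            return False, "state condition no longer holds: %r" % (fact,)
    return True, "ok"

def example_procap_for_alice():
    # Constructed: issued 2009-01-01, valid one day, built from four certificates
    # named after the cred/... hypotheses of the proof term shown earlier.
    return make_procap(1003, "/war.txt", "read", ts(2009, 1, 1), 24 * 3600,
                       ["cred/ciahr/alice", "cred/oca/war",
                        "cred/polyadmin/alice", "cred/bgadmin/alice"],
                       [("bg_valid", 1003)])

def scenario():
    """Normal use, then expiry, certificate revocation and a state change."""
    cap = example_procap_for_alice()
    state = {("bg_valid", 1003)}            # BG-ADMIN's check is currently valid
    soon = ts(2009, 1, 1) + 3600
    return {
        "fresh": check_procap_revocation(cap, soon, [], state),
        "expired": check_procap_revocation(cap, ts(2009, 1, 3), [], state),
        "cert_revoked": check_procap_revocation(cap, soon, ["cred/bgadmin/alice"], state),
        "state_revoked": check_procap_revocation(cap, soon, [], set()),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The three checks trade off differently: a short lifetime needs no extra data but bounds how long a revoked credential stays usable by the lifetime; certificate IDs give immediate revocation at the cost of a list lookup per access; state facts let an administrator revoke a credential by changing one entry without touching any ProCap.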