Decentralized Access Control: Policy Languages and Logics
Deepak Garg
Foundations of Security and Privacy, Fall 2009

Access Control: General Picture
  [Figure: a principal sends a request to perform an operation to the reference monitor (guard); the guard consults the policy and, if permitted, grants access to the resource.]
  Examples of requests: log in with a username and password, enter a house, check a bank balance.

Decentralized Policies
  [Figure: the same principal, guard and resource, but the policy is spread over several servers (Server1 holds Policy1, Server2 holds Policy2, Server3 holds Policy3), and the guard must combine them.]
  There is a delegation of trust between administrators (e.g., ACM -> CMU).
Decentralized Policy Distribution
  Individual administrators (e.g., CMU and ACM) represent policies in certificates
  Certificate = statement + digital signature
  Certificates are also called credentials
  Example certificates:
    CMU: Alice is a member of CMU
    ACM: For all U, M. ((U has a subscription) and (M is a member of U)) imply (M has free access)
    ACM: CMU has a subscription

Example of Distributed Access
  [Figure: message exchange between Alice, ACM and CMU over the resource paper.pdf.]
    1. Alice -> ACM: Download paper.pdf
    2. ACM (inference): Certificate missing!
    3. ACM -> Alice: Prove that you are a member of CMU
    4. Alice obtains a membership certificate from CMU and presents it to ACM
    5. ACM: Check certificate. Inference: Allow access

Certificate Verification and Inference
  [Figure: the same exchange as on the previous slide.]
  Certificate verification and inference are very important
  Certificate verification: policy rules and facts are authentic (PKI helps)
  Inference: deduce permissions from rules and facts
Policy Languages and Logics
  What language is used to write policy statements and infer permissions from them?
    Informally: For all U, M. ((U has a subscription) and (M is a member of U)) imply (M has free access)
    Formally:   ∀ U, M. ((hasSubscription(U) ∧ isMember(M,U)) ⊃ hasFreeAccess(M))
  Principled approaches:
    Declarative languages, e.g., RT, SecPAL, Cassandra, Binder
    Logics, e.g., ABLP, GP, BL

In This Lecture ...
  Frameworks for expressing decentralized policies and inferring permissions
  Policy languages
    One modern example, SecPAL [BFG'07]
    Syntax
    Inference system
  Access control logics
    One example from my own research
    Inference system (proof theory)
Security Policy Assertion Language (SecPAL)

ACM Example in SecPAL
  hasFreeAccess(M) if hasSubscription(U), isMember(M,U)
  isMember(Alice,CMU)
  hasSubscription(CMU)
  Note: Uppercase letters (M, U) are universally quantified variables. Others (Alice, CMU) are constants.

Where's the Delegation?
  hasFreeAccess(M) if hasSubscription(U), isMember(M,U)
  isMember(Alice,CMU)
  hasSubscription(CMU)
  What here says that ACM trusts CMU to decide its members?
  Nothing so far!

Delegation in SecPAL (first attempt)
  ACM's policy:
    hasFreeAccess(M) if hasSubscription(U), isMember(M,U)
    CMU cansay isMember(M,CMU)
    hasSubscription(CMU)
  CMU's certificate:
    isMember(Alice,CMU)

Delegation in SecPAL (general form)
  ACM's policy:
    hasFreeAccess(M) if hasSubscription(U), isMember(M,U)
    (U cansay isMember(M,U)) if hasSubscription(U)
    hasSubscription(CMU)
  CMU's certificate:
    isMember(Alice,CMU)
Syntax of SecPAL Statements
  Variable    X
  Principal   A ::= Alice | Bob | ... | X
  Term        t ::= X | A | ...
  Fact        f ::= A cansay f | p(t1,...,tn)
  Statement   s ::= f if f1, ..., fn

ACM Example Revisited: Technical Problem
  [Figure: the Alice/ACM/CMU exchange for paper.pdf, as before.]
  Technical problem: How is the origin of a certificate represented in the formal language?
  (This is necessary for writing inference rules.)

The says Keyword and Assertions
  Variable    X
  Principal   A ::= Alice | Bob | ... | X
  Term        t ::= X | A | ...
  Fact        f ::= A cansay f | p(t1,...,tn)
  Statement   s ::= f if f1, ..., fn
  Assertion   a ::= A says s

Certificates to Assertions
  Inference is performed over assertions, not certificates
  Inference engine at ACM's server imports each certificate as an assertion by its issuer:
    ACM's certificate  hasFreeAccess(M) if hasSubscription(U), isMember(M,U)
      becomes  ACM says (hasFreeAccess(M) if hasSubscription(U), isMember(M,U))
    CMU's certificate  isMember(Alice,CMU)
      becomes  CMU says (isMember(Alice,CMU))
Inference in the ACM Example
  [Figure: the Alice/ACM/CMU exchange for paper.pdf (request, "certificate missing", "prove that you are a member of CMU", check certificate, allow access).]
  Inference engine in ACM's server:
    SecPAL assertions imported from certificates (ACM says ..., CMU says ...)
    SecPAL inference
    Result: access for Alice

Summary of Assertions and Inference
  Certificates
    --(certificate checking)-->  SecPAL assertions (ACM says ..., CMU says ...)
    --(SecPAL inference)-->      Derived SecPAL assertions (ACM says ..., CMU says ...)

SecPAL Inference System
  Combine assertions to deduce more assertions
  Inference rules: definition of inference (focus on this)
  Implementation:
    Translate SecPAL into Datalog for efficiency
    Use an inference engine over Datalog (standard, non-trivial to build)
    Theorem: SecPAL inference rules and Datalog inference over translated assertions have the same consequences
SecPAL Inference Rules
  Judgment:  AC ▶ A says f
    AC: list of assertions imported from certificates
    A says f: derived assertion

  Conditional statement (variables instantiated as needed):
    (A says (f if f1,...,fn)) ∈ AC     AC ▶ A says fi   (for each i)
    ----------------------------------------------------------------
                            AC ▶ A says f

  Delegation:
    AC ▶ A says (B cansay f)     AC ▶ B says f
    -------------------------------------------
                  AC ▶ A says f

Inference for the ACM Example
  Assertions imported from certificates:
    (1) ACM says (hasFreeAccess(M) if hasSubscription(U), isMember(M,U))
    (2) ACM says (hasSubscription(CMU))
    (3) ACM says ((U cansay isMember(M,U)) if hasSubscription(U))
    (4) CMU says (isMember(Alice,CMU))
  Goal (to show):
    ACM says (hasFreeAccess(Alice))
  SecPAL inference:
    (5) ACM says (CMU cansay isMember(Alice,CMU))    from (2), (3)
    (6) ACM says (isMember(Alice,CMU))               from (5), (4)
    (7) ACM says (hasFreeAccess(Alice))              from (1), (2), (6)
Further Expressiveness: Constraints
  Variable    X
  Principal   A ::= Alice | Bob | ... | X
  Term        t ::= X | A | ...
  Fact        f ::= A cansay f | p(t1,...,tn)
  Statement   s ::= f if f1, ..., fn, c
  Assertion   a ::= A says s
  Constraint  c ::= t1 <= t2 | inSet(t1,t2) | ...

Examples with Constraints
  Time-limited credentials:
    CMU says (isMember(Alice,CMU) if currentYear <= 2009)
  MLS:
    FileServer says (mayread(M,F) if level(F) <= level(M))
  Separation of duty:
    can-authorize-payment(R,P) = Bank says isManager(R), Bank says initiated(X,P), X <> R
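The two inference rules, the derivation (1)-(7) for the ACM example, the delegation via cansay, and the time-limited credential above, worked as an added example. This is not SecPAL's implementation nor code from the lecture: it is a small bottom-up (Datalog-style) engine in Python that computes the least fixpoint of the conditional and delegation rules over an assertion context. Assumed encodings: an assertion "A says (f if f1,...,fn, c)" is the tuple (issuer, head, body facts, constraints); variables are Var objects (the slides' uppercase letters); "B cansay f" is the tuple ("cansay", B, f); a constraint is a Python callable given a resolver for the current substitution; CURRENT_YEAR stands in for the guard's clock. The context holds assertions (1)-(4) plus two constructed extras, an expired membership for Bob and a self-issued membership claim by Mallory, to show what the rules refuse to derive.

```python
"""Bottom-up (Datalog-style) inference for a SecPAL fragment.  Added example,
not SecPAL's reference implementation.  Assertion = (issuer, head, body, constraints);
terms are str/int/Var; facts are ('pred', t1, ..., tn) or ('cansay', B, fact)."""
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:
    name: str

_fresh = count(1)

def subst(x, s):
    """Apply substitution s (Var -> term) to a term or nested tuple."""
    if isinstance(x, Var):
        return subst(s[x], s) if x in s else x
    return tuple(subst(y, s) for y in x) if isinstance(x, tuple) else x

def unify(a, b, s):
    """Extend s so that a and b become equal; None if they cannot."""
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if isinstance(a, Var) or isinstance(b, Var):
        return {**s, a: b} if isinstance(a, Var) else {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def free_vars(x, acc=None):
    """Variables of a fact, in order of first appearance."""
    acc = [] if acc is None else acc
    if isinstance(x, Var) and x not in acc:
        acc.append(x)
    elif isinstance(x, tuple):
        for y in x:
            free_vars(y, acc)
    return acc

def rename(fact):
    """Fresh names for a stored fact's variables, so its M is not confused with the M of a pattern."""
    n = next(_fresh)
    return subst(fact, {v: Var(f"{v.name}~{n}") for v in free_vars(fact)})

def canon(fact):
    """Canonical variable names, so facts equal up to renaming compare equal (keeps the loop finite)."""
    names = {v: Var(f"_{i}") for i, v in enumerate(free_vars(fact))}
    walk = lambda x: names.get(x, x) if not isinstance(x, tuple) else tuple(walk(y) for y in x)
    return walk(fact)

def matches(body, issuer, derived, s):
    """Substitutions under which each body fact is already derived as said by the same issuer."""
    if not body:
        yield s
        return
    for who, fact in derived:
        if who == issuer:
            s2 = unify(body[0], rename(fact), s)
            if s2 is not None:
                yield from matches(body[1:], issuer, derived, s2)

def infer(assertions):
    """Least fixpoint of the 'if' and 'cansay' rules: all (A, f) with  AC > A says f  derivable."""
    derived = set()
    while True:
        new = set(derived)
        for issuer, head, body, constraints in assertions:      # 'if' rule
            for s in matches(body, issuer, derived, {}):
                resolve = lambda t, s=s: subst(t, s)
                if all(c(resolve) for c in constraints):
                    new.add((issuer, canon(subst(head, s))))
        for issuer, fact in derived:                            # 'cansay' rule
            if fact[0] == "cansay":
                _, delegate, delegated = fact
                for who, said in derived:
                    if who == delegate:   # an unbound delegate (a Var) matches nobody
                        s = unify(delegated, rename(said), {})
                        if s is not None:
                            new.add((issuer, canon(subst(delegated, s))))
        if new == derived:
            return derived
        derived = new

M, U = Var("M"), Var("U")
CURRENT_YEAR = 2009   # constructed stand-in for the clock the guard consults

ACM_CONTEXT = [       # assertions (1)-(4) of the lecture plus constructed extras
    ("ACM", ("hasFreeAccess", M), (("hasSubscription", U), ("isMember", M, U)), ()),
    ("ACM", ("hasSubscription", "CMU"), (), ()),
    ("ACM", ("cansay", U, ("isMember", M, U)), (("hasSubscription", U),), ()),
    ("CMU", ("isMember", "Alice", "CMU"), (), (lambda r: CURRENT_YEAR <= 2009,)),
    # expired credential (constructed): its constraint fails, so it yields nothing
    ("CMU", ("isMember", "Bob", "CMU"), (), (lambda r: CURRENT_YEAR <= 2008,)),
    # self-issued claim (constructed): ACM delegated membership to CMU, not to Mallory
    ("Mallory", ("isMember", "Mallory", "CMU"), (), ()),
]

def has_free_access(context, principal):
    """The guard's question: is  ACM says hasFreeAccess(principal)  derivable?"""
    return ("ACM", ("hasFreeAccess", principal)) in infer(context)
```

Calling has_free_access(ACM_CONTEXT, "Alice") reproduces steps (5)-(7): the 'if' rule yields ACM says (CMU cansay isMember(_0,CMU)) from (2) and (3), the 'cansay' rule combines it with (4) into ACM says isMember(Alice,CMU), and the 'if' rule then yields ACM says hasFreeAccess(Alice). Bob is denied because his credential's constraint is false, and Mallory is denied because the 'cansay' rule only accepts membership facts said by the principal ACM actually delegated to, which is the point of the "Where's the Delegation?" slide.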
Summary of SecPAL
  Syntax for representing policy statements
  Certificates are imported into SecPAL as assertions
  Formal rules for inference over assertions: deduce new assertions from existing ones
  Implementation via translation to Datalog, with a formal theorem of correctness

Access Control Logics (a.k.a. Policy Logics)

From Policy Languages to Logics
  Policy languages, e.g., SecPAL:
    Contain custom constructs like (A says s) and (A cansay f)
    Provide inference rules for interpreting the constructs
  Do the constructs have a logical interpretation? What are their formal semantics and proof theory?
  Access control logics seek to answer these questions

Access Control Logics
  Access control logic: a logic designed for representing access policies
    E.g., ABLP, GP, ICL, DCC, BL, ...
  Focus of access control logics is foundations (semantics, proof theory)
    Understand connectives like says
  Can also be used practically like policy languages, with better foundations
    Grey (next lecture), PCFS (my thesis), Nexus (Cornell)

An Access Control Logic
  Variously known as GP, ICL, CDD [GP'06, Aba'06, GA'08]
  Builds on intuitionistic first-order logic
  Only "access control" construct is (A says s)
  Both semantics and proof theory have been investigated; focus on proof theory here
  For details, see the related handout