Applications of Logic in Computer Security
Jonathan Millen, SRI International


Areas of Application

Computer security:
- Multilevel operating system security: "Orange Book", commercial trusted product evaluation, A1-level; emphasis on secrecy, security/clearance levels
- Access control policies: discretionary or role-based policies; emphasis on application-specific policies, integrity

Network security:
- Public-key infrastructure and trust management: network and distributed system security; digitally signed certificates for identity and privileges
- Cryptographic authentication protocols: for network communication confidentiality and authentication

Other areas: databases, firewalls/routers, intrusion detection

Contributions of Logic
- Undecidability results: the safety problem for discretionary access control; cryptographic protocol analysis
- Theorem proving environments: verifying correctness of formal OS specifications; inductive proofs of cryptographic protocols
- Logic programming: Prolog programs for cryptographic protocol analysis and trust management
- Model checking: for cryptographic protocol analysis
- Specialized logics: for cryptographic protocol analysis and trust management

Multilevel Operating System Security (of historical interest)
- Motivated by protection of classified information in shared systems; high-assurance (A1) systems may protect Secret data from uncleared users
- Architecture: trusted OS kernel, hardware support
- Abstract system model of access control: Bell-LaPadula (ca. 1975), a structured state-transition system (subject-object access matrix, levels) with security invariants and transition rules (for OS functions)
- "Formal Top-Level Specification" (FTLS): a more detailed state-transition system
- Formal proofs: the model transitions satisfy the invariants, and the FTLS is an interpretation of the system model; carried out in environments such as Gypsy, FDM, HDM
- Some FTLS errors reflected in code were discovered

Access Control Policies
- Safety problem: a subject-object-rights matrix whose cell (S_i, O_j) holds the rights r that subject S_i has to object O_j; "rights" are arbitrary, representing different kinds of access
- Operations: create/delete subjects and objects; enter/remove rights
- A system of conditional rules determines when operations may be applied
- Harrison-Ruzzo-Ullman undecidability result (Comm. ACM 19(8), 1976): whether S can ever receive right r to object O is undecidable in general; decidable if the number of subjects is bounded
- Historical impact: led to interest in efficiently decidable systems: Take-Grant, DAC, RBAC

Public-Key Certificates
- Based on asymmetric encryption: a key pair K_A, K_A^-1, one made public, one kept secret; a text block encrypted with K_A can be decrypted only with K_A^-1; it is impractical to compute the secret key from the public key
- Digital signature of a text string T: apply a one-way (hash) function, then "encrypt" the hash with the secret key: T -> h(T) -> [h(T)]K_A^-1. Verify by decrypting with the signer's public key and comparing with the hash of T. (This encrypt-the-hash picture fits textbook RSA; schemes such as DSA/ECDSA or EdDSA are distinct signing algorithms rather than encryption run backwards, but the hash-then-sign structure and the verification step are the same.)
- Public key certificate: binds a name to a public key, signed by a trusted party: B, K_B, [h(B, K_B)]K_A^-1
- Logical equivalent: "A says (K_B is the public key of B)" ... provided that K_A is the public key of A

Logic of Distributed Authentication
- Origination: "Authentication in distributed systems: theory and practice," Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys. 10(4), 1992
- Theory of says and speaks for (the ⇒ relation):
    (P8)  (A ⇒ B) ⊃ ((A says s) ⊃ (B says s))
    (P10) (A says (B ⇒ A)) ⊃ (B ⇒ A)
- Application to distributed systems: A and B are principals, i.e. users or keys (anything that can say something); "A says s" means A authorizes command (operation, access) s; "A ⇒ B" (A speaks for B) means B has delegated authority to A
- A certificate T, [T]K_A^-1 means K_A says T; a public key certificate means K_A ⇒ A
- Credentials are sent from one network node to another to authorize resources; implemented in the Taos operating system as "credentials"

Trust Management
- PolicyMaker: "Decentralized trust management," Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy; identified trust management as a distinct problem; purpose: to define and implement policy, using credentials to process queries
- Delegation Logic: "A logic-based knowledge representation for authorization with delegation," Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop; a language to express policies; primitives include says and delegates (speaks for, with an object); access permission is decidable; logic program implementation (in Datalog)
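The says / speaks-for rules (P8) and (P10) and the Datalog-style evaluation of the trust-management slide can be run as a small forward-chaining reasoner. The following is an added example for this transcript, not code from the Lampson et al. paper, from Taos or from Delegation Logic; the principal and key names (K_CA, CA, B, K_B, S, K_M) and the trust roots are constructed assumptions, and the toy lets the CA speak for B outright, where the real calculus would restrict the CA's authority to name-to-key binding:

```python
"""Toy reasoner for the Lampson-Abadi-Burrows-Wobber 'says' / 'speaks for'
calculus. Added example for this transcript; not code from the paper or Taos.
Principals and keys are plain strings (assumed names); facts are tuples:

    ('speaksfor', A, B)   A => B      (A speaks for B)
    ('says', A, s)        A says s    (s is a command string or a
                                       ('speaksfor', B, C) statement)

Rules applied to a fixpoint, as on the slide:
    (P8)  A => B,  A says s        gives  B says s
    (P10) A says (B => A)          gives  B => A        (hand-off)
plus transitivity of =>, which the calculus also provides.
"""


def close(facts):
    """Return the closure of `facts` under P8, P10 and transitivity of =>."""
    facts = set(facts)
    while True:
        speaks = {(a, b) for (k, a, b) in facts if k == 'speaksfor'}
        new = set()
        for (k, a, s) in facts:
            if k != 'says':
                continue
            for (x, b) in speaks:                      # P8
                if x == a:
                    new.add(('says', b, s))
            if isinstance(s, tuple) and s[0] == 'speaksfor' and s[2] == a:
                new.add(('speaksfor', s[1], a))        # P10: only A can hand off A's authority
        for (a, b) in speaks:                          # transitivity of =>
            for (b2, c) in speaks:
                if b == b2:
                    new.add(('speaksfor', a, c))
        if new <= facts:
            return facts
        facts |= new


def authorized(facts, principal, command):
    """Does the closure conclude that `principal` says `command`?"""
    return ('says', principal, command) in close(facts)


# Constructed scenario (assumed names). The verifier's trust roots: it knows the
# CA's public key, and (toy simplification) trusts the CA to speak for B.
TRUST_ROOTS = {('speaksfor', 'K_CA', 'CA'), ('speaksfor', 'CA', 'B')}
# B's public-key certificate: signed by K_CA, body "K_B => B".
CERT_B = ('says', 'K_CA', ('speaksfor', 'K_B', 'B'))
# B, using its key, delegates to a server S (a Taos-style credential).
DELEGATION = ('says', 'K_B', ('speaksfor', 'S', 'B'))
# S presents a request on B's behalf.
REQUEST = ('says', 'S', 'read file1')
# An attacker key trying to hand itself B's authority; P10 does not let it.
FORGED = ('says', 'K_M', ('speaksfor', 'K_M', 'B'))

if __name__ == '__main__':
    everything = TRUST_ROOTS | {CERT_B, DELEGATION, REQUEST}
    print(authorized(everything, 'B', 'read file1'))                          # True
    print(authorized(TRUST_ROOTS | {DELEGATION, REQUEST}, 'B', 'read file1'))  # False: no certificate
    print(('speaksfor', 'K_M', 'B') in close(everything | {FORGED}))          # False
```

The derivation chain for the request is the one the slide describes: K_CA ⇒ CA and the certificate give CA says (K_B ⇒ B), the trust root CA ⇒ B turns that into B says (K_B ⇒ B), hand-off (P10) yields K_B ⇒ B, the same two steps turn B's delegation credential into S ⇒ B, and (P8) finally lifts S's request to B says "read file1". Without the certificate the key K_B never speaks for B and nothing downstream is derivable; a self-issued "K_M ⇒ B" is likewise rejected because only a principal that already speaks for B can hand off B's authority.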

Cryptographic Protocols
- A cryptographic protocol is an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material
- Applications: military communications, business communications, electronic commerce, privacy
- Examples: Kerberos (MIT protocol for unitary login to network services); SSL (Secure Socket Layer, used in Web browsers; its IETF successor is TLS); IPSec (standard suite of Internet protocols due to the IETF); SET (Secure Electronic Transaction) protocol; PGP (Pretty Good Privacy)

A Popular Example
The Needham-Schroeder public-key handshake (R. M. Needham and M. D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Comm. ACM, Dec. 1978):
    A -> B: {A, Na}Kb
    B -> A: {Na, Nb}Ka
    A -> B: {Nb}Kb
- Purpose: mutual authentication of A and B, sharing the secrets Na and Nb
- This is an "Alice-and-Bob" protocol specification; Na and Nb are nonces (used once); Ka is the public key of A and Kb the public key of B
- The protocol is vulnerable...

The Attack
Lowe, "Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR," TACAS 1996, LNCS 1055. A malicious party M can forge addresses and deviate from the protocol. A opens a normal session with M, and M replays A's messages to B under A's name:
    A    -> M    : {A, Na}Km      (normal: A wants to talk to M)
    M(A) -> B    : {A, Na}Kb      (false: M pretends to be A)
    B    -> M(A) : {Na, Nb}Ka     (B thinks he's talking to A)
    M    -> A    : {Na, Nb}Ka     (forwarded unchanged; M cannot read it)
    A    -> M    : {Nb}Km         (A decrypts it and returns Nb to "M")
    M(A) -> B    : {Nb}Kb         (Nb is compromised; B accepts M as A)
Lowe's fix adds the responder's name to the second message, {Na, Nb, B}Ka, so that A notices the reply names B rather than M.
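The handshake, the man-in-the-middle run above and the repaired version can be played out with symbolic (Dolev-Yao style) encryption, where a ciphertext can only be opened by the owner of the matching key. This is an added example for this transcript, not code from Lowe's paper or from FDR; the principal names A, B, M, the key naming convention "K<owner>" and the nonces are constructed values.

```python
"""Needham-Schroeder public-key handshake, Lowe's man-in-the-middle, and the fix.

Added example for this transcript; not code from the cited papers. Encryption is
symbolic, Dolev-Yao style: {m}K is the tuple ('enc', K, m) and can be opened only
by the owner of K. Nonces and principal names are constructed values.
"""


def enc(key, msg):
    return ('enc', key, msg)


def dec(owner, ct):
    """Open ct only if it was encrypted under owner's public key 'K<owner>'."""
    tag, key, msg = ct
    if tag != 'enc' or key != 'K' + owner:
        raise ValueError(owner + ' cannot decrypt a message under ' + key)
    return msg


class Initiator:
    """A's role. With fixed=True it expects Lowe's repaired message 2, {Na, Nb, B}Ka."""
    def __init__(self, name, fixed=False):
        self.name, self.fixed, self.peer, self.nb = name, fixed, None, None

    def msg1(self, peer):
        self.peer, self.na = peer, 'N' + self.name       # constructed nonce
        return enc('K' + peer, (self.name, self.na))     # {A, Na}Kpeer

    def msg3(self, ct):
        m = dec(self.name, ct)
        if self.fixed:
            na, nb, responder = m
            if responder != self.peer:
                raise ValueError('message 2 names ' + responder + ', expected ' + self.peer)
        else:
            na, nb = m
        if na != self.na:
            raise ValueError('nonce mismatch')
        self.nb = nb
        return enc('K' + self.peer, nb)                  # {Nb}Kpeer


class Responder:
    """B's role. B learns the claimed initiator only from message 1."""
    def __init__(self, name, fixed=False):
        self.name, self.fixed, self.claimed_peer = name, fixed, None

    def msg2(self, ct):
        self.claimed_peer, self.na = dec(self.name, ct)
        self.nb = 'N' + self.name                        # constructed nonce
        body = (self.na, self.nb, self.name) if self.fixed else (self.na, self.nb)
        return enc('K' + self.claimed_peer, body)        # {Na, Nb(, B)}Ka

    def finish(self, ct):
        if dec(self.name, ct) != self.nb:
            raise ValueError('nonce mismatch')


def run_honest(fixed=False):
    """A talks to B directly; returns who each side believes it talked to."""
    a, b = Initiator('A', fixed), Responder('B', fixed)
    b.finish(a.msg3(b.msg2(a.msg1('B'))))
    return a.peer, b.claimed_peer                        # ('B', 'A')


def run_lowe_attack(fixed=False):
    """A starts a session with M; M replays A's messages to B under A's name.
    Returns (who A thinks it talked to, who B thinks it talked to, M knows Nb),
    or None when A aborts."""
    a, b = Initiator('A', fixed), Responder('B', fixed)
    m1 = a.msg1('M')                          # A -> M    : {A, Na}Km
    _, na = dec('M', m1)                      # M opens it with its own key
    m2 = b.msg2(enc('KB', ('A', na)))         # M(A) -> B : {A, Na}Kb ; B -> M(A) : {Na, Nb}Ka
    try:
        m3 = a.msg3(m2)                       # M -> A : {Na, Nb}Ka forwarded ; A -> M : {Nb}Km
    except ValueError:
        return None                           # fixed protocol: A sees 'B', expected 'M'
    nb = dec('M', m3)                         # M now holds Nb
    b.finish(enc('KB', nb))                   # M(A) -> B : {Nb}Kb ; B accepts
    return a.peer, b.claimed_peer, nb == b.nb


if __name__ == '__main__':
    print(run_honest())                       # ('B', 'A')
    print(run_lowe_attack())                  # ('M', 'A', True): B thinks A, A thinks M
    print(run_lowe_attack(fixed=True))        # None: A aborts on the responder name
```

The point the simulation makes concrete is that B's view ("I share Na, Nb with A") is built entirely from a message M could rebuild under Kb, since M learned Na legitimately and Nb by having A decrypt it; the original protocol gives A nothing that ties message 2 to the party it is talking to. Binding B's name into message 2 is the minimal change that lets the initiator detect the redirection.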

Undecidable in General
- Reduction of the Post correspondence problem: given word pairs u_i, v_i for 1 ≤ i ≤ n, does there exist a sequence of indices i_1, ..., i_k with u_i1 ... u_ik = v_i1 ... v_ik?
- Construction: a protocol with one role (or one per i) that compromises a secret if and only if a solution exists; the attacker cannot forge the release message because of the encryption. The role:
    send {ε, ε}K
    receive {X, Y}K
    if X = Y ≠ ε, send secret
    else choose i, send {X u_i, Y v_i}K
- Observations: messages are unbounded; the construction was suggested by Heintze & Tygar, 1994; the first undecidability proof was by Even & Goldreich; the proof by Durgin et al. shows that nonces are enough

Analysis Approaches
- Model checking: state-space search for attacks
- Inductive proof: using verification tools or by hand; can prove protocols correct (for abstract encryption)
- Belief-logic proofs: BAN logic and successors; for authentication properties

Linear Logic Model
- Linear logic reference: J.-Y. Girard, "Linear logic," Theoretical Comp. Sci., 1987; constructive, used to model state-transition systems
- Application to cryptographic protocols: Cervesato, Durgin, Lincoln, Mitchell, Scedrov, "A meta-notation for protocol analysis," 1999 Computer Security Foundations Workshop; model checking with the linear-logic symbolic search tool LLF (LICS '96)
- State-transition rules have the form
    F_1, ..., F_k -> ∃x_1, ..., ∃x_m. G_1, ..., G_n
  - the state is a multiset of "facts" F_i, predicates over terms
  - a rule matches the facts on its left side with a variable substitution
  - the variables x_i are instantiated with new symbols (like nonces!)
  - the left-side facts are replaced by the right-side facts in the multiset

The MSR Model
- An implementation of the linear logic model with special term and fact types for cryptographic protocols: symbols for principals, keys, and nonces; terms for encryption and concatenation; facts for protocol process state and for messages
- The multiset holds the current states of many concurrent protocol sessions
- Example: A sends message A, {A}K (to B) with a new K:
    A_0(A, B) -> ∃K. A_1(A, B, K), M({A}K)
- Attacker rules eavesdrop and construct false messages, e.g. decryption with a known key:
    M({A}K), M(K) -> M({A}K), M(K), M(A)
- The attacker model is standardized
- MSR is applied as an intermediate language: CAPSL -> MSR -> analysis tools (Millen, Denker 1999)
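The attacker rules of the MSR model are a rewriting system over M(...) facts, and because the eavesdrop rules copy rather than consume those facts, the attacker's knowledge only grows and can be computed as a closure. The following is an added example for this transcript, not the CAPSL/MSR tooling; the term encoding (strings for atoms, 'pair', 'enc', 'pk'/'sk' tuples) and the sample knowledge sets are this editor's constructions. It goes slightly beyond the slide's symmetric-key rule by also handling public/private key pairs, which is what the Needham-Schroeder attack needs:

```python
"""Dolev-Yao intruder deduction as multiset rewriting over M(...) facts.

Added example for this transcript; not the CAPSL/MSR tooling. Terms are
constructed: atoms are strings, ('pair', x, y) is concatenation, ('enc', k, m)
is {m}k, and ('pk', X) / ('sk', X) are X's public and private keys. The
attacker's knowledge is the multiset of M(t) facts; since M facts are never
consumed by the attacker rules, a Python set is enough to hold it.
"""


def inverse(key):
    """The key that opens {m}key: symmetric keys are self-inverse, pk(X) needs sk(X)
    and a message under sk(X) (a signature) is opened with pk(X)."""
    if isinstance(key, tuple) and key[0] == 'pk':
        return ('sk', key[1])
    if isinstance(key, tuple) and key[0] == 'sk':
        return ('pk', key[1])
    return key


def analyze(knowledge):
    """Decomposition rules run to a fixpoint:
        M(<x, y>)            -> M(<x, y>), M(x), M(y)
        M({m}k), M(inv(k))   -> M({m}k), M(inv(k)), M(m)
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == 'pair':
                parts = {t[1], t[2]}
            elif t[0] == 'enc' and inverse(t[1]) in known:
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known


def synthesize(known, target):
    """Composition rules, applied goal-directed so the search stays finite:
        M(x), M(y)  -> M(<x, y>)        M(k), M(m) -> M({m}k)
    """
    if target in known:
        return True
    if isinstance(target, tuple) and target[0] in ('pair', 'enc'):
        return synthesize(known, target[1]) and synthesize(known, target[2])
    return False


def derivable(knowledge, target):
    """Can the attacker, starting from `knowledge`, produce M(target)?"""
    return synthesize(analyze(knowledge), target)


# The slide's example: from M({A}K) and M(K) the attacker obtains M(A).
SLIDE = {('enc', 'K', 'A'), 'K'}
# What M holds in Lowe's attack after A sends {Nb}Km: the message, its own
# private key, and B's public key. Can it forge {Nb}Kb?
LOWE = {('enc', ('pk', 'M'), 'Nb'), ('sk', 'M'), ('pk', 'B')}
# The same nonce sent to B instead: without sk(B), Nb stays secret, though the
# ciphertext itself can of course be replayed.
SAFE = {('enc', ('pk', 'B'), 'Nb'), ('pk', 'B')}
# Nested structure: a nonce paired with a symmetric ciphertext whose key leaked.
NESTED = {('pair', 'Na', ('enc', 'K', 'S')), 'K'}

if __name__ == '__main__':
    print(derivable(SLIDE, 'A'))                          # True
    print(derivable(LOWE, ('enc', ('pk', 'B'), 'Nb')))    # True: the forged last message
    print(derivable(SAFE, 'Nb'))                          # False
    print(derivable(NESTED, 'S'))                         # True
```

Splitting deduction into an analysis closure and a goal-directed synthesis check is the standard way to keep the attacker's knowledge finite: composition rules alone would generate infinitely many terms, so they are only applied backwards from the term the analysis asks about. Protocol-role rules such as A_0(A, B) -> ∃K. A_1(A, B, K), M({A}K) would add facts to this same multiset, with the role's state facts consumed and replaced as the slide describes.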

Model Checking Tools
- State-space search for reachability of insecure states
- History: back to 1984, the Interrogator program in Prolog; Meadows' NRL Protocol Analyzer (NPA), also in Prolog, 1991; these Prolog programs were interactive
- General-purpose model checkers search automatically given initial conditions and bounds (iterative bounded-depth search): Roscoe and Lowe used FDR (a model checker for CSP), 1995; Mitchell et al. used Murphi, 1997; Clarke et al. used SMV, 1998; Denker, Meseguer, Talcott used Maude, 1998
- Successful at finding previously unknown vulnerabilities!

Non-Repudiation Protocols
- Different objectives and assumptions: fairness objectives (contract signing, proofs of receipt, fair exchange); applications to electronic commerce; the parties are mutually distrustful, the network is well-behaved, and there is no intruder; a trusted third party resolves detected breaches
- Alternating-time temporal logic application: Kremer, Raskin, "Formal verification of non-repudiation protocols, a game approach," Workshop on Formal Methods and Computer Security, 2000; used the model checker MOCHA
- Example objective:
    ¬⟨⟨B, Com⟩⟩◇ (NRO ∧ ¬⟨⟨A⟩⟩◇ NRR)
  Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

Inductive Proofs
- A state-transition model similar to the model checking approaches
- Application of general-purpose specification and verification tools
- Influential examples: R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm. 7(4), May 1989 (FDM); L. Paulson, "The inductive approach to verifying cryptographic protocols," J. Computer Security 6(1), 1998 (used Isabelle)
- Paulson's approach inspired others: Bolignano (using Coq), Millen (using PVS)

BAN Logic
- Papers: Burrows, Abadi, Needham, "A logic of authentication," ACM Trans. Computer Systems 8(1), 1990; Gong, Needham, Yahalom, "Reasoning about belief in cryptographic protocols," 1990 IEEE Symposium on Security and Privacy
- Approach: a modal logic of belief plus specialized predicates and inference rules; protocol messages are "idealized" into logical statements; the objective is to prove that both parties share common beliefs
- Idealization: A -> B: {A, K, B}K_B becomes B sees {good-key(A, K, B)}K_B
- Objective: infer that B believes A said good-key(A, K, B), written B |≡ A |~ (A <-K-> B)

Inferences and Problems
- Example inference (nonce verification): P believes fresh(X), P believes Q said X  |-  P believes Q believes X
- Assumption: the protocol idealization must be consistent with beliefs about confidentiality
- Problem (observed by Nessett right away, with a digital-signature example): a good key must not be given away accidentally (or on purpose), and it takes deep analysis to determine this; the logic cannot see a key that is also leaked in the clear, so the Needham-Schroeder public-key protocol was proved correct (!!??)
- These logics are still used because they are efficiently decidable, they help to understand the protocol, and they can be used manually
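The BAN rules named on these two slides (message meaning, nonce verification, jurisdiction) are simple enough to run as a fixpoint over a set of belief formulas, which also shows why the freshness premise matters: the same idealized statement delivered without a nonce proves "S said it" but never "S believes it". This is an added example for this transcript, not code from the BAN paper; the tuple encoding of the formulas, the rule set (a subset of BAN) and the server-distributes-a-key scenario with names B, S, Kbs, Kab and Nb are this editor's constructions.

```python
"""Small BAN-logic inference engine.

Added example for this transcript; not code from the BAN paper, and only a subset
of its rules. Formulas are tuples:
    ('believes', P, F)      P |≡ F
    ('sees', P, M)          P ◁ M   (P received M)
    ('shared', K, P, Q)     P ←K→ Q (K is a good key for P and Q)
    ('enc', K, X)           {X}K
    ('fresh', X)            #(X)
    ('said', Q, X)          Q |~ X
    ('controls', Q, X)      Q ⇒ X  (Q has jurisdiction over X)
    ('pair', X, Y)          (X, Y)
"""


def is_(t, tag):
    return isinstance(t, tuple) and t[0] == tag


def ban_close(formulas):
    """Apply the BAN rules to a fixpoint and return every derivable formula."""
    fs = set(formulas)
    while True:
        new = set()
        for f in fs:
            if not is_(f, 'believes'):
                continue
            p, body = f[1], f[2]
            # message meaning (shared key): P |≡ P ←K→ Q, P ◁ {X}K  gives  P |≡ Q |~ X
            if is_(body, 'shared') and p in (body[2], body[3]):
                k = body[1]
                q = body[3] if body[2] == p else body[2]
                for g in fs:
                    if is_(g, 'sees') and g[1] == p and is_(g[2], 'enc') and g[2][1] == k:
                        new.add(('believes', p, ('said', q, g[2][2])))
            # nonce verification: P |≡ #(X), P |≡ Q |~ X  gives  P |≡ Q |≡ X
            if is_(body, 'said'):
                q, x = body[1], body[2]
                if ('believes', p, ('fresh', x)) in fs:
                    new.add(('believes', p, ('believes', q, x)))
                if is_(x, 'pair'):
                    # Q |~ (X, Y) gives Q |~ X and Q |~ Y; a compound is fresh if a part is
                    new.add(('believes', p, ('said', q, x[1])))
                    new.add(('believes', p, ('said', q, x[2])))
                    if ('believes', p, ('fresh', x[1])) in fs or ('believes', p, ('fresh', x[2])) in fs:
                        new.add(('believes', p, ('fresh', x)))
            # jurisdiction: P |≡ Q ⇒ X, P |≡ Q |≡ X  gives  P |≡ X
            if is_(body, 'controls') and ('believes', p, ('believes', body[1], body[2])) in fs:
                new.add(('believes', p, body[2]))
            # P |≡ Q |≡ (X, Y) gives P |≡ Q |≡ X and P |≡ Q |≡ Y
            if is_(body, 'believes') and is_(body[2], 'pair'):
                new.add(('believes', p, ('believes', body[1], body[2][1])))
                new.add(('believes', p, ('believes', body[1], body[2][2])))
        if new <= fs:
            return fs
        fs |= new


# Constructed scenario: a server S tells B, under the key B shares with S, that
# Kab is a good key for A and B (the slide's good-key(A, K, B)), together with
# B's nonce Nb so that the statement is known to be fresh.
GOOD_KEY = ('shared', 'Kab', 'A', 'B')
ASSUMPTIONS = {
    ('believes', 'B', ('shared', 'Kbs', 'B', 'S')),
    ('believes', 'B', ('fresh', 'Nb')),
    ('believes', 'B', ('controls', 'S', GOOD_KEY)),
}
MESSAGE = ('sees', 'B', ('enc', 'Kbs', ('pair', 'Nb', GOOD_KEY)))
REPLAY = ('sees', 'B', ('enc', 'Kbs', GOOD_KEY))   # same statement, no nonce


def b_accepts_key(seen):
    """Does B end up believing Kab is a good key, given the messages it has seen?"""
    return ('believes', 'B', GOOD_KEY) in ban_close(ASSUMPTIONS | set(seen))


if __name__ == '__main__':
    print(b_accepts_key([MESSAGE]))   # True
    print(b_accepts_key([REPLAY]))    # False: S said it, but possibly long ago
```

Nessett's objection survives this machinery untouched: the engine reasons only about the idealized statement inside {...}Kbs, so if the protocol also transmitted Kab in the clear the derivation would be identical and B would still "believe" the key is good. That gap between the idealization and the real message flow is exactly the consistency assumption the slide lists.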

Summary
- Many applications of logic in computer security are indirect, through the use of tools that require deep logic-system knowledge to design
- Several unusual or specialized logical systems have application to computer security
- Cryptographic protocol analysis is an active, fertile area for logic applications