Towards a Declarative Language and System for Secure Networking Martín Abadi 1,2, Boon Thau Loo 3 1 Microsoft Research Silicon Valley, 2 UC Santa Cruz,

Towards a Declarative Language and System for Secure Networking
Martín Abadi (1,2), Boon Thau Loo (3)
1 Microsoft Research Silicon Valley, 2 UC Santa Cruz, 3 University of Pennsylvania

Motivation
- Designing secure network protocols is hard
- Imperative languages make the process tedious and error-prone
- Explore the use of declarative languages for secure networking: "Ask for what you want, not how to implement it"
- Success of database research: from the 70's to today, database research has revolutionized data management

Approach
- Examine two classes of declarative languages:
  - Database query languages for declarative networking
  - Logic-based access control languages in distributed systems
- Contribution:
  - Compare these two classes of languages
  - Propose a unifying declarative language and system

Why might this be useful?
- Intellectually interesting to compare two languages
- Single declarative language and system: ease of management
- Many useful examples: authenticated routing protocols, secure overlays, DNSSEC, trust management in shared testbeds, P2P information sharing, etc.
- Fine-grained control over the interaction between security and network protocol: potential for cross-layer analysis and optimizations
- Distributed query engines to process security policies

Outline
- Background: Declarative networking; Access control & related languages
- Introduction to Datalog
- Network Datalog and Binder languages
- Secure Network Datalog: language design, examples
- Future Directions

Declarative Networking
A declarative framework for networks:
- Declarative specifications of networks, compiled to distributed dataflows
- Distributed query engine to execute distributed dataflows to implement protocols
Observation: Recursive queries are a natural fit for routing
- Network Datalog (NDlog) language

A Declarative Network
[Figure: a distributed recursive query running over the network]
Traditional Networks   ->  Declarative Networks
Network state          ->  Distributed database
Network protocol       ->  Recursive query execution
Network messages       ->  Distributed dataflow (dataflow messages)

Declarative Networking
- Declarative Routing [SIGCOMM '05]: Extensible routers (balance of flexibility, efficiency and safety). Textbook routing protocols (3-8 lines)
- Declarative Overlays [SOSP '05]: Rapid prototyping of new overlay networks. Chord DHT overlay routing (47 lines), Narada mesh (16 lines)
- Database Fundamentals [SIGMOD '06]: Language, execution and optimizations
- System available:

Access Control
- Central to security, pervasive in computer systems
- Model:
  - objects, resources
  - requests for operations on objects
  - sources for requests, called principals
  - a reference monitor to decide on requests
[Figure: a principal sends "Do operation" to a reference monitor, which guards the object]

Logics in Access Control
- Logical tools and ideas have been used to explain and improve access control
- Logic-based languages: Binder, SD3, D1LP, SecPAL, etc.
- Trust management
- We focus on Binder: simple design, most similar to NDlog; promises relatively straightforward unification with NDlog

Key Insight
- Binder and NDlog are both based on logic and Datalog
- Both extend Datalog in surprisingly similar ways: a notion of context (location) identifies components (nodes) in a distributed system
- Suggests the possibility of unifying both languages
- Similar observation: Martín Abadi. "On Access Control, Data Integration, and Their Languages." Comparing Tsimmis and Binder

Outline
- Background: Declarative networking; Access control & related languages
- Introduction to Datalog
- NDlog and Binder languages
- SeNDlog: language design, examples
- Future Directions

Review of Datalog
Datalog rule syntax: head :- body1, body2, ..., bodyn.
- The head is an output table
- Types of conditions in the body:
  - Input tables: link(src,dst) predicate
  - Arithmetic and list operations
- Recursive rules: the result of the head appears in the rule body

All-Pairs Reachability
R1: reachable(S,D) :- link(S,D).
R2: reachable(S,D) :- link(S,Z), reachable(Z,D).
Input: link(source, destination). Output: reachable(source, destination)
link(a,b) - "there is a link from node a to node b"
reachable(a,b) - "node a can reach node b"
R1: "For all nodes S,D, if there is a link from S to D, then S can reach D".

All-Pairs Reachability
R1: reachable(S,D) :- link(S,D).
R2: reachable(S,D) :- link(S,Z), reachable(Z,D).
Input: link(source, destination). Output: reachable(source, destination)
R2: "For all nodes S, D and Z, if there is a link from S to Z AND Z can reach D, then S can reach D".
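The rules R1 and R2 evaluated bottom-up to a fixpoint, as an added example (not code from the slides or from the P2 system). The link table is constructed and deliberately contains a cycle, to show that set semantics make the recursion terminate.

```python
# Added example (not from the slides): bottom-up, semi-naive evaluation of
#   R1: reachable(S,D) :- link(S,D).
#   R2: reachable(S,D) :- link(S,Z), reachable(Z,D).
# over a constructed link table that contains a cycle (b -> c -> d -> b).

LINKS = {("a", "b"), ("b", "c"), ("c", "d"), ("d", "b")}   # link(src, dst) facts

def all_pairs_reachable(links):
    """Return the reachable(S,D) table as a set of (S,D) pairs."""
    links = set(links)
    links_into = {}
    for s, z in links:                    # index link(S,Z) on Z for the join in R2
        links_into.setdefault(z, set()).add(s)
    reachable = set(links)                # R1: every link is a reachable pair
    delta = set(reachable)                # tuples first derived in the last round
    while delta:
        # R2: join link(S,Z) with only the newly derived reachable(Z,D) tuples;
        # anything derivable from older tuples already exists, so no work repeats.
        new = {(s, d) for (z, d) in delta for s in links_into.get(z, ())}
        delta = new - reachable           # set semantics make the cycle terminate
        reachable |= delta
    return reachable
```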

All-Pairs Reachability (with location specifiers)
R1: [rule not recovered from the slide]
R2: [rule not recovered from the slide]
[Figure: a network of nodes b, c, d with their input link tables and output reachable tables; the "@" field of each tuple is the Location Specifier]
Query: [not recovered from the slide]

Implicit Communication
A networking language with no explicit communication:
R2: [rule not recovered from the slide]
Data placement induces communication

Path Vector in NDlog
Input: link(source, destination)
Query output: path(source, destination, pathVector)
R1: [body not recovered from the slide], P=(S,D).
R2: [body not recovered from the slide], P = S followed by P2 (add S to the front of P2).
Query: [not recovered from the slide]
Previous work:
- Communication patterns are the same as the actual path vector protocol
- Easy to compose new protocols (distance-vector, link-state, multicast, etc.)

Execution Plan
Nodes in the execution plan ("operators"):
- Network operators (send/recv, cc, retry, rate limitation)
- Relational operators (selects, projects, joins, aggregates)
- Flow operators (mux, demux, queues)
[Figure: a single P2 node, with messages flowing in from the network and out to the network]

Binder
- Logic-based language for access control
- Similar to Datalog, with the special construct "says"
- Rules in different contexts
Alice's context:
  A1: may-access(P,O,read) :- good(P).
  A2: may-access(P,O,read) :- bob says may-access(P,O,read).
Bob's context:
  may-access(charlie,o,read).
  Export: bob says may-access(charlie,o,read)
Alice imports: bob says may-access(charlie,o,read).
Alice exports: Alice says may-access(charlie,o,read).
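The two contexts on this slide run as a small bottom-up evaluator, as an added example (not code from the slides or from Binder). It assumes that the receiving context already knows, from the channel, which principal sent each message; the set of objects that A1 ranges over is constructed.

```python
# Added example (not from the slides): the two Binder contexts on this slide,
# evaluated bottom-up. A fact is a tuple; a quoted fact is ("says", p, fact).
# Which principal "says" an imported fact is fixed by the authenticated sender
# of the channel (our simulation), never by a name inside the payload.

OBJECTS = {"o"}          # objects Alice's rule A1 ranges over (constructed)

def export(owner, facts):
    """Leaving owner's context, every fact becomes 'owner says fact'."""
    return [(owner, ("says", owner, f)) for f in facts]   # (verified sender, payload)

def import_into(context, messages):
    """Import each (verified_sender, payload) pair into a context."""
    for sender, payload in messages:
        if payload[0] == "says" and payload[1] == sender:
            context.add(payload)                       # genuine 'sender says f'
        else:
            context.add(("says", sender, payload))     # re-attribute to real sender
    return context

def alice_derive(context):
    """Alice's rules, run to a fixpoint:
    A1: may-access(P,O,read) :- good(P).
    A2: may-access(P,O,read) :- bob says may-access(P,O,read)."""
    facts = set(context)
    while True:
        new = set()
        for f in facts:
            if f[0] == "good":
                new |= {("may-access", f[1], o, "read") for o in OBJECTS}
            if f[0] == "says" and f[1] == "bob" and f[2][0] == "may-access":
                new.add(f[2])
        if new <= facts:
            return {f for f in facts if f[0] == "may-access"}
        facts |= new

def alice_decides(extra_messages=()):
    """Bob's context exports its fact; Alice imports it plus any other traffic."""
    bob_context = {("may-access", "charlie", "o", "read")}
    alice = {("good", "dave")}
    import_into(alice, export("bob", bob_context) + list(extra_messages))
    return alice_derive(alice)
```

A payload that merely names bob but arrives on a channel authenticated as another principal is re-attributed to that principal, so A2 does not fire on it.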

Notion of "Says"
- "says" abstracts the details of authentication
- When "p says s", p may transmit s in a variety of ways:
  - on a local channel via a trusted operating system within a computer,
  - on a physically secure channel between two machines,
  - on a channel secured with shared-key cryptography, or
  - in a certificate with a public-key digital signature.

Comparing Binder and NDlog
- Trusted vs untrusted networks
  - NDlog: location relates to data placement. E.g. [example not recovered from the slide]; global rules: [not recovered from the slide]
  - Binder: communication happens via "says"; import and export of facts into a context, e.g. may-access(P,O,read) :- bob says may-access(P,O,read).
- Bottom-up vs top-down evaluation
- Export of derived tuples:
  - Binder: no integration of security policy with export of data
  - NDlog: location specifier in rule head

Secure Network Datalog (SeNDlog)
- Unifies Binder and NDlog
- Goals of the language:
  - As expressive as Binder and NDlog
  - Supports authenticated communication and enables differentiation of roles
  - Supports both trusted and untrusted environments
  - Amenable to execution and optimizations in distributed query engines: bottom-up evaluation strategy; incremental, continuous execution model

SeNDlog
At N,
  E1: p(X,Y) :- p1(X), p2(Y).
  E2: p(X,Y,W) :- Y says p1(X), Z says p2(W).
  E3: [head not recovered from the slide] :- p1(X), Y says p2(Z).
  E4: Z says [head not recovered from the slide] :- Z says p(Y), p1(X).
Important features:
- Local principal (address, address/key, address/key/username)
- "Localized" rule bodies within a context
- Import predicates: the "says" construct, with different levels of "says"
- Export predicates with location specifiers
- Honesty constraint

Example 1: Authenticated Path Vector Protocol
At Z,
  Z1: path(Z,X,P) :- neighbor(Z,X), P=(Z,X).
  Z2: path(Z,Y,P) :- X says advertise(Y,P).
  Z3: [head not recovered from the slide] :- neighbor(Z,X), path(Z,Y,P), P1 = X followed by P.
[Figure: nodes a, b, c, d; c says advertise(d,[b,c,d]) to b, and b says advertise(d,[a,b,c,d]) to a]
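Rules Z1-Z3 run at every node of a constructed a-b-c-d chain, as an added example (not code from the slides or from the P2 system). It assumes that "X says" is realised over a channel secured with shared-key cryptography, so each link has a constructed shared key and an advertisement counts as said by X only if its MAC verifies; the loop check that keeps a path from being sent back to a node already on it is also our addition.

```python
import hmac, hashlib, json

# Constructed topology a - b - c - d; one shared key per link stands in for the
# "says" channel secured with shared-key cryptography (our assumption).
NEIGHBORS = {"a": ["b"], "b": ["a", "c"], "c": ["b", "d"], "d": ["c"]}
KEYS = {frozenset("ab"): b"k-ab", frozenset("bc"): b"k-bc", frozenset("cd"): b"k-cd"}

def mac(sender, receiver, fact):
    """MAC of the fact under the sender-receiver key; None if they share no key."""
    key = KEYS.get(frozenset((sender, receiver)))
    if key is None:
        return None
    body = json.dumps([sender, receiver, fact]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def says(sender, receiver, fact):
    """Export 'sender says fact' to receiver: the MAC binds the fact to the sender."""
    return (sender, receiver, fact, mac(sender, receiver, fact))

def authenticated_paths(injected=()):
    """Run Z1-Z3 at every node to a fixpoint. Returns (paths per node, rejected
    messages). `injected` lets a test feed extra, possibly forged, messages."""
    # Z1: path(Z,X,P) :- neighbor(Z,X), P=(Z,X).
    paths = {z: {(x, (z, x)) for x in NEIGHBORS[z]} for z in NEIGHBORS}
    inbox, rejected = list(injected), []
    while True:
        # Z3: for each neighbor X and path(Z,Y,P), export advertise(Y, X.P) said by
        # Z. A path already containing X is not sent back to X (loop check, ours).
        for z in NEIGHBORS:
            for x in NEIGHBORS[z]:
                for y, p in paths[z]:
                    if x not in p:
                        inbox.append(says(z, x, ["advertise", y, [x, *p]]))
        changed = False
        for sender, z, fact, tag in inbox:
            # Z2: path(Z,Y,P) :- X says advertise(Y,P). "X says" holds only when the
            # MAC verifies under the X-Z key, so a claimed sender cannot be spoofed.
            expected = mac(sender, z, fact)
            if expected is None or not hmac.compare_digest(expected, tag):
                rejected.append((sender, z, fact))
                continue
            _, y, p = fact
            if (y, tuple(p)) not in paths[z]:
                paths[z].add((y, tuple(p)))
                changed = True
        inbox = []
        if not changed:
            return paths, rejected
```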

Example 2: Secure DHT Identifiers
- Security weakness in DHTs: malicious nodes can occupy a large part of the key space
- Solution: certified node identifiers from a CA
  - 5 additional rules to P2-Chord; details in the paper
- Nodes have different roles: CA, landmark, joining node, etc.
- Certificates can be forwarded from one node to another: use of the honesty constraint
- Another example: DNSSEC

Ongoing Work
- Implementation in the P2 system: "says" construct; communication via signed certificates; rule bodies within a context
- Implement a variety of secure networks, e.g. DNSSEC, secure routing, secure DHTs, trust management in extensible testbeds, P2P information sharing, your suggestions!
- Cross-layer analysis and optimizations: exploit fine-grained control over security and networks
  - Authenticity of routing table entries: a logic proof of why an entry is there
  - Trusted but not trustworthy?
  - Optimize protocols to favor trusted nodes

Future Work
- Query language issues:
  - Logic-based trust management: SD3, SecPAL, D1LP
  - Distributed Datalog: ubQL, d3log
  - Data integration: Tsimmis
- Different approach: we started from Binder and NDlog (lots of domain knowledge, but biased). What if we design from scratch?
  - Sending / receiving & distributed computations
  - Notion of context
  - Trust relationships
  - Continuous incremental evaluations

Thank You