Distributed System Security via Logical Frameworks Frank Pfenning Carnegie Mellon University Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter

11/18/2005 McGill University2 Outline  The Grey Project  Authentication and Authorization  Affirmation and Truth  Proof Search  Absence of Interference  Consumable Resources  Conclusion

11/18/2005 McGill University3 The Grey Project  Smartphones for universal access control  Doors, computers, food?, cars?, …  Being deployed at CMU CyLab building  Exploit communication capabilities  Bluetooth, camera, speaker, microphone  Mobile data services, keypad  Exploit computational power  500 mHz processor, J2ME

11/18/2005 McGill University4 Technical Challenges  Distributed multi-modal access control  Flexible and extensible  Formally analyzable  Intuitive and usable  Efficient fair contract signing  Capture resilience  Privacy protection  Interfaces, programming realities

11/18/2005 McGill University5 Authentication & Authorization Jack: Please let me into the castle. Jack: ``Jack’’. Here is my passport. Guard: Who are you? Guard: The seal is valid. Guard: You are in my list. Guard: You may enter. The King These may enter: King, Queen, Jack, Jill,… Policy This is Jack The King

11/18/2005 McGill University6 Access Control Lists  Authentication via certificates  Use digitally signed certificates  Verify with public key cryptography  Employed in Grey architecture  Authorization via access control lists  Check membership in access control list  Inflexible and difficult to extend  Replace by other mechanism in Grey

11/18/2005 McGill University7 Certificates for Authorization Authentication as before Jack: Here is my commission. Guard: Why should I let you in? Guard: Your commission is valid. Guard: You may enter. The King Jack may enter Affirmation

11/18/2005 McGill University8 Authorization via Propositions  Policy: let pass if  Enforcement: check if King signed  Apply in other scenarios  File systems (may-read, may-write)  Doors (may-open)

11/18/2005 McGill University9 Distributed Authorization Authentication as before Jack: I belong to the Queen’s household. Guard: Why should I let you in? Guard: Is Jack a member of your household? Queen: Yes. The King Policy These may enter: King, Queen, …, Members of the Queen’s household Guard: You may enter. The Queen Jack is a member of my household Affirmation

11/18/2005 McGill University10 Reasoning about Authorization  Policy, given as signed certificates:  Enforcement: Check proof of  Requires verification of certificates and logical reasoning

11/18/2005 McGill University11 Proof-Carrying Authorization  Resource monitor challenges w. proposition  Client assembles and sends proof object  Using local and remote certificates  Exploits communication abilities of cell phone  Resource monitor checks proof  Check proper application of inference rules  Validate embedded certificates  [Appel & Felten’99] [Bauer’03]

11/18/2005 McGill University12 Some Issues  Authorization logic  General logical rules  Policy expression  Proof search, representation, and verification  Properties of policies  Certificates  Verification authority, expiration, revocation  Use X.509 standard

11/18/2005 McGill University13 Authorization Logic  Logical reasoning about access control  [Abadi,Burrows,Lampson,Plotkin’93]  Much subsequent work omitted here  General characteristics of prior work  Decidable (propositional or datalog fragment)  Classical (law of excluded middle)  Modal logic (“K says” as modality)

11/18/2005 McGill University14 A New Foundation  Goals  Inherent extensibility  Tie between meaning of connectives (policy expression) and proofs (policy enforcement)  Formal reasoning about policies  Further Goals  Reasoning with state, time, and knowledge  [Garg & Pf’05] [Bauer, Bowers, Pf, Reiter’05]

11/18/2005 McGill University15 Logic, the Multi-Headed Hydra Classical Intuitionistic Epistemic “Intentional” Temporal Linear Modal Traditional Mathematics Functional Programming Model Checking Consumable Resources Authorization Knowledge Distributed Systems

11/18/2005 McGill University16 How Do We Define a Logic?  Must explain the meaning of propositions  The meaning of a proposition is determined by what counts as evidence for its truth  [Gentzen’35] [Martin-Löf’83] [Pf & Davies’01]  Meaning via proofs, proofs via meaning  Well-suited for proof-carrying authorization  Other approaches possible  Axiomatic, categorical, denotational, …

11/18/2005 McGill University17 Examples  Disjunction ``A or B’’  Conjunction ``A and B’’

11/18/2005 McGill University18 Hypothetical Judgments  Reasoning from assumptions  Hypothesis rule  Hypotheses can be used arbitrarily often HypothesesConclusion Gamma, for arbitrary hypotheses

11/18/2005 McGill University19 Two Sides to Every Story  For each connective:  Show how to prove it on the right-hand side  Show how to use it on the left-hand side  Example: Disjunction ``A or B’’

11/18/2005 McGill University20 Cut Elimination  The right and left rules must be in harmony  The rule of Cut must be redundant  All uses of Cut can be eliminated  Cut does not analyze the given propositions in Γ or C, but introduces arbitrary A in premises

11/18/2005 McGill University21 Implication  Hypothetical reasoning as a proposition  All rules break down connectives  Meaning of proposition composed from the meanings of it parts

11/18/2005 McGill University22 Affirmation  Only judgment so far: “A true”  Affirmation expresses policy (intent)  New judgment: “K affirms A”  Externally new evidence (signed certificates)  Internally new rules (relation to truth)  Example

11/18/2005 McGill University23 Affirmation and Truth  Principals may affirm any proposition  Principals will affirm all true propositions  Principals can reason logically  This form of Cut must be also be redundant

11/18/2005 McGill University24 Affirmation as a Proposition  New proposition “K says A”  Define meaning by right and left rules  Reason from affirmation assumptions

11/18/2005 McGill University25 Example Proof

11/18/2005 McGill University26 Example Proof  First subproof  Follows by hypothesis rule

11/18/2005 McGill University27 Example Proof  Second subproof  Proof complete by hypothesis rule

11/18/2005 McGill University28 Distributed Proof Search  Locally known certificates as hypotheses  Resource monitor’s challenge as conclusion  Construct proof bottom-up  Choose rule and apply (backwards)  Backtrack if necessary  Contact remote data base or principal when “K says A” is unprovable subgoal  [Bauer, Garriss, Reiter’05]

11/18/2005 McGill University29 Proof Representation  Proofs unwieldy on paper  Formal representation compact & efficient  Use logical framework  Logic specification  Proof search, representation, and checking  Reasoning about logic  Example: earlier proof becomes

11/18/2005 McGill University30 Logical Frameworks  LF logical framework  [Harper, Honsell, Plotkin’93]  Judgments as types; proofs as objects  Specifications are open-ended  Inherent extensibility of authorization logic  Twelf implementation  [Schürmann’01] [Pientka’03]  Reasoning about encoded logic

11/18/2005 McGill University31 Some General Theorems  Some characteristic theorems  Familiar from functional programming  “K says” forms strong monad  Used to isolate effects  [Moggi’91] [Wadler’93] [Pf & Davies’01]

11/18/2005 McGill University32 Some Non-Theorems  Understand when access is denied  Some non-theorems (for unknown K, A, Q)  Sample meta-argument Does not match conclusion of any rule

11/18/2005 McGill University33 Absence of Interference  Explore consequences of access control policy, expressed in authorization logic  Metatheorem:If “K says” occurs only as conclusion in P and assumption in C then  More complex non-interference theorems  [Garg & Pf’05] if and only if

11/18/2005 McGill University34 Formal Metatheory  Formal metatheory of authorization logic in Twelf  Cut elimination  Simple non-interference results  Proof search for existential question  “Does there exist a proof of A true”  Metatheory for universal questions  “No proof concludes that A true”

11/18/2005 McGill University35 Consumable Resources Authentication as before Jack: I will pay you Gld 100. Guard: Why should I let you in? Guard: You may enter when you pay. Guard: The King These may enter: King, Queen, …, anyone who pays Gld 100. Policy Jack:

11/18/2005 McGill University36 Consumable Resources  Logically  Ephemeral hypotheses (use only once in proof)  Supported in linear logic  Cryptographically  Consumable certificates  Multi-party contract signing  Atomic fair exchange

11/18/2005 McGill University37 Linear Logic  Persistent and ephemeral hypotheses  Some new connectives  A ( B : with ephemeral A we can prove B  A ­ B : both A and B ephemerally  Truth, affirmation, and prior connectives still make sense Persistent, use arbitrarily Ephemeral, use once

11/18/2005 McGill University38 Linear Authorization Logic  Example (simplified)  Omitted consent (Bank)

11/18/2005 McGill University39 Realization  Proving does not consume actual resources  Realizing a complete proof will consume resources (certificates)  Must be atomic  Implement with multi-party contract signing  Involves separate ratification authority  [Bauer, Bauers, Pf, Reiter’05]

11/18/2005 McGill University40 Summary  Cell phones for universal access control  Exploit communication capabilities  Being deployed at CMU CyLab floor  Logical approach to access control  Flexible and extensible  Unifies policy expression and enforcement  Permits formal reasoning about policies  Implemented in logical framework

11/18/2005 McGill University41 Current and Future Work  Consumable certificates and linear logic  Reasoning with state, multi-party contracts  Privacy and epistemic logic  Reasoning with local knowledge, protocols  Expiration and temporal logic  Reasoning about time, details of certificates  Engineering the infrastructure, interfaces