Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS.

Slides:



Advertisements
Similar presentations
Computer Science CPSC 322 Lecture 25 Top Down Proof Procedure (Ch 5.2.2)
Advertisements

Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,
Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)
Methods of Proof Chapter 7, Part II. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound) generation.
1 A Description Logic with Concrete Domains CS848 presentation Presenter: Yongjuan Zou.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Proof methods Proof methods divide into (roughly) two kinds: –Application of inference rules Legitimate (sound) generation of new sentences from old Proof.
Logic in general Logics are formal languages for representing information such that conclusions can be drawn Syntax defines the sentences in the language.
Constraint Logic Programming Ryan Kinworthy. Overview Introduction Logic Programming LP as a constraint programming language Constraint Logic Programming.
Trust Management I Anupam Datta Fall A: Foundations of Security and Privacy.
Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Logical Agents Chapter 7. Why Do We Need Logic? Problem-solving agents were very inflexible: hard code every possible state. Search is almost always exponential.
Methods of Proof Chapter 7, second half.
Extensible proof-carrying authorization in Alpaca October 31, 2007 ACM CCS – Alexandria, VA Chris Lesniewski-Laas, Bryan Ford, Jacob Strauss, Robert Morris,
CS1502 Formal Methods in Computer Science Lecture Notes 10 Resolution and Horn Sentences.
Security Protocols in Automation Dwaine Clarke MIT Laboratory for Computer Science January 8, 2002 With help from: Matt Burnside, Todd.
1 Role-Based Cascaded Delegation: A Decentralized Delegation Model for Roles Roberto Tamassia Danfeng Yao William H. Winsborough Brown University Brown.
CS590U Access Control: Theory and Practice Lecture 21 (April 11) Distributed Credential Chain Discovery in Trust Management.
Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014.
Computer Science 725 – Software Security Presentation “Decentralized Trust Management” Decentralized Trust ManagementDecentralized Trust Management M.
Ninghui Li (Purdue University) 2 nd Int’l Summer School in Computation Logic June 17, 2004 Logic and Logic Programming in Distributed Access Control (Part.
An Algebra for Composing Access Control Policies (2002) Author: PIERO BONATTI, SABRINA DE CAPITANI DI, PIERANGELA SAMARATI Presenter: Siqing Du Date:
Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.
Computational Complexity Theory Lecture 2: Reductions, NP-completeness, Cook-Levin theorem Indian Institute of Science.
Ninghui Li (Purdue University) 2 nd Int’l Summer School in Computation Logic June 16, 2004 Logic and Logic Programming in Distributed Access Control (Part.
Proof-Carrying Code & Proof-Carrying Authentication Stuart Pickard CSCI 297 June 2, 2005.
Advanced Topics in Propositional Logic Chapter 17 Language, Proof and Logic.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
Of 33 lecture 12: propositional logic – part I. of 33 propositions and connectives … two-valued logic – every sentence is either true or false some sentences.
Slide 1 Propositional Definite Clause Logic: Syntax, Semantics and Bottom-up Proofs Jim Little UBC CS 322 – CSP October 20, 2014.
1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.
Security (and privacy) Larry Rudolph With help from Srini Devedas, Dwaine Clark.
Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University.
Computing & Information Sciences Kansas State University Lecture 13 of 42 CIS 530 / 730 Artificial Intelligence Lecture 13 of 42 William H. Hsu Department.
Trust calculus for PKI Roman Novotný, Milan Vereščák.
ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Logical Agents Chapter 7. Knowledge bases Knowledge base (KB): set of sentences in a formal language Inference: deriving new sentences from the KB. E.g.:
A Logic of Partially Satisfied Constraints Nic Wilson Cork Constraint Computation Centre Computer Science, UCC.
Logical Agents Chapter 7. Outline Knowledge-based agents Logic in general Propositional (Boolean) logic Equivalence, validity, satisfiability.
Non-interference in Constructive Authorization Logic Deepak Garg and Frank Pfenning Carnegie Mellon University.
CS6133 Software Specification and Verification
SecPAL Presented by Daniel Pechulis CS5204 – Operating Systems1.
SDSI -- A Simple Distributed Security Infrastructure by Ronald L. Rivest MIT Lab for Computer Science (joint work with Butler Lampson)
From Hoare Logic to Matching Logic Reachability Grigore Rosu and Andrei Stefanescu University of Illinois, USA.
Computer Science CPSC 322 Lecture 22 Logical Consequences, Proof Procedures (Ch 5.2.2)
Introduction to Access Control and Trust Management Daniel Trivellato.
© Copyright 2008 STI INNSBRUCK Intelligent Systems Propositional Logic.
Inference in First Order Logic. Outline Reducing first order inference to propositional inference Unification Generalized Modus Ponens Forward and backward.
SDSI -- A Simple Distributed Security Infrastructure by Ronald L. Rivest MIT Lab for Computer Science (joint work with Butler Lampson)
1 Propositional Logic Limits The expressive power of propositional logic is limited. The assumption is that everything can be expressed by simple facts.
Logical Agents Chapter 7. Outline Knowledge-based agents Propositional (Boolean) logic Equivalence, validity, satisfiability Inference rules and theorem.
Proof Methods for Propositional Logic CIS 391 – Intro to Artificial Intelligence.
On Abductive Equivalence Katsumi Inoue National Institute of Informatics Chiaki Sakama Wakayama University MBR
Computing & Information Sciences Kansas State University Wednesday, 04 Oct 2006CIS 490 / 730: Artificial Intelligence Lecture 17 of 42 Wednesday, 04 October.
Computing & Information Sciences Kansas State University Friday, 13 Oct 2006CIS 490 / 730: Artificial Intelligence Lecture 21 of 42 Friday, 13 October.
COMP 412, FALL Type Systems C OMP 412 Rice University Houston, Texas Fall 2000 Copyright 2000, Robert Cartwright, all rights reserved. Students.
Artificial Intelligence Logical Agents Chapter 7.
Certifying and Synthesizing Membership Equational Proofs Patrick Lincoln (SRI) joint work with Steven Eker (SRI), Jose Meseguer (Urbana) and Grigore Rosu.
Logical Agents. Outline Knowledge-based agents Logic in general - models and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability.
Decentralized Access Control: Overview Deepak Garg Foundations of Security and Privacy Fall 2009.
Decentralized Access Control: Policy Languages and Logics
The Propositional Calculus
SPKI/SDSI 2.0 A Simple Distributed Security Infrastructure
Back to “Serious” Topics…
Research Challenges in Enterprise Privacy Authorization Language
Methods of Proof Chapter 7, second half.
ece 720 intelligent web: ontology and beyond
Presentation transcript:

Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS Purdue University

2 Ninghui Li (Purdue University) Outline A brief introduction to trust management Logic-based semantics for SDSI

3 Ninghui Li (Purdue University) The Trust-Management (TM) Approach Multi-centric access control using delegation  access control decisions are based on distributed policy statements issued by multiple principals  policy statements contain attributes of principals such as permissions, roles, qualifications, characteristics trust relationships

4 Ninghui Li (Purdue University) Common characteristics of TM systems Use public-key certificates for non-local statements Treat public keys as principals to be authorized  authentication consists of verifying signatures

5 Ninghui Li (Purdue University) Digital Signature Scheme Key space: a set of key pairs (K, K -1 )  K is the verification key and is publicly available  K -1 is the signing key and is kept private A signing algorithm sig  sig(K -1, M) outputs a digital signature on M A verification algorithm ver  ver(K, M,  ) outputs yes or no  ver(K, M, sig(K -1, M)) = yes  w/o knowing K -1, it is difficult to find  s.t. ver(K,M,  )=yes

6 Ninghui Li (Purdue University) Public-Key Certificates A certificate is a data record together with a digital signature A certificate is signed using K -1  we say that it is issued by a public key K A certificate binds some information to another public key (the subject key) Can be verified by anyone who knows the issuer’s public key  can one trust the issuer’s public key?

7 Ninghui Li (Purdue University) Early Trust Management Langugaes PolicyMaker  Blaze, Feigenbaum & Lacy: “Decentralized Trust Management”, S&P’96.  Blaze, Feigenbaum & Strauss: “Compliance-Checking in the PolicyMaker Trust Management System”, FC’98. KeyNote  Blaze, Feigenbaum, Ioannidis & Keromytis: “The KeyNote Trust- Management System, Version 2”, RFC SPKI (Simple Public Key Infrastructure) / SDSI (Simple Distributed Security Framework)  Rivest & Lampson: SDSI  A Simple Distributed Security Infrastructure, Web-page  Ellison et al.: SPKI Certificate Theory, RFC  Clarke et al.: Certificate Chain Discovery in SPKI/SDSI, JCS’01.

8 Ninghui Li (Purdue University) Datalog-based Trust Management Languages Delegation Logic  Li, Grosof & Feigenbaum: “Delegation Logic: A Logic-based Approach to Distributed Authorization”, TISSEC’03. (Conference versions appeared in CSFW’99 and S&P’00) SD3 (Secure Dynamically Distributed Datalog)  Jim: “SD3: A Trust Management System with Certified Evaluation”, S&P’01. Binder  DeTreville: “Binder, a Logic-Based Security Language”, S&P’02. RT: A Family of Role-based Trust-management Languages

9 Ninghui Li (Purdue University) Other Closely Related Logic-based Security Languages ABLP logic (Abadi, Burrows, Lampson, et al.)  Lampson et al.: “Authentication in Distributed Systems: Theory and Practice”, TOCS’92.  Abadi et al.: “A Calculus for Access Control in Distributed Systems”, TOPLAS’93. QCM (Query Certificate Managers)  Gunter & Jim: “Policy-directed Certificate Retrieval”, SPE’00 AF logic  Appel & Felton: “Proof-Carrying Authentication”, CCS’99

10 Ninghui Li (Purdue University) History of SPKI/SDSI SDSI (Simple Distributed Security Infrastructure)  SDSI 1.0 and 1.1  Rivest & Lampson 96 SPKI (Simple Public Key Infrastructure)  SPKI 1.0 (Ellison 1996) SPKI/SDSI 2.0  RFC 2693 [1999]  [Clarke et al. JCS’01]

11 Ninghui Li (Purdue University) An Example in SDSI 2.0 SDSI Certificates  (K C access  K C mit faculty secretary)  (K C mit  K M )  (K M faculty  K EECS faculty)  (K EECS faculty  K Rivest )  (K Rivest secretary  K Rivest alice)  (K Rivest alice  K Alice ) From the above certificates, K C concludes that K Alice has access

12 Ninghui Li (Purdue University) 4-tuple Reduction in RFC 2693 Name strings can be reduced using 4-tuples  (K 1 A 1  K 2 ) reduces “K 1 A 1 A 2 … A n ” to “K 2 A 2 … A n ” e.g., (K C mit  K M ) reduces “K C mit faculty secretary” to “K M faculty secretary”  (K 1 A 1  K 2 B 1 … B m ) reduces “K 1 A 1 A 2 … A n ” to “K 2 B 1 … B m A 2 … A n ” e.g., (K M faculty  K EECS faculty) reduces “K M faculty secretary” to “K EECS faculty secretary”

13 Ninghui Li (Purdue University) Applying 4-tuple Reduction in the Example From (K C access) to (K C mit faculty secretary) to (K M faculty secretary) to (K EECS faculty secretary) to (K Rivest secretary) to (K Rivest alice) to (K Alice ) (K C access  K C mit faculty secretary)(K C mit  K M ) (K M faculty  K EECS faculty)(K EECS faculty  K Rivest ) (K Rivest secretary  K Rivest alice)(K Rivest alice  K Alice )

14 Ninghui Li (Purdue University) Papers on Semantics for SPKI/SDSI Develop specialized modal logics  Abadi: “On SDSI's Linked Local Name Spaces”, CSFW’97, JCS’98.  Halpern & van der Meyden: “A logic for SDSI's linked local name spaces”, CSFW’99, JCS’01 “A Logical Reconstruction of SPKI”, CSFW’01, JCS’03  Howell & Kotz: “A Formal Semantics for SPKI”, ESORICS’00 Other approaches  Li: “Local Names in SPKI/SDSI”, CSFW’00  Jha & Reps: “Analysis of SPKI/SDSI Certificates Using Model Checking”, CSFW’02  Li & Mitchell: “Understanding SPKI/SDSI Using First-Order Logic”, CSFW’03 (Contains the results presented here)

15 Ninghui Li (Purdue University) What is a Semantics? Elements of a semantics  syntax for statements  syntax for queries  an entailment relation that determines whether a query Q is true given a set P of statements

16 Ninghui Li (Purdue University) Why a Formal Semantics? What can we gain by a formal semantics  understand what queries can be answered  defines the entailment relation in a way that is precise, easy to understand, and easy to compute How can one say a semantics is good  subjective metrics: simple, natural, close to original intention  defines answers to a broad class of queries  can use existing work to provide efficient deduction procedures for answering those queries

17 Ninghui Li (Purdue University) Concepts in SDSI Concepts  principalsK, K 1  identifiersA, B, A 1 e.g., mit, faculty, alice  local namesK A, K 1 A 1 e.g., K M faculty, K Rivest alice  name stringsK A 1 A 2 … A n ,  1 e.g., K C mit faculty secretary

18 Ninghui Li (Purdue University) Statements in SDSI 4-tuple (K, A, , V)  K is the issuer principal  A is an identifier   is a name string  V is the validity specification We write (K A   ) for a 4-tuple  ignoring validity specification

19 Ninghui Li (Purdue University) A Rewriting Semantics for SDSI A set P of 4-tuples defines a set of rewriting rules, denoted by RS[P] Queries have the form “can  1 rewrite into  2 ?” Answer a query is not easy.  cannot naively search for all ways of rewriting  1, as there may be recursions e.g., (K friend  K friend friend) What can we do?

20 Ninghui Li (Purdue University) Deduction Based on the Rewriting Semantics (1) Limit queries to the form “can  1 rewrite into K?”  In [Clarke et al.’01], the following closure mechanism is used rewrite 4-tuples  e.g., apply (K C mit  K M ) to rewrite (K C access  K C mit faculty secretary), one gets (K C access  K M faculty secretary) compute the closure of a set of 4-tuples,  obtained by applying 4-tuples that rewrites to a principal then use the resulting shortening 4-tuples to rewrite  1  Search is not goal-directed

21 Ninghui Li (Purdue University) Deduction Based on the Rewriting Semantics (2) Limit to queries like “can  1 rewrite into K?”  In [Li CSFW’00], the following XSB logic program is given :- table(contains/2). contains([P0, N0 | T], P2) :- contains([P0, N0], P1), contains([P1 | T], P2). contains([P0, N0], P) :- credential([P0, N0], CN2), contains(CN2, P). contains([P], P, []) :- isPrincipal(P).

22 Ninghui Li (Purdue University) Deduction Based on the Rewriting Semantics (3) [Li, Winsborough & Mitchell, CCS’01, JCS’03]  develop a graph-based search algorithm for a language RT 0, a superset of SDSI combines bottom-up search and goal-directed top- down search with tabling specifically for the kind of rules in RT 0 can deal with distributed discovery

23 Ninghui Li (Purdue University) Deduction Based on the Rewriting Semantics (4) Use techniques for model checking pushdown systems[Jha & Reps CSFW’02]  SDSI rewriting systems correspond to string rewriting systems modeled by pushdown systems  algorithms for model checking pushdown systems can be used takes time O(N^3), where N is the total size of the SDSI statements

24 Ninghui Li (Purdue University) SDSI and Pushdown Systems A1A1 Stack: State: K 1 B1B1 B2B2... Apply the rewriting rule: K 1 A 1 to K 2 A 2 A 3 A3A3 Stack: State: K 2 B1B1 B2B2... A2A2 A name string corresponds to a configuration “rewrites into” equivalent to “reaches”

25 Ninghui Li (Purdue University) Recap of the Rewriting-based Semantics Defines answers to queries having the form “can  1 rewrite into  2 ?” Specialized algorithms (either developed for SDSI or for model checking pushdown systems) are needed Papers by Abadi and Halpern and van der Meyden try to come up with axiom systems for the rewriting semantics

26 Ninghui Li (Purdue University) Set-based Semantic Intuitions Each name string is bound to a set of principals (K A   ) means the local name “K A” is bound to a superset of the principal set that  is bound to

27 Ninghui Li (Purdue University) Defining Set-based Semantics (1) A valuation V maps each local name to a set of principals A valuation V can be extended to map each name string to a set of principals  V (K) = { K }  V (K A) = V (K A)  V (K B 1 … B m ) =  V (K j B 2 … B m ) j = 1..n where m>1 and V (K B 1 ) = { K 1, K 2, …, K n }

28 Ninghui Li (Purdue University) Defining Set-based Semantics (2) A 4-tuple (K A   ) is the following constraint  V (K A)  V (  ) The semantics of P is the least valuation V P that satisfies all the constraints Queries  “can  rewrite into K?” answered by checking whether “K  V P (  )”. Does not define answers to “can  1 rewrite into  2 ”.  asking whether V P (  1 )  V P (  2 ) is incorrect

29 Ninghui Li (Purdue University) Relationship Between the Rewriting Semantics and the Set Semantics Theorem: Given P,  1, and  2,  1 rewrites into  2 using P if and only if for any P’  P, V P’ (  1 )  V P’ (  2 ). Corrolary: Given P, , and K,  rewrites into K using P if and only if V P (  )  { K }

30 Ninghui Li (Purdue University) A Logic-Programming-based Semantics Derived from the Set-based Semantics Translate each 4-tuple into a LP clause  Using a ternary predicate m m(K, A, K’) is true if K’  V (K A)  (K A  K’) to m(K, A, K’)  (K A  K 1 A 1 ) to m(K, A, ?x) :- m(K 1, A 1, ?x)  (K A  K 1 A 1 A 2 ) to m(K,A,?x) :- m(K 1,A 1,?y 1 ), m(?y 1,A 2,?x)  (K A  K 1 A 1 A 2 A 3 ) to m(K,A,?x) :- m(K 1,A 1,?y 1 ), m(?y 1,A 2,?y 2 ), m(?y 2,A 3,?x) The minimal Herbrand model determines the semantics

31 Ninghui Li (Purdue University) An Alternative Way of Defining the LP- based Semantics (1) Define a macro contains  contains[  ][ K’ ] means that K’  V (  ) contains [K][K’]  (K= K’) contains [K A][K’]  m(K, A, K’) contains [K A 1 A 2 … A n ][K’]   y (m(K, A 1, y)  contains [y A 2 … A n ][K’]) where n>1

32 Ninghui Li (Purdue University) An Alternative Way of Defining the LP- based Semantics (2) Translates a 4-tuple (K A   ) into a FOL sentence   z ( contains [K A][ z ]  contains [  ][ z ]) This sentence is also a Datalog clause A set P of 4-tuples defines a Datalog program, denoted by SP[P]  The minimal Herbrand model of SP[P] defines the semantics

33 Ninghui Li (Purdue University) An Example of Translation From (K C access  K C mit faculty secretary) to  z ( contains [K C access][ z ]  contains [K C mit faculty secretary][ z ] ) to  z ( m( K C, access, z )   y 1 (m(K C, mit, y 1 )  contains [y 1 faculty secretary][z] ) to  z  y 1 ( m( K C, access, z )  m(K C, mit, y 1 )   y 2 (m(y 1, faculty, y 2 )  contains [y 2 secretary] [z] ) to  z  y 1  y 2 ( m( K C, access, z )  m(K C, mit, y 1 )  m(y 1, faculty, y 2 )  m ( y 2, secretary, z]) )

34 Ninghui Li (Purdue University) Set semantics is equivalent to LP semantics The least Herbrand model of SP[P] is equivalent to the least valuation, i.e.,  K’  V P (K A) iff. m(K,A,K’) is in the least Herbrand model of SP[P] Same limitation as set-based semantics  does not define answers to containment between arbitrary name strings

35 Ninghui Li (Purdue University) A First-Order Logic (FOL) Semantics A set P of 4-tuples defines a FOL theory, denoted by Th[P] A query is a FOL formula  “  1 rewrites into  2 ” is translated into  z ( contains [  1 ][ z ]  contains [  2 ][ z ])  Other FOL formulas can also be used as queries Logical implication determines semantics

36 Ninghui Li (Purdue University) FOL Semantics is Extension of LP Semantics LP semantics is FOL semantics with queries limited to LP queries  m(K,A,K’) is in the least Herbrand model of SP[P] iff. Th[P] |= m(K,A,K’)

37 Ninghui Li (Purdue University) Equivalence of Rewriting Semantics and FOL Semantics Theorem: for string rewriting queries, the string rewriting semantics is equivalent to the FOL semantics  Given a set P of 4-tuples, it is possible to rewrite  1 into  2 using the 4-tuples in P if and only if Th[P] |=  z ( contains [  1 ][ z ]  contains [  2 ][ z ])

38 Ninghui Li (Purdue University) Advantages of FOL semantics: Computation efficiency A large class of queries can be answered efficiently using logic programs  including rewriting queries  e.g., whether  rewrites into K B 1 B 2 under P can be answered by determining whether SP[P  (K’ A’   )  (K B 1  K’ 1 )  (K’ 1 B 2  K’ 2 )] |= m(K’,A’, K’ 2 ) where K’, K’ 1, and K’ 2 are new principals this proof procedure is sound and complete  this result also follows from results in proof theory regarding Harrop Hereditary formulas

39 Ninghui Li (Purdue University) Advantages of FOL semantics: Extensibility Additional kinds of queries can be formulated and answered, e.g.,   z (m(K 1, A 1, z )  m(K 1, A 2, z ))   z (m(K 2, A 1, z )  m(K 2, A 2, z )) Additional forms of statements can be easily handled, e.g.,  (K A  K 1 A 1  K 2 A 2 ) maps to  z (m(K,A, z )  m(K 1,A 1, z )  m(K 2,A 2, z ))

40 Ninghui Li (Purdue University) Summary: 4 Semantics String Rewriting: difficult to extend Set: limited in queries Logic Programming First-Order Logic

41 Ninghui Li (Purdue University) Advantages of FOL Semantics: Summary Simple  captures the set-based intuition  defined using standard FOL Extensible  additional policy language features can be handled easily  allow more meaningful queries Computation efficiency

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.