Ninghui Li (Purdue University), 2nd Int'l Summer School in Computation Logic, June 16, 2004. Logic and Logic Programming in Distributed Access Control (Part One)

1 Logic and Logic Programming in Distributed Access Control (Part One). Ninghui Li, Department of Computer Science and CERIAS, Purdue University. 2nd Int'l Summer School in Computation Logic, June 16, 2004.

2 Outline
- A brief introduction to access control
- A brief introduction to trust management
- Logic-based semantics for SDSI
- Distributed deduction for RT0

3 What is Access Control? Quote from Security Engineering by Ross Anderson: "Its function is to control which principals (persons, processes, machines, …) have access to which resources in the system --- which files they can read, which programs they can execute, and how they share data with other principals, and so on."

4 Access Control is Useful
- Access control is pervasive: memory management hardware, OS (Unix, Windows, etc.), middleware, databases, mobile code (Java, etc.), firewalls
- Quote from Security Engineering: "Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science."

5 Basic Access Control Scenario
- Elements: objects (resources); requests for operations on objects; sources for requests, called subjects or principals; a reference monitor to decide on requests
- Basic steps: authentication, authorization, audit

6 Access Matrix: History
- Lampson 1971: "Protection" [reprinted in ACM Operating Systems Review 1974]
- Refined by Graham and Denning 1972: "Protection---Principles and Practice" [AFIPS Spring Joint Computer Conference]
- Harrison, Ruzzo, and Ullman 1976: "Protection in Operating Systems" [CACM]

7 Access Matrix
- A set of subjects S
- A set of objects O, with S ⊆ O
- A set of rights R
- An access control matrix: one row for each subject; one column for each subject/object; each cell contains the rights a subject has over an object

8 The Graham-Denning Model
- Each subject/object has an owner
- Each subject has a controller (which may be itself)
- A right may be transferable or nontransferable: a right with a * is transferable

9 Sample Commands in the Graham-Denning Model
- subject x grants a right r/r* on object o to subject s: precondition 'owner' in A[x,o]; stores r/r* in A[s,o]
- subject x transfers a right r/r* on object o to subject s: precondition r* in A[x,o]; stores r/r* in A[s,o]

10 The HRU Model
- Based on the access matrix, but allows an arbitrary set of commands
- Considers properties of an access control system as the state changes
- A protection system has a finite set of generic rights and a finite set of commands

11 Commands. A command has the form
command a(X1, X2, …, Xk)
  if r1 in (Xs_1, Xo_1) and … and rc in (Xs_c, Xo_c)
  then op1 … opn
end

12 Primitive Operations: enter r into (Xs, Xo); delete r from (Xs, Xo); create subject Xs; create object Xo; delete subject Xs; delete object Xo

13 A Protection System as a State Transition System
- The matrix is the state
- The state changes by executing commands
- The (simple) safety analysis problem: determine whether a specific subject could get certain access to a specific object in some state

14 Simple Safety Analysis in the HRU Model is Undecidable
- Any Turing machine can be encoded using a protection system
- Surprising? Maybe not so much: the commands basically give the full power of programming languages

15 Outline
- A brief introduction to access control
- A brief introduction to trust management
- Logic-based semantics for SDSI
- Distributed deduction for RT0

16 The Problem Trust Management Addresses: Distributed Authorization
- Flexible and scalable access control in large-scale, open, distributed, decentralized systems
  - electronic commerce: transaction authorization; application-level / business-policy authorization
  - resource sharing in decentralized systems: coalitions, multi-centric collaborative systems, grid computing
  - health care

17 Characteristics of Distributed Authorization
- No central administration; each service makes its own decision
- No relationship between a service and a user prior to a request: knowing a user's name may not help; the service must rely on information from third parties to make the authorization decision (delegation)
- Authorization information is distributed
- Communication channels may be insecure

18 Example (diagram): EPub grants access to university students, trusts ABU to certify universities, and trusts universities to certify students. ABU certifies that StateU is a university; StateU certifies that Alice is a student.

19 Example (diagram): a Medical Database grants access to physicians, trusts CBH to certify hospitals, and trusts hospitals to certify physicians. CBH certifies that Hospital A is a hospital; Hospital A certifies that Alice is a physician.

20 The Trust-Management (TM) Approach: multicentric access control using delegation
- access control decisions are based on distributed policy statements issued by multiple principals
- policy statements contain attributes of principals such as permissions, roles, qualifications, characteristics, and trust relationships

21 Common Characteristics of TM Systems
- Use public-key certificates for non-local statements
- Treat public keys as principals to be authorized: authentication consists of verifying signatures
- Adopt the peer model of authorization: an entity can be an authorizer, a requester, or a credential provider (trusted third party)
- Treat the authorization decision problem as an application-independent "proof-of-compliance" problem

22 Digital Signature Scheme
- Key space: a set of key pairs (K, K^-1); K is the verification key and is publicly available; K^-1 is the signing key and is kept private
- A signing algorithm sig: sig(K^-1, M) outputs a digital signature on M
- A verification algorithm ver: ver(K, M, x) outputs yes or no; ver(K, M, sig(K^-1, M)) = yes; without knowing K^-1, it is difficult to find x such that ver(K, M, x) = yes

23 Using Digital Signatures
- A digital signature on a message provides authentication, data integrity, and non-repudiation
- A request may be digitally signed
- Knowing a request is signed by a particular key is not enough: who owns that key?

24 Public-Key Certificates
- A certificate is a data record together with a digital signature
- A certificate is issued by a public key K, i.e., signed by K^-1
- A certificate binds some information to another public key
- Can be verified by anyone who knows the issuer's public key; but can one trust the issuer's public key?

25 Existing Kinds of Public Key Infrastructures (PKIs)
- X.509 certificates: issued (signed) by certification authorities (CAs); CAs may be arranged in a hierarchy; certificates form a chain; used by numerous applications: SSL, IPSec, etc.
- PGP: everyone can issue certificates, which bind e-mail addresses to public keys

26 Early Trust Management Languages
- PolicyMaker: Blaze, Feigenbaum & Lacy: "Decentralized Trust Management", S&P'96; Blaze, Feigenbaum & Strauss: "Compliance-Checking in the PolicyMaker Trust Management System", FC'98
- KeyNote: Blaze, Feigenbaum, Ioannidis & Keromytis: "The KeyNote Trust-Management System, Version 2", RFC
- SPKI (Simple Public Key Infrastructure) / SDSI (Simple Distributed Security Infrastructure): Rivest & Lampson: "SDSI: A Simple Distributed Security Infrastructure", web page; Ellison et al.: "SPKI Certificate Theory", RFC; Clarke et al.: "Certificate Chain Discovery in SPKI/SDSI", JCS'01

27 Datalog-based Trust Management Languages
- Delegation Logic: Li, Grosof & Feigenbaum: "Delegation Logic: A Logic-based Approach to Distributed Authorization", TISSEC'03 (conference versions appeared in CSFW'99 and S&P'00)
- SD3 (Secure Dynamically Distributed Datalog): Jim: "SD3: A Trust Management System with Certified Evaluation", S&P'01
- Binder: DeTreville: "Binder, a Logic-Based Security Language", S&P'02
- RT: A Family of Role-based Trust-management Languages

28 Other Closely Related Logic-based Security Languages
- ABLP logic (Abadi, Burrows, Lampson, et al.): Lampson et al.: "Authentication in Distributed Systems: Theory and Practice", TOCS'92; Abadi et al.: "A Calculus for Access Control in Distributed Systems", TOPLAS'93
- QCM (Query Certificate Managers): Gunter & Jim: "Policy-directed Certificate Retrieval", SPE'00
- AF logic: Appel & Felten: "Proof-Carrying Authentication", CCS'99

29 Issues in Designing Trust Management Languages
- Say what you want: succinctly and directly, and with confidence that you said what you meant
- Enforcement: deduction, proof of compliance
- Policy development tools: manage the policy lifecycle; safety analysis, availability

30 Outline
- A brief introduction to access control
- A brief introduction to trust management
- Logic-based semantics for SDSI
- Distributed deduction for RT0

31 History of SPKI/SDSI
- SDSI (Simple Distributed Security Infrastructure): SDSI 1.0 and 1.1, Rivest & Lampson
- SPKI (Simple Public Key Infrastructure): SPKI 1.0 (Ellison 1996)
- SPKI/SDSI 2.0: RFC 2693 [1999]; [Clarke et al. JCS'01]

32 An Example in SDSI 2.0. SDSI certificates:
- (K_C access → K_C mit faculty secretary)
- (K_C mit → K_M)
- (K_M faculty → K_EECS faculty)
- (K_EECS faculty → K_Rivest)
- (K_Rivest secretary → K_Rivest alice)
- (K_Rivest alice → K_Alice)
From the above certificates, K_C concludes that K_Alice has access.

33 4-tuple Reduction in RFC 2693. Name strings can be reduced using 4-tuples:
- (K1 A1 → K2) reduces "K1 A1 A2 … An" to "K2 A2 … An"; e.g., (K_C mit → K_M) reduces "K_C mit faculty secretary" to "K_M faculty secretary"
- (K1 A1 → K2 B1 … Bm) reduces "K1 A1 A2 … An" to "K2 B1 … Bm A2 … An"; e.g., (K_M faculty → K_EECS faculty) reduces "K_M faculty secretary" to "K_EECS faculty secretary"

34 Applying 4-tuple Reduction in the Example: from (K_C access) to (K_C mit faculty secretary) to (K_M faculty secretary) to (K_EECS faculty secretary) to (K_Rivest secretary) to (K_Rivest alice) to (K_Alice)

35 Work on Semantics for SPKI/SDSI
- Develop specialized modal logics: Abadi: "On SDSI's Linked Local Name Spaces", CSFW'97, JCS'98; Halpern & van der Meyden: "A logic for SDSI's linked local name spaces", CSFW'99, JCS'01, and "A Logical Reconstruction of SPKI", CSFW'01, JCS'03; Howell & Kotz: "A Formal Semantics for SPKI", ESORICS'00
- Other approaches: Li: "Local Names in SPKI/SDSI", CSFW'00; Jha & Reps: "Analysis of SPKI/SDSI Certificates Using Model Checking", CSFW'02; Li & Mitchell: "Understanding SPKI/SDSI Using First-Order Logic", CSFW'03 (contains the results presented here)

36 What is a Semantics? Elements of a semantics: syntax for statements; syntax for queries; an entailment relation that determines whether a query Q is true given a set P of statements.

37 What can we gain by a formal semantics?
- Why a semantics: understand what queries can be answered; define the entailment relation in a way that is precise, easy to understand, and easy to compute
- How to say a semantics is good: subjective metrics (simple, natural, close to the original intention); defines answers to a broad class of queries; can use existing work to provide efficient deduction procedures for answering those queries

38 Concepts in SDSI
- principals: K, K1
- identifiers: A, B, A1; e.g., mit, faculty, alice
- local names: K A, K1 A1; e.g., K_M faculty, K_Rivest alice
- name strings: K A1 A2 … An, written σ, σ1; e.g., K_C mit faculty secretary

39 Statements in SDSI. A 4-tuple (K, A, σ, V): K is the issuer principal; A is an identifier; σ is a name string; V is the validity specification. We write (K A → σ) for a 4-tuple, ignoring the validity specification.

40 A Rewriting Semantics for SDSI
- A set P of 4-tuples defines a set of rewriting rules, denoted by RS[P]
- Queries have the form "can σ1 rewrite into σ2?"
- Answering a query is not easy: one cannot naively search for all ways of rewriting σ1, as there may be recursion, e.g., (K friend → K friend friend)
- What can we do?

41 Deduction Based on the Rewriting Semantics (1)
- Limit to queries like "can σ1 rewrite into K?"
- In [Clarke et al.'01], the following closure mechanism is used: rewrite 4-tuples (e.g., use (K_C mit → K_M) to rewrite (K_C access → K_C mit faculty secretary), obtaining (K_C access → K_M faculty secretary)); only shortening 4-tuples are used for rewriting; compute the closure of all such rewritings; then use the resulting shortening 4-tuples to rewrite σ1
- The search is not goal-directed

42 Deduction Based on the Rewriting Semantics (2). Limit to queries like "can σ1 rewrite into K?" In [Li'00], the following XSB logic program is given. A name string is represented as a list [Principal, Id1, Id2, …]; contains(NameString, P) holds when the name string rewrites into the principal P; credential/2 encodes each 4-tuple (K A → σ) as credential([K, A], σ), and isPrincipal/1 lists the principals. Tabling (the table directive) is what makes the recursive case terminate.
:- table(contains/2).
contains([P0, N0 | T], P2) :- contains([P0, N0], P1), contains([P1 | T], P2).
contains([P0, N0], P) :- credential([P0, N0], CN2), contains(CN2, P).
contains([P], P) :- isPrincipal(P).

43 Deduction Based on the Rewriting Semantics (3). [Li, Winsborough & Mitchell, JCS'03] develop a graph-based search algorithm for a language RT0, a superset of SDSI: it combines bottom-up search and goal-directed top-down search with tabling, specifically for the kind of rules in RT0, and can deal with distributed discovery; we will talk about this later.

44 Deduction Based on the Rewriting Semantics (4). Use techniques for model checking pushdown systems [Jha & Reps CSFW'02]: SDSI rewriting systems correspond to string rewriting systems modeled by pushdown systems, so algorithms for model checking pushdown systems can be used.

45 SDSI and Pushdown Systems (diagram). A name string corresponds to a configuration: state K1 with stack A1 B1 B2 …. Applying the rewriting rule K1 A1 → K2 A2 A3 gives state K2 with stack A2 A3 B1 B2 …. "Rewrites into" is equivalent to "reaches".

46 Recap of the Rewriting-based Semantics
- Defines answers to queries having the form "can σ1 rewrite into σ2?"
- Specialized algorithms (either developed for SDSI or for model checking pushdown systems) are needed
- Papers by Abadi and by Halpern and van der Meyden try to come up with axiom systems for the rewriting semantics

47 Set-based Semantics: Intuitions. Each name string is bound to a set of principals. (K A → σ) means the local name "K A" is bound to a superset of the principal set that σ is bound to.

48 Defining Set-based Semantics (1)
- A valuation V maps each local name to a set of principals
- A valuation V can be extended to map each name string to a set of principals: V(K) = {K}; V(K A) = V(K A); V(K B1 … Bm) = ∪_{j=1..n} V(Kj B2 … Bm), where m > 1 and V(K B1) = {K1, K2, …, Kn}

49 Defining Set-based Semantics (2)
- A 4-tuple (K A → σ) is the constraint V(K A) ⊇ V(σ)
- The semantics of P is the least valuation V_P that satisfies all the constraints
- Queries: "can σ rewrite into K?" is answered by checking "K ∈ V(σ)"; this does not define answers to "can σ1 rewrite into σ2?": asking whether V(σ1) ⊇ V(σ2) is incorrect

50 A Logic-Programming-based Semantics Derived from the Set-based Semantics. Translate each 4-tuple into an LP clause using a ternary predicate m, where m(K, A, K') is true if K' ∈ V(K A):
- (K A → K') to m(K, A, K')
- (K A → K1 A1) to m(K, A, ?x) :- m(K1, A1, ?x)
- (K A → K1 A1 A2) to m(K, A, ?x) :- m(K1, A1, ?y1), m(?y1, A2, ?x)
- (K A → K1 A1 A2 A3) to m(K, A, ?x) :- m(K1, A1, ?y1), m(?y1, A2, ?y2), m(?y2, A3, ?x)
The minimal Herbrand model determines the semantics.

51 An Alternative Way of Defining the LP-based Semantics (1). Define a macro contains, where contains[σ][K'] means that K' ∈ V(σ):
- contains[K][K'] ≡ (K = K')
- contains[K A][K'] ≡ m(K, A, K')
- contains[K A1 A2 … An][K'] ≡ ∃y (m(K, A1, y) ∧ contains[y A2 … An][K']), where n > 1

52 An Alternative Way of Defining the LP-based Semantics (2). Translate a 4-tuple (K A → σ) into the FOL sentence ∀z (contains[K A][z] ⇐ contains[σ][z]). This sentence is also a Datalog clause. A set P of 4-tuples defines a Datalog program, denoted by SP[P]; the minimal Herbrand model of SP[P] defines the semantics.

53 An Example of Translation. From (K_C access → K_C mit faculty secretary)
to ∀z (contains[K_C access][z] ⇐ contains[K_C mit faculty secretary][z])
to ∀z (m(K_C, access, z) ⇐ ∃y1 (m(K_C, mit, y1) ∧ contains[y1 faculty secretary][z]))
to ∀z ∀y1 (m(K_C, access, z) ⇐ m(K_C, mit, y1) ∧ ∃y2 (m(y1, faculty, y2) ∧ contains[y2 secretary][z]))
to ∀z ∀y1 ∀y2 (m(K_C, access, z) ⇐ m(K_C, mit, y1) ∧ m(y1, faculty, y2) ∧ m(y2, secretary, z))

54 Set Semantics is Equivalent to LP Semantics
- The least Herbrand model of SP[P] is equivalent to the least valuation, i.e., K' ∈ V_P(K A) iff m(K, A, K') is in the least Herbrand model of SP[P]
- Same limitation as the set-based semantics: does not define answers to containment between arbitrary name strings
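Worked example, added here and not part of the original slides: the set-based semantics of slides 47-49 computed as a least fixpoint over the six certificates of slide 32, together with the 4-tuple-to-Datalog translation of slide 50. Principals such as K_C are the slides' names written as plain strings; the recursive 4-tuple set is constructed to show that the fixpoint terminates where a naive rewriting search (slide 40) would not.

```python
"""Least-valuation (set-based) semantics for SDSI 2.0 name strings.

A 4-tuple (K A -> sigma) is the constraint V(K A) >= V(sigma); the semantics
is the least valuation V_P satisfying every constraint.  It is computed here
by monotone iteration to a fixpoint, which is the same least model that the
Datalog program SP[P] of the slides defines.
"""
from typing import Dict, FrozenSet, List, Tuple

Principal = str
LocalName = Tuple[Principal, str]           # (K, A)
NameString = Tuple[str, ...]                # (K, A1, ..., An); (K,) is a bare principal
FourTuple = Tuple[LocalName, NameString]    # (K A -> sigma)
Valuation = Dict[LocalName, FrozenSet[Principal]]


def evaluate(v: Valuation, sigma: NameString) -> FrozenSet[Principal]:
    """Extend a valuation of local names to an arbitrary name string:
    V(K) = {K};  V(K A) = V(K A);
    V(K B1 ... Bm) = union over Kj in V(K B1) of V(Kj B2 ... Bm)."""
    if len(sigma) == 1:
        return frozenset([sigma[0]])
    head = (sigma[0], sigma[1])
    if len(sigma) == 2:
        return v.get(head, frozenset())
    result = set()
    for kj in v.get(head, frozenset()):
        result |= evaluate(v, (kj,) + sigma[2:])
    return frozenset(result)


def least_valuation(p: List[FourTuple]) -> Valuation:
    """Least V with V(K A) a superset of V(sigma) for every (K A -> sigma) in p.
    Every step only adds principals to a finite universe, so it terminates."""
    v: Valuation = {}
    changed = True
    while changed:
        changed = False
        for local, sigma in p:
            before = v.get(local, frozenset())
            after = before | evaluate(v, sigma)
            if after != before:
                v[local] = after
                changed = True
    return v


def rewrites_into(p: List[FourTuple], sigma: NameString, k: Principal) -> bool:
    """The query 'can sigma rewrite into principal K?' is 'K in V_P(sigma)'."""
    return k in evaluate(least_valuation(p), sigma)


def to_datalog_clause(t: FourTuple) -> str:
    """Translate one 4-tuple into the clause SP[P] contains for it (slide 50),
    chaining fresh variables Y1, Y2, ... through the identifiers of sigma."""
    (k, a), sigma = t
    if len(sigma) == 1:                      # (K A -> K') becomes a fact
        return f"m({k}, {a}, {sigma[0]})."
    body, current = [], sigma[0]
    for i, ident in enumerate(sigma[1:], start=1):
        nxt = "X" if i == len(sigma) - 1 else f"Y{i}"
        body.append(f"m({current}, {ident}, {nxt})")
        current = nxt
    return f"m({k}, {a}, X) :- " + ", ".join(body) + "."


# The six certificates of slide 32, constructed here as tuples.
EXAMPLE: List[FourTuple] = [
    (("K_C", "access"), ("K_C", "mit", "faculty", "secretary")),
    (("K_C", "mit"), ("K_M",)),
    (("K_M", "faculty"), ("K_EECS", "faculty")),
    (("K_EECS", "faculty"), ("K_Rivest",)),
    (("K_Rivest", "secretary"), ("K_Rivest", "alice")),
    (("K_Rivest", "alice"), ("K_Alice",)),
]

# Constructed recursive policy in the style of slide 40: (K friend -> K friend friend).
RECURSIVE: List[FourTuple] = [
    (("K", "friend"), ("K", "friend", "friend")),
    (("K", "friend"), ("K_Bob",)),
    (("K_Bob", "friend"), ("K_Carol",)),
]

if __name__ == "__main__":
    print(rewrites_into(EXAMPLE, ("K_C", "access"), "K_Alice"))      # True
    print(sorted(evaluate(least_valuation(RECURSIVE), ("K", "friend"))))
    for t in EXAMPLE:
        print(to_datalog_clause(t))
```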

55 A First-Order Logic Semantics
- A set P of 4-tuples defines a FOL theory, denoted by Th[P]
- A query is a FOL formula: "σ1 rewrites into σ2" is translated into ∀z (contains[σ1][z] ⇐ contains[σ2][z]); other FOL formulas can also be used as queries
- Logical implication determines the semantics

56 FOL Semantics is an Extension of LP Semantics. LP semantics is FOL semantics with queries limited to LP queries: m(K, A, K') is in the least Herbrand model of SP[P] iff Th[P] |= m(K, A, K').

57 Equivalence of Rewriting Semantics and FOL Semantics. Theorem: for string rewriting queries, the string rewriting semantics is equivalent to the FOL semantics. Given a set P of 4-tuples, it is possible to rewrite σ1 into σ2 using the 4-tuples in P if and only if Th[P] |= ∀z (contains[σ1][z] ⇐ contains[σ2][z]).

58 Advantages of FOL Semantics: Computational Efficiency
- A large class of queries can be answered efficiently using logic programs, including rewriting queries; e.g., whether σ rewrites into K B1 B2 under P can be answered by determining whether SP[P ∪ {(K' A' → σ), (K B1 → K'1), (K'1 B2 → K'2)}] |= m(K', A', K'2), where K', K'1, and K'2 are new principals; this proof procedure is sound and complete
- This result also follows from results in proof theory regarding hereditary Harrop formulas

59 Advantages of FOL Semantics: Extensibility
- Additional kinds of queries can be formulated and answered, e.g., ∀z (m(K1, A1, z) ⇒ m(K1, A2, z)) ⇒ ∀z (m(K2, A1, z) ⇒ m(K2, A2, z))
- Additional forms of statements can be easily handled, e.g., (K A → K1 A1 ∩ K2 A2) maps to ∀z (m(K, A, z) ⇐ m(K1, A1, z) ∧ m(K2, A2, z))

60 Advantages of FOL Semantics: Summary
- Simple: captures the set-based intuition; defined using standard FOL
- Extensible: additional policy language features can be handled easily; allows more meaningful queries
- Computational efficiency

61 Outline
- A brief introduction to access control
- A brief introduction to trust management
- Logic-based semantics for SDSI
- Distributed deduction for RT0

62 What is RT? RT is a family of Role-based Trust-management languages. Publications on RT:
- Li, Winsborough & Mitchell: "Distributed Credential Chain Discovery in Trust Management", JCS'01, CCS'01
- Li, Mitchell & Winsborough: "Design of a Role-Based Trust Management Framework", S&P'02
- Li & Mitchell: "Datalog with Constraints: A Foundation for Trust Management Languages", PADL'03
- Li & Mitchell: "RT: A Role-based Trust-management Framework", DISCEX'03
- Li, Winsborough & Mitchell: "Beyond Proof-of-compliance: Safety and Availability Analysis in Trust Management", S&P'03

63 RT0: An Example
1. StateU.stuID ← Alice
2. ABU.accredited ← StateU
3. EPub.university ← ABU.accredited
4. EPub.student ← EPub.university.stuID
5. EPub.spdiscount ← EPub.student ∩ EOrg.preferred
6. EOrg.preferred ← ACM.member
7. ACM.member ← Alice
Together, the seven credentials prove that Alice is entitled to EPub's spdiscount.

64 RT0: Concepts and Credentials
Concepts:
  - Entities (Principals): A, B, D
  - Role names: r, r1, r2, ...
  - Roles: A.r, B.r1, ... e.g., StateU.stuID
Credentials: A.r ← e
  - Type-1: A.r ← D
  - Type-2: A.r ← B.r1
  - Type-3: A.r ← A.r1.r2, e.g., EPub.student ← EPub.university.stuID
  - Type-4: A.r ← B1.r1 ∩ B2.r2 ∩ ... ∩ Bk.rk

65 RT0 and SDSI 2.0
SDSI 2.0 (the SDSI part of SPKI/SDSI 2.0)
  - has arbitrarily long linked names, e.g., A.r1.r2 … rk, which can be broken up by introducing new role names
RT0
  - has intersection (type-4 credentials)
  - is thus more expressive than SDSI 2.0
Algorithms for RT0 can be used for SDSI 2.0

66 Goal-directed Chain Discovery
Three kinds of queries and algorithms for answering them:
1. Given A.r, determine its members: the backward search algorithm
2. Given D, determine the set of roles that D is a member of: the forward search algorithm
3. Given A.r and D, determine whether D is a member of A.r: the bi-direction search algorithm

67 Credential Graph G_C
Nodes:
  - A.r and e for each credential A.r ← e in C
Credential edges:
  - e → A.r for each credential A.r ← e in C
Summary edges:
  - B.r2 → A.r1.r2 if there is a path from B to A.r1
  - D → A1.r1 ∩ … ∩ Ak.rk if there are paths from D to each Aj.rj
Reachability in the credential graph is sound and complete with respect to the semantics of RT0

68 An Example Credential Graph
[Figure: the credential graph for the seven EPub credentials. Nodes: Alice, StateU, StateU.stuID, ABU.accredited, EPub.university, EPub.university.stuID, EPub.student, ACM.member, EOrg.preferred, EPub.student ∩ EOrg.preferred, EPub.spdiscount. Key: credential edges vs. summary edges.]

69 The Forward Search Algorithm (Overview)
Starts with one entity node
Constructs a proof graph
Each node in the graph stores its solutions: the roles that this node can reach (is a member of)
Maintains a work list of nodes that need to be processed
Algorithm outline: keep processing nodes in the work list until it is empty

70 Forward Search In Action
Credentials used:
1. StateU.stuID ← Alice
2. ABU.accredited ← StateU
3. EPub.university ← ABU.accredited
4. EPub.student ← EPub.university.stuID
[Figure: proof graph built from Alice; nodes in processing order: 0: Alice, 1: StateU.stuID, 2: StateU, 3: ABU.accredited, 4: ABU.accredited.stuID, 5: ABU, 6: EPub.university, 7: EPub.university.stuID, 8: EPub, 9: EPub.student. Each node is labelled with the roles it can reach.]

71 The Backward and Bi-direction Search Algorithms (Overview)
The backward algorithm differs from the forward algorithm in that:
  - each node stores outgoing edges, instead of incoming ones
  - each node stores the entities that can reach it, instead of the roles that it can reach
  - the processing of a node is different, traversing in the other direction
The bi-direction search algorithm combines backward search and forward search
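As an added example, not code from the slides or the RT papers, the following Python sketch answers the first query (members of A.r) by backward search over the credential graph of slide 67: it follows credential edges e → A.r, applies the summary-edge rules for linked roles and intersections, and iterates to a fixpoint so that cyclic credentials terminate. The tuple encoding, the function names and the cycle handling are this example's own choices; the seven EPub credentials are the slides' example, transcribed by hand.

```python
from collections import defaultdict

# Role expressions are tuples (encoding chosen for this example):
#   ("ent", "Alice")                         an entity D
#   ("role", "EPub", "student")              a role A.r
#   ("link", "EPub", "university", "stuID")  a linked role A.r1.r2
#   ("int", (e1, e2, ...))                   an intersection e1 ∩ e2 ∩ ...
# A credential A.r <- e is the pair (("A", "r"), e).

def backward_search(credentials, goal):
    """Return the set of entities that are members of the role expression
    `goal`, visiting only credentials reachable backward from it."""
    by_role = defaultdict(list)
    for role, expr in credentials:
        by_role[role].append(expr)
    table = {}  # role expression -> entities proven so far (its "solutions")

    def step(expr, active):
        if expr in active:               # cycle: reuse what is already known
            return table.setdefault(expr, set())
        active.add(expr)
        kind = expr[0]
        if kind == "ent":
            found = {expr[1]}
        elif kind == "role":             # follow credential edges e -> A.r
            found = set()
            for e in by_role.get((expr[1], expr[2]), []):
                found |= step(e, active)
        elif kind == "link":             # summary edge B.r2 -> A.r1.r2 for B in A.r1
            found = set()
            for b in step(("role", expr[1], expr[2]), active):
                found |= step(("role", b, expr[3]), active)
        else:                            # "int": members of every part
            parts = [step(e, active) for e in expr[1]]
            found = set.intersection(*parts) if parts else set()
        active.discard(expr)
        table[expr] = table.get(expr, set()) | found
        return table[expr]

    while True:                          # repeat until no new solutions appear
        before = (len(table), sum(len(s) for s in table.values()))
        step(goal, set())
        if (len(table), sum(len(s) for s in table.values())) == before:
            return table[goal]

# Constructed input: the seven credentials of the EPub example (slide 63).
EPUB_CREDENTIALS = [
    (("StateU", "stuID"), ("ent", "Alice")),
    (("ABU", "accredited"), ("ent", "StateU")),
    (("EPub", "university"), ("role", "ABU", "accredited")),
    (("EPub", "student"), ("link", "EPub", "university", "stuID")),
    (("EPub", "spdiscount"), ("int", (("role", "EPub", "student"),
                                      ("role", "EOrg", "preferred")))),
    (("EOrg", "preferred"), ("role", "ACM", "member")),
    (("ACM", "member"), ("ent", "Alice")),
]
```

Running `backward_search(EPUB_CREDENTIALS, ("role", "EPub", "spdiscount"))` yields `{"Alice"}`, the chain the slides walk through; roles with no credentials yield the empty set.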

72 Backward Search In Action
[Figure: proof graph built backward from EPub.spdiscount; nodes in processing order: 0: EPub.spdiscount, 1: EPub.student ∩ EOrg.preferred, 2: EPub.student, 3: EOrg.preferred, 4: EPub.university.stuID, 5: ACM.member, 6: EPub.university, 7: Alice, 8: ABU.accredited, 9: StateU, 10: StateU.stuID. Each node is labelled with the entities that can reach it (Alice, StateU).]

73 Worst-Case Complexity
Backward: time O(N^3 + NM), space O(NM)
  - N is the number of rules
  - M is the sum of the sizes of all rules; A.r ← f1 ∩ … ∩ fk has size k, other credentials have size 1
Forward: time O(N^2 M), space O(NM)
However, the algorithms are goal-oriented, which makes them much better in practice

74 Why Develop These Algorithms?
The queries can be answered using logic programs
  - however, this requires collecting all credentials in the system
The backward algorithm is a goal-directed top-down algorithm
The forward algorithm is a goal-directed bottom-up algorithm
Distributed discovery requires a combination of both

75 Distributed Storage of Credentials
Example:
1. EOrg.preferred ← ACM.member
2. ACM.member ← Alice
Who should store a credential?
  - either the issuer or the subject
It is not reasonable to require that
  - all credentials are stored by issuers, or
  - all are stored by subjects.

76 Who stores these statements?
1. COE.stuID ← Alice
2. StateU.stuID ← COE.stuID
3. ABU.accredited ← StateU
4. EPub.university ← ABU.accredited
5. EPub.student ← EPub.university.stuID
[Figure: the entities Alice, COE, StateU, ABU and EPub, with the five credentials drawn between them.]

77 Traversability of Edges and Paths
A credential edge is
  - forward traversable, if stored by the subject
  - backward traversable, if stored by the issuer
  - confluent, if either forward traversable or backward traversable
A path e1 → e2 is
  - forward traversable, if all edges on it are, or e1 = e2
  - backward traversable, if all edges on it are, or e1 = e2
  - confluent, if it can be broken into e1 → e' → e'' → e2, with e1 → e' forward, e' → e'' confluent, and e'' → e2 backward
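The path definitions above, as an added example rather than code from the slides: each edge is described by the set of parties that store its credential, and a path is classified by the definitions on slide 77. Unrolling the recursive confluent case gives a forward-traversable prefix followed by a backward-traversable suffix, which is what the split-point loop checks (this unrolling is the example's own reasoning, as are the function names).

```python
ISSUER, SUBJECT = "issuer", "subject"

def edge_traversability(stored_by):
    """stored_by: the set of parties holding the credential for one edge,
    e.g. {SUBJECT}, {ISSUER} or both. Forward needs the subject, backward
    the issuer; confluent means either."""
    fwd = SUBJECT in stored_by
    bwd = ISSUER in stored_by
    return {"forward": fwd, "backward": bwd, "confluent": fwd or bwd}

def classify_path(edges):
    """edges: storage sets of the edges along a path e1 -> ... -> e2, in path
    order (empty for e1 = e2). Returns the subset of
    {'forward', 'backward', 'confluent'} that applies to the whole path."""
    trav = [edge_traversability(s) for s in edges]
    kinds = set()
    if all(t["forward"] for t in trav):
        kinds.add("forward")
    if all(t["backward"] for t in trav):
        kinds.add("backward")
    # Confluent: some split point i such that every edge before it is forward
    # traversable and every edge from it onward is backward traversable.
    # i == 0 covers an all-backward path, i == len(trav) an all-forward one.
    for i in range(len(trav) + 1):
        if all(t["forward"] for t in trav[:i]) and all(t["backward"] for t in trav[i:]):
            kinds.add("confluent")
            break
    return kinds

# Constructed storage choices for the Alice -> EPub.student chain of slide 76:
# the two credentials nearest Alice are held by their subjects, the rest by
# their issuers. The path is confluent but neither purely forward nor backward.
ALICE_TO_EPUB_STUDENT = [{SUBJECT}, {SUBJECT}, {ISSUER}, {ISSUER}, {ISSUER}]
# A subject-stored edge after an issuer-stored one breaks confluence: neither
# a forward search from the start nor a backward search from the end can
# cross the whole path.
NOT_CONFLUENT = [{ISSUER}, {SUBJECT}]
```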

78 Traversability of Edges and Paths (cont'd)
[Figure: the graph Alice → StateU.stuID → EPub.university.stuID → EPub.student together with StateU → ABU.accredited → EPub.university, with each edge marked as backward (issuer stored), forward (subject stored) or confluent.]
An edge B.r2 → A.r1.r2 has the same traversability as B → A.r1

79 Overview of Our Typing Approach
Goal: use constraints local to each credential to ensure that every path is confluent
Approach:
  - give each role name a traceability type, requiring a consistent storage strategy at the role-name level
  - introduce a notion of well-typed credentials

80 Types of Role Names
A role name has two types:
  - Issuer side: issuer-traces-all, issuer-traces-def, issuer-traces-none
  - Subject side: subject-traces-all, subject-traces-none

81 A Typing Scheme
1. COE.stuID ← Alice
2. StateU.stuID ← COE.stuID
3. ABU.accredited ← StateU
4. EPub.university ← ABU.accredited
5. EPub.student ← EPub.university.stuID
[Figure: the same five credentials among Alice, COE, StateU, ABU and EPub, annotated with a storage type for each role name.]

82 Well-typed Credentials
A credential A.r ← e is well-typed if:
  - both A.r and e are well typed
      a role A.r has the same type as r
      a role expression is well-typed if it is not both issuer-none and subject-none
  - if A.r is issuer-def or issuer-all, then A must store the credential
  - if A.r is subject-all, then every subject of the credential must store it
  - if A.r is issuer-all, then e must be issuer-all
  - if A.r is subject-all, then e must be subject-all

83 Agreement on Types and Meaning of Role Names
An approach inspired by XML namespaces
  - use an Application Domain Specification Document (ADSD) to define a vocabulary; each role has a storage type
  - credentials have a preamble, which defines a vocabulary identifier corresponding to an ADSD
  - when using a role name, add the vocabulary identifier as a prefix

84 Main Result about the Type System
Given a set of well-typed credentials C, if D → e then
  - D → e is confluent
  - if e is issuer-traces-all, D → e is backward traversable
  - if e is subject-traces-all, D → e is forward traversable

85 Benefits of the Storage Type System
Guarantees that chains of well-typed credentials can be discovered
Enables efficient chain discovery by telling the algorithm whether forward or backward search should be used for an intermediate query
Communicates the application domain knowledge to the algorithm