1. Protecting Information with Logic-based Access Control
Deepak Garg
Student Seminar Series, May 01, 2009
2. Broad Problem
"Build a file system (PCFS) that uses logic to specify and enforce access policies"
- Access policy = set of rules to decide who should have access to what information
- Useful in large organizations with proprietary information that needs to be protected
- Canonical example: intelligence agencies with classified information (a la CIA)
3. Present Policy Enforcement
High-level policy (100s of pages, multiple documents):
1. An individual may read a classified file only if he/she is a CIA employee. In addition, the individual must have a security clearance above the classification level of the file....
2. A file may only be classified by an original classification authority (OCA). An OCA is the President, or an appointee.
3. A background check expires every 3 years unless renewed....
Implementation: access control lists
File1: Read: Alice, Bob; Write: Alice, Charlie
File2: Read: Alice; Write: Dan
Going from the policy to the lists takes manual effort: difficult, error prone
4. PCFS Enforcement
High-level policy as logical formulas:
(admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L')))
(admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L)))
Implementation: capabilities (for File1, File2, ...)
The step from formulas to capabilities is automatic, using formal proofs
5. Technical Contributions
- Design logics to express policies: must capture time and delegation; investigate proof theory and meta theory
- Construct automatic tools: a proof search tool and a proof verification tool (creates capabilities)
- Implement the file system backend: use capabilities to authorize access; efficiency is a concern
6. Plan
- Motivation: Why use logic for access control?
- Prior ideas: Representing policies in a logic, proof-carrying authorization
- Proof-theory, time, proof search
- PCFS' architecture and implementation
- Demo
- Conclusion
8. Problem: Granting Access (2009)
Administrators involved: POLY-ADMIN, BG-ADMIN, OCA, CIA-HR, Bob, Charlie, Dan
- Alice has passed polygraph test
- Alice has background check "topsecret"
- Alice is cleared at "topsecret"
- war.txt is classified as "secret"
- Alice is a CIA employee
- Alice may read war.txt (entered in the access control lists)
How Alice came to read war.txt: 7 administrators, 6 phone calls, and this is over-simplified! Difficult for administrators, error prone!
9. Problem: Credential Expiration (2012)
Policy rule 4: A background check expires every 3 years unless renewed....
Administrators involved: POLY-ADMIN, BG-ADMIN, OCA, CIA-HR, Bob, Charlie, Dan
- Alice's background check EXPIRED
- Alice's "topsecret" clearance REVOKED
- Alice may NOT read war.txt (access control lists updated)
How Alice lost her access: 4 administrators, 3 phone calls. Difficult for administrators, error prone!
Can we automate? Exactly what we seek to do!
11. The Two Existing Ideas
How should policies be represented? Natural language is difficult to parse and ambiguous.
Idea! Represent policies as formulas of a logic [ABLPW'92'93]. Logic is rigorous and amenable to automation.
How do we use the logical representation for enforcement? Proof-carrying authorization (PCA) [AP'99]: require a formal proof showing that the policies entail access.
12. Background: Policies in Logic [ABLPW'92,'93]
Natural-language policy:
1. An individual may read a classified file only if he/she is a CIA employee. In addition, the individual must have a security clearance above the classification level of the file....
2. A file may only be classified by an original classification authority (OCA). An OCA is the President, or an appointee.
3. An individual may be cleared at a level after an appropriate background check, and a polygraph test. As an exception,...
4. A background check expires every 3 years unless renewed....
Logical formulas:
(admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L')))
(admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L)))
Each formula is issued as a certificate: a digital signature made with admin's private key.
13. Writing Policies in Logic (Contd), 2009
Certificates issued by the administrators:
(OCA says level_file("war.txt", secret))
(POLY-ADMIN says poly(Alice))
(CIA-HR says employee(Alice))
(BG-ADMIN says bg(Alice, topsecret))
14. Background: Proof-Carrying Authorization [AF'99]
Workflow diagram: Alice holds the policies (admin says may(...), ...) and runs proof search to build a proof. To access a resource through its API she submits the proof together with the certificates; a verifier checks them and returns a result (yes: access the resource) or an error (no).
Proof = list of deduction steps showing why access follows from the policies
15. Summary of Prior Ideas
Represent policies in logic; enforce with proofs. Open questions:
- Which logic? Why should a logic be believed?
- How expressive is the logic?
- How should proofs be constructed?
- Is PCA efficient?
17. Proof-theory [CSFW'06, IMLA'08]
Representing policies in logic requires that the logic be trustworthy. Since proofs are used for enforcement, the basis of the logic should be proofs (proof-theoretic semantics).
Novel contribution: develop a new logic and study its proofs
- Natural deduction (defines the connectives)
- Sequent calculus (needed for proof search)
18. Meta-theory [CSFW'06, IMLA'08]
Global theorems about proofs, e.g. cut-elimination for the sequent calculus:
If Γ ⊢ A and Γ, A ⊢ B then Γ ⊢ B
Circuitous proofs can be avoided. Consequences:
- Proof-theoretic: inference rules fit well
- Proof search: subformula property
- Authorization: leads to non-interference theorems
19. Expressiveness: Adding Time [CSF'08]
Certificates issued by the administrators (2009): (OCA says level_file("war.txt", secret)), (POLY-ADMIN says poly(Alice)), (CIA-HR says employee(Alice)), (BG-ADMIN says bg(Alice, topsecret))
Policy rule 4, "A background check expires every 3 years unless renewed....", is not represented in the formalized policy, so it cannot be enforced with proofs.
New formula in the logic: A@[t1,t2] = A holds from time t1 to time t2. The background-check certificate becomes (BG-ADMIN says bg(Alice, topsecret)) @ [2009,2011].
- Changes the logic's judgments
- Constraints must be added
- Logic's theory must be reworked
20. Proof Search
The logic is quite complex: says + @. How do we search for proofs? Given a policy Γ and a formula A, how do we construct a proof M :: Γ ⊢ A?
Use meta-theoretic properties!
- We want M in natural deduction style
- Sequent calculus + cut-elimination: the proof may only contain subformulas
- Logic programming: chain inference rules together; use goals to pick policy rules [Prolog]
21. Proof Search Example
Policy rules and certificates, each with its validity interval:
(admin says (may(U,F,read) ← CIA-HR says employee(U), OCA says level_file(F,L), level_individual(U,L'), below(L,L'))) @ (-∞,∞)
(admin says (level_individual(U,L) ← POLY-ADMIN says poly(U), BG-ADMIN says bg(U,L))) @ (-∞,∞)
Certificate: (OCA says level_file("war.txt", secret)) @ (-∞,∞)
Certificate: (POLY-ADMIN says poly(Alice)) @ (-∞,∞)
Certificate: (CIA-HR says employee(Alice)) @ (-∞,∞)
Certificate: (BG-ADMIN says bg(Alice, topsecret)) @ [2009,2011]
Goal A = (admin says may(Alice, "war.txt", read)) @ [2009,2011]: the first rule applies since [2009,2011] ⊆ (-∞,∞)
Subgoal B = (admin says level_individual(Alice, L')) @ [2009,2011]: the second rule applies since [2009,2011] ⊆ (-∞,∞)
Subgoal C = (BG-ADMIN says bg(Alice, L')) @ [2009,2011]: the certificate applies since [2009,2011] ⊆ [2009,2011], with L' = topsecret
22. Proof: Alice may read war.txt
The proof term found by proof search (one line):
(pf_atI (pf_saysI (pf_synth2check (pf_impE (pf_impE (pf_impE (pf_impE (pf_forallE (pf_forallE (pf_forallE (pf_forallE (pf_hyp cred/admin/may/read/_) (prim_int2principal 1003)) (prim_str2file "/war.txt")) secret) topsecret) (pf_saysI (pf_synth2check (pf_hyp cred/ciahr/alice/_))) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)) (pf_saysI (pf_synth2check (pf_hyp cred/oca/war/_))) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)) (pf_synth2check (pf_impE (pf_impE (pf_forallE (pf_forallE (pf_hyp cred/admin/level_indi/_) (prim_int2principal 1003)) topsecret) (pf_saysI (pf_synth2check (pf_hyp cred/polyadmin/alice/_))) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)) (pf_saysI (pf_synth2check (pf_hyp cred/bgadmin/alice/_))) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00))) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)) (pf_synth2check (pf_hyp cred/loca/below/2)) (prim_date2time 2009:01:01:00:00:00) (prim_date2time 2011:12:31:00:00:00)))))
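The backward-chaining search sketched on the two slides above, as an added Python example (not code from PCFS): policy rules and certificates are clauses carrying a validity interval, a clause may only be used when the goal's interval lies inside it, and `may_access` asks whether `admin says may(Alice, "war.txt", read)` is provable over [2009, 2011]. Assumptions: years stand in for dates, the policy and certificates are constructed from the slides, `below` is supplied as an ordinary policy fact, and strings starting with `?` are variables.

```python
import itertools, math
INF = math.inf
# Constructed sample policy after the slides (years stand in for dates). A clause (head, body,
# (t1, t2)) says head holds over [t1, t2] if every body atom does; an atom (principal, pred, args)
# means "principal says pred(args)"; strings starting with "?" are variables.
POLICY = [
    (("admin", "may", ("?U", "?F", "read")), [("CIA-HR", "employee", ("?U",)),
     ("OCA", "level_file", ("?F", "?L")), ("admin", "level_individual", ("?U", "?L2")),
     ("admin", "below", ("?L", "?L2"))], (-INF, INF)),
    (("admin", "level_individual", ("?U", "?L")),
     [("POLY-ADMIN", "poly", ("?U",)), ("BG-ADMIN", "bg", ("?U", "?L"))], (-INF, INF)),
    (("admin", "below", ("secret", "topsecret")), [], (-INF, INF)),   # assumed level ordering
    (("OCA", "level_file", ("war.txt", "secret")), [], (-INF, INF)),  # certificates
    (("POLY-ADMIN", "poly", ("Alice",)), [], (-INF, INF)),
    (("CIA-HR", "employee", ("Alice",)), [], (-INF, INF)),
    (("BG-ADMIN", "bg", ("Alice", "topsecret")), [], (2009, 2011)),  # background check expires
]
def is_var(t):
    return isinstance(t, str) and t.startswith("?")
def walk(t, s):  # apply substitution s to term t
    while is_var(t) and t in s:
        t = s[t]
    return tuple(walk(x, s) for x in t) if isinstance(t, tuple) else t
def unify(a, b, s):  # extend substitution s so that a == b, or return None
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, a: b} if is_var(a) else {**s, b: a}
    if not (isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b)):
        return None
    for x, y in zip(a, b):
        s = s if s is None else unify(x, y, s)
    return s
def rename(t, n):  # fresh variable names for each use of a clause
    return f"{t}_{n}" if is_var(t) else (tuple(rename(x, n) for x in t) if isinstance(t, tuple) else t)
def solve(goals, interval, s, fresh):
    """Backward chaining (Prolog style): yield substitutions proving all goals over `interval`."""
    if not goals:
        yield s
        return
    for head, body, (c1, c2) in POLICY:  # the goal's interval must lie inside the clause's
        n = next(fresh)
        s2 = unify(rename(head, n), goals[0], s) if c1 <= interval[0] <= interval[1] <= c2 else None
        if s2 is not None:
            yield from solve([rename(b, n) for b in body] + goals[1:], interval, s2, fresh)
def may_access(user, path, perm, t1, t2):
    """Is `admin says may(user, path, perm)` provable over [t1, t2]?"""
    return next(solve([("admin", "may", (user, path, perm))], (t1, t2), {}, itertools.count()), None) is not None
```

Asking for [2012, 2012] fails because the background-check certificate only covers [2009, 2011], which is the credential-expiration case from slide 9.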
24. Problem with PCA: Efficiency
In the PCA workflow (Alice runs proof search over the policies, then submits the proof and certificates to the verifier at the resource API, which answers yes or with an error), verification is costly:
- Takes at least ~10ms for small proofs with 2-3 certificates
- Grows linearly with the size of the proof and the number of certificates (~2ms / certificate for parsing and signature check)
- Large real proofs: ~1000 proof steps + 70 certificates
Max. number of file operations per second < 10
Serious problem: PCA will not work in a file system! Re-architect PCA to make it scale.
25. PCFS Workflow Diagram
Alice runs proof search over the policies (admin says may(...), ...) and submits the proof and certificates to a proof/certificate verifier, which issues a ProCap. Alice then presents the ProCap at the file API; the ProCap checker in the file system answers OK (data is returned from storage) or an error.
ProCap = PROven CAPability
- Fast to check (~100s)
- Signed with a shared key (MAC)
- Rigorous, automatic policy enforcement
26. The Staleness Problem
Same workflow as above, but the ProCap was issued in 2009 and Alice may present it at the file API in 2012, when the credentials behind it may no longer hold.
Solution: the ProCap contains the conditions under which it is valid, including constraints on the time of access. These conditions are checked before the ProCap is accepted.
27. ProCap Example
procap (prim_int2principal 1003)   % Principal authorized
       (prim_str2file "/war.txt")  % File authorized
       read                        % Permission authorized
       % Conditions that must hold (ctime is the time of access)
       (qhcl_base
         (hypconstraint_cons (hypconstraint_ constraint_nil (leq (prim_date2time 2007:01:01:00:00:00) ctime))
         (hypconstraint_cons (hypconstraint_ constraint_nil (leq ctime (prim_date2time 2020:12:31:00:00:00)))
         (hypconstraint_cons (hypconstraint_ constraint_nil (leq (prim_date2time 2009:01:01:00:00:00) ctime))
         (hypconstraint_cons (hypconstraint_ constraint_nil (leq ctime (prim_date2time 2011:12:31:00:00:00)))
         hypconstraint_nil)))))
       % State conditions that must hold
       state_nil
       % MAC
       #153199967058e043bbc078edb959fad88e7822d9
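An added Python example (a constructed illustration, not PCFS code) of the checks a ProCap checker makes on a capability shaped like the one above: the ProCap names the principal, file and permission, carries `leq` constraints on `ctime`, the time of access, and is MACed under a key shared by the verifier and the file system, so a stale or tampered ProCap is rejected. HMAC-SHA256, the JSON encoding, the ISO date format, the sample key and the certificate-ID field (which anticipates the revocation slide at the end of the deck) are assumptions.

```python
import hashlib, hmac, json
from datetime import datetime

# Constructed illustration of the fields a ProCap carries, not PCFS code. A key shared by the
# proof verifier (which issues ProCaps) and the file system (which checks them) is assumed.
SHARED_KEY = b"constructed-demo-key"

def canonical(procap):
    """Deterministic bytes of every field except the MAC itself (JSON encoding assumed)."""
    return json.dumps({k: v for k, v in procap.items() if k != "mac"}, sort_keys=True).encode()

def issue_procap(principal, path, perm, constraints, cert_ids, key=SHARED_KEY):
    """Verifier side: once proof and certificates check out, emit a ProCap with a MAC."""
    procap = {"principal": principal, "file": path, "perm": perm,
              "constraints": constraints,  # each ["leq", a, b]; "ctime" stands for the access time
              "cert_ids": cert_ids}        # certificates the proof rests on (for revocation)
    procap["mac"] = hmac.new(key, canonical(procap), hashlib.sha256).hexdigest()
    return procap

def constraint_holds(constraint, ctime):
    op, a, b = constraint
    at = lambda x: datetime.fromisoformat(ctime if x == "ctime" else x)
    return op == "leq" and at(a) <= at(b)

def check_procap(procap, principal, path, perm, ctime, revoked=(), key=SHARED_KEY):
    """File-system side (ProCap checker): returns "OK" or the reason for rejection."""
    expected = hmac.new(key, canonical(procap), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(procap.get("mac", ""))):
        return "bad MAC"                       # forged or tampered ProCap
    if (procap["principal"], procap["file"], procap["perm"]) != (principal, path, perm):
        return "ProCap does not cover this operation"
    if not all(constraint_holds(c, ctime) for c in procap["constraints"]):
        return "stale: time-of-access constraints fail"   # the staleness problem
    if any(cid in revoked for cid in procap["cert_ids"]):
        return "revoked certificate"
    return "OK"

# Sample ProCap mirroring the slide: principal 1003 may read /war.txt while
# 2009-01-01 <= ctime <= 2011-12-31 (constructed certificate IDs).
ALICE_READ_WAR = issue_procap(1003, "/war.txt", "read",
    [["leq", "2009-01-01T00:00:00", "ctime"], ["leq", "ctime", "2011-12-31T00:00:00"]],
    ["cred/bgadmin/alice", "cred/ciahr/alice", "cred/oca/war"])
```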
28. Enforcement Workflow
Administrators write the policies (admin says may(...), ...); proof search produces a proof; the proof/certificate verifier, given information about time, turns the proof into a ProCap.
29. PCFS Implementation
Same workflow as the PCFS diagram: a theorem prover produces the proof, the proof/certificate verifier issues the ProCap, and the ProCap checker in the file system decides OK or error; data lives in storage on Ext3. Components are written in C++ and SML.
- Fast: 500-3000 operations/s
- Implemented in Linux as a virtual filesystem, using Fuse
- Uses kernel upcalls to check ProCaps
30. Demo of PCFS
31. PCFS Summary
Logic-based enforcement of access policies: combine deep foundations with a practical implementation.
- Theoretical issues: proof-theory and meta-theory; explicit time for expirations; proof search
- Practical issues: efficiency (add ProCaps)
32. Ideas for Future Work
- Applications of PCFS' architecture: distributed file system; access control in embedded devices
- Framework for access policies: user interface for writing policies and converting them to logic; meta-correctness of policies
33. Work Related to PCFS
- Logics and languages for expressing access policies [ABLPW'92'93, DeTreville'02, ...]
- Proof-carrying authorization [AP'99, Bau'03, ...]
- Capabilities in file systems [ALC'03, GGT'97, ...]
34. Conclusion
Logic and capabilities can be combined to provide rigorous, automatic, efficient enforcement of complex access policies.
35. Thank You. Questions?
36. Revocation in PCFS
- Centrally control certificates, proofs, and ProCaps
- Use short-lived ProCaps; make the proof verifier revocation aware
- Include certificate IDs in ProCaps; make the file system revocation aware
- Model revocable credentials as elements of system state (PCFS has built-in support)