
A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010.


Slide 1: A Proof-Carrying File System
Deepak Garg and Frank Pfenning (Carnegie Mellon University)
IEEE Symposium on Security and Privacy, May 18, 2010

Slide 2: A Proof-Carrying File System
Apply proof-carrying authorization (PCA) to a system interface, e.g., a file system.
Proof-Carrying Authorization:
● Rigorous, modern technology for access control [AF'99, Bau'02, BGM+'05, ...]
● Based on logic and formal proofs

Slide 3: Proof-Carrying Authorization (PCA)
Example: Grey @ CMU (slide courtesy: Lujo Bauer)
Credentials are represented as logical formulas, stored in X.509 certificates on cellphones [BGM+'05].

Slide 4: Grey Example Scenario (slide courtesy: Lujo Bauer) [BGM+'05]
Figure: the exchange between the user's phone, the door, and Lujo's phone:
– "Please open"
– "Prove that Lujo says open"
– "I should ask Lujo's phone for help"
– "Prove that Lujo says open"
– Inference: provable if Scott is a student, Scott is a faculty, or Scott is my TA
– "Proof that Lujo says open"
– Door checks proof and credentials
● Decentralized policies
● High assurance
– Logic to interpret policies
– Crypto to protect policies
● High accountability
– Rich logs of access

Slide 5: Goals & Contributions of this Paper
● Adapt PCA to a file system, PCFS
– Address efficiency issues
– Formal proof of correctness
– Prototype implementation/evaluation
● New logic BL
– Represent time- and state-dependent policies
– Proof theory: cut elimination, etc. (later!)
● Case study & motivating scenario: sharing classified information in the U.S. (separate technical report; later!)

Slide 6: Motivation: The Complexity of Sharing Classified Information
Scenario: Alice from CIA wants to read war.txt in MI.
Figure: parties involved (polygraph test, background check, MI/OCA, CIA/HR, MI admin) and the facts they establish:
– Alice has passed polygraph test
– Alice has no criminal record
– Alice is cleared at "topsecret"
– war.txt is classified as "secret"
– Alice is a CIA employee
– Alice may read war.txt → Access!
PCA, in this setting, would:
● Reduce human intervention
● Improve assurance (fewer human errors)
● Improve efficiency
● Hence, PCFS!

Slide 7: Outline of Remaining Talk
● Overall design of PCFS, efficiency problem
● Time and state in the logic BL
– Integration with PCFS
● Correctness of architecture formalized
● Conclusion

Slide 8: The Efficiency Problem
(Grey example scenario repeated; slide courtesy: Lujo Bauer.)
Is this fast enough? Short answer: NO.
● We are aiming for 2-3K accesses per second for a file system.
● The scenario of the last slide requires up to 70 certificates per access.
● Each signature check is ~10μs. Total: 0.7ms.
● Parsing is more expensive.
● And there is proof checking.
Solution: cache proof verifications.

Slide 9: PCFS Architecture
Figure: Alice's request enters the FILE-API; a proof search produces a proof from credentials such as "admin says may(...)"; the proof and certificate verifier checks it and emits a procap; the procap checker in front of storage answers OK (data returned) or Error.
● Procap = proven capability
● Fast to check (~100s)
● Signed with a shared key (MAC)
Implementation:
● Prototype implementation for Linux; virtual FS
● 2-3K ops/s in the back-end
● Performance measurements in paper
● Currently, proof search is local
● Pass procaps through disk; uses a second-level procap cache for efficiency
● Focus on access control only

Slide 10: Time and State in the Logic BL
● Understand the proof theory of state and time dependence in access policies
● Integrate with procap-based enforcement

Slide 11: Treatment of State
Example: a rule applies only while F has meta-data status = classified (interval T, T' on the slide).
Encoding: the extended attribute "status" on a file determines whether it is classified or not.

Slide 12: Treatment of Time
Example: intelligence community policy: a background check for topsecret clearance expires in 5 years.
The conclusion of this rule is only valid from T to T' [DGF'08].
Important: treating time as part of state is less expressive.

Slide 13: Staleness Problem for Capabilities
(PCFS architecture figure repeated, with a timeline added.)
● Proof verified in April 2010
● Valid only till May 2010
● Capability used in June 2010 → STOP
Similar problem for state-based policies.

Slide 14: Staleness Problem for Capabilities
(Same figure and timeline: proof verified in April 2010, valid only till May 2010.)
● The procap contains the constraint that the proof expires in May 2010
● Check that constraint at the time of access

Slide 15: Extraction of Constraints Formalized
Modified proof verification that extracts time and state constraints, which are written to procaps.

Slide 16: Formal Correctness of Checks
The use of procaps does not add or reduce valid authorizations, even with state and time.
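The following is an added illustration of the procap mechanism from slides 9 and 13-16, not code from PCFS or its authors: a proof verifier emits a MAC-signed capability that carries the extracted time window and required file attributes, and the back-end re-checks those constraints at every access, so a capability verified in April but used in June is refused. The field layout, the HMAC-SHA256 choice, the `FileApi` cache, and all names, paths and dates are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Key shared between the proof/certificate verifier and the file-system back-end
# (constructed sample value; the slides say only "signed with a shared key (MAC)").
SHARED_KEY = b"constructed-sample-shared-key"


def ts(year, month, day):
    """Unix timestamp for a UTC date (helper for the constructed sample data)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


@dataclass
class Procap:
    """Proven capability: what was proved, for whom, plus the constraints
    extracted from the proof (time window, required file attributes)."""
    principal: str
    action: str
    path: str
    not_before: int          # extracted time constraint (Unix time)
    not_after: int
    required_attrs: dict     # extracted state constraints, e.g. {"status": "classified"}
    mac: str = ""            # hex HMAC over every field above

    def payload(self):
        d = asdict(self)
        d.pop("mac")
        return json.dumps(d, sort_keys=True).encode()


def issue_procap(key, principal, action, path, not_before, not_after, required_attrs):
    """Verifier side: after checking proof and certificates once, emit a MAC-signed procap."""
    p = Procap(principal, action, path, not_before, not_after, dict(required_attrs))
    p.mac = hmac.new(key, p.payload(), hashlib.sha256).hexdigest()
    return p


def check_procap(key, procap, principal, action, path, now, file_attrs):
    """Back-end side: cheap check at access time. Returns (allowed, reason)."""
    expected = hmac.new(key, procap.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(procap.mac, expected):
        return False, "bad MAC"
    if (procap.principal, procap.action, procap.path) != (principal, action, path):
        return False, "procap does not cover this request"
    if not procap.not_before <= now <= procap.not_after:
        return False, "time constraint violated"
    for attr, required in procap.required_attrs.items():
        if file_attrs.get(attr) != required:
            return False, f"state constraint violated: {attr}"
    return True, "ok"


class FileApi:
    """Stand-in for the FILE-API box: a procap cache keyed by request, consulted on every access."""

    def __init__(self, key):
        self.key = key
        self.cache = {}

    def install(self, procap):
        self.cache[(procap.principal, procap.action, procap.path)] = procap

    def access(self, principal, action, path, now, file_attrs):
        procap = self.cache.get((principal, action, path))
        if procap is None:
            return False, "no procap: proof search and verification needed first"
        return check_procap(self.key, procap, principal, action, path, now, file_attrs)


def staleness_demo():
    """Replays the slides' timeline: proof verified in April 2010, valid only until May 2010,
    capability used in June 2010. Returns the outcome of three constructed accesses."""
    api = FileApi(SHARED_KEY)
    procap = issue_procap(SHARED_KEY, "alice", "read", "/mi/war.txt",
                          ts(2010, 4, 1), ts(2010, 5, 31), {"status": "classified"})
    api.install(procap)
    attrs = {"status": "classified"}
    april = api.access("alice", "read", "/mi/war.txt", ts(2010, 4, 15), attrs)
    june = api.access("alice", "read", "/mi/war.txt", ts(2010, 6, 15), attrs)
    # State constraint: the rule only applied while the file's "status" attribute was "classified".
    changed = api.access("alice", "read", "/mi/war.txt", ts(2010, 4, 15), {"status": "unclassified"})
    return april, june, changed


if __name__ == "__main__":
    for label, result in zip(("April 2010", "June 2010", "attribute changed"), staleness_demo()):
        print(label, result)
```

The point of the design is that the expensive work (parsing certificates, checking signatures, checking the proof) happens once in `issue_procap`, while `check_procap` only recomputes one MAC and evaluates the extracted constraints against the clock and the file's current attributes, which is what keeps a cached capability from being stale.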

Slide 17: Other Features of PCFS
● Default procaps for backwards compatibility
● Separation of duty
– pcfsadmin governs policies
– pcfssystem performs verification and maintenance
● New permission "identity" needed to delete a file
● New permission "govern" needed to change protected attributes

Slide 18: Conclusion
● PCFS' procaps allow the best of both worlds:
– Proof-carrying authorization's rigor and flexibility in enforcing access control policies
– Efficiency
● Proof-theoretic explanation of time and state in the logic BL
● Enforcement through procaps is formally correct, even with state and time
● Prototype implementation and evaluation

Slide 19: Thank You! http://www.cs.cmu.edu/~dg/pcfs

Slide 20: Some Related Work
● Proof-carrying authorization
– Appel and Felten, 1999
– Bauer, 2002
– Bauer, Garriss, McCune, Reiter, … 2005
● Nexus authorization logic, operating system
– Schneider, Walsh, Sirer, 2009
– Applies PCA-like ideas to OS interfaces, but the reference monitor can perform inference to account for state

Slides 21-23: PCFS Performance 1, 2, 3 (performance figures only)

