
PCFS: A Proof-Carrying File System Deepak Garg and Frank Pfenning Carnegie Mellon University July 09, 2009.



2 Goal and Method
 Goal of PCFS: Rich access control for a file system
   Expressiveness
     Capture high-level intent directly
     Motivation: Classified information (intelligence agencies)
   Dynamic (changing) policies
     Access control lists do not suffice
   Rigorous enforcement
 Technical methods:
   Proof-carrying authorization
   Conditional cryptographic capabilities

3 PCFS: Workflow
[Figure: PCFS workflow. Untrusted proof search, run on behalf of the user (Alice), assembles a proof from policy assertions of the form "admin says may (...)". A trusted proof and certificate verifier checks the proof and issues a procap (capability). On each file-API call, the trusted procap checker validates the procap (OK? / Error) and the file system returns the data or an error. Based on proof-carrying authorization [AF'99]. Procap checking is approx. 1000 times faster than proof checking.]

4 Dynamic Policies
 What if policies or credentials change after a capability is issued?
   Time-of-check-to-time-of-use attack
   Capabilities conditional on parts of policies that can change
 Some ways of policy change:
   Expiration: "Allow access from 2008 to 2009"
   State: "Allow access while protocol is in phase 2"
   Revocation: A credential on which access depends is revoked
   Consumption: "Allow access once"
 Logic expresses time, state, consumption
 Describe conditions for capabilities, and how they can be extracted from a logical proof
 Prove that enforcement is correct with respect to proof-carrying authorization
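The workflow on slide 3 and the conditional capabilities on slide 4 can be made concrete with a small model. The following Python is an added illustration, not PCFS's code or its actual procap format: the HMAC-over-JSON construction, the condition kinds ("interval", "state", "depends_on", "once") and the names issue_procap / check_procap are assumptions made for this example. What it demonstrates is the slide's point: the expensive proof check happens once at issuance, and the cheap per-access check re-evaluates the conditions the proof depended on (time, state, revocation, consumption), so a policy change after issuance is caught at time of use instead of opening a TOCTOU window.

```python
# Added example: a model of conditional procaps. Not PCFS code; the wire format,
# condition kinds and function names are assumptions for illustration.
import hashlib
import hmac
import json
import secrets


def _encode(body: dict) -> bytes:
    # Canonical encoding so issuer and checker MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_procap(key: bytes, principal: str, path: str, right: str,
                 conditions: list) -> dict:
    """Trusted verifier side. In PCFS this follows a full check of the logical
    proof (not modelled here); the conditions are the parts of the policy the
    proof depended on that can still change after issuance."""
    body = {
        "principal": principal,
        "path": path,
        "right": right,
        "conditions": conditions,
        "id": secrets.token_hex(8),   # distinguishes copies for "use once"
    }
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def check_procap(key: bytes, procap: dict, principal: str, path: str,
                 right: str, now: int, state: dict, revoked: set,
                 consumed: set):
    """Trusted procap checker, run on every file-API call.

    Cost is one MAC plus a scan of the conditions, independent of proof size.
    Returns (True, "ok") or (False, reason). `now` uses the same units as the
    conditions (years here, to match the slide's example)."""
    body = procap["body"]
    expected = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, procap["tag"]):
        return False, "capability forged or tampered"
    if (body["principal"], body["path"], body["right"]) != (principal, path, right):
        return False, "capability does not cover this request"

    uses_once = False
    for cond in body["conditions"]:
        kind = cond["kind"]
        if kind == "interval":        # Expiration: valid from start to end
            if not (cond["start"] <= now <= cond["end"]):
                return False, "outside validity interval"
        elif kind == "state":         # State: a named system variable must hold
            if state.get(cond["var"]) != cond["value"]:
                return False, f"state {cond['var']} is not {cond['value']!r}"
        elif kind == "depends_on":    # Revocation: a credential the proof used
            if cond["credential"] in revoked:
                return False, f"credential {cond['credential']} revoked"
        elif kind == "once":          # Consumption: settled after the other checks
            uses_once = True
        else:
            return False, f"unknown condition kind {kind!r}"   # fail closed

    if uses_once:
        if body["id"] in consumed:
            return False, "capability already consumed"
        consumed.add(body["id"])      # record the use only when access is granted
    return True, "ok"


def demo():
    """Constructed scenario: issue once, then try accesses as the policy moves."""
    key = secrets.token_bytes(32)     # held by the verifier and checker only
    cap = issue_procap(key, "alice", "/classified/report.txt", "read", [
        {"kind": "interval", "start": 2008, "end": 2009},
        {"kind": "state", "var": "protocol_phase", "value": 2},
        {"kind": "depends_on", "credential": "cred-admin-delegates-alice"},
        {"kind": "once"},
    ])
    state = {"protocol_phase": 2}
    revoked, consumed = set(), set()
    args = (key, cap, "alice", "/classified/report.txt", "read")

    results = [
        check_procap(*args, 2008, state, revoked, consumed)[0],   # granted
        check_procap(*args, 2008, state, revoked, consumed)[0],   # already consumed
    ]
    consumed.clear()
    results.append(check_procap(*args, 2010, state, revoked, consumed)[0])                 # expired
    results.append(check_procap(*args, 2008, {"protocol_phase": 3}, revoked, consumed)[0])  # wrong phase
    results.append(check_procap(*args, 2008, state, {"cred-admin-delegates-alice"}, consumed)[0])  # revoked
    # Editing the body (widening the path) breaks the MAC, so the checker rejects it.
    forged = {"body": dict(cap["body"], path="/classified/all.txt"), "tag": cap["tag"]}
    results.append(check_procap(key, forged, "alice", "/classified/all.txt", "read",
                                2008, state, revoked, consumed)[0])                        # bad MAC
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, False, False, False, False]
```

The order of checks matters for the consumption condition: the use is recorded only after every other condition has passed, otherwise a request that was going to be denied anyway would burn the single permitted access. Unknown condition kinds are rejected rather than skipped, so a checker that does not understand a condition never grants more than the proof justified.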

5 Results
 New logic (BL), proof theory, meta-theory, capabilities
 Implementation of the file system (includes a prover for BL)
 Case study with classified information
http://www.cs.cmu.edu/~dg/pcfs

