Presentation is loading. Please wait.

Presentation is loading. Please wait.

Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014.

Published byEileen Cook Modified over 9 years ago

Similar presentations

Presentation on theme: "Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014."— Presentation transcript:

1 Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014

2 Formal Reasoning about Authorization Standard policies: DAC, MAC, … Formula-based policies:  determine access decision on basis of whether properties hold  specify why access should be permitted  useful in distributed systems Clarkson: Belief Semantics of Authorization Logic2 obj1obj2obj3 subj1r,wrr subj2r,w subj3rr Confidential Unclassified Secret Top Secret No read upNo write down

3 Credentials-based Authorization Clarkson: Belief Semantics of Authorization Logic3 a.k.a. claims-based authorization and proof-carrying authorization  Credential: claim or belief about world [Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013] formulas in authorization logic

4 Credentials-based Authorization Clarkson: Belief Semantics of Authorization Logic4  a.k.a. claims-based authorization and proof-carrying authorization Goal formula: must be satisfied to grant request  [Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]

5 Credentials-based Authorization Clarkson: Belief Semantics of Authorization Logic5  a.k.a. claims-based authorization and proof-carrying authorization  Guard: uses logical inference to derive goal formula from credentials [Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]

6 Credentials-based Authorization Clarkson: Belief Semantics of Authorization Logic6  Guard: uses logical inference to derive goal formula from credentials a.k.a. claims-based authorization and proof-carrying authorization  this work: increase trustworthiness of reasoning in authorization logic [Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]

7 Increased Trustworthiness [Hirsch and Clarkson, CCS 2013]  New belief semantics for authorization logic purpose of semantics: interpret formulas in model of real world standard Kripke semantics: requires technical machinery not related to real world belief semantics: way to interpret formulas in a straightforward, systems-oriented model; belief subsumes Kripke  Sound proof system for both semantics proof system “has no bugs” found unsoundness in existing logic  Machine-checked proof of soundness proof that “proof system ‘has no bugs’” itself has no bugs Clarkson: Belief Semantics of Authorization Logic7

8 FOCAL  First-Order: Quantifiers: ∀∃ Functions, relations  Constructive: Connectives: ∧ ∨ ⇒ ¬  Authorization Logic: Attribution of beliefs: says Delegation: speaksfor = NAL -- [Schneider, Walsh & Sirer 2011] = CDD ++ [Abadi 2007] Clarkson: Belief Semantics of Authorization Logic8 FOCAL

9  First-Order: Quantifiers: ∀∃ Functions, relations  Constructive: connectives: ∧ ∨ ⇒ ¬  Authorization Logic: Attribution of beliefs: says Delegation: speaksfor = NAL -- [Schneider, Walsh & Sirer 2011] = CDD ++ [Abadi 2007] Clarkson: Belief Semantics of Authorization Logic9 this talk ignores FOC fragment

10 Authorization Logic (Review) Two distinguishing features: 1. Attribute beliefs to principals p says  source matters: p says  and q says  aren’t the same not all-seeing:  holds doesn’t mean p says  not infallible: maybe p says  but  doesn’t hold Clarkson: Belief Semantics of Authorization Logic10 says “winter is coming”

11 Authorization Logic (Review) Two distinguishing features: 1. Attribute beliefs to principals p says  How do principals form beliefs?  Start with initial beliefs  Add to beliefs by: querying state of system receiving credentials from other principals Infer new beliefs by logical inference from existing beliefs  Worldview: snapshot of principal’s beliefs [Schneider, Walsh & Sirer 2011] Clarkson: Belief Semantics of Authorization Logic11

12 Authorization Logic (Review) Two distinguishing features: 2. Enable delegation between principals p speaksfor q …if p says something, it’s as if q says it, too Clarkson: Belief Semantics of Authorization Logic12 q p worldview(p) ⊆ worldview(q) on {treaties} restricted delegation speaksfor so the king delegates to the envoy

13 Authorization Logic (Review) Clarkson: Belief Semantics of Authorization Logic13 therefore goal formula satisfied and chest is opened Goal formula: King says OpenChest King says Envoy speaksfor King Envoy says OpenChest therefore Envoy speaksfor King therefore King says OpenChest

14 Trustworthiness of Reasoning Q: How do we know reasoning is right? A: Formal proof system: mechanical reasoning Clarkson: Belief Semantics of Authorization Logic14 ⊢ ⊢ 

15 Trustworthiness of Reasoning Q: How do we know reasoning is right? A: Formal proof system: mechanical reasoning Q: How do we know proof system is right? A: Proof of soundness: system is consistent with some model of reality Clarkson: Belief Semantics of Authorization Logic15 ⊢ ⊢ 

16 Trustworthiness of Reasoning Q: How do we know reasoning is right? A: Formal proof system: mechanical reasoning Q: How do we know proof system is right? A: Proof of soundness: system is consistent with some model of reality Q: How do we get that model? A: Need semantics: how to interpret formulas …The more natural the model, the better. Clarkson: Belief Semantics of Authorization Logic16 ⊨ ⊨  ⊢ ⊢  Our new belief semantics…

17 Belief Semantics Clarkson: Belief Semantics of Authorization Logic17 Use possible worlds to model system state facts: It’s cold in DC x=42. TCP port 443 is open. facts: It’s cold in DC x=43. TCP port 443 is open.

18 Belief Semantics Each principal p has its own worldview  (w,p) at world w Clarkson: Belief Semantics of Authorization Logic18  (w, princess)  (w, envoy)  (w, king) [Konolige 1983; Burrows, Abadi & Needham 1988; Appel & Felten 1999; Schneider, Walsh & Sirer 2011] Why include w as parameter to  ? …so that beliefs can depend on system state  ∊  (w,p) means: at world w, p believes 

19 Belief Semantics Belief model B: worldviews  Worldviews must be closed under logical consequence …principals believe all consequences of their beliefs …machinery for first-order logic …machinery for constructive logic Clarkson: Belief Semantics of Authorization Logic19 validity judgment: B,w ⊨ 

20 Belief Semantics Clarkson: Belief Semantics of Authorization Logic20

21 Belief Semantics Clarkson: Belief Semantics of Authorization Logic21 B,w ⊨ p says  iff  ∊  (w,p) (simplified to avoid machinery of constructive FOL)

22 Belief Semantics Clarkson: Belief Semantics of Authorization Logic22 B,w ⊨ p speaksfor q iff  (w,p) ⊆  (w,q) q p worldview(p) ⊆ worldview(q) (simplified to avoid machinery of constructive FOL)

23 Other Semantics for Authorization Logic? Usual semantics is based on Kripke semantics of modal logic …because says is like Clarkson: Belief Semantics of Authorization Logic23 [Abadi, Burrows, Lampson & Plotkin 1991; Howell 2000; Garg & Abadi 2008; Garg 2008; Genovese, Garg & Rispoli 2012]

24 Kripke Semantics (Review) Clarkson: Belief Semantics of Authorization Logic24 K,w ⊨ p says  iff for all worlds w’ such that w ≤ p w’ : K,w’ ⊨  ≤ p (accessibility relation) w ≤ p w’ means: given information in world w, p considers world w’ possible

25 Belief Semantics vs. Kripke Semantics Clarkson: Belief Semantics of Authorization Logic25 B,w ⊨ p says  iff  ∊  (w,p) belief semantics: K,w ⊨ p says  iff for all w’ : w ≤ p w’ implies K,w’ ⊨  Kripke semantics: Belief semantics directly captures intuition about sets of beliefs… Kripke semantics doesn’t; indirects through accessibility relations

26 Belief Semantics vs. Kripke Semantics Clarkson: Belief Semantics of Authorization Logic26 K,w ⊨ p speaksfor q iff ≤ p ⊇ ≤ q B,w ⊨ p speaksfor q iff  (w,p) ⊆  (w,q) belief semantics:Kripke semantics: Again, belief semantics directly captures intuition about sets of beliefs Just an issue of style? …belief semantics more faithfully model reality

27 Belief Semantics vs. Kripke Semantics Which is more expressive? Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B. Clarkson: Belief Semantics of Authorization Logic27 At each world, form the set of all formulas said by a principal in K. Make that the principal’s worldview in B.

28 Belief Semantics vs. Kripke Semantics Which is more expressive? Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B. Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures. Clarkson: Belief Semantics of Authorization Logic28

29 Belief Semantics vs. Kripke Semantics Which is more expressive? Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B. Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures. Clarkson: Belief Semantics of Authorization Logic29 Belief Kripke

30 Belief Semantics vs. Kripke Semantics Which is more expressive? Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B. Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures. …so belief semantics subsume Kripke semantics Clarkson: Belief Semantics of Authorization Logic30

31 FOCAL Proof System Proof theory: calculate with formulas  ⊢  derivability judgment) as opposed to… Model theory: interpret meaning of formulas B,w ⊨  validity judgment) Clarkson: Belief Semantics of Authorization Logic31

32 FOCAL Proof System Clarkson: Belief Semantics of Authorization Logic32

33 FOCAL Proof System Clarkson: Belief Semantics of Authorization Logic33 1.Natural deduction proof system with localized hypotheses 2.Rules themselves are well- known but this seems to be a mildly novel combination

34 Soundness Theorem. If  is derivable from , then  is valid in any belief model of . Theorem. If  is derivable from , then  is valid in any Kripke model of . Proof. Mechanized in Coq. (about 2,400 LoC) First mechanized proof of soundness for authorization logic! Clarkson: Belief Semantics of Authorization Logic34 …increases trustworthiness of logic

35 Soundness Nexus Authorization Logic (NAL) [Schneider, Walsh & Sirer 2011]  Has a formal proof system  Has an informal semantics (worldviews, main inspiration for FOCAL) Fact: NAL proof system permits derivation of a formula that is  invalid in our formal belief semantics  not intended to be valid by NAL designers …NAL is unsound (but easily fixed) Clarkson: Belief Semantics of Authorization Logic35 Formal semantics and proofs of soundness yield a more trustworthy logic!

36 Related Work  CDD [Abadi 2007]  NAL [Schneider, Walsh & Sirer 2011]  ICL [Garg & Abadi 2008]  DTL 0 [Garg 2008]  BL sf [Genovese, Garg & Rispoli 2012]  Unnamed logics [Garg & Pfenning 2006] [Howell 2000]  Many other logics and systems: Taos, PCA, SPKI/SDSI, Delegation Logic, Cassandra, PolicyMaker, Referee, KeyNote, SD3, Binder, Soutei, SecPAL, DKAL, Alpaca, WS-Policy, Grey, … FOCAL builds on many of these, and makes new contributions… Clarkson: Belief Semantics of Authorization Logic36

37 Summary  FOCAL: first order constructive authorization logic  First formal belief semantics for authorization logic  Transformation from Kripke semantics to belief semantics Belief subsumes Kripke  Sound proof system for both semantics Found unsoundness in existing logic  First machine-checked proof of soundness for authorization logic …increased trustworthiness of authorization logic Clarkson: Belief Semantics of Authorization Logic37

38 Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014

39 Future Work  Completeness  Verified theorem checker  Semantics of group principals Clarkson: Belief Semantics of Authorization Logic39

40 Extra Slides 40Clarkson: Belief Semantics of Authorization Logic

41 Completeness of FOCAL? Starting points to get completeness result:  ICL [Garg & Abadi 2008]: uses different (lax logic) semantics of says  DTL 0 [Garg 2008]: doesn’t have speaksfor  BL sf [Genovese, Garg & Rispoli 2012]: uses different (strong) semantics of speaksfor Clarkson: Belief Semantics of Authorization Logic41

42 Weak Speaksfor Weak speaksfor: p speaksfor q iff “for all  ” : p says  ⇒ q says  Kripke semantics of speaksfor are stronger [Howell 2000] (principals speak for one another less often)  WSF condition in our paper is ugly but needed to make Kripke semantics behave  Might eliminate WSF by introducing some second-order model theory Clarkson: Belief Semantics of Authorization Logic42

43 FOCAL vs. NAL FOCAL = NAL– 2 nd order quantification + primitive speaksfor – restricted delegation – subprincipals – group principals Clarkson: Belief Semantics of Authorization Logic43 simplicity open! NAL: Schneider, Walsh & Sirer 2011

44 FOCAL vs. CDD FOCAL = CDD– 2 nd order quantification + primitive speaksfor + 1 st order quantification & terms Clarkson: Belief Semantics of Authorization Logic44 CDD: Abadi 2007

45 Belief vs. Knowledge  FOCAL (et al.) is a logic of belief principals who issue credentials are expressing a belief about state of system they might be wrong they might be malicious  Logic of knowledge would impose axiom: (p says  ⇒  Clarkson: Belief Semantics of Authorization Logic45

46 Healthiness Conditions (Belief)  Worldview closure: principals believe all consequences of their beliefs  Says transparency: any number of says is equivalent to just one says  Belief hand-off: ensure validity of hand- off: (q says (p speaksfor q)) ⇒ (p speaksfor q) Clarkson: Belief Semantics of Authorization Logic46

47 Healthiness Conditions (Kripke)  IT: principal accessibility relations are “intuitionistically” transitive  ID: principal accessibility relations are “intuitionistically” dense  F2: technical condition from constructive modal logic literature to achieve soundness  H: ensure validity of hand-off  WSF: weak speaksfor to get equivalence with belief semantics Clarkson: Belief Semantics of Authorization Logic47

48 Countermodel for Belief → Kripke Clarkson: Belief Semantics of Authorization Logic48 X does not hold  (w,p) = {X} w: B,w ⊨ p says X What can ≤ p be? If empty, then p says false, but false isn’t in  (w,p) If w ≤ p w, then K,w ⊭ p says X, but X is in  (w,p) Either way, Kripke semantics is not equivalent to belief semantics

Download ppt "Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014."

Similar presentations

Artificial Intelligence

Artificial Intelligence
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Completeness and Expressiveness

Completeness and Expressiveness
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.

Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.
Possible World Semantics for Modal Logic

Possible World Semantics for Modal Logic
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Agents That Reason Logically Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 7 Spring 2004.

Agents That Reason Logically Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 7 Spring 2004.
Knowledge Representation Methods

Knowledge Representation Methods
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.

Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
Knoweldge Representation & Reasoning

Knoweldge Representation & Reasoning
Scientific Thinking - 1 A. It is not what the man of science believes that distinguishes him, but how and why he believes it. B. A hypothesis is scientific.

Scientific Thinking - 1 A. It is not what the man of science believes that distinguishes him, but how and why he believes it. B. A hypothesis is scientific.
Chapter 7 Reasoning about Knowledge by Neha Saxena Id: 13 CS 267.

Chapter 7 Reasoning about Knowledge by Neha Saxena Id: 13 CS 267.
Extensible proof-carrying authorization in Alpaca October 31, 2007 ACM CCS – Alexandria, VA Chris Lesniewski-Laas, Bryan Ford, Jacob Strauss, Robert Morris,

Extensible proof-carrying authorization in Alpaca October 31, 2007 ACM CCS – Alexandria, VA Chris Lesniewski-Laas, Bryan Ford, Jacob Strauss, Robert Morris,
Discrete Mathematics and its Applications

Discrete Mathematics and its Applications

Similar presentations

Ads by Google