Non-interference in Constructive Authorization Logic Deepak Garg and Frank Pfenning Carnegie Mellon University.

2 Authorization and logic Authorization –Deepak wants to read foo.pdf … –Should access be granted? –Why should access be granted? Logic –admin says may_read(deepak, foo.pdf) –Is there a proof? –What is the proof?

3 Design emphasis Proof-theoretic, cut-elimination Intuitionistic authorization logic Logical explanation of connective “says” Non-interference

4 Example: Grey Project at CMU Office door lock has a bluetooth device and processor Principal approaches door with a cell phone Authorization dialog between cell phone and door Door opens (or may not)

5 Example: Policy I can access my door My advisor can access my door Department Head can decide who my advisor is

6 I can access my office My office is WeH 8121 Policy: I can access my door Door challenges cell phone for a proof: ? : deepak says open (deepak, WeH.8121) Cell phone signs deepak says open (deepak, WeH.8121) with my private key to get a certificate c5698h728

7 I can access my office Cell phone sends c5698h728 to door Door verifies (cryptographically) c5698h728 : deepak says open (deepak, WeH.8121) Door opens

8 My advisor can access my office Policies: –My advisor can access my office –Department Head can decide who my advisor is Expressed as policy axiom r1 : ∀S. depthead says advisor(S, deepak) ⊃ deepak says open(S, WeH.8121) Policy known to door, cell phone, advisor

9 My advisor can access my office Frank (my advisor) approaches door Door challenges: ? : deepak says open(frank, WeH.8121) Frank’s phone asks database for a proof: ? : depthead says advisor(frank, deepak) Database replies with a proof c9722k902 : depthead says advisor(frank, deepak)

10 My advisor can access my office Frank’s phone now knows: r1 : ∀S. depthead says advisor(S, deepak) ⊃ deepak says open(S, WeH.8121) c9722k902 : depthead says advisor(frank, deepak) Phone combines the two to produce a proof r1 [frank] (c9722k902) : deepak says open(frank, WeH.8121) Phone sends proof to door – Door checks proof – Door opens

11 Grey Project Presently uses higher order logic Can be done with first-order logic –Easier proof theory

12 Logic Design with Judgments Judgments are objects of knowledge Our judgments: –A true : proposition A is true –K affirms A : principal K affirms the truth of A Deductions are evidence for judgments Connectives defined by right and left rules Right and left rules must match up –Cut elimination

13 Hypothetical Judgments

14 Implication Right rule Left rule

15 Affirmation Affirmation is a judgment different from truth All principals are willing to affirm true statements

16 The connective “says” “says” internalizes the judgment “affirms” Right rule Left rule

17 “K says” is a Strong Monad K-indexed family of strong monads Corresponds to the lax modality from lax logic [dePaiva et al ’98]

18 Cut-elimination Cut is global soundness Proof by structural induction Mechanically verified with Twelf

19 Identity Identity is global completeness Proof by induction on A

20 Consequences Consistency: Subformula property Independence: More connectives can be added through right and left rules Non-interference properties

21 Non-interference Principals are independent in the logic In the absence of explicit connections, assumption “K says A” cannot affect provability of “L says B” Only dependence via policies Simple non-interference theorem: Refined version in paper

22 Affirmation flow More sophisticated properties involving flow of affirmation can be proved Example: r1 : ∀S. depthead says advisor(S, deepak) ⊃ deepak says open(S, WeH.8121) r2 : deepak says open(deepak, WeH.8121) Affirmation flow relation: depthead.advisor ≤ deepak.open

23 Affirmation flow Let Γ = {r1, r2} For this Γ, depthead.open ≰ deepak.open: no policy in Γ lets an affirmation of open by depthead reach deepak’s affirmations of open (contrast depthead.advisor ≤ deepak.open, which r1 does establish)

24 Affirmation Flow: Decidability Theorem: the relation ≤ is decidable for all policies –(the whole logic is undecidable) Gives an approximate method to automatically analyze policies for possible consequences
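The door’s proof check from slides 6 to 10 and the affirmation-flow relation from slides 22 to 24, as one added example written for this page; it is not code from the slides, the paper, or the Grey project. Assumptions: a first-order fragment with atoms, "K says", ⊃ and ∀ represented as Python dataclasses; proof terms written as nested tuples ("cert", "axiom", "inst", "app"); a dict of certificates that the door has already signature-checked, so the cryptographic verification of slide 7 is simulated rather than performed; and a flow relation computed syntactically from the implication structure of each policy, which is an over-approximation chosen for the example and not the paper’s definition. The certificate name c_self and the self-vouching proof built from it are constructed inputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:          # predicate applied to arguments, e.g. open(frank, WeH.8121)
    pred: str; args: tuple
@dataclass(frozen=True)
class Says:          # K says A
    principal: str; prop: object
@dataclass(frozen=True)
class Implies:       # A ⊃ B
    ante: object; conseq: object
@dataclass(frozen=True)
class Forall:        # ∀x. A
    var: str; body: object

def subst(p, var, val):
    """Replace the bound variable var by the constant val inside proposition p."""
    if isinstance(p, Atom):
        return Atom(p.pred, tuple(val if a == var else a for a in p.args))
    if isinstance(p, Says):
        return Says(val if p.principal == var else p.principal, subst(p.prop, var, val))
    if isinstance(p, Implies):
        return Implies(subst(p.ante, var, val), subst(p.conseq, var, val))
    return p if p.var == var else Forall(p.var, subst(p.body, var, val))   # inner binder shadows var

class ProofError(Exception): pass

def infer(pf, policies, certs):
    """Return the proposition a proof term establishes, or raise ProofError.
    Terms: ("cert", name) | ("axiom", name) | ("inst", term, constant) | ("app", term, term);
    r1[frank](c9722k902) is ("app", ("inst", ("axiom", "r1"), "frank"), ("cert", "c9722k902"))."""
    kind = pf[0]
    if kind == "cert":                        # certificate the door has already verified
        if pf[1] not in certs: raise ProofError(f"unknown or unverified certificate {pf[1]}")
        return certs[pf[1]]
    if kind == "axiom":                       # policy axiom known to the door
        if pf[1] not in policies: raise ProofError(f"unknown policy axiom {pf[1]}")
        return policies[pf[1]]
    if kind == "inst":                        # ∀-elimination
        f = infer(pf[1], policies, certs)
        if not isinstance(f, Forall):
            raise ProofError("instantiating a proposition that is not universally quantified")
        return subst(f.body, f.var, pf[2])
    if kind == "app":                         # ⊃-elimination; the principal inside "says" must match too
        f, a = infer(pf[1], policies, certs), infer(pf[2], policies, certs)
        if not isinstance(f, Implies) or f.ante != a:
            raise ProofError(f"{a} does not match the antecedent of {f}")
        return f.conseq
    raise ProofError(f"malformed proof term {pf!r}")

def door_accepts(pf, goal, policies, certs):
    """The door's check: the proof must establish exactly the goal it challenged with."""
    try:
        return infer(pf, policies, certs) == goal
    except ProofError:
        return False

def affirmation_flow(policies):
    """Pairs (K.P, L.Q) meaning K.P ≤ L.Q: some policy ∀x. ... K says P(..) ⊃ ... ⊃ L says Q(..)
    lets K's affirmation of P feed L's affirmation of Q; closed reflexively and transitively."""
    def label(q):
        return f"{q.principal}.{q.prop.pred}" if isinstance(q, Says) and isinstance(q.prop, Atom) else None
    nodes, rel = set(), set()
    for p in policies.values():
        while isinstance(p, Forall):
            p = p.body
        antes = []
        while isinstance(p, Implies):
            antes.append(p.ante); p = p.conseq
        head = label(p)
        if head is None:
            continue
        nodes.add(head)
        for src in filter(None, map(label, antes)):
            nodes.add(src); rel.add((src, head))
    rel |= {(n, n) for n in nodes}
    for k in nodes:                           # Warshall transitive closure
        rel |= {(i, j) for i in nodes for j in nodes if (i, k) in rel and (k, j) in rel}
    return rel

DOOR = "WeH.8121"
POLICIES = {                                  # r1 and r2 from the slides
    "r1": Forall("S", Implies(Says("depthead", Atom("advisor", ("S", "deepak"))),
                              Says("deepak", Atom("open", ("S", DOOR))))),
    "r2": Says("deepak", Atom("open", ("deepak", DOOR))),
}
CERTS = {                                     # constructed trust store; signature checks assumed done
    "c9722k902": Says("depthead", Atom("advisor", ("frank", "deepak"))),
    "c_self": Says("frank", Atom("advisor", ("frank", "deepak"))),      # frank vouching for himself
}
GOAL = Says("deepak", Atom("open", ("frank", DOOR)))
FRANK_PROOF = ("app", ("inst", ("axiom", "r1"), "frank"), ("cert", "c9722k902"))
SELF_PROOF = ("app", ("inst", ("axiom", "r1"), "frank"), ("cert", "c_self"))

if __name__ == "__main__":
    print(door_accepts(FRANK_PROOF, GOAL, POLICIES, CERTS))                 # True: door opens
    print(door_accepts(SELF_PROOF, GOAL, POLICIES, CERTS))                  # False: frank cannot speak for depthead
    print(("depthead.open", "deepak.open") in affirmation_flow(POLICIES))   # False: no such flow
```

The self-vouching proof fails because the ⊃-elimination step compares the whole antecedent, principal included: frank’s signed statement advisor(frank, deepak) is a different proposition from depthead’s, so no certificate shuffling lets one principal speak for another unless a policy in Γ says so. That is the independence of principals from slide 21 showing up in a single proof check. The flow analysis reports depthead.advisor ≤ deepak.open and the reflexive pair deepak.open ≤ deepak.open, and nothing at all for depthead.open, which is the situation on slide 23.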

25 Further Work: Linear + Knowledge extensions “Use once” authorization Possessed resources (e.g. money) Resource based transactions like credit card authorization, etc. Proof-theory straightforward Non-interference analysis might be much harder – not yet explored

26 Most Closely Related Work [Abadi, Burrows, Lampson, Plotkin’93] propositional, rich calculus of principals [De Treville’02] Binder datalog fragment, decidable, logic programming, modality unclear [Abadi, ICFP’06 to appear] Non-interference properties using DCC

27 Conclusion Contributions –Intuitionistic authorization logic –Affirmation is indexed family of strong monads –Simple proof theory, cut-elimination –Meta-theoretic analysis (Non-interference) Future Work –Real examples –Linear extensions (proof theory done) –Implementation of linear extensions –Temporal features (e.g. short lived certificates)

28 Authentication vs Authorization Authentication: who made a statement –Signed certificates –Public key cryptography Authorization: who should gain access –Access control lists –Issues of trust –Relies on authentication

29 Authorization Logics High level, formal approach to access control in distributed systems Desired Features: –Express access control policies –Enforce (or implement) access control policies –Explore access control policies Abstract from: –Authentication details –Communication protocols

30 Authorization Logic Issues Intuitionistic or classical? Rules for “says” Which logical connectives? First-order or higher order? Decidable? Linear?

31 Logic Design with Judgments Proof-theoretic semantics –Judgments are different from propositions –Connectives defined by intro and elim rules –Cut elimination and identity –The proof-theory is the semantics! Advantages –Easy meta-theoretic analysis –Connectives independent of each other

32 Local Soundness Intro followed by elim of same connective can be compressed Ensures that elimination rule is not too strong New derivation constructed by substitution

33 Local Completeness Every connective can be reintroduced after some eliminations

34 The connective “says” Local soundness and completeness can be verified as for implication Principals remain isolated: their statements can be related only by the policy. r1 : 8 S. depthead says advisor (S, deepak) ¾ deepak says open (S, WeH.8121) Truth is shared

35 Cut-free sequent calculus How do we prove the following? Make a cut-free, atomic sequent calculus Cut and identity are generalizations of local soundness and completeness

36 Cut-free sequent calculus Introduce a new judgment: A hyp (A is a hypothesis) Hypothetical judgments: Judgmental rules:

37 Sequent calculus rules Replace intro and elim rules by right and left rules

38 Other Connectives More connectives (∧, ∨, ∀, ∃) can be added through right and left rules Important consequence: Contradictory statements by principals don’t make the logic inconsistent! Important because principals are not constrained in what they affirm

39 Authorization Logic Issues Intuitionistic or classical? (Intuitionistic) Rules for “says” (Indexed family of strong monads) Which logical connectives? (Open ended) First-order or higher order? (First order) Decidable? (No, but efficient theorem proving needed) Linear? (Discussed next!)

40 Knowledge based extensions Judgment for explicit knowledge of principals: K knows A Represent private knowledge Can be added using an indexed family of co-monads Knowledge is stronger than truth

41 Intuitionistic vs Classical Logic Our logic is intuitionistic Intuitionistic logic has explicit evidence Classical logic is descriptive In authorization, explicit evidence is necessary

42 Three E’s of Authorization Logic Express policies Enforce policies –Small trusted computing base –Logical reading of policies and implementation should agree Explore policies –Clean proof theory –Amenable to meta-theoretic analysis

43 Expressiveness Groups member(deepak, grp). member(frank, grp). ∀S. member(S, grp) ⊃ can_access(S, resource). Limited delegation: I can allow Frank to decide who can access my door ∀S. frank says open(S, WeH.8121) ⊃ deepak says open(S, WeH.8121)

44 Expressiveness Joint Authorization ∀S. frank says open(S, WeH.8121) ⊃ depthead says open(S, WeH.8121) ⊃ deepak says open(S, WeH.8121)

45 Logic issues What is “says”? –Indexed family of monads Intuitionistic or classical logic? –Intuitionistic Decidable? –No, but efficient theorem proving needed Linear? –Extension of present work

