Applications of Logic in Computer Security
Jonathan Millen
SRI International
Areas of Application
Computer Security:
Multilevel Operating System Security
“Orange Book,” Commercial Trusted Product Evaluation, A1-level
Emphasis on secrecy, security/clearance levels
Access Control Policies
Discretionary or role-based policies
Emphasis on application-specific policies, integrity
Network Security:
Public-Key Infrastructure and Trust Management
Network and distributed system security
Digitally signed certificates for identity and privileges
Cryptographic Authentication Protocols
For network communication confidentiality and authentication
Other areas: databases, firewalls/routers, intrusion detection
Contributions of Logic
Undecidability Results
Safety problem for discretionary access control
Cryptographic protocol analysis
Theorem Proving Environments
Verifying correctness of formal OS specifications
Inductive proofs of cryptographic protocols
Logic Programming
Prolog programs for cryptographic protocol analysis, trust management
Model Checking
For cryptographic protocol analysis
Specialized Logics
For cryptographic protocol analysis, trust management
Multilevel Operating System Security
Motivated by protection of classified information in shared systems
High-assurance (A1) systems may protect Secret data from uncleared users
Architecture: trusted OS kernel, hardware support
Abstract system model of access control: Bell-LaPadula (ca. 1975)
Structured state-transition system: subject-object access matrix, levels
Security invariants and transition rules (for OS functions)
“Formal Top-Level Specification” (FTLS)
More detailed state-transition system
Formal Proofs:
Model transitions satisfy invariants
FTLS is an interpretation of the system model
Carried out in environments like Gypsy, FDM, HDM
Some FTLS errors reflected in code were discovered
Of Historical Interest
Access Control Policies
Safety Problem
Subject-object-rights matrix
“rights” were arbitrary, representing different kinds of access
Operations: create/delete subjects, objects; enter/remove rights
System of conditional rules to apply operations
Harrison-Ruzzo-Ullman Undecidability Result
Whether S can ever receive right r to object O
Comm. ACM 19(8), 1976
Decidable if number of subjects is bounded
Historical Impact
Led to interest in efficiently decidable systems
Take-Grant, DAC, RBAC
[Figure: access matrix cell for subject Si and object Oj, containing right r]
Public-Key Certificates
Based on asymmetric encryption
Key pair KA, KA^-1: one made public, one kept secret
Text block encrypted with KA can be decrypted only with KA^-1.
Impractical to compute secret key from public key
Digital signature
Text string T
T → h(T) → [h(T)]KA^-1
Apply one-way (hash) function
Encrypt with secret key
Verify by decrypting with signer’s public key, compare hash result
Public Key Certificate
Binds name to public key, signed by trusted party
Logical Equivalent
“A says (KB is the public key of B)”
… provided that KA is the public key of A
B, KB, [h(B,KB)]KA^-1
Logic of Distributed Authentication
Origination:
“Authentication in distributed systems: theory and practice,” by Lampson,
Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992
Theory of says and speaks for (the ⇒ relation: A ⇒ B means A speaks for B)
(P8) (A ⇒ B) ⊃ ((A says s) ⊃ (B says s))
(P10) (A says (B ⇒ A)) ⊃ (B ⇒ A)
Application to distributed systems
A and B are principals: users or keys (can say something)
A says s means: A authorizes command (operation, access) s
A ⇒ B means: A speaks for B, i.e., B delegates authority to A
“credentials”
Certificate T, [T]KA^-1 means KA says T
Public key certificate means KA ⇒ A
Credentials sent from one network node to another to authorize resources
Implemented in Taos operating system
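A small forward-chaining engine for the two axioms above, added here as an illustration (it is not code from Lampson et al. or from Taos): credentials are encoded as `says` and speaks-for (`sf`) facts, P8 and P10 are applied until a fixpoint, and an access check asks whether some principal on the ACL can be shown to say the requested command. Signature verification is assumed to have happened already (a verified certificate T,[T]KA^-1 enters simply as "KA says T"), and public-key certificates are taken as installed KA ⇒ A facts, as the slide does. The principal names, key labels, file name and the delegation scenario are constructed.

```python
# Encoding (constructed): ("sf", P, Q) is P ⇒ Q (P speaks for Q);
# ("says", P, s) is P says s; ("do", op, obj) is a command such as reading a file.

def derive(facts):
    """Forward-chain P8 and P10 to a fixpoint; returns every derivable fact."""
    known = set(facts)
    while True:
        new = set()
        for f in known:
            if f[0] == "says":
                speaker, stmt = f[1], f[2]
                # P10 (hand-off): A says (B ⇒ A)  ⊢  B ⇒ A
                if stmt[0] == "sf" and stmt[2] == speaker:
                    new.add(stmt)
            elif f[0] == "sf":
                a, b = f[1], f[2]
                # P8: A ⇒ B, A says s  ⊢  B says s
                for g in known:
                    if g[0] == "says" and g[1] == a:
                        new.add(("says", b, g[2]))
        if new <= known:
            return known
        known |= new

def credential(signer_key, statement):
    """A verified certificate T,[T]K^-1 is read as 'K says T' (signature check assumed done)."""
    return ("says", signer_key, statement)

def authorized(credentials, requester_key, command, acl):
    """Grant when some principal on the ACL can be shown to say the command."""
    facts = derive(set(credentials) | {("says", requester_key, command)})
    return any(("says", p, command) in facts for p in acl)

# Constructed scenario: the file server has A's and B's public-key certificates installed
# (taken as KA ⇒ A facts, as on the slide), A has delegated to a workstation key Kw,
# and Kw has also minted a bogus delegation claiming to speak for B.
PK_CERTS = {("sf", "Ka", "A"), ("sf", "Kb", "B")}
DELEGATION = credential("Ka", ("sf", "Kw", "A"))   # signed by A's key: Kw ⇒ A
FORGED = credential("Kw", ("sf", "Kw", "B"))       # signed by Kw itself: worthless under P10
READ = ("do", "read", "payroll.txt")

def demo():
    creds = PK_CERTS | {DELEGATION, FORGED}
    return {
        "Kw reads as A": authorized(creds, "Kw", READ, acl={"A"}),  # True via P8, P10, P8
        "Kw reads as B": authorized(creds, "Kw", READ, acl={"B"}),  # False: B never said Kw ⇒ B
        "Kx reads as A": authorized(creds, "Kx", READ, acl={"A"}),  # False: no chain from Kx
    }
```

The successful case needs all three steps in order: Ka ⇒ A and "Ka says (Kw ⇒ A)" give "A says (Kw ⇒ A)" by P8, hand-off (P10) turns that into Kw ⇒ A, and P8 again lifts "Kw says read" to "A says read". The forged credential fails because P10 only accepts a delegation spoken by the principal being delegated, and nothing speaks for B except Kb.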
Trust Management
Policymaker
“Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE
Symposium on Security and Privacy
Identified trust management as a distinct problem
Purpose: to define and implement policy using credentials to process queries
Delegation Logic
“A logic-based knowledge representation for Authorization with Delegation,” Li,
Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
Language to express policies
Primitives include says, delegates (speaks for with object)
Access permission is decidable
Logic program implementation (in Datalog)
Cryptographic Protocols
Cryptographic protocol
an exchange of messages over an insecure communication medium, using
cryptographic transformations to ensure authentication and secrecy of data
and keying material.
Applications
military communications, business communications, electronic commerce,
privacy
Examples
Kerberos: MIT protocol for unitary login to network services
SSL (Secure Socket Layer, used in Web browsers)
IPSec: standard suite of Internet protocols due to the IETF
SET (Secure Electronic Transaction) protocol
PGP (Pretty Good Privacy)
A Popular Example
The Needham-Schroeder public-key handshake
R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in
Large Networks of Computers,” Comm. ACM, Dec., 1978
A → B: {A, Na}Kb
B → A: {Na, Nb}Ka
A → B: {Nb}Kb
Purpose: mutual authentication of A and B, sharing secrets Na, Nb
This is an “Alice-and-Bob” protocol specification
Na and Nb are nonces (used once)
Ka is the public key of A
The protocol is vulnerable...
The Attack
Participants: A (normal run), M (false), B (thinks he’s talking to A; Nb is compromised)
M(A) denotes M posing as A
A → M: {A,Na}Km
M(A) → B: {A,Na}Kb
B → M(A): {Na,Nb}Ka
M → A: {Na,Nb}Ka
A → M: {Nb}Km
M(A) → B: {Nb}Kb
Lowe, “Breaking and Fixing the Needham-Schroeder Public Key
Protocol Using FDR” TACAS 1996, LNCS 1055
A malicious party M can forge addresses, deviate from protocol
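The attack above as an added, runnable example (not code from the slides or from Lowe's paper): encryption is symbolic, so a ciphertext under Kb can only be opened by the holder of B's private key, and M can only open what was encrypted to itself and re-encrypt under public keys. The principal names, key labels and nonce values are constructed. The `fixed` flag applies the repair from Lowe's paper, adding the responder's name to message 2, so A notices that the reply names B although A started a run with M.

```python
PUBKEY = {"A": "Ka", "B": "Kb", "M": "Km"}   # constructed principals and their public keys

def enc(payload, pubkey):
    """Symbolic public-key encryption: {payload}pubkey."""
    return ("enc", payload, pubkey)

def dec(ct, owner):
    """Only the owner of the matching private key can open a ciphertext."""
    tag, payload, pubkey = ct
    if tag != "enc" or pubkey != PUBKEY[owner]:
        raise PermissionError(f"{owner} holds no private key for {pubkey}")
    return payload

class Initiator:
    """A's role: sends message 1 to `peer`, checks message 2, sends message 3."""
    def __init__(self, name, peer, fixed=False):
        self.name, self.peer, self.fixed = name, peer, fixed
        self.na = "N" + name           # nonce; constructed, fixed value for readability

    def msg1(self):
        return enc((self.name, self.na), PUBKEY[self.peer])

    def msg3(self, m2):
        fields = dec(m2, self.name)
        if self.fixed:                 # Lowe's fix: message 2 is {Na, Nb, B}Ka
            na, nb, responder = fields
            if responder != self.peer:
                raise ValueError(f"{self.name}: reply names {responder}, expected {self.peer}")
        else:                          # original protocol: message 2 is {Na, Nb}Ka
            na, nb = fields
        if na != self.na:
            raise ValueError(f"{self.name}: nonce mismatch")
        return enc(nb, PUBKEY[self.peer])

class Responder:
    """B's role: answers message 1, accepts the run when message 3 returns Nb."""
    def __init__(self, name, fixed=False):
        self.name, self.fixed = name, fixed
        self.nb = "N" + name
        self.peer, self.accepted = None, False

    def msg2(self, m1):
        self.peer, na = dec(m1, self.name)       # B believes `peer` sent this
        body = (na, self.nb, self.name) if self.fixed else (na, self.nb)
        return enc(body, PUBKEY[self.peer])

    def finish(self, m3):
        if dec(m3, self.name) != self.nb:
            raise ValueError(f"{self.name}: wrong nonce in message 3")
        self.accepted = True

def honest_run(fixed=False):
    """A talks to B directly; True when B accepts the run as coming from A."""
    a, b = Initiator("A", "B", fixed), Responder("B", fixed)
    b.finish(a.msg3(b.msg2(a.msg1())))
    return b.accepted and b.peer == "A"

def lowe_attack(fixed=False):
    """A starts a run with M; M reuses A's messages to impersonate A to B.
    Returns (B accepted the run as 'A', M learned Nb)."""
    a, b = Initiator("A", "M", fixed), Responder("B", fixed)
    m1 = a.msg1()                                  # A -> M : {A, Na}Km
    ident, na = dec(m1, "M")                       # M opens it with its own private key
    m2 = b.msg2(enc((ident, na), PUBKEY["B"]))     # M(A) -> B : {A, Na}Kb ; B replies {Na, Nb}Ka
    try:
        m3 = a.msg3(m2)                            # M -> A : {Na, Nb}Ka unchanged ; A -> M : {Nb}Km
    except ValueError:
        return False, False                        # with the fix, A sees B's name and aborts
    nb = dec(m3, "M")                              # M now holds Nb
    b.finish(enc(nb, PUBKEY["B"]))                 # M(A) -> B : {Nb}Kb
    return b.accepted and b.peer == "A", nb == b.nb
```

Nothing in the attack breaks the encryption: M is a legitimate principal that A chose to talk to, and the flaw is that message 2 carries no indication of who produced it, so A cannot tell a reply from B (relayed by M) from a reply from M. With the responder's name inside the encryption, A's check in `msg3` fails and M never obtains Nb.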
Undecidable in General
Reduction of Post correspondence problem
Word pairs ui, vi for 1 ≤ i < n
Does there exist ui1...uik = vi1...vik?
Construction
Protocol with one role (or one per i)
Compromises secret if solution exists
Attacker cannot forge release message, because of encryption
Role (ε is the empty word, · is concatenation):
send {ε, ε}K
receive {X, Y}K
if X = Y ≠ ε, send secret
else choose i, send {X·ui, Y·vi}K
Observations
Messages are unbounded
Construction suggested by Heintze & Tygar, 1994
First undecidability proof by Even & Goldreich, 1983
1999 proof by Durgin, et al shows nonces are enough
Analysis Approaches
Model checking
State-space search for attacks
Inductive proof
Using verification tools or by hand
Can prove protocols correct (for abstract encryption)
Belief-logic proofs
BAN logic and successors
For authentication properties
Linear Logic Model
Linear Logic
Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
Constructive, used to model state-transition systems
Application to cryptographic protocols
Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol
analysis,” 1999 Computer Security Foundations Workshop
Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)
State-transition rules
F1, …, Fk → ∃x1, …, xm. G1, …, Gn
State is a multiset of “facts” Fi, predicates over terms
Rule matches facts on left side with variable substitution
Variables xi are instantiated with new symbols (like nonce!)
Left-side facts are replaced by right-side facts in multiset
The MSR Model
Implementation of linear logic model
Special term and fact types for cryptographic protocols
Symbols for principals, keys, and nonces
Terms for encryption and concatenation
Facts for protocol process state, messages
Multiset holds current states of many concurrent protocol sessions
Example: A sends message A,{A}K (to B) with new K
A0(A,B) → ∃K. A1(A,B,K), M({A}K)
Attacker rules eavesdrop, construct false messages, e.g.,
M({A}K), M(K) → M({A}K), M(K), M(A)
Attacker model is standardized
MSR model applied as intermediate language
CAPSL → MSR → analysis tools (Millen, Denker 1999)
Model Checking Tools
State-space search for reachability of insecure states
History: back to 1984, Interrogator program in Prolog
Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
Prolog programs were interactive
General-purpose model-checkers
Search automatically given initial conditions, bounds
Iterative bounded-depth search
Roscoe and Lowe used FDR (model-checker for CSP), 1995
Mitchell, et al used Murphi, 1997
Clarke, et al used SMV, 1998
Denker, Meseguer, Talcott used Maude, 1998
Successful at finding previously unknown vulnerabilities!
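An added example, not the MSR implementation or any of the tools named above, serving both the MSR rules (state as a multiset of facts, left-side matching with substitution, existential variables bound to new symbols) and the bounded state-space search of this slide: a few dozen lines of multiset rewriting plus a breadth-first search for a state containing a goal fact. The protocol is a constructed two-nonce challenge-response in which responder B answers any challenge X with ({X}Kab, Nb) and accepts once {Nb}Kab comes back; the intruder rules are a network intruder with no keys (the decrypt rule is the slide's, generalised, and never fires here). The search reproduces a reflection attack in which B completes a run "with A" although A never takes part. Three search bounds are not part of the MSR model: identical facts are collapsed, fresh symbols are named canonically so equal states are recognised, and at most one message is in transit at a time.

```python
from collections import deque

class Var:
    """Rule variable; bound by matching or, for existential variables, to a fresh symbol."""
    def __init__(self, name): self.name = name
    def __repr__(self): return "?" + self.name

def subst(term, s):
    """Instantiate a pattern under substitution s (terms are strings or tuples)."""
    if isinstance(term, Var): return s[term.name]
    if isinstance(term, tuple): return tuple(subst(t, s) for t in term)
    return term

def match(pat, fact, s):
    """Extend s so that pat matches the ground fact; None if impossible."""
    if isinstance(pat, Var):
        if pat.name in s: return s if s[pat.name] == fact else None
        return {**s, pat.name: fact}
    if isinstance(pat, tuple):
        if not isinstance(fact, tuple) or len(pat) != len(fact): return None
        for p, f in zip(pat, fact):
            s = match(p, f, s)
            if s is None: return None
        return s
    return s if pat == fact else None

def matchings(lhs, state, s=None, used=()):
    """Every way to match all left-hand patterns against distinct facts of the state."""
    s = {} if s is None else s
    if not lhs:
        yield s, used
        return
    for i, fact in enumerate(state):
        if i not in used and (s2 := match(lhs[0], fact, s)) is not None:
            yield from matchings(lhs[1:], state, s2, used + (i,))

def successors(rule, state):
    """Apply the rule every possible way: drop the matched facts, add the instantiated rhs."""
    _, lhs, fresh, rhs = rule
    for s, used in matchings(lhs, state):
        s, text = dict(s), repr(state)
        for v in fresh:                       # ∃x: bind x to a symbol not yet in this state
            n = 1
            while f"{v.name}{n}" in text: n += 1
            s[v.name] = f"{v.name}{n}"
        kept = [f for i, f in enumerate(state) if i not in used]
        yield tuple(sorted(set(kept + [subst(r, s) for r in rhs]), key=repr))

def search(rules, init, goal, max_depth, max_in_flight=1):
    """Bounded BFS for a state holding a fact that matches goal; returns the rule trace."""
    start = tuple(sorted(set(init), key=repr))
    queue, seen = deque([(start, ())]), {start}
    while queue:
        state, trace = queue.popleft()
        if any(match(goal, f, {}) is not None for f in state):
            return trace
        if len(trace) >= max_depth:
            continue
        for rule in rules:
            for nxt in successors(rule, state):
                if sum(f[0] == "N" for f in nxt) > max_in_flight or nxt in seen:
                    continue
                seen.add(nxt)
                queue.append((nxt, trace + (rule[0],)))
    return None

# ---- constructed protocol and intruder (N = message on the net, M = intruder knowledge) ----
B, A, K, X, Y, Nb = (Var(n) for n in ("B", "A", "K", "X", "Y", "Nb"))
def enc(m, k): return ("enc", m, k)          # symbolic {m}k

RULES = [
    # Responder role: answer any challenge X with ({X}Kab, Nb), accept when {Nb}Kab returns.
    # B0 is re-emitted so B can serve many sessions.
    ("B responds", [("B0", B, A, K), ("N", X)], [Nb],
                   [("B0", B, A, K), ("B1", B, A, K, X, Nb), ("N", (enc(X, K), Nb))]),
    ("B accepts",  [("B1", B, A, K, X, Nb), ("N", enc(Nb, K))], [], [("B2", B, A)]),
    # Intruder: reads, stores, splits and replays traffic; decrypts only with a key it holds.
    ("intercept",  [("N", X)], [], [("M", X)]),
    ("split",      [("M", (X, Y))], [], [("M", X), ("M", Y)]),
    ("send",       [("M", X)], [], [("M", X), ("N", X)]),
    ("decrypt",    [("M", enc(X, K)), ("M", K)], [], [("M", enc(X, K)), ("M", K), ("M", X)]),
]
INIT = [("B0", "b", "a", "kab"), ("M", "n0")]   # b shares kab with a; the intruder knows only n0
GOAL = ("B2", "b", "a")                          # b finished a run it attributes to a

def find_attack(max_depth=10):
    """Rule sequence reaching GOAL within max_depth steps, or None. No A role ever runs."""
    return search(RULES, INIT, GOAL, max_depth)

if __name__ == "__main__":
    for i, name in enumerate(find_attack() or (), 1):
        print(i, name)
```

The trace the search returns is the classic reflection: send n0, let B answer, take Nb out of the reply, send Nb back to B as a fresh challenge so that B itself produces {Nb}Kab, and replay that to finish the first session. Ten steps are needed, so a search bounded at nine steps reports nothing, which is the usual caveat with bounded model checking: absence of a trace within the bound is not a proof of correctness.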
Non-Repudiation Protocols
Different objectives and assumptions
Fairness objectives: contract signing, proofs of receipt, fair exchange
Applications to electronic commerce
Parties are mutually distrustful, network well-behaved, no intruder
Trusted third party to resolve detected breaches
Alternating Temporal Logic application
Kremer, Raskin, “Formal verification of non-repudiation protocols, a game
approach,” Workshop on Formal Methods and Computer Security, 2000
Used model checker MOCHA
Example Objective
¬⟨⟨B,Com⟩⟩◇(NRO ∧ ¬⟨⟨A⟩⟩◇NRR)
Means: B and Com (the network) do not have a strategy leading to a state
where B has proof of non-repudiation of origin (of some message) but A has
no strategy (from there) leading to a proof of non-repudiation of receipt
Inductive Proofs
State-transition model similar to model checking approaches
Application of general-purpose specification and verification tools
Influential Examples:
R. Kemmerer, "Analyzing encryption protocols using formal verification
techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).
L. Paulson, “The inductive approach to verifying cryptographic protocols,” J.
Computer Security 6(1), 1998 (used Isabelle)
Paulson’s approach inspired others
Bolignano (using Coq), Millen (using PVS)
BAN Logic
Papers
Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer
Systems 8(1), 1990
Gong, Needham, Yahalom, “Reasoning about belief in cryptographic
protocols,” 1990 IEEE Symposium on Security and Privacy
Approach
Modal logic of belief plus specialized predicates and inference rules
Protocol messages are “idealized” into logical statements
Objective is to prove that both parties share common beliefs
Idealization
A → B: {A, K, B}KB
becomes
B sees {good-key(A, K, B)}KB
Objective
Infer that B believes A said good-key(A, K, B)
B |≡ A |~ (A ↔K B)
Inferences and Problems
Example
P believes fresh(X), P believes Q said X |- P believes Q believes X
Assumption
Protocol idealization must be consistent with beliefs about confidentiality
Problem
Observed by Nessett right away for digital signature example
Good key must not be given away accidentally (or on purpose)
Takes deep analysis to determine this
Needham-Schroeder Public Key protocol proved correct (!!??)
These logics are still used because:
They are efficiently decidable
They help to understand the protocol
They can be used manually
Summary
Many applications of logic in computer security are indirect, through use of
tools that require deep logic-system knowledge to design
Several unusual or specialized logical systems have application to
computer security
Cryptographic protocol analysis is an active, fertile area for logic
applications