Distributed System
Security via Logical
Frameworks
Frank Pfenning
Carnegie Mellon University
Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter
Outline







The Grey Project
Authentication and Authorization
Affirmation and Truth
Proof Search
Absence of Interference
Consumable Resources
Conclusion
11/18/2005
McGill University
2
The Grey Project
 Smartphones for universal access control
 Doors, computers, food?, cars?, …
 Being deployed at CMU CyLab building
 Exploit communication capabilities
 Bluetooth, camera, speaker, microphone
 Mobile data services, keypad
 Exploit computational power
 500 mHz processor, J2ME
11/18/2005
McGill University
3
Technical Challenges
 Distributed multi-modal access control
 Flexible and extensible
 Formally analyzable
 Intuitive and usable




Efficient fair contract signing
Capture resilience
Privacy protection
Interfaces, programming realities
11/18/2005
McGill University
4
Authentication & Authorization
Jack: Please let me into the castle.
Guard: Who are you?
Policy
These may enter:
Jack: ``Jack’’.
Here is my passport.
King, Queen,
Jack, Jill,…
Guard: The seal
is valid.
The King
This is Jack
Guard: You are in my list.
The King
Guard: You may enter.
11/18/2005
McGill University
5
Access Control Lists
 Authentication via certificates
 Use digitally signed certificates
 Verify with public key cryptography
 Employed in Grey architecture
 Authorization via access control lists
 Check membership in access control list
 Inflexible and difficult to extend
 Replace by other mechanism in Grey
11/18/2005
McGill University
6
Certificates for Authorization
Authentication as before
Guard: Why should I let you in?
Jack: Here is my commission.
Affirmation
Guard: Your
commission
is valid.
Jack may
enter
Guard: You may enter.
The King
11/18/2005
McGill University
7
Authorization via Propositions
 Policy: let pass if
 Enforcement: check if King signed
 Apply in other scenarios
 File systems (may-read, may-write)
 Doors (may-open)
11/18/2005
McGill University
8
Distributed Authorization
Authentication as before
Guard: Why should I let you in?
Affirmation
is a member
Jack: I belongJack
to
the Queen’s
of my household
household.
Policy
Guard:
Is
Jack
a member
These
may
enter:
The Queen
of your
household?
King, Queen, …,
Members of the
Queen:
Yes.household
Queen’s
The King
Guard: You may enter.
11/18/2005
McGill University
9
Reasoning about Authorization
 Policy, given as signed certificates:
 Enforcement: Check proof of
 Requires verification of certificates and
logical reasoning
11/18/2005
McGill University
10
Proof-Carrying Authorization
 Resource monitor challenges w. proposition
 Client assembles and sends proof object
 Using local and remote certificates
 Exploits communication abilities of cell phone
 Resource monitor checks proof
 Check proper application of inference rules
 Validate embedded certificates

[Appel & Felten’99] [Bauer’03]
11/18/2005
McGill University
11
Some Issues
 Authorization logic




General logical rules
Policy expression
Proof search, representation, and verification
Properties of policies
 Certificates
 Verification authority, expiration, revocation
 Use X.509 standard
11/18/2005
McGill University
12
Authorization Logic
 Logical reasoning about access control

[Abadi,Burrows,Lampson,Plotkin’93]
 Much subsequent work omitted here
 General characteristics of prior work
 Decidable (propositional or datalog fragment)
 Classical (law of excluded middle)
 Modal logic (“K says” as modality)
11/18/2005
McGill University
13
A New Foundation
 Goals
 Inherent extensibility
 Tie between meaning of connectives (policy
expression) and proofs (policy enforcement)
 Formal reasoning about policies
 Further Goals
 Reasoning with state, time, and knowledge

[Garg & Pf’05] [Bauer, Bowers, Pf, Reiter’05]
11/18/2005
McGill University
14
Logic, the Multi-Headed
Hydra
Consumable Resources
Model Checking Temporal
Linear
“Intentional”
Intuitionistic
Functional
Programming
Authorization
Epistemic
Knowledge
Classical
Modal
Traditional
Mathematics
Distributed
Systems
11/18/2005
McGill University
15
How Do We Define a Logic?
 Must explain the meaning of propositions
 The meaning of a proposition is determined
by what counts as evidence for its truth

[Gentzen’35] [Martin-Löf’83] [Pf & Davies’01]
 Meaning via proofs, proofs via meaning
 Well-suited for proof-carrying authorization
 Other approaches possible
 Axiomatic, categorical, denotational, …
11/18/2005
McGill University
16
Examples
 Disjunction ``A or B’’
 Conjunction ``A and B’’
11/18/2005
McGill University
17
Hypothetical Judgments
 Reasoning from assumptions
Hypotheses
Conclusion
 Hypothesis rule
Gamma,
for arbitrary hypotheses
 Hypotheses can be used arbitrarily often
11/18/2005
McGill University
18
Two Sides to Every Story
 For each connective:
 Show how to prove it on the right-hand side
 Show how to use it on the left-hand side
 Example: Disjunction ``A or B’’
11/18/2005
McGill University
19
Cut Elimination
 The right and left rules must be in harmony
 The rule of Cut must be redundant
 All uses of Cut can be eliminated
 Cut does not analyze the given propositions in
Γ or C, but introduces arbitrary A in premises
11/18/2005
McGill University
20
Implication
 Hypothetical reasoning as a proposition
 All rules break down connectives
 Meaning of proposition composed from the
meanings of it parts
11/18/2005
McGill University
21
Affirmation
 Only judgment so far: “A true”
 Affirmation expresses policy (intent)
 New judgment: “K affirms A”
 Externally new evidence (signed certificates)
 Internally new rules (relation to truth)
 Example
11/18/2005
McGill University
22
Affirmation and Truth
 Principals may affirm any proposition
 Principals will affirm all true propositions
 Principals can reason logically
 This form of Cut must be also be redundant
11/18/2005
McGill University
23
Affirmation as a Proposition
 New proposition “K says A”
 Define meaning by right and left rules
 Reason from affirmation assumptions
11/18/2005
McGill University
24
Example Proof
11/18/2005
McGill University
25
Example Proof
 First subproof
 Follows by hypothesis rule
11/18/2005
McGill University
26
Example Proof
 Second subproof
 Proof complete by hypothesis rule
11/18/2005
McGill University
27
Distributed Proof Search
 Locally known certificates as hypotheses
 Resource monitor’s challenge as conclusion
 Construct proof bottom-up
 Choose rule and apply (backwards)
 Backtrack if necessary
 Contact remote data base or principal when
“K says A” is unprovable subgoal

[Bauer, Garriss, Reiter’05]
11/18/2005
McGill University
28
Proof Representation
 Proofs unwieldy on paper
 Formal representation compact & efficient
 Use logical framework
 Logic specification
 Proof search, representation, and checking
 Reasoning about logic
 Example: earlier proof becomes
11/18/2005
McGill University
29
Logical Frameworks
 LF logical framework

[Harper, Honsell, Plotkin’93]
 Judgments as types; proofs as objects
 Specifications are open-ended
 Inherent extensibility of authorization logic
 Twelf implementation

[Schürmann’01] [Pientka’03]
 Reasoning about encoded logic
11/18/2005
McGill University
30
Some General Theorems
 Some characteristic theorems
 Familiar from functional programming
 “K says” forms strong monad
 Used to isolate effects

11/18/2005
[Moggi’91] [Wadler’93] [Pf & Davies’01]
McGill University
31
Some Non-Theorems
 Understand when access is denied
 Some non-theorems (for unknown K, A, Q)
 Sample meta-argument
Does not match conclusion of any rule
11/18/2005
McGill University
32
Absence of Interference
 Explore consequences of access control
policy, expressed in authorization logic
 Metatheorem:If “K says” occurs only as
conclusion in P and assumption in C then
if and only if
 More complex non-interference theorems

11/18/2005
[Garg & Pf’05]
McGill University
33
Formal Metatheory
 Formal metatheory of authorization logic
in Twelf
 Cut elimination
 Simple non-interference results
 Proof search for existential question
 “Does there exist a proof of A true”
 Metatheory for universal questions
 “No proof concludes that A true”
11/18/2005
McGill University
34
Policy
Consumable These
Resources
may enter:
King, Queen, …,
Authentication
as who
before
anyone
pays
Gld 100.
Kingyou in?
Guard: Why shouldThe
I let
Jack: I will pay you Gld 100.
Guard: You may enter when you pay.
Guard:
Jack:
11/18/2005
McGill University
35
Consumable Resources
 Logically
 Ephemeral hypotheses (use only once in proof)
 Supported in linear logic
 Cryptographically
 Consumable certificates
 Multi-party contract signing
 Atomic fair exchange
11/18/2005
McGill University
36
Linear Logic
 Persistent and ephemeral hypotheses
Persistent,
use arbitrarily
Ephemeral,
use once
 Some new connectives
 A ( B : with ephemeral A we can prove B
 A B : both A and B ephemerally
 Truth, affirmation, and prior connectives
still make sense
11/18/2005
McGill University
37
Linear Authorization Logic
 Example (simplified)
 Omitted consent (Bank)
11/18/2005
McGill University
38
Realization
 Proving does not consume actual resources
 Realizing a complete proof will consume
resources (certificates)
 Must be atomic
 Implement with multi-party contract signing
 Involves separate ratification authority

[Bauer, Bauers, Pf, Reiter’05]
11/18/2005
McGill University
39
Summary
 Cell phones for universal access control
 Exploit communication capabilities
 Being deployed at CMU CyLab floor
 Logical approach to access control




11/18/2005
Flexible and extensible
Unifies policy expression and enforcement
Permits formal reasoning about policies
Implemented in logical framework
McGill University
40
Current and Future Work
 Consumable certificates and linear logic
 Reasoning with state, multi-party contracts
 Privacy and epistemic logic
 Reasoning with local knowledge, protocols
 Expiration and temporal logic
 Reasoning about time, details of certificates
 Engineering the infrastructure, interfaces
11/18/2005
McGill University
41