Belief Semantics of Authorization Logic
Andrew Hirsch and Michael Clarkson
George Washington University; Cornell University
ACM Conference on Computer and Communications Security, November 6, 2013

Formal Reasoning about Authorization
Standard policies: DAC, MAC, …
  DAC: an access matrix over subjects subj1, subj2, subj3 and objects obj1, obj2, obj3 with entries such as r,w and r [figure]
  MAC: levels Top Secret, Secret, Confidential, Unclassified; no read up, no write down [figure]
Formula-based policies:
  determine the access decision on the basis of whether properties hold
  specify why access should be permitted
  useful in distributed systems
Clarkson: Belief Semantics of Authorization Logic 2

Credentials-based Authorization
a.k.a. claims-based authorization and proof-carrying authorization [Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneid…]
Credential: a claim or belief about the world; φ, ψ, … are formulas in authorization logic
Goal formula: must be satisfied to grant the request
Guard: uses logical inference to derive the goal formula from the credentials
This work: increase the trustworthiness of reasoning in authorization

Increased Trustworthiness
New belief semantics for authorization logic
  purpose of a semantics: interpret formulas in a model of the real world
  standard Kripke semantics: requires technical machinery not related to the real world
  belief semantics: a way to interpret formulas in a straightforward, systems-oriented model; belief subsumes Kripke
Sound proof system for both semantics
  the proof system "has no bugs"
  found unsoundness in an existing logic
Machine-checked proof of soundness
  a proof that "the proof system 'has no bugs'" itself has no bugs

FOCAL
First-Order: quantifiers ∀ ∃; functions, relations (this talk ignores the FO fragment)
Constructive: connectives ∧ ∨ ⇒ ¬
Authorization Logic: attribution of beliefs (says); delegation (speaksfor)
FOCAL = NAL -- [Schneider, Walsh & Sirer 2011] = CDD ++ [Abadi 2007]

Authorization Logic (Review)
Two distinguishing features:
1. Attribute beliefs to principals: p says φ
  source matters: p says φ and q says φ aren't the same
  not all-seeing: φ holds doesn't mean p says φ
  not infallible: maybe p says φ but φ doesn't hold (someone says "winter is coming")
  How do principals form beliefs? Start with initial beliefs. Add to beliefs by querying the state of the system and by receiving credentials from other principals. Infer new beliefs by logical inference from existing beliefs.
  Worldview: a snapshot of a principal's beliefs [Schneider, Walsh & Sirer 2011]
2. Enable delegation between principals: p speaksfor q
  …if p says something, it's as if q says it, too: worldview(p) ⊆ worldview(q)
  restricted delegation: p speaksfor q on {treaties}, so the king delegates to the envoy only for treaties

Authorization Logic (Review): worked example
Goal formula: King says OpenChest
King says (Envoy speaksfor King), therefore Envoy speaksfor King
Envoy says OpenChest, therefore King says OpenChest
therefore the goal formula is satisfied and the chest is opened

Trustworthiness of Reasoning
Q: How do we know reasoning is right?
A: A formal proof system: mechanical reasoning (⊢ ψ)
Q: How do we know the proof system is right?
A: A proof of soundness: the system is consistent with some model of reality
Q: How do we get that model?
A: We need a semantics: how to interpret formulas (⊨ ψ). Our new belief semantics. …The more natural the model, the better.

Belief Semantics
Use possible worlds to model system state.
  one world's facts: It's cloudy in Berlin. x=42. TCP port 443 is open.
  another world's facts: It's cloudy in Berlin. x=43. TCP port 443 is open.
Each principal p has its own worldview ω(w,p) at world w [Konolige 1983; Burrows, Abadi & Needham 1988; Appel & Felten 1999; Schneider, Walsh & Sirer 2011]
Why include w as a parameter to ω? …so that beliefs can depend on system state (ω(w, princess), ω(w, envoy), ω(w, king))
φ ∊ ω(w,p) means: at world w, p believes φ
Belief model B: worldviews ω
  Worldviews must be closed under logical consequence …principals believe all consequences of their beliefs
  …machinery for first-order logic
  …machinery for constructive logic
  validity judgment: B,w ⊨ ψ
B,w ⊨ p says φ iff φ ∊ ω(w,p) (simplified to avoid the machinery of constructive FOL)
B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q) (simplified to avoid the machinery of constructive FOL); pictorially, worldview(p) ⊆ worldview(q)

Other Semantics for Authorization Logic?
The usual semantics is based on the Kripke semantics of modal logic …because says is like ◽ [Abadi, Burrows, Lampson & Plotkin 1991; Howell 2000; Garg & Abadi 2008; Garg 2008; Genovese, Garg & Rispoli 2012]

Kripke Semantics (Review)
K,w ⊨ p says φ iff for all worlds w' such that w ≤p w': K,w' ⊨ φ
≤p is the accessibility relation; w ≤p w' means: given the information in world w, p considers world w' possible

Belief Semantics vs. Kripke Semantics
  belief semantics: B,w ⊨ p says φ iff φ ∊ ω(w,p)
  Kripke semantics: K,w ⊨ p says φ iff for all w': w ≤p w' implies K,w' ⊨ φ
Belief semantics directly captures the intuition about sets of beliefs… Kripke semantics doesn't; it indirects through accessibility relations.
  belief semantics: B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q)
  Kripke semantics: K,w ⊨ p speaksfor q iff ≤p ⊇ ≤q
Again, belief semantics directly captures the intuition about sets of beliefs. Just an issue of style? …belief semantics more faithfully model reality.
Which is more expressive?
Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B. (At each world, form the set of all formulas said by a principal in K. Make that the principal's worldview in B.)
Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures.
…so belief semantics subsume Kripke semantics.

FOCAL Proof System
Proof theory: calculate with formulas: Γ ⊢ φ (derivability judgment)
as opposed to… Semantics: interpret the meaning of formulas: B,w ⊨ φ (validity judgment)
1. Natural deduction proof system with localized hypotheses
2. The rules themselves are well-known, but this seems to be a mildly novel combination

Soundness
Theorem. If φ is derivable from Γ, then φ is valid in any (belief or Kripke) model of Γ.
Proof. Mechanized in Coq (about 2,400 LoC).
First mechanized proof of soundness for an authorization logic! …increases the trustworthiness of the logic.
Nexus Authorization Logic (NAL) [Schneider, Walsh & Sirer 2011]: has a formal proof system; has an informal semantics (worldviews, the main inspiration for FOCAL). A formal semantics and proofs of soundness yield a more trustworthy logic!
Fact: the NAL proof system permits derivation of a formula that is invalid in our formal belief semantics and was not intended to be valid by NAL's designers …NAL is unsound (but easily fixed).

Related Work
CDD [Abadi 2007]; NAL [Schneider, Walsh & Sirer 2011]; ICL [Garg & Abadi 2008]; DTL0 [Garg 2008]; BLsf [Genovese, Garg & Rispoli 2012]; unnamed logics [Garg & Pfenning 2006] [Howell 2000]
Many other logics and systems: Taos, PCA, SPKI/SDSI, Delegation Logic, Cassandra, PolicyMaker, Referee, KeyNote, SD3, Binder, Soutei, SecPAL, DKAL, Alpaca, WS-Policy, Grey, …
FOCAL builds on many of these, and makes new contributions…

Summary
FOCAL: first-order constructive authorization logic
First formal belief semantics for authorization logic
Transformation from Kripke semantics to belief semantics: belief subsumes Kripke
Sound proof system for both semantics; found unsoundness in an existing logic
First machine-checked proof of soundness for an authorization logic

Future Work
Completeness
Verified theorem checker
Semantics of group principals

Extra Slides

Completeness of FOCAL?
Starting points for a completeness result:
  ICL [Garg & Abadi 2008]: uses a different (lax logic) semantics of says
  DTL0 [Garg 2008]: doesn't have speaksfor
  BLsf [Genovese, Garg & Rispoli 2012]: uses a different (strong) semantics of speaksfor

Weak Speaksfor
Weak speaksfor: p speaksfor q iff "for all φ": p says φ ⇒ q says φ
Kripke semantics of speaksfor are stronger [Howell 2000] (principals speak for one another less often)
The WSF condition in our paper is ugly but needed to make Kripke semantics behave
Might eliminate WSF by introducing some second-order model theory

FOCAL vs. NAL
NAL: Schneider, Walsh & Sirer 2011
FOCAL = NAL – 2nd-order quantification + primitive speaksfor – restricted delegation – subprincipals – group principals
(slide annotations: "simplicity", "open!")

FOCAL vs. CDD
CDD: Abadi 2007
FOCAL = CDD – 2nd-order quantification + primitive speaksfor + 1st-order quantification & terms

Belief vs. Knowledge
FOCAL (et al.) is a logic of belief: principals who issue credentials are expressing a belief about the state of the system; they might be wrong; they might be malicious.
A logic of knowledge would impose the axiom: (p says φ) ⇒ φ

Healthiness Conditions (Belief)
Worldview closure: principals believe all consequences of their beliefs
Says transparency: any number of says is equivalent to just one says
Belief hand-off: ensures validity of hand-off: (q says (p speaksfor q)) ⇒ (p speaksfor q)

Healthiness Conditions (Kripke)
IT: principal accessibility relations are "intuitionistically" transitive
ID: principal accessibility relations are "intuitionistically" dense
F2: technical condition from the constructive modal logic literature, needed to achieve soundness
H: ensures validity of hand-off
WSF: weak speaksfor, to get equivalence with belief semantics

Countermodel for Belief → Kripke
w: X does not hold; ω(w,p) = {X}; B,w ⊨ p says X
What can ≤p be?
  If empty, then p says false, but false isn't in ω(w,p)
  If w ≤p w, then K,w ⊭ p says X, but X is in ω(w,p)
Either way, Kripke semantics is not equivalent to belief semantics.
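An added example, not from the talk or the paper: a small Python checker for the propositional says/speaksfor fragment under both belief and Kripke semantics, the Kripke-to-belief transformation behind the expressiveness theorem, and the single-world countermodel from the last slide. The first-order and constructive machinery is omitted as a deliberate simplification; the tuple encoding of formulas and all function names are assumptions of this example.

```python
# Added example: belief vs. Kripke semantics for the propositional says/speaksfor
# fragment, the Kripke-to-belief transformation, and the last slide's countermodel.
# Formulas are tuples: ('atom', 'X'), FALSE, ('says', p, f), ('speaksfor', p, q).
FALSE = ('false',)

def belief_holds(facts, omega, w, f):
    """B,w |= f for belief structure B = (facts, omega): facts[w] is the set of
    atoms true at world w, omega[(w, p)] is principal p's worldview at w."""
    if f == FALSE:
        return False
    if f[0] == 'atom':
        return f[1] in facts[w]
    if f[0] == 'says':            # B,w |= p says f  iff  f in omega(w, p)
        return f[2] in omega[(w, f[1])]
    if f[0] == 'speaksfor':       # B,w |= p speaksfor q  iff  omega(w,p) is a subset of omega(w,q)
        return omega[(w, f[1])] <= omega[(w, f[2])]
    raise ValueError(f)

def kripke_holds(facts, acc, w, f):
    """K,w |= f for Kripke structure K = (facts, acc): acc[p] is p's accessibility
    relation <=p, given as a set of (w, w') pairs."""
    if f == FALSE:
        return False
    if f[0] == 'atom':
        return f[1] in facts[w]
    if f[0] == 'says':            # every world p considers possible from w satisfies f
        return all(kripke_holds(facts, acc, w2, f[2])
                   for (w1, w2) in acc[f[1]] if w1 == w)
    if f[0] == 'speaksfor':       # K,w |= p speaksfor q  iff  <=p contains <=q
        return acc[f[2]] <= acc[f[1]]
    raise ValueError(f)

def kripke_to_belief(facts, acc, universe):
    """The transformation behind 'belief subsumes Kripke': at each world, p's
    worldview is every formula (of a finite universe) that p says there."""
    return {(w, p): {f for f in universe if kripke_holds(facts, acc, w, ('says', p, f))}
            for w in facts for p in acc}

def countermodel():
    """One world w where X is false and omega(w,p) = {X}. Returns an accessibility
    relation for p under which Kripke semantics agrees with belief semantics on
    'p says X' and 'p says false', or None when no such relation exists."""
    facts, omega = {'w': set()}, {('w', 'p'): {('atom', 'X')}}
    tests = [('says', 'p', ('atom', 'X')), ('says', 'p', FALSE)]
    wanted = [belief_holds(facts, omega, 'w', t) for t in tests]   # [True, False]
    for rel in (set(), {('w', 'w')}):                              # all relations on {w}
        if [kripke_holds(facts, {'p': rel}, 'w', t) for t in tests] == wanted:
            return rel
    return None                   # empty: 'p says false' holds; reflexive: 'p says X' fails
```

Running `countermodel()` returns `None`, which is the slide's argument that neither choice of ≤p reproduces the worldview {X}; `kripke_to_belief` applied to any finite Kripke structure produces worldviews on which `belief_holds` and `kripke_holds` agree for every says-formula.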