
Applications of Logic in Computer Security

Jonathan Millen

SRI International

- Multilevel Operating System Security
- “Orange Book,” Commercial Trusted Product Evaluation, A1-level
- Emphasis on secrecy, security/clearance levels

- Access Control Policies
- Discretionary or role-based policies
- Emphasis on application-specific policies, integrity

- Public-Key Infrastructure and Trust Management
- Network and distributed system security
- Digitally signed certificates for identity and privileges

- Cryptographic Authentication Protocols
- For network communication confidentiality and authentication

- Other areas: databases, firewalls/routers, intrusion detection

(Diagram: two overlapping areas, Computer Security and Network Security)

- Undecidability Results
- Safety problem for discretionary access control
- Cryptographic protocol analysis

- Theorem Proving Environments
- Verifying correctness of formal OS specifications
- Inductive proofs of cryptographic protocols

- Logic Programming
- Prolog programs for cryptographic protocol analysis, trust management

- Model Checking
- For cryptographic protocol analysis

- Specialized Logics
- For cryptographic protocol analysis, trust management

- Motivated by protection of classified information in shared systems
- High-assurance (A1) systems may protect Secret data from uncleared users
- Architecture: trusted OS kernel, hardware support

- Abstract system model of access control: Bell-LaPadula (ca. 1975)
- Structured state-transition system: subject-object access matrix, levels
- Security invariants and transition rules (for OS functions)

- “Formal Top-Level Specification” (FTLS)
- More detailed state-transition system

- Formal Proofs:
- Model transitions satisfy invariants
- FTLS is an interpretation of the system model
- Carried out in environments like Gypsy, FDM, HDM
- Some FTLS errors reflected in code were discovered

- Of Historical Interest

- Safety Problem
- Subject-object-rights matrix
- “rights” were arbitrary, representing different kinds of access
- Operations: create/delete subjects, objects; enter/remove rights
- System of conditional rules to apply operations

- Harrison-Ruzzo-Ullman Undecidability Result
- Whether S can ever receive right r to object O
- Comm. ACM 19(8), 1976
- Decidable if number of subjects is bounded

- Historical Impact
- Led to interest in efficiently decidable systems
- Take-Grant, DAC, RBAC
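The safety question above (can S ever receive right r to object O) can be answered by exhaustive search in the decidable case the slide mentions, where the set of subjects is fixed. The following added example (not from the talk, nor from the HRU paper) encodes a small constructed policy as HRU-style commands over a subject-object-rights matrix, then runs a breadth-first search over every reachable protection state; it terminates because no command creates subjects or objects, so the number of possible matrices is finite. The policy, subject names and object names are all constructed for illustration.

```python
from collections import deque, namedtuple
from itertools import product

# An HRU-style command: typed parameters, conditions on the matrix, primitive operations.
Command = namedtuple("Command", "name params conds ops")

SUBJECTS = ("alice", "bob", "mallory")
OBJECTS = SUBJECTS + ("payroll",)   # subjects are also objects (rights may be held on subjects)

# Constructed policy (an illustration, not from the page):
#   an owner may grant read (with a copy flag) or write, but only to subjects it 'trusts';
#   a holder of read+copy may pass read on to subjects it trusts;
#   no command ever enters 'own' or 'trusts', so those rights never spread.
COMMANDS = (
    Command("grant_read", (("x", "s"), ("y", "s"), ("o", "o")),
            (("own", "x", "o"), ("trusts", "x", "y")),
            (("enter", "read", "y", "o"), ("enter", "copy", "y", "o"))),
    Command("grant_write", (("x", "s"), ("y", "s"), ("o", "o")),
            (("own", "x", "o"), ("trusts", "x", "y")),
            (("enter", "write", "y", "o"),)),
    Command("share_read", (("x", "s"), ("y", "s"), ("o", "o")),
            (("read", "x", "o"), ("copy", "x", "o"), ("trusts", "x", "y")),
            (("enter", "read", "y", "o"),)),
    Command("revoke_write", (("x", "s"), ("y", "s"), ("o", "o")),
            (("own", "x", "o"),),
            (("remove", "write", "y", "o"),)),
)

# Initial protection state: the matrix as a set of (subject, object, right) triples (constructed).
INITIAL = frozenset({
    ("alice", "payroll", "own"),
    ("alice", "bob", "trusts"),
    ("bob", "mallory", "trusts"),
})

def successors(state):
    """Every (command name, parameter binding, next state) enabled in `state`."""
    for c in COMMANDS:
        names = [n for n, _ in c.params]
        domains = [SUBJECTS if k == "s" else OBJECTS for _, k in c.params]
        for values in product(*domains):
            env = dict(zip(names, values))
            if all((env[s], env[o], r) in state for r, s, o in c.conds):
                nxt = set(state)
                for op, r, s, o in c.ops:
                    (nxt.add if op == "enter" else nxt.discard)((env[s], env[o], r))
                yield c.name, env, frozenset(nxt)

def can_obtain(state, subject, obj, right):
    """Safety question: can `subject` ever obtain `right` on `obj`?
    Exhaustive BFS over reachable matrices; finite because subjects and objects are fixed.
    Returns the command sequence that leaks the right, or None if no reachable state has it."""
    queue, seen = deque([(state, [])]), {state}
    while queue:
        st, trace = queue.popleft()
        if (subject, obj, right) in st:
            return trace
        for name, env, nxt in successors(st):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [(name, env)]))
    return None

if __name__ == "__main__":
    for right in ("read", "write", "own"):
        print(right, can_obtain(INITIAL, "mallory", "payroll", right))
```

Running it shows that read leaks to mallory in two steps (alice grants read with copy to bob, bob shares it onward), while write and own never reach mallory because trust is not transferable under these commands. With a create-subject command the state space would be unbounded and this search would no longer be a decision procedure, which is the point of the HRU result.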

(Diagram: the access matrix, with subject Si labelling a row, object Oj labelling a column, and right r in cell (Si, Oj))

- Based on asymmetric encryption
- Key pair KA, KA^-1: one made public, one kept secret
- Text block encrypted with KA can be decrypted only with KA^-1
- Impractical to compute secret key from public key

- Digital signature
- Text string T
- Apply one-way (hash) function
- Encrypt with secret key
- Verify by decrypting with signer’s public key, compare hash result

- Public Key Certificate
- Binds name to public key, signed by trusted party

- Logical Equivalent
- “A says (KB is the public key of B)”
- … provided that KA is the public key of A

(Diagram: signing as T → h(T) → [h(T)]KA^-1, i.e. hash the text, then encrypt the hash with the secret key)

(Diagram: a public key certificate as B, KB, [h(B, KB)]KA^-1, i.e. the name and key signed by A)

- Origination:
- “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992

- Theory of says and speaks for (the ⇒ relation)
- (A ⇒ B) ⊃ ((A says s) ⊃ (B says s)) (P8)
- (A says (B ⇒ A)) ⊃ (B ⇒ A) (P10)

- Application to distributed systems
- A and B are principals: users or keys (can say something)
- A says s means: A authorizes command (operation, access) s
- A ⇒ B means: B delegates authority to A (A speaks for B)
- Certificate T,[T]KA^-1 means KA says T
- Public key certificate means KA ⇒ A
- Credentials sent from one network node to another to authorize resources
- Implemented in Taos operating system


- Policymaker
- “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy
- Identified trust management as a distinct problem
- Purpose: to define and implement policy using credentials to process queries

- Delegation Logic
- “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
- Language to express policies
- Primitives include says, delegates (speaks for with object)
- Access permission is decidable
- Logic program implementation (in Datalog)
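The says/speaks-for calculus of Lampson et al. and the Datalog-style policy engines above both come down to deriving authorization statements from credentials. The following added example (it is not code from the talk, from the Taos system or from PolicyMaker) forward-chains the two axioms quoted earlier, P8 and P10, to a fixpoint over a constructed set of credentials, then uses the result as a reference-monitor check. Signature verification is assumed to have already happened: a certificate T,[T]KA^-1 enters the fact set as "KA says T". The principal names, key names, the trust-anchor facts and the ACL are all constructed; in particular the certification authority is modelled, coarsely, as speaking for the names it certifies.

```python
def speaks_for(a, b):
    """A ⇒ B: A speaks for B (B delegates authority to A)."""
    return ("speaks_for", a, b)

def says(a, s):
    """A says s, where s is a speaks_for(...) statement or a cmd(...) request."""
    return ("says", a, s)

def cmd(op, obj):
    return ("cmd", op, obj)

def close(facts):
    """Forward-chain P8 and P10 to a fixpoint. Terminates because neither rule
    introduces a principal or a statement not already present in the fact set."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            # P10 (handoff): (A says (B ⇒ A)) ⊃ (B ⇒ A)
            if f[0] == "says" and f[2][0] == "speaks_for" and f[2][2] == f[1]:
                new.add(speaks_for(f[2][1], f[1]))
            # P8: (A ⇒ B) ⊃ ((A says s) ⊃ (B says s))
            if f[0] == "speaks_for":
                a, b = f[1], f[2]
                for g in facts:
                    if g[0] == "says" and g[1] == a:
                        new.add(says(b, g[2]))
        if new <= facts:
            return frozenset(facts)
        facts |= new

# Constructed credentials (assumptions for this example, not from the paper):
#   K_CA is the root key and the CA is trusted for B's name binding;
#   K_CA certifies K_B as B's key; B (via K_B) hands its authority to a session key K_D.
CREDENTIALS = frozenset({
    speaks_for("K_CA", "CA"),               # trust anchor: K_CA ⇒ CA
    speaks_for("CA", "B"),                  # CA trusted for the name B (coarse modelling assumption)
    says("K_CA", speaks_for("K_B", "B")),   # certificate: K_CA says (K_B ⇒ B)
    says("K_B", speaks_for("K_D", "B")),    # delegation:  K_B says (K_D ⇒ B)
})
ACL = {("read", "payroll"): {"B"}}          # constructed access control list

def authorized(credentials, requester, op, obj, acl=ACL):
    """Reference monitor: the request arrives on a channel authenticated as `requester`
    (so `requester says cmd`), and is granted if some principal named on the ACL is
    derived to say the same command."""
    derived = close(set(credentials) | {says(requester, cmd(op, obj))})
    return any(says(p, cmd(op, obj)) in derived for p in acl.get((op, obj), ()))

if __name__ == "__main__":
    print(speaks_for("K_D", "B") in close(CREDENTIALS))            # True: K_D ⇒ B is derived
    print(authorized(CREDENTIALS, "K_D", "read", "payroll"))        # True
    forged = CREDENTIALS | {says("K_M", speaks_for("K_M", "B"))}   # K_M claims to speak for B
    print(authorized(forged, "K_M", "read", "payroll"))             # False
```

The derivation runs K_CA says (K_B ⇒ B), then by P8 CA says it, then B says it, then by P10 K_B ⇒ B, and the same two steps again for K_D. The self-issued claim by K_M derives nothing, because P10 only accepts a handoff spoken by the principal whose authority is being handed off (or by a key already derived to speak for it), which is what makes the credential chain checkable rather than self-asserted.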

- Cryptographic protocol
- an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.

- Applications
- military communications, business communications, electronic commerce, privacy

- Examples
- Kerberos: MIT protocol for unitary login to network services
- SSL (Secure Socket Layer, used in Web browsers)
- IPSec: standard suite of Internet protocols due to the IETF
- SET (Secure Electronic Transaction) protocol
- PGP (Pretty Good Privacy)

- The Needham-Schroeder public-key handshake
- R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978

- A → B: {A, Na}Kb
- B → A: {Na, Nb}Ka
- A → B: {Nb}Kb
- Purpose: mutual authentication of A and B, sharing secrets Na, Nb
- This is an “Alice-and-Bob” protocol specification
- Na and Nb are nonces (used once)
- Ka is the public key of A
- The protocol is vulnerable...

Lowe's attack: A runs the protocol normally with M; M plays a false role, relaying A's messages to B under A's name (written M(A)); B thinks he's talking to A, and Nb is compromised.

- A → M: {A, Na}Km
- M(A) → B: {A, Na}Kb
- B → M(A): {Na, Nb}Ka
- M → A: {Na, Nb}Ka
- A → M: {Nb}Km
- M(A) → B: {Nb}Kb

Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” TACAS 1996, LNCS 1055

A malicious party M can forge addresses, deviate from protocol

- Reduction of Post correspondence problem
- Word pairs ui, vi for 1 ≤ i < n
- Does there exist an index sequence i1, …, ik with ui1…uik = vi1…vik?

- Construction
- Protocol with one role (or one per i)
- Compromises secret if solution exists
- Attacker cannot forge release message
- because of encryption

- Observations
- Messages are unbounded
- Construction suggested by Heintze & Tygar, 1994
- First undecidability proof by Even & Goldreich, 1983
- 1999 proof by Durgin, et al shows nonces are enough

The protocol role (with ε the empty word and · concatenation):

send {ε, ε}K
receive {X, Y}K
if X = Y, send secret
else choose i, send {X·ui, Y·vi}K
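The reduction can be exercised directly. The following added example (not from the talk or from the cited papers) runs the role above on a Post correspondence instance: because the attacker cannot forge {X,Y}K, the only ciphertexts the role ever receives are ones it produced itself, so the reachable (X, Y) pairs are exactly the concatenations along index sequences, and the secret is released exactly when a solution is reached. The search is bounded by a depth parameter, so a None answer within the bound is not a proof that the secret is safe; that is the undecidability point. Two assumptions are made: the equality test is taken to apply only to nonempty X (otherwise the initial empty pair would release the secret at once), and the two PCP instances are constructed for illustration.

```python
from collections import deque

def secret_leaks(pairs, max_depth):
    """Bounded search over the runs of the honest role on the slide.
    Returns the index sequence (i1, ..., ik) whose run releases the secret,
    or None if no such run exists within `max_depth` selections."""
    start = ("", "")                     # send {ε, ε}K
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (x, y), idx = queue.popleft()    # receive {X, Y}K
        if x and x == y:                 # if X = Y, send secret (assumption: X nonempty)
            return idx
        if len(idx) >= max_depth:
            continue
        for i, (u, v) in enumerate(pairs):   # else choose i, send {X·ui, Y·vi}K
            nxt = (x + u, y + v)
            # prune pairs that can never become equal: one side must stay a prefix of the other
            if not (nxt[0].startswith(nxt[1]) or nxt[1].startswith(nxt[0])):
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, idx + (i,)))
    return None

def words(pairs, idx):
    """The two concatenated words for an index sequence, for checking a reported solution."""
    return ("".join(pairs[i][0] for i in idx), "".join(pairs[i][1] for i in idx))

# Constructed instances
SOLVABLE = [("a", "baa"), ("ab", "aa"), ("bba", "bb")]   # has a match, e.g. indices 2,1,2,0
UNSOLVABLE = [("ab", "ba"), ("a", "b")]                  # u-words start with 'a', v-words with 'b'

if __name__ == "__main__":
    seq = secret_leaks(SOLVABLE, 6)
    print(seq, words(SOLVABLE, seq))        # the run that releases the secret
    print(secret_leaks(UNSOLVABLE, 10))     # None: no run releases the secret within the bound
```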

- Model checking
- State-space search for attacks

- Inductive proof
- Using verification tools or by hand
- Can prove protocols correct (for abstract encryption)

- Belief-logic proofs
- BAN logic and successors
- For authentication properties

- Linear Logic
- Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
- Constructive, used to model state-transition systems

- Application to cryptographic protocols
- Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop
- Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)

- State-transition rules
- F1, …, Fk → ∃x1, …, xm. G1, …, Gn
- State is a multiset of “facts” Fi, predicates over terms
- Rule matches facts on left side with variable substitution
- Variables xi are instantiated with new symbols (like nonce!)
- Left-side facts are replaced by right-side facts in multiset

- Implementation of linear logic model
- Special term and fact types for cryptographic protocols
- Symbols for principals, keys, and nonces
- Terms for encryption and concatenation
- Facts for protocol process state, messages
- Multiset holds current states of many concurrent protocol sessions

- Example: A sends message A,{A}K (to B) with new K
- A0(A,B) → ∃K. A1(A,B,K), M({A}K)
- Attacker rules eavesdrop, construct false messages, e.g.,
- M({A}K), M(K) → M({A}K), M(K), M(A)
- Attacker model is standardized

- MSR model applied as intermediate language
- CAPSL MSR analysis tools (Millen, Denker 1999)
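The rule semantics described on the previous slides (match left-side facts with a variable substitution, instantiate the existentially bound variables with symbols never used before, replace the matched facts by the right-side facts in the multiset) is small enough to implement directly. The following added example (not the CAPSL or LLF tooling, and not code from the cited paper) is a minimal multiset rewriting engine run on the two rules quoted on the slide: the A0 → A1 step that generates a fresh key K, and the attacker's decryption rule. Variables are written with a leading "?"; the initial multiset is constructed and also contains a message under a key kab that the attacker already holds, so that the decryption rule has something to fire on while the freshly generated K stays out of its reach. Since the attacker rule reproduces its own left side, an instance is only fired when it adds a fact not already present, which keeps the closure finite.

```python
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "name left fresh right")   # left/right: fact patterns; fresh: ∃-bound variables

def is_var(x):
    return isinstance(x, str) and x.startswith("?")

def match(pat, term, sub):
    """Extend substitution `sub` so that pat[sub] == term, or return None."""
    if is_var(pat):
        if pat in sub:
            return sub if sub[pat] == term else None
        return {**sub, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            sub = match(p, t, sub)
            if sub is None:
                return None
        return sub
    return sub if pat == term else None

def subst(pat, sub):
    if isinstance(pat, tuple):
        return tuple(subst(p, sub) for p in pat)
    return sub.get(pat, pat)

def matches(left, ms, sub):
    """All substitutions matching the left-hand patterns against distinct copies of facts in `ms`."""
    if not left:
        yield sub
        return
    for fact in list(ms):
        s = match(left[0], fact, sub)
        if s is not None:
            rest = ms.copy()
            rest[fact] -= 1
            if rest[fact] == 0:
                del rest[fact]
            yield from matches(left[1:], rest, s)

def step(ms, rules, counter):
    """Fire the first rule instance that adds a fact not already present.
    Returns (rule name, new multiset) or None when no rule applies."""
    for rule in rules:
        for sub in matches(rule.left, ms, {}):
            sub = dict(sub)
            for v in rule.fresh:                 # ∃x: bind x to a symbol never used before (like a nonce)
                counter[v] += 1
                sub[v] = f"{v[1:]}{counter[v]}"
            new = ms.copy()
            for p in rule.left:                  # left-side facts are removed from the multiset
                f = subst(p, sub)
                new[f] -= 1
                if new[f] == 0:
                    del new[f]
            for p in rule.right:                 # right-side facts are added
                new[subst(p, sub)] += 1
            if set(new) - set(ms):
                return rule.name, new
    return None

def run(ms, rules, max_steps=50):
    """Rewrite to a fixpoint (or the step bound); returns the rule trace and the final multiset."""
    ms, counter, trace = Counter(ms), Counter(), []
    for _ in range(max_steps):
        fired = step(ms, rules, counter)
        if fired is None:
            break
        name, ms = fired
        trace.append(name)
    return trace, ms

# The two rules from the slide. M(t) means the attacker (network) holds term t.
RULES = (
    # A0(A,B) → ∃K. A1(A,B,K), M({A}K)
    Rule("A-send", (("A0", "?A", "?B"),), ("?K",),
         (("A1", "?A", "?B", "?K"), ("M", ("enc", "?A", "?K")))),
    # M({X}K), M(K) → M({X}K), M(K), M(X)
    Rule("M-decrypt", (("M", ("enc", "?X", "?K")), ("M", "?K")), (),
         (("M", ("enc", "?X", "?K")), ("M", "?K"), ("M", "?X"))),
)
# Constructed initial multiset: one session ready to start, plus a message under a compromised key kab.
INITIAL = {("A0", "a", "b"): 1, ("M", ("enc", "a", "kab")): 1, ("M", "kab"): 1}

if __name__ == "__main__":
    trace, final = run(INITIAL, RULES)
    print(trace)                # ['A-send', 'M-decrypt']
    print(sorted(final, key=repr))
```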

- State-space search for reachability of insecure states
- History: back to 1984, Interrogator program in Prolog
- Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
- Prolog programs were interactive

- General-purpose model-checkers
- Search automatically given initial conditions, bounds
- Iterative bounded-depth search
- Roscoe and Lowe used FDR (model-checker for CSP), 1995
- Mitchell, et al used Murphi, 1997
- Clarke, et al used SMV, 1998
- Denker, Meseguer, Talcott used Maude, 1998
- Successful at finding previously unknown vulnerabilities!
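The state-space search these tools perform can be shown in miniature on the Needham-Schroeder handshake from earlier in the talk. The following added example (not FDR, Murphi, SMV or Maude, and not code from any of the cited papers) models one initiator run of A, one responder run of B, and an attacker M who holds its own key pair, learns everything sent, and can deliver any ciphertext it already holds or can build from known atoms under a public key. A breadth-first search looks for a state in which B has completed a run believing its peer is A while M knows Nb; with the original message 2 it finds Lowe's interleaving, and with Lowe's repair (B's name added to message 2, which A checks against its intended peer) it finds none within the bound. The attacker model is a simplification chosen for this example: message synthesis is pattern-directed (M only builds ciphertexts of the shape the receiving role expects), nonces and names are fixed atoms, and the bound is one session per role.

```python
import itertools
from collections import deque

HONEST, ATTACKER = ("A", "B"), "M"
NAMES = HONEST + (ATTACKER,)

def pk(name):
    return ("pk", name)

def enc(content, key):
    """Public-key encryption as a symbolic term; content is a tuple of atoms."""
    return ("enc", content, key)

def is_enc(t):
    return isinstance(t, tuple) and t[0] == "enc"

def analyze(know):
    """Attacker analysis: atoms inside ciphertexts under M's own key are learned."""
    know = set(know)
    for t in list(know):
        if is_enc(t) and t[2] == pk(ATTACKER):
            know.update(t[1])
    return frozenset(know)

def synth(know, receiver, shape):
    """Ciphertexts the attacker can deliver to `receiver` whose plaintext fits `shape`
    (a fixed atom per slot, or None for any known atom): a ciphertext it already holds
    (forwarding) or one it builds itself from known atoms."""
    out = set()
    for t in know:
        if is_enc(t) and t[2] == pk(receiver) and len(t[1]) == len(shape) \
                and all(s is None or s == c for s, c in zip(shape, t[1])):
            out.add(t)
    atoms = sorted(x for x in know if isinstance(x, str))
    if all(s is None or s in know for s in shape):
        slots = [atoms if s is None else [s] for s in shape]
        for content in itertools.product(*slots):
            out.add(enc(tuple(content), pk(receiver)))
    return sorted(out, key=repr)

def steps(state, fixed):
    """Honest-agent transitions. `fixed` selects Lowe's repaired message 2,
    {Na, Nb, B}Ka, which A checks against the peer it started the run with."""
    a, b, know = state
    if a[0] == "init":
        for peer in ("B", ATTACKER):                       # A may start a run with B or with M
            m = enc(("A", "Na"), pk(peer))
            yield f"A -> {peer}: {m}", (("wait", peer), b, analyze(know | {m}))
    elif a[0] == "wait":
        peer = a[1]
        shape = ("Na", None, peer) if fixed else ("Na", None)
        for m in synth(know, "A", shape):
            nb = m[1][1]
            reply = enc((nb,), pk(peer))
            yield f"A <- {m}; A -> {peer}: {reply}", (("done", peer, nb), b, analyze(know | {reply}))
    if b[0] == "init":
        for m in synth(know, "B", (None, None)):
            peer, na = m[1]
            if peer not in NAMES:
                continue
            reply = enc((na, "Nb", "B") if fixed else (na, "Nb"), pk(peer))
            yield f"B <- {m}; B -> {peer}: {reply}", (a, ("wait", peer), analyze(know | {reply}))
    elif b[0] == "wait":
        for m in synth(know, "B", ("Nb",)):
            yield f"B <- {m}", (a, ("done", b[1]), know)

def find_attack(fixed, max_depth=8):
    """BFS for a state where B finished a run believing it talked to A while the
    attacker knows Nb. Returns the trace, or None if unreachable within the bound."""
    start = (("init",), ("init",), analyze(frozenset(NAMES + ("Nm",))))   # M's initial knowledge (constructed)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, trace = queue.popleft()
        _, b, know = state
        if b[0] == "done" and b[1] == "A" and "Nb" in know:
            return trace
        if len(trace) >= max_depth:
            continue
        for label, nxt in steps(state, fixed):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None

if __name__ == "__main__":
    for fixed in (False, True):
        print("repaired" if fixed else "original", find_attack(fixed))
```

The trace reported for the original protocol is the four-step interleaving from Lowe's paper (A starts with M; M replays to B; B's reply is forwarded to A; A decrypts Nb for M). Absence of a trace for the repaired protocol is only a result within this bound and this attacker model, which is the usual caveat for model checking as opposed to the inductive proofs discussed on the later slides.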

- Different objectives and assumptions
- Fairness objectives: contract signing, proofs of receipt, fair exchange
- Applications to electronic commerce
- Parties are mutually distrustful, network well-behaved, no intruder
- Trusted third party to resolve detected breaches

- Alternating Temporal Logic application
- Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000
- Used model checker MOCHA

- Example Objective
- ¬<<B,Com>> ◇ (NRO ∧ ¬<<A>> ◇ NRR)
- Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

- State-transition model similar to model checking approaches
- Application of general-purpose specification and verification tools
- Influential Examples:
- R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).
- L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)

- Paulson’s approach inspired others
- Bolignano (using Coq), Millen (using PVS)

- Papers
- Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990
- Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy

- Approach
- Modal logic of belief plus specialized predicates and inference rules
- Protocol messages are “idealized” into logical statements
- Objective is to prove that both parties share common beliefs

- Idealization
- A → B: {A, K, B}KB becomes
- B sees {good-key(A, K, B)}KB

- Objective
- Infer that B believes A said good-key(A, K, B)

(In BAN notation: B |≡ A |~ A ↔K B, i.e. B believes A said that K is a good key for A and B)

- Example
- P believes fresh(X), P believes Q said X |- P believes Q believes X

- Assumption
- Protocol idealization must be consistent with beliefs about confidentiality

- Problem
- Observed by Nessett right away for digital signature example
- Good key must not be given away accidentally (or on purpose)
- Takes deep analysis to determine this

- Needham-Schroeder Public Key protocol proved correct (!!??)

- These logics are still used because:
- They are efficiently decidable
- They help to understand the protocol
- They can be used manually

- Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design
- Several unusual or specialized logical systems have application to computer security
- Cryptographic protocol analysis is an active, fertile area for logic applications