## PowerPoint Slideshow about 'Applications of Logic in Computer Security' - Solomon


Areas of Application

- Multilevel Operating System Security
- “Orange Book,” Commercial Trusted Product Evaluation, A1-level
- Emphasis on secrecy, security/clearance levels
- Access Control Policies
- Discretionary or role-based policies
- Emphasis on application-specific policies, integrity
- Public-Key Infrastructure and Trust Management
- Network and distributed system security
- Digitally signed certificates for identity and privileges
- Cryptographic Authentication Protocols
- For network communication confidentiality and authentication
- Other areas: databases, firewalls/routers, intrusion detection

(Slide labels: Computer Security, Network Security)

Contributions of Logic

- Undecidability Results
- Safety problem for discretionary access control
- Cryptographic protocol analysis
- Theorem Proving Environments
- Verifying correctness of formal OS specifications
- Inductive proofs of cryptographic protocols
- Logic Programming
- Prolog programs for cryptographic protocol analysis, trust management
- Model Checking
- For cryptographic protocol analysis
- Specialized Logics
- For cryptographic protocol analysis, trust management

Multilevel Operating System Security

- Motivated by protection of classified information in shared systems
- High-assurance (A1) systems may protect Secret data from uncleared users
- Architecture: trusted OS kernel, hardware support
- Abstract system model of access control: Bell-LaPadula (ca. 1975)
- Structured state-transition system: subject-object access matrix, levels
- Security invariants and transition rules (for OS functions)
- “Formal Top-Level Specification” (FTLS)
- More detailed state-transition system
- Formal Proofs:
- Model transitions satisfy invariants
- FTLS is an interpretation of the system model
- Carried out in environments like Gypsy, FDM, HDM
- Some FTLS errors reflected in code were discovered
- Of Historical Interest

Access Control Policies

- Safety Problem
- Subject-object-rights matrix
- “rights” were arbitrary, representing different kinds of access
- Operations: create/delete subjects, objects; enter/remove rights
- System of conditional rules to apply operations
- Harrison-Ruzzo-Ullman Undecidability Result
- Whether S can ever receive right r to object O
- Comm. ACM 19(8), 1976
- Decidable if number of subjects is bounded
- Historical Impact
- Led to interest in efficiently decidable systems
- Take-Grant, DAC, RBAC

(Figure: access matrix with subject rows Si, object columns Oj, and entry r)

Public-Key Certificates

- Based on asymmetric encryption
- Key pair KA, KA-1: one made public, one kept secret
- Text block encrypted with KA can be decrypted only with KA-1.
- Impractical to compute secret key from public key
- Digital signature
- Text string T
- Apply one-way (hash) function
- Encrypt with secret key
- Verify by decrypting with signer’s public key, compare hash result
- Public Key Certificate
- Binds name to public key, signed by trusted party
- Logical Equivalent
- “A says (KB is the public key of B)”
- … provided that KA is the public key of A

(Figure: digital signature built from T, h(T), [h(T)]KA-1; public key certificate of the form B,KB,[h(B,KB)]KA-1)

Logic of Distributed Authentication

- Origination:
- “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992
- Theory of says and speaks for ( relation)
- (A B) ((A says s) (B says s)) (P8)
- (A says (B A)) (B A) (P10)
- Application to distributed systems
- A and B are principals: users or keys (can say something)
- A says s means: A authorizes command (operation, access) s
- A B means: B delegates authority to A
- Certificate T,[T]KA-1 means KA says T
- Public key certificate means KA A
- Credentials sent from one network node to another to authorize resources
- Implemented in Taos operating system

Trust Management

- Policymaker
- “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy
- Identified trust management as a distinct problem
- Purpose: to define and implement policy using credentials to process queries
- Delegation Logic
- “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
- Language to express policies
- Primitives include says, delegates (speaks for with object)
- Access permission is decidable
- Logic program implementation (in Datalog)

Cryptographic Protocols

- Cryptographic protocol
- an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.
- Applications
- military communications, business communications, electronic commerce, privacy
- Examples
- Kerberos: MIT protocol for unitary login to network services
- SSL (Secure Socket Layer, used in Web browsers)
- IPSec: standard suite of Internet protocols due to the IETF
- SET (Secure Electronic Transaction) protocol
- PGP (Pretty Good Privacy)

A Popular Example

- The Needham-Schroeder public-key handshake
- R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978
- A B: {A, Na}Kb
- B A: {Na, Nb}Ka
- A B: {Nb}Kb
- Purpose: mutual authentication of A and B, sharing secrets Na, Nb
- This is an “Alice-and-Bob” protocol specification
- Na and Nb are nonces (used once)
- Ka is the public key of A
- The protocol is vulnerable...

The Attack

- Parties: A (normal), M (false), B (thinks he’s talking to A, Nb is compromised)
- Messages between A and M, in order: {A,Na}Km, {Na,Nb}Ka, {Nb}Km
- Messages between M and B, in order: {A,Na}Kb, {Na,Nb}Ka, {Nb}Kb
- Reference: Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” TACAS 1996, LNCS 1055

A malicious party M can forge addresses, deviate from protocol
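
The trace on this slide, replayed in a symbolic model as an added example (not part of the original slides). Encryption is modelled as a tagged tuple that only the named key owner can open; `lowe_fix=True` applies the correction from Lowe's cited paper, where B puts his own identity in the second message. The function and field names are assumptions of this sketch.

```python
def enc(owner, *fields):
    """Symbolic public-key encryption: only `owner` can open the result."""
    return ("enc", owner, fields)

def dec(me, msg):
    _, owner, fields = msg
    if owner != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {owner}")
    return fields

def replay_slide_trace(lowe_fix):
    na, nb = "Na", "Nb"                 # constructed nonce symbols
    m_knows = set()
    a_peer = "M"                        # A deliberately starts a normal run with M

    msg1 = enc(a_peer, "A", na)         # A to M: {A,Na}Km
    claimed, n = dec("M", msg1)
    m_knows.add(n)
    msg1b = enc("B", claimed, n)        # M, posing as A, to B: {A,Na}Kb

    b_peer, b_na = dec("B", msg1b)      # B believes the initiator is A
    # B replies {Na,Nb}Ka; with the fix the reply is {B,Na,Nb}Ka.
    msg2 = enc(b_peer, "B", b_na, nb) if lowe_fix else enc(b_peer, b_na, nb)
    # M cannot open msg2 (it is encrypted under Ka), so it forwards it unchanged.

    fields = dec("A", msg2)
    if lowe_fix:
        responder, got_na, got_nb = fields
        a_ok = responder == a_peer and got_na == na   # "B" != "M": A aborts
    else:
        got_na, got_nb = fields
        a_ok = got_na == na             # nothing ties the reply to a responder
    if not a_ok:
        return {"a_completes": False, "b_accepts_as": None, "m_learns_nb": False}

    msg3 = enc(a_peer, got_nb)          # A to M: {Nb}Km
    (leaked,) = dec("M", msg3)
    m_knows.add(leaked)
    msg3b = enc("B", leaked)            # M, posing as A, to B: {Nb}Kb
    (final,) = dec("B", msg3b)
    return {"a_completes": True,
            "b_accepts_as": b_peer if final == nb else None,
            "m_learns_nb": nb in m_knows}
```

With the original message 2, B finishes the run believing his peer is A while M holds Nb; with the responder identity included, A sees a reply naming B in a session she opened with M and stops before releasing Nb.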

Undecidable in General

- Reduction of Post correspondence problem
- Word pairs ui, vi for 1 i < n
- Does there exist ui1...uik = vi1...vik?
- Construction
- Protocol with one role (or one per i)
- Compromises secret if solution exists
- Attacker cannot forge release message
- because of encryption
- Observations
- Messages are unbounded
- Construction suggested by Heintze & Tygar, 1994
- First undecidability proof by Even & Goldreich, 1983
- 1999 proof by Durgin, et al shows nonces are enough

Protocol role (slide diagram):

    send {,}K
    receive {X,Y}K
    if X = Y, send secret
    else choose i, send {Xui,Yvi}K

Analysis Approaches

- Model checking
- State-space search for attacks
- Inductive proof
- Using verification tools or by hand
- Can prove protocols correct (for abstract encryption)
- Belief-logic proofs
- BAN logic and successors
- For authentication properties

Linear Logic Model

- Linear Logic
- Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
- Constructive, used to model state-transition systems
- Application to cryptographic protocols
- Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop
- Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)
- State-transition rules
- F1, …, Fkx1, …, xm. G1, …, Gn
- State is a multiset of “facts” Fi, predicates over terms
- Rule matches facts on left side with variable substitution
- Variables xi are instantiated with new symbols (like nonce!)
- Left-side facts are replaced by right-side facts in multiset

The MSR Model

- Implementation of linear logic model
- Special term and fact types for cryptographic protocols
- Symbols for principals, keys, and nonces
- Terms for encryption and concatenation
- Facts for protocol process state, messages
- Multiset holds current states of many concurrent protocol sessions
- Example: A sends message A,{A}K (to B) with new K
- A0(A,B) (K) A1(A,B,K),M({A}K)
- Attacker rules eavesdrop, construct false messages, e.g.,
- M({A}K),M(K) M({A}K),M(K),M(A)
- Attacker model is standardized
- MSR model applied as intermediate language
- CAPSL MSR analysis tools (Millen, Denker 1999)
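
The two rules on this slide, run as multiset rewriting in an added example (not part of the original slides and not the CAPSL tools' code). The state is a `Counter` of facts; the role rule consumes an A0 fact and instantiates K with a new symbol, and the attacker rule adds M(X) when both M({X}K) and M(K) are present. Function names, the tuple encoding of facts and the sample principals are assumptions of this sketch.

```python
from collections import Counter
from itertools import count

def fresh_symbols(prefix="k"):
    c = count(1)
    return lambda: f"{prefix}{next(c)}"

def step_a0(state, new_sym):
    """Role rule: replace one A0(A,B) fact by A1(A,B,K) and M({A}K),
    where K is instantiated with a new symbol."""
    for fact in state:
        if fact[0] == "A0":
            _, a, b = fact
            k = new_sym()
            nxt = state.copy()
            nxt[fact] -= 1
            nxt[("A1", a, b, k)] += 1
            nxt[("M", ("enc", a, k))] += 1
            return +nxt                       # drop facts whose count reached 0
    return None                               # no fact matches the left side

def step_decrypt(state):
    """Attacker rule: M({X}K) and M(K) are kept, M(X) is added.
    Skipping an X that is already known is a termination convenience added here."""
    for fact in state:
        if fact[0] == "M" and isinstance(fact[1], tuple) and fact[1][0] == "enc":
            _, x, k = fact[1]
            if state[("M", k)] > 0 and state[("M", x)] == 0:
                nxt = state.copy()
                nxt[("M", x)] += 1
                return nxt
    return None

def demo():
    new_sym = fresh_symbols()
    s = Counter({("A0", "a", "b"): 2})        # two concurrent sessions (constructed)
    s = step_a0(s, new_sym)
    s = step_a0(s, new_sym)                   # each session gets its own fresh key
    blocked = step_decrypt(s) is None         # no M(K) fact: attacker rule cannot fire
    s[("M", "k1")] += 1                       # constructed key compromise
    s = step_decrypt(s)
    return s, blocked
```

Because each K is a new symbol, the attacker rule has nothing to match until a key fact is placed in the multiset, which is how the model separates what the protocol leaks from what the attacker is assumed to hold.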

Model Checking Tools

- State-space search for reachability of insecure states
- History: back to 1984, Interrogator program in Prolog
- Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
- Prolog programs were interactive
- General-purpose model-checkers
- Search automatically given initial conditions, bounds
- Iterative bounded-depth search
- Roscoe and Lowe used FDR (model-checker for CSP), 1995
- Mitchell, et al used Murphi, 1997
- Clarke, et al used SMV, 1998
- Denker, Meseguer, Talcott used Maude, 1998
- Successful at finding previously unknown vulnerabilities!

Non-Repudiation Protocols

- Different objectives and assumptions
- Fairness objectives: contract signing, proofs of receipt, fair exchange
- Applications to electronic commerce
- Parties are mutually distrustful, network well-behaved, no intruder
- Trusted third party to resolve detected breaches
- Alternating Temporal Logic application
- Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000
- Used model checker MOCHA
- Example Objective
- <<B,Com>> (NRO <<A>> NRR)
- Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

Inductive Proofs

- State-transition model similar to model checking approaches
- Application of general-purpose specification and verification tools
- Influential Examples:
- R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).
- L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)
- Paulson’s approach inspired others
- Bolignano (using Coq), Millen (using PVS)

BAN Logic

- Papers
- Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990
- Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy
- Approach
- Modal logic of belief plus specialized predicates and inference rules
- Protocol messages are “idealized” into logical statements
- Objective is to prove that both parties share common beliefs
- Idealization
- A B: {A, K, B}KB becomes
- B sees {good-key(A, K, B)}KB
- Objective
- Infer that B believes A said good-key(A, K, B)

(Slide formula in BAN notation for the objective above, symbols lost in extraction: B | A |~ A B, labelled K)

Inferences and Problems

- Example
- P believes fresh(X), P believes Q said X |- P believes Q believes X
- Assumption
- Protocol idealization must be consistent with beliefs about confidentiality
- Problem
- Observed by Nessett right away for digital signature example
- Good key must not be given away accidentally (or on purpose)
- Takes deep analysis to determine this
- Needham-Schroeder Public Key protocol proved correct (!!??)
- These logics are still used because:
- They are efficiently decidable
- They help to understand the protocol
- They can be used manually

Summary

- Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design
- Several unusual or specialized logical systems have application to computer security
- Cryptographic protocol analysis is an active, fertile area for logic applications
