applications of logic in computer security l.
Skip this Video
Loading SlideShow in 5 Seconds..
Applications of Logic in Computer Security PowerPoint Presentation
Download Presentation
Applications of Logic in Computer Security

Loading in 2 Seconds...

play fullscreen
1 / 21

Applications of Logic in Computer Security - PowerPoint PPT Presentation

  • Uploaded on

Applications of Logic in Computer Security Jonathan Millen SRI International Areas of Application Multilevel Operating System Security “Orange Book,” Commercial Trusted Product Evaluation, A1-level Emphasis on secrecy, security/clearance levels Access Control Policies

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Applications of Logic in Computer Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
applications of logic in computer security

Applications of Logic in Computer Security

Jonathan Millen

SRI International

areas of application
Areas of Application
  • Multilevel Operating System Security
    • “Orange Book,” Commercial Trusted Product Evaluation, A1-level
    • Emphasis on secrecy, security/clearance levels
  • Access Control Policies
    • Discretionary or role-based policies
    • Emphasis on application-specific policies, integrity
  • Public-Key Infrastructure and Trust Management
    • Network and distributed system security
    • Digitally signed certificates for identity and privileges
  • Cryptographic Authentication Protocols
    • For network communication confidentiality and authentication
  • Other areas: databases, firewalls/routers, intrusion detection

Computer Security

Network Security

contributions of logic
Contributions of Logic
  • Undecidability Results
    • Safety problem for discretionary access control
    • Cryptographic protocol analysis
  • Theorem Proving Environments
    • Verifying correctness of formal OS specifications
    • Inductive proofs of cryptographic protocols
  • Logic Programming
    • Prolog programs for cryptographic protocol analysis, trust management
  • Model Checking
    • For cryptographic protocol analysis
  • Specialized Logics
    • For cryptographic protocol analysis, trust management
multilevel operating system security
Multilevel Operating System Security
  • Motivated by protection of classified information in shared systems
    • High-assurance (A1) systems may protect Secret data from uncleared users
    • Architecture: trusted OS kernel, hardware support
  • Abstract system model of access control: Bell-LaPadula (ca. 1975)
    • Structured state-transition system: subject-object access matrix, levels
    • Security invariants and transition rules (for OS functions)
  • “Formal Top-Level Specification” (FTLS)
    • More detailed state-transition system
  • Formal Proofs:
    • Model transitions satisfy invariants
    • FTLS is an interpretation of the system model
    • Carried out in environments like Gypsy, FDM, HDM
    • Some FTLS errors reflected in code were discovered
  • Of Historical Interest
access control policies
Access Control Policies
  • Safety Problem
    • Subject-object-rights matrix
    • “rights” were arbitrary, representing different kinds of access
    • Operations: create/delete subjects, objects; enter/remove rights
    • System of conditional rules to apply operations
  • Harrison-Ruzzo-Ullman Undecidability Result
    • Whether S can ever receive right r to object O
    • Comm. ACM 19(8), 1976
    • Decidable if number of subjects is bounded
  • Historical Impact
    • Led to interest in efficiently decidable systems
    • Take-Grant, DAC, RBAC




public key certificates
Public-Key Certificates
  • Based on asymmetric encryption
    • Key pair KA, KA-1: one made public, one kept secret
    • Text block encrypted with KA can be decrypted only with KA-1 .
    • Impractical to compute secret key from public key
  • Digital signature
    • Text string T
    • Apply one-way (hash) function
    • Encrypt with secret key
    • Verify by decrypting with signer’s public key, compare hash result
  • Public Key Certificate
    • Binds name to public key, signed by trusted party
  • Logical Equivalent
    • “A says (KB is the public key of B)”
    • … provided that KA is the public key of A

T  h(T)  [h(T)]KA-1


logic of distributed authentication
Logic of Distributed Authentication
  • Origination:
    • “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992
  • Theory of says and speaks for ( relation)
    • (A  B)  ((A says s)  (B says s)) (P8)
    • (A says (B  A))  (B  A) (P10)
  • Application to distributed systems
    • A and B are principals: users or keys (can say something)
    • A says s means: A authorizes command (operation, access) s
    • A  B means: B delegates authority to A
    • Certificate T,[T] KA-1 means KAsays T
    • Public key certificate means KA A
    • Credentials sent from one network node to another to authorize resources
    • Implemented in Taos operating system


trust management
Trust Management
  • Policymaker
    • “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy
    • Identified trust management as a distinct problem
    • Purpose: to define and implement policy using credentials to process queries
  • Delegation Logic
    • “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
    • Language to express policies
    • Primitives include says, delegates (speaks for with object)
    • Access permission is decidable
    • Logic program implementation (in Datalog)
cryptographic protocols
Cryptographic Protocols
  • Cryptographic protocol
    • an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.
  • Applications
    • military communications, business communications, electronic commerce, privacy
  • Examples
    • Kerberos: MIT protocol for unitary login to network services
    • SSL (Secure Socket Layer, used in Web browsers)
    • IPSec: standard suite of Internet protocols due to the IETF
    • SET (Secure Electronic Transaction) protocol
    • PGP (Pretty Good Privacy)
a popular example
A Popular Example
  • The Needham-Schroeder public-key handshake
    • R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978
  • A  B: {A, Na}Kb
  • B  A: {Na, Nb}Ka
  • A  B: {Nb}Kb
  • Purpose: mutual authentication of A and B, sharing secrets Na, Nb
  • This is an “Alice-and-Bob” protocol specification
  • Na and Nb are nonces (used once)
  • Ka is the public key of A
  • The protocol is vulnerable...
the attack
The Attack






(thinks he’s

talking to A,

Nb is compromised)







Lowe, “Breaking and Fixing the Needham-Schroeder Public Key

Protocol Using FDR” TACAS 1996, LNCS 1055

A malicious party M can forge addresses, deviate from protocol

undecidable in general
Undecidable in General
  • Reduction of Post correspondence problem
    • Word pairs ui, vi for 1  i < n
    • Does there exist ui1...uik = vi1...vik?
  • Construction
    • Protocol with one role (or one per i)
    • Compromises secret if solution exists
    • Attacker cannot forge release message
      • because of encryption
  • Observations
    • Messages are unbounded
    • Construction suggested by Heintze & Tygar, 1994
    • First undecidability proof by Even & Goldreich, 1983
    • 1999 proof by Durgin, et al shows nonces are enough

send {,}K

receive {X,Y}K

if X = Y , send secret

else choose i,

send {Xui,Yvi}K

analysis approaches
Analysis Approaches
  • Model checking
    • State-space search for attacks
  • Inductive proof
    • Using verification tools or by hand
    • Can prove protocols correct (for abstract encryption)
  • Belief-logic proofs
    • BAN logic and successors
    • For authentication properties
linear logic model
Linear Logic Model
  • Linear Logic
    • Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
    • Constructive, used to model state-transition systems
  • Application to cryptographic protocols
    • Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop
    • Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)
  • State-transition rules
    • F1, …, Fkx1, …, xm. G1, …, Gn
    • State is a multiset of “facts” Fi, predicates over terms
    • Rule matches facts on left side with variable substitution
    • Variables xi are instantiated with new symbols (like nonce!)
    • Left-side facts are replaced by right-side facts in multiset
the msr model
The MSR Model
  • Implementation of linear logic model
  • Special term and fact types for cryptographic protocols
    • Symbols for principals, keys, and nonces
    • Terms for encryption and concatenation
    • Facts for protocol process state, messages
    • Multiset holds current states of many concurrent protocol sessions
  • Example: A sends message A,{A}K (to B) with new K
  • A0(A,B)  (K) A1(A,B,K),M({A}K)
  • Attacker rules eavesdrop, construct false messages, e.g.,
  • M({A}K),M(K)  M({A}K),M(K),M(A)
    • Attacker model is standardized
  • MSR model applied as intermediate language
    • CAPSL  MSR  analysis tools (Millen, Denker 1999)
model checking tools
Model Checking Tools
  • State-space search for reachability of insecure states
    • History: back to 1984, Interrogator program in Prolog
    • Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
    • Prolog programs were interactive
  • General-purpose model-checkers
    • Search automatically given initial conditions, bounds
    • Iterative bounded-depth search
    • Roscoe and Lowe used FDR (model-checker for CSP), 1995
    • Mitchell, et al used Murphi, 1997
    • Clarke, et al used SMV, 1998
    • Denker, Meseguer, Talcott used Maude, 1998
    • Successful at finding previously unknown vulnerabilities!
non repudiation protocols
Non-Repudiation Protocols
  • Different objectives and assumptions
    • Fairness objectives: contract signing, proofs of receipt, fair exchange
    • Applications to electronic commerce
    • Parties are mutually distrustful, network well-behaved, no intruder
    • Trusted third party to resolve detected breaches
  • Alternating Temporal Logic application
    • Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000
    • Used model checker MOCHA
  • Example Objective
    • <<B,Com>> (NRO <<A>> NRR)
    • Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt
inductive proofs
Inductive Proofs
  • State-transition model similar to model checking approaches
  • Application of general-purpose specification and verification tools
  • Influential Examples:
    • R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).
    • L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)
  • Paulson’s approach inspired others
    • Bolignano (using Coq), Millen (using PVS)
ban logic
BAN Logic
  • Papers
    • Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990
    • Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy
  • Approach
    • Modal logic of belief plus specialized predicates and inference rules
    • Protocol messages are “idealized” into logical statements
    • Objective is to prove that both parties share common beliefs
  • Idealization
    • A  B: {A, K, B}KBbecomes
    • B sees {good-key(A, K, B)}KB
  • Objective
    • Infer that B believes A saidgood-key(A, K, B)

B | A |~ A  B


inferences and problems
Inferences and Problems
  • Example
    • P believes fresh(X), P believes Q said X |- P believes Q believes X
  • Assumption
    • Protocol idealization must be consistent with beliefs about confidentiality
  • Problem
    • Observed by Nessett right away for digital signature example
      • Good key must not be given away accidentally (or on purpose)
      • Takes deep analysis to determine this
    • Needham-Schroeder Public Key protocol proved correct (!!??)
  • These logics are still used because:
    • They are efficiently decidable
    • They help to understand the protocol
    • They can be used manually
  • Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design
  • Several unusual or specialized logical systems have application to computer security
  • Cryptographic protocol analysis is an active, fertile area for logic applications