
### Belief Semantics of Authorization Logic

Andrew Hirsch and Michael Clarkson

George Washington University

Cornell University

DCAPS

January 24, 2014

Formal Reasoning about Authorization

Standard policies: DAC, MAC, …

Formula-based policies:

- determine access decision on basis of whether properties hold
- specify why access should be permitted
- useful in distributed systems

[Figure: MAC lattice Top Secret > Secret > Confidential > Unclassified, with "no read up" and "no write down"]

Clarkson: Belief Semantics of Authorization Logic

Credentials-based Authorization

a.k.a. claims-based authorization and proof-carrying authorization

[Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]

- Credential: claim or belief about world; credentials φ, ψ, … are formulas in authorization logic
- Goal formula α: must be satisfied to grant request
- Guard: uses logical inference to derive goal formula α from credentials φ, ψ, …

this work: increase trustworthiness of reasoning in authorization logic

Increased Trustworthiness

[Hirsch and Clarkson, CCS 2013]

- New belief semantics for authorization logic
  - purpose of semantics: interpret formulas in model of real world
  - standard Kripke semantics: requires technical machinery not related to real world
  - belief semantics: way to interpret formulas in a straightforward, systems-oriented model; belief subsumes Kripke
- Sound proof system for both semantics
  - proof system "has no bugs"
  - found unsoundness in existing logic
- Machine-checked proof of soundness
  - proof that "proof system 'has no bugs'" itself has no bugs

FOCAL

- First-Order:
  - quantifiers: ∀ ∃
  - functions, relations
- Constructive:
  - connectives: ∧ ∨ ⇒ ¬
- Authorization Logic:
  - attribution of beliefs: says
  - delegation: speaksfor

FOCAL = NAL with some features removed [Schneider, Walsh & Sirer 2011]

FOCAL = CDD with some features added [Abadi 2007]

this talk ignores FOC fragment

Authorization Logic (Review)

Two distinguishing features:

- Attribute beliefs to principals: p says φ
  - source matters: p says φ and q says φ aren't the same
  - not all-seeing: φ holds doesn't mean p says φ
  - not infallible: maybe p says φ but φ doesn't hold

[Illustration: a principal says "winter is coming"]

How do principals form beliefs?

- Start with initial beliefs
- Add to beliefs by:
  - querying state of system
  - receiving credentials from other principals
- Infer new beliefs by logical inference from existing beliefs
- Worldview: snapshot of principal's beliefs [Schneider, Walsh & Sirer 2011]

- Enable delegation between principals: p speaksfor q
  - …if p says something, it's as if q says it, too
  - worldview(p) ⊆ worldview(q)

[Illustration: the king delegates to the envoy: Envoy speaksfor King on {treaties}, an example of restricted delegation]

Example:

Goal formula: King says OpenChest

Credentials:

- King says Envoy speaksfor King
- Envoy says OpenChest

therefore Envoy speaksfor King

therefore King says OpenChest

therefore goal formula satisfied and chest is opened

Trustworthiness of Reasoning

Q: How do we know reasoning is right?

A: Formal proof system: mechanical reasoning (derivability judgment ⊢ ψ)

Q: How do we know proof system is right?

A: Proof of soundness: system is consistent with some model of reality

Q: How do we get that model?

A: Need semantics: how to interpret formulas (validity judgment ⊨ ψ)

…The more natural the model, the better.

Our new belief semantics…

Belief Semantics

Use possible worlds to model system state

Two example worlds that differ in a single fact:

- facts in one world: It's cold in DC. x = 42. TCP port 443 is open.
- facts in another world: It's cold in DC. x = 43. TCP port 443 is open.

Belief Semantics

Each principal p has its own worldview ω(w,p) at world w

[Konolige 1983; Burrows, Abadi & Needham 1988; Appel & Felten 1999; Schneider, Walsh & Sirer 2011]

Why include w as parameter to ω?

…so that beliefs can depend on system state

e.g. ω(w, princess), ω(w, envoy), ω(w, king)

φ ∈ ω(w,p) means: at world w, p believes φ

Belief Semantics

Belief model B:

- worldviews ω
  - worldviews must be closed under logical consequence
  - …principals believe all consequences of their beliefs
- …machinery for first-order logic
- …machinery for constructive logic

validity judgment: B,w ⊨ ψ

B,w ⊨ p says φ iff φ ∈ ω(w,p)

B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q)

…that is, worldview(p) ⊆ worldview(q)

(simplified to avoid machinery of constructive FOL)
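The two semantic clauses above and the King/Envoy derivation from the review slides, as an added Python example (not code from the talk or the paper). It covers a propositional fragment only: worldviews are finite sets of formulas, closure applies modus ponens and ∧-elimination, implication is evaluated classically rather than constructively, says-transparency is omitted, and the belief hand-off condition is enforced by saturating worldviews. The principal and atom names (King, Envoy, OpenChest) follow the slides; the formula encoding, the world name w and all function names are the example's own assumptions.

```python
"""Belief semantics for a propositional fragment of authorization logic.

Added example, not code from the talk or the paper. Formulas are plain Python values:
  atom            'OpenChest'
  p says f        ('says', 'King', f)
  p speaksfor q   ('speaksfor', 'Envoy', 'King')
  f => g          ('imp', f, g)
  f and g         ('and', f, g)
Implication is classical (the talk's semantics is constructive), closure applies only
modus ponens and and-elimination, and says-transparency is omitted.
"""
from dataclasses import dataclass, field

def says(p, f):       return ('says', p, f)
def speaksfor(p, q):  return ('speaksfor', p, q)
def imp(f, g):        return ('imp', f, g)
def conj(f, g):       return ('and', f, g)

def close(beliefs):
    """Worldview closure: a principal believes the consequences of its beliefs.
    Only modus ponens and and-elimination are applied, so the result stays finite."""
    s = set(beliefs)
    changed = True
    while changed:
        changed = False
        for f in list(s):
            derived = set()
            if isinstance(f, tuple) and f[0] == 'and':
                derived |= {f[1], f[2]}
            if isinstance(f, tuple) and f[0] == 'imp' and f[1] in s:
                derived.add(f[2])
            if not derived <= s:
                s |= derived
                changed = True
    return frozenset(s)

@dataclass
class BeliefModel:
    facts: dict        # world -> set of atoms that hold there (the system state)
    worldviews: dict   # (world, principal) -> frozenset of formulas, i.e. omega(w, p)
    principals: set = field(default_factory=set)

    def worldview(self, w, p):
        return self.worldviews.get((w, p), frozenset())

def healthy(B, w):
    """Healthiness conditions checked here: worldview closure, and belief hand-off
    (q says (p speaksfor q)) => (p speaksfor q), i.e. omega(w,p) must be within omega(w,q)."""
    for q in B.principals:
        wv = B.worldview(w, q)
        if close(wv) != wv:
            return False
        for f in wv:
            if isinstance(f, tuple) and f[0] == 'speaksfor' and f[2] == q:
                if not B.worldview(w, f[1]) <= wv:
                    return False
    return True

def saturate(B, w):
    """Enforce hand-off: whenever q believes p speaksfor q, q adopts all of p's beliefs.
    Iterates to a fixed point, re-closing each worldview after it grows."""
    changed = True
    while changed:
        changed = False
        for q in B.principals:
            wv = set(B.worldview(w, q))
            for f in list(wv):
                if isinstance(f, tuple) and f[0] == 'speaksfor' and f[2] == q:
                    wv |= B.worldview(w, f[1])
            new = close(wv)
            if new != B.worldview(w, q):
                B.worldviews[(w, q)] = new
                changed = True
    return B

def valid(B, w, f):
    """The validity judgment B,w |= f."""
    if isinstance(f, str):          # atom: consult the system state at w
        return f in B.facts[w]
    tag = f[0]
    if tag == 'says':               # B,w |= p says f  iff  f in omega(w,p)
        return f[2] in B.worldview(w, f[1])
    if tag == 'speaksfor':          # B,w |= p speaksfor q  iff  omega(w,p) within omega(w,q)
        return B.worldview(w, f[1]) <= B.worldview(w, f[2])
    if tag == 'imp':
        return (not valid(B, w, f[1])) or valid(B, w, f[2])
    if tag == 'and':
        return valid(B, w, f[1]) and valid(B, w, f[2])
    raise ValueError(f'unknown formula {f!r}')

def weak_speaksfor(B, w, p, q):
    """Weak speaksfor, checked over every formula some principal believes at w:
    for all f, p says f => q says f."""
    universe = set().union(*(B.worldview(w, r) for r in B.principals))
    return all(valid(B, w, imp(says(p, f), says(q, f))) for f in universe)

def king_envoy_model():
    """The two credentials from the talk: King says Envoy speaksfor King; Envoy says OpenChest.
    In world w the chest is in fact still closed, so OpenChest is a belief, not a fact."""
    B = BeliefModel(facts={'w': set()},
                    worldviews={('w', 'King'): close({speaksfor('Envoy', 'King')}),
                                ('w', 'Envoy'): close({'OpenChest'})},
                    principals={'King', 'Envoy'})
    return saturate(B, 'w')

def guard(B, w, goal):
    """The guard grants a request iff the goal formula is valid in a healthy model."""
    return healthy(B, w) and valid(B, w, goal)

if __name__ == '__main__':
    B = king_envoy_model()
    print(guard(B, 'w', says('King', 'OpenChest')))   # True: hand-off gives King the belief
    print(valid(B, 'w', speaksfor('Envoy', 'King')))  # True: omega(w,Envoy) within omega(w,King)
    print(valid(B, 'w', 'OpenChest'))                 # False: principals are not infallible
```

The saturation step is what makes "King says Envoy speaksfor King" turn into "Envoy speaksfor King": without it the model violates the hand-off condition and `healthy` rejects it, so the guard refuses the request even though the credentials were presented. On this finite model `weak_speaksfor` agrees with the subset test, which is the set-based reading of speaksfor the talk argues for.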

Other Semantics for Authorization Logic?

Usual semantics is based on Kripke semantics of modal logic

…because says is like ◽ (the modal necessity operator)

[Abadi, Burrows, Lampson & Plotkin 1991; Howell 2000; Garg & Abadi 2008; Garg 2008; Genovese, Garg & Rispoli 2012]

Kripke Semantics (Review)

K,w ⊨ p says φ iff for all worlds w' such that w ≤p w' : K,w' ⊨ φ

≤p is the accessibility relation: w ≤p w' means: given information in world w, p considers world w' possible

Belief Semantics vs. Kripke Semantics

belief semantics: B,w ⊨ p says φ iff φ ∈ ω(w,p)

Kripke semantics: K,w ⊨ p says φ iff for all w' : w ≤p w' implies K,w' ⊨ φ

Belief semantics directly captures intuition about sets of beliefs…

Kripke semantics doesn't; it indirects through accessibility relations

belief semantics: B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q)

Kripke semantics: K,w ⊨ p speaksfor q iff ≤p ⊇ ≤q

Again, belief semantics directly captures intuition about sets of beliefs

Just an issue of style?

…belief semantics more faithfully model reality

Which is more expressive?

Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B.

At each world, form the set of all formulas said by a principal in K. Make that the principal's worldview in B.

Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures.

[Figure: Venn diagram, Kripke structures strictly inside belief structures]

…so belief semantics subsume Kripke semantics

FOCAL Proof System

Proof theory: calculate with formulas

Γ ⊢ φ (derivability judgment)

as opposed to…

Model theory: interpret meaning of formulas

B,w ⊨ φ (validity judgment)

Natural deduction proof system with localized hypotheses

Rules themselves are well-known but this seems to be a mildly novel combination

Soundness

Theorem. If φ is derivable from Γ, then φ is valid in any belief model of Γ.

Theorem. If φ is derivable from Γ, then φ is valid in any Kripke model of Γ.

Proof. Mechanized in Coq (about 2,400 LoC).

First mechanized proof of soundness for authorization logic!

…increases trustworthiness of logic

Nexus Authorization Logic (NAL) [Schneider, Walsh & Sirer 2011]

- Has a formal proof system
- Has an informal semantics (worldviews, main inspiration for FOCAL)

Fact: NAL proof system permits derivation of a formula that is

- invalid in our formal belief semantics
- not intended to be valid by NAL designers

…NAL is unsound (but easily fixed)

Formal semantics and proofs of soundness yield a more trustworthy logic!

Related Work

- CDD [Abadi 2007]
- NAL [Schneider, Walsh & Sirer 2011]
- ICL [Garg & Abadi 2008]
- DTL0 [Garg 2008]
- BLsf [Genovese, Garg & Rispoli 2012]
- Unnamed logics [Garg & Pfenning 2006] [Howell 2000]
- Many other logics and systems: Taos, PCA, SPKI/SDSI, Delegation Logic, Cassandra, PolicyMaker, Referee, KeyNote, SD3, Binder, Soutei, SecPAL, DKAL, Alpaca, WS-Policy, Grey, …

FOCAL builds on many of these, and makes new contributions…

Summary

- FOCAL: first order constructive authorization logic
- First formal belief semantics for authorization logic
- Transformation from Kripke semantics to belief semantics
- Belief subsumes Kripke
- Sound proof system for both semantics
- Found unsoundness in existing logic
- First machine-checked proof of soundness for authorization logic

…increased trustworthiness of authorization logic


Future Work

- Completeness
- Verified theorem checker
- Semantics of group principals


Extra Slides


Completeness of FOCAL?

Starting points to get completeness result:

- ICL [Garg & Abadi 2008]: uses different (lax logic) semantics of says
- DTL0 [Garg 2008]: doesn't have speaksfor
- BLsf [Genovese, Garg & Rispoli 2012]: uses different (strong) semantics of speaksfor

Weak Speaksfor

Weak speaksfor: p speaksfor q iff "for all φ": p says φ ⇒ q says φ

Kripke semantics of speaksfor are stronger [Howell 2000] (principals speak for one another less often)

- WSF condition in our paper is ugly but needed to make Kripke semantics behave
- Might eliminate WSF by introducing some second-order model theory

FOCAL vs. NAL

NAL: Schneider, Walsh & Sirer 2011

FOCAL = NAL
  – 2nd-order quantification (simplicity)
  + primitive speaksfor
  – restricted delegation (open!)
  – subprincipals (open!)
  – group principals (open!)

FOCAL vs. CDD

CDD: Abadi 2007

FOCAL = CDD
  – 2nd-order quantification
  + primitive speaksfor
  + 1st-order quantification & terms

Belief vs. Knowledge

- FOCAL (et al.) is a logic of belief
  - principals who issue credentials are expressing a belief about state of system
  - they might be wrong
  - they might be malicious
- Logic of knowledge would impose axiom: (p says φ) ⇒ φ

Healthiness Conditions (Belief)

- Worldview closure: principals believe all consequences of their beliefs
- Says transparency: any number of says is equivalent to just one says
- Belief hand-off: ensure validity of hand-off: (q says (p speaksfor q)) ⇒ (p speaksfor q)

Healthiness Conditions (Kripke)

- IT: principal accessibility relations are "intuitionistically" transitive
- ID: principal accessibility relations are "intuitionistically" dense
- F2: technical condition from constructive modal logic literature to achieve soundness
- H: ensure validity of hand-off
- WSF: weak speaksfor to get equivalence with belief semantics

Countermodel for Belief → Kripke

Single world w, in which X does not hold, and ω(w,p) = {X}, so B,w ⊨ p says X

What can ≤p be?

- If empty, then p says false, but false isn't in ω(w,p)
- If w ≤p w, then K,w ⊭ p says X, but X is in ω(w,p)

Either way, Kripke semantics is not equivalent to belief semantics
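The Kripke→belief transformation from the expressiveness slides (at each world, collect the formulas a principal says) and the countermodel above, as an added Python example, not the authors' Coq development. It also builds a Kripke structure that violates the WSF condition from the weak-speaksfor slide, to show concretely that the relational reading of speaksfor (≤p ⊇ ≤q) is stronger than the set-based one. The formula encoding, the principals p and q, the atoms X and Y, the world names and the finite formula universe over which the transformation is computed are all the example's own assumptions; implication is classical, a simplification of the constructive semantics.

```python
"""Kripke semantics, the Kripke -> belief transformation, and the countermodel.

Added example, not the authors' code. Atoms are strings, ('says', p, f) and
('speaksfor', p, q) are the modalities, ('imp', f, g) is classical implication
(a simplification of the constructive semantics), and BOT stands for false.
"""
BOT = ('bot',)

def says(p, f):       return ('says', p, f)
def speaksfor(p, q):  return ('speaksfor', p, q)

class Kripke:
    """facts: world -> set of atoms true there; access: principal -> set of pairs (w, w')
    meaning w <=p w' (given the information in w, p considers w' possible)."""
    def __init__(self, facts, access):
        self.facts, self.access = facts, access

    def succ(self, p, w):
        return {v for (u, v) in self.access.get(p, set()) if u == w}

def k_valid(K, w, f):
    """K,w |= f under Kripke semantics."""
    if isinstance(f, str):
        return f in K.facts[w]
    tag = f[0]
    if tag == 'bot':
        return False
    if tag == 'says':        # for all w' with w <=p w': K,w' |= f  (vacuously true if none)
        return all(k_valid(K, v, f[2]) for v in K.succ(f[1], w))
    if tag == 'speaksfor':   # <=p is a superset of <=q
        return K.access.get(f[1], set()) >= K.access.get(f[2], set())
    if tag == 'imp':
        return (not k_valid(K, w, f[1])) or k_valid(K, w, f[2])
    raise ValueError(f'unknown formula {f!r}')

def to_belief(K, principals, universe):
    """The transformation from the talk, restricted to a finite formula universe:
    omega(w,p) = { f in universe : K,w |= p says f }."""
    return {(w, p): frozenset(f for f in universe if k_valid(K, w, says(p, f)))
            for w in K.facts for p in principals}

def b_valid(worldviews, w, f):
    """Belief-semantics clauses for says and speaksfor over transformed worldviews."""
    if f[0] == 'says':
        return f[2] in worldviews[(w, f[1])]
    if f[0] == 'speaksfor':
        return worldviews[(w, f[1])] <= worldviews[(w, f[2])]
    raise ValueError(f'unknown formula {f!r}')

def weak_vs_strong_speaksfor():
    """A Kripke structure violating WSF: p and q look at different but indistinguishable
    worlds, so every formula p says, q says too, yet <=p is not a superset of <=q.
    Returns (Kripke verdict, belief verdict) for p speaksfor q at w."""
    K = Kripke(facts={'w': set(), 'w1': {'X'}, 'w2': {'X'}},
               access={'p': {('w', 'w1')}, 'q': {('w', 'w2')}})
    universe = ['X', 'Y', BOT, says('p', 'X'), says('q', 'X')]
    B = to_belief(K, ['p', 'q'], universe)
    return k_valid(K, 'w', speaksfor('p', 'q')), b_valid(B, 'w', speaksfor('p', 'q'))

def countermodel():
    """The belief structure from the slide: one world w where X is false and omega(w,p) = {X}.
    Tries both accessibility relations over {w} and reports whether either reproduces it."""
    target = frozenset({'X'})
    universe = ['X', BOT]
    views = {}
    for rel in (set(), {('w', 'w')}):
        K = Kripke(facts={'w': set()}, access={'p': rel})
        views[frozenset(rel)] = to_belief(K, ['p'], universe)[('w', 'p')]
    return {rel: view == target for rel, view in views.items()}, views

if __name__ == '__main__':
    print(weak_vs_strong_speaksfor())   # (False, True)
    matches, views = countermodel()
    print(matches)                       # both False: no relation yields omega(w,p) = {X}
    print(views)                         # empty relation also says false; reflexive one says nothing
```

`weak_vs_strong_speaksfor` is the case WSF exists to exclude: the transformed belief structure validates p speaksfor q because the two worldviews coincide, while the Kripke structure rejects it because the relations differ. `countermodel` replays the slide's argument mechanically: with no accessible world, "p says" is vacuously true of everything including false; with w accessible from itself, p cannot say X because X is false at w.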
