Applications of logic in computer security
1 / 21

- PowerPoint PPT Presentation

  • Updated On :

Applications of Logic in Computer Security. Jonathan Millen SRI International. Areas of Application. Multilevel Operating System Security “Orange Book,” Commercial Trusted Product Evaluation, A1-level Emphasis on secrecy, security/clearance levels Access Control Policies

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about '' - courtney

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Applications of logic in computer security l.jpg

Applications of Logic in Computer Security

Jonathan Millen

SRI International

Areas of application l.jpg
Areas of Application

  • Multilevel Operating System Security

    • “Orange Book,” Commercial Trusted Product Evaluation, A1-level

    • Emphasis on secrecy, security/clearance levels

  • Access Control Policies

    • Discretionary or role-based policies

    • Emphasis on application-specific policies, integrity

  • Public-Key Infrastructure and Trust Management

    • Network and distributed system security

    • Digitally signed certificates for identity and privileges

  • Cryptographic Authentication Protocols

    • For network communication confidentiality and authentication

  • Other areas: databases, firewalls/routers, intrusion detection

Computer Security

Network Security

Contributions of logic l.jpg
Contributions of Logic

  • Undecidability Results

    • Safety problem for discretionary access control

    • Cryptographic protocol analysis

  • Theorem Proving Environments

    • Verifying correctness of formal OS specifications

    • Inductive proofs of cryptographic protocols

  • Logic Programming

    • Prolog programs for cryptographic protocol analysis, trust management

  • Model Checking

    • For cryptographic protocol analysis

  • Specialized Logics

    • For cryptographic protocol analysis, trust management

Multilevel operating system security l.jpg
Multilevel Operating System Security

  • Motivated by protection of classified information in shared systems

    • High-assurance (A1) systems may protect Secret data from uncleared users

    • Architecture: trusted OS kernel, hardware support

  • Abstract system model of access control: Bell-LaPadula (ca. 1975)

    • Structured state-transition system: subject-object access matrix, levels

    • Security invariants and transition rules (for OS functions)

  • “Formal Top-Level Specification” (FTLS)

    • More detailed state-transition system

  • Formal Proofs:

    • Model transitions satisfy invariants

    • FTLS is an interpretation of the system model

    • Carried out in environments like Gypsy, FDM, HDM

    • Some FTLS errors reflected in code were discovered

  • Of Historical Interest

Access control policies l.jpg
Access Control Policies

  • Safety Problem

    • Subject-object-rights matrix

    • “rights” were arbitrary, representing different kinds of access

    • Operations: create/delete subjects, objects; enter/remove rights

    • System of conditional rules to apply operations

  • Harrison-Ruzzo-Ullman Undecidability Result

    • Whether S can ever receive right r to object O

    • Comm. ACM 19(8), 1976

    • Decidable if number of subjects is bounded

  • Historical Impact

    • Led to interest in efficiently decidable systems

    • Take-Grant, DAC, RBAC




Public key certificates l.jpg
Public-Key Certificates

  • Based on asymmetric encryption

    • Key pair KA, KA-1: one made public, one kept secret

    • Text block encrypted with KA can be decrypted only with KA-1 .

    • Impractical to compute secret key from public key

  • Digital signature

    • Text string T

    • Apply one-way (hash) function

    • Encrypt with secret key

    • Verify by decrypting with signer’s public key, compare hash result

  • Public Key Certificate

    • Binds name to public key, signed by trusted party

  • Logical Equivalent

    • “A says (KB is the public key of B)”

    • … provided that KA is the public key of A

T  h(T)  [h(T)]KA-1


Logic of distributed authentication l.jpg
Logic of Distributed Authentication

  • Origination:

    • “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992

  • Theory of says and speaks for ( relation)

    • (A  B)  ((A says s)  (B says s)) (P8)

    • (A says (B  A))  (B  A) (P10)

  • Application to distributed systems

    • A and B are principals: users or keys (can say something)

    • A says s means: A authorizes command (operation, access) s

    • A  B means: B delegates authority to A

    • Certificate T,[T] KA-1 means KAsays T

    • Public key certificate means KA A

    • Credentials sent from one network node to another to authorize resources

    • Implemented in Taos operating system


Trust management l.jpg
Trust Management

  • Policymaker

    • “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy

    • Identified trust management as a distinct problem

    • Purpose: to define and implement policy using credentials to process queries

  • Delegation Logic

    • “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop

    • Language to express policies

    • Primitives include says, delegates (speaks for with object)

    • Access permission is decidable

    • Logic program implementation (in Datalog)

Cryptographic protocols l.jpg
Cryptographic Protocols

  • Cryptographic protocol

    • an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.

  • Applications

    • military communications, business communications, electronic commerce, privacy

  • Examples

    • Kerberos: MIT protocol for unitary login to network services

    • SSL (Secure Socket Layer, used in Web browsers)

    • IPSec: standard suite of Internet protocols due to the IETF

    • SET (Secure Electronic Transaction) protocol

    • PGP (Pretty Good Privacy)

A popular example l.jpg
A Popular Example

  • The Needham-Schroeder public-key handshake

    • R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978

  • A  B: {A, Na}Kb

  • B  A: {Na, Nb}Ka

  • A  B: {Nb}Kb

  • Purpose: mutual authentication of A and B, sharing secrets Na, Nb

  • This is an “Alice-and-Bob” protocol specification

  • Na and Nb are nonces (used once)

  • Ka is the public key of A

  • The protocol is vulnerable...

The attack l.jpg
The Attack






(thinks he’s

talking to A,

Nb is compromised)







Lowe, “Breaking and Fixing the Needham-Schroeder Public Key

Protocol Using FDR” TACAS 1996, LNCS 1055

A malicious party M can forge addresses, deviate from protocol

Undecidable in general l.jpg
Undecidable in General

  • Reduction of Post correspondence problem

    • Word pairs ui, vi for 1  i < n

    • Does there exist ui1...uik = vi1...vik?

  • Construction

    • Protocol with one role (or one per i)

    • Compromises secret if solution exists

    • Attacker cannot forge release message

      • because of encryption

  • Observations

    • Messages are unbounded

    • Construction suggested by Heintze & Tygar, 1994

    • First undecidability proof by Even & Goldreich, 1983

    • 1999 proof by Durgin, et al shows nonces are enough

send {,}K

receive {X,Y}K

if X = Y , send secret

else choose i,

send {Xui,Yvi}K

Analysis approaches l.jpg
Analysis Approaches

  • Model checking

    • State-space search for attacks

  • Inductive proof

    • Using verification tools or by hand

    • Can prove protocols correct (for abstract encryption)

  • Belief-logic proofs

    • BAN logic and successors

    • For authentication properties

Linear logic model l.jpg
Linear Logic Model

  • Linear Logic

    • Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987

    • Constructive, used to model state-transition systems

  • Application to cryptographic protocols

    • Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop

    • Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)

  • State-transition rules

    • F1, …, Fkx1, …, xm. G1, …, Gn

    • State is a multiset of “facts” Fi, predicates over terms

    • Rule matches facts on left side with variable substitution

    • Variables xi are instantiated with new symbols (like nonce!)

    • Left-side facts are replaced by right-side facts in multiset

The msr model l.jpg
The MSR Model

  • Implementation of linear logic model

  • Special term and fact types for cryptographic protocols

    • Symbols for principals, keys, and nonces

    • Terms for encryption and concatenation

    • Facts for protocol process state, messages

    • Multiset holds current states of many concurrent protocol sessions

  • Example: A sends message A,{A}K (to B) with new K

  • A0(A,B)  (K) A1(A,B,K),M({A}K)

  • Attacker rules eavesdrop, construct false messages, e.g.,

  • M({A}K),M(K)  M({A}K),M(K),M(A)

    • Attacker model is standardized

  • MSR model applied as intermediate language

    • CAPSL  MSR  analysis tools (Millen, Denker 1999)

Model checking tools l.jpg
Model Checking Tools

  • State-space search for reachability of insecure states

    • History: back to 1984, Interrogator program in Prolog

    • Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991

    • Prolog programs were interactive

  • General-purpose model-checkers

    • Search automatically given initial conditions, bounds

    • Iterative bounded-depth search

    • Roscoe and Lowe used FDR (model-checker for CSP), 1995

    • Mitchell, et al used Murphi, 1997

    • Clarke, et al used SMV, 1998

    • Denker, Meseguer, Talcott used Maude, 1998

    • Successful at finding previously unknown vulnerabilities!

Non repudiation protocols l.jpg
Non-Repudiation Protocols

  • Different objectives and assumptions

    • Fairness objectives: contract signing, proofs of receipt, fair exchange

    • Applications to electronic commerce

    • Parties are mutually distrustful, network well-behaved, no intruder

    • Trusted third party to resolve detected breaches

  • Alternating Temporal Logic application

    • Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000

    • Used model checker MOCHA

  • Example Objective

    • <<B,Com>> (NRO <<A>> NRR)

    • Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

Inductive proofs l.jpg
Inductive Proofs

  • State-transition model similar to model checking approaches

  • Application of general-purpose specification and verification tools

  • Influential Examples:

    • R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).

    • L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)

  • Paulson’s approach inspired others

    • Bolignano (using Coq), Millen (using PVS)

Ban logic l.jpg
BAN Logic

  • Papers

    • Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990

    • Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy

  • Approach

    • Modal logic of belief plus specialized predicates and inference rules

    • Protocol messages are “idealized” into logical statements

    • Objective is to prove that both parties share common beliefs

  • Idealization

    • A  B: {A, K, B}KBbecomes

    • B sees {good-key(A, K, B)}KB

  • Objective

    • Infer that B believes A saidgood-key(A, K, B)

B | A |~ A  B


Inferences and problems l.jpg
Inferences and Problems

  • Example

    • P believes fresh(X), P believes Q said X |- P believes Q believes X

  • Assumption

    • Protocol idealization must be consistent with beliefs about confidentiality

  • Problem

    • Observed by Nessett right away for digital signature example

      • Good key must not be given away accidentally (or on purpose)

      • Takes deep analysis to determine this

    • Needham-Schroeder Public Key protocol proved correct (!!??)

  • These logics are still used because:

    • They are efficiently decidable

    • They help to understand the protocol

    • They can be used manually

Summary l.jpg

  • Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design

  • Several unusual or specialized logical systems have application to computer security

  • Cryptographic protocol analysis is an active, fertile area for logic applications