Applications of Logic in Computer Security
Jonathan Millen, SRI International
Areas of Application
• Multilevel Operating System Security
  • “Orange Book,” Commercial Trusted Product Evaluation, A1-level
  • Emphasis on secrecy, security/clearance levels
• Access Control Policies
  • Discretionary or role-based policies
  • Emphasis on application-specific policies, integrity
• Public-Key Infrastructure and Trust Management
  • Network and distributed system security
  • Digitally signed certificates for identity and privileges
• Cryptographic Authentication Protocols
  • For network communication confidentiality and authentication
• Other areas: databases, firewalls/routers, intrusion detection
[Slide side labels grouping the areas above: Computer Security; Network Security]
Contributions of Logic
• Undecidability Results
  • Safety problem for discretionary access control
  • Cryptographic protocol analysis
• Theorem Proving Environments
  • Verifying correctness of formal OS specifications
  • Inductive proofs of cryptographic protocols
• Logic Programming
  • Prolog programs for cryptographic protocol analysis, trust management
• Model Checking
  • For cryptographic protocol analysis
• Specialized Logics
  • For cryptographic protocol analysis, trust management
Multilevel Operating System Security
• Motivated by protection of classified information in shared systems
  • High-assurance (A1) systems may protect Secret data from uncleared users
  • Architecture: trusted OS kernel, hardware support
• Abstract system model of access control: Bell-LaPadula (ca. 1975)
  • Structured state-transition system: subject-object access matrix, levels
  • Security invariants and transition rules (for OS functions)
• “Formal Top-Level Specification” (FTLS)
  • More detailed state-transition system
• Formal Proofs:
  • Model transitions satisfy invariants
  • FTLS is an interpretation of the system model
  • Carried out in environments like Gypsy, FDM, HDM
  • Some FTLS errors reflected in code were discovered
• Of Historical Interest
Access Control Policies
• Safety Problem
  • Subject-object-rights matrix
  • “rights” were arbitrary, representing different kinds of access
  • Operations: create/delete subjects, objects; enter/remove rights
  • System of conditional rules to apply operations
• Harrison-Ruzzo-Ullman Undecidability Result
  • Whether S can ever receive right r to object O
  • Comm. ACM 19(8), 1976
  • Decidable if number of subjects is bounded
• Historical Impact
  • Led to interest in efficiently decidable systems
  • Take-Grant, DAC, RBAC
[Figure: access matrix cell at row Si, column Oj, holding right r]
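The safety question above, worked as an added example (constructed here, not from the talk or the HRU paper): a small access matrix with conditional "enter" commands, and an exhaustive search that answers whether a given subject can ever obtain a given right, which is decidable here because the subject and object sets stay fixed. The subjects, objects, rights and commands are all assumed.

```python
from collections import deque
from itertools import product
# Constructed HRU-style protection system (assumed example, not from the talk).
# State = (subjects, objects, rights); rights is a frozenset of (subject, object,
# right) cells, and subjects also count as objects (so "friend" sits in a
# subject-subject cell). Commands only "enter" rights, so the subject/object
# sets stay fixed: the bounded case in which safety is decidable by search.
COMMANDS = [  # (name, parameters, conditions (right, subj, obj), operations)
    ("introduce", ("X", "Y", "Z"),
     [("friend", "X", "Y"), ("friend", "Y", "Z")],
     [("enter", "friend", "X", "Z")]),
    ("grant_read", ("X", "Y", "O"),
     [("own", "X", "O"), ("friend", "X", "Y")],
     [("enter", "read", "Y", "O")]),
]

def successors(state):
    """Yield (command instance, next state) for every enabled command."""
    subjects, objects, rights = state
    for name, params, conds, ops in COMMANDS:
        for vals in product(sorted(objects), repeat=len(params)):
            env = dict(zip(params, vals))
            if not all(env[s] in subjects and (env[s], env[o], r) in rights
                       for r, s, o in conds):
                continue
            new = set(rights)
            for op, r, s, o in ops:
                if op == "enter" and env[s] in subjects:
                    new.add((env[s], env[o], r))
            if new != rights:
                yield (name, env), (subjects, objects, frozenset(new))

def can_leak(state, subject, obj, right):
    """HRU safety question: can `right` ever appear in cell (subject, obj)?
    BFS over the finite state space returns the shortest leaking command
    sequence, or None if the initial state is safe for that cell."""
    seen, queue = {state[2]}, deque([(state, [])])
    while queue:
        cur, path = queue.popleft()
        if (subject, obj, right) in cur[2]:
            return path
        for step, nxt in successors(cur):
            if nxt[2] not in seen:
                seen.add(nxt[2])
                queue.append((nxt, path + [step]))
    return None

SUBJECTS = frozenset({"alice", "bob", "eve"})
INITIAL = (SUBJECTS, SUBJECTS | {"secret"}, frozenset({("alice", "secret", "own"),
    ("alice", "bob", "friend"), ("bob", "eve", "friend")}))
```

Here eve reaches "read" on "secret" in two commands through the transitive "friend" rule, while "own" is unreachable because no command enters it.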
Public-Key Certificates
• Based on asymmetric encryption
  • Key pair KA, KA^-1: one made public, one kept secret
  • Text block encrypted with KA can be decrypted only with KA^-1
  • Impractical to compute secret key from public key
• Digital signature
  • Text string T
  • Apply one-way (hash) function
  • Encrypt with secret key
  • Verify by decrypting with signer’s public key, compare hash result
• Public Key Certificate
  • Binds name to public key, signed by trusted party
• Logical Equivalent
  • “A says (KB is the public key of B)”
  • … provided that KA is the public key of A
[Figure: signing T yields h(T) and then [h(T)]KA^-1; the certificate for B is B, KB, [h(B,KB)]KA^-1]
Logic of Distributed Authentication
• Origination:
  • “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992
• Theory of says and speaks for (⇒ relation)
  • (A ⇒ B) ⊃ ((A says s) ⊃ (B says s)) (P8)
  • (A says (B ⇒ A)) ⊃ (B ⇒ A) (P10)
• Application to distributed systems
  • A and B are principals: users or keys (can say something)
  • A says s means: A authorizes command (operation, access) s
  • A ⇒ B means: B delegates authority to A
  • Certificate T,[T]KA^-1 means KA says T
  • Public key certificate means KA ⇒ A
  • Credentials sent from one network node to another to authorize resources
  • Implemented in Taos operating system “credentials”
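The certificate reading on the previous slide and the two axioms above, as an added example (not code from the paper, Taos, or the talk): a forward-chaining engine over says and speaks-for facts, run on a constructed Taos-style credential chain in which a user's key delegates to a session key. The principal and key names are assumptions.

```python
# Added example (not from the paper or the talk): a small forward-chaining engine
# for the two axioms on the slide. Statements are tuples:
#   ("says", P, S)   P says S        ("sf", P, Q)   P speaks for Q  (P => Q)
#   ("cmd", text)    a request that a principal may be taken to have authorized
def says(p, s): return ("says", p, s)
def speaks_for(p, q): return ("sf", p, q)

def close(facts):
    """Saturate `facts` under P8 and P10; the closure is finite because no rule
    builds a statement that is not already a sub-term of some fact."""
    facts = set(facts)
    while True:
        new = set()
        for _, a, b in [f for f in facts if f[0] == "sf"]:
            for _, p, s in [f for f in facts if f[0] == "says"]:
                if p == a:                      # P8: (A => B), A says s  |-  B says s
                    new.add(says(b, s))
        for _, a, s in [f for f in facts if f[0] == "says"]:
            if s[0] == "sf" and s[2] == a:      # P10: A says (B => A)  |-  B => A
                new.add(s)
        if new <= facts:
            return facts
        facts |= new

def authorized(facts, principal, request):
    """Does the closure let us treat `request` as said by `principal`?"""
    return says(principal, ("cmd", request)) in close(facts)

# Constructed Taos-style credentials (assumed names). The workstation has already
# verified A's certificate, so K_A => A is taken as given; A's login key then
# signs a delegation to a session key K_S, and K_S signs the actual request.
CREDENTIALS = {
    speaks_for("K_A", "A"),                      # from A's public-key certificate
    says("K_A", speaks_for("K_S", "A")),         # [K_S => A] signed with K_A^-1
    says("K_S", ("cmd", "read report.txt")),     # request signed with K_S^-1
}
# A key with no delegation chain to A must not be able to act for A.
ROGUE = CREDENTIALS | {says("K_X", ("cmd", "delete report.txt"))}
```

The chain is P8 (K_A ⇒ A turns the signed delegation into A's own statement), then P10 (A's statement about K_S yields K_S ⇒ A), then P8 again on the request.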
Trust Management
• Policymaker
  • “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy
  • Identified trust management as a distinct problem
  • Purpose: to define and implement policy using credentials to process queries
• Delegation Logic
  • “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
  • Language to express policies
  • Primitives include says, delegates (speaks for with object)
  • Access permission is decidable
  • Logic program implementation (in Datalog)
Cryptographic Protocols
• Cryptographic protocol
  • an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.
• Applications
  • military communications, business communications, electronic commerce, privacy
• Examples
  • Kerberos: MIT protocol for unitary login to network services
  • SSL (Secure Socket Layer, used in Web browsers)
  • IPSec: standard suite of Internet protocols due to the IETF
  • SET (Secure Electronic Transaction) protocol
  • PGP (Pretty Good Privacy)
A Popular Example
• The Needham-Schroeder public-key handshake
  • R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978
  • A → B: {A, Na}Kb
  • B → A: {Na, Nb}Ka
  • A → B: {Nb}Kb
• Purpose: mutual authentication of A and B, sharing secrets Na, Nb
• This is an “Alice-and-Bob” protocol specification
  • Na and Nb are nonces (used once)
  • Ka is the public key of A
• The protocol is vulnerable...
The Attack
• Participants: A (normal), M (false), B (thinks he’s talking to A; Nb is compromised)
• Message trace (M(A) denotes M posing as A):
  • A → M: {A,Na}Km
  • M(A) → B: {A,Na}Kb
  • B → M(A): {Na,Nb}Ka
  • M → A: {Na,Nb}Ka
  • A → M: {Nb}Km
  • M(A) → B: {Nb}Kb
• Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” TACAS 1996, LNCS 1055
• A malicious party M can forge addresses, deviate from protocol
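The interleaving above replayed symbolically, as an added example (not from the talk or from Lowe's paper). It models each party's check on the messages it receives and shows why the trace completes against the original handshake, and where it stops once B's second message also carries B's name, which is the repair in Lowe's cited paper. Agent, key and nonce labels are assumptions.

```python
# Added example (not from the talk or Lowe's paper): a symbolic replay of the
# interleaving above. {payload}K is ("enc", K, payload); an agent X can open only
# ciphertexts under its own public key "KX". With `fixed` set, B's second message
# carries B's name (Lowe's repair), so A's check on the responder identity fails.
def enc(key, payload):
    return ("enc", key, payload)

def dec(agent, ct):
    """Decrypt ct if it is encrypted under agent's public key, else None."""
    return ct[2] if ct[0] == "enc" and ct[1] == f"K{agent}" else None

def responder(b, msg1, fixed):
    """B's step: open message 1, pick a nonce, answer {Na,Nb[,B]}Ka."""
    a, na = dec(b, msg1)
    nb = f"N{b}"                                   # constructed nonce label
    body = (na, nb, b) if fixed else (na, nb)
    return enc(f"K{a}", body), nb

def initiator_check(a, peer, na, msg2, fixed):
    """A's check on message 2: Na must echo; with the fix the name must be
    the peer A thinks it is talking to. Returns Nb, or None if rejected."""
    body = dec(a, msg2)
    if body is None or body[0] != na:
        return None
    if fixed and body[2] != peer:
        return None
    return body[1]

def run_trace(fixed):
    """Replay the six messages of the attack; report what B and M end up with."""
    na = "NA"
    msg1 = enc("KM", ("A", na))                    # A -> M:    {A,Na}Km
    msg1b = enc("KB", dec("M", msg1))              # M(A) -> B: {A,Na}Kb
    msg2, nb = responder("B", msg1b, fixed)        # B -> M(A): {Na,Nb[,B]}Ka
    nb_seen_by_a = initiator_check("A", "M", na, msg2, fixed)  # M -> A: same ciphertext
    if nb_seen_by_a is None:                       # A aborts: the run stops here
        return {"b_accepted": False, "nb_leaked": False}
    msg3 = enc("KM", nb_seen_by_a)                 # A -> M:    {Nb}Km
    msg3b = enc("KB", dec("M", msg3))              # M(A) -> B: {Nb}Kb
    return {"b_accepted": dec("B", msg3b) == nb,   # B completes "with A"
            "nb_leaked": dec("M", msg3) == nb}     # M learned B's nonce
```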
Undecidable in General
• Reduction of Post correspondence problem
  • Word pairs ui, vi for 1 ≤ i < n
  • Does there exist ui1...uik = vi1...vik?
• Construction
  • Protocol with one role (or one per i)
  • Compromises secret if solution exists
  • Attacker cannot forge release message
    • because of encryption
• Observations
  • Messages are unbounded
  • Construction suggested by Heintze & Tygar, 1994
  • First undecidability proof by Even & Goldreich, 1983
  • 1999 proof by Durgin, et al shows nonces are enough
[Figure: the protocol role]
  send {,}K
  receive {X,Y}K
  if X = Y, send secret
  else choose i, send {Xui, Yvi}K
Analysis Approaches
• Model checking
  • State-space search for attacks
• Inductive proof
  • Using verification tools or by hand
  • Can prove protocols correct (for abstract encryption)
• Belief-logic proofs
  • BAN logic and successors
  • For authentication properties
Linear Logic Model
• Linear Logic
  • Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
  • Constructive, used to model state-transition systems
• Application to cryptographic protocols
  • Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop
  • Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)
• State-transition rules
  • F1, …, Fk → ∃x1, …, xm. G1, …, Gn
  • State is a multiset of “facts” Fi, predicates over terms
  • Rule matches facts on left side with variable substitution
  • Variables xi are instantiated with new symbols (like nonces!)
  • Left-side facts are replaced by right-side facts in multiset
The MSR Model
• Implementation of linear logic model
• Special term and fact types for cryptographic protocols
  • Symbols for principals, keys, and nonces
  • Terms for encryption and concatenation
  • Facts for protocol process state, messages
• Multiset holds current states of many concurrent protocol sessions
• Example: A sends message A,{A}K (to B) with new K
  • A0(A,B) → ∃K. A1(A,B,K), M({A}K)
• Attacker rules eavesdrop, construct false messages, e.g.,
  • M({A}K), M(K) → M({A}K), M(K), M(A)
• Attacker model is standardized
• MSR model applied as intermediate language
  • CAPSL → MSR → analysis tools (Millen, Denker 1999)
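The rule mechanics of the previous two slides (left-side matching with variable substitution, fresh symbols for ∃-variables, multiset replacement), as an added example that is not the CAPSL/MSR tools' code: a minimal multiset-rewriting engine that runs the two rules shown on this slide. The leaked key in the demo is a constructed assumption.

```python
import itertools
# Added example, not the MSR tools' code: a minimal multiset-rewriting engine.
# Terms: atoms are strings, ("enc", K, M) stands for {M}K, variables start with "?".
# A state is a list of facts (a multiset); facts are tuples such as ("A0", A, B).
def match(pat, term, env):
    """Extend substitution env so that pat matches term, or return None."""
    if isinstance(pat, str) and pat.startswith("?"):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(t, env):
    return env.get(t, t) if isinstance(t, str) else tuple(subst(x, env) for x in t)
_fresh = itertools.count(1)

def apply_rule(state, lhs, exists, rhs):
    """Apply  lhs -> ∃exists. rhs  at the first place it matches: the matched
    left-side facts are removed, ∃-variables get new symbols (fresh keys and
    nonces), and the instantiated right-side facts are added."""
    for idx in itertools.permutations(range(len(state)), len(lhs)):
        env = {}
        for pat, i in zip(lhs, idx):
            env = match(pat, state[i], env)
            if env is None:
                break
        if env is None:
            continue
        for x in exists:
            env[x] = f"{x[1:].lower()}{next(_fresh)}"
        rest = [f for i, f in enumerate(state) if i not in idx]
        return rest + [subst(f, env) for f in rhs]
    return None

# The two rules from the slide. A0(A,B) -> ∃K. A1(A,B,K), M({A}K)
INIT = ([("A0", "?A", "?B")], ["?K"],
        [("A1", "?A", "?B", "?K"), ("M", ("enc", "?K", "?A"))])
# M({A}K), M(K) -> M({A}K), M(K), M(A): the attacker decrypts with a known key
DECRYPT = ([("M", ("enc", "?K", "?A")), ("M", "?K")], [],
           [("M", ("enc", "?K", "?A")), ("M", "?K"), ("M", "?A")])

def run_demo():
    """Alice starts a session; assume (constructed) the fresh key K leaked."""
    state = apply_rule([("A0", "alice", "bob")], *INIT)
    key = next(f[3] for f in state if f[0] == "A1")
    return apply_rule(state + [("M", key)], *DECRYPT)
```

Without the M(K) fact the decryption rule has no match and apply_rule returns None, which is exactly the encryption assumption the attacker model relies on.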
Model Checking Tools
• State-space search for reachability of insecure states
• History: back to 1984, Interrogator program in Prolog
  • Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
  • Prolog programs were interactive
• General-purpose model-checkers
  • Search automatically given initial conditions, bounds
  • Iterative bounded-depth search
  • Roscoe and Lowe used FDR (model-checker for CSP), 1995
  • Mitchell, et al used Murphi, 1997
  • Clarke, et al used SMV, 1998
  • Denker, Meseguer, Talcott used Maude, 1998
• Successful at finding previously unknown vulnerabilities!
Non-Repudiation Protocols
• Different objectives and assumptions
  • Fairness objectives: contract signing, proofs of receipt, fair exchange
  • Applications to electronic commerce
  • Parties are mutually distrustful, network well-behaved, no intruder
  • Trusted third party to resolve detected breaches
• Alternating Temporal Logic application
  • Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000
  • Used model checker MOCHA
• Example Objective
  • ¬⟨⟨B,Com⟩⟩ ◇ (NRO ∧ ¬⟨⟨A⟩⟩ ◇ NRR)
  • Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt
Inductive Proofs
• State-transition model similar to model checking approaches
• Application of general-purpose specification and verification tools
• Influential Examples:
  • R. Kemmerer, “Analyzing encryption protocols using formal verification techniques,” IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM)
  • L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)
• Paulson’s approach inspired others
  • Bolignano (using Coq), Millen (using PVS)
BAN Logic
• Papers
  • Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990
  • Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy
• Approach
  • Modal logic of belief plus specialized predicates and inference rules
  • Protocol messages are “idealized” into logical statements
  • Objective is to prove that both parties share common beliefs
• Idealization
  • A → B: {A, K, B}KB becomes
  • B sees {good-key(A, K, B)}KB
• Objective
  • Infer that B believes A said good-key(A, K, B)
  • In BAN notation: B |≡ A |~ (A ↔K B), with K written over the arrow
Inferences and Problems
• Example
  • P believes fresh(X), P believes Q said X |- P believes Q believes X
• Assumption
  • Protocol idealization must be consistent with beliefs about confidentiality
• Problem
  • Observed by Nessett right away for digital signature example
  • Good key must not be given away accidentally (or on purpose)
  • Takes deep analysis to determine this
  • Needham-Schroeder Public Key protocol proved correct (!!??)
• These logics are still used because:
  • They are efficiently decidable
  • They help to understand the protocol
  • They can be used manually
Summary
• Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design
• Several unusual or specialized logical systems have application to computer security
• Cryptographic protocol analysis is an active, fertile area for logic applications