
Towards a Declarative Language and System for Secure Networking

Motivation: Designing secure network protocols is hard. Imperative languages make the process tedious and error-prone. This talk explores the use of declarative languages for secure networking.





Presentation Transcript


    1. Towards a Declarative Language and System for Secure Networking
       Martín Abadi, Boon Thau Loo

    3. Approach
       Examine two classes of declarative languages:
       - Database query languages for declarative networking
       - Logic-based access control languages in distributed systems
       Contribution:
       - Compare these two classes of languages
       - Propose a unifying declarative language and system

    4. Why might this be useful?
       - Intellectually interesting to compare two languages
       - Single declarative language and system: ease of management
       - Many useful examples: authenticated routing protocols, secure overlays, DNSSEC, trust management in shared testbeds, P2P information sharing, etc.
       - Fine-grained control over the interaction between security and network protocols
       - Potential for cross-layer analysis and optimizations
       - Distributed query engines to process security policies

    5. Outline
       Background:
       - Declarative networking
       - Access control & related languages
       Introduction to Datalog
       - Network Datalog and Binder languages
       Secure Network Datalog
       - Language design
       - Examples
       Future Directions

    6. Declarative Networking
       A declarative framework for networks:
       - Declarative specifications of networks, compiled to distributed dataflows
       - A distributed query engine executes the distributed dataflows to implement the protocols
       Observation: recursive queries are a natural fit for routing
       Network Datalog (NDlog) language

    7. A Declarative Network

    8. Declarative Networking
       Declarative Routing [SIGCOMM 05]: extensible routers (balance of flexibility, efficiency and safety)
       - Textbook routing protocols (3-8 lines)
       Declarative Overlays [SOSP 05]: rapid prototyping of new overlay networks
       - Chord DHT overlay routing (47 lines)
       - Narada mesh (16 lines)
       Database Fundamentals [SIGMOD 06]: language, execution and optimizations
       System available: http://p2.cs.berkeley.edu

    9. Access Control
       Central to security, pervasive in computer systems
       Model:
       - objects, resources
       - requests for operations on objects
       - sources for requests, called principals
       - a reference monitor to decide on requests

    10. Logics in Access Control
       Logical tools and ideas have been used to explain and improve access control
       Logic-based languages: Binder, SD3, D1LP, SecPAL, etc.
       Trust management
       We focus on Binder:
       - Simple design
       - Most similar to NDlog
       - Promises relatively straightforward unification with NDlog

    11. Key Insight
       Binder and NDlog are both based on logic and Datalog
       Both extend Datalog in surprisingly similar ways: a notion of context (location) to identify components (nodes) in a distributed system
       Suggests the possibility of unifying both languages
       Similar observation: Martín Abadi. On Access Control, Data Integration, and Their Languages. (Comparing Tsimmis and Binder)

    12. Outline
       Background:
       - Declarative networking
       - Access control & related languages
       Introduction to Datalog
       - NDlog and Binder languages
       SeNDlog
       - Language design
       - Examples
       Future Directions

    13. Review of Datalog

    14. All-Pairs Reachability

    15. All-Pairs Reachability

    16. Network Datalog

    17. Implicit Communication A networking language with no explicit communication:

    18. Path Vector in NDlog

    19. Execution Plan

    20. Binder
       Logic-based language for access control
       Similar to Datalog, with the special construct says
       Rules in different contexts
       [Worked example lost in extraction; surviving fragments: "Alice has ...", "David also has access."]

    21. Notion of Says
       says abstracts the details of authentication.
       When p says s, p may transmit s in a variety of ways:
       - on a local channel via a trusted operating system within a computer,
       - on a physically secure channel between two machines,
       - on a channel secured with shared-key cryptography, or
       - in a certificate with a public-key digital signature.

    22. Comparing Binder and NDlog
       Trusted vs untrusted networks
       NDlog: location relates to data placement, e.g. link(@X,Y).
       - Global rules: r(@X,Y) :- l(@X,Z), r(@Z,Y).
       Binder: communication happens via says; import and export of facts into a context
       - may-access(P,O,read) :- bob says may-access(P,O,read).
       Bottom-up vs top-down evaluation
       Export of derived tuples:
       - Binder: no integration of security policy with export of data
       - NDlog: location specifier in the rule head

    23. Secure Network Datalog (SeNDlog)
       Unifies Binder and NDlog
       Goals of the language:
       - As expressive as Binder and NDlog
       - Supports authenticated communication and enables differentiation of roles
       - Supports both trusted and untrusted environments
       - Amenable to execution and optimizations in distributed query engines: bottom-up evaluation strategy, incremental continuous execution model

    24. SeNDlog
       At N,
         E1: p(X,Y) :- p1(X), p2(Y).
         E2: p(X,Y,W) :- Y says p1(X), Z says p2(W).
         E3: p(Y,Z)@X :- p1(X), Y says p2(Z).
         E4: Z says p(Y)@X :- Z says p(Y), p1(X).
       These rules are evaluated in the context of node N. A location specifier @X in the head exports the derived tuple to X (as in NDlog); P says in the body requires the tuple to have been authenticated as coming from P (as in Binder). E4 forwards an authenticated statement of Z to X without N vouching for it itself.

    25. Example 1: Authenticated Path Vector Protocol
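The slide for Example 1 carries no text in this transcript. The following is an added example, not code from the paper or from the P2 system: a toy Python simulation of an authenticated path-vector protocol written against SeNDlog-style rules in the notation of slide 24. All rule names, node names, keys and the message format are assumptions made for this example. It realises says with shared-key MACs (one of the transmission options listed on slide 21), so a tuple only enters a node's context as "S says path(...)" if it verifies under the key that S and the receiver share, and it evaluates the rules bottom-up to a fixpoint as slide 23 describes.

```python
"""
Added example, not from the paper or the P2 system: a toy SeNDlog-style
authenticated path-vector protocol evaluated bottom-up to a fixpoint.
Rules, in the notation of slide 24 (names are assumptions for this example):

  At S:
    R1: path(S, D, [S, D])   :- link(S, D).
    R2: path(S, D, P)@Z      :- link(S, Z), path(S, D, P).          # export to neighbour Z
    R3: path(Z, D, [Z] + P)  :- link(Z, S), S says path(S, D, P), Z not in P.

"says" is realised with shared-key MACs: a tuple received from S becomes
"S says path(...)" in Z's context only if its MAC verifies under the key
S and Z share.  A forged advertisement fails that check and never becomes a fact.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed topology (symmetric link facts): A - B - C, plus an attacker M attached to B.
LINKS = {("A", "B"), ("B", "A"), ("B", "C"), ("C", "B"), ("M", "B"), ("B", "M")}


def link_key(x, y):
    """Constructed pairwise shared key for the link between x and y (assumption)."""
    a, b = sorted((x, y))
    return hashlib.sha256(f"demo-key:{a}:{b}".encode()).digest()


def mac(key, tup):
    return hmac.new(key, json.dumps(tup).encode(), hashlib.sha256).hexdigest()


def sign(sender, receiver, tup):
    """Sender emits 'sender says tup' on the sender-receiver channel."""
    return {"from": sender, "tuple": tup, "mac": mac(link_key(sender, receiver), tup)}


def says(receiver, msg):
    """Import side of 'says': (principal, tuple) if the MAC verifies, else None."""
    expected = mac(link_key(msg["from"], receiver), msg["tuple"])
    if hmac.compare_digest(expected, msg["mac"]):
        return msg["from"], msg["tuple"]
    return None


def run(links, injected=()):
    """Naive fixpoint over all nodes; returns node -> {(dst, path)}."""
    paths = defaultdict(set)
    for s, d in links:                       # R1: direct links
        paths[s].add((d, (s, d)))
    inbox = defaultdict(list)
    for m in injected:                       # attacker traffic, delivered once
        inbox[m["to"]].append(m["msg"])
    changed = True
    while changed:
        changed = False
        for s, z in links:                   # R2: signed export to each neighbour
            for d, p in list(paths[s]):
                inbox[z].append(sign(s, z, ["path", s, d, list(p)]))
        for z, msgs in inbox.items():        # R3: authenticated import
            for msg in msgs:
                imported = says(z, msg)
                if imported is None:
                    continue                 # MAC failed: no 'says' fact, rule cannot fire
                s, (_, s2, d, p) = imported
                if s != s2 or (z, s) not in links or z in p:
                    continue                 # speaker must be the path's origin; no loops
                new = (d, (z,) + tuple(p))
                if new not in paths[z]:
                    paths[z].add(new)
                    changed = True
        inbox.clear()
    return dict(paths)


def forged_as_A():
    """M holds only its own link keys, so it cannot produce 'A says ...' for B."""
    tup = ["path", "A", "Q", ["A", "Q"]]
    return {"to": "B", "msg": {"from": "A", "tuple": tup, "mac": mac(link_key("M", "B"), tup)}}


def lie_as_M():
    """M signs as itself: origin is authentic, content is false (there is no link M-Q)."""
    return {"to": "B", "msg": sign("M", "B", ["path", "M", "Q", ["M", "Q"]])}


if __name__ == "__main__":
    for node, ps in sorted(run(LINKS).items()):
        print(node, sorted(ps))
    print("forged accepted:", any(d == "Q" for d, _ in run(LINKS, [forged_as_A()])["B"]))
    print("lie accepted:   ", any(d == "Q" for d, _ in run(LINKS, [lie_as_M()])["B"]))
```

The two attacker cases at the end separate what says does from what it does not do. The forgery in A's name is rejected because M cannot compute a MAC under the A-B key, so "A says path(...)" is never a fact at B and R3 cannot fire. The path that M signs as itself is accepted and propagated, because says settles who made a statement, not whether it is true; this is the "trusted but not trustworthy?" question raised on slide 27, and the reason Example 2 goes further and certifies node identifiers.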

    26. Example 2: Secure DHT Identifiers
       Security weakness in DHTs: malicious nodes occupy a large part of the key space
       Solution: certified node identifiers from a CA
       - 5 additional rules to P2-Chord; details in the paper
       - Nodes have different roles: CA, landmark, joining node, etc.
       - Certificates can be forwarded from one node to another: use of the honesty constraint
       Another example: DNSSEC

    27. Ongoing Work
       Implementation in the P2 system:
       - says construct
       - Communication via signed certificates
       - Rule bodies within context
       Implement a variety of secure networks, e.g. DNSSEC, secure routing, secure DHTs, trust management in extensible testbeds, P2P information sharing, your suggestions!
       Cross-layer analysis and optimizations:
       - Exploit fine-grained control over security and networks
       - Authenticity of routing table entries: a logic proof of why an entry is there
       - Trusted but not trustworthy?
       - Optimize protocols to favor trusted nodes

    28. Future Work
       Query language issues:
       - Logic-based trust management: SD3, SecPAL, D1LP
       - Distributed Datalog: ubQL, d3log
       - Data integration: Tsimmis
       Different approach: we started from Binder and NDlog, with lots of domain knowledge but biased. What if we design from scratch?
       - Sending / receiving & distributed computations
       - Notion of context
       - Trust relationships
       - Continuous incremental evaluations

    29. Thank You
