
Logic and Logic Programming in Distributed Access Control (Part One)

Logic and Logic Programming in Distributed Access Control (Part One). Ninghui Li, Department of Computer Science and CERIAS, Purdue University. Outline: a brief introduction to access control; a brief introduction to trust management; logic-based semantics for SDSI; distributed deduction for RT0.





Presentation Transcript


  1. Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS Purdue University Ninghui Li (Purdue University)

  2. Outline • A brief introduction to access control • A brief introduction to trust management • Logic-based semantics for SDSI • Distributed deduction for RT0

  3. What is Access Control? • Quote from Security Engineering by Ross Anderson: • Its function is to control which principals (persons, processes, machines, …) have access to which resources in the system: which files they can read, which programs they can execute, and how they share data with other principals, and so on.

  4. Access Control is Useful • Access control is pervasive: • memory management hardware, OS (Unix, Windows, etc.), middleware, databases, mobile code (Java, etc.), firewalls • Quote from Security Engineering: • Access control is the traditional center of gravity of computer security. It is where security engineering meets computer science.

  5. Basic Access Control Scenario • Elements: • objects (resources) • requests for operations on objects • sources for requests, called subjects or principals • a reference monitor to decide on requests • Basic steps: • authentication • authorization • audit

  6. Access Matrix: History • Lampson 1971 • “Protection” [Reprinted in ACM Operating Systems Review 1974] • Refined by Graham and Denning 1972 • “Protection: Principles and Practice” [AFIPS Spring Joint Computer Conference] • Harrison, Ruzzo, and Ullman 1976 • “Protection in Operating Systems” [CACM]

  7. Access Matrix • A set of subjects S • A set of objects O, with S ⊆ O (every subject is also an object) • A set of rights R • An access control matrix A: • one row for each subject • one column for each object (subjects included) • each cell A[s,o] contains the rights that subject s has over object o

  8. The Graham-Denning Model • Each subject/object has an owner • Each subject has a controller (which may be itself) • A right may be transferable or nontransferable • a right with a * is transferable

  9. Sample Commands in Graham-Denning Model • subject x grants a right r/r* on object o to subject s • precondition: ‘owner’ in A[x,o] • stores r/r* in A[s,o] • subject x transfers a right r/r* on object o to subject s • precondition: r* in A[x,o] • stores r/r* in A[s,o]

  10. The HRU Model • Based on the access matrix, but allows an arbitrary set of commands • Considers properties of an access control system as its state changes • A protection system has • a finite set of generic rights • a finite set of commands

  11. Commands • A command has the form:
      command α(X1, X2, …, Xk)
        if r1 in (Xs1, Xo1) and … and rc in (Xsc, Xoc)
        then op1 … opn
      end
  • where the Xi are formal parameters (subjects or objects), each ri is a right, and each opj is a primitive operation

  12. Primitive Operations • enter r into (Xs, Xo) • delete r from (Xs, Xo) • create subject Xs • create object Xo • delete subject Xs • delete object Xo

  13. A Protection System as a State Transition System • The matrix is the state • State changes by executing commands • The (Simple) Safety Analysis Problem • determine whether a specific subject could get certain access to a specific object in some state

  14. Simple Safety Analysis in the HRU Model is Undecidable • Any Turing machine can be encoded as a protection system • Surprising? Maybe not so much: • the commands basically give the full power of a programming language
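The protection-system model of slides 7 to 14, as an added worked example in Python (written for this page; it is not code from the slides or from the HRU paper). It encodes the access matrix as a state, the two Graham-Denning commands of slide 9 as HRU commands with a precondition followed by primitive operations, and answers the simple safety question of slide 13 by bounded breadth-first search. The generic rights `read` and `write`, the `owner` right, the naming of fresh subjects and the search bound are assumptions made for the example.

```python
"""Added example (not from the slides): a small HRU-style protection system.

A state is the access matrix of slide 7: (subjects, objects, cells), where
cells is a frozenset of (s, o, right) triples (the non-empty matrix entries)
and every subject is also an object. Commands have the shape of slide 11
(precondition on cells, then primitive operations of slide 12); the two
Graham-Denning commands of slide 9 are encoded as HRU commands. The generic
rights, the fresh-subject naming and the search bound are assumptions made
for this example.
"""
from collections import deque

RIGHTS = ("read", "write")   # generic rights (assumed); "r*" is transferable r
OWNER = "owner"


def initial_state(subjects, objects, cells):
    subjects = frozenset(subjects)
    return (subjects, frozenset(objects) | subjects, frozenset(cells))


# Primitive operations (slide 12), as pure functions returning a new state.
def enter(state, s, o, r):
    subj, obj, cells = state
    return (subj, obj, cells | {(s, o, r)})


def create_subject(state, creator, new):
    # HRU "create subject"; recording the creator as owner of the new subject
    # is an assumption of this example (HRU leaves that to the command body).
    subj, obj, cells = state
    return (subj | {new}, obj | {new}, cells | {(creator, new, OWNER)})


def successors(state):
    """Yield (command instance, next state) for every enabled command (slide 11):
    a command fires only when its precondition holds in the current matrix."""
    subj, obj, cells = state
    for x, o, r in cells:
        if r == OWNER:
            # Graham-Denning 'grant' (slide 9): 'owner' in A[x,o] => store r or r* in A[s,o]
            for s in subj:
                for right in RIGHTS:
                    for stored in (right, right + "*"):
                        yield f"grant({x},{o},{s},{stored})", enter(state, s, o, stored)
        elif r.endswith("*"):
            # Graham-Denning 'transfer' (slide 9): r* in A[x,o] => store r or r* in A[s,o]
            for s in subj:
                for stored in (r[:-1], r):
                    yield f"transfer({x},{o},{s},{stored})", enter(state, s, o, stored)
    # HRU commands may create subjects, so the state space is unbounded.
    n = 0
    while f"p{n}" in obj:
        n += 1
    new = f"p{n}"
    for x in subj:
        yield f"create_subject({x},{new})", create_subject(state, x, new)


def simple_safety(state, target, max_steps):
    """Simple safety question (slide 13): can subject s obtain right r on object o?

    Bounded breadth-first search over reachable states. Returns the shortest
    command sequence that puts r (or transferable r*) into A[s,o], or None if
    none is found within max_steps. None is not a proof of safety: the problem
    is undecidable for general HRU systems (slide 14), so a bounded search can
    only find leaks, never rule them out."""
    s, o, r = target
    seen = {state}
    queue = deque([(state, ())])
    while queue:
        cur, trace = queue.popleft()
        cells = cur[2]
        if (s, o, r) in cells or (s, o, r + "*") in cells:
            return list(trace)
        if len(trace) >= max_steps:
            continue
        for desc, nxt in successors(cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (desc,)))
    return None


if __name__ == "__main__":
    # Constructed input: alice owns file f and holds transferable read on it; bob is a subject.
    s0 = initial_state({"alice", "bob"}, {"f"},
                       {("alice", "f", OWNER), ("alice", "f", "read*")})
    print(simple_safety(s0, ("bob", "f", "read"), 3))   # one grant or transfer suffices
    print(simple_safety(s0, ("bob", "f", OWNER), 3))    # no command ever enters 'owner' on f
```

Because `successors` enumerates only command instances whose precondition holds, the search stays small for a handful of subjects; the `create_subject` command is what makes the general problem unbounded, and raising `max_steps` only pushes the horizon of the search out, which is the practical face of the undecidability result on slide 14.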

  15. Outline • A brief introduction to access control • A brief introduction to trust management • Logic-based semantics for SDSI • Distributed deduction for RT0

  16. The Problem Trust Management Addresses: Distributed Authorization • Flexible and scalable access control in large-scale, open, distributed, decentralized systems • electronic commerce: • transaction authorization • application-level / business-policy authorization • resource sharing in decentralized systems • coalitions, multi-centric collaborative systems • grid computing • health care

  17. Characteristics of Distributed Authorization • No central administration: each service makes its own decision • No relationship between a service and a user prior to a request • knowing a user’s name may not help • must rely on information from third parties to make the authorization decision (delegation) • Authorization information is distributed • Communication channels may be insecure

  18. Example (diagram): EPub grants access to university students; it trusts ABU to certify universities and trusts universities to certify students. Credentials in the picture: ABU certifies that StateU is a university, and StateU certifies that Alice is a student. Parties: EPub, Alice, StateU, ABU.

  19. Example (diagram): a Medical Database grants access to physicians; it trusts CBH to certify hospitals and trusts hospitals to certify physicians. Credentials in the picture: CBH certifies that Hospital A is a hospital, and Hospital A certifies that Alice is a physician. Parties: Medical Database, Alice, Hospital A, CBH.

  20. The Trust-Management (TM) Approach • Multicentric access control using delegation • access control decisions are based on distributed policy statements issued by multiple principals • policy statements contain • attributes of principals such as permissions, roles, qualifications, characteristics • trust relationships

  21. Common characteristics of TM systems • Use public-key certificates for non-local statements • Treat public keys as principals to be authorized • authentication consists of verifying signatures • Adopt the peer model of authorization • an entity can be an authorizer, a requester, or a credential provider (trusted 3rd party) • Treat the authorization decision problem as an application-independent “proof-of-compliance” problem

  22. Digital Signature Scheme • Key space: a set of key pairs (K, K^-1) • K is the verification key and is publicly available • K^-1 is the signing key and is kept private • A signing algorithm sig • sig(K^-1, M) outputs a digital signature σ on M • A verification algorithm ver • ver(K, M, σ) outputs yes or no • ver(K, M, sig(K^-1, M)) = yes • without knowing K^-1, it is difficult to find x such that ver(K, M, x) = yes

  23. Using digital signatures • A digital signature on a message provides: • Authentication • Data integrity • Non-Repudiation • A request may be digitally signed • Knowing a request is signed by a particular key is not enough • who owns that key?

  24. Public-Key Certificates • A certificate is a data record together with a digital signature • A certificate is issued by a public key K • signed with K^-1 • A certificate binds some information to another public key • It can be verified by anyone who knows the issuer’s public key • but can one trust the issuer’s public key?

  25. Existing Kinds of Public Key Infrastructures (PKIs) • X.509 certificates • certificates are issued (signed) by certification authorities (CA’s). • CA’s may be arranged in a hierarchy • certificates form a chain • Used by numerous applications: SSL, IPSec, etc. • PGP • everyone can issue certificates, which bind email addresses to public keys

  26. Early Trust Management Languages • PolicyMaker • Blaze, Feigenbaum & Lacy: “Decentralized Trust Management”, S&P’96. • Blaze, Feigenbaum & Strauss: “Compliance-Checking in the PolicyMaker Trust Management System”, FC’98. • KeyNote • Blaze, Feigenbaum, Ioannidis & Keromytis: “The KeyNote Trust-Management System, Version 2”, RFC 2704. • SPKI (Simple Public Key Infrastructure) / SDSI (Simple Distributed Security Infrastructure) • Rivest & Lampson: “SDSI: A Simple Distributed Security Infrastructure”, web page, 1996. • Ellison et al.: “SPKI Certificate Theory”, RFC 2693. • Clarke et al.: “Certificate Chain Discovery in SPKI/SDSI”, JCS’01.

  27. Datalog-based Trust Management Languages • Delegation Logic • Li, Grosof & Feigenbaum: “Delegation Logic: A Logic-based Approach to Distributed Authorization”, TISSEC’03. (Conference versions appeared in CSFW’99 and S&P’00) • SD3 (Secure Dynamically Distributed Datalog) • Jim: “SD3: A Trust Management System with Certified Evaluation”, S&P’01. • Binder • DeTreville: “Binder, a Logic-Based Security Language”, S&P’02. • RT: A Family of Role-based Trust-management Languages

  28. Other Closely Related Logic-based Security Languages • ABLP logic (Abadi, Burrows, Lampson, et al.) • Lampson et al.: “Authentication in Distributed Systems: Theory and Practice”, TOCS’92. • Abadi et al.: “A Calculus for Access Control in Distributed Systems”, TOPLAS’93. • QCM (Query Certificate Managers) • Gunter & Jim: “Policy-directed Certificate Retrieval”, SPE’00 • AF logic • Appel & Felten: “Proof-Carrying Authentication”, CCS’99

  29. Issues in Designing Trust Management Languages • Say what you want • Succinctly and directly • With confidence that you said what you meant • Enforcement • Deduction, proof of compliance • Policy development tools • Manage policy lifecycle • Safety analysis, availability

  30. Outline • A brief introduction to access control • A brief introduction to trust management • Logic-based semantics for SDSI • Distributed deduction for RT0

  31. History of SPKI/SDSI • SDSI (Simple Distributed Security Infrastructure) • SDSI 1.0 and 1.1 • Rivest & Lampson • SPKI (Simple Public Key Infrastructure) • SPKI 1.0 (Ellison 1996) • SPKI/SDSI 2.0 • RFC 2693 [1999] • [Clarke et al. JCS’01]

  32. An Example in SDSI 2.0 • SDSI certificates: • (KC access → KC mit faculty secretary) • (KC mit → KM) • (KM faculty → KEECS faculty) • (KEECS faculty → KRivest) • (KRivest secretary → KRivest alice) • (KRivest alice → KAlice) • From the above certificates, KC concludes that KAlice has access

  33. 4-tuple Reduction in RFC 2693 • Name strings can be reduced using 4-tuples • (K1 A1 → K2) reduces “K1 A1 A2 … An” to “K2 A2 … An” • e.g., (KC mit → KM) reduces “KC mit faculty secretary” to “KM faculty secretary” • (K1 A1 → K2 B1 … Bm) reduces “K1 A1 A2 … An” to “K2 B1 … Bm A2 … An” • e.g., (KM faculty → KEECS faculty) reduces “KM faculty secretary” to “KEECS faculty secretary”

  34. Applying 4-tuple Reduction in the Example • KC access → KC mit faculty secretary → KM faculty secretary → KEECS faculty secretary → KRivest secretary → KRivest alice → KAlice

  35. Work on Semantics for SPKI/SDSI • Develop specialized modal logics • Abadi: “On SDSI's Linked Local Name Spaces”, CSFW’97, JCS’98. • Halpern & van der Meyden: • “A logic for SDSI's linked local name spaces”, CSFW’99, JCS’01 • “A Logical Reconstruction of SPKI”, CSFW’01, JCS’03 • Howell & Kotz: “A Formal Semantics for SPKI”, ESORICS’00 • Other approaches • Li: “Local Names in SPKI/SDSI”, CSFW’00 • Jha & Reps: “Analysis of SPKI/SDSI Certificates Using Model Checking”, CSFW’02 • Li & Mitchell: “Understanding SPKI/SDSI Using First-Order Logic”, CSFW’03 (Contains the results presented here)

  36. What is a Semantics? • Elements of a semantics • Syntax for statements • Syntax for queries • An entailment relation that determines whether a query Q is true given a set P of statements

  37. What can we gain by a formal semantics? • Why a semantics • understand what queries can be answered • defines the entailment relation in a way that is precise, easy to understand, and easy to compute • How to say a semantics is good • subjective metrics: • simple, natural, close to original intention • defines answers to a broad class of queries • can use existing work to provide efficient deduction procedures for answering those queries

  38. Concepts in SDSI • Concepts • principals K, K1 • identifiers A, B, A1, e.g., mit, faculty, alice • local names K A, K1 A1, e.g., KM faculty, KRivest alice • name strings K A1 A2 … An, n ≥ 1, e.g., KC mit faculty secretary

  39. Statements in SDSI • 4-tuple (K, A, σ, V) • K is the issuer principal • A is an identifier • σ is a name string (or a single principal) • V is the validity specification • We write (K A → σ) for a 4-tuple • ignoring the validity specification

  40. A Rewriting Semantics for SDSI • A set P of 4-tuples defines a set of rewriting rules, denoted by RS[P] • Queries have the form “can σ1 rewrite into σ2?” • Answering a query is not easy: • one cannot naively search for all ways of rewriting σ1, as there may be recursion • e.g., (K friend → K friend friend) • What can we do?

  41. Deduction Based on the Rewriting Semantics (1) • Limit to queries like “can σ rewrite into K?” • In [Clarke et al.’01], the following closure mechanism is used: • rewrite 4-tuples • e.g., use (KC mit → KM) to rewrite (KC access → KC mit faculty secretary); one gets (KC access → KM faculty secretary) • only shortening 4-tuples are used for rewriting • compute the closure of all such rewritings • then use the resulting shortening 4-tuples to rewrite σ • Search is not goal-directed

  42. Deduction Based on the Rewriting Semantics (2) • Limit to queries like “can σ rewrite into K?” • In [Li’00], the following XSB logic program is given (a name string is a list [Key, Id1, Id2, …]; credential/2 holds the 4-tuples as (local name, name string) pairs and isPrincipal/1 the principals; tabling makes the recursive case terminate; the stray third argument of the last clause in the transcript is a transcription error, the predicate has arity 2 throughout):
      :- table contains/2.
      % contains(NameString, P): the name string rewrites into principal P
      contains([P0, N0, N1 | T], P2) :- contains([P0, N0], P1), contains([P1, N1 | T], P2).
      contains([P0, N0], P) :- credential([P0, N0], CN2), contains(CN2, P).
      contains([P], P) :- isPrincipal(P).

  43. Deduction Based on the Rewriting Semantics (3) • [Li, Winsborough & Mitchell, JCS’03] • develop a graph-based search algorithm for a language RT0, a superset of SDSI • combines bottom-up search and goal-directed top-down search with tabling specifically for the kind of rules in RT0 • can deal with distributed discovery • we will talk about this later

  44. Deduction Based on the Rewriting Semantics (4) • Use techniques for model checking pushdown systems [Jha & Reps CSFW’02] • SDSI rewriting systems correspond to string rewriting systems modeled by pushdown systems • so algorithms for model checking pushdown systems can be used

  45. SDSI and Pushdown Systems (diagram) • A name string corresponds to a configuration of a pushdown system: the principal is the control state and the sequence of identifiers is the stack • Before: state K1, stack A1 B1 B2 … • Apply the rewriting rule K1 A1 → K2 A2 A3 • After: state K2, stack A2 A3 B1 B2 … • “rewrites into” is equivalent to “reaches”

  46. Recap of the Rewriting-based Semantics • Defines answers to queries having the form “can σ1 rewrite into σ2?” • Specialized algorithms (either developed for SDSI or for model checking pushdown systems) are needed • Papers by Abadi and by Halpern and van der Meyden try to come up with axiom systems for the rewriting semantics

  47. Set-based Semantic Intuitions • Each name string is bound to a set of principals • (K A → σ) means the local name “K A” is bound to a superset of the principal set that σ is bound to

  48. Defining Set-based Semantics (1) • A valuation V maps each local name to a set of principals • A valuation V can be extended to map each name string to a set of principals: • V(K) = { K } • V(K A) = V(K A) (a local name keeps its value) • V(K B1 … Bm) = V(K1 B2 … Bm) ∪ … ∪ V(Kn B2 … Bm) • where m > 1 and V(K B1) = {K1, K2, …, Kn}

  49. Defining Set-based Semantics (2) • A 4-tuple (K A → σ) is the following constraint: • V(K A) ⊇ V(σ) • The semantics of P is the least valuation VP that satisfies all the constraints • Queries • “can σ rewrite into K?” is answered by checking “K ∈ VP(σ)” • Does not define answers to “can σ1 rewrite into σ2?” • asking whether VP(σ1) ⊆ VP(σ2) is incorrect (the sets can be in the subset relation without any rewriting sequence from σ1 to σ2)

  50. A Logic-Programming-based Semantics Derived from the Set-based Semantics • Translate each 4-tuple into an LP clause • Using a ternary predicate m • m(K, A, K’) is true if K’ ∈ V(K A) • (K A → K’) to m(K, A, K’) • (K A → K1 A1) to m(K, A, ?x) :- m(K1, A1, ?x) • (K A → K1 A1 A2) to m(K, A, ?x) :- m(K1, A1, ?y1), m(?y1, A2, ?x) • (K A → K1 A1 A2 A3) to m(K, A, ?x) :- m(K1, A1, ?y1), m(?y1, A2, ?y2), m(?y2, A3, ?x) • The minimal Herbrand model determines the semantics
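The set-based semantics of slides 47 to 49 and its logic-programming translation on slide 50, applied to the certificate example of slides 32 to 34, as an added worked example in Python (written for this page; it is not code from the slides or from the Li and Mitchell paper). The least valuation is computed by naive bottom-up iteration, which is this example's choice of procedure; it yields the minimal Herbrand model of the m/3 clauses. Principal and identifier names are those of slide 32; the `FRIENDS` input reproduces the recursive 4-tuple of slide 40 and is constructed here.

```python
"""Added example (not from the slides): the set-based semantics of SDSI 4-tuples
(slides 48-49) and its logic-programming reading (slide 50), in Python.

A 4-tuple (K A -> sigma) is represented as ((K, A), [K1, A1, ..., An]); the
validity field is ignored as on slide 39. Computing the least valuation by
naive bottom-up iteration is a choice made for this example; the result is
the minimal Herbrand model of the m/3 clauses of slide 50.
"""


def value(valuation, name_string):
    """Extend a valuation on local names to name strings (slide 48):
    V(K) = {K}; V(K A) = V(K A); V(K B1 ... Bm) = union of V(Kj B2 ... Bm) for Kj in V(K B1)."""
    key, *identifiers = name_string
    current = {key}
    for ident in identifiers:
        current = set().union(*(valuation.get((k, ident), set()) for k in current))
    return current


def least_valuation(tuples):
    """Least valuation V_P with V(K A) ⊇ V(sigma) for every 4-tuple (K A -> sigma) (slide 49).
    Iterates to a fixpoint; it terminates because the set of principals is finite and
    each round only adds principals, so the recursive (K friend -> K friend friend)
    of slide 40 is harmless here."""
    valuation = {}
    changed = True
    while changed:
        changed = False
        for (k, a), sigma in tuples:
            derived = value(valuation, sigma)
            bound = valuation.setdefault((k, a), set())
            if not derived <= bound:
                bound |= derived
                changed = True
    return valuation


def rewrites_to(tuples, name_string, principal):
    """Query of slide 49: 'can name_string rewrite into principal?' iff principal ∈ V_P(name_string)."""
    return principal in value(least_valuation(tuples), name_string)


def to_clause(four_tuple):
    """Translate one 4-tuple into the m/3 clause of slide 50 (m(K, A, K') iff K' ∈ V(K A))."""
    (k, a), (key, *identifiers) = four_tuple
    if not identifiers:
        return f"m({k}, {a}, {key})."
    variables = [f"?y{i}" for i in range(1, len(identifiers))] + ["?x"]
    body, source = [], key
    for ident, var in zip(identifiers, variables):
        body.append(f"m({source}, {ident}, {var})")
        source = var
    return f"m({k}, {a}, ?x) :- {', '.join(body)}."


# Certificates from slide 32 (validity specifications omitted).
CERTS = [
    (("KC", "access"), ["KC", "mit", "faculty", "secretary"]),
    (("KC", "mit"), ["KM"]),
    (("KM", "faculty"), ["KEECS", "faculty"]),
    (("KEECS", "faculty"), ["KRivest"]),
    (("KRivest", "secretary"), ["KRivest", "alice"]),
    (("KRivest", "alice"), ["KAlice"]),
]

# Constructed input around the recursive 4-tuple of slide 40: naive rewriting
# of "K friend" would loop, the fixpoint computation does not.
FRIENDS = [
    (("K", "friend"), ["K", "friend", "friend"]),
    (("K", "friend"), ["K1"]),
    (("K1", "friend"), ["K2"]),
]

if __name__ == "__main__":
    for cert in CERTS:
        print(to_clause(cert))
    print(rewrites_to(CERTS, ["KC", "access"], "KAlice"))   # KC concludes KAlice has access
    print(value(least_valuation(FRIENDS), ["K", "friend"]))  # {'K1', 'K2'}
```

The query answered here is the one slide 49 defines, membership of a principal in V_P(σ). The caveat on that slide can be checked with the same functions: for the two 4-tuples (K a → K1) and (K b → K1), V_P(K a) ⊆ V_P(K b) holds, yet no rewriting sequence takes “K a” to “K b”, so set inclusion must not be read as the answer to “can σ1 rewrite into σ2?”.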
