Belief Semantics of Authorization Logic Andrew Hirsch and Michael Clarkson George Washington University Cornell University DCAPS January 24, 2014


Slide 2: Formal Reasoning about Authorization

Standard policies: DAC, MAC, …

Formula-based policies: determine access decision on basis of whether properties hold
• specify why access should be permitted
• useful in distributed systems

[Figure: a DAC access-control matrix with subjects subj1–subj3 and objects obj1–obj3, entries r or r,w (e.g. subj1 has r,w on obj1 and r on obj2 and obj3); and a MAC lattice Unclassified < Confidential < Secret < Top Secret, annotated “No read up, No write down”]

Slides 3–6: Credentials-based Authorization

a.k.a. claims-based authorization and proof-carrying authorization

• Credentials φ, ψ, …: each credential is a claim or belief about the world, written as a formula in authorization logic
• Goal formula: must be satisfied to grant request α
• Guard: uses logical inference to derive goal formula from credentials

This work: increase trustworthiness of reasoning in authorization logic

[Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]

Slide 7: Increased Trustworthiness

[Hirsch and Clarkson, CCS 2013]

New belief semantics for authorization logic
• purpose of semantics: interpret formulas in model of real world
• standard Kripke semantics: requires technical machinery not related to real world
• belief semantics: way to interpret formulas in a straightforward, systems-oriented model; belief subsumes Kripke

Sound proof system for both semantics
• proof system “has no bugs”
• found unsoundness in existing logic

Machine-checked proof of soundness
• proof that “proof system ‘has no bugs’” itself has no bugs

Slides 8–9: FOCAL

First-Order: quantifiers ∀ ∃; functions, relations
Constructive: connectives ∧ ∨ ⇒ ¬
Authorization Logic: attribution of beliefs (says); delegation (speaksfor)

FOCAL = NAL −− [Schneider, Walsh & Sirer 2011] = CDD ++ [Abadi 2007]
(NAL with some features removed, CDD with some features added; see the FOCAL vs. NAL and FOCAL vs. CDD extra slides)

This talk ignores the FOC (first-order constructive) fragment.

Slide 10: Authorization Logic (Review)

Two distinguishing features:
1. Attribute beliefs to principals: p says φ
• source matters: p says φ and q says φ aren’t the same
• not all-seeing: φ holds doesn’t mean p says φ
• not infallible: maybe p says φ but φ doesn’t hold

[Figure: a principal who says “winter is coming”]

Slide 11: Authorization Logic (Review)

Two distinguishing features:
1. Attribute beliefs to principals: p says φ

How do principals form beliefs?
• Start with initial beliefs
• Add to beliefs by querying state of system and by receiving credentials from other principals
• Infer new beliefs by logical inference from existing beliefs

Worldview: snapshot of principal’s beliefs [Schneider, Walsh & Sirer 2011]

Slide 12: Authorization Logic (Review)

Two distinguishing features:
2. Enable delegation between principals: p speaksfor q
…if p says something, it’s as if q says it, too
worldview(p) ⊆ worldview(q)

[Figure: p speaksfor q drawn between the envoy (p) and the king (q), so the king delegates to the envoy; restricted delegation is written “speaksfor on {treaties}”]

Slide 13: Authorization Logic (Review)

Goal formula: King says OpenChest

Credentials:
  King says (Envoy speaksfor King)
  Envoy says OpenChest

therefore Envoy speaksfor King
therefore King says OpenChest
therefore goal formula satisfied and chest is opened
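The derivation on this slide, run by a toy guard. This is an added example, not code from the slides or from the FOCAL paper: the tuple encoding of formulas, the three forward-chaining rules (hand-off, delegation, transitivity of speaksfor) and the contrast case with a self-issued delegation are my own simplification, and the real FOCAL proof system is a natural-deduction system whose first-order and constructive connectives are left out here.

```python
# Added example (not from the slides or the FOCAL paper): a toy forward-chaining
# guard for the says / speaksfor fragment, run on the King/Envoy credentials of
# this slide.  Formula encoding, rule set and principal/atom names are my own
# simplification of the rules the slides allude to.

def says(p, phi):
    """p says phi, encoded as a tuple."""
    return ("says", p, phi)

def speaksfor(p, q):
    """p speaksfor q, encoded as a tuple."""
    return ("speaksfor", p, q)

def is_says(f):
    return isinstance(f, tuple) and f[0] == "says"

def is_speaksfor(f):
    return isinstance(f, tuple) and f[0] == "speaksfor"

def step(facts):
    """One round of the assumed rule set: hand-off, delegation, transitivity."""
    new = set(facts)
    for f in facts:
        # Hand-off: q says (p speaksfor q) yields p speaksfor q.
        # Only q itself can hand off q's authority, so a self-issued
        # "Envoy says (Envoy speaksfor King)" does not fire this rule.
        if is_says(f) and is_speaksfor(f[2]) and f[2][2] == f[1]:
            new.add(f[2])
        if is_speaksfor(f):
            p, q = f[1], f[2]
            for g in facts:
                # Delegation: p speaksfor q and p says phi yield q says phi.
                if is_says(g) and g[1] == p:
                    new.add(says(q, g[2]))
                # Transitivity: p speaksfor q and q speaksfor r yield p speaksfor r.
                if is_speaksfor(g) and g[1] == q:
                    new.add(speaksfor(p, g[2]))
    return new

def derive(credentials, goal, max_rounds=100):
    """Close the credential set under the rules until nothing new appears and
    report whether the goal formula is in the closure: (derivable, closure)."""
    facts = set(credentials)
    for _ in range(max_rounds):
        nxt = step(facts)
        if nxt == facts:
            break
        facts = nxt
    return goal in facts, frozenset(facts)

# Constructed credentials, as on the slide.
GOAL = says("King", "OpenChest")
KING_ENVOY = {
    says("King", speaksfor("Envoy", "King")),  # the King hands off to the Envoy
    says("Envoy", "OpenChest"),                # the Envoy makes the request
}
# Constructed contrast case: the Envoy asserts the delegation himself.
SELF_ISSUED = {
    says("Envoy", speaksfor("Envoy", "King")),
    says("Envoy", "OpenChest"),
}

if __name__ == "__main__":
    ok, closure = derive(KING_ENVOY, GOAL)
    print("King/Envoy credentials grant the request:", ok)
    print("Self-issued delegation grants the request:", derive(SELF_ISSUED, GOAL)[0])
```

With the King's credential the closure gains Envoy speaksfor King (hand-off) and then King says OpenChest (delegation), so the guard grants; with the Envoy's self-issued delegation the hand-off rule never fires and the goal stays underivable, which is exactly the "source matters" point of slide 10.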

Slides 14–16: Trustworthiness of Reasoning

Q: How do we know reasoning is right?
A: Formal proof system: mechanical reasoning (⊢ ψ)
Q: How do we know proof system is right?
A: Proof of soundness: system is consistent with some model of reality
Q: How do we get that model?
A: Need semantics: how to interpret formulas… (⊨ ψ)
The more natural the model, the better.

Our new belief semantics…

Slide 17: Belief Semantics

Use possible worlds to model system state

[Figure: two possible worlds, each labelled with its facts]
World 1 facts: It’s cold in DC. x=42. TCP port 443 is open.
World 2 facts: It’s cold in DC. x=43. TCP port 443 is open.

Slide 18: Belief Semantics

Each principal p has its own worldview ω(w,p) at world w
φ ∊ ω(w,p) means: at world w, p believes φ

[Figure: ω(w, princess), ω(w, envoy), ω(w, king)]

Why include w as parameter to ω? …so that beliefs can depend on system state

[Konolige 1983; Burrows, Abadi & Needham 1988; Appel & Felten 1999; Schneider, Walsh & Sirer 2011]

Slides 19–20: Belief Semantics

Belief model B: worldviews ω, …machinery for first-order logic, …machinery for constructive logic

Worldviews must be closed under logical consequence …principals believe all consequences of their beliefs

validity judgment: B,w ⊨ ψ

Slide 21: Belief Semantics

B,w ⊨ p says φ   iff   φ ∊ ω(w,p)

(simplified to avoid machinery of constructive FOL)

Slide 22: Belief Semantics

B,w ⊨ p speaksfor q   iff   ω(w,p) ⊆ ω(w,q)

[Figure: worldview(p) ⊆ worldview(q)]

(simplified to avoid machinery of constructive FOL)
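The two validity clauses of slides 21 and 22 as a finite model checker, together with the belief hand-off healthiness condition from the extra slides. This is an added example, not the authors' Coq development: the first-order and constructive machinery is omitted exactly as the slides do, the closed-form `BeliefStructure` class and the world, principal and atom names are constructed, and the hand-off check is my reading of the condition "(q says (p speaksfor q)) ⇒ (p speaksfor q)".

```python
# Added example (not the authors' Coq development): a finite belief structure
# for the says / speaksfor fragment.  Worlds carry atomic facts; omega(w, p)
# is the set of formulas principal p believes at world w.  Names are constructed.

def says(p, phi):
    return ("says", p, phi)

def speaksfor(p, q):
    return ("speaksfor", p, q)

class BeliefStructure:
    def __init__(self, facts, omega):
        self.facts = {w: frozenset(fs) for w, fs in facts.items()}  # w -> atoms true at w
        self.omega = {k: frozenset(v) for k, v in omega.items()}    # (w, p) -> worldview
        self.principals = sorted({p for (_, p) in omega})

    def worldview(self, w, p):
        return self.omega.get((w, p), frozenset())

    def holds(self, w, phi):
        """B,w |= phi for atoms, says and speaksfor (the simplified clauses)."""
        if isinstance(phi, str):                 # atom: consult the system state at w
            return phi in self.facts[w]
        kind, a, b = phi
        if kind == "says":                       # B,w |= p says phi  iff  phi in omega(w,p)
            return b in self.worldview(w, a)
        if kind == "speaksfor":                  # B,w |= p speaksfor q  iff  omega(w,p) ⊆ omega(w,q)
            return self.worldview(w, a) <= self.worldview(w, b)
        raise ValueError(f"unknown connective {kind!r}")

    def handoff_violations(self):
        """Belief hand-off: if q believes (p speaksfor q) at w, then p speaksfor q
        must hold at w.  Returns the (world, p, q) triples that break this."""
        bad = []
        for w in self.facts:
            for p in self.principals:
                for q in self.principals:
                    believed = speaksfor(p, q) in self.worldview(w, q)
                    if believed and not self.holds(w, speaksfor(p, q)):
                        bad.append((w, p, q))
        return bad

# Constructed model: at w1 the King has handed off to the Envoy, at w2 he has not,
# so the same request succeeds or fails depending on system state (slide 18).
COURT = BeliefStructure(
    facts={"w1": {"ChestLocked"}, "w2": {"ChestLocked"}},
    omega={
        ("w1", "King"): {speaksfor("Envoy", "King"), "OpenChest"},
        ("w1", "Envoy"): {"OpenChest"},
        ("w2", "King"): set(),
        ("w2", "Envoy"): {"OpenChest"},
    },
)

# Constructed unhealthy model: the King believes the delegation, but his worldview
# does not contain what the Envoy says, so the hand-off condition fails.
BROKEN = BeliefStructure(
    facts={"w": set()},
    omega={
        ("w", "King"): {speaksfor("Envoy", "King")},
        ("w", "Envoy"): {"OpenChest"},
    },
)

def grants(model, w):
    """The guard's question at world w: does the goal 'King says OpenChest' hold?"""
    return model.holds(w, says("King", "OpenChest"))

if __name__ == "__main__":
    for w in ("w1", "w2"):
        print(w, "grants:", grants(COURT, w),
              "| Envoy speaksfor King:", COURT.holds(w, speaksfor("Envoy", "King")))
    print("hand-off violations in BROKEN:", BROKEN.handoff_violations())
```

Note that in a healthy structure speaksfor is not a credential the guard trusts on its own: it is a fact about two worldviews, and the hand-off condition is what ties the King's belief in the delegation to that subset relation.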

Slide 23: Other Semantics for Authorization Logic?

Usual semantics is based on Kripke semantics of modal logic …because says is like ◽ (the modal box operator)

[Abadi, Burrows, Lampson & Plotkin 1991; Howell 2000; Garg & Abadi 2008; Garg 2008; Genovese, Garg & Rispoli 2012]

Slide 24: Kripke Semantics (Review)

K,w ⊨ p says φ   iff   for all worlds w’ such that w ≤p w’ : K,w’ ⊨ φ

≤p (accessibility relation): w ≤p w’ means: given information in world w, p considers world w’ possible

Slide 25: Belief Semantics vs. Kripke Semantics

belief semantics:  B,w ⊨ p says φ   iff   φ ∊ ω(w,p)
Kripke semantics:  K,w ⊨ p says φ   iff   for all w’ : w ≤p w’ implies K,w’ ⊨ φ

Belief semantics directly captures intuition about sets of beliefs… Kripke semantics doesn’t; it indirects through accessibility relations

Slide 26: Belief Semantics vs. Kripke Semantics

belief semantics:  B,w ⊨ p speaksfor q   iff   ω(w,p) ⊆ ω(w,q)
Kripke semantics:  K,w ⊨ p speaksfor q   iff   ≤p ⊇ ≤q

Again, belief semantics directly captures intuition about sets of beliefs

Just an issue of style? …belief semantics more faithfully model reality

Slides 27–30: Belief Semantics vs. Kripke Semantics

Which is more expressive?

Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B.
Proof idea: at each world, form the set of all formulas said by a principal in K. Make that the principal’s worldview in B.

Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures.

[Figure: Kripke structures drawn as a proper subset of belief structures]

…so belief semantics subsume Kripke semantics

Slides 31–33: FOCAL Proof System

Proof theory: calculate with formulas: Γ ⊢ φ (derivability judgment)
as opposed to…
Model theory: interpret meaning of formulas: B,w ⊨ φ (validity judgment)

[Figure: the FOCAL inference rules]

1. Natural deduction proof system with localized hypotheses
2. Rules themselves are well-known but this seems to be a mildly novel combination

Slide 34: Soundness

Theorem. If φ is derivable from Γ, then φ is valid in any belief model of Γ.
Theorem. If φ is derivable from Γ, then φ is valid in any Kripke model of Γ.

Proof. Mechanized in Coq (about 2,400 LoC).

First mechanized proof of soundness for authorization logic! …increases trustworthiness of logic

Slide 35: Soundness

Nexus Authorization Logic (NAL) [Schneider, Walsh & Sirer 2011]
• Has a formal proof system
• Has an informal semantics (worldviews, main inspiration for FOCAL)

Fact: NAL proof system permits derivation of a formula that is
• invalid in our formal belief semantics
• not intended to be valid by NAL designers
…NAL is unsound (but easily fixed)

Formal semantics and proofs of soundness yield a more trustworthy logic!

Slide 36: Related Work

CDD [Abadi 2007]
NAL [Schneider, Walsh & Sirer 2011]
ICL [Garg & Abadi 2008]
DTL0 [Garg 2008]
BLsf [Genovese, Garg & Rispoli 2012]
Unnamed logics [Garg & Pfenning 2006] [Howell 2000]

Many other logics and systems: Taos, PCA, SPKI/SDSI, Delegation Logic, Cassandra, PolicyMaker, Referee, KeyNote, SD3, Binder, Soutei, SecPAL, DKAL, Alpaca, WS-Policy, Grey, …

FOCAL builds on many of these, and makes new contributions…

Slide 37: Summary

• FOCAL: first-order constructive authorization logic
• First formal belief semantics for authorization logic
• Transformation from Kripke semantics to belief semantics: belief subsumes Kripke
• Sound proof system for both semantics: found unsoundness in existing logic
• First machine-checked proof of soundness for authorization logic

…increased trustworthiness of authorization logic


Slide 39: Future Work

• Completeness
• Verified theorem checker
• Semantics of group principals

Slide 40: Extra Slides

Slide 41: Completeness of FOCAL?

Starting points to get completeness result:
• ICL [Garg & Abadi 2008]: uses different (lax logic) semantics of says
• DTL0 [Garg 2008]: doesn’t have speaksfor
• BLsf [Genovese, Garg & Rispoli 2012]: uses different (strong) semantics of speaksfor

Slide 42: Weak Speaksfor

Weak speaksfor: p speaksfor q   iff   “for all φ” : p says φ ⇒ q says φ

Kripke semantics of speaksfor are stronger [Howell 2000] (principals speak for one another less often)

WSF condition in our paper is ugly but needed to make Kripke semantics behave

Might eliminate WSF by introducing some second-order model theory

Slide 43: FOCAL vs. NAL

FOCAL = NAL
  − 2nd-order quantification
  + primitive speaksfor
  − restricted delegation
  − subprincipals
  − group principals

Slide annotations: “simplicity”, “open!”

NAL: Schneider, Walsh & Sirer 2011

Slide 44: FOCAL vs. CDD

FOCAL = CDD
  − 2nd-order quantification
  + primitive speaksfor
  + 1st-order quantification & terms

CDD: Abadi 2007

Slide 45: Belief vs. Knowledge

FOCAL (et al.) is a logic of belief: principals who issue credentials are expressing a belief about state of system
• they might be wrong
• they might be malicious

Logic of knowledge would impose axiom: (p says φ) ⇒ φ

Slide 46: Healthiness Conditions (Belief)

Worldview closure: principals believe all consequences of their beliefs

Says transparency: any number of says is equivalent to just one says

Belief hand-off: ensure validity of hand-off: (q says (p speaksfor q)) ⇒ (p speaksfor q)

Slide 47: Healthiness Conditions (Kripke)

IT: principal accessibility relations are “intuitionistically” transitive
ID: principal accessibility relations are “intuitionistically” dense
F2: technical condition from constructive modal logic literature to achieve soundness
H: ensure validity of hand-off
WSF: weak speaksfor, to get equivalence with belief semantics

Slide 48: Countermodel for Belief → Kripke

World w: X does not hold; ω(w,p) = {X}
So B,w ⊨ p says X

What can ≤p be?
• If empty, then p says false, but false isn’t in ω(w,p)
• If w ≤p w, then K,w ⊭ p says X, but X is in ω(w,p)

Either way, Kripke semantics is not equivalent to belief semantics
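The Kripke-to-belief transformation of slides 27–30 and the countermodel of this slide, both checked on finite structures. This is an added example, not code from the paper or its Coq proofs: the structures use a classical (non-intuitionistic) reading of the says clause from slide 24, cover only atoms and says (the speaksfor clause is left out because matching it across the two semantics needs the paper's WSF condition), and the worlds, principals, atoms and the `FALSE` atom standing in for ⊥ are constructed. The countermodel search enumerates every possible accessibility relation for p over the single world, which generalizes the two cases the slide lists.

```python
# Added example (not from the paper or its Coq proofs): finite classical Kripke
# structures for the says fragment, the Kripke-to-belief transformation
# omega(w,p) := { psi : K,w |= p says psi }, and the slide-48 countermodel
# checked against every candidate accessibility relation.  Names are constructed.

from itertools import combinations

def says(p, phi):
    return ("says", p, phi)

FALSE = "false"   # constructed atom that holds in no world, standing in for ⊥

class KripkeStructure:
    def __init__(self, facts, access):
        self.facts = {w: frozenset(fs) for w, fs in facts.items()}   # w -> atoms true at w
        self.access = {p: frozenset(r) for p, r in access.items()}   # p -> pairs (w, w') of <=_p

    def holds(self, w, phi):
        if isinstance(phi, str):
            return phi in self.facts[w]
        _, p, psi = phi
        # K,w |= p says psi  iff  K,w' |= psi for every w' with w <=_p w'
        return all(self.holds(w2, psi) for (w1, w2) in self.access.get(p, ()) if w1 == w)

def belief_holds(facts, omega, w, phi):
    """Belief clause for the same fragment: p says psi iff psi is in omega(w, p)."""
    if isinstance(phi, str):
        return phi in facts[w]
    _, p, psi = phi
    return psi in omega.get((w, p), frozenset())

def kripke_to_belief(K, universe):
    """The transformation from the slides, restricted to a finite formula universe."""
    return {(w, p): frozenset(psi for psi in universe if K.holds(w, says(p, psi)))
            for w in K.facts for p in K.access}

def equivalent(K, omega, universe):
    """K,w |= phi iff B,w |= phi for every world and every formula in the universe."""
    return all(K.holds(w, phi) == belief_holds(K.facts, omega, w, phi)
               for w in K.facts for phi in universe)

def formula_universe(atoms, principals, depth=2):
    """Atoms plus says-formulas nested up to the given depth (constructed universe)."""
    layer, universe = set(atoms), set(atoms)
    for _ in range(depth):
        layer = {says(p, phi) for p in principals for phi in layer}
        universe |= layer
    return universe

def countermodel_witnesses(facts, omega, universe):
    """Slide 48 generalized: for each candidate relation <=_p over the worlds,
    list the formulas on which the Kripke and belief readings disagree.
    Returns {relation: witnesses}; an empty list would mean a matching Kripke
    structure exists."""
    worlds = list(facts)
    p = next(iter({q for (_, q) in omega}))
    pairs = [(a, b) for a in worlds for b in worlds]
    result = {}
    for n in range(len(pairs) + 1):
        for rel in combinations(pairs, n):
            K = KripkeStructure(facts, {p: rel})
            result[frozenset(rel)] = [phi for w in worlds for phi in universe
                                      if K.holds(w, phi) != belief_holds(facts, omega, w, phi)]
    return result

# Constructed Kripke structure: X holds only at w1; p sees only the current
# world, q at w1 considers w2 possible.
K_EX = KripkeStructure(
    facts={"w1": {"X"}, "w2": set()},
    access={"p": {("w1", "w1"), ("w2", "w2")}, "q": {("w1", "w2"), ("w2", "w2")}},
)
UNIVERSE = formula_universe(["X", FALSE], ["p", "q"])

# Constructed belief structure from slide 48: X fails at w, yet p believes X.
CM_FACTS = {"w": set()}
CM_OMEGA = {("w", "p"): frozenset({"X"})}
CM_UNIVERSE = {says("p", "X"), says("p", FALSE)}

if __name__ == "__main__":
    omega = kripke_to_belief(K_EX, UNIVERSE)
    print("transformed belief structure equivalent to K_EX:", equivalent(K_EX, omega, UNIVERSE))
    for rel, witnesses in countermodel_witnesses(CM_FACTS, CM_OMEGA, CM_UNIVERSE).items():
        print("<=_p =", set(rel) or "{}", "disagrees on", witnesses)
```

The transformation direction succeeds by construction: every says-formula in the universe is in a worldview exactly when it holds in K. The countermodel search finds a disagreeing formula for both candidate relations, `p says false` for the empty relation and `p says X` for the reflexive one, which is the case analysis on this slide.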