Belief Semantics of Authorization Logic
Andrew Hirsch and Michael Clarkson
George Washington University / Cornell University
DCAPS, January 24, 2014
Clarkson: Belief Semantics of Authorization Logic
Formal Reasoning about Authorization
Standard policies: DAC, MAC, …
Formula-based policies: determine the access decision on the basis of whether stated properties hold
• specify why access should be permitted
• useful in distributed systems
[Figure: a DAC access-control matrix (subjects subj1–subj3 against objects obj1–obj3 with r/w entries) and a MAC lattice Unclassified < Confidential < Secret < Top Secret with “no read up, no write down”]
Credentials-based Authorization
a.k.a. claims-based authorization and proof-carrying authorization
• Credential: a claim or belief about the world, expressed as a formula φ, ψ, … of an authorization logic
• Goal formula: must be satisfied to grant a request
• Guard: uses logical inference to derive the goal formula from the credentials
• this work: increase trustworthiness of reasoning in authorization logic
[Abadi, Burrows, Lampson & Plotkin 1991; Bauer, Schneider & Felten 2003; Schneider 2013]
Increased Trustworthiness
[Hirsch and Clarkson, CCS 2013]
New belief semantics for authorization logic
• purpose of a semantics: interpret formulas in a model of the real world
• standard Kripke semantics: requires technical machinery not related to the real world
• belief semantics: a way to interpret formulas in a straightforward, systems-oriented model; belief subsumes Kripke
Sound proof system for both semantics
• proof system “has no bugs”
• found unsoundness in an existing logic
Machine-checked proof of soundness
• proof that “proof system ‘has no bugs’” itself has no bugs
FOCAL
• First-Order: quantifiers ∀ ∃; functions, relations
• Constructive: connectives ∧ ∨ ⇒ ¬
• Authorization Logic: attribution of beliefs (says); delegation (speaksfor)
FOCAL = NAL −− [Schneider, Walsh & Sirer 2011] (NAL with some features removed) = CDD ++ [Abadi 2007] (CDD with features added)
this talk ignores the FOC fragment
Authorization Logic (Review)
Two distinguishing features:
1. Attribute beliefs to principals: p says φ
• source matters: p says φ and q says φ aren’t the same
• not all-seeing: φ holds doesn’t mean p says φ
• not infallible: maybe p says φ but φ doesn’t hold
(illustration: a principal says “winter is coming”)
Authorization Logic (Review)
Two distinguishing features:
1. Attribute beliefs to principals: p says φ
How do principals form beliefs?
• start with initial beliefs
• add to beliefs by querying the state of the system and by receiving credentials from other principals
• infer new beliefs by logical inference from existing beliefs
Worldview: snapshot of a principal’s beliefs
[Schneider, Walsh & Sirer 2011]
Authorization Logic (Review)
Two distinguishing features:
2. Enable delegation between principals: p speaksfor q
…if p says something, it’s as if q says it, too
worldview(p) ⊆ worldview(q)
(illustration: the king delegates to the envoy; restricted delegation, e.g. speaksfor on {treaties}, limits what the delegation covers)
Authorization Logic (Review)
Goal formula: King says OpenChest
Credentials:
• King says Envoy speaksfor King
• Envoy says OpenChest
Reasoning:
• from the first credential, by hand-off: Envoy speaksfor King
• from that delegation and the second credential: King says OpenChest
• therefore the goal formula is satisfied and the chest is opened
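The King/Envoy derivation above, run by a toy guard. This is an added example, not code from the paper or the talk: it forward-chains four says/speaksfor rules (hand-off, speaksfor elimination, speaksfor transitivity, and the collapsing direction of says transparency) over nested-tuple formulas constructed here, and grants access only if the goal formula appears in the closure. The tuple encoding, the rule names and the sample credentials are this example's own choices; it ignores FOCAL's first-order and constructive connectives and NAL's restricted delegation.

```python
"""Added example: a toy credentials-based guard for the says/speaksfor
fragment of an authorization logic. Not code from the paper or talk.

Formulas are nested tuples (an encoding chosen for this example):
  ("atom", "OpenChest")            an uninterpreted proposition
  ("says", "King", F)              principal King says F
  ("speaksfor", "Envoy", "King")   Envoy speaks for King
"""
from itertools import product


def atom(name):
    return ("atom", name)


def says(p, f):
    return ("says", p, f)


def speaksfor(p, q):
    return ("speaksfor", p, q)


def step(known):
    """One round of rule application over the formulas already derived.
    Yields (conclusion, rule name, premises) triples; the caller drops
    conclusions that are already known."""
    said = [f for f in known if f[0] == "says"]
    delegations = [f for f in known if f[0] == "speaksfor"]
    # Hand-off: q says (p speaksfor q)  ==>  p speaksfor q.
    # Only the delegator q's own statement counts; p cannot promote itself.
    for s in said:
        _, q, body = s
        if body[0] == "speaksfor" and body[2] == q:
            yield speaksfor(body[1], q), "hand-off", (s,)
    # Speaksfor elimination: p speaksfor q, p says f  ==>  q says f.
    for d, s in product(delegations, said):
        if d[1] == s[1]:
            yield says(d[2], s[2]), "speaksfor-elim", (d, s)
    # Speaksfor transitivity: p speaksfor q, q speaksfor r  ==>  p speaksfor r.
    for d1, d2 in product(delegations, delegations):
        if d1[2] == d2[1] and d1[1] != d2[2]:
            yield speaksfor(d1[1], d2[2]), "speaksfor-trans", (d1, d2)
    # Says transparency, collapsing direction: p says (p says f) ==> p says f.
    for s in said:
        _, p, body = s
        if body[0] == "says" and body[1] == p:
            yield says(p, body[2]), "says-collapse", (s,)


def derive(credentials, goal):
    """Forward-chain until the goal appears or nothing new can be derived.
    Returns the derivation as a list of (formula, rule, premises) steps, or
    None. Every conclusion is built from principals and sub-formulas that
    already occur in the credentials, so the closure is finite and the
    loop terminates."""
    known = set(credentials)
    trace = [(c, "credential", ()) for c in credentials]
    while goal not in known:
        new = {}
        for c, r, ps in step(known):
            if c not in known and c not in new:
                new[c] = (r, ps)
        if not new:
            return None
        for c, (r, ps) in new.items():
            known.add(c)
            trace.append((c, r, ps))
    return trace


def guard(credentials, goal):
    """Access decision: grant iff the goal formula is derivable."""
    return derive(credentials, goal) is not None


if __name__ == "__main__":
    # Constructed credentials from the King/Envoy example.
    creds = [says("King", speaksfor("Envoy", "King")),
             says("Envoy", atom("OpenChest"))]
    goal = says("King", atom("OpenChest"))
    for formula, rule, _ in derive(creds, goal):
        print(f"{rule:15} {formula}")
    print("open chest:", guard(creds, goal))
```

The hand-off rule fires only when the delegator itself says the speaksfor formula: a credential `Envoy says (Envoy speaksfor King)` derives nothing, which is exactly the check a guard needs so that a principal cannot grant itself authority. The derivation trace returned by `derive` is the proof a proof-carrying-authorization checker would verify independently of the search that found it.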
Trustworthiness of Reasoning
Q: How do we know reasoning is right?
A: Formal proof system: mechanical reasoning (⊢ ψ)
Q: How do we know the proof system is right?
A: Proof of soundness: the system is consistent with some model of reality
Q: How do we get that model?
A: Need a semantics: how to interpret formulas (⊨ ψ) …the more natural the model, the better.
Our new belief semantics…
Belief Semantics
Use possible worlds to model system state
Two possible worlds, differing in one fact:
• world 1 facts: It’s cold in DC; x = 42; TCP port 443 is open.
• world 2 facts: It’s cold in DC; x = 43; TCP port 443 is open.
Belief Semantics
Each principal p has its own worldview ω(w,p) at world w
ω(w, princess), ω(w, envoy), ω(w, king)
[Konolige 1983; Burrows, Abadi & Needham 1988; Appel & Felten 1999; Schneider, Walsh & Sirer 2011]
Why include w as a parameter to ω? …so that beliefs can depend on system state
φ ∈ ω(w,p) means: at world w, p believes φ
Belief Semantics
Belief model B: worldviews ω, plus
• …machinery for first-order logic
• …machinery for constructive logic
Worldviews must be closed under logical consequence …principals believe all consequences of their beliefs
validity judgment: B,w ⊨ ψ
Belief Semantics
B,w ⊨ p says φ iff φ ∈ ω(w,p)
(simplified to avoid the machinery of constructive FOL)
Belief Semantics
B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q)
(i.e. worldview(p) ⊆ worldview(q): whatever p believes, q believes)
(simplified to avoid the machinery of constructive FOL)
Other Semantics for Authorization Logic?
Usual semantics is based on Kripke semantics of modal logic
…because says is like the modal necessity operator □
[Abadi, Burrows, Lampson & Plotkin 1991; Howell 2000; Garg & Abadi 2008; Garg 2008; Genovese, Garg & Rispoli 2012]
Kripke Semantics (Review)
K,w ⊨ p says φ iff for all worlds w’ such that w ≤p w’ : K,w’ ⊨ φ
≤p (accessibility relation): w ≤p w’ means: given the information in world w, p considers world w’ possible
Belief Semantics vs. Kripke Semantics
belief semantics: B,w ⊨ p says φ iff φ ∈ ω(w,p)
Kripke semantics: K,w ⊨ p says φ iff for all w’ : w ≤p w’ implies K,w’ ⊨ φ
Belief semantics directly captures the intuition about sets of beliefs…
Kripke semantics doesn’t; it indirects through accessibility relations
Belief Semantics vs. Kripke Semantics
belief semantics: B,w ⊨ p speaksfor q iff ω(w,p) ⊆ ω(w,q)
Kripke semantics: K,w ⊨ p speaksfor q iff ≤p ⊇ ≤q
Again, belief semantics directly captures the intuition about sets of beliefs
Just an issue of style? …belief semantics more faithfully model reality
Belief Semantics vs. Kripke Semantics
Which is more expressive?
Theorem. Every Kripke structure K can be transformed into an equivalent belief structure B.
Proof idea: at each world, form the set of all formulas said by a principal in K; make that the principal’s worldview in B.
Theorem. There exist belief structures that cannot be transformed into equivalent Kripke structures.
(diagram: Kripke structures form a proper subset of belief structures)
…so belief semantics subsume Kripke semantics
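The two semantics side by side, as an added example that is not code from the paper or the talk. It uses the finite, propositional, classical simplification the slides themselves adopt: `belief_sat` and `kripke_sat` implement the says/speaksfor clauses above; `kripke_to_belief` is the construction from the first theorem, restricted to a caller-supplied finite language; `equivalent_kripke` brute-forces every accessibility relation over a belief structure's worlds, which is how the countermodel in the extra slides (X false at the only world, yet ω(w,p) = {X}) witnesses the second theorem; `handoff_ok` checks the belief hand-off healthiness condition. The tuple encoding, the function names and the sample structures K1, B1 and B2 are this example's own.

```python
"""Added example: belief semantics vs. Kripke semantics for the
says/speaksfor fragment, on a finite propositional classical simplification.
Not code from the paper or the talk.

Formulas (tuple encoding chosen here): "X" atom; ("false",); ("imp", f, g);
("says", p, f); ("speaksfor", p, q).
Belief structure: (facts, worldview) with facts[w] the atoms true at world w
and worldview[(w, p)] the formulas p believes at w.
Kripke structure: (facts, acc) with acc[p] the set of pairs (w, w'), w <=_p w'.
"""
from itertools import combinations, product


def belief_sat(B, w, f):
    """B,w |= f under belief semantics."""
    facts, wv = B
    if isinstance(f, str):
        return f in facts[w]
    tag = f[0]
    if tag == "false":
        return False
    if tag == "imp":
        return (not belief_sat(B, w, f[1])) or belief_sat(B, w, f[2])
    if tag == "says":                       # f is in omega(w, p)
        return f[2] in wv[(w, f[1])]
    if tag == "speaksfor":                  # omega(w, p) subset of omega(w, q)
        return wv[(w, f[1])] <= wv[(w, f[2])]
    raise ValueError(f)


def kripke_sat(K, w, f):
    """K,w |= f under Kripke semantics."""
    facts, acc = K
    if isinstance(f, str):
        return f in facts[w]
    tag = f[0]
    if tag == "false":
        return False
    if tag == "imp":
        return (not kripke_sat(K, w, f[1])) or kripke_sat(K, w, f[2])
    if tag == "says":                       # every p-accessible world satisfies f
        return all(kripke_sat(K, v, f[2]) for (u, v) in acc[f[1]] if u == w)
    if tag == "speaksfor":                  # <=_p is a superset of <=_q
        return acc[f[1]] >= acc[f[2]]
    raise ValueError(f)


def kripke_to_belief(K, principals, language):
    """Kripke -> belief: at each world a principal's worldview is the set of
    formulas it says in K (restricted here to the finite `language`)."""
    facts, _ = K
    wv = {(w, p): {f for f in language if kripke_sat(K, w, ("says", p, f))}
          for w in facts for p in principals}
    return (facts, wv)


def agree(B, K, language):
    """Both structures validate the same formulas of `language` at every world."""
    return all(belief_sat(B, w, f) == kripke_sat(K, w, f)
               for w in B[0] for f in language)


def equivalent_kripke(B, principals, language):
    """Try every accessibility relation per principal over B's worlds and
    return an agreeing Kripke structure, or None if there is none."""
    facts, _ = B
    pairs = [(u, v) for u in facts for v in facts]
    relations = [frozenset(r) for k in range(len(pairs) + 1)
                 for r in combinations(pairs, k)]
    for choice in product(relations, repeat=len(principals)):
        K = (facts, dict(zip(principals, choice)))
        if agree(B, K, language):
            return K
    return None


def handoff_ok(B, principals):
    """Belief hand-off healthiness condition:
    q says (p speaksfor q) must imply p speaksfor q at every world."""
    facts, wv = B
    return all(("speaksfor", p, q) not in wv[(w, q)] or wv[(w, p)] <= wv[(w, q)]
               for w in facts for p in principals for q in principals)


# Constructed sample structures.
BASE = ["X", ("false",), ("imp", "X", "X"), ("imp", "X", ("false",))]
LANG = BASE + [("says", p, f) for p in "pq" for f in BASE] \
            + [("speaksfor", "p", "q"), ("speaksfor", "q", "p")]
# K1: two worlds; p only considers the current world possible, q considers both.
K1 = ({"w0": {"X"}, "w1": set()},
      {"p": {("w0", "w0"), ("w1", "w1")},
       "q": {("w0", "w0"), ("w0", "w1"), ("w1", "w0"), ("w1", "w1")}})
B1 = kripke_to_belief(K1, ["p", "q"], BASE)
# B2: the countermodel slide. X is false at the only world, yet p believes X.
B2 = ({"w0": set()}, {("w0", "p"): {"X"}})
LANG2 = ["X", ("false",), ("says", "p", "X"), ("says", "p", ("false",))]

if __name__ == "__main__":
    print("K1 and its belief image agree:", agree(B1, K1, LANG))
    print("Kripke structure equivalent to B2:", equivalent_kripke(B2, ["p"], LANG2))
```

For B2 the search tries both relations on the single world: the empty one makes p say false under Kripke semantics although false is not in ω(w,p), and the reflexive one makes p says X fail although X is in ω(w,p), so `equivalent_kripke` returns None. K1 was chosen so that the two readings of speaksfor coincide; in general that needs the WSF condition from the extra slides.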
FOCAL Proof System
Proof theory: calculate with formulas
Γ ⊢ φ (derivability judgment)
as opposed to…
Model theory: interpret the meaning of formulas
B,w ⊨ φ (validity judgment)
FOCAL Proof System
1. Natural deduction proof system with localized hypotheses
2. The rules themselves are well known, but this seems to be a mildly novel combination
Soundness
Theorem. If φ is derivable from Γ, then φ is valid in any belief model of Γ.
Theorem. If φ is derivable from Γ, then φ is valid in any Kripke model of Γ.
Proof. Mechanized in Coq (about 2,400 LoC).
First mechanized proof of soundness for authorization logic!
…increases trustworthiness of the logic
Soundness
Nexus Authorization Logic (NAL) [Schneider, Walsh & Sirer 2011]
• has a formal proof system
• has an informal semantics (worldviews, the main inspiration for FOCAL)
Fact: the NAL proof system permits derivation of a formula that is invalid in our formal belief semantics and was not intended to be valid by NAL’s designers
…NAL is unsound (but easily fixed)
Formal semantics and proofs of soundness yield a more trustworthy logic!
Related Work
CDD [Abadi 2007], NAL [Schneider, Walsh & Sirer 2011], ICL [Garg & Abadi 2008], DTL0 [Garg 2008], BLsf [Genovese, Garg & Rispoli 2012], unnamed logics [Garg & Pfenning 2006] [Howell 2000]
Many other logics and systems: Taos, PCA, SPKI/SDSI, Delegation Logic, Cassandra, PolicyMaker, Referee, KeyNote, SD3, Binder, Soutei, SecPAL, DKAL, Alpaca, WS-Policy, Grey, …
FOCAL builds on many of these, and makes new contributions…
Summary
• FOCAL: first-order constructive authorization logic
• First formal belief semantics for authorization logic
• Transformation from Kripke semantics to belief semantics: belief subsumes Kripke
• Sound proof system for both semantics; found unsoundness in an existing logic
• First machine-checked proof of soundness for authorization logic
…increased trustworthiness of authorization logic
Future Work
• Completeness
• Verified theorem checker
• Semantics of group principals
Extra Slides
Completeness of FOCAL?
Starting points to get a completeness result:
• ICL [Garg & Abadi 2008]: uses a different (lax logic) semantics of says
• DTL0 [Garg 2008]: doesn’t have speaksfor
• BLsf [Genovese, Garg & Rispoli 2012]: uses a different (strong) semantics of speaksfor
Weak Speaksfor
Weak speaksfor: p speaksfor q iff for all φ : p says φ ⇒ q says φ
Kripke semantics of speaksfor are stronger [Howell 2000] (principals speak for one another less often)
The WSF condition in our paper is ugly but needed to make the Kripke semantics behave
Might eliminate WSF by introducing some second-order model theory
FOCAL vs. NAL
FOCAL = NAL − 2nd-order quantification − restricted delegation − subprincipals − group principals + primitive speaksfor
(slide annotations on the removed features: “simplicity”, “open!”)
NAL: Schneider, Walsh & Sirer 2011
FOCAL vs. CDD
FOCAL = CDD − 2nd-order quantification + primitive speaksfor + 1st-order quantification & terms
CDD: Abadi 2007
Belief vs. Knowledge
FOCAL (et al.) is a logic of belief: principals who issue credentials are expressing a belief about the state of the system
• they might be wrong
• they might be malicious
A logic of knowledge would impose the axiom: (p says φ) ⇒ φ
Healthiness Conditions (Belief)
• Worldview closure: principals believe all consequences of their beliefs
• Says transparency: any number of nested says is equivalent to just one says
• Belief hand-off: ensure validity of hand-off: (q says (p speaksfor q)) ⇒ (p speaksfor q)
Healthiness Conditions (Kripke)
• IT: principal accessibility relations are “intuitionistically” transitive
• ID: principal accessibility relations are “intuitionistically” dense
• F2: technical condition from the constructive modal logic literature, needed to achieve soundness
• H: ensure validity of hand-off
• WSF: weak speaksfor, to get equivalence with belief semantics
Countermodel for Belief → Kripke
Belief structure: a single world w at which X does not hold, with ω(w,p) = {X}
so B,w ⊨ p says X
What can ≤p be?
• If empty, then p says false holds in the Kripke structure, but false isn’t in ω(w,p)
• If w ≤p w, then K,w ⊭ p says X, but X is in ω(w,p)
Either way, the Kripke semantics is not equivalent to the belief semantics