
Type Based Distributed Access Control

Type Based Distributed Access Control. Tom Chothia, École Polytechnique. Joint work with Dominic Duggan (Stevens) and Jan Vitek (Purdue). Motivation: our aim is to use types to place conditions on how data may be distributed.


Presentation Transcript


  1. Type Based Distributed Access Control Tom Chothia, École Polytechnique. Joint work with Dominic Duggan (Stevens) and Jan Vitek (Purdue)


  7. Motivation • Our aim is to use types to place conditions on how data may be distributed. • Consider a computer with public and private data:

  8. Talk outline • Review: Decentralized Label Model (DLM) • Local Access Control • Key Based Decentralized Label Model (KDLM) • Distributed Access Control and Cryptography • The Jeddak Language • Conclusions


  11. Local Access Control • Local Access Control restricts access to data. • Any read or write attempts are dynamically checked. • There are no restrictions on authorized copies of data.


  15. High and Low security types. No read up. No write down. A total order, even a lattice. (Diagram: the lattice of types for information flow, with high above low.)

  16. Secrecy is dual to integrity. Declassification? (Diagram: types for information flow, high and low.)

  17. Types for Information Flow • x : int high; y : int low; • Can do: x = x + 2; x = y + 2; if x > y then x = y; • Can't do: y = x; if x > y then y = 0; if guess = pwd then reject;
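The checks behind slide 17, as an added example rather than code from the talk: a small checker for the two-point high/low lattice that tracks the label of the control context (pc) so that the implicit flows in the "can't do" list are caught, not only the direct assignment y = x. The tuple AST and the names ALLOWED and REJECTED are this example's own.

```python
"""Information-flow checker for the two-point lattice of slide 17 (added example,
not code from the talk). Statements are tuples: ('assign', var, expr) or
('if', cond, body); expressions are ints, variable names, or (op, lhs, rhs)."""
LOW, HIGH = 0, 1          # low is below high; the join of two labels is max

def join(a, b):
    return max(a, b)

def label_of(expr, env):
    """Label of an expression: the join of the labels of the variables it reads."""
    if isinstance(expr, int):
        return LOW                          # constants are public
    if isinstance(expr, str):
        return env[expr]
    _op, lhs, rhs = expr
    return join(label_of(lhs, env), label_of(rhs, env))

def check(stmts, env, pc=LOW):
    """Return the list of violations in stmts. pc is the label of the control
    context: a branch on a high condition makes every assignment inside it high,
    which is what rejects 'if x > y then y = 0' and the password test."""
    errors = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, var, expr = stmt
            if join(pc, label_of(expr, env)) > env[var]:
                errors.append(f"{var} := {expr!r} under pc={pc}: high data flows to low")
        elif stmt[0] == "if":
            _, cond, body = stmt
            errors += check(body, env, join(pc, label_of(cond, env)))
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return errors

# The slide's own programs, with x high and y low (constructed test data).
ENV = {"x": HIGH, "y": LOW}
ALLOWED = [("assign", "x", ("+", "x", 2)),
           ("assign", "x", ("+", "y", 2)),
           ("if", (">", "x", "y"), [("assign", "x", "y")])]
REJECTED = [("assign", "y", "x"),
            ("if", (">", "x", "y"), [("assign", "y", 0)])]
```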

  18. JIF and the Decentralized Label Model (DLM) • Program variable x • Has data type int • Has a label with policies • Bob : {bob, jane, mike} • Mary : {bob, jane, mary} • Is accessible by bob and jane (the intersection of the policies) • Access control is checked by type checking

  19. DLM: the bottom half of the lattice. No one has an automatic right to read your data. (Diagram: DLM types for information flow, with principals Alice, Eve and Bob.)


  26. Declassification in the DLM • Data has type {L1, L2, L3} int • L1 = bob : { bob, jane } • L2 = mary : { bob, jane, mary } • L3 = jane : { jane, tim } • Only Jane can access the data • L3 → jane : { jane, tim, bob } • Now Jane and Bob can access the data (Diagram: principals Jane, Bob, Mary and Tim.)
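The reader-set and declassification reasoning of slides 18 to 26, as an added example (not the talk's or JIF's code). A label is modelled as a map from owner to reader set; the static relabeling check `may_flow` and the simplification that only the policy's owner itself (no acts-for hierarchy) may declassify are this example's assumptions.

```python
"""DLM labels as owner -> readers maps (added example, not from the talk)."""

def effective_readers(label):
    """Slide 18: a principal may read only if every policy in the label allows it,
    so the readers are the intersection of all reader sets (None = no policies)."""
    rs = None
    for _owner, rd in label.items():
        rs = set(rd) if rs is None else rs & set(rd)
    return rs

def can_read(principal, label):
    rs = effective_readers(label)
    return rs is None or principal in rs

def declassify(label, acting_for, owner, new_readers):
    """Slides 25 and 26: a policy may be relaxed only by its owner. The DLM's
    acts-for hierarchy is simplified here (assumption) to acting_for == owner."""
    if owner not in label:
        raise KeyError(f"no policy owned by {owner}")
    if acting_for != owner:
        raise PermissionError(f"{acting_for} cannot declassify {owner}'s policy")
    relaxed = dict(label)
    relaxed[owner] = frozenset(new_readers)
    return relaxed

def may_flow(src, dst):
    """Slide 29's static check on a copy: data may move from label src to label
    dst only if dst is at least as restrictive, i.e. every policy of src is
    still present in dst with a reader set that is no larger."""
    return all(o in dst and set(dst[o]) <= set(r) for o, r in src.items())

# The slide's example label (constructed test data).
SLIDE_LABEL = {"bob": {"bob", "jane"},
               "mary": {"bob", "jane", "mary"},
               "jane": {"jane", "tim"}}
```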


  31. DLM • Data is protected by its type. • Each attempt to copy data is statically checked at compile time. • Copies of data have the same type and hence the same protection. • Data sent outside the type checked area is no longer protected.


  35. Minimize the Trusted Computing Base (Diagram comparing the DLM and the KDLM: application, protocol and network layers, with communication and communication security marked.)

  36. KDLM: Connecting Keys and Access Restrictions • Key names have policies (ACLs) • K has policy: Joe : {Jane, Mike, Sam} • Public-private key pair for key name • Private key protected by access restrictions • Labels are sets of key names • Access restricted to intersection of policies (ACLs)

  37. Keys, Labels and Certificates • Key & Policy: K : Key[ bob : {mary, sam, bob} ] • Label: {K1, K2, …, Kn} • Labeled Type: T{K1, …, Kn}, {K1', …, Km'} • Declassification Cert Types: K1 declassifies K2 (K1 → K2)


  43. KDLM • As with the DLM data is protected by its type. • But the data can also be protected by encryption. • Encryption protects data leaving the trusted area. • Keys are protected in the same way as data.

  44. Labeled Keys • K : Key ( P : {P1, …, Pk} ) (key name K, owned by P, readable by P1 … Pk) • a+ : [ EncKey ( K ) ] (the public encryption key) • a- : [ DecKey ( K ) ] L (the private decryption key, itself carrying a label L) • Key names exist at the type level.
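How slides 36, 37 and 44 fit together, as an added toy model (not the talk's or Jeddak's code): key names carry policies, a label is a set of key names, and the private key is itself restricted data. Two rules are this example's assumptions about the KDLM rather than statements from the slides: encrypting under K drops K from the value's label, and only a value with an empty label may leave the trusted area.

```python
"""Toy KDLM model (added example). Assumed: encrypting under K removes K from a
value's label; only label-free values may leave the trusted area."""
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyName:            # K : Key(P : {P1, ..., Pk}): name, owner P, readers
    name: str
    owner: str
    readers: frozenset

@dataclass(frozen=True)
class Labeled:            # a value of type T{K1, ..., Kn}
    value: object
    label: frozenset      # set of KeyName

def readers(label):
    """Slide 36: access is the intersection of the key names' policies (None = public)."""
    rs = None
    for k in label:
        rs = set(k.readers) if rs is None else rs & k.readers
    return rs

def can_read(principal, boxed):
    rs = readers(boxed.label)
    return rs is None or principal in rs

def dec_key(principal, k):
    """a- : [DecKey(K)] L: the private key is restricted like data labeled {K},
    so handing it out is checked against K's policy."""
    if principal not in k.readers:
        raise PermissionError(f"{principal} may not hold DecKey({k.name})")
    return ("DecKey", k.name)

def encrypt(boxed, k):
    """a+ : [EncKey(K)] is public. The ciphertext is now protected by K instead of
    by the type, so K is dropped from its label (assumption, see lead-in)."""
    if k not in boxed.label:
        raise ValueError(f"{k.name} is not part of the value's label")
    return Labeled(("enc", k.name, boxed.value), boxed.label - {k})

def send_outside(boxed):
    """Slides 31 and 42: data leaving the type-checked area must carry no label."""
    if boxed.label:
        raise PermissionError("labeled data may not leave the trusted area in the clear")
    return boxed.value

def decrypt(cipher, dk):
    tag, kname, plain = cipher
    if tag != "enc" or dk != ("DecKey", kname):
        raise ValueError("wrong key for this ciphertext")
    return plain
```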

  45-50. KDLM (Diagram sequence: Alice and Bob each hold key name K with policy K : A, B; K passes between them, and on slide 50 Eve appears on the network.)
