1 / 21

Applications of Logic in Computer Security

Applications of Logic in Computer Security. Jonathan Millen SRI International. Areas of Application. Multilevel Operating System Security “Orange Book,” Commercial Trusted Product Evaluation, A1-level Emphasis on secrecy, security/clearance levels Access Control Policies

Ava
Download Presentation

Applications of Logic in Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applications of Logic in Computer Security Jonathan Millen SRI International

  2. Areas of Application • Multilevel Operating System Security • “Orange Book,” Commercial Trusted Product Evaluation, A1-level • Emphasis on secrecy, security/clearance levels • Access Control Policies • Discretionary or role-based policies • Emphasis on application-specific policies, integrity • Public-Key Infrastructure and Trust Management • Network and distributed system security • Digitally signed certificates for identity and privileges • Cryptographic Authentication Protocols • For network communication confidentiality and authentication • Other areas: databases, firewalls/routers, intrusion detection Computer Security Network Security

  3. Contributions of Logic • Undecidability Results • Safety problem for discretionary access control • Cryptographic protocol analysis • Theorem Proving Environments • Verifying correctness of formal OS specifications • Inductive proofs of cryptographic protocols • Logic Programming • Prolog programs for cryptographic protocol analysis, trust management • Model Checking • For cryptographic protocol analysis • Specialized Logics • For cryptographic protocol analysis, trust management

  4. Multilevel Operating System Security • Motivated by protection of classified information in shared systems • High-assurance (A1) systems may protect Secret data from uncleared users • Architecture: trusted OS kernel, hardware support • Abstract system model of access control: Bell-LaPadula (ca. 1975) • Structured state-transition system: subject-object access matrix, levels • Security invariants and transition rules (for OS functions) • “Formal Top-Level Specification” (FTLS) • More detailed state-transition system • Formal Proofs: • Model transitions satisfy invariants • FTLS is an interpretation of the system model • Carried out in environments like Gypsy, FDM, HDM • Some FTLS errors reflected in code were discovered • Of Historical Interest

  5. Access Control Policies • Safety Problem • Subject-object-rights matrix • “rights” were arbitrary, representing different kinds of access • Operations: create/delete subjects, objects; enter/remove rights • System of conditional rules to apply operations • Harrison-Ruzzo-Ullman Undecidability Result • Whether S can ever receive right r to object O • Comm. ACM 19(8), 1976 • Decidable if number of subjects is bounded • Historical Impact • Led to interest in efficiently decidable systems • Take-Grant, DAC, RBAC Oj Si r

  6. Public-Key Certificates • Based on asymmetric encryption • Key pair KA, KA-1: one made public, one kept secret • Text block encrypted with KA can be decrypted only with KA-1 . • Impractical to compute secret key from public key • Digital signature • Text string T • Apply one-way (hash) function • Encrypt with secret key • Verify by decrypting with signer’s public key, compare hash result • Public Key Certificate • Binds name to public key, signed by trusted party • Logical Equivalent • “A says (KB is the public key of B)” • … provided that KA is the public key of A T  h(T)  [h(T)]KA-1 B,KB,[h(B,KB)]KA-1

  7. Logic of Distributed Authentication • Origination: • “Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992 • Theory of says and speaks for ( relation) • (A  B)  ((A says s)  (B says s)) (P8) • (A says (B  A))  (B  A) (P10) • Application to distributed systems • A and B are principals: users or keys (can say something) • A says s means: A authorizes command (operation, access) s • A  B means: B delegates authority to A • Certificate T,[T] KA-1 means KAsays T • Public key certificate means KA A • Credentials sent from one network node to another to authorize resources • Implemented in Taos operating system “credentials”

  8. Trust Management • Policymaker • “Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy • Identified trust management as a distinct problem • Purpose: to define and implement policy using credentials to process queries • Delegation Logic • “A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop • Language to express policies • Primitives include says, delegates (speaks for with object) • Access permission is decidable • Logic program implementation (in Datalog)

  9. Cryptographic Protocols • Cryptographic protocol • an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material. • Applications • military communications, business communications, electronic commerce, privacy • Examples • Kerberos: MIT protocol for unitary login to network services • SSL (Secure Socket Layer, used in Web browsers) • IPSec: standard suite of Internet protocols due to the IETF • SET (Secure Electronic Transaction) protocol • PGP (Pretty Good Privacy)

  10. A Popular Example • The Needham-Schroeder public-key handshake • R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978 • A  B: {A, Na}Kb • B  A: {Na, Nb}Ka • A  B: {Nb}Kb • Purpose: mutual authentication of A and B, sharing secrets Na, Nb • This is an “Alice-and-Bob” protocol specification • Na and Nb are nonces (used once) • Ka is the public key of A • The protocol is vulnerable...

  11. The Attack A (normal) M (false) B (thinks he’s talking to A, Nb is compromised) {A,Na}Km {A,Na}Kb {Na,Nb}Ka {Na,Nb}Ka {Nb}Km {Nb}Kb Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR” TACAS 1996, LNCS 1055 A malicious party M can forge addresses, deviate from protocol

  12. Undecidable in General • Reduction of Post correspondence problem • Word pairs ui, vi for 1  i < n • Does there exist ui1...uik = vi1...vik? • Construction • Protocol with one role (or one per i) • Compromises secret if solution exists • Attacker cannot forge release message • because of encryption • Observations • Messages are unbounded • Construction suggested by Heintze & Tygar, 1994 • First undecidability proof by Even & Goldreich, 1983 • 1999 proof by Durgin, et al shows nonces are enough send {,}K receive {X,Y}K if X = Y , send secret else choose i, send {Xui,Yvi}K

  13. Analysis Approaches • Model checking • State-space search for attacks • Inductive proof • Using verification tools or by hand • Can prove protocols correct (for abstract encryption) • Belief-logic proofs • BAN logic and successors • For authentication properties

  14. Linear Logic Model • Linear Logic • Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987 • Constructive, used to model state-transition systems • Application to cryptographic protocols • Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop • Model-checking with linear-logic symbolic search tool LLF (LICS ‘96) • State-transition rules • F1, …, Fkx1, …, xm. G1, …, Gn • State is a multiset of “facts” Fi, predicates over terms • Rule matches facts on left side with variable substitution • Variables xi are instantiated with new symbols (like nonce!) • Left-side facts are replaced by right-side facts in multiset

  15. The MSR Model • Implementation of linear logic model • Special term and fact types for cryptographic protocols • Symbols for principals, keys, and nonces • Terms for encryption and concatenation • Facts for protocol process state, messages • Multiset holds current states of many concurrent protocol sessions • Example: A sends message A,{A}K (to B) with new K • A0(A,B)  (K) A1(A,B,K),M({A}K) • Attacker rules eavesdrop, construct false messages, e.g., • M({A}K),M(K)  M({A}K),M(K),M(A) • Attacker model is standardized • MSR model applied as intermediate language • CAPSL  MSR  analysis tools (Millen, Denker 1999)

  16. Model Checking Tools • State-space search for reachability of insecure states • History: back to 1984, Interrogator program in Prolog • Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991 • Prolog programs were interactive • General-purpose model-checkers • Search automatically given initial conditions, bounds • Iterative bounded-depth search • Roscoe and Lowe used FDR (model-checker for CSP), 1995 • Mitchell, et al used Murphi, 1997 • Clarke, et al used SMV, 1998 • Denker, Meseguer, Talcott used Maude, 1998 • Successful at finding previously unknown vulnerabilities!

  17. Non-Repudiation Protocols • Different objectives and assumptions • Fairness objectives: contract signing, proofs of receipt, fair exchange • Applications to electronic commerce • Parties are mutually distrustful, network well-behaved, no intruder • Trusted third party to resolve detected breaches • Alternating Temporal Logic application • Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000 • Used model checker MOCHA • Example Objective • <<B,Com>> (NRO <<A>> NRR) • Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

  18. Inductive Proofs • State-transition model similar to model checking approaches • Application of general-purpose specification and verification tools • Influential Examples: • R. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM). • L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle) • Paulson’s approach inspired others • Bolignano (using Coq), Millen (using PVS)

  19. BAN Logic • Papers • Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990 • Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy • Approach • Modal logic of belief plus specialized predicates and inference rules • Protocol messages are “idealized” into logical statements • Objective is to prove that both parties share common beliefs • Idealization • A  B: {A, K, B}KBbecomes • B sees {good-key(A, K, B)}KB • Objective • Infer that B believes A saidgood-key(A, K, B) B | A |~ A  B K

  20. Inferences and Problems • Example • P believes fresh(X), P believes Q said X |- P believes Q believes X • Assumption • Protocol idealization must be consistent with beliefs about confidentiality • Problem • Observed by Nessett right away for digital signature example • Good key must not be given away accidentally (or on purpose) • Takes deep analysis to determine this • Needham-Schroeder Public Key protocol proved correct (!!??) • These logics are still used because: • They are efficiently decidable • They help to understand the protocol • They can be used manually

  21. Summary • Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design • Several unusual or specialized logical systems have application to computer security • Cryptographic protocol analysis is an active, fertile area for logic applications

More Related