A proof-carrying file system
2009
Cited by 10 (5 self)
This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that depend on both time and system state. We rigorously prove that enforcement using capabilities is correct, and evaluate the file system’s performance.
Automating access control logics in simple type theory with LEO-II
FB Informatik, U. des Saarlandes, 2008
Cited by 9 (8 self)
Garg and Abadi recently proved that prominent access control logics can be translated in a sound and complete way into modal logic S4. We have previously outlined how normal multimodal logics, including monomodal logics K and S4, can be embedded in simple type theory and we have demonstrated that the higher-order theorem prover LEO-II can automate reasoning in and about them. In this paper we combine these results and describe a sound (and complete) embedding of different access control logics in simple type theory. Employing this framework we show that the off-the-shelf theorem prover LEO-II can be applied to automate reasoning in and about prominent access control logics.
Proof search in an authorization logic
2009
Cited by 7 (4 self)
We consider the problem of proof search in an expressive authorization logic that contains a “says” modality and an ordering on principals. After a description of the proof system for the logic, we identify two fragments that admit complete goal-directed and saturating proof search strategies. A smaller fragment is then presented, which supports both goal-directed and saturating search, and has a sound and complete translation to first-order logic. We conclude with a brief description of our implementation of goal-directed search. This work was supported partially by the iCAST project sponsored by the National Science Council,
Security-Typed Programming within Dependently-Typed Programming
Cited by 6 (2 self)
Several recent security-typed programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensitive resource to be accompanied by a proof. The security-typed languages described in the literature, such as Aura and PCML5, have been presented as new, stand-alone language designs. In this paper, we instead show how to embed a security-typed programming language within an existing dependently typed programming language, Agda. This language-design strategy allows us to inherit both the metatheoretic results, such as type safety, and the implementation of the host language. Our embedding consists of the following ingredients: First, we represent the syntax and proofs of an authorization logic, Garg and Pfenning’s BL0, using dependent types. Second, we implement a proof search procedure, based on a focused sequent calculus, to ease the burden of constructing proofs. Third, we define an indexed monad of computations on behalf of a principal, with proof-carrying primitive operations. Our work shows that a dependently typed language can be used to prototype a security-typed language, and contributes to the growing body of literature on using dependently typed languages to construct domain-specific type systems.
Principal-Centric Reasoning in Constructive Authorization Logic
2008
Cited by 5 (2 self)
We present an authorization logic DTL0 that explicitly relativizes reasoning to beliefs of principals. The logic assumes that principals are conceited in their beliefs. We describe the natural deduction system, sequent calculus, Hilbert-style axiomatization, and Kripke semantics of the logic. We prove several meta-theoretic results including cut-elimination, and soundness and completeness for the Kripke semantics. We also present translations from several other authorization logics into DTL0, and describe formal connections between DTL0 and the modal logic constructive S4.
Logic in Access Control (Tutorial Notes)
Cited by 3 (0 self)
Access control is central to security in computer systems. Over the years, there have been many efforts to explain and to improve access control, sometimes with logical ideas and tools. This paper is a partial survey and discussion of the role of logic in access control. It considers logical foundations for access control and their applications, in particular in languages for security policies. It focuses on some specific logics and their properties. It is intended as a written counterpart to a tutorial given at the 2009 International School on Foundations of Security Analysis and Design.
A Calculus of Contracting Processes
Cited by 3 (0 self)
We propose a formal theory of contract-based computing. We model contracts as formulae in an intuitionistic logic extended with a “contractual” form of implication. Decidability holds for our logic: this allows us to mechanically infer the rights and the duties deriving from any set of contracts. We embed our logic in a core calculus of contracting processes, which combines features from concurrent constraints and calculi for multiparty sessions, while subsuming several idioms for concurrency.
Constraining Credential Usage in Logic-Based Access Control
Cited by 1 (0 self)
Authorization logics allow concise specification of flexible access-control policies, and are the basis for logic-based access-control systems. In such systems, resource owners issue credentials to specify policies, and the consequences of these policies are derived using logical inference rules. Proofs in authorization logics can serve as capabilities for gaining access to resources. Because a proof is derived from a set of credentials possibly issued by different parties, the issuer of a specific credential may not be aware of all the proofs that her credential may make possible. From this credential issuer’s standpoint, the policy expressed in her credential may thus have unexpected consequences. To solve this general problem, we propose a system in which credentials can specify constraints on how they are to be used. We show how to modularly extend well-studied authorization logics to support the specification and enforcement of such constraints. A novelty of our design is that we allow the constraints to be arbitrary well-behaved functions over authorization proofs. Since all the information about an access is contained in the proofs, this makes it possible to express many interesting constraints. We study the formal properties of such a system, and give examples of constraints.
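The proof-as-capability idea from the PCFS abstract above and the usage constraints described in this abstract, as an added Python example. This is not code from either paper: it uses a toy logic with only credentials and a single delegation rule (from "K says delegate(J, F)" and "J says F" conclude "K says F"), unsigned credentials, and made-up principals, paths and constraints chosen for illustration. The reference monitor re-checks the proof object instead of trusting the presenter, then asks every credential used in the proof whether it agrees to be used this way; the scenario shows an admin's delegation being rejected once the delegate sub-delegates further, which is exactly the "unexpected consequence" the abstract describes.

```python
"""Toy proof-carrying authorization with credential usage constraints (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Formulas are tuples: ("atom", name, *args) | ("says", principal, f) | ("delegate", principal, f)
Formula = tuple
# Proofs are tuples: ("cred", Credential) | ("deleg", proof_of_delegation, proof_of_delegate_claim)
Proof = tuple


def atom(name: str, *args: str) -> Formula:
    return ("atom", name) + args


def says(principal: str, f: Formula) -> Formula:
    return ("says", principal, f)


def delegate(principal: str, f: Formula) -> Formula:
    return ("delegate", principal, f)


@dataclass(frozen=True)
class Credential:
    issuer: str
    formula: Formula
    # Constraint: a function over the whole proof and the requested goal, per the abstract.
    constraint: Optional[Callable[[Proof, Formula], bool]] = None
    name: str = ""


class ProofError(Exception):
    pass


def check(proof: Proof) -> Formula:
    """Proof checker: return the formula this proof derives, or raise ProofError."""
    kind = proof[0]
    if kind == "cred":
        cred: Credential = proof[1]
        return says(cred.issuer, cred.formula)  # a credential justifies "issuer says formula"
    if kind == "deleg":
        lhs, rhs = check(proof[1]), check(proof[2])
        if lhs[0] != "says" or lhs[2][0] != "delegate":
            raise ProofError("left premise is not a delegation")
        k, (_, j, f) = lhs[1], lhs[2]
        if rhs != says(j, f):
            raise ProofError("right premise does not match delegation")
        return says(k, f)
    raise ProofError(f"unknown proof step {kind!r}")


def credentials_used(proof: Proof) -> List[Credential]:
    if proof[0] == "cred":
        return [proof[1]]
    return credentials_used(proof[1]) + credentials_used(proof[2])


def delegation_steps(proof: Proof) -> int:
    """Number of delegation rule applications in the proof (used by a constraint below)."""
    if proof[0] == "cred":
        return 0
    return 1 + delegation_steps(proof[1]) + delegation_steps(proof[2])


def authorize(proof: Proof, owner: str, goal: Formula) -> Tuple[bool, str]:
    """Reference monitor: the proof is the capability; it must derive 'owner says goal'
    and every credential it uses must accept this proof under its own constraint."""
    try:
        derived = check(proof)
    except ProofError as e:
        return False, f"invalid proof: {e}"
    if derived != says(owner, goal):
        return False, "proof does not establish the owner's goal"
    for cred in credentials_used(proof):
        if cred.constraint is not None and not cred.constraint(proof, goal):
            return False, f"constraint on credential {cred.name!r} rejects this proof"
    return True, "access granted"


# Constructed scenario (hypothetical principals and path). The file server "fs" trusts
# "admin" on who may read /data/report; admin delegates to alice but only tolerates
# proofs with at most two delegation steps, i.e. no sub-delegation below alice.
READ_REPORT = atom("may_read", "bob", "/data/report")
FS = Credential("fs", delegate("admin", READ_REPORT), name="fs-trusts-admin")
ADMIN = Credential("admin", delegate("alice", READ_REPORT),
                   constraint=lambda proof, goal: delegation_steps(proof) <= 2,
                   name="admin-delegates-alice")
ALICE_DIRECT = Credential("alice", READ_REPORT, name="alice-grants-bob")
ALICE_SUB = Credential("alice", delegate("carol", READ_REPORT), name="alice-delegates-carol")
CAROL = Credential("carol", READ_REPORT, name="carol-grants-bob")


def direct_proof() -> Proof:
    return ("deleg", ("cred", FS), ("deleg", ("cred", ADMIN), ("cred", ALICE_DIRECT)))


def subdelegated_proof() -> Proof:
    # Logically valid, but admin never intended her credential to enable this chain.
    return ("deleg", ("cred", FS),
            ("deleg", ("cred", ADMIN), ("deleg", ("cred", ALICE_SUB), ("cred", CAROL))))


if __name__ == "__main__":
    print(authorize(direct_proof(), "fs", READ_REPORT))
    print(authorize(subdelegated_proof(), "fs", READ_REPORT))
    print(authorize(("deleg", ("cred", FS), ("cred", ALICE_DIRECT)), "fs", READ_REPORT))
```

The constraint is evaluated over the complete proof, not just the credential's own step, which is what lets admin veto a chain that is otherwise a valid derivation; a real system would additionally bind each credential to its issuer with a signature and check that before `check` runs.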
Permission to Speak: A Logic for Access Control and Conformance
2009
Cited by 1 (1 self)
Formal languages for policy have been developed for access control and conformance checking. In this paper, we describe a formalism that combines features that have been developed for each application. From access control, we adopt the use of a saying operator. From conformance checking, we adopt the use of operators for obligation and permission. The operators are combined using an axiom that permits a principal to speak on behalf of another. The combination yields benefits to both applications. For access control, we overcome the problematic interaction between hand-off and classical reasoning. For conformance, we obtain a characterization of legal power by nesting saying with obligation and permission. The axioms result in a decidable logic. We integrate the axioms into a logic programming approach, which lets us use quantification in policies while preserving decidability of access control decisions. Conformance checking, in the presence of nested obligations and permissions, is shown to be decidable. Non-interference is characterized using reachability via permitted statements.
Cover semantics for quantified lax logic
Journal of Logic and Computation
Cited by 1 (0 self)
Lax modalities occur in intuitionistic logics concerned with hardware verification, the computational lambda calculus, and access control in secure systems. They also encapsulate the logic of Lawvere-Tierney-Grothendieck topologies on topoi. This paper provides a complete semantics for quantified lax logic by combining the Beth-Kripke-Joyal cover semantics for first-order intuitionistic logic with the classical relational semantics for a “diamond” modality. The main technique used is the lifting of a multiplicative closure operator (nucleus) from a Heyting algebra to its MacNeille completion, and the representation of an arbitrary locale as the lattice of “propositions” of a suitable cover system. In addition, the theory is worked out for certain constructive versions of the classical logics K and S4. An alternative completeness proof is given for (non-modal) first-order intuitionistic logic itself with respect to the cover semantics, using a simple and explicit Henkin-style construction of a characteristic model whose points are principal theories rather than prime saturated ones. The paper provides further evidence that there is more to intuitionistic modal logic than the generalisation of properties of boxes and diamonds from Boolean modal logic.

