Results 1-10 of 30
AURA: A programming language for authorization and audit
, 2008
Cited by 60 (7 self)
Abstract
This paper presents AURA, a programming language for access control that treats ordinary programming constructs (e.g., integers and recursive functions) and authorization logic constructs (e.g., principals and access control policies) in a uniform way. AURA is based on polymorphic DCC and uses dependent types to permit assertions that refer directly to AURA values while keeping computation out of the assertion level to ensure tractability. The main technical results of this paper include fully mechanically verified proofs of the decidability and soundness for AURA’s type system, and a prototype typechecker and interpreter.
Evidence-based Audit
Cited by 46 (14 self)
Abstract
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an access-control decision has been made in accordance with policy. Using such proofs for auditing purposes is implicit in much of the work on authorization logics and proof-carrying authorization. This paper explores some ramifications of adopting this “proofs as log entries” approach to auditing. Two benefits of evidence-based audit are a reduced trusted computing base and the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because operations like proof normalization can yield information about the relevance of policy statements. To explain these observations concretely, we develop a rich authorization logic based on a dependently-typed variant of DCC and prove the metatheoretic properties of subject-reduction and normalization. We show that untrusted but well-typed applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. We show the utility of proof-based auditing in a number of examples and discuss several pragmatic issues, such as proof size, that must be addressed in this context.
A Logic of Secure Systems and its Application to Trusted Computing
Cited by 31 (3 self)
Abstract
We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dynamically loading and executing unknown (and potentially untrusted) code. The adversary’s capabilities are constrained by the system interface as defined in the programming model (leading to the name CSI-ADVERSARY). We develop a sound proof system for reasoning about programs, without explicitly reasoning about adversary actions. This form of reasoning was particularly difficult to codify for dynamically loaded unknown pieces of code. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise the assumptions needed for the security of these protocols and reveal a surprising insecure interaction between the two protocols.
A proof-carrying file system
, 2009
Cited by 26 (13 self)
Abstract
This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that depend on both time and system state. We rigorously prove that enforcement using capabilities is correct, and evaluate the file system’s performance.
Security-Typed Programming within Dependently-Typed Programming
Cited by 25 (2 self)
Abstract
Several recent security-typed programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensitive resource to be accompanied by a proof. The security-typed languages described in the literature, such as Aura and PCML5, have been presented as new, standalone language designs. In this paper, we instead show how to embed a security-typed programming language within an existing dependently typed programming language, Agda. This language-design strategy allows us to inherit both the metatheoretic results, such as type safety, and the implementation of the host language. Our embedding consists of the following ingredients: First, we represent the syntax and proofs of an authorization logic, Garg and Pfenning’s BL0, using dependent types. Second, we implement a proof search procedure, based on a focused sequent calculus, to ease the burden of constructing proofs. Third, we define an indexed monad of computations on behalf of a principal, with proof-carrying primitive operations. Our work shows that a dependently typed language can be used to prototype a security-typed language, and contributes to the growing body of literature on using dependently typed languages to construct domain-specific type systems.
A Calculus of Contracting Processes
Cited by 13 (4 self)
Abstract
We propose a formal theory of contract-based computing. We model contracts as formulae in an intuitionistic logic extended with a “contractual” form of implication. Decidability holds for our logic: this allows us to mechanically infer the rights and the duties deriving from any set of contracts. We embed our logic in a core calculus of contracting processes, which combines features from concurrent constraints and calculi for multiparty sessions, while subsuming several idioms for concurrency.
Proof search in an authorization logic
, 2009
Cited by 12 (7 self)
Abstract
We consider the problem of proof search in an expressive authorization logic that contains a “says” modality and an ordering on principals. After a description of the proof system for the logic, we identify two fragments that admit complete goal-directed and saturating proof search strategies. A smaller fragment is then presented, which supports both goal-directed and saturating search, and has a sound and complete translation to first-order logic. We conclude with a brief description of our implementation of goal-directed search. This work was supported partially by the iCAST project sponsored by the National Science Council,
R.: A logic for contracts
, 2009
Cited by 7 (4 self)
Abstract
We investigate the logical foundations of contracts in distributed applications. A contract is an agreement stipulated between two or more parties, which specifies the duties and the rights of the parties involved therein. We model contracts as formulae in an intuitionistic logic extended with a contractual form of implication. This supports a variant of Modus Ponens, where from a promise a b to deduce b, one does not need to know a; yet, it suffices to have a dual promise b a. We study the proof theory for our logic. In particular, we provide it with a Hilbert-style axiomatisation, which is shown consistent, and with a Gentzen-style sequent calculus, shown equivalent to the axiomatization. We prove our logic decidable, via a cut elimination property. The rights and the duties deriving from any set of contracts can therefore be mechanically inferred.
Constraining Credential Usage in Logic-Based Access Control
Cited by 6 (0 self)
Abstract
Authorization logics allow concise specification of flexible access-control policies, and are the basis for logic-based access-control systems. In such systems, resource owners issue credentials to specify policies, and the consequences of these policies are derived using logical inference rules. Proofs in authorization logics can serve as capabilities for gaining access to resources. Because a proof is derived from a set of credentials possibly issued by different parties, the issuer of a specific credential may not be aware of all the proofs that her credential may make possible. From this credential issuer’s standpoint, the policy expressed in her credential may thus have unexpected consequences. To solve this general problem, we propose a system in which credentials can specify constraints on how they are to be used. We show how to modularly extend well-studied authorization logics to support the specification and enforcement of such constraints. A novelty of our design is that we allow the constraints to be arbitrary well-behaved functions over authorization proofs. Since all the information about an access is contained in the proofs, this makes it possible to express many interesting constraints. We study the formal properties of such a system, and give examples of constraints.
Principal-Centric Reasoning in Constructive Authorization Logic
, 2008
Cited by 6 (2 self)
Abstract
We present an authorization logic DTL0 that explicitly relativizes reasoning to beliefs of principals. The logic assumes that principals are conceited in their beliefs. We describe the natural deduction system, sequent calculus, Hilbert-style axiomatization, and Kripke semantics of the logic. We prove several metatheoretic results including cut-elimination, and soundness and completeness for the Kripke semantics. We also present translations from several other authorization logics into DTL0, and describe formal connections between DTL0 and the modal logic constructive S4.