Results 1  10
of
26
Evidencebased Audit
"... Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implici ..."
Abstract

Cited by 42 (14 self)
 Add to MetaCart
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implicit in much of the work on authorization logics and proofcarrying authorization. This paper explores some ramifications of adopting this “proofs as log entries ” approach to auditing. Two benefits of evidencebased audit are a reduced trusted computing base and the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because operations like proof normalization can yield information about the relevance of policy statements. To explain these observations concretely, we develop a rich authorization logic based on a dependentlytyped variant of DCC and prove the metatheoretic properties of subjectreduction and normalization. We show untrusted but welltyped applications, that access resources through an appropriate interface, must obey the access control policy and create proofs useful for audit. We show the utility of proofbased auditing in a number of examples and discuss several pragmatic issues, such as proof size, that must be addressed in this context. 1
A Logic of Secure Systems and its Application to Trusted Computing
"... We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dy ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dynamically loading and executing unknown (and potentially untrusted) code. The adversary’s capabilities are constrained by the system interface as defined in the programming model (leading to the name CSIADVERSARY). We develop a sound proof system for reasoning about programs, without explicitly reasoning about adversary actions. This form of reasoning was particularly difficult to codify for dynamically loaded unknown pieces of code. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise assumptions needed for the security of these protocols and reveal a surprising insecure interaction between the two protocols. 1
A proofcarrying file system
, 2009
"... This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that d ..."
Abstract

Cited by 19 (10 self)
 Add to MetaCart
This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that depend on both time and system state. We rigorously prove that enforcement using capabilities is correct, and evaluate the file system’s performance.
SecurityTyped Programming within DependentlyTyped Programming
"... Abstract. Several recent securitytyped programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensi ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
Abstract. Several recent securitytyped programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensitive resource to be accompanied by a proof. The securitytyped languages described in the literature, such as Aura and PCML5, have been presented as new, standalone language designs. In this paper, we instead show how to embed a securitytyped programming language within an existing dependently typed programming language, Agda. This languagedesign strategy allows us to inherit both the metatheoretic results, such as type safety, and the implementation of the host language. Our embedding consists of the following ingredients: First, we represent the syntax and proofs of an authorization logic, Garg and Pfenning’s BL0, using dependent types. Second, we implement a proof search procedure, based on a focused sequent calculus, to ease the burden of constructing proofs. Third, we define an indexed monad of computations on behalf of a principal, with proofcarrying primitive operations. Our work shows that a dependently typed language can be used to prototype a securitytyped language, and contributes to the growing body of literature on using dependently typed languages to construct domainspecific type systems. 1
Proof search in an authorization logic
, 2009
"... We consider the problem of proof search in an expressive authorization logic that contains a “says ” modality and an ordering on principals. After a description of the proof system for the logic, we identify two fragments that admit complete goaldirected and saturating proof search strategies. A sm ..."
Abstract

Cited by 9 (5 self)
 Add to MetaCart
We consider the problem of proof search in an expressive authorization logic that contains a “says ” modality and an ordering on principals. After a description of the proof system for the logic, we identify two fragments that admit complete goaldirected and saturating proof search strategies. A smaller fragment is then presented, which supports both goaldirected and saturating search, and has a sound and complete translation to firstorder logic. We conclude with a brief description of our implementation of goaldirected search. This work was supported partially by the iCAST project sponsored by the National Science Council,
PrincipalCentric Reasoning in Constructive Authorization Logic
, 2008
"... We present an authorization logic DTL0 that explicitly relativizes reasoning to beliefs of principals. The logic assumes that principals are conceited in their beliefs. We describe the natural deduction system, sequent calculus, Hilbertstyle axiomatization, and Kripke semantics of the logic. We pro ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
We present an authorization logic DTL0 that explicitly relativizes reasoning to beliefs of principals. The logic assumes that principals are conceited in their beliefs. We describe the natural deduction system, sequent calculus, Hilbertstyle axiomatization, and Kripke semantics of the logic. We prove several metatheoretic results including cutelimination, and soundness and completeness for the Kripke semantics. We also present translations from several other authorization logics into DTL0, and describe formal connections between DTL0 and the modal logic constructive S4.
Constraining Credential Usage in LogicBased Access Control
"... Abstract—Authorization logics allow concise specification of flexible accesscontrol policies, and are the basis for logicbased accesscontrol systems. In such systems, resource owners issue credentials to specify policies, and the consequences of these policies are derived using logical inference ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract—Authorization logics allow concise specification of flexible accesscontrol policies, and are the basis for logicbased accesscontrol systems. In such systems, resource owners issue credentials to specify policies, and the consequences of these policies are derived using logical inference rules. Proofs in authorization logics can serve as capabilities for gaining access to resources. Because a proof is derived from a set of credentials possibly issued by different parties, the issuer of a specific credential may not be aware of all the proofs that her credential may make possible. From this credential issuer’s standpoint, the policy expressed in her credential may thus have unexpected consequences. To solve this general problem, we propose a system in which credentials can specify constraints on how they are to be used. We show how to modularly extend wellstudied authorization logics to support the specification and enforcement of such constraints. A novelty of our design is that we allow the constraints to be arbitrary wellbehaved functions over authorization proofs. Since all the information about an access is contained in the proofs, this makes it possible to express many interesting constraints. We study the formal properties of such a system, and give examples of constraints.
A Calculus of Contracting Processes
"... We propose a formal theory of contractbased computing. We model contracts as formulae in an intuitionistic logic extended with a “contractual ” form of implication. Decidability holds for our logic: this allows us to mechanically infer the rights and the duties deriving from any set of contracts. W ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
We propose a formal theory of contractbased computing. We model contracts as formulae in an intuitionistic logic extended with a “contractual ” form of implication. Decidability holds for our logic: this allows us to mechanically infer the rights and the duties deriving from any set of contracts. We embed our logic in a core calculus of contracting processes, which combines features from concurrent constraints and calculi for multiparty sessions, while subsuming several idioms for concurrency. 1
A Logical Representation of Common Rules for Controlling Access to Classified Information
, 2009
"... Official policies for controlling access to classified information in the U.S. are quite complex and often difficult to enforce. We present an encoding of a common core of these policies in an authorization logic, and describe their rigorous enforcement in PCFS, a file system implemented for such pu ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Official policies for controlling access to classified information in the U.S. are quite complex and often difficult to enforce. We present an encoding of a common core of these policies in an authorization logic, and describe their rigorous enforcement in PCFS, a file system implemented for such purposes.
A Hybrid Linear Logic for Constrained Transition Systems
, 2009
"... Linear implication can represent state transitions, but real transition systems operate under temporal, stochastic or probabilistic constraints that are not directly representable in ordinary linear logic. We propose a general modal extension of intuitionistic linear logic where logical truth is ind ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Linear implication can represent state transitions, but real transition systems operate under temporal, stochastic or probabilistic constraints that are not directly representable in ordinary linear logic. We propose a general modal extension of intuitionistic linear logic where logical truth is indexed by constraints and hybrid connectives combine constraint reasoning with logical reasoning. The logic has a focused cutfree sequent calculus that can be used to internalize the rules of particular constrained transition systems; we illustrate this with an adequate encoding of the synchronous stochastic picalculus. We also present some preliminary experiments of direct encoding of biological systems in the logic. 1