## Evidence-based Audit

### Download Links

- [www.seas.upenn.edu]
- [www.cis.upenn.edu]
- [www.cis.upenn.edu]
- [people.seas.harvard.edu]
- [www.jeffvaughan.net]
- [www.andrew.cmu.edu]
- [www.seas.upenn.edu]
- DBLP

### Other Repositories/Bibliography

Citations: 39 (11 self)

### BibTeX

```bibtex
@MISC{Vaughan_evidence-basedaudit,
  author = {Jeffrey A. Vaughan and Limin Jia and Karl Mazurak and Steve Zdancewic},
  title = {Evidence-based Audit},
  year = {}
}
```

### Abstract

Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an access-control decision has been made in accordance with policy. Using such proofs for auditing purposes is implicit in much of the work on authorization logics and proof-carrying authorization. This paper explores some ramifications of adopting this “proofs as log entries” approach to auditing. Two benefits of evidence-based audit are a reduced trusted computing base and the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because operations like proof normalization can yield information about the relevance of policy statements. To explain these observations concretely, we develop a rich authorization logic based on a dependently-typed variant of DCC and prove the metatheoretic properties of subject-reduction and normalization. We show that untrusted but well-typed applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. We show the utility of proof-based auditing in a number of examples and discuss several pragmatic issues, such as proof size, that must be addressed in this context.

### Citations

847 | A formulation of the simple theory of types
- Church
- 1940

Citation Context: ... proofs, like our applications, need not reside in the trusted computing base. Additionally, both systems use expressive foundational logics to define policies, higher-order logic in the case of Grey [19]. In order to make proof search effective, Bauer suggests using cut-down fragments of higher order logic for expressing particular rule sets and using a distributed, tactic-based proof search algorith...

356 | Protection in operating systems
- Harrison, Ruzzo, et al.
- 1976

Citation Context: ...equences. The latter issue is particularly acute in light of Harrison and colleagues’ observation that determining the ultimate effect of policy changes in even simple systems is generally undecidable [27]. Point (3) recognizes that reference monitors may be complex, and likely to be vulnerable to implementation flaws. The Aura programming model suggests a different approach to protecting resources. Th...

349 | A calculus for access control in distributed systems
- Abadi, Burrows, et al.

Citation Context: ...idence that justifies the authorization decisions made during the system’s execution. What is valid evidence for an authorization decision? Following an abundance of prior work on authorization logic [3, 28, 21, 1, 30, 2, 25], we adopt the stance that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying auth...

230 | Computer Security: Art and Science
- Bishop
- 2003

Citation Context: ...t challenges and sketches some future research directions. Section 6 discusses related work. 2 Kernel Mediated Access Control A common system design idiom protects resources with a reference monitor [16]. The reference monitor takes requests from (generally) untrusted clients and may decide to allow or deny them. A well implemented reference monitor should be configured using a well-specified set of ...

221 | A core calculus of dependency
- Abadi, Banerjee, et al.
- 1999

Citation Context: ...19] recognized the importance of says and provided a variety of interpretations for it. Garg and Pfenning [21] and, later, Abadi [2] introduced the treatment of says as an indexed monad. Both systems [21, 3] also enjoy the crucial noninterference property: in the absence of delegation, nothing B says can cause A to say false. AURA0 builds on this prior work, especially Abadi’s DCC, in several ways. The a...

200 | Delegation Logic: A logic-based approach to distributed authorization
- Li, Grosof, et al.
- 2003

Citation Context: ...idence that justifies the authorization decisions made during the system’s execution. What is valid evidence for an authorization decision? Following an abundance of prior work on authorization logic [3, 28, 21, 1, 30, 2, 25], we adopt the stance that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying auth...

175 | A logical language for expressing authorizations
- Jajodia, Samarati, et al.
- 1997

Citation Context: ...idence that justifies the authorization decisions made during the system’s execution. What is valid evidence for an authorization decision? Following an abundance of prior work on authorization logic [3, 28, 21, 1, 30, 2, 25], we adopt the stance that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying auth...

175 | Execution monitoring of security-critical programs in distributed systems: A specification-based approach
- Ko, Ruschitzka, et al.
- 1997

Citation Context: ...has been work on cryptographically protecting logs to prevent or detect log tampering [32, 15], efficiently searching confidential logs [33], and experimental research on effective, practical logging [9, 29]. But there is relatively little work on what the contents of an audit log should be or how to ensure that a system implementation performs appropriate logging (see Wee’s paper on a logging and auditi...

173 | Proof-carrying authentication
- Appel, Felten
- 1999

Citation Context: ... that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying authorization literature [7, 11, 14], but, to our knowledge, the use of proofs for auditing purposes has not been studied outright. There are several compelling reasons why it is profitable to include proofs of authorization decisions i...

160 | The role of trust management in distributed systems security
- Blaze, Feigenbaum, et al.
- 1999

Citation Context: ...signing abstractly, Fournet and colleagues’ type system (and computation model) can explicitly discuss cryptographic operations. Trust management systems like PolicyMaker and Keynote are also related [17]. Trust Management systems are intended to answer the question “Does the set C of credentials prove that the request r complies with the local security policy P.” [17] Such systems use general purpo...

109 | a logic-based security language
- Binder
- 2002

86 | Logic in access control
- Abadi
- 2003

82 | Cryptographic support for secure logs on untrusted machines
- Schneier, Kelsey
- 1998

Citation Context: ... in practice, there has been surprisingly little research into what constitutes good auditing procedures. 1 There has been work on cryptographically protecting logs to prevent or detect log tampering [32, 15], efficiently searching confidential logs [33], and experimental research on effective, practical logging [9, 29]. But there is relatively little work on what the contents of an audit log should be or...

71 | Distributed proving in access-control systems
- Bauer, Garriss, et al.
- 2005

Citation Context: ... that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying authorization literature [7, 11, 14], but, to our knowledge, the use of proofs for auditing purposes has not been studied outright. There are several compelling reasons why it is profitable to include proofs of authorization decisions i...

64 | Building an encrypted and searchable audit log
- Waters, Balfanz, et al.
- 2004

Citation Context: ...esearch into what constitutes good auditing procedures. 1 There has been work on cryptographically protecting logs to prevent or detect log tampering [32, 15], efficiently searching confidential logs [33], and experimental research on effective, practical logging [9, 29]. But there is relatively little work on what the contents of an audit log should be or how to ensure that a system implementation pe...

61 | Forward integrity for secure audit logs
- Bellare, Yee
- 1997

Citation Context: ... in practice, there has been surprisingly little research into what constitutes good auditing procedures. 1 There has been work on cryptographically protecting logs to prevent or detect log tampering [32, 15], efficiently searching confidential logs [33], and experimental research on effective, practical logging [9, 29]. But there is relatively little work on what the contents of an audit log should be or...

60 | Device-enabled authorization in the Grey system
- Bauer, Garriss, et al.
- 2005

Citation Context: ...d attempts at proof construction. Conversely, some operations take arguments that should not be logged, for security or space constraints. 6 Related Work Earlier work on proof-carrying access control [6, 8, 18, 13, 14, 23] recognized the importance of “says”, but Abadi [4] was the first to define it as an indexed monad, as in Aura0. Abadi et al.’s work [5] also proved DCC’s key noninterference property: in the absence ...

60 | Efficient representation and validation of proofs
- Necula, Lee
- 1998

Citation Context: ...er concerns that need to be addressed. In particular, we will require efficient log operations and compact proof representations. Prior work on proof compression in the context of proof-carrying code [31] should apply in this setting, but until we have experience with concrete examples, it is not clear how large the authorization proofs may become in practice. A related issue is what kind of tool supp...

59 | Access control in a core calculus of dependency
- Abadi
- 2007

53 | Non-interference in constructive authorization logic
- Garg, Pfenning
- 2006

44 | Access Control for the Web via Proof-Carrying Authorization
- Bauer
- 2003

Citation Context: ... that log entries should contain proofs of suitable propositions that encode access-control queries. Indeed, the idea of logging such proofs is implicit in the proof-carrying authorization literature [7, 11, 14], but, to our knowledge, the use of proofs for auditing purposes has not been studied outright. There are several compelling reasons why it is profitable to include proofs of authorization decisions i...

38 | A type discipline for authorization policies
- Fournet, Gordon, et al.
- 2005

Citation Context: ...evant operations. To illustrate Aura more concretely, Section 3 develops a dependently typed authorization logic based on DCC [4] and similar to that found in the work by Gordon, Fournet, and Maffeis [23, 24]. This language, Aura0, is intended to model the fragment of Aura relevant to auditing. We show how proof-theoretic properties such as subject reduction and normalization can play a useful rôle in thi...

33 | A type discipline for authorization in distributed systems
- Fournet, Gordon, et al.
- 2007

Citation Context: ...evant operations. To illustrate AURA more concretely, Section 3 develops a dependently typed authorization logic based on DCC [2] and similar to that found in the work by Gordon, Fournet, and Maffeis [19, 20]. This language, AURA0, is intended to model the fragment of AURA relevant to auditing. We show how proof-theoretic properties such as subject reduction and normalization can play a useful role in thi...

22 | An authorization logic with explicit time
- DeYoung, Garg, et al.
- 2008

Citation Context: ...e only a set number of times. They can also be used to represent protocols at the type level, ensuring, for example, that a file descriptor is not used after it is closed. Garg, deYoung, and Pfenning [18] are studying a constructive and linear access control logic with explicit time intervals. Their syntax includes propositions of the form P @[T1, T2], meaning “P is valid between times T1 and T2.” ...

21 | An approach to UNIX security logging
- Axelsson, Lindqvist, et al.
- 1998

Citation Context: ...has been work on cryptographically protecting logs to prevent or detect log tampering [32, 15], efficiently searching confidential logs [33], and experimental research on effective, practical logging [9, 29]. But there is relatively little work on what the contents of an audit log should be or how to ensure that a system implementation performs appropriate logging (see Wee’s paper on a logging and auditi...

20 | Consumable credentials in logic-based access-control systems
- Bowers, Bauer, et al.
- 2007

Citation Context: ...tures might also be limited in the number of times they may be used, and this seems like a natural application for linear types (see Bauer et al. for an authorization logic with linearity constraints [12]). Objects of a linear type must be used exactly once, making linear types appropriate for granting a user access to a resource only a set number of times. They can also be used to represent protocols...

17 | An audit logic for accountability
- Cederquist, Corin, et al.
- 2005

Citation Context: ...d attempts at proof construction. Conversely, some operations take arguments that should not be logged, for security or space constraints. 6 Related Work Earlier work on proof-carrying access control [6, 8, 18, 13, 14, 23] recognized the importance of “says”, but Abadi [4] was the first to define it as an indexed monad, as in Aura0. Abadi et al.’s work [5] also proved DCC’s key noninterference property: in the absence ...

15 | A short and flexible proof of strong normalization for the calculus of constructions
- Geuvers
- 1995

Citation Context: ...normalizing. Proof Sketch. We prove Aura0 is strongly normalizing by translating Aura0 to the Calculus of Constructions extended with product dependent types, which is known to be strongly normalizing [26]. The key property of the translation is that it preserves types and reduction steps. The interesting cases are the translations of DCC terms. The translation drops the says monad, and translates the ...

8 | Monadic type systems: Pure type systems for impure settings (preliminary report)
- Barthe, Hatcliff, et al.
- 1997

7 | LAFS: A logging and auditing file system
- Wee
- 1995

Citation Context: ...relatively little work on what the contents of an audit log should be or how to ensure that a system implementation performs appropriate logging (see Wee’s paper on a logging and auditing file system [34] for one approach to these issues, however). In this paper, we argue that audit log entries should constitute evidence that justifies the authorization decisions made during the system’s execution. Wh...

3 | Aura: A programming language for authorization and audit, preliminary technical results
- Jia, Vaughan, et al.
- 2008

Citation Context: ...ed by a careless or malicious programmer. The impetus for this paper stems from our experience with the (ongoing) design and implementation of a new security-oriented programming language called AURA [25]. 1 Note that the term auditing can also refer to the practice of statically validating a property of the system. Code review, for example, seeks to find flaws in software before it is deployed. Such ...

2 | A type discipline for distributed systems
- Fournet, Gordon, et al.
- 2007

Citation Context: ...evant operations. To illustrate Aura more concretely, Section 3 develops a dependently typed authorization logic based on DCC [4] and similar to that found in the work by Gordon, Fournet, and Maffeis [23, 24]. This language, Aura0, is intended to model the fragment of Aura relevant to auditing. We show how proof-theoretic properties such as subject reduction and normalization can play a useful rôle in thi...

2 | A calculus for access control in distributed systems
- Abadi, Burrows, et al.
- 1993

Citation Context: ..., we argue that audit log entries should constitute evidence that justifies the authorization decisions made during the system’s execution. Following an abundance of prior work on authorization logic [4, 24, 17, 1, 27, 2, 21], we adopt the stance that log entries should contain proofs that access should be granted. Indeed, the idea of logging such proofs is implicit in the proof-carrying authorization literature [5, 7, 10...

1 | An authorization logic with explicit time, 2007. Draft, by personal communication
- deYoung, Garg, et al.

Citation Context: ...e only a set number of times. They can also be used to represent protocols at the type level, ensuring, for example, that a file descriptor is not used after it is closed. Garg, deYoung, and Pfenning [22] are studying a constructive and linear access control logic with explicit time intervals. Their syntax includes propositions of the form P @[T1, T2], meaning “P is valid between times T1 and T2.” ...

1 | Evidence-based audit, technical appendix
- Vaughan, Jia, et al.
- 2008

Citation Context: ...tance of normalization with respect to auditing. It concludes with proofs of subject reduction, strong normalization and confluence for AURA0; details may be found in the accompanying technical report [31]. 3.1 Syntax Figure 3 defines the syntax of AURA0, which features two varieties of terms: access control proofs p, which are classified by corresponding propositions P of kind Prop, and conventional e...