Uses of Rationale in PC Security.


57 views
Uploaded on:
Description
Numerous utilizations of rationale in PC security are backhanded, through ... Cryptographic convention examination is a dynamic, rich range for rationale applications ...
Transcripts
Slide 1

Uses of Logic in Computer Security Jonathan Millen SRI International

Slide 2

Areas of Application Multilevel Operating System Security "Orange Book," Commercial Trusted Product Evaluation, A1-level Emphasis on mystery, security/freedom levels Access Control Policies Discretionary or part construct strategies Emphasis with respect to application-particular approaches, trustworthiness Public-Key Infrastructure and Trust Management Network and dispersed framework security Digitally marked testaments for personality and benefits Cryptographic Authentication Protocols For system correspondence classification and verification Other ranges: databases, firewalls/switches, interruption location Computer Security Network Security

Slide 3

Contributions of Logic Undecidability Results Safety issue for optional access control Cryptographic convention investigation Theorem Proving Environments Verifying rightness of formal OS details Inductive confirmations of cryptographic conventions Logic Programming Prolog programs for cryptographic convention examination, trust administration Model Checking For cryptographic convention investigation Specialized Logics For cryptographic convention examination, trust administration

Slide 4

Multilevel Operating System Security Motivated by insurance of characterized data in shared frameworks High-affirmation (A1) frameworks may shield Secret information from uncleared clients Architecture: trusted OS piece, equipment bolster Abstract framework model of access control: Bell-LaPadula (ca. 1975) Structured state-move framework: subject-object access grid, levels Security invariants and move rules (for OS capacities) "Formal Top-Level Specification" (FTLS) More itemized state-move framework Formal Proofs: Model moves fulfill invariants FTLS is an elucidation of the framework model Carried out in situations like Gypsy, FDM, HDM Some FTLS mistakes reflected in code were found Of Historical Interest

Slide 5

Access Control Policies Safety Problem Subject-object-rights lattice "rights" were self-assertive, speaking to various types of access Operations: make/erase subjects, objects; enter/expel rights System of contingent standards to apply operations Harrison-Ruzzo-Ullman Undecidability Result Whether S can ever get right r to question O Comm. ACM 19(8), 1976 Decidable if number of subjects is limited Historical Impact Led to enthusiasm for proficiently decidable frameworks Take-Grant, DAC, RBAC O j S i r

Slide 6

Public-Key Certificates Based on hilter kilter encryption Key pair K A , K A - 1 : one made open, one kept mystery Text square scrambled with K A can be unscrambled just with K A - 1 . Illogical to process mystery key from open key Digital mark Text string T Apply one-way (hash) capacity Encrypt with mystery key Verify by decoding with underwriter\'s open key, think about hash result Public Key Certificate Binds name to open key, marked by trusted gathering Logical Equivalent "A says (K B is the general population key of B)" … gave that K An is the general population key of A T  h(T)  [h(T)]K A - 1 B,K B ,[h(B,K B )]K A - 1

Slide 7

Logic of Distributed Authentication Origination: "Validation in disseminated frameworks: hypothesis and practice," by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992 Theory of says and represents (  connection) (A  B)  ((A says s)  (B says s)) (P8) (A says (B  A))  (B  A) (P10) Application to circulated frameworks An and B are principals : clients or keys (can say something) A says s implies: An approves charge (operation, access) s A  B implies: B delegates power to A Certificate T,[T] K A - 1 implies K A says T Public key endorsement implies K A  A Credentials sent starting with one system hub then onto the next to approve assets Implemented in Taos working framework "accreditations"

Slide 8

Trust Management Policymaker "Decentralized trust administration," Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy Identified trust administration as a particular issue Purpose: to characterize and actualize arrangement utilizing qualifications to process questions Delegation Logic "A rationale based information representation for Authorization with Delegation," Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop Language to express strategies Primitives incorporate says, delegates (represents with article) Access consent is decidable Logic program execution (in Datalog)

Slide 9

Cryptographic Protocols Cryptographic convention a trade of messages over an uncertain correspondence medium, utilizing cryptographic changes to guarantee confirmation and mystery of information and keying material. Applications military correspondences, business interchanges, electronic trade, protection Examples Kerberos: MIT convention for unitary login to network administrations SSL (Secure Socket Layer, utilized as a part of Web programs) IPSec: standard suite of Internet conventions due to the IETF SET (Secure Electronic Transaction) convention PGP (Pretty Good Privacy)

Slide 10

A Popular Example The Needham-Schroeder open key handshake R. M. Needham and M. D. Schroeder, "Utilizing Encryption for Authentication as a part of Large Networks of Computers," Comm. ACM , Dec., 1978 A  B: {A, Na}Kb B  A: {Na, Nb}Ka A  B: {Nb}Kb Purpose: common verification of An and B, sharing privileged insights Na, Nb This is a " Alice-and-Bob " convention determination Na and Nb are nonces (utilized once) Ka is the general population key of A The convention is powerless...

Slide 11

The Attack A (typical) M (false) B (supposes he\'s conversing with A, Nb is bargained) {A,Na}Km {A,Na}Kb {Na,Nb}Ka {Nb}Km {Nb}Kb Lowe, "Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR" TACAS 1996, LNCS 1055 A malignant gathering M can produce addresses, go astray from convention

Slide 12

Undecidable in General Reduction of Post correspondence issue Word sets u i , v i for 1  i < n Does there exist u i1 ...u ik = v i1 ...v ik ? Development Protocol with one part (or one for every i) Compromises mystery if arrangement exists Attacker can\'t produce discharge message in view of encryption Observations Messages are unbounded Construction proposed by Heintze & Tygar, 1994 First undecidability evidence by Even & Goldreich, 1983 1999 proof by Durgin, et al indicates nonces are sufficient send {  ,  }K get {X,Y}K if X = Y   , send mystery else pick i, send {Xu i ,Yv i }K

Slide 13

Analysis Approaches Model checking State-space scan for assaults Inductive confirmation Using confirmation instruments or by hand Can demonstrate conventions right (for dynamic encryption) Belief-rationale proofs BAN rationale and successors For validation properties

Slide 14

Linear Logic Model Linear Logic Reference: J.- Y. Girard, "Straight rationale," Theoretical Comp. Sci , 1987 Constructive, used to model state-move frameworks Application to cryptographic conventions Cervesato, Durgin, Lincoln, Mitchell, Scedrov, "A meta-documentation for convention examination," 1999 Computer Security Foundations Workshop Model-checking with direct rationale typical pursuit instrument LLF (LICS \'96) State-move rules F 1 , … , F k   x 1 , … ,  x m . G 1 , … , G n State is a multiset of "realities" Fi, predicates over terms Rule matches truths on left agree with variable substitution Variables xi are instantiated with new images (like nonce!) Left-side certainties are supplanted by right-side actualities in multiset

Slide 15

The MSR Model Implementation of straight rationale model Special term and certainty sorts for cryptographic conventions Symbols for principals, keys, and nonces Terms for encryption and link Facts for convention process state, messages Multiset holds momentum conditions of numerous simultaneous convention sessions Example: A sends message A,{A}K (to B) with new K A 0 (A,B)  (  K) A 1 (A,B,K),M({A}K) Attacker rules spy, build false messages, e.g., M({A}K),M(K)  M({A}K),M(K),M(A) Attacker model is institutionalized MSR model connected as middle dialect CAPSL  MSR  investigation apparatuses (Millen, Denker 1999)

Slide 16

Model Checking Tools State-space hunt down reachability of uncertain states History: back to 1984, Interrogator program in Prolog Meadows\' NRL Protocol Analyzer (NPA), likewise Prolog, 1991 Prolog projects were intuitive General-reason model-checkers Search naturally given beginning conditions, limits Iterative limited profundity look Roscoe and Lowe utilized FDR (model-checker for CSP), 1995 Mitchell, et al utilized Murphi, 1997 Clarke, et al utilized SMV, 1998 Denker, Meseguer, Talcott utilized Maude, 1998 Successful at finding already obscure vulnerabilities!

Slide 17

Non-Repudiation Protocols Different targets and suspicions Fairness destinations: contract marking, evidences of receipt, reasonable trade Applications to electronic business Parties are commonly incredulous, organize very much carried on, no gatecrasher Trusted outsider to determine identified breaks Alternating Temporal Logic application Kremer, Raskin, "Formal confirmation of non-renouncement conventions, a diversion approach," Workshop on Formal Methods and Computer Security , 2000 Used model checker MOCHA Example Objective  <<B,Com>>  (NRO   <<A>>  NRR) Means: B and Com (the system) don\'t have a procedure prompting a state where B has verification of non-revocation of beginning (of some message) yet A has no technique (from that point) prompting a proof of non-denial of receipt

Slide 18

Inductive Proofs State-move model like model checking approaches Application of universally useful particular and check apparatuses Influential Examples: R. Kemmerer, "Analyzing encryption conventions utilizing formal check techniques," IEEE J. Chosen Areas in Comm. , 7(4), May 1989 (FDM). L. Paulson, "The inductive way to deal with confirming cryptographic conventions," J. PC Security

Recommended
View more...