Subtyping for Access Control (talk)

Subtyping for Access Control

MyThS REVIEW MEETING

Vladimiro Sassone

Group Types for Mobility

Aim:

Resource Access Control

➤ _{Detect and prevent unwanted access to resources.}

➤ _{We focus on static approaches based on enforcing type disciplines.}

Groups:

Constraints like k : _CanEnter(n) are modelled as:

n belongs to group G

k may cross the border of any ambient of group G.

For instance, the system:

k[in n | l[outk ] ] | n[ ]

is

well-typed

k : _amb[K,_cross(N)]

Group Types for Mobility

Aim:

Resource Access Control

➤ _{Detect and prevent unwanted access to resources.}

➤ _{We focus on static approaches based on enforcing type disciplines.}

Groups:

n belongs to group G

k may cross the border of any ambient of group G.

For instance, the system:

k[in n | l[outk ] ] | n[ ]

Indirect Border Crossing in MA

Troyan Horses:

Odysseus[in _Horse.out_Horse.Destroy ] | _Horse[in _Troy] | _Troy[Trojans ]

is well-typed under assumptions:

Odysseus : _amb[Achaean,_cross(Toy)]

Horse : _amb[Toy,_cross(City)]

Troy : _amb[City, ]

However

Troy[Trojans | _Horse[ ] | _Odysseus[Destroy ] ]

Indirect Border Crossing in MA

Troyan Horses:

Odysseus[in _Horse.out_Horse.Destroy ] | _Horse[in _Troy] | _Troy[Trojans ]

is well-typed under assumptions:

Odysseus : _amb[Achaean,_cross(Toy)]

Horse : _amb[Toy,_cross(City)]

Troy : _amb[City, ]

However

Troy[Trojans | _Horse[ ] | _Odysseus[Destroy ] ]

Typed Boxed Ambients: Syntax

η ::= n _names

¯

¯ ↑ enclosing amb

¯

¯ ? local

P ::= 0 _{nil process} V, U ::= n _name

¯

¯ P1|P2 composition

¯

¯ inV may enter V ¯

¯ (νn:A)P restriction

¯

¯ outV may exit V ¯

¯ !P replication

¯

¯ V₁.V₂ path ¯

¯ V [P ] ambient ¯

¯ V.P prefixing

¯

¯ (x : W)η.P input ¯

¯ hV iη.P output ¯

Reduction Semantics

Mobility:

n[ inm.P|Q ] | m[R] −→ m[n[P | Q ] | R] (_In)

m[n[outm.P | Q ] | R ] −→ n[ P | Q] | m[R] (_Out)

Communication:

(x_).P | hV i_.Q −→ _P{

V

x

(x₎n_{.P | n[h}V _{i.Q | R] −→ P{}

V

x

(x_).P | _n[hV i↑_.Q | _R] −→ _P{

V

x

hV in_.P | _n[(x_).Q | _R] −→ _P | _n[Q{

V

x

Reduction Semantics

Mobility:

n[ inm.P|Q ] | m[R] −→ m[n[P | Q ] | R] (_In)

m[n[outm.P | Q ] | R ] −→ n[ P | Q] | m[R] (_Out)

Communication:

(x_).P | hV i_.Q −→ _P{

V

x

(x₎n_{.P | n[h}V _{i.Q | R] −→ P{}

V

x

(x_).P | _n[hV i↑_.Q | _R] −→ _P{

V

x

hV in_.P | _n[(x_).Q | _R] −→ _P | _n[Q{

V

x

Types

Groups:

Sets of groups:

Ambients types:

A ::= _ambχ[G, M, C] amb of group G, good for actions χ ⊆ {i,o,c,r,w},

with mobility type M, _{and communication type} C

Process types:

Π ::= _proc[G, M, C] _{process that can be enclosed in an ambient of group} G, may drive to ambients whose groups are in M,

and communicates as described by type C

Capability types:

Types (cont.)

Mobility types:

M ::= _mob[G _{] mobility specs}

Communication types:

C ::= _com[E, F] E _{for local and} F _{for upward exchange}

Exchange types:

E, F ::= _rw[I, O] _{read/write values} (_{valid if} O ≺ I)

Message types:

I, O ::= ⊥ ¯¯ W₁ × . . . × W_k ¯

¯ > bottom, tuple, top

Value types:

W, Y ::= A _{ambient name}

¯

Subtyping

χ1 ⊆ χ0 ⊆ {i,o,c,r,w}

ambχ0[G, M, C] ≺ ambχ1[G, M, C]

(sProc)

M0 ≺ M1; C0 ≺ C1

proc[G, M0, C0] ≺ proc[G, M1, C1]

(sCap)

M0 ≺ M1; F0 ≺ F1

cap[G, M0, F0] ≺ cap[G, M1, F1]

(sMob)

G_{0 ⊆} G₁

mob[G_{0] ≺ mob[}G_1]

(sCom)

E0 ≺ E1; F0 ≺ F1

com[E0, F0] ≺ com[E1, F1]

(sExc)

I1 ≺ I0; O0 ≺ O1

rw[I0, O0] ≺ rw[I1, O1]

(sMsg)

−

⊥ ≺ W1 × . . . × Wk ≺ >

(sTuple)

Wi ≺ Ti; i ∈ 1..k

Good Values

Γ, n : W,Γ0 ` ¦

Γ, n : W,Γ0 ` n : W

(Val pfx)

Γ ` V0 : K; Γ ` V1 : K

Γ ` V0.V1 : K

(Val in)

Γ ` V : _ambi[G, M,com[E, F]]

H ∈ Γ Γ ` inV : _cap[H,_mob[{G}], E]

(Val sub)

Γ ` V : W; W ≺ W0

Γ ` V : W0

(Val out)

Γ ` V : _ambo[G, M,com[E, F]]

Good Processes – Mobility

Γ ` V :<sub>cap</sub>[G, M, F]; Γ ` P:_proc[G, M, _com[E, F]]

Γ ` V.P:_proc[G, M,_com[E, F]]

(Pro amb)

Γ ` V :<sub>amb</sub>c[H,mob[S ],com[E, F]]; Γ ` P:proc[H,mob[S ],com[E, F]]

G ∈ S

Γ ` V [P ]:_proc[G,_mob[∅],_com[F,_zero]]

(Pro res)

Γ, n : A ` P : Π

Γ ` (νn : A)P : Π

(Pro gres)

Γ,G ` P : Π

G 6∈ fg(Π) Γ ` (νG)P : Π

(Pro 0₎

G ∈ dom(Γ)

Γ ` 0 : _proc[G,_mob[∅],_com[_zero,_zero]]

(Pro par)

Γ ` P : Π; Γ ` Q : Π

Γ ` P | Q : Π

(Pro rep)

Good Processes – Communication

Γ,x _: W _{` P : proc[G, M, com[rw[I, O], F]]}

I ≺ W

Γ ` (x _: W_{).P : proc[G, M,com[rw[I, O], F]]}

(out ?₎

Γ ` V <sub>:</sub> W<sub>; Γ</sub> ` _{P : proc[G, M,com[rw[I,}W_{], F]]}

Γ ` hV i_{.P : proc[G, M,com[rw[I,}W_{], F]]}

(inp ↑₎

Γ,x _: W ` _{P : proc[G, M,com[E,rw[I, O]]]}

I ≺ W

Γ ` (x _: W_k)↑_{.P : proc[G, M,com[E,rw[I, O]]]}

(output ↑₎

Γ ` V <sub>:</sub> W<sub>; Γ</sub> ` _{P : proc[G, M, com[E,rw[I,}W_]]]

Properties

Communication properties:

➤ _{If Γ ` (</sub>x <sub>:</sub> W<sub>).P | h</sub>V <sub>i.Q : Π then Γ `} V _:Y _with Y _≺ W_.

Mobility properties:

➤ _{If Γ ` n[in m.P | Q ] | m[R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M, , ] and Γ ` n : ambχ1[ ,mob[S ], ]

with M ∈ S _{, i,c ∈ χ0 and c ∈ χ1.}

➤ _{If Γ ` m[n[outm.P | Q ] | R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M,mob[Sm], ] and Γ ` n : ambχ1[N,mob[Sn], ]

with o,c ∈ χ0, c ∈ χ1, M ∈ Sn and Sm ⊆ Sn.

Subject reduction:

Properties

Communication properties:

➤ _{If Γ ` (</sub>x <sub>:</sub> W<sub>).P | h</sub>V <sub>i.Q : Π then Γ `} V _:Y _with Y _≺ W_.

Mobility properties:

➤ _{If Γ ` n[in m.P | Q ] | m[R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M, , ] and Γ ` n : ambχ1[ ,mob[S ], ]

with M ∈ S _{, i,c ∈ χ0 and c ∈ χ1.}

➤ _{If Γ ` m[n[outm.P | Q ] | R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M,mob[Sm], ] and Γ ` n : ambχ1[N,mob[Sn], ]

with o,c ∈ χ0, c ∈ χ1, M ∈ Sn and Sm ⊆ Sn.

Subject reduction:

Properties

Communication properties:

➤ _{If Γ ` (</sub>x <sub>:</sub> W<sub>).P | h</sub>V <sub>i.Q : Π then Γ `} V _:Y _with Y _≺ W_.

Mobility properties:

➤ _{If Γ ` n[in m.P | Q ] | m[R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M, , ] and Γ ` n : ambχ1[ ,mob[S ], ]

with M ∈ S _{, i,c ∈ χ0 and c ∈ χ1.}

➤ _{If Γ ` m[n[outm.P | Q ] | R] : Π, then}

Γ ` m : <sub>amb</sub>χ0[M,mob[Sm], ] and Γ ` n : ambχ1[N,mob[Sn], ]

with o,c ∈ χ0, c ∈ χ1, M ∈ Sn and Sm ⊆ Sn.

Detecting Odysseus’ intentions

Odysseus[in _Horse.out_Horse.Destroy ] | _Horse[in _Troy] | _Troy[Trojans ]

we need assumptions of the form:

Odysseus : _ambc[Achaean,mob[{Ground,Toy,City}], ]

Horse : _ambioc[Toy,mob[{Ground,City}], ]

Troy : _ambioc[City, , ]

representing that _Odysseus is an Achaean intentioned to move into a City! On the other hand, under assumptions of the form

Odysseus : _ambc[Achaean,mob[{Ground,Toy}], ]

the Trojans should not fear any attack from _Odysseus.

Detecting Odysseus’ intentions

Odysseus[in _Horse.out_Horse.Destroy ] | _Horse[in _Troy] | _Troy[Trojans ]

we need assumptions of the form:

Odysseus : _ambc[Achaean,mob[{Ground,Toy,City}], ]

Horse : _ambioc[Toy,mob[{Ground,City}], ]

Troy : _ambioc[City, , ]

representing that _Odysseus is an Achaean intentioned to move into a City! On the other hand, under assumptions of the form

Odysseus : _ambc[Achaean,mob[{Ground,Toy}], ]

BSA: Adding co-capabilities

Reduction Semantics:

n[inm.P | Q ] | m[in α.R | S ] −→ m[n[ P | Q] | R | S ] _for α ∈ {?, n}

m[n[outm.P | Q ] | R ] | outα.S −→ n[P | Q ] | m[R] | S _for α ∈ {?, n}

Mobility Types:

M ::= _mob[S _,C_]

Subtyping Relation:

(sMob)

G_{0 ⊆} G_1, C_{0 ⊆} C₁

Good Values in BSA

Γ ` V :_ambi[G, M,com[E, F]]

Γ ` in V :_cap[H,_mob[{G},∅], E]

(Val out)

Γ ` V :_ambo[G,mob[S ,C],com[E, F]]

Γ ` outV :_cap[H,_mob[S _{,∅], F]}

(Val coin)

Γ ` V :_ambi[G, M,com[E, F]]

Γ ` in V :_cap[H,_mob[∅,{G}], F]

(Val coout)

Γ ` V :_ambo[G, M,com[E, F]]

Γ ` outV :_cap[H,_mob[∅,{G}], F]

(Val coin ?₎

G ∈ dom(Γ)

Γ ` in ? :_cap[G,_mob[∅,U _],zero]

(Val coout ?₎

G ∈ dom(Γ)

Good Processes – Mobility in BSA

G ∈ dom(Γ)

Γ ` 0:_proc[G,_mob[∅,∅],_com[_zero,_zero]]

(Pro pfx)

Γ ` V :<sub>cap</sub>[G, M, F]; Γ ` P:_proc[G, M, _com[E, F]]

Γ ` V.P:_proc[G, M,_com[E, F]]

(Pro amb)

Γ ` V :_ambc[H,mob[S ,C],com[E, F]]

Γ ` P:_proc[H,_mob[S_,C_{],com[E, F]]}

G ∈ S

Control Properties in BSA

Access Control Theorem:

Whenever

Γ ` m[in α.P | Q ] : Π or Γ ` m[outα.P | Q] : Π,

with α ∈ {?, n}, then

➤ _{Γ ` m : ambχ0[ ,mob[ ,}C_{], ], and}

➤ _{either α = ? and} C ₌ U _,

Using co-capabilities to defend Troy

BSA

The Trojan War , Odysseus[in _Horse.out_Horse.Destroy]

¯

¯ Horse[in ? .in Troy ] ¯

¯ Troy[in Horse.Trojans | outOdysseus.Sinon]

which can be

well-typed

Γ ` _Troy : _ambioc[City,mob[ ,{Toy,Achaean}], ]

Using co-capabilities to defend Troy (ctd)

The Trojan Trap , Odysseus[in _Horse.out_Horse.Destroy ]

¯

¯ Horse[in ? .in Troy] ¯

¯ Troy[inHorse.Trojans]

This situation would be perfectly safe for _Troy (but dangerous for _Odysseus!) provided we can type it under the assumptions of the form

Odysseus : _ambc[Achaean, , ]

Horse : _ambioc[Toy, ,com[E, 0]]