Authorization, Audit, and Provenance in the
A
URASystem
Jeff Vaughan
Department of Computer and Information Science University of Pennsylvania
Symposium on Provenance in Software Systems March 30, 2009
Who am I?
What do I do?
My thesis research is on the AURAprogramming system. Proof carrying access control
Principled audit logging
Analysis of decryption failures (in progress)
Key idea
Proof checking ensures systems only service high integrity (authentic, high quality) requests
Audit logs comprise a documented record of this.
Who am I?
What do I do?
My thesis research is on the AURAprogramming system. Proof carrying access control
Principled audit logging
Analysis of decryption failures (in progress)
Key idea
Proof checking ensures systems only service high integrity (authentic, high quality) requests
Audit logs comprise a documented record of this.
What I’ll talk about today.
Who am I?
What do I do?
My thesis research is on the AURAprogramming system. Proof carrying access control
Principled audit logging
Analysis of decryption failures (in progress)
Key idea
Proof checking ensures systems only service high integrity (authentic, highquality) requests
Audit logs comprisea documented record of this.
What am I doing here?
A Definition
Provenance: . . .
3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this.
—The Oxford English Dictionary
What I’d like to learn about this week.
What am I doing here?
A Definition
Provenance: . . .
3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this.
—The Oxford English Dictionary
What am I doing here?
A Definition
Provenance: . . .
3. The history of the ownership of a work of art or an antique, used as a guide toauthenticityorquality;a documented record of this.
—The Oxford English Dictionary
What I’d like to learn about this week.
What am I doing here?
A Definition
Provenance: . . .
3. The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this.
—The Oxford English Dictionary
Outline
1 An overview of AURA
2 Auditing access control
3 Auditing and confidentiality
4 Conclusion
A distributed access control example
Jukebox’s signature:
A distributed access control example
Jukebox’s signature:
playFor raw: (s: Song) → (p:prin) → Unit
A distributed access control example
(DancingQueen, Alice)
Jukebox’s signature:
A distributed access control example
Jukebox’s signature:
playFor raw: (s: Song) → (p:prin) → Unit
A distributed access control example
Jukebox’s signature:
A distributed access control example
Jukebox’s signature:
playFor raw: (s: Song) → (p:prin) → Unit
The Record Company’s (RecCo) Music Policy
Policy Statement (Simple):
Songs have one or more owners.
An owner may authorize principals to play songs he owns.
Policy Enforcement Problems (Hard): distributed decision making mutual distrust
The Record Company’s (RecCo) Music Policy
Policy Statement (Simple):
Songs have one or more owners.
An owner may authorize principals to play songs he owns.
Policy Enforcement Problems (Hard): distributed decision making mutual distrust
prominent use of delegation
A
URA: Enforce policy with proof carrying access control.
Programs build proofs attesting to their access rights.
Proof components
standard rules of inference
evidence capturing principal intent (e.g. signatures) Hypothesis: Proofs are provenance metadata! AURAruntime:
checks proof structure (well-typedness) logs appropriate proofs for later audit
Proof Carrying Authentication [Appel+ 93],
A
URA’s says constructor represents affirmation.
Notation“p : P” means “p is a proof of P.”
The proposition “principal Alice affirms proposition P.” Alice says P
Principals actively affirm propositions with signatures. sign(Alice, P): Alice says P
Principals are rational. When p: P, return Alice p: Alice says P
DCC [Abadi+ 06], Logic with Explicit Time [DeYoung+ 08]
Says + dependent types allow for expressive rules.
Example (Bob acts for Alice)
Alice says ((P: Prop) → Bob says P → P)
Example (Bob acts for Alice only regarding jazz)
Alice says ((s: Song) → isJazz s →
Bobsays (MayPlay Bob s) → MayPlay Bob s)
Example (Kernel allows RPC calls on endorsed strings)
(A: prin) → (x: string ) →
Says + dependent types allow for expressive rules.
Example (Bob acts for Alice)
Alice says ((P: Prop) → Bob says P → P)
Example (Bob acts for Alice only regarding jazz)
Alice says ((s: Song) → isJazz s →
Bobsays (MayPlay Bob s) → MayPlay Bob s)
Example (Kernel allows RPC calls on endorsed strings)
(A: prin) → (x: string ) →
Asays (valid x) → Kernel says (okToRpc x)
Says + dependent types allow for expressive rules.
Example (Bob acts for Alice)
Alice says ((P: Prop) → Bob says P → P)
Example (Bob acts for Alice only regarding jazz)
Alice says ((s: Song) → isJazz s →
Bobsays (MayPlay Bob s) → MayPlay Bob s)
Example (Kernel allows RPC calls on endorsed strings)
(A: prin) → (x: string ) →
Encoding music policy using says.
shareRule ≡ RecCosays ((o: prin) → (s: Song) → (r: prin) → (Owns o s) →
(osays (MayPlay r s)) → (MayPlay r s)))
playFor: (s: Song) → (p:prin) →
pf (RecCo says (MayPlay p s)) → Unit
Key Property
A program can only call playFor when it has an appropriate access control proof.
Encoding music policy using says.
shareRule ≡ RecCosays ((o: prin) → (s: Song) → (r: prin) → (Owns o s) →
(osays (MayPlay r s)) → (MayPlay r s)))
playFor: (s: Song) → (p:prin) →
pf (RecCo says (MayPlay p s)) → Unit
Key Property
A program can only call playFor when it has an appropriate access control proof.
Using the RecCo policy.
Using the RecCo policy.
RecCo Server (Aura Code)
Using the RecCo policy.
Using the RecCo policy.
sign(RecCo, shareRule): RecCo says shareRule
Using the RecCo policy.
Using the RecCo policy.
say (Owns Alice TakeFive) sign(RecCo,
Owns Alice TakeFive)
Using the RecCo policy.
sign(RecCo, ...)
sign(Rec Co, ...)
Using the RecCo policy.
Using the RecCo policy.
RecCo says ...
Alice says ... shareRule
RecCo says (MayPlay Bob, TakeFive) ... ... p
⎫
⎪
⎪
⎬
⎪
⎪
⎭
11/27Using the RecCo policy.
Using the RecCo policy.
Using the RecCo policy.
Using the RecCo policy.
Using the RecCo policy.
Signatures used to grant Bob access to TakeFive: sign(RecCo,shareRule):
RecCo says shareRule
sign(Alice, ...) sign(RecCo, ...)
Auditing access control
When something unexpected happens: look at the log.
System design guarantees a one-to-one correspondence between log entries and resource state changes.
If a A’s signature does not appear in a log entry, she could not have caused the associated action.
Problem: Malicious principals can try to hinder audit with confusing proofs and irrelevant signatures.
Sample proofs, clear and convoluted.
Assume we have signaturessign(A, P) and sign(B, Q).
Example (A convoluted proof of Asays P) ..
.
Asays P → B says Q → A says P Asays P
Bsays Q → A says P Bsays Q
Asays P
Proposition Bsays Q is logically irrelevant.
Example (A clear proof of Asays P)
Asays P (By signature.)
Sample proofs, clear and convoluted.
Assume we have signaturessign(A, P) and sign(B, Q).
Example (A convoluted proof of Asays P) ..
.
Asays P → B says Q → A says P Asays P
Bsays Q → A says P Bsays Q
Asays P
Proposition Bsays Q is logically irrelevant.
Example (A clear proof of Asays P)
Proof reduction eliminates irrelevant information.
Proof reduction schemes transform complicated proofs to simple ones. [Gentzen 35]
Reduction can easily be stated by writing proofs in lambda-calculus notation. [Curry 58], [Howard 80]
Example
(λ x .λ y .y ) (sign(A, P)) (sign(B, Q)) convoluted −→∗
sign(A, P) clear
Proof reduction is a total, deterministic algorithm.
AURA0is a model of AURAproofs and propositions.Theorem (Confluence for AURA0)
If p −→∗p1, and p −→∗p2, then there exists p3such that p1−→∗p3and p2−→∗p3.
That is, different reduction strategies can always reconverge.
Theorem (Strong Normalization for AURA0)
If Γ `0p : s, then p is strongly normalizing.
Auditing and confidentiality
A
URAconfextends A
URAfor handling confidential data.
The “real-world” contains lots of confidential information. Financial, medical, social data . . .
Data leaks have consequences: legal, financial. . . . Goals of AURAconf
Establish a natural connection between confidential expressions and cryptography.
Minimize disruptive changes to AURA’s design. Provide for relevant auditing—decryption failures are interesting.
Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111 19/27Thinking about decryption failures.
✔
✘
✘
✘
1000101 1000101 1111111 1111111 1111111A
URAconfwill assign blame using evidence.
Ciphertexts can be represented as bit strings
Bit Strings B ::= 0 | 1 | 00 | 01 | 10 | . . . Justified cast: Assign types to bit strings using evidence.
p :pf B says (B isa t for A) hBip:t for A
Key Idea
Principal A, can check if B decrypts properly, yielding a t.
If not, she assigns blame to B using proof p.
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Action: blame Alice 1111111
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Action: blame Alice 1111111
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Decryption failures are audited using justified casts.
Evidence: mentions Mal Action: blame Mal Evidence: ill-formed Action: ignore message
Evidence: mentions Alice
Action: blame Alice 1111111
Auditing crypto. failures improves reliability & security.
Understanding decryption failures can help answer the following questions.
Is a host or a network error the source of invalid ciphertexts?
Which host is sending bad data?
Are hosts endorsing ciphertexts against policy? Where was Bisa t signed?
Conclusion
Questions and half-baked ideas.
We still don’t know how administrators should best query and monitor AURAlogs. Has this been addressed in the setting of provenance metadata?
Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related?
Key/signature revocation are tricky in AURA’s setting. Can
we treat revocation by associating keys (signatures) with provenance metadata?
There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved?
Questions and half-baked ideas.
We still don’t know how administrators should best query and monitor AURAlogs. Has this been addressed in the setting of provenance metadata?
Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related?
Key/signature revocation are tricky in AURA’s setting. Can
we treat revocation by associating keys (signatures) with provenance metadata?
There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved?
Questions and half-baked ideas.
We still don’t know how administrators should best query and monitor AURAlogs. Has this been addressed in the setting of provenance metadata?
Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related?
Key/signature revocation are tricky in AURA’s setting. Can
we treat revocation by associating keys (signatures) with provenance metadata?
There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved?
Questions and half-baked ideas.
We still don’t know how administrators should best query and monitor AURAlogs. Has this been addressed in the setting of provenance metadata?
Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related?
Key/signature revocation are tricky in AURA’s setting. Can
we treat revocation by associating keys (signatures) with provenance metadata?
There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved?
Questions and half-baked ideas.
We still don’t know how administrators should best query and monitor AURAlogs. Has this been addressed in the setting of provenance metadata?
Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related?
Key/signature revocation are tricky in AURA’s setting. Can
we treat revocation by associating keys (signatures) with provenance metadata?
There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved?
Conclusion
AURAproofs describe how why and how events occur.
Provenance describes why and how results are included in a query.
I’m looking forward to learning from everyone here!
Interpreter, Coq scripts, and papers available from http://www.cis.upenn.edu/~stevez/sol/aura.html
Acknowledgments
Thank you to all my collaborators on this work! Limin Jia Karl Mazurak Joseph Schorr Luke Zarko Steve Zdancewic Jianzhou Zhao
Access control and audit replace trust with scrutiny.
Access control and audit replace trust with scrutiny.
Access control and audit replace trust with scrutiny.
Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code
Access control and audit replace trust with scrutiny.
Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code Typed Interface Typed Interface
Access control and audit replace trust with scrutiny.
Trusted Computing Base
Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code
Access control and audit replace trust with scrutiny.
Custom Code and Policy Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code
Access control and audit replace trust with scrutiny.
Access control and audit replace trust with scrutiny.
Custom & Trusted Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code
Access control and audit replace trust with scrutiny.
Custom & Trusted Resource
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...)
sign(ICFP,shareRule): ICFP says shareRule
sign(Alice, ...) sign(ICFP, ...) Proof Evidence Log Kernel Code
Strong normalization proof sketch
Fact
The Calculus of Constructions with dependent pairs is SN.
[Geuvers 95]
Proof Idea
Show AURA0reductions can be simulated in a terminating system based on Constructions.
p0 // [[·]] p1 // [[·]] p2 // [[·]] · · · t0 cc// t1 cc// t10 cc// t2 cc// · · ·