Access control for the web via proof-carrying authorization

After a short period of being little more than a curiosity, the World-Wide Web quickly became an important medium for discussion, commerce, and business. Instead of holding only information that the entire world could see, web pages also came to be used to access email, financial records, and other personal or proprietary data that was meant to be viewed only by particular individuals or groups. This made it necessary to design mechanisms that restrict access to web pages. Unfortunately, most current mechanisms lack generality and flexibility—they interoperate poorly and can express only a limited number of security policies. We view access control on the web as a general distributed authorization problem and develop a solution by adapting the techniques of proof-carrying authorization, a framework for defining security logics based on higher-order logic. In this dissertation we present a particular logic for modeling access-control scenarios that occur on the web. We give this application-specific logic a semantics in higher-order logic, thus ensuring its soundness, and use it to implement a system that regulates access to web pages. Our system uncouples authorization from authentication, allowing for better interoperation across administrative domains and more expressive security policies. Our implementation consists of a web server module and a local web proxy. The server allows access to a page only if the web browser can demonstrate that it is authorized to view it. The browser's local proxy does so by mechanically constructing a proof of a challenge sent to it by the server. Our system supports arbitrarily complex delegation, and we implement a framework that lets the web browser locate and use pieces of the security policy that have been distributed across arbitrary hosts. Our system was built for controlling access to web pages, but could relatively easily be extended to encompass access control for other applications as well.
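The server-side step described above (accepting a proof of the challenge rather than authenticating the client directly) as an added example, not the dissertation's code: it uses a deliberately tiny stand-in logic with a single delegation rule, hypothetical names (Cred, Delegate, check, authorize) and constructed credentials, and assumes that credential signatures have already been verified before the checker runs.

```python
from dataclasses import dataclass

# Toy stand-in for the dissertation's logic (not its actual rules). Statements are
# ("mayread", who, url) or ("delegate", who, url); a conclusion (principal, stmt) reads "principal says stmt".
@dataclass(frozen=True)
class Cred:
    """Proof leaf: a presented credential, signature assumed already verified."""
    issuer: str
    stmt: tuple

@dataclass(frozen=True)
class Delegate:
    """Proof step: A says delegate(B,url), B says mayread(C,url) => A says mayread(C,url)."""
    upper: object   # sub-proof establishing A's delegation to B
    lower: object   # sub-proof establishing B's grant to C

class ProofError(Exception): pass

def check(proof, creds: frozenset) -> tuple:
    """Return the conclusion the proof establishes, or raise ProofError.
    This checker is the only code the server must trust; the proxy that built the proof is untrusted."""
    if isinstance(proof, Cred):
        if proof not in creds:           # a leaf must be a credential the server actually verified
            raise ProofError(f"credential not presented or not verified: {proof}")
        return (proof.issuer, proof.stmt)
    if isinstance(proof, Delegate):
        a, up = check(proof.upper, creds)
        b, low = check(proof.lower, creds)
        if up[0] != "delegate" or low[0] != "mayread":
            raise ProofError("delegate rule applied to wrong statement shapes")
        if up[1] != b or up[2] != low[2]:  # delegatee must be the speaker below, URLs must match
            raise ProofError("delegation chain does not connect")
        return (a, ("mayread", low[1], low[2]))
    raise ProofError("unknown proof node")

def authorize(challenge: tuple, proof, creds) -> bool:
    """Server side: grant only if the proof concludes exactly the challenged statement."""
    try:
        return check(proof, frozenset(creds)) == challenge
    except ProofError:
        return False

# Constructed sample: srv delegated /payroll to hr, hr delegated to mgr, and mgr grants alice.
CREDS = [Cred("srv", ("delegate", "hr", "/payroll")),
         Cred("hr", ("delegate", "mgr", "/payroll")),
         Cred("mgr", ("mayread", "alice", "/payroll"))]
CHALLENGE = ("srv", ("mayread", "alice", "/payroll"))
GOOD = Delegate(CREDS[0], Delegate(CREDS[1], CREDS[2]))  # two-level delegation, accepted
FORGED = Delegate(CREDS[0], Cred("hr", ("mayread", "alice", "/payroll")))  # leaf never issued, rejected
```

The checker never consults who the client is; authorization rests entirely on the presented credentials and the proof's structure, which is the uncoupling of authorization from authentication the abstract describes.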
