A Type Discipline for Authorization in Distributed Systems

We consider the problem of statically verifying the conformance of the code of a system to an explicit authorization policy. In a distributed setting, some part of the system may be compromised, that is, some nodes of the system and their security credentials may be under the control of an attacker. To help predict and bound the impact of such partial compromise, we advocate logic-based policies that explicitly record dependencies between principals. We propose a conformance criterion, safety despite compromised principals, such that an invalid authorization decision at an uncompromised node can arise only when nodes on which the decision logically depends are compromised. We formalize this criterion in the setting of a process calculus, and present a verification technique based on a type system. Hence, we can verify policy conformance of code that uses a wide range of the security mechanisms found in distributed systems, ranging from secure channels down to cryptographic primitives, including encryption and public-key signatures.
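The conformance criterion described above, safety despite compromised principals, can be made concrete with a small Datalog-style policy evaluator that records which principals each authorization decision logically depends on, so that a decision can be checked against a set of compromised nodes. This is an added example, not the paper's calculus or type system: the policy (a file owner may read, and any reader may delegate reading), the principals, the file name and the compromised sets are constructed assumptions.

```python
STATEMENTS = [  # constructed sample data (not the paper's): (asserting principal, atom)
    ("fs",    ("Owner", "alice", "report.pdf")),
    ("alice", ("Delegates", "alice", "bob", "report.pdf")),
    ("bob",   ("Delegates", "bob", "carol", "report.pdf")),
]
RULES = [  # (head, [body]); "?x" is a variable. Owner may read; a reader may delegate
    (("CanRead", "?p", "?f"), [("Owner", "?p", "?f")]),
    (("CanRead", "?p", "?f"), [("CanRead", "?o", "?f"), ("Delegates", "?o", "?p", "?f")]),
]

def unify(pattern, atom, env):
    """Return env extended so that pattern matches atom, or None on mismatch."""
    if len(pattern) != len(atom):
        return None
    env = dict(env)
    for a, b in zip(pattern, atom):
        if (env.setdefault(a, b) if a.startswith("?") else a) != b:
            return None
    return env

def match_body(body, known, env, deps):
    """Yield (env, principals relied on) for each way to satisfy all body atoms."""
    if not body:
        yield env, deps
        return
    for atom, depsets in known.items():
        env2 = unify(body[0], atom, env)
        for d in depsets if env2 is not None else ():
            yield from match_body(body[1:], known, env2, deps | d)

def derive(statements, rules):
    """Map each atom to its derivations, each a frozenset of principals relied on."""
    known = {}
    for who, atom in statements:
        known.setdefault(atom, set()).add(frozenset([who]))
    while True:  # fixpoint; terminates since atoms and principal subsets are finite
        found = [(tuple(env.get(x, x) for x in head), deps) for head, body in rules
                 for env, deps in match_body(body, known, {}, frozenset())]
        if all(deps in known.get(fact, ()) for fact, deps in found):
            return known
        for fact, deps in found:
            known.setdefault(fact, set()).add(deps)

def depends_on(decision, known):
    """Every principal that some derivation of the decision relies on."""
    return frozenset().union(*known.get(decision, ()))
def justified(decision, known, compromised):
    """Safety despite compromise: some derivation avoids every compromised principal."""
    return any(not (d & compromised) for d in known.get(decision, ()))
```

A decision reachable only through a compromised principal is reported as unjustified, and a statement forged in that principal's name can only produce decisions whose dependency set names it, which is exactly the bound the criterion promises.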
