Logic: An Authorization Logic with Explicit Time

Allowing access to resources, including data and hardware, without compromising their security is a fundamental challenge in computer science. Because of the number and complexity of authorization policies in access control systems, it is clear that ad hoc methods for specifying and enforcing policies cannot inspire a high degree of trust. Authorization logics have been proposed as a theoretically sound alternative. However, for an authorization logic to be useful in practice, it should be able to model most, if not all, naturally occurring policy features. One common feature is the time-dependency of authorizations. For example, a user may only be permitted to access a given resource on workdays. Surprisingly, of the numerous proposals for access control logics, we know of no logic that incorporates time internally. In an attempt to fill this void, this thesis develops a logic with explicit time that permits reasoning about complex, yet natural, time-dependent authorizations. The logic is then extended to account for authorizations that may be used only once. A careful study of the meta-theory of both logics is conducted, and the logics’ rich expressive power is demonstrated through several examples. Finally, a proof checker for the latter logic is formalized and discussed.
