On Secure Distributed Implementations of Dynamic Access Control

Distributed implementations of access control abound in distributed storage protocols. While such implementations are often accompanied by informal justifications of their correctness, our formal analysis reveals that their correctness can be tricky. In particular, we discover several subtleties in a standard protocol based on capabilities, that can break security under a simple specification of access control. At the same time, we show a sensible refinement of the specification for which a secure implementation of access control is possible. Our models and proofs are formalized in the applied pi calculus, following some new techniques that may be of independent interest. Finally, we indicate how our principles can be applied to securely distribute other state machines.

[1]  Martín Abadi,et al.  Prudent engineering practice for cryptographic protocols , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[2]  Martín Abadi,et al.  Authentication primitives and their compilation , 2000, POPL '00.

[3]  Martín Abadi,et al.  The existence of refinement mappings , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[4]  Rocco De Nicola,et al.  Testing Equivalences for Processes , 1984, Theor. Comput. Sci..

[5]  Michael Backes,et al.  Lazy revocation in cryptographic file systems , 2005, Third IEEE International Security in Storage Workshop (SISW'05).

[6]  Sergio Maffeis,et al.  Dynamic Web data : a process algebraic approach , 2006 .

[7]  Mihir Bellare,et al.  Lecture Notes on Cryptography , 2001 .

[8]  Shai Halevi,et al.  Enforcing Confinement in Distributed Storage and a Cryptographic Model for Access Control , 2005, IACR Cryptol. ePrint Arch..

[9]  Martín Abadi,et al.  Secure Implementation of Channel Abstractions , 2002, Inf. Comput..

[10]  Robin Milner,et al.  Fully Abstract Models of Typed lambda-Calculi , 1977, Theor. Comput. Sci..

[11]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[12]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[13]  Avik Chaudhuri,et al.  Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  Martín Abadi,et al.  Formal security analysis of basic network-attached storage , 2005, FMSE '05.

[15]  Martín Abadi,et al.  Protection in Programming-Language Translations , 1998, ICALP.

[16]  Qian Wang,et al.  Plutus: Scalable Secure File Sharing on Untrusted Storage , 2003, FAST.

[17]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[18]  Michael Backes,et al.  Secure Key-Updating for Lazy Revocation , 2006, ESORICS.

[19]  Howard Gobioff,et al.  Security for Network Attached Storage Devices , 1997 .

[20]  M. Abadi,et al.  Formal Analysis of Dynamic, Distributed File-System Access Controls , 2006, FORTE.

[21]  Kevin Fu,et al.  Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage , 2006, NDSS.

[22]  Dennis Shasha,et al.  Building secure file systems out of byzantine storage , 2002, PODC '02.

[23]  Andrew C. Myers,et al.  Secure program partitioning , 2002, TOCS.

[24]  Robin Milner,et al.  The Polyadic π-Calculus: a Tutorial , 1993 .