Authorization, Audit, and Provenance in the AURA System

Transcription

1 Authorization, Audit, and Provenance in the AURA System Jeff Vaughan Department of Computer and Information Science University of Pennsylvania Symposium on Provenance in Software Systems March 30, 2009

2 1/27

3 Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. 2/27

4 Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. What I ll talk about today. 2/27

5 Who am I? What do I do? My thesis research is on the AURA programming system. Proof carrying access control Principled audit logging Analysis of decryption failures (in progress) Key idea Proof checking ensures systems only service high integrity (authentic, high quality) requests Audit logs comprise a documented record of this. What I ll talk about today. 2/27

6 What am I doing here? 3/27

7 What am I doing here? A Definition Provenance: The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary 3/27

8 What am I doing here? A Definition Provenance: The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary 3/27

9 What am I doing here? A Definition Provenance: The history of the ownership of a work of art or an antique, used as a guide to authenticity or quality; a documented record of this. The Oxford English Dictionary What I d like to learn about this week. 3/27

10 Outline 1 An overview of AURA 2 Auditing access control 3 Auditing and confidentiality 4 Conclusion 4/27

11 A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

12 A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

13 A distributed access control example (DancingQueen, Alice) Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

14 A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

15 A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

16 A distributed access control example Jukebox s signature: playfor raw: (s: Song) (p: prin) Unit 5/27

17 The Record Company s (RecCo) Music Policy Policy Statement (Simple): Songs have one or more owners. An owner may authorize principals to play songs he owns. 6/27

18 The Record Company s (RecCo) Music Policy Policy Statement (Simple): Songs have one or more owners. An owner may authorize principals to play songs he owns. Policy Enforcement Problems (Hard): distributed decision making mutual distrust prominent use of delegation 6/27

19 AURA: Enforce policy with proof carrying access control. Programs build proofs attesting to their access rights. Proof components standard rules of inference evidence capturing principal intent (e.g. signatures) Hypothesis: Proofs are provenance metadata! AURA runtime: checks proof structure (well-typedness) logs appropriate proofs for later audit Proof Carrying Authentication [Appel+ 93], Grey Project [Bauer+ 05], Aura [CSF 08, ICFP 08] 7/27

20 AURA s says constructor represents affirmation. Notation p : P means p is a proof of P. The proposition principal Alice affirms proposition P. Alice says P Principals actively affirm propositions with signatures. sign(alice, P): Alice says P Principals are rational. When p: P, return Alice p: Alice says P DCC [Abadi+ 06], Logic with Explicit Time [DeYoung+ 08] 8/27

21 Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) 9/27

22 Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) Example (Bob acts for Alice only regarding jazz) Alice says ((s: Song) isjazz s Bob says (MayPlay Bob s) MayPlay Bob s) 9/27

23 Says + dependent types allow for expressive rules. Example (Bob acts for Alice) Alice says ((P: Prop) Bob says P P) Example (Bob acts for Alice only regarding jazz) Alice says ((s: Song) isjazz s Bob says (MayPlay Bob s) MayPlay Bob s) Example (Kernel allows RPC calls on endorsed strings) (A: prin) (x: string ) A says (valid x) Kernel says (oktorpc x) 9/27

24 Encoding music policy using says. sharerule RecCo says ( (o: prin) (s: Song) (r: prin) (Owns o s) (o says (MayPlay r s)) (MayPlay r s))) playfor: (s: Song) (p: prin) pf (RecCo says (MayPlay p s)) Unit 10/27

25 Encoding music policy using says. sharerule RecCo says ( (o: prin) (s: Song) (r: prin) (Owns o s) (o says (MayPlay r s)) (MayPlay r s))) playfor: (s: Song) (p: prin) pf (RecCo says (MayPlay p s)) Unit Key Property A program can only call playfor when it has an appropriate access control proof. 10/27

26 Using the RecCo policy. 11/27

27 Using the RecCo policy. RecCo Server (Aura Code) Server Log 11/27

28 Using the RecCo policy. 11/27

29 Using the RecCo policy. sign(recco, sharerule): RecCo says sharerule 11/27

30 Using the RecCo policy. 11/27

31 Using the RecCo policy. 11/27

32 Using the RecCo policy. sign(recco, say (Owns Alice TakeFive) Owns Alice TakeFive) 11/27

33 Using the RecCo policy. sign(recco,...) sign(recco,...) 11/27

34 Using the RecCo policy. 11/27

35 Using the RecCo policy. 11/27

36 Using the RecCo policy. RecCo says... sharerule Alice says... RecCo says (MayPlay Bob, TakeFive) p 11/27

37 Using the RecCo policy. 11/27

38 Using the RecCo policy. 11/27

39 Using the RecCo policy. 11/27

40 Using the RecCo policy. 11/27

41 Using the RecCo policy. Auditor 11/27

42 Using the RecCo policy. 11/27

43 Using the RecCo policy. Signatures used to grant Bob access to TakeFive: sign(recco,sharerule): RecCo says sharerule sign(alice,...) sign(recco,...) 11/27

44 Auditing access control 12/27

45 When something unexpected happens: look at the log. System design guarantees a one-to-one correspondence between log entries and resource state changes. If a A s signature does not appear in a log entry, she could not have caused the associated action. Problem: Malicious principals can try to hinder audit with confusing proofs and irrelevant signatures. 13/27

46 Sample proofs, clear and convoluted. Assume we have signatures sign(a, P) and sign(b, Q). Example (A convoluted proof of A says P). A says P B says Q A says P B says Q A says P A says P A says P B says Q Proposition B says Q is logically irrelevant. 14/27

47 Sample proofs, clear and convoluted. Assume we have signatures sign(a, P) and sign(b, Q). Example (A convoluted proof of A says P). A says P B says Q A says P B says Q A says P A says P A says P B says Q Proposition B says Q is logically irrelevant. Example (A clear proof of A says P) A says P (By signature.) 14/27

48 Proof reduction eliminates irrelevant information. Proof reduction schemes transform complicated proofs to simple ones. [Gentzen 35] Reduction can easily be stated by writing proofs in lambda-calculus notation. [Curry 58], [Howard 80] Example (λ x.λ y.y) (sign(a, P)) (sign(b, Q)) convoluted sign(a, P) clear 15/27

49 Proof reduction is a total, deterministic algorithm. AURA 0 is a model of AURA proofs and propositions. Theorem (Confluence for AURA 0 ) If p p 1, and p p 2, then there exists p 3 such that p 1 p 3 and p 2 p 3. That is, different reduction strategies can always reconverge. Theorem (Strong Normalization for AURA 0 ) If Γ 0 p : s, then p is strongly normalizing. That is, reduction sequences starting with p halt. 16/27

50 Auditing and confidentiality 17/27

51 AURA conf extends AURAfor handling confidential data. The real-world contains lots of confidential information. Financial, medical, social data... Data leaks have consequences: legal, financial.... Goals of AURA conf Establish a natural connection between confidential expressions and cryptography. Minimize disruptive changes to AURA s design. Provide for relevant auditing decryption failures are interesting. Work in progress. 18/27

52 Thinking about decryption failures /27

53 Thinking about decryption failures /27

54 Thinking about decryption failures /27

55 Thinking about decryption failures /27

56 Thinking about decryption failures /27

57 Thinking about decryption failures /27

58 Thinking about decryption failures /27

59 Thinking about decryption failures /27

60 Thinking about decryption failures /27

61 Thinking about decryption failures /27

62 Thinking about decryption failures /27

63 Thinking about decryption failures /27

64 Thinking about decryption failures /27

65 Thinking about decryption failures Bob lacks sufficient information to analyze decryption failures. 19/27

66 AURA conf will assign blame using evidence. Ciphertexts can be represented as bit strings Bit Strings B ::= Justified cast: Assign types to bit strings using evidence. p : pf B says (B isa t for A) B p : t for A Key Idea Principal A, can check if B decrypts properly, yielding a t. If not, she assigns blame to B using proof p. 20/27

67 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

68 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

69 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

70 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

71 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

72 Decryption failures are audited using justified casts. Evidence: ill-formed Action: ignore message Evidence: mentions Mal Action: blame Mal Evidence: mentions Alice Action: blame Alice /27

73 Auditing crypto. failures improves reliability & security. Understanding decryption failures can help answer the following questions. Is a host or a network error the source of invalid ciphertexts? Which host is sending bad data? Are hosts endorsing ciphertexts against policy? Where was B isa t signed? Are unexpected messages due to bugs, or an attack? 22/27

74 Conclusion 23/27

75 Questions and half-baked ideas. 24/27

76 Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? 24/27

77 Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? 24/27

78 Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? Key/signature revocation are tricky in AURA s setting. Can we treat revocation by associating keys (signatures) with provenance metadata? 24/27

79 Questions and half-baked ideas. We still don t know how administrators should best query and monitor AURA logs. Has this been addressed in the setting of provenance metadata? Provenance polynomials/semirings share some basic structure with information flow labels. How are these things related? Key/signature revocation are tricky in AURA s setting. Can we treat revocation by associating keys (signatures) with provenance metadata? There is a tension between preserving privacy of encrypted data and maintaining a full account of its provenance. How can this be resolved? 24/27

80 Conclusion AURA proofs describe how why and how events occur. Provenance describes why and how results are included in a query. I m looking forward to learning from everyone here! Interpreter, Coq scripts, and papers available from 25/27

81 Acknowledgments Thank you to all my collaborators on this work! Limin Jia Karl Mazurak Joseph Schorr Luke Zarko Steve Zdancewic Jianzhou Zhao 26/27

82 Access control and audit replace trust with scrutiny.

83 Access control and audit replace trust with scrutiny.

84 Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

85 Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Typed Interface Typed Interface Log

86 Access control and audit replace trust with scrutiny. sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Trusted Computing Base Log

87 Access control and audit replace trust with scrutiny. Custom Code and Policy sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

88 Access control and audit replace trust with scrutiny.

89 Access control and audit replace trust with scrutiny. Custom & Trusted sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource Log

90 Access control and audit replace trust with scrutiny. Custom & Trusted sign(icfp,sharerule): ICFP says sharerule sign(alice,...) sign(icfp,...) sign(icfp,...) sign(alice,...) sign(icfp,sharerule): ICFP says sharerule Proof Evidence Code Kernel Resource All evidence used for access grants is logged. Log

91 Strong normalization proof sketch Fact The Calculus of Constructions with dependent pairs is SN. [Geuvers 95] Proof Idea Show AURA 0 reductions can be simulated in a terminating system based on Constructions. p 0 p 1 p 2 [[ ]] [[ ]] [[ ]] t 0 cc t 1 cc t 1 cc t 2 cc