AURA: A language with authorization and audit

Similar documents
Authorization, Audit, and Provenance in the AURA System

Aura: Programming with Authorization and Audit

Semantic Analysis: Types and Type Checking

Introducing Formal Methods. Software Engineering and Formal Methods

Design by Contract beyond class modelling

Modal Proofs as Distributed Programs (Extended Abstract)

POLYTYPIC PROGRAMMING OR: Programming Language Theory is Helpful

Trust but Verify: Authorization for Web Services. The University of Vermont

CSE 373: Data Structure & Algorithms Lecture 25: Programming Languages. Nicki Dell Spring 2014

Automated Theorem Proving - summary of lecture 1

Introduction to type systems

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Cassandra. References:

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

System Description: Delphin A Functional Programming Language for Deductive Systems

[Refer Slide Time: 05:10]

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

The CompCert verified C compiler

Functional Programming. Functional Programming Languages. Chapter 14. Introduction

PROGRAM LOGICS FOR CERTIFIED COMPILERS

CIS 551 / TCOM 401 Computer and Network Security

Automated Formal Analysis of Internet Routing Systems

Transparent Monitoring of a Process Self in a Virtual Environment

Project Software Security: Securing SendMail with JAAS and Polymer

Lecture 11: Tail Recursion; Continuations

Trustworthy Software Systems

Applications of formal verification for secure Cloud environments at CEA LIST

ML for the Working Programmer

Lecture 1: Introduction

Programming Language Pragmatics

Journal of Functional Programming, volume 3 number 4, Dynamics in ML

CHAPTER 7 GENERAL PROOF SYSTEMS

BUSINESS RULES CONCEPTS... 2 BUSINESS RULE ENGINE ARCHITECTURE By using the RETE Algorithm Benefits of RETE Algorithm...

Programming Languages in Artificial Intelligence

Relations: their uses in programming and computational specifications

How To Write A Program Verification And Programming Book

Indexed Types in Object-Oriented Programming

Topics. Introduction. Java History CS 146. Introduction to Programming and Algorithms Module 1. Module Objectives

Pretty-big-step semantics

Parametric Domain-theoretic models of Linear Abadi & Plotkin Logic

A Security Domain Model for Static Analysis and Verification of Software Programs

Chapter 7: Functional Programming Languages

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

The ConTract Model. Helmut Wächter, Andreas Reuter. November 9, 1999

Pluggable Type Systems. Gilad Bracha

Chapter 1 Fundamentals of Java Programming

Overview. Elements of Programming Languages. Advanced constructs. Motivating inner class example

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

The Road from Software Testing to Theorem Proving

Datatype-generic data migrations

Formal Engineering for Industrial Software Development

Lecture 13 of 41. More Propositional and Predicate Logic

Static Analysis and Validation of Composite Behaviors in Composable Behavior Technology

Termination Checking: Comparing Structural Recursion and Sized Types by Examples

The Classes P and NP

Technical Brief Distributed Trusted Computing

CS 356 Lecture 28 Internet Authentication. Spring 2013

Lecture 9. Semantic Analysis Scoping and Symbol Table

Security challenges for internet technologies on mobile devices

Android Developer Fundamental 1

Acronym Term Description

The programming language C. sws1 1

Static vs. Dynamic. Lecture 10: Static Semantics Overview 1. Typical Semantic Errors: Java, C++ Typical Tasks of the Semantic Analyzer

To Java SE 8, and Beyond (Plan B)

Secure cloud access system using JAR ABSTRACT:

Object-Oriented Software Specification in Programming Language Design and Implementation

Idris, a General Purpose Dependently Typed Programming Language: Design and Implementation

Lecture Data Types and Types of a Language

Monitoring Metric First-order Temporal Properties

Specification and Analysis of Contracts Lecture 1 Introduction

Computer Programming I

Deterministic Discrete Modeling

Bindings, mobility of bindings, and the -quantifier

Web Presentation Layer Architecture

THE IMPACT OF INHERITANCE ON SECURITY IN OBJECT-ORIENTED DATABASE SYSTEMS

Programming and Software Development CTAG Alignments

Chapter 15 Functional Programming Languages

Boogie: A Modular Reusable Verifier for Object-Oriented Programs

FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

Java Application Developer Certificate Program Competencies

Quotes from Object-Oriented Software Construction

Software Architecture

InvGen: An Efficient Invariant Generator

Programming Languages Featherweight Java David Walker

core. Volume I - Fundamentals Seventh Edition Sun Microsystems Press A Prentice Hall Title ULB Darmstadt

Stack Allocation. Run-Time Data Structures. Static Structures

Transcription:

AURA: A language with authorization and audit Steve Zdancewic University of Pennsylvania WG 2.8 2008

Security-oriented Languages Limin Jia, Karl Mazurak, Jeff Vaughan, Jianzhou Zhao Joey Schorr and Luke Zarko Manifest Security Project (NSF-0714649) Penn: Benjamin Pierce, Stephanie Weirich CMU: Karl Crary, Bob Harper, Frank Pfenning CAREER: Language-based Distributed System Security (NSF-0311204) 2

Goal of the AURA project: Develop a security-oriented programming language that supports: Proof-carrying Authorization [Appel & Felton] [Bauer et al.] Strong information-flow properties (as in Jif [Myers et al.], FlowCaml [Pottier & Simonet]) Why? Declarative policies (for access control & information flow) Auditing & logging: proofs of authorization are informative Good theoretical foundations In this talk: tour of AURA's Focus on the authorization and audit components 3

Outline AURA's programming model Authorization logic Examples Programming in AURA (Restricted) Dependent types Status, future directions, conclusions 4

AURA: Programming Model application code code system interface I/O AURA runtime system AURA is a call-by-value type-safe functional programming language As in Java, C#, etc. AURA provides an interface to the OS resources disk, network, memory, AURA is intended to be used for writing security-critical components 5

AURA: Authorization Policies proof application code code policy system interface I/O AURA runtime system AURA security policies are expressed in an authorization logic Applications can define their own policies Language provides features for creating/manipulating proofs 6

AURA: Authorization Policies proof data application code code policy system interface I/O AURA runtime system log Proofs are first class and they can depend on data Proof objects are capabilities needed to access resources protected by the runtime: AURA's type system ensures compliance The runtime logs the proofs for later audit 7

AURA: Principals and Keys proof data application A B code code policy I/O system interface AURA runtime system A B log For distributed systems, AURA also manages private keys Keys can create policy assertions sharable over the network Connected to the policy by AURA's notion of principal 8

Evidence-based Audit Connecting the contents of log entries to policy helps determine what to log. policy code log 9

Evidence-based Audit Connecting the contents of log entries to policy helps determine what to log. policy code Proofs contain structure that can help administrators find flaws or misconfigurations in the policy. log 10

Evidence-based Audit Connecting the contents of log entries to policy helps determine what to log. policy code Proofs contain structure that can help administrators find flaws or misconfigurations in the policy. Reduced TCB: Typed interface forces code to provide auditable evidence. log 11

Outline AURA's programming model Authorization logic Examples Programming in AURA (Restricted) Dependent types Status, future directions, conclusions 12

AURA's Authorization Logic Policy propositions ϕ ::=true c A says ϕ α ϕ ϕ ϕ ϕ ϕ ϕ α. ϕ Encoded using Π types and inductive datatypes. Principals A,B,C P,Q,R etc. Constructive logic: proofs are programs easy integration with software Access control in a Core Calculus of Dependency [Abadi: ICFP 2006] 13

Example: File system authorization P1: FS says (Owns A f1) P2: FS says (Owns B f2) OwnerControlsRead: FS says o,r,f. (Owns o f) (o says (MayRead r f)) (MayRead r f) Might need to prove: FS says (MayRead A f1) What are "Owns" and "f1"? 14

Decentralized Authorization Authorization policies require application-specific constants: e.g. "MayRead B f" or "Owns A f" There is no "proof evidence" associated with these constants Otherwise, it would be easy to forge authorization proofs But, principal A should be able to create a proof of A says (MayRead B f) No justification required -- this is a matter of policy, not fact! Decentralized implementation: One proof that "A says T" is A's digital signature on a string "T" written sign(a, "T") 15

P1: FS says (Owns A f1) Example Proof (1) OwnerControlsRead: FS says o,r,f. (Owns o f) (o says (MayRead r f)) (MayRead r f) Direct authorization via FS's signature: sign(fs, "MayRead A f1") : FS says (MayRead A f1) 16

P1: FS says (Owns A f1) Example Proof (2) OwnerControlsRead: FS says o,r,f. (Owns o f) (o says (MayRead r f)) (MayRead r f) Complex proof constructed using "bind" and "return" bind p = OwnerControlsRead in bind q = P1 in return FS (p A A f1 q sign(a,"mayread A f1"))) : FS says (MayRead A f1) 17

Authority in AURA How to create the value sign(a, "ϕ")? Components of the software have authority Authority modeled as possession of a private key With A's authority : say("ϕ") evaluates to sign(a, "ϕ") What ϕ's should a program be able to say? From a statically predetermined set (static auditing) From a set determined at load time In any case: log which assertions are made 18

Outline AURA's programming model Authorization logic Examples Programming in AURA (Restricted) Dependent types Status, future directions, conclusions 19

AURA Programming Language Static Types: describe programs int FileHandle string prin int -> int pf ϕ Propositions: specify policy ϕ A says ϕ (ϕ φ) α.t (Owns A fh1) (ϕ -> φ) Dynamic Programs: computations, I/O 3 fh1 "hello" A say(ϕ) \x:t.e Evidence: proofs/credentials sign(a, "ϕ") bind/return \x:t.e Programs Policies 20

(Restricted) Dependent Types Policy propositions can mention program data E.g. "f1" is a file handle that can appear in a policy AURA restricts dependency to first order data types Disallows computation at the type level only values! Programming with dependent types: {x:t; U(x)} dependent pair* (* syntactic sugar) (x:t) U(x) dependent functions Invariant: sign only types Computation can't depend on signatures But, can use predicates: {x:int; pf A says Good(x)} 21

Auditing Interfaces Type of the "native" read operation: raw_read : FileHandle String AURA's runtime exposes it this way: read : (f:filehandle) pf RT says (OkToRead self f) {ans:string; pf RT says (DidRead f ans)} RT is a principal that represents the AURA runtime OKtoRead and DidRead are "generic" policies The application implements its own policies about when it is OKtoRead by providing assertions, etc. Parts of the runtime must delegate to the application 22

Signatures Assertions: uninhabited constants that construct Prop s assert MayRead : Prin -> FileHandle -> Prop; assert Owns : Prin -> FileHandle -> Prop; AURA supports mutually recursive datatypes and mutually inductively defined propositions: data List: Type -> Type { nil : (t:type) -> List t cons: (t:type) -> t -> List t -> List t } data OwnerInfo : FileHandle -> Type { } oinfo : (f:filehandle) -> (p:prin) -> pf (self says (Owns p f)) -> OwnerInfo f data And : Prop -> Prop -> Prop { } both : (p:prop) -> (q:prop) -> p -> q -> And p q 23

More about Prop vs. Type We want the Prop fragment to be a logic: Pure, strongly normalizing Signature typing rules add a strong positivity constraint for Prop to rule out divergence We need to separate the Prop and Type fragments Type fragment includes divergent terms (possibly other effects) This is the purpose of the pf monad. A value of type pf P is of the form return p t where t is a pure proof term that proves P. It is possible to write a loop of type pf P by not one of type P. 24

(see demo.core) Example Program 25

Formalizing Core AURA Lambda-cube-like representation with a very simple core: t ::= x ctr λx:t 1.t 2 t 1 t 2 (x:t 1 ) t 2 match t 1 t 2 with {b} (t 1 : t 2 ) c Plus these constants (special typechecking rules): c ::= Type Prop Kind prin says return s bind s self sign pf return p bind p if 26

Coq Formalization Type system and operational semantics: 30 rules in 4 mutually inductive predicates: wf_env, wf_tm, wf_branches, wf_brn Signature checking: wf_sig, wf_bundle_tcrs, wf_bundle_ctrs, wf_ctr_decls Conversion relation (for casts) that reflects dynamic equality checks into the static type system Evaluation rules Correctness properties proved in Coq: Type soundness and decidability of typechecking (~7000 loc) Decidability of typechecking is simplified by: Restricted dependency (only values) Limited equality proofs available statically Paper proof of strong normalization of (a slightly simplified version of) the Prop fragment. 27

Observations about the Formalization Dealing with mutually recursive datatypes and pattern matching was a lot of work Significant source of complexity for soundness and decidability hopefully reusable in other contexts (our lambda cube plus constants can probably be instantiated to other languages) Initial investment in formalization was heavy many hours to implement the typing rules, etc. But: having machine checked proofs is a big win, especially for large groups of collaborators. It gets easier over time 28

Open Questions AURA needed improvements: Anonymous existential types / dependent type & inference Richer dependent types? Explicit / richer equality proofs? Revocation/expiration of signed objects? [Garg and Pfenning] Connection to program verification? Correlate distributed logs? This story seems just fine for integrity, but what about confidentiality? We have many ideas about connecting to information-flow analysis Is there an "encryption" analog to "signatures" interpretation? Encode confidentiality using security monads [work at Chalmers] 29

Conjecture: Non-security use? Carve up a program into principals Perhaps by module? Allow principals to make arbitrary (dependent) logical assertions Interfaces can specify constraints in this logic (e.g. propositions regulate type equality) The says modality offers an escape hatch: no need to construct an actual proof Cast uses asserted equality (not verifiable equality ) says isolates components, allows assignment of blame and makes trust relationships explicit. Question: is this interesting? Useful? Does anyone know of any work similar to this? 30

Outline AURA's programming model Authorization logic Examples Programming in AURA Dependent types Status, future directions, conclusions 31

AURA's Status Have implemented an interpreter in F# Many small examples programs Working on larger examples Goal: experience with proof sizes, logging infrastructure Planning to compile AURA to Microsoft.NET platform Proof representation / compatibility with C# and other.net languages Luke Zarko is awesome Penn undergrad applying this fall to Ph.D. programs for next year 32

Security-oriented Languages AURA A language with support for authorization and audit Authorization logic Limited form of dependent types Language features that support secure systems www.cis.upenn.edu/~stevez/sol 33

Thanks! 34

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information