Type Based Distributed Access Control


Transcript of Type Based Distributed Access Control

Type Based Distributed Access Control

Tom Chothia
École Polytechnique

Joint work with Dominic Duggan (Stevens) and Jan Vitek (Purdue)

Motivation

Our aim is to use types to place conditions on how data may be distributed.

Consider a computer with public and private data:

Talk outline

Review: Decentralized Label Model (DLM) – Local Access Control
Key Based Decentralized Label Model (KDLM) – Distributed Access Control and Cryptography
The Jeddak Language
Conclusions

Local Access Control

Local access control restricts access to data.

Any read or write attempts are dynamically checked.

There are no restrictions on authorized copies of data.

Types for Information Flow

High and Low security types.

No read up. No write down.

A total order. Even a lattice.

Secrecy dual to integrity.

Declassification?

[Figure: two-point lattice, high above low.]

Types for Information Flow

  x: int high; y: int low;

Can do:
  x = x + 2;
  x = y + 2;
  if x > y then x = y;

Can't do:
  y = x;
  if x > y then y = 0;
  if guess = pwd then reject;

J.I.F. and the Decentralized Label Model (DLM)

Program variable x
– Has data type int
– Has label with policies
    Bob : {bob, jane, mike}
    Mary : {bob, jane, mary}
– Is accessible by bob and jane
– Access control checked by type checking

DLM Types for Information Flow

DLM, bottom half of the lattice.

No one has an automatic right to read your data.

[Figure: lattice of labels over the principals Alice, Bob and Eve.]

Declassification in the DLM

Data has type {L1, L2, L3} int

  L1 = bob : { bob, jane }
  L2 = mary : { bob, jane, mary }
  L3 = jane : { jane, tim }

Only Jane can access the data.

Jane, the owner of L3, relaxes it:

  L3 becomes jane : { jane, tim, bob }

Now Jane and Bob can access the data.
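A small executable model of the DLM checks on the last few slides (the high/low assignment rule, reader sets as the intersection of policies, and owner-only declassification). This is an added example, not code from the slides or from JIF; the principals and the policies L1, L2, L3 are the slides' own, everything else (function names, the PRINCIPALS set) is an assumption made here.

```python
"""Toy model of the Decentralized Label Model (DLM) on the slides.

Added example, not code from the slides or from JIF. A label is a set of
policies `owner : {readers}`; the readers of labelled data are the
intersection of all reader sets; only a policy's owner may relax it.
Principal and policy names are the slides' (bob, jane, mary, tim).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    owner: str
    readers: frozenset   # principals this owner lets read (owner included)


def label(*policies):
    """A label is a frozenset of policies; the empty label is public."""
    return frozenset(policies)


def readers_for_owner(lab, owner, principals):
    """Readers that `owner` permits in `lab`; an owner without a policy permits all."""
    allowed = set(principals)
    for p in lab:
        if p.owner == owner:
            allowed &= p.readers
    return frozenset(allowed)


def effective_readers(lab, principals):
    """Who may read data with label `lab`: every policy must allow them."""
    allowed = set(principals)
    for p in lab:
        allowed &= p.readers
    return frozenset(allowed)


def can_flow(src, dst, principals):
    """src is at most as permissive as dst: the check behind every assignment or
    copy. Each owner named in src must be at least as restrictive in dst."""
    return all(readers_for_owner(dst, o, principals) <= readers_for_owner(src, o, principals)
               for o in {p.owner for p in src})


def join(a, b):
    """Label of an expression built from two labelled inputs, e.g. the value of
    `if e then e1 else e2`: the union of policies, which can only shrink readers."""
    return a | b


def declassify(lab, by, new_policy):
    """Owner `by` swaps in a more permissive version of their own policy.
    Rewriting a policy the actor does not own is refused."""
    if new_policy.owner != by:
        raise PermissionError(f"{by} may not rewrite a policy owned by {new_policy.owner}")
    return frozenset(p for p in lab if p.owner != by) | {new_policy}


# The slides' declassification example (constructed data).
PRINCIPALS = frozenset({"bob", "jane", "mary", "tim"})
L1 = Policy("bob", frozenset({"bob", "jane"}))
L2 = Policy("mary", frozenset({"bob", "jane", "mary"}))
L3 = Policy("jane", frozenset({"jane", "tim"}))
DATA = label(L1, L2, L3)          # {L1, L2, L3} int
PUBLIC = label()                  # no policies: anyone may read


def slide_example():
    """Readers before and after jane relaxes L3 to jane : {jane, tim, bob}."""
    before = effective_readers(DATA, PRINCIPALS)
    relaxed = declassify(DATA, "jane", Policy("jane", frozenset({"jane", "tim", "bob"})))
    after = effective_readers(relaxed, PRINCIPALS)
    return before, after


def assignment_allowed(src, dst):
    """`dst = src` type-checks iff src's label may flow to dst's label
    (the `y = x` on the high/low slide is the case that fails)."""
    return can_flow(src, dst, PRINCIPALS)


def owner_only_declassifies(actor):
    """True when `actor`'s attempt to widen jane's policy L3 is refused."""
    try:
        declassify(DATA, actor, Policy("jane", frozenset({"jane", "tim", "bob"})))
    except PermissionError:
        return True
    return False
```

Running `slide_example()` gives `({'jane'}, {'bob', 'jane'})`, matching the slide; `assignment_allowed(DATA, PUBLIC)` is false because every owner in the data's label would lose their restriction, which is exactly the `y = x` rejection from the high/low slide generalised to many owners.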

DLM

Data is protected by its type.

Each attempt to copy data is statically checked at compile time.

Copies of data have the same type and hence the same protection.

Data sent outside the type checked area is no longer protected.


Minimize the Trusted Computing Base

[Figure: two layered stacks, labelled DLM and KDLM, with layers Application, Communication (Protocol / Security) and Network. In the DLM stack the communication protocol and communication security layers sit alongside the application inside the trusted computing base; the KDLM stack keeps only Application, Communication and Network.]

KDLM: Connecting Keys and Access Restrictions

Key names have policies (ACLs)
– K has policy: Joe : {Jane, Mike, Sam}
– Public-private key pair for each key name
– Private key protected by access restrictions

Labels are sets of key names
– Access restricted to the intersection of the policies (ACLs)

Keys, Labels and Certificates

  Key & Policy:                 K : Key [ bob : {mary, sam, bob} ]
  Label:                        { K1, K2, … , Kn }
  Labeled Type:                 T {K1,..,Kn} , {K1',..,Km'}
  Declassification Cert Type:   K1 declassifies K2

KDLM

As with the DLM, data is protected by its type.

But the data can also be protected by encryption.

Encryption protects data leaving the trusted area.

Keys are protected in the same way as data.

Labeled Keys

  K  : Key ( P:{P1,…,Pk} )
  a+ : [ EncKey ( K ) ]
  a- : [ DecKey ( K ) ] L

Key names exist at the type level.

KDLM

[Figure, animated: Alice and Bob share the key name K, whose policy names A and B. Data labelled {K} leaves Alice encrypted under K and is decrypted by Bob; Eve, who sees the message on the network, is not in K's policy and holds no decryption key for K.]

Why Key-Based DLM?

Some form of structural equivalence/inclusion on labels is still needed:

  e1 has label L1
  e2 has label L2
  "if e then e1 else e2" has label L1 ⊔ L2

Who would own the result label if it was named?

Why Key-Based DLM?

Suppose we added reclassification certs to the DLM:

  e1 has label {Joe:{Mary,Sue}}
  e2 has label {Joe:{Mary,Sue}}

Joe can declassify e1's label:

  declassify ({Joe:{Mary,Sue,Sam}}, e1)

Suppose Joe issues the certificate:

  Joe:{Mary,Sue,Sam} declassifies Joe:{Mary,Sue}

Then e2 can also be declassified! The certificate refers to the policy by its structure, so it matches every label of that shape, not just the data Joe meant to release.

Key Type Rules

New names are created by the right principal.

Restrictions on who may use a key are greater than or equal to the restrictions implied by the key name.

All of the keys named in the label are provided for encryption.

Decrypted data is assigned the labels from the keys used to decrypt.

[Figure, animated: data of type {K1, K2, K3} Encrypted(int), with keys handed out to Jane, Bob and Mary according to the policies below.]

  K1 has policy: bob : {bob, jane}
  K2 has policy: mary : {bob, jane, mary}
  K3 has policy: jane : {jane}

Following the policies, Jane holds K1, K2 and K3; Bob holds K1 and K2; Mary holds K2. Only Jane holds every key named in the label, so only Jane can decrypt.

Types, Principals, Key Names

  Kind:        Prin   | Key ( P:{P1…Pk} )      | Type
  Key name:           | K                      |
  Principal:   P      |                        |
  Type:               | DecKey_K, EncKey_K     | int, [T]L,L'
  Value:              | k-, k+                 | 3, x

Kinds, Types, Labels

Arities, Kinds
  A ::= Prin
      | Key_F [ P:{P1…Pk} ]
      | Type

Flags
  F ::= Virtual
      | Actual

Key names, Principals, Types
  K, P, T ::= k, p, t
           | DecKey_K | EncKey_K | AuthKey_K | SignKey_K
           | K1 reclassifies K2
           | E{LT}
           | S{LT}
           | Chan LT
           | ∃t:A. LT

  L  ::= { K1, …, Km }
  LT ::= [T] L1,L2

Expressions
  E ::= newKey k:A {e}
      | newKey k:A (a+:LT1, a-:LT2) {e}
      | encrypt_K (e1, …, ek, e)
      | decrypt_{K1,K2} (e1, …, ek, e)
      | sign_{K1,K2} (e1, …, ek, e)
      | auth_K (e1, …, ek, e)
      | reclassifyCert_{K1,K2} ()
      | reclassifyCert_{K1,K2} (e)
      | chain_{K1,K2,K3} (e1, e2)
      | x, y, z, w
      | a, b, c, n
      | new (n:LT) {e}  |  fork {e}  |  send (e1, e2)  |  receive (a)
      | pack_{t:A. LT} (K, e)
      | unpack e1 to k:A (x:LT) {e2}

KDLM Type Rules for Keys

  TE |- K : Key ( P : { Ps } )     P in PRINS_TE ( L2 )     PRINS_TE ( L1 ) ⊆ { Ps }
  -----------------------------------------------------------------------------
  TE |- [ DecKey(K) ] L1,L2

  TE |- K : Key ( P : { Ps } )     P in PRINS_TE ( L2 )
  -----------------------------------------------------
  TE |- [ EncKey(K) ] L1,L2

KDLM Type Rules for Encryption and Decryption

  TE;VE |- { Key_i } : { [ EncKey(K_i) ] L1,L1' }     TE;VE |- data : [T] L0,L'     L0 = { K_i }
  -------------------------------------------------------------------------------------------
  TE;VE |- encrypt ( { Key_i } , data ) : [ E{T} ] {},L'

  TE;VE |- { Key_i } : { [ DecKey(K_i) ] L2,L2' }     TE;VE |- data : [ E{T} ] {},L'     L = { K_i }
  -----------------------------------------------------------------------------------------------
  TE;VE |- decrypt ( { Key_i } , data ) : [T] L,L'

Correctness

Theorem 1 (Subject reduction): Types are preserved by reduction, therefore no data leaks.

Theorem 2 (Progress): Any expression that isn't a value can be reduced, or it is a mismatched decryption.


Jeddak

Generic Java extended with distributed access control using keys.

Jeddak extends Java with
– Principals
– Key names
– Labels and policies

GJ: Generic Java

Type: int, string, Object, Vector, ….

Vector returns type Object.

Generic type: Vector<int>, MyObject<YourObject>

The Java Crypto API

  KeyPair pair = keyGen.generateKeyPair();
  PrivateKey priv_key = pair.getPrivate();
  PublicKey pub_key = pair.getPublic();

  Cipher enCipher = Cipher.getInstance("...");
  enCipher.init(Cipher.ENCRYPT_MODE, pub_key);
  enCipher.doFinal(data);

Approximate Jeddak Crypto API

  KeyPair<KeyNm> pair = keyGen.generateKeyPair();
  PrivateKey<KeyNm> priv_key = pair.getPrivate();
  PublicKey<KeyNm> pub_key = pair.getPublic();

  Cipher<KeyNameSet> enCipher = Cipher.getInstance("...");
  enCipher.init(Cipher.ENCRYPT_MODE, pub_key_array);
  enCipher.doFinal(data);

Key Agreement (Java)

  KeyAgreement.init( key )
  Key key1 = KeyAgreement.doPhase( key, lastFlag )
  SecretKey KeyAgreement.generateSecret( "…" )

Key Agreement (Jeddak)

  KeyAgreement.init( key )
  Key<Label> key1 = KeyAgreement.doPhase( key, lastFlag )
  SecretKey<Label> KeyAgreement.generateSecret( "…" )

A simple example

  Key [ ThisPrin:{} ] KPriv;
  String {KPriv} mysecret;

  public void reader1 ( String arg ) { … }
  public void reader2<KeyName> ( String {KeyName} arg ) { … }

  reader1 ( mysecret );          // rejected: the label {KPriv} would be dropped
  reader2<KPriv> ( mysecret );   // accepted: the label is carried by the key name parameter

Patient Doctor example

  Prin Doctor1, Patient, Nurse, Doctor2;

  KeyNm [ Doctor1 : { Doctor1, Patient } ] DocRecord;
  KeyNm [ Patient : { Doctor1, Patient, Nurse } ] PatRecord;

  Med_File { DocRecord, PatRecord } patient_file;
  Notes { PatRecord } med_diary;

  KeyNm [ Doctor2 : { Doctor1, Doctor2 } ] Priv_Notes;
  Notes { Priv_Notes } budget;

  Patient { Priv_Notes declassifies PatRecord };
  Doctor1 { Priv_Notes declassifies DocRecord };


Papers

"Type-Based Distributed Access Control", CSFW 03
  - KDLM model
  - Type system and correctness

"Principals, Policies and Keys in a Secure Distributed Programming Language", FCS 04
  - Types for sending keys
  - Language examples

"The Jeddak Language", hopefully when it's finished.

Further Work

Finish off Jeddak.

Running code.

Accountability.

Related Work

Information flow and type systems
  – Denning
  – Volpano and Smith
  – Pottier (Flow Caml)
  – Gordon and Fournet

Information flow and access control
  – Stoughton
  – Heintze and Riecke
  – Myers, Liskov (DLM)
  – Myers, Zdancewic (JIF)
  – Banerjee and Naumann

Types and security protocols
  – Abadi
  – Gordon and Jeffrey
  – Pierce and Li
  – Duggan (Crypto Types)

Summary

KDLM for Distributed Access Control

Benefit of the type-based approach: access checking at compile time
  – Lightweight access control for accountable systems
  – Extended to "compile-time" crypto

Questions?