Applications of Logic in Computer Security
Areas of Application
Multilevel Operating System Security
“Orange Book,” Commercial Trusted Product Evaluation, A1-level
Emphasis on secrecy, security/clearance levels
Access Control Policies
Discretionary or role-based policies
Emphasis on application-specific policies, integrity
Public-Key Infrastructure and Trust Management
Network and distributed system security
Digitally signed certificates for identity and privileges
Cryptographic Authentication Protocols
For network communication confidentiality and authentication
Other areas: databases, firewalls/routers, intrusion detection
Computer Security
Contributions of Logic
Undecidability Results
Safety problem for discretionary access control
Cryptographic protocol analysis
Theorem Proving Environments
Verifying correctness of formal OS specifications
Inductive proofs of cryptographic protocols
Logic Programming
Prolog programs for cryptographic protocol analysis, trust management
Model Checking
For cryptographic protocol analysis
Specialized Logics
Multilevel Operating System Security
Motivated by protection of classified information in shared systems
High-assurance (A1) systems may protect Secret data from uncleared users
Architecture: trusted OS kernel, hardware support
Abstract system model of access control: Bell-LaPadula (ca. 1975)
Structured state-transition system: subject-object access matrix, levels
Security invariants and transition rules (for OS functions)
“Formal Top-Level Specification” (FTLS)
More detailed state-transition system
Formal Proofs:
Model transitions satisfy invariants
FTLS is an interpretation of the system model
Carried out in environments like Gypsy, FDM, HDM
Some FTLS errors reflected in code were discovered
Access Control Policies
Safety Problem
Subject-object-rights matrix
“rights” were arbitrary, representing different kinds of access
Operations: create/delete subjects, objects; enter/remove rights
System of conditional rules to apply operations
Harrison-Ruzzo-Ullman Undecidability Result
Whether S can ever receive right r to object O
Comm. ACM 19(8), 1976
Decidable if number of subjects is bounded
Historical Impact
Led to interest in efficiently decidable systems
Take-Grant, DAC, RBAC
Public-Key Certificates
Based on asymmetric encryption
Key pair KA, KA^-1: one made public, one kept secret
Text block encrypted with KA can be decrypted only with KA^-1
Impractical to compute secret key from public key
Digital signature
Text string T
Apply one-way (hash) function
Encrypt with secret key
Verify by decrypting with signer’s public key, compare hash result
Public Key Certificate
Binds name to public key, signed by trusted party
Logical Equivalent
“A says (KB is the public key of B)”
… provided that KA is the public key of A
Figure: signing T: T → h(T) → [h(T)]KA^-1 (hash, then encrypt with A’s secret key)
Figure: A’s certificate for B: B, KB, [h(B,KB)]KA^-1
Logic of Distributed Authentication
Origination:
“Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992
Theory of says and speaks for (⇒ relation)
(A ⇒ B) ⊃ ((A says s) ⊃ (B says s))  (P8)
(A says (B ⇒ A)) ⊃ (B ⇒ A)  (P10)
Application to distributed systems
A and B are principals: users or keys (can say something)
A says s means: A authorizes command (operation, access) s
A ⇒ B means: B delegates authority to A
Certificate T,[T]KA^-1 means KA says T
Public key certificate means KA ⇒ A
Credentials sent from one network node to another to authorize resources
Implemented in Taos operating system
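As an added example (not code from the Lampson et al. paper or these slides), a small forward-chaining checker for the two axioms P8 and P10 above, using the certificate reading from the previous slide (a signed T is “KA says T”, a public-key certificate is “KA ⇒ A”); the delegation scenario, principal names and request tuple are constructed for illustration.

```python
# Forward-chaining checker for the "says"/"speaks for" calculus, limited to the
# two axioms quoted on the slide:
#   P8:  (A => B), A says s   gives   B says s     (speaks-for transfers "says")
#   P10: A says (B => A)      gives   B => A       (handoff)
# Principals and keys are strings, statements are tuples. The scenario below
# is constructed for illustration; it is not from the paper or the slides.

def says(p, s):
    return ("says", p, s)

def speaks_for(a, b):
    return ("speaksfor", a, b)          # A => B: A speaks for B

def certificate(statement, signing_key):
    """T,[T]K^-1 is modelled as the fact 'K says T' (as on the slide)."""
    return says(signing_key, statement)

def close(facts):
    """Saturate a fact set under P8 and P10; returns every derivable fact."""
    facts = set(facts)
    while True:
        new = set()
        for f in facts:
            if f[0] == "says" and f[2][0] == "speaksfor" and f[2][2] == f[1]:
                new.add(f[2])                               # P10 (handoff)
            if f[0] == "speaksfor":
                for g in facts:
                    if g[0] == "says" and g[1] == f[1]:
                        new.add(says(f[2], g[2]))           # P8
        if new <= facts:
            return facts
        facts |= new

def delegation_scenario():
    """A delegates to B by signing 'B => A'; B then signs a request."""
    facts = {
        speaks_for("KA", "A"),                     # public-key certificate: KA => A
        speaks_for("KB", "B"),                     # public-key certificate: KB => B
        certificate(speaks_for("B", "A"), "KA"),   # A signs the delegation B => A
        certificate(("read", "file1"), "KB"),      # B signs a request
        certificate(speaks_for("KC", "C"), "KA"),  # A merely vouches for C's key
    }
    return close(facts)

if __name__ == "__main__":
    derived = delegation_scenario()
    print(speaks_for("B", "A") in derived)            # handoff succeeded
    print(says("A", ("read", "file1")) in derived)    # A says read file1
    print(speaks_for("KC", "C") in derived)           # no handoff: A is not C
```

Note that “A says (KC ⇒ C)” is derived but “KC ⇒ C” is not: P10 only fires when the delegating principal is the one being spoken for.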
Trust Management
Policymaker
“Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy
Identified trust management as a distinct problem
Purpose: to define and implement policy using credentials to process queries
Delegation Logic
“A logic-based knowledge representation for Authorization with Delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop
Language to express policies
Primitives include says, delegates (speaks for with object)
Access permission is decidable
Cryptographic Protocols
Cryptographic protocol
an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.
Applications
military communications, business communications, electronic commerce, privacy
Examples
Kerberos: MIT protocol for unitary login to network services
SSL (Secure Socket Layer, used in Web browsers)
IPSec: standard suite of Internet protocols due to the IETF
SET (Secure Electronic Transaction) protocol
A Popular Example
The Needham-Schroeder public-key handshake
R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec., 1978
A → B: {A, Na}Kb
B → A: {Na, Nb}Ka
A → B: {Nb}Kb
Purpose: mutual authentication of A and B, sharing secrets Na, Nb
This is an “Alice-and-Bob” protocol specification
Na and Nb are nonces (used once)
Ka is the public key of A
The Attack
A → M: {A,Na}Km  (normal run, as seen by A)
M (as A) → B: {A,Na}Kb
B → M (as A): {Na,Nb}Ka
M → A: {Na,Nb}Ka
A → M: {Nb}Km
M (as A) → B: {Nb}Kb  (B thinks he’s talking to A; Nb is compromised)
Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” TACAS 1996, LNCS 1055
Undecidable in General
Reduction of Post correspondence problem
Word pairs ui, vi for 1 ≤ i < n
Does there exist ui1...uik = vi1...vik?
Construction
Protocol with one role (or one per i)
Compromises secret if solution exists
Attacker cannot forge release message because of encryption
Observations
Messages are unbounded
Construction suggested by Heintze & Tygar, 1994
First undecidability proof by Even & Goldreich, 1983
1999 proof by Durgin et al. shows nonces are enough
Protocol role (sketch):
send {ε, ε}K  (start with two empty words)
receive {X,Y}K
if X = Y, send secret
else choose i, send {X ui, Y vi}K
Analysis Approaches
Model checking
State-space search for attacks
Inductive proof
Using verification tools or by hand
Can prove protocols correct (for abstract encryption)
Belief-logic proofs
Linear Logic Model
Linear Logic
Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci, 1987
Constructive, used to model state-transition systems
Application to cryptographic protocols
Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop
Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)
State-transition rules
F1, …, Fk → ∃x1, …, xm. G1, …, Gn
The MSR Model
Implementation of linear logic model
Special term and fact types for cryptographic protocols
Symbols for principals, keys, and nonces
Terms for encryption and concatenation
Facts for protocol process state, messages
Multiset holds current states of many concurrent protocol sessions
Example: A sends message A,{A}K (to B) with new K
A0(A,B) → ∃K. A1(A,B,K), M({A}K)
Attacker rules eavesdrop, construct false messages, e.g.,
M({A}K), M(K) → M({A}K), M(K), M(A)
Attacker model is standardized
MSR model applied as intermediate language
Model Checking Tools
State-space search for reachability of insecure states
History: back to 1984, Interrogator program in Prolog
Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991
Prolog programs were interactive
General-purpose model-checkers
Search automatically given initial conditions, bounds
Iterative bounded-depth search
Roscoe and Lowe used FDR (model-checker for CSP), 1995
Mitchell, et al used Murphi, 1997
Clarke, et al used SMV, 1998
Denker, Meseguer, Talcott used Maude, 1998
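An added example (not the LLF tool, MSR, or any of the model checkers named above) that ties the MSR slide to the model-checking slide: the slide’s two rewrite rules run by a bounded-depth state-space search for the insecure state M(A). The key-leak rule, the fact encoding and the depth bound are constructed assumptions.

```python
# Multiset-rewriting (MSR) model with bounded-depth reachability search, using
# the slide's rules A0(A,B) -> ∃K. A1(A,B,K), M({A}K) and
# M({X}K), M(K) -> M({X}K), M(K), M(X). A state is a multiset (Counter) of
# facts; a rule maps a state to its successor states. The key-leak rule is
# constructed here (it is not on the slide) to give the search something to find.
from collections import Counter

def fresh(state):
    """∃K: a key name not occurring anywhere in the multiset (checked on repr)."""
    n = 0
    while f"'K{n}'" in repr(state):
        n += 1
    return f"K{n}"

def rewrite(state, remove, add):
    return state - Counter(remove) + Counter(add)

def a_sends(state):                 # A0(A,B) -> ∃K. A1(A,B,K), M({A}K)
    for f in state:
        if f[0] == "A0":
            k = fresh(state)
            yield rewrite(state, [f], [("A1", f[1], f[2], k), ("M", ("enc", f[1], k))])

def attacker_decrypts(state):       # M({X}K), M(K) -> M({X}K), M(K), M(X)
    for f in state:
        if f[0] == "M" and f[1][0] == "enc" and ("M", f[1][2]) in state:
            yield rewrite(state, [], [("M", f[1][1])])

def key_leaks(state):               # constructed: A1(A,B,K) -> A1(A,B,K), M(K)
    for f in state:
        if f[0] == "A1":
            yield rewrite(state, [], [("M", f[3])])

def reachable(initial, rules, insecure, depth):
    """Iterative bounded-depth search for a state satisfying `insecure`."""
    frontier = [initial]
    for _ in range(depth + 1):
        if any(insecure(s) for s in frontier):
            return True
        frontier = [t for s in frontier for r in rules for t in r(s)]
    return False

def attacker_learns_A(with_key_leak):
    """Can the attacker ever hold M(A), i.e. read A's encrypted name?"""
    init = Counter([("A0", "A", "B")])
    rules = [a_sends, attacker_decrypts] + ([key_leaks] if with_key_leak else [])
    return reachable(init, rules, lambda s: ("M", "A") in s, depth=4)

if __name__ == "__main__":
    print("fresh K only:", attacker_learns_A(False))   # search exhausts: False
    print("with key leak:", attacker_learns_A(True))   # insecure state found: True
```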
Non-Repudiation Protocols
Different objectives and assumptions
Fairness objectives: contract signing, proofs of receipt, fair exchange
Applications to electronic commerce
Parties are mutually distrustful, network well-behaved, no intruder
Trusted third party to resolve detected breaches
Alternating Temporal Logic application
Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000
Used model checker MOCHA
Example Objective
¬<<B,Com>> ◇(NRO ∧ ¬<<A>> ◇NRR)
Means: B and Com (the network) do not have a strategy leading to a state
Inductive Proofs
State-transition model similar to model checking approaches
Application of general-purpose specification and verification tools
Influential Examples:
R. Kemmerer, “Analyzing encryption protocols using formal verification techniques,” IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM)
L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)
Paulson’s approach inspired others
BAN Logic
Papers
Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990
Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy
Approach
Modal logic of belief plus specialized predicates and inference rules
Protocol messages are “idealized” into logical statements
Objective is to prove that both parties share common beliefs
Idealization
A → B: {A, K, B}KB becomes B sees {good-key(A, K, B)}KB
Objective
Infer that B believes A said good-key(A, K, B)
B |≡ A |~ (A ↔K B)  (BAN notation: B believes A said K is a good key for A and B)
Inferences and Problems
Example
P believes fresh(X), P believes Q said X |- P believes Q believes X
Assumption
Protocol idealization must be consistent with beliefs about confidentiality
Problem
Observed by Nessett right away for digital signature example
Good key must not be given away accidentally (or on purpose)
Takes deep analysis to determine this
Needham-Schroeder Public Key protocol proved correct (!!??)
These logics are still used because:
They are efficiently decidable
Summary
Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design
Several unusual or specialized logical systems have application to computer security