Type Based Distributed Access Control

DESCRIPTION

Type Based Distributed Access Control. Dominic Duggan, Stevens Institute of Technology. Joint work with Tom Chothia (Stevens) and Jan Vitek (Purdue). PowerPoint presentation, October 2, 2003.

TRANSCRIPT

Page 1: Type Based Distributed Access Control

October 2, 2003 D. Duggan 1

Type Based Distributed Access Control

Dominic Duggan

Stevens Institute of Technology

Joint work with Tom Chothia (Stevens) and Jan Vitek (Purdue)

Page 2: Type Based Distributed Access Control


Motivation

Our aim is to use types to place conditions on how data may be distributed.

Consider a computer with public and private data:

Page 3: Type Based Distributed Access Control


Talk outline

Review: Decentralized Label Model (DLM)
– Local Access Control

Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography

Formal Semantics

Jeddak: A Language with Distributed Access Control

Conclusions and Further Work

Page 4: Type Based Distributed Access Control


Local Access Control

Local access control restricts access to data.

Any read or write attempts are dynamically checked.

There are no restrictions on authorized copies of data.

Page 5: Type Based Distributed Access Control


Decentralized Label Model (DLM)

Program variable x
– Has type int
– Has label with policies
  Bob : {bob, jane, mike}
  Mary : {bob, jane, mary}
– Is accessible by bob and jane
– Access control checked by type checking

Page 6: Type Based Distributed Access Control


DLM

Data is protected by its type.

Each attempt to copy data is statically checked at compile time.

Copies of data have the same type and hence the same protection.

Data sent outside the type checked area is no longer protected.

Page 7: Type Based Distributed Access Control


Declassification in the DLM

Data has type {L1, L2, L3} int

L1 = bob : { bob, jane }
L2 = mary : { bob, jane, mary }
L3 = jane : { jane, tim }

Only Jane can access the data.

L3 → jane : { jane, tim, bob }

Now Jane and Bob can access the data.
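The DLM slides above as a runnable model: a label is a set of owner:{readers} policies, a principal may read only if every policy lists it, copies are checked statically, and only a policy's owner may relax it. This is an added example, not code from the talk, from Jif, or from Jeddak. The names `policy`, `may_flow`, `declassify` and `demo` are chosen here, and the ordering used by `may_flow` is the Myers-Liskov relabelling rule, which the slides do not spell out.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Policy:
    """One DLM policy 'owner : {readers}'; the owner can always read."""
    owner: str
    readers: FrozenSet[str]


def policy(owner: str, readers: Iterable[str]) -> Policy:
    return Policy(owner, frozenset(readers) | {owner})


Label = FrozenSet[Policy]  # a label is a set of policies


def may_read(principal: str, label: Label) -> bool:
    """Intersection rule: every policy in the label must list the principal."""
    return all(principal in p.readers for p in label)


def readers(label: Label, principals: Iterable[str]) -> FrozenSet[str]:
    return frozenset(p for p in principals if may_read(p, label))


def may_flow(src: Label, dst: Label) -> bool:
    """Static check on a copy y := x.  The copy's label must be at least as
    restrictive: each source policy needs a destination policy with the same
    owner and no extra readers (Myers-Liskov relabelling rule; an assumption
    here, since the slides only say copies are 'statically checked')."""
    return all(any(q.owner == p.owner and q.readers <= p.readers for q in dst)
               for p in src)


def declassify(actor: str, label: Label, old: Policy, new: Policy) -> Label:
    """Relax one policy of a label.  Only that policy's owner may do it, and
    the relaxed policy keeps the same owner."""
    if old not in label:
        raise ValueError("policy is not part of the label")
    if actor != old.owner or new.owner != old.owner:
        raise PermissionError(f"{actor} does not own the policy of {old.owner}")
    return (label - {old}) | {new}


def demo() -> dict:
    """Walk through the two labelled values shown on the slides."""
    everyone = ("bob", "jane", "mary", "mike", "tim")
    # x : int with label {Bob:{bob,jane,mike}, Mary:{bob,jane,mary}}
    x: Label = frozenset({policy("bob", {"bob", "jane", "mike"}),
                          policy("mary", {"bob", "jane", "mary"})})
    # data of type {L1, L2, L3} int
    L1 = policy("bob", {"bob", "jane"})
    L2 = policy("mary", {"bob", "jane", "mary"})
    L3 = policy("jane", {"jane", "tim"})
    d: Label = frozenset({L1, L2, L3})
    # Jane, owner of L3, relaxes it to jane:{jane,tim,bob}
    d2 = declassify("jane", d, L3, policy("jane", {"jane", "tim", "bob"}))
    try:                      # Bob owns L1, not L3, so he cannot relax L3
        declassify("bob", d, L3, policy("jane", {"jane", "tim", "bob"}))
        bob_may_declassify = True
    except PermissionError:
        bob_may_declassify = False
    return {
        "x_readers": readers(x, everyone),             # {bob, jane}
        "d_readers": readers(d, everyone),             # {jane}
        "d2_readers": readers(d2, everyone),           # {bob, jane}
        "copy_d_to_d2": may_flow(d, d2),               # False: would leak to Bob
        "copy_d2_to_d": may_flow(d2, d),               # True: more restrictive
        "copy_d_to_public": may_flow(d, frozenset()),  # False: no policy at all
        "bob_may_declassify": bob_may_declassify,      # False
    }
```

`may_flow` is what the compiler runs on every assignment; `declassify` is the one escape hatch, and it is tied to the owner of the policy being relaxed, so Bob cannot widen Jane's policy even though he is a reader of the data.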

Page 8: Type Based Distributed Access Control


Talk outline

Review: Decentralized Label Model (DLM)
– Local Access Control

Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography

Formal Semantics

Jeddak: A Language with Distributed Access Control

Conclusions and Further Work

Page 9: Type Based Distributed Access Control


Minimize the Trusted Computing Base

[Figure: two layer stacks (Application / Communication / Network), one labelled DLM and one labelled KDLM, showing where the protocol and communication security sit in each.]

Page 10: Type Based Distributed Access Control


KDLM

As with the DLM, data is protected by its type.

But the data can also be protected by encryption.

Encryption protects data leaving the trusted area.

Keys are protected in the same way as data.

Page 11: Type Based Distributed Access Control


KDLM

[Figure: Alice, Bob and Eve.]

Page 12: Type Based Distributed Access Control


KDLM: Connecting Keys and Access Restrictions

Key names have policies (ACLs)
– K has policy: Joe : {Jane, Mike, Sam}
– Public-private key pair for key name
– Private key protected by access restrictions

Labels are sets of key names
– Access restricted to intersection of policies (ACLs)

Page 13: Type Based Distributed Access Control


KDLM: Declassifying Encrypted Data

[Figure: Alice and Bob, with key names A and B.]

Page 14: Type Based Distributed Access Control


Declassification in the KDLM

K1 has policy: bob : {bob, jane}
K2 has policy: mary : {bob, jane, mary}
K3 has policy: jane : {jane}

Jane creates certificate for Bob: K1 declassifies K3

[Figure: Jane, Bob and Mary holding keys among K1, K2, K3; the data has type {K1, K2, K3} Encrypted(int).]

Page 15: Type Based Distributed Access Control


Declassification Certificates

Key & Policy: K : skey[ bob : {mary, sam, bob} ]

Label: {K1, K2, …, Kn}

Labelled Type: T {K1, K2, …, Kn}

Declassification Cert Types: K1 declassifies K2

Page 16: Type Based Distributed Access Control


Talk outline

Review: Decentralized Label Model (DLM)
– Local Access Control

Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography

Formal Semantics

Jeddak: A Language with Distributed Access Control

Conclusions and Further Work

Page 17: Type Based Distributed Access Control


Kinds, Types, Labels

Arities, Kinds
A ::= Prin
A ::= SKey_F[P:{P1…Pk}]
A ::= IKey_F[P:{P1…Pk}]
A ::= Type

Flags
F ::= Virtual
F ::= Actual

Key names, Principals, Types
K,P,T ::= k, p, t
K,P,T ::= DecKey_K
K,P,T ::= EncKey_K
K,P,T ::= AuthKey_K
K,P,T ::= SignKey_K
K,P,T ::= K1 reclassifies K2
K,P,T ::= E{LT}
K,P,T ::= S{LT}
K,P,T ::= Chan_LT
K,P,T ::= t:A LT

L ::= {K1, …, Km}

LT ::= [T]_{L1,L2}

Page 18: Type Based Distributed Access Control


Expressions

E ::= newKey k:A {e}
E ::= newKey k:A (a+:LT1, a-:LT2) {e}
E ::= reclassifyCert_{K1,K2}()
E ::= reclassifyCert_{K1,K2}(e)
E ::= chain_{K1,K2,K3}(e1, e2)
E ::= encrypt_K(e1, …, ek, e)
E ::= decrypt_{K1,K2}(e1, …, ek, e)
E ::= sign_{K1,K2}(e1, …, ek, e)
E ::= auth_K(e1, …, ek, e)
E ::= x, y, z, w
E ::= a, b, c, n
E ::= new(n:LT){e}
E ::= fork{e}
E ::= send(e1, e2)
E ::= receive(a)
E ::= reclassify_{K1,K2}(e1, e2)
E ::= pack_{t:A LT}(K, e)
E ::= unpack e1 to k:A (x:LT){e2}

Page 19: Type Based Distributed Access Control

Types, Principals, Key Names

[Figure: kind / type / value columns. Kind type has type int with value 3; kind prin has principal P; kind skey[P:{P1…Pk}] has key name K, with types encKey_K and decKey_K inhabited by the public and private keys k+ and k-.]

Page 20: Type Based Distributed Access Control


Key Names

Basically names of policies P:{P1,…,Pk}

Exist at the type level

May be:
– Actual, i.e., associated public-private key pair at run-time
– Virtual, i.e., only compile-time

Page 21: Type Based Distributed Access Control


Why Key-Based DLM?

Suppose we added reclassification certs to DLM:

e1 has label {Joe:{Mary,Sue}}
e2 has label {Joe:{Mary,Sue}}

Joe can declassify e1's label: declassify({Joe:{Mary,Sue,Sam}}, e1)

Suppose Joe issues certificate: Joe:{Mary,Sue,Sam} declassifies Joe:{Mary,Sue}

Then e2 can also be declassified!
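A runnable model of the KDLM slides (key names with policies, labels as sets of key names, access by intersection, the private key of a key name protected by that key name's policy, and the "K1 declassifies K3" certificate from the "Declassification in the KDLM" slide), together with the point of the slide just above: a certificate names a key, so data labelled with a different key name that happens to carry an identical policy is untouched. This is an added example, not code from the talk or from Jeddak. Assumptions made here: encryption is modelled as the label still wrapping the payload rather than real ciphertext, a principal holds exactly the private keys whose policies list it, and only the owner of the target key's policy may issue a certificate for it. `key_name`, `issue_cert`, `reclassify`, `can_decrypt` and the two `demo_*` functions are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class KeyName:  # name of a policy owner:{readers}; equal policies, distinct names
    name: str
    owner: str
    readers: FrozenSet[str]

def key_name(name: str, owner: str, readers: Iterable[str]) -> KeyName:
    return KeyName(name, owner, frozenset(readers) | {owner})  # owner reads too

Label = FrozenSet[KeyName]  # a label is a set of key names

@dataclass(frozen=True)
class Cert:  # "declassifier declassifies target", issued by target's owner
    issuer: str
    declassifier: KeyName
    target: KeyName

@dataclass(frozen=True)
class Encrypted:  # Encrypted(int){K1..Kn}; assumption: label stands in for ciphertext
    label: Label
    payload: int

def may_read(principal: str, label: Label) -> bool:
    """Compile-time view: access is the intersection of the key names' policies."""
    return all(principal in k.readers for k in label)

def private_keys(principal: str, keys: Iterable[KeyName]) -> FrozenSet[KeyName]:
    """Assumption: a principal holds exactly the private keys whose policy lists it."""
    return frozenset(k for k in keys if principal in k.readers)

def decrypt(principal: str, keys: Iterable[KeyName], e: Encrypted) -> int:
    """Run-time view: a private key for every key name in the label, or no access."""
    missing = e.label - private_keys(principal, keys)
    if missing:
        raise PermissionError(f"{principal} lacks " + ", ".join(sorted(k.name for k in missing)))
    return e.payload

def can_decrypt(principal: str, keys: Iterable[KeyName], e: Encrypted) -> bool:
    try:
        decrypt(principal, keys, e)
        return True
    except PermissionError:
        return False

def issue_cert(issuer: str, declassifier: KeyName, target: KeyName) -> Cert:
    """Assumption: only the owner of the target's policy may declassify it."""
    if issuer != target.owner:
        raise PermissionError(f"{issuer} does not own {target.name}")
    return Cert(issuer, declassifier, target)

def reclassify(cert: Cert, e: Encrypted) -> Encrypted:
    """reclassify_{K1,K3}(cert, e): swap K3 for K1 in the label and nothing else."""
    if cert.target not in e.label:
        raise ValueError(f"{cert.target.name} is not in the label")
    return Encrypted((e.label - {cert.target}) | {cert.declassifier}, e.payload)

def demo_declassification() -> Dict[str, object]:
    """The 'Declassification in the KDLM' slide: Jane lets Bob read an int."""
    K1 = key_name("K1", "bob", {"bob", "jane"})
    K2 = key_name("K2", "mary", {"bob", "jane", "mary"})
    K3 = key_name("K3", "jane", {"jane"})
    keys = [K1, K2, K3]
    secret = Encrypted(frozenset(keys), 42)  # {K1, K2, K3} Encrypted(int)
    cert = issue_cert("jane", K1, K3)        # Jane: "K1 declassifies K3"
    relabelled = reclassify(cert, secret)    # label is now {K1, K2}
    try:
        issue_cert("bob", K1, K3)            # Bob does not own K3's policy
        bob_can_issue = True
    except PermissionError:
        bob_can_issue = False
    return {
        "readers_before": frozenset(p for p in ("bob", "jane", "mary") if may_read(p, secret.label)),
        "bob_before": can_decrypt("bob", keys, secret),       # False: no K3
        "label_after": frozenset(k.name for k in relabelled.label),
        "bob_after": decrypt("bob", keys, relabelled),        # 42
        "mary_after": can_decrypt("mary", keys, relabelled),  # False: K2 but no K1
        "bob_can_issue": bob_can_issue,                       # False
    }

def demo_nominal() -> Dict[str, object]:
    """'Why Key-Based DLM?': a cert for Ka says nothing about data labelled Kb."""
    Ka = key_name("Ka", "joe", {"mary", "sue"})
    Kb = key_name("Kb", "joe", {"mary", "sue"})  # same policy, other key name
    Kc = key_name("Kc", "joe", {"mary", "sue", "sam"})
    e1, e2 = Encrypted(frozenset({Ka}), 1), Encrypted(frozenset({Kb}), 2)
    cert = issue_cert("joe", Kc, Ka)          # Joe: "Kc declassifies Ka"
    try:
        reclassify(cert, e2)                  # Kb is not Ka, however alike
        e2_declassified = True
    except ValueError:
        e2_declassified = False
    return {"same_policy": (Ka.owner, Ka.readers) == (Kb.owner, Kb.readers),
            "sam_reads_e1": may_read("sam", reclassify(cert, e1).label),
            "e2_declassified": e2_declassified}
```

The static check (`may_read`) and the run-time check (`decrypt`) agree because the private key of each key name is handed out under the same policy as the data; that is what lets the encrypted value leave the type-checked area without losing its protection. In `demo_nominal`, a DLM that named labels by their policies would see e1 and e2 as identically labelled and Joe's certificate would open both; with nominal key names only the data labelled Ka is affected.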

Page 22: Type Based Distributed Access Control


Why Key-Based DLM?

Some form of structural equivalence/inclusion on labels is still needed.

e1 has label L1
e2 has label L2
e ? e1 : e2 has label L1 ⊔ L2 (the join of L1 and L2)

Who would own the result label if it was named?

Page 23: Type Based Distributed Access Control


Talk outline

Review: Decentralized Label Model (DLM)
– Local Access Control

Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography

Formal Semantics

Jeddak: A Language with Distributed Access Control

Conclusions and Further Work

Page 24: Type Based Distributed Access Control


Jeddak

Extends Java with
– Principals
– Key names
– Labels and policies

Page 25: Type Based Distributed Access Control


Talk outline

Review: Decentralized Label Model (DLM)
– Local Access Control

Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography

Formal Semantics

Jeddak: A Language with Distributed Access Control

Conclusions and Further Work

Page 26: Type Based Distributed Access Control


Summary

KDLM for Distributed Access Control

Benefit of Type-Based Approach: Access Checking at compile-time
– Lightweight access control for accountable systems
– Extended to “compile-time” crypto

Page 27: Type Based Distributed Access Control


Related Work

Information flow and type systems
– Denning
– Volpano and Smith
– Pottier (Flow Caml)

Information flow and access control
– Stoughton
– Heintze and Riecke
– Myers, Liskov (DLM)
– Myers, Zdancewic (JIF)
– Banerjee and Naumann

Types and security protocols
– Abadi
– Gordon and Jeffrey
– Pierce and Li
– Duggan (Crypto Types)

Page 28: Type Based Distributed Access Control


Questions?