trust and authorization via provenance and integrity in distributed objects


Post on 23-Feb-2016


DESCRIPTION

Trust and Authorization via Provenance and Integrity in Distributed Objects. Andy Cirillo, James Riely, Radha Jagadeesan, Corin Pitcher. School of CTI, DePaul University, Chicago. PowerPoint (PPT) presentation; the transcript below contains the slide text together with the speaker notes.

TRANSCRIPT

Trust and Authorization via Provenance and Integrity in Distributed Objects

Andy Cirillo, James Riely, Radha Jagadeesan, Corin Pitcher

School of CTI, DePaul University. Chicago.

An Example: Content Aggregation

1. Owner adds Aggregator to Account(s)
2. Owner asks Aggregator for summary of balances
3. Aggregator requests balance from Account(s)
4. Aggregator returns aggregate balance

Content Aggregators: Financial Services (e.g. Mint, Yodlee); Mashups, Web Services

Security Concerns: Trust & Authorization; Privacy; Delegation; Audits for accountability

A. Cirillo, R. Jagadeesan, C. Pitcher and J. Riely. Trust and Authorization via Provenance and Integrity in Distributed Objects.

Provenance (speaker notes)

"All that one needs to say for provenance is: want to know the origin AND path of the requests/responses."
"Provenance is crosscutting across issues."

Our language-based approach to security

Distributed Objects

De-perimeterization [ Jericho Forum ]

Object programming idioms: flexible composition constrained by interfaces

(vs. Info Flow style)

Focus on semantic attacks on trust and authorization (vs. Network is the Opponent)

(Speaker notes)

"Then segue --- no wall around each component, so each component must be self-protecting."
"Use OO idiom --- give interfaces, composition is constrained by interfaces, constraints on composition are only for honest dudes."
"Information flow --- components have to follow a law, but get a nice system-level property."
"Here --- components have to build their own security in / do their own work ---- trades off system-level properties with more flexible programming and types to recover guarantees."
"If someone wants very strong guarantees, go with info. flow --- we think it's more flexible to program components separately."

* Use abstractions provided by crypto. Get around attacks on crypto.
* Each object takes care of itself. Build system-level guarantees by composition. Design patterns.
* Contrast against centralized strong guarantees, e.g. info flow. False tradeoffs.
* Try to make interfaces of objects flexible enough, e.g. by abstraction and parametrization.

Outline of approach

A calculus of distributed objects [Gordon/Hankin + provenance & integrity primitives]

Type-and-effect system, object-centric effects [Object creation has obligations, possession gives benefits ]

Type system provides robust safety against attackers

Rest of the Talk

Informal introduction to calculus: dynamics
Informal introduction to calculus: statics
Example
Sketch of formal stuff

Full paper: http://www.teasp.org/tapido

Calculus: Key ingredients

Concurrent Object Calculus [Gordon/Hankin 98]
- Heap objects as processes
- Asymmetric, partially commutative concurrent composition
- Right-most term is return value; cf. imperative-style concurrency

Explicit identities [Abadi, Burrows, Lampson, Plotkin, Wobber, etc.]
- People/machines/processes/keys
- Objects located at identities

Integrity assumptions on method invocation
- Integrity: know the sender


Calculus: Located Objects


Objects located at site of creation

Object reference preserves provenance of creator


Calculus: Integrity via opsem

Method executes under authority of object.
The special variable caller is bound to the calling principal.

Is required Integrity realizable?

See, for example:
- Proxy Based Systems [RMI, Jini, etc.]
- Security goals [Li, Mitchell and D. Tong; B. Scheifler; Gordon and Pucella]
- Implementation using Signing + SSL/TLS

Provenance in Security

Provenance (noun)
1: origin, source
2: the history of ownership of a valued object or work of art or literature

In security, the source of a message
- Immediate provenance (who created it? / who sent it?)
- Full history (who touched it?)
- User-defined provenance: keep only what you need

Provenance in Security

Stack Inspection
- An a posteriori look at the stack
- Criticism: limited expressiveness [Fournet/Gordon 2001]
- Security-Passing Style suitable for distribution

History-Based Access Control [Abadi/Fournet]
- Adds expressiveness

Sweet Spot: Programming Provenance
- Expressive and programmable

Type-and-Effect System

Language of effects: first-order logic fragments
- Decidable entailment: i.e. does ?
- Monotonic
- Authorization Logics (i.e. has a says modality), e.g. Binder, SecPAL

Object-centric effects refer to immutable fields of objects (e.g.) if the object is an authorization token, effect can record the rights associated with these object (vs. method-centric effects)

(Speaker notes) Type-and-effect system slide: OK
* Emphasize that effects are on object construction, not methods.
* Normally people talk about effects on methods.
* Could think of it as "Rights associated with object. With a very general notion of 'Rights'."
* Modality delimits different world views.

Object-centric effects

A proposition P communicated from sender to receiver, e.g., "Access permitted for "

Sender:   P known  ... send object ...    P known
Receiver: P not known ... receive object ... (Sender says P) known

Issue: Inconsistency of local states. Need worlds / contexts INSIDE logic.

Object-centric effects: Creation

Effects must be validated at instantiation (i.e. global policy must logically entail the effect on class, with substitutions for fields)

class C{final S foo, final T bar}[pred(foo,bar)]

When typing, effects bounded by the context; e.g., in order to type

a[new C(bam,bash)]

the policy must entail a says pred(bam,bash).

For typing, an attacker is a principal who can say anything (e.g. if a is an attacker then a says false)

Object-centric effects: Creation. Examples

This class can NEVER be instantiated (except by an attacker)

class C{}[false]

This one, sometimes

class C{final int x, final int y}[x < y]

i.e. new C{w,z} typechecks only if there's a proof of w < z

Ex. Use effect polymorphism to encode an expect construct[cf. Gordon/Fournet/Maffeis]

class Proof{}[]

expect = new Proof()

Object-centric effects: Transmission

Possession of an object reference releases effects.
Get built-in Prov(src,tgt,data) effect automatically.

class C{final T fld1}[isFunny(fld1)]
class D{
  Unit doSomething(C obj) {
    expect Prov(caller,this.loc,obj) & obj.loc says isFunny(obj.fld1)
  }
}

For example, A creates and sends C; B gets to use the effect:

B[d:D{}] | A[d.doSomething(new C(foo))]
  -->* B[expect Prov(A,B,obj) & A says isFunny(foo)]

Object-centric effects: Subtyping

Inheritance conjoins effects; e.g. suppose class D{}[] class C extends D{}[] then the actual effect of C is

Subtyping involves entailment of effects, e.g. C
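As an added example that is not from the slides or the authors' calculus, the following Python model checks object-centric effects at creation (policy must entail "a says pred(fields)", attackers may say anything) and at transmission (possession releases Prov(src,tgt,obj) and "creator says pred"); the names Policy, Class, Obj, new, send, do_something and the tuple encoding of propositions are assumptions of this model.

```python
# Added illustration (not the authors' calculus): a toy checker for
# object-centric effects. A class carries an effect over its immutable
# fields; `new` at principal `a` type-checks only if the policy entails
# `a says effect(fields)`; attackers may say anything (they say false).
from dataclasses import dataclass
from typing import Callable

Prop = tuple  # constructed propositions: ("isFunny", "foo"), ("lt", 1, 2), ("false",)

class Policy:
    def __init__(self, facts, attackers=()):
        self.facts = set(facts)          # (principal, prop) pairs the policy asserts
        self.attackers = set(attackers)  # principals that may say anything

    def entails(self, principal: str, prop: Prop) -> bool:
        if principal in self.attackers:  # attacker says false, hence anything
            return True
        if prop[0] == "lt":              # ground arithmetic: provable by everyone
            return prop[1] < prop[2]
        if prop[0] == "false":
            return False
        return (principal, prop) in self.facts

@dataclass(frozen=True)
class Class:
    name: str
    effect: Callable[..., Prop]          # effect predicate over the immutable fields

@dataclass(frozen=True)
class Obj:
    cls: Class
    fields: tuple
    loc: str                             # object is located at its site of creation

def new(policy: Policy, site: str, cls: Class, *fields) -> Obj:
    """a[new C(fields)] type-checks only if policy entails a says pred(fields)."""
    if not policy.entails(site, cls.effect(*fields)):
        raise TypeError(f"{site} cannot instantiate {cls.name}{fields}")
    return Obj(cls, fields, site)

def send(src: str, tgt: str, obj: Obj) -> set:
    """Effects released at tgt by possessing the reference: built-in Prov plus creator says pred."""
    return {("Prov", src, tgt, obj), ("says", obj.loc, obj.cls.effect(*obj.fields))}

def do_something(caller: str, this_loc: str, obj: Obj, known: set) -> bool:
    # D.doSomething(C obj): expect Prov(caller,this.loc,obj) & obj.loc says isFunny(obj.fld1)
    wanted = {("Prov", caller, this_loc, obj), ("says", obj.loc, ("isFunny", obj.fields[0]))}
    return wanted <= known                # every expected conjunct must already be released
```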