Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010.

Published byGeorgia Edwards Modified over 7 years ago

Similar presentations

Presentation on theme: "A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010."— Presentation transcript:

1 A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010

2 A Proof-Carrying File System Apply proof-carrying authorization (PCA) to a system interface, e.g, a file system Proof-Carrying Authorization ● Rigorous, modern technology for access control ● [AF'99, Bau'02, BGM+'05,...] ● Based on logic and formal proofs

3 Proof-Carrying Authorization (PCA) Example: Grey @ CMU Slide courtesy: Lujo Bauer Credentials are represented as logical formulas, stored in X.509 certificates in cellphones [BGM+'05]

4 Grey Example Scenario Please open Prove that Lujo says open I should ask Lujo's phone for help Prove that Lujo says open Inference Provable if: - Scott is a student - Scott is a faculty - Scott is my TA Proof that Lujo says open Slide courtesy: Lujo Bauer Door checks proof and credentials ● Decentralized policies ● High assurance ● Logic to interpret policies ● Crypto to protect policies ● High accountability ● Rich logs of access ● Decentralized policies ● High assurance ● Logic to interpret policies ● Crypto to protect policies ● High accountability ● Rich logs of access [BGM+'05]

5 Goals & Contributions of this Paper Adapt PCA to a file system, PCFS Address efficiency issues Formal proof of correctness Prototype implementation/evaluation New logic BL Represent time and state-dependent policies Proof-theory: cut-elimination, etc Later! Case study & motivating scenario: Sharing classified information in the U.S. (separate technical report) Later!

6 Motivation: The Complexity of Sharing Classified Information Polygraph Test Background check MI/OCA CIA/HR MI admin Alice has passed polygraph test Alice has no criminal record Alice is cleared at “topsecret” war.txt is classified as “secret” Alice is a CIA employee Alice may read war.txt Access! Alice from CIA wants to read war.txt in MI PCA, in this setting, would: ● Reduce human intervention ● Improve assurance (fewer human errors) ● Improve efficiency ● Hence, PCFS! PCA, in this setting, would: ● Reduce human intervention ● Improve assurance (fewer human errors) ● Improve efficiency ● Hence, PCFS!

7 Outline of Remaining Talk ● Overall design of PCFS, efficiency problem ● Time and state in the logic BL – Integration with PCFS ● Correctness of architecture formalized ● Conclusion

8 The Efficiency Problem Please open Prove that Lujo says open I should ask Lujo's phone for help Prove that Lujo says open Inference Provable if: - Scott is a student - Scott is a faculty - Scott is my TA Proof that Lujo says open Slide courtesy: Lujo Bauer Door checks proof and credentials Is this fast enough? Short answer: NO We are aiming for 2-3K access for a file system Scenario of last slide requires up to 70 certificates per access. Each signature check is ~10μs. Total: 0.7ms Parsing is more expensive And, there is proof checking Solution Cache proof verifications

9 PCFS Architecture FILE-APIFILE-API Storage Data Proof, certificate verifier Procap Proof search admin says may (...) admin says may (...) admin says may (...) Alice yes Data no Error Procap = Proven capability Fast to check (~100s) Signed with a shared key (MAC) Proca p Check er OK? /Error Implementation ● Prototype implementation for Linux; virtual FS ● 2-3K ops/s in the back-end ● Performance measurements in paper ● Currently, proof search is local ● Pass procaps through disk; uses ● second-level procap cache for efficiency ● Focus on access control only Implementation ● Prototype implementation for Linux; virtual FS ● 2-3K ops/s in the back-end ● Performance measurements in paper ● Currently, proof search is local ● Pass procaps through disk; uses ● second-level procap cache for efficiency ● Focus on access control only

10 Time and State in the Logic BL Understand proof-theory of state and time dependence in access policies Integrate with procap-based enforcement

11 Treatment of State Example Rule applies only while F has meta-data status = classified T T' Encoding The extended attribute “status” on a file determines whether it is classified or not

12 Treatment of Time Example Intelligence community policy A background check for topsecret clearance expires in 5 years Conclusion of this rule is only valid from T to T' [DGF'08] Important Treating time as part of state is less expressive

13 Staleness Problem for Capabilities FILE-APIFILE-API Storage Data Proof, certificate verifier Procap Proof search admin says may (...) admin says may (...) admin says may (...) Alice yes Data no Proca p Check er OK? /Error Time Valid only till May 2010Proof verified in April 2010 Capability used in June 2010 STO P Similar problem for state-based policies

14 Staleness Problem for Capabilities FILE-APIFILE-API Storage Data Proof, certificate verifier Procap Proof search admin says may (...) admin says may (...) admin says may (...) Alice yes Data no Error Proca p Check er OK? /Error Time Valid only till May 2010Proof verified in April 2010 Contains the constraint that proof expires in May 2010 Check that constraint at the time of access

15 Extraction of Constraints Formalized Modified proof verification that extracts time and state constraints, which are written to procaps

16 Formal Correctness of Checks The use of procaps does not add or reduce valid authorizations, even with state and time

17 Other Features of PCFS ● Default procaps for backwards compatibility ● Separation of duty – pcfsadmin governs policies – pcfssytem performs verification and maintenance ● New permission identity needed to delete file ● New permission govern needed to change protected attributes

18 Conclusion ● PCFS' procaps allow best of both worlds: – Proof-carrying authorization's rigor and flexibility in enforcing access control policies – Efficiency ● Proof-theoretic explanation of time and state in the logic BL ● Enforcement through procaps is formally correct, even with state and time ● Prototype implementation and evaluation

19 Thank You! http://www.cs.cmu.edu/~dg/pcfs

20 Some Related Work ● Proof-carrying authorization – Appel and Felten, 1999 – Bauer, 2002 – Bauer, Garriss, McCune, Reiter, … 2005 ● Nexus authorization logic, operating system – Schneider, Walsh, Sirer, 2009 – Applies PCA-like ideas to OS interfaces, but reference monitor can perform inference to account for state

21 PCFS Performance 1

22 PCFS Performance 2

23 PCFS Performance 3

Download ppt "A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010."

Similar presentations

Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.

Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.

Logical Attestation: An Authorization Architecture for Trustworthy Computing Emin Gün Sirer Willem de Bruijn †, Patrick Reynolds *, Alan Shieh ‡, Kevin.
Secure Operating Systems Lesson 0x11h: Systems Assurance.

Secure Operating Systems Lesson 0x11h: Systems Assurance.
PCFS: A Proof-Carrying File System Deepak Garg and Frank Pfenning Carnegie Mellon University July 09, 2009.

PCFS: A Proof-Carrying File System Deepak Garg and Frank Pfenning Carnegie Mellon University July 09, 2009.
A Credential Based Approach to Managing Exceptions in Digital Rights Management Systems Jean-Henry Morin University of Geneva – CUI.

A Credential Based Approach to Managing Exceptions in Digital Rights Management Systems Jean-Henry Morin University of Geneva – CUI.
Distributed System Security via Logical Frameworks Frank Pfenning Carnegie Mellon University Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter.

Distributed System Security via Logical Frameworks Frank Pfenning Carnegie Mellon University Joint work with Lujo Bauer, Deepak Garg, and Mike Reiter.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Lecture 7 Access Control

Lecture 7 Access Control
Understanding Active Directory

Understanding Active Directory
Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Smart Phones Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Smart Phones Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura.
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
Dan Parish Program Manager Microsoft Session Code: OFC 304.

Dan Parish Program Manager Microsoft Session Code: OFC 304.
Based on D. Galin, and R. Patton.  According to D. Galin  Software quality assurance is:  A systematic, planned set of actions necessary to provide.

Based on D. Galin, and R. Patton.  According to D. Galin  Software quality assurance is:  A systematic, planned set of actions necessary to provide.
A Survey on Secure Cloud Data Storage ZENG, Xi 1010105140 CAI, Peng 1010121750.

A Survey on Secure Cloud Data Storage ZENG, Xi CAI, Peng
M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.

M i SMob i S Mob i Store - Mobile i nternet File Storage Platform Chetna Kaur.
1 Introduction to Database Systems. 2 Database and Database System / A database is a shared collection of logically related data designed to meet the.

1 Introduction to Database Systems. 2 Database and Database System / A database is a shared collection of logically related data designed to meet the.
PIV 1 Ketan Mehta May 5, 2005.

PIV 1 Ketan Mehta May 5, 2005.

Similar presentations

Ads by Google