A Proof-Carrying File System Deepak Garg and Frank Pfenning (Carnegie Mellon University) IEEE Symposium on Security and Privacy May 18, 2010.

Presentation transcript:

A Proof-Carrying File System
Apply proof-carrying authorization (PCA) to a system interface, e.g., a file system.
Proof-Carrying Authorization:
● Rigorous, modern technology for access control [AF'99, Bau'02, BGM+'05, ...]
● Based on logic and formal proofs

Proof-Carrying Authorization (PCA) Example: CMU (slide courtesy: Lujo Bauer)
Credentials are represented as logical formulas, stored in X.509 certificates in cellphones [BGM+'05].

Grey Example Scenario (slide courtesy: Lujo Bauer) [BGM+'05]
[Figure: Scott's phone asks the door: "Please open". Door: "Prove that Lujo says open". Scott's phone: "I should ask Lujo's phone for help". Lujo's phone runs inference: provable if Scott is a student, Scott is a faculty, or Scott is my TA. A proof that Lujo says open is returned; the door checks the proof and credentials.]
● Decentralized policies
● High assurance
 – Logic to interpret policies
 – Crypto to protect policies
● High accountability
 – Rich logs of access

Goals & Contributions of this Paper
● Adapt PCA to a file system, PCFS
 – Address efficiency issues
 – Formal proof of correctness
 – Prototype implementation/evaluation
● New logic BL (later!)
 – Represent time- and state-dependent policies
 – Proof theory: cut elimination, etc.
● Case study & motivating scenario: sharing classified information in the U.S. (separate technical report; later!)

Motivation: The Complexity of Sharing Classified Information
Alice from CIA wants to read war.txt in MI.
[Figure: derivation of access. Sources: polygraph test, background check, MI/OCA, CIA/HR, MI admin. Facts: Alice has passed polygraph test; Alice has no criminal record; Alice is cleared at "topsecret"; war.txt is classified as "secret"; Alice is a CIA employee; Alice may read war.txt. Result: Access!]
PCA, in this setting, would:
● Reduce human intervention
● Improve assurance (fewer human errors)
● Improve efficiency
● Hence, PCFS!

Outline of Remaining Talk
● Overall design of PCFS, efficiency problem
● Time and state in the logic BL
 – Integration with PCFS
● Correctness of architecture formalized
● Conclusion

The Efficiency Problem
[Figure: the Grey door-opening scenario from the earlier slide (slide courtesy: Lujo Bauer).]
Is this fast enough? Short answer: NO.
● We are aiming for 2-3K accesses for a file system
● The scenario of the last slide requires up to 70 certificates per access
● Each signature check is ~10μs; total: 0.7ms
● Parsing is more expensive
● And there is proof checking
Solution: cache proof verifications.

PCFS Architecture
[Figure: Alice calls the file API. Proof search, using credentials of the form "admin says may (...)", produces a proof; the proof and certificate verifier checks it and issues a procap. On access, the procap checker answers OK or Error, and the storage layer returns the data or an error.]
Procap = proven capability:
● Fast to check (~100s)
● Signed with a shared key (MAC)
Implementation:
● Prototype implementation for Linux; virtual FS
● 2-3K ops/s in the back-end
● Performance measurements in paper
● Currently, proof search is local
● Pass procaps through disk; uses second-level procap cache for efficiency
● Focus on access control only

Time and State in the Logic BL
● Understand the proof theory of state and time dependence in access policies
● Integrate with procap-based enforcement

Treatment of State
Example: a rule applies only while file F has meta-data status = classified. [Figure: timeline from T to T'.]
Encoding: the extended attribute "status" on a file determines whether it is classified or not.

Treatment of Time
Example (intelligence community policy): a background check for topsecret clearance expires in 5 years. The conclusion of this rule is only valid from T to T' [DGF'08].
Important: treating time as part of state is less expressive.

Staleness Problem for Capabilities
[Figure: the PCFS architecture diagram from above, with a timeline: proof verified in April 2010; proof valid only till May 2010; capability used in June 2010 → STOP.]
Similar problem for state-based policies.

Staleness Problem for Capabilities (solution)
[Figure: the same timeline: proof verified in April 2010, valid only till May 2010.]
The procap contains the constraint that the proof expires in May 2010; check that constraint at the time of access.

Extraction of Constraints Formalized
Modified proof verification that extracts time and state constraints, which are written to procaps.
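The procap mechanism of the last three slides, as an added Python illustration (not PCFS's own code): the verifier writes the proof's time interval and file-attribute constraints into a MAC-signed procap, and the checker re-evaluates those constraints at access time instead of re-checking certificates and proofs. The key value, field names and the scenario dates are constructed for the example.

```python
import hmac
import hashlib
import json

# Hypothetical shared MAC key between the verifier (issues procaps) and the
# procap checker in the file-system back end; value is constructed for the demo.
SHARED_KEY = b"pcfs-demo-shared-key"


def procap_mac(body: dict) -> bytes:
    """MAC over a canonical JSON encoding of the procap body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def issue_procap(principal, path, perm, valid_from, valid_until, state_constraints):
    """Stand-in for the verifier: after the (omitted) proof check it records the
    time interval and state constraints extracted from the proof and MACs them.
    Dates are ISO strings, which compare correctly as plain strings."""
    body = {"principal": principal, "file": path, "perm": perm,
            "valid": [valid_from, valid_until], "state": dict(state_constraints)}
    return {"body": body, "mac": procap_mac(body).hex()}


def check_procap(procap, principal, path, perm, now, attrs):
    """Procap checker at access time: one cheap MAC check, then re-evaluate the
    extracted constraints against the current time and the file's current
    extended attributes, so a procap cannot be used after its proof went stale."""
    body = procap["body"]
    if not hmac.compare_digest(procap_mac(body), bytes.fromhex(procap["mac"])):
        return (False, "invalid MAC")
    if (body["principal"], body["file"], body["perm"]) != (principal, path, perm):
        return (False, "procap does not cover this request")
    lo, hi = body["valid"]
    if not lo <= now <= hi:
        return (False, "stale: proof valid only from %s to %s" % (lo, hi))
    for attr, expected in body["state"].items():
        if attrs.get(attr) != expected:
            return (False, "stale: attribute %s is no longer %r" % (attr, expected))
    return (True, "ok")


# Constructed scenario from the slides: proof verified in April 2010,
# valid only till May 2010, and the rule requires status = classified.
PROCAP = issue_procap("alice", "/mi/war.txt", "read", "2010-04-15", "2010-05-31",
                      {"status": "classified"})
```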

Formal Correctness of Checks
The use of procaps does not add or reduce valid authorizations, even with state and time.

Other Features of PCFS
● Default procaps for backwards compatibility
● Separation of duty
 – pcfsadmin governs policies
 – pcfssystem performs verification and maintenance
● New permission identity needed to delete a file
● New permission govern needed to change protected attributes

Conclusion
● PCFS' procaps allow the best of both worlds:
 – Proof-carrying authorization's rigor and flexibility in enforcing access control policies
 – Efficiency
● Proof-theoretic explanation of time and state in the logic BL
● Enforcement through procaps is formally correct, even with state and time
● Prototype implementation and evaluation

Thank You!

Some Related Work
● Proof-carrying authorization
 – Appel and Felten, 1999
 – Bauer, 2002
 – Bauer, Garriss, McCune, Reiter, ... 2005
● Nexus authorization logic, operating system
 – Schneider, Walsh, Sirer, 2009
 – Applies PCA-like ideas to OS interfaces, but the reference monitor can perform inference to account for state

PCFS Performance 1

PCFS Performance 2

PCFS Performance 3