Applications of Logic in Computer Security Jonathan Millen SRI International


Applications of Logic in Computer Security

Jonathan Millen

SRI International

Areas of Application

Multilevel Operating System Security

“Orange Book,” Commercial Trusted Product Evaluation, A1-level

Emphasis on secrecy, security/clearance levels

Access Control Policies

Discretionary or role-based policies

Emphasis on application-specific policies, integrity

Public-Key Infrastructure and Trust Management

Network and distributed system security

Digitally signed certificates for identity and privileges

Cryptographic Authentication Protocols

For network communication confidentiality and authentication

Other areas: databases, firewalls/routers, intrusion detection

(Figure: the areas above grouped under the labels Computer Security and Network Security)

Contributions of Logic

Undecidability Results

Safety problem for discretionary access control

Cryptographic protocol analysis

Theorem Proving Environments

Verifying correctness of formal OS specifications

Inductive proofs of cryptographic protocols

Logic Programming

Prolog programs for cryptographic protocol analysis, trust management

Model Checking

For cryptographic protocol analysis

Specialized Logics

For cryptographic protocol analysis, trust management

Multilevel Operating System Security

Motivated by protection of classified information in shared systems

High-assurance (A1) systems may protect Secret data from uncleared users

Architecture: trusted OS kernel, hardware support

Abstract system model of access control: Bell-LaPadula (ca. 1975)

Structured state-transition system: subject-object access matrix, levels

Security invariants and transition rules (for OS functions)

“Formal Top-Level Specification” (FTLS)

More detailed state-transition system

Formal Proofs:

Model transitions satisfy invariants

FTLS is an interpretation of the system model

Carried out in environments like Gypsy, FDM, HDM

Some FTLS errors reflected in code were discovered

Of Historical Interest

Access Control Policies

Safety Problem

Subject-object-rights matrix

“rights” were arbitrary, representing different kinds of access

Operations: create/delete subjects, objects; enter/remove rights

System of conditional rules to apply operations

Harrison-Ruzzo-Ullman Undecidability Result

Whether S can ever receive right r to object O

Comm. ACM 19(8), 1976

Decidable if number of subjects is bounded

Historical Impact

Led to interest in efficiently decidable systems

Take-Grant, DAC, RBAC

(Figure: access matrix with right r in the cell for subject Si and object Oj)
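The slide notes that the safety question becomes decidable once the number of subjects is bounded. The following added example (not from the slides; the subjects, objects, commands and starting matrix are constructed for illustration) makes that concrete: with no create/delete commands the reachable access matrices form a finite set, so a breadth-first search either finds a command sequence that leaks the right or exhausts the state space and reports the system safe for that query.

```python
"""Deciding the HRU safety question for a bounded system.  With a fixed set of
subjects and objects (no create/delete commands) the set of reachable access
matrices is finite, so "can subject S ever obtain right r on object O?" is
answered by exhaustive search.  Added example; the subjects, objects,
commands and initial matrix are constructed for illustration."""
from collections import deque
from itertools import product

SUBJECTS = ("alice", "bob", "mallory")
OBJECTS = ("file", "memo")

# name -> (number of subject parameters,
#          conditions (param index, right) that must all hold on the object,
#          rights (param index, right) entered into the matrix on success)
COMMANDS = {
    # the owner of an object may give any subject read access to it
    "grant_read": (2, [(0, "own")], [(1, "read")]),
    # a subject holding read+copy on an object may pass read on to another
    "delegate_read": (2, [(0, "read"), (0, "copy")], [(1, "read")]),
}

def successors(matrix):
    """Matrices reachable by one command invocation.  HRU asks whether some
    command sequence leaks the right, not who invokes it, so every
    instantiation whose conditions hold is tried."""
    for name, (nparams, conds, effects) in COMMANDS.items():
        for obj in OBJECTS:
            for params in product(SUBJECTS, repeat=nparams):
                if all((params[i], obj, r) in matrix for i, r in conds):
                    new = matrix | {(params[i], obj, r) for i, r in effects}
                    if new != matrix:
                        yield (name, params, obj), new

def leak_path(matrix, subject, obj, right):
    """Breadth-first search over matrices.  Returns the shortest command
    sequence after which (subject, obj, right) holds, or None when no
    reachable matrix contains it (the system is safe for that right)."""
    start = frozenset(matrix)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        m, path = queue.popleft()
        if (subject, obj, right) in m:
            return path
        for step, nxt in successors(m):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + (step,)))
    return None

# Constructed starting matrix: alice owns "file"; bob may read and copy "memo".
INITIAL = frozenset({("alice", "file", "own"),
                     ("bob", "memo", "read"), ("bob", "memo", "copy")})

if __name__ == "__main__":
    for query in [("mallory", "file", "read"), ("mallory", "memo", "read"),
                  ("mallory", "file", "own")]:
        print(query, "->", leak_path(INITIAL, *query))
```

The search is exact only because the subject set is frozen; adding a `create_subject` command reintroduces the unbounded case the slide describes, where in general no such procedure can exist.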

Public-Key Certificates

Based on asymmetric encryption

Key pair $K_A$, $K_A^{-1}$: one made public, one kept secret

Text block encrypted with $K_A$ can be decrypted only with $K_A^{-1}$.

Impractical to compute secret key from public key

Digital signature

Text string T

Apply one-way (hash) function

Encrypt with secret key

Verify by decrypting with signer’s public key, compare hash result

Public Key Certificate

Binds name to public key, signed by trusted party

Logical Equivalent

“A says ($K_B$ is the public key of B)”

… provided that $K_A$ is the public key of A

(Figure: signing) $T \to h(T) \to [h(T)]_{K_A^{-1}}$

(Figure: certificate for B) $B, K_B, [h(B, K_B)]_{K_A^{-1}}$

Logic of Distributed Authentication

Origination

“Authentication in distributed systems: theory and practice,” by Lampson, Abadi, Burrows, and Wobber, ACM Trans. Comp. Sys., 10(4), 1992

Theory of says and speaks for (the $\Rightarrow$ relation)

$(A \Rightarrow B) \supset ((A \text{ says } s) \supset (B \text{ says } s))$ (P8)

$(A \text{ says } (B \Rightarrow A)) \supset (B \Rightarrow A)$ (P10)

Application to distributed systems

A and B are principals: users or keys (can say something)

A says s means: A authorizes command (operation, access) s

$A \Rightarrow B$ means: B delegates authority to A

Certificate $T, [T]_{K_A^{-1}}$ means $K_A$ says T

Public key certificate means $K_A \Rightarrow A$

Credentials sent from one network node to another to authorize resources

Implemented in Taos operating system


Trust Management

PolicyMaker

“Decentralized trust management,” Blaze, Feigenbaum, Lacy, 1996 IEEE Symposium on Security and Privacy

Identified trust management as a distinct problem

Purpose: to define and implement policy using credentials to process queries

Delegation Logic

“A logic-based knowledge representation for authorization with delegation,” Li, Feigenbaum, Grosof, 1999 Computer Security Foundations Workshop

Language to express policies

Primitives include says, delegates (speaks for with object)

Access permission is decidable

Logic program implementation (in Datalog)
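The says / speaks-for axioms of the Lampson et al. slide and the Datalog-style evaluation the Delegation Logic slide mentions are both forms of forward chaining over a small fact base. The added example below (not the Taos implementation, PolicyMaker, or Delegation Logic code; the principals, key names and trust assumptions are constructed) applies (P8), (P10) and transitivity of $\Rightarrow$ to a set of certificates until a fixpoint is reached, then asks whether a request can be attributed to a named principal.

```python
"""Forward chaining over the says / speaks-for theory (Lampson, Abadi,
Burrows, Wobber).  Added example: it is neither the Taos implementation nor
PolicyMaker or Delegation Logic code, and the principals, keys and trust
assumptions below are constructed for illustration."""

def speaks_for(a, b):
    return ("speaksfor", a, b)      # A => B: A speaks for B (B delegated to A)

def says(p, stmt):
    return ("says", p, stmt)

def certificate(key, stmt):
    """T, [T]_{K^-1}: a statement signed under K's private half reads as
    'K says T' (the signature check itself is assumed already done)."""
    return says(key, stmt)

def closure(facts):
    """Apply P8, P10 and transitivity of => until no new fact appears."""
    facts = set(facts)
    while True:
        new = set()
        sf = {(f[1], f[2]) for f in facts if f[0] == "speaksfor"}
        for f in facts:
            if f[0] != "says":
                continue
            p, s = f[1], f[2]
            for a, b in sf:              # P8: A => B, A says s  |-  B says s
                if a == p:
                    new.add(says(b, s))
            if s[0] == "speaksfor" and s[2] == p:   # P10: A says (B => A)  |-  B => A
                new.add(s)
        for a, b in sf:                  # => is transitive
            for c, d in sf:
                if b == c and a != d:
                    new.add(speaks_for(a, d))
        if new <= facts:
            return facts
        facts |= new

def authorizes(facts, principal, command):
    """Can the theory conclude `principal says command`?"""
    return says(principal, command) in closure(facts)

# Constructed scenario: an installed CA root key, the CA trusted for the name
# it certifies, B's public-key certificate, B delegating to a workstation key,
# and a request signed by that workstation key.
FACTS = {
    speaks_for("K_CA", "CA"),                       # root key (assumption)
    speaks_for("CA", "B"),                          # CA speaks for B's name (assumption)
    certificate("K_CA", speaks_for("K_B", "B")),    # public-key certificate for B
    certificate("K_B", speaks_for("K_W", "B")),     # B delegates to workstation key K_W
    certificate("K_W", ("read", "payroll")),        # request made with K_W
}

if __name__ == "__main__":
    for f in sorted(closure(FACTS), key=repr):
        print(f)
    print("B authorizes read payroll:", authorizes(FACTS, "B", ("read", "payroll")))
```

The derivation the engine finds runs: $K_{CA}$ says ($K_B \Rightarrow B$), so by (P8) CA says it and then B says it; (P10) turns that into $K_B \Rightarrow B$; the same two steps turn B's delegation certificate into $K_W \Rightarrow B$; and (P8) finally lifts $K_W$'s request to a statement by B. A request signed by a key for which no speaks-for chain exists stays attributed to that key alone.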

Cryptographic Protocols

Cryptographic protocol: an exchange of messages over an insecure communication medium, using cryptographic transformations to ensure authentication and secrecy of data and keying material.

Applications: military communications, business communications, electronic commerce, privacy

Examples

Kerberos: MIT protocol for unitary login to network services

SSL (Secure Socket Layer, used in Web browsers)

IPSec: standard suite of Internet protocols due to the IETF

SET (Secure Electronic Transaction) protocol

PGP (Pretty Good Privacy)

A Popular Example

The Needham-Schroeder public-key handshake

R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Comm. ACM, Dec. 1978

$A \to B: \{A, N_a\}_{K_b}$

$B \to A: \{N_a, N_b\}_{K_a}$

$A \to B: \{N_b\}_{K_b}$

Purpose: mutual authentication of A and B, sharing secrets Na, Nb

This is an “Alice-and-Bob” protocol specification

Na and Nb are nonces (used once)

Ka is the public key of A

The protocol is vulnerable...

The Attack

(Figure: message sequence between A, M and B; $M(A)$ denotes M sending under A's false address)

$A \to M: \{A, N_a\}_{K_m}$

$M(A) \to B: \{A, N_a\}_{K_b}$

$B \to M(A): \{N_a, N_b\}_{K_a}$

$M \to A: \{N_a, N_b\}_{K_a}$

$A \to M: \{N_b\}_{K_m}$

$M(A) \to B: \{N_b\}_{K_b}$

A's run looks normal; B thinks he's talking to A, and $N_b$ is compromised

A malicious party M can forge addresses, deviate from protocol

Lowe, “Breaking and Fixing the Needham-Schroeder Public Key Protocol Using FDR,” TACAS 1996, LNCS 1055
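Lowe found the attack above with a model checker, and the approach is small enough to reproduce. The added example below (not from the slides, and not FDR/Casper; the atom names, key names and message shapes are constructed) runs a bounded state-space search over one run of A, one run of B and a Dolev-Yao attacker M who holds the key pair for $K_m$, reads every message and may deliver any message it can build. The insecure state searched for is the one the slide describes: B finishes believing it talked to A while the attacker knows $N_b$. The `lowe_fix` flag adds B's name to the second message, the repair from Lowe's cited paper, and with it the search comes back empty.

```python
"""Bounded model check of the Needham-Schroeder public-key handshake: one run
of A (initiator), one run of B (responder), and a Dolev-Yao attacker M who
owns the key pair for Km, reads every message and can deliver anything it can
build.  Added example, not from the slides or from FDR/Casper; `lowe_fix`
adds the responder's name to message 2, as in Lowe's repaired protocol."""
from collections import deque
from itertools import product

NAMES = ("A", "B", "M")
NONCES = ("Na", "Nb")
PUB = {"A": "Ka", "B": "Kb", "M": "Km"}   # public key of each principal
ATTACKER_KEY = "Km"                        # M can open anything encrypted under Km

def enc(key, *payload):
    return ("enc", key, payload)

def show(t):
    return "{" + ", ".join(t[2]) + "}_" + t[1]

def close(knowledge):
    """Attacker knowledge closure: open ciphertexts under the attacker's key."""
    k = set(knowledge)
    for t in list(k):
        if t[0] == "enc" and t[1] == ATTACKER_KEY:
            k.update(t[2])
    return frozenset(k)

def deliverable(knowledge, key, shape):
    """Messages under `key` whose payload slots have the given kinds ("name"
    or "nonce") that the attacker can deliver: replays of intercepted
    ciphertexts plus fresh encryptions of known atoms (public keys are public)."""
    kind = {"name": NAMES, "nonce": NONCES}
    out = {t for t in knowledge
           if t[0] == "enc" and t[1] == key and len(t[2]) == len(shape)
           and all(a in kind[s] for a, s in zip(t[2], shape))}
    pools = [[a for a in kind[s] if a in knowledge] for s in shape]
    out.update(enc(key, *combo) for combo in product(*pools))
    return out

def search(a_partner, lowe_fix=False):
    """BFS over (A state, B state, B's believed partner, attacker knowledge).
    Returns the trace of the first reachable state where B has finished
    believing it talked to A while the attacker knows Nb, or None."""
    shape2 = ("nonce", "nonce", "name") if lowe_fix else ("nonce", "nonce")
    start = (0, 0, None, close(NAMES))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        (a_st, b_st, b_partner, know), trace = queue.popleft()
        if b_st == 2 and b_partner == "A" and "Nb" in know:
            return trace
        steps = []  # (new a_st, new b_st, new b_partner, message sent or None, label)
        if a_st == 0:                                   # A sends message 1
            m = enc(PUB[a_partner], "A", "Na")
            steps.append((1, b_st, b_partner, m, f"A sends {show(m)}"))
        if a_st == 1:                                   # A receives 2, sends 3
            for m in deliverable(know, "Ka", shape2):
                p = m[2]
                if p[0] != "Na" or (lowe_fix and p[2] != a_partner):
                    continue
                r = enc(PUB[a_partner], p[1])
                steps.append((2, b_st, b_partner, r, f"A accepts {show(m)}, sends {show(r)}"))
        if b_st == 0:                                   # B receives 1, sends 2
            for m in deliverable(know, "Kb", ("name", "nonce")):
                x, n = m[2]
                r = enc(PUB[x], n, "Nb", "B") if lowe_fix else enc(PUB[x], n, "Nb")
                steps.append((a_st, 1, x, r, f"B accepts {show(m)}, sends {show(r)}"))
        if b_st == 1:                                   # B receives 3
            for m in deliverable(know, "Kb", ("nonce",)):
                if m[2][0] == "Nb":
                    steps.append((a_st, 2, b_partner, None, f"B accepts {show(m)}, done"))
        for na, nb, npart, sent, label in steps:
            nxt = (na, nb, npart, close(know | {sent}) if sent else know)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (label,)))
    return None

if __name__ == "__main__":
    print("A talks to M, original protocol:", search("M"))
    print("A talks to B, original protocol:", search("B"))
    print("A talks to M, Lowe's fix:", search("M", lowe_fix=True))
```

Every message an honest party sends goes straight into the attacker's knowledge, and every message an honest party receives is chosen from what the attacker can deliver, which is the standard way the intruder stands in for the network in these tools. The state space stays finite because each role runs once and the message shapes are fixed.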

Undecidable in General

Reduction of Post correspondence problem

Word pairs $u_i, v_i$ for $1 \le i < n$

Does there exist $u_{i_1} \cdots u_{i_k} = v_{i_1} \cdots v_{i_k}$?

Construction

Protocol with one role (or one per i)

Compromises secret if solution exists

Attacker cannot forge release message because of encryption

Observations

Messages are unbounded

Construction suggested by Heintze & Tygar, 1994

First undecidability proof by Even & Goldreich, 1983

1999 proof by Durgin, et al shows nonces are enough

(Figure: the role's rules)

send $\{\epsilon, \epsilon\}_K$ ($\epsilon$: the empty word)

receive $\{X, Y\}_K$

if $X = Y$, send secret

else choose $i$, send $\{X u_i, Y v_i\}_K$

Analysis Approaches

Model checking

State-space search for attacks

Inductive proof

Using verification tools or by hand

Can prove protocols correct (for abstract encryption)

Belief-logic proofs

BAN logic and successors

For authentication properties

Linear Logic Model

Linear Logic

Reference: J.-Y. Girard, “Linear logic,” Theoretical Comp. Sci., 1987

Constructive, used to model state-transition systems

Application to cryptographic protocols

Cervesato, Durgin, Lincoln, Mitchell, Scedrov, “A meta-notation for protocol analysis,” 1999 Computer Security Foundations Workshop

Model-checking with linear-logic symbolic search tool LLF (LICS ‘96)

State-transition rules

$F_1, \ldots, F_k \to \exists x_1, \ldots, x_m.\ G_1, \ldots, G_n$

State is a multiset of “facts” $F_i$, predicates over terms

Rule matches facts on the left side with variable substitution

Variables $x_i$ are instantiated with new symbols (like nonces!)

Left-side facts are replaced by right-side facts in the multiset

The MSR Model

Implementation of linear logic model

Special term and fact types for cryptographic protocols

Symbols for principals, keys, and nonces

Terms for encryption and concatenation

Facts for protocol process state, messages

Multiset holds current states of many concurrent protocol sessions

Example: A sends message $A, \{A\}_K$ (to B) with new K

$A_0(A,B) \to \exists K.\ A_1(A,B,K), M(\{A\}_K)$

Attacker rules eavesdrop, construct false messages, e.g.,

$M(\{A\}_K), M(K) \to M(\{A\}_K), M(K), M(A)$

Attacker model is standardized

MSR model applied as intermediate language

CAPSL $\to$ MSR $\to$ analysis tools (Millen, Denker 1999)
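The two slides above describe rule application over a multiset: match the left side against distinct fact occurrences, instantiate the existential variables with fresh symbols, remove the consumed facts and add the right side. The added example below (not the CAPSL/MSR tool-chain or any published MSR implementation; fact and rule encodings are constructed) implements exactly that semantics and runs the slide's two rules. Because K is created fresh by the protocol step, the attacker's decryption rule cannot fire until a fact $M(K)$ is present, which the example adds explicitly as a supposed key leak.

```python
"""Multiset rewriting (MSR) in the style of Cervesato et al.: the state is a
multiset of facts; a rule consumes facts matching its left side, instantiates
existential variables with fresh symbols, and adds its right side.  Added
example; it is not the CAPSL/MSR tool-chain.  Variables are strings that
start with "?"; encryption {X}K is the term ("enc", K, X)."""
from collections import Counter
from itertools import count

_fresh = count()

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def unify(pat, term, env):
    """Extend env so that pat under env equals term, or return None."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term):
            return None
        for p, t in zip(pat, term):
            env = unify(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(t, env):
    if is_var(t):
        return env[t]
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return t

def matches(patterns, state, env):
    """Yield (env, consumed) for each way to match all patterns against
    distinct fact occurrences in the multiset (multiset semantics: a fact
    with multiplicity 1 cannot satisfy two patterns)."""
    if not patterns:
        yield env, Counter()
        return
    first, rest = patterns[0], patterns[1:]
    for fact, n in state.items():
        if n == 0:
            continue
        e = unify(first, fact, env)
        if e is None:
            continue
        remaining = state.copy()
        remaining[fact] -= 1
        for e2, used in matches(rest, remaining, e):
            yield e2, used + Counter({fact: 1})

def apply(rule, state):
    """All successor multisets obtained by one application of rule."""
    lhs, fresh, rhs = rule
    out = []
    for env, used in matches(lhs, state, {}):
        env = {**env, **{v: f"{v[1:]}{next(_fresh)}" for v in fresh}}  # new symbols
        nxt = state - used                      # remove the consumed facts
        for p in rhs:
            nxt[subst(p, env)] += 1             # add the right-side facts
        out.append(nxt)
    return out

# A0(A,B) -> exists K. A1(A,B,K), M({A}K)        (the slide's protocol step)
SEND = ([("A0", "?A", "?B")], ["?K"],
        [("A1", "?A", "?B", "?K"), ("M", ("enc", "?K", "?A"))])
# M({A}K), M(K) -> M({A}K), M(K), M(A)           (the slide's attacker decryption)
DECRYPT = ([("M", ("enc", "?K", "?X")), ("M", "?K")], [],
           [("M", ("enc", "?K", "?X")), ("M", "?K"), ("M", "?X")])

def run_example():
    """Protocol step, then attacker decryption without and with M(K)."""
    s0 = Counter({("A0", "a", "b"): 1})
    (s1,) = apply(SEND, s0)
    k = next(f[3] for f in s1 if f[0] == "A1")       # the fresh key symbol
    blocked = apply(DECRYPT, s1)                     # no M(K): rule cannot fire
    leaked = s1 + Counter({("M", k): 1})             # constructed: suppose K leaked
    (s2,) = apply(DECRYPT, leaked)
    return blocked, s2, k

if __name__ == "__main__":
    blocked, s2, k = run_example()
    print("successors without M(K):", blocked)
    print("state after decryption with M(K):", dict(s2))
```

The fresh-symbol step is the whole point of the existential on the rule's right side: each application of `SEND` produces a key that no earlier fact mentions, which is how nonces and session keys are modelled without any notion of randomness.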

Model Checking Tools

State-space search for reachability of insecure states

History: back to 1984, Interrogator program in Prolog

Meadows’ NRL Protocol Analyzer (NPA), also Prolog, 1991

Prolog programs were interactive

General-purpose model-checkers

Search automatically given initial conditions, bounds

Iterative bounded-depth search

Roscoe and Lowe used FDR (model-checker for CSP), 1995

Mitchell, et al used Murphi, 1997

Clarke, et al used SMV, 1998

Denker, Meseguer, Talcott used Maude, 1998

Successful at finding previously unknown vulnerabilities!

Non-Repudiation Protocols

Different objectives and assumptions

Fairness objectives: contract signing, proofs of receipt, fair exchange

Applications to electronic commerce

Parties are mutually distrustful, network well-behaved, no intruder

Trusted third party to resolve detected breaches

Alternating Temporal Logic application

Kremer, Raskin, “Formal verification of non-repudiation protocols, a game approach,” Workshop on Formal Methods and Computer Security, 2000

Used model checker MOCHA

Example Objective

$\neg \langle\langle B, Com \rangle\rangle \Diamond (NRO \wedge \neg \langle\langle A \rangle\rangle \Diamond NRR)$

Means: B and Com (the network) do not have a strategy leading to a state where B has proof of non-repudiation of origin (of some message) but A has no strategy (from there) leading to a proof of non-repudiation of receipt

Inductive Proofs

State-transition model similar to model checking approaches

Application of general-purpose specification and verification tools

Influential Examples:

R. Kemmerer, “Analyzing encryption protocols using formal verification techniques,” IEEE J. Selected Areas in Comm., 7(4), May 1989 (FDM).

L. Paulson, “The inductive approach to verifying cryptographic protocols,” J. Computer Security 6(1), 1998 (used Isabelle)

Paulson’s approach inspired others

Bolignano (using Coq), Millen (using PVS)

BAN Logic

Papers

Burrows, Abadi, Needham, “A logic of authentication,” ACM Trans. Computer Systems 8(1), 1990

Gong, Needham, Yahalom, “Reasoning about belief in cryptographic protocols,” 1990 IEEE Symposium on Security and Privacy

Approach

Modal logic of belief plus specialized predicates and inference rules

Protocol messages are “idealized” into logical statements

Objective is to prove that both parties share common beliefs

Idealization

$A \to B: \{A, K, B\}_{K_B}$ becomes

B sees $\{\text{good-key}(A, K, B)\}_{K_B}$

Objective

Infer that B believes A said good-key(A, K, B)

$B \mid\!\equiv A \mid\!\sim (A \stackrel{K}{\leftrightarrow} B)$

Inferences and Problems

Example

P believes fresh(X), P believes Q said X $\vdash$ P believes Q believes X

Assumption

Protocol idealization must be consistent with beliefs about confidentiality

Problem

Observed by Nessett right away for digital signature example

Good key must not be given away accidentally (or on purpose)

Takes deep analysis to determine this

Needham-Schroeder Public Key protocol proved correct (!!??)

These logics are still used because:

They are efficiently decidable

They help to understand the protocol

They can be used manually

Summary

Many applications of logic in computer security are indirect, through use of tools that require deep logic-system knowledge to design

Several unusual or specialized logical systems have application to computer security

Cryptographic protocol analysis is an active, fertile area for logic applications