Corin Pitcher

Towards a theory of accountability and audit

Accountability mechanisms, which rely on after-the-fact verification, are an attractive means to enforce authorization policies. In this paper, we describe an operational model of accountability-based distributed systems. We describe analyses which support both the design of accountability systems and the validation of auditors for finitary accountability systems. Our study provides formal foundations to explore the tradeoffs underlying the design of accountability systems including: the power of the auditor, the efficiency of the audit protocol, the requirements placed on the agents, and the requirements placed on the communication infrastructure.

Specifications of a high-level conflict-free firewall policy language for multi-domain networks

Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities. We propose FLIP, a high-level firewall configuration policy language for traffic access control, to enforce security and ensure seamless configuration management. In FLIP, firewall security policies are defined as high-level service-oriented goals, which can be translated automatically into access control rules to be distributed to appropriate enforcement devices. FLIP guarantees that the rules generated will be conflict-free, both on individual firewall and between firewalls. We prove that the translation algorithm is both sound and complete. FLIP supports policy inheritance and customization features that enable defining a global firewall policy for large-scale enterprise network quickly and accurately. Through a case study, we argue that firewall policy management for large-scale networks is efficient and accurate using FLIP.

Local Memory via Layout Randomization

Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plot kin. We consider the execution of an idealized language in two environments. In the strict environment, opponents cannot access local variables of the user program. In the lax environment, opponents may attempt to guess allocated memory locations and thus, with small probability, gain access the local memory of the user program. We model these environments using two novel calculi: lambda-mu-hashref and lambda-mu-proberef. Our contribution to the Abadi-Plot kin program is to enrich the programming language with dynamic memory allocation, first class and higher order references and call/cc-style control. On the one hand, these enhancements allow us to directly model a larger class of system hardening principles. On the other hand, the class of opponents is also enhanced since our enriched language permits natural and direct encoding of attacks that alter the control flow of programs. Our main technical result is a fully abstract translation (up to probability) of lambda-mu-hashref into lambda-mu-proberef. Thus, in the presence of randomized layouts, the opponent gains no new power from being able to guess local references of the user program. Our numerical bounds are similar to those of Abadi and Plot kin, thus, the extra programming language features do not cause a concomitant increase in the resources required for protection via randomization.

Generative operational semantics for relaxed memory models

The specification of the Java Memory Model (jmm) is phrased in terms of acceptors of execution sequences rather than the standard generative view of operational semantics. This creates a mismatch with language-based techniques, such as simulation arguments and proofs of type safety. We describe a semantics for the jmm using standard programming language techniques that captures its full expressivity. For data-race-free programs, our model coincides with the jmm. For lockless programs, our model is more expressive than the jmm. The stratification properties required to avoid causality cycles are derived, rather than mandated in the style of the jmm. The jmm is arguably non-canonical in its treatment of the interaction of data races and locks as it fails to validate roach-motel reorderings and various peephole optimizations. Our model differs from the jmm in these cases. We develop a theory of simulation and use it to validate the legality of the above optimizations in any program context.

Timed constraint programming: a declarative approach to usage control

This paper focuses on policy languages for (role-based) access control [14, 32], especially in their modern incarnations in the form of trust-management systems [9] and usage control [30, 31]. Any (declarative) approach to access control and trust management has to address the following issues: Explicit denial, inheritance, and overriding, and History-sensitive access control.Our main contribution is a policy algebra, in the timed concurrent constraint programming paradigm, that uses a form of default constraint programming to address the first issue, and reactive computing to address the second issue.The policy algebra is declarative --- programs can be viewed as imposing temporal constraints on the evolution of the system --- and supports equational reasoning. The validity of equations is established by coinductive proofs based on an operational semantics.The design of the policy algebra supports reasoning about policies by a systematic combination of constraint reasoning and model checking techniques based on linear time temporal-logic. Our framework permits us to perform security analysis with dynamic state-dependent restrictions.

Do As I SaY! Programmatic Access Control with Explicit Identities

We address the programmatic realization of the access control model of security in distributed systems. Our aim is to bridge the gap between abstract/declarative policies and their concrete/operational implementations. We present a programming formalism (which extends the asynchronous pi-calculus with explicit principals) and a specification logic (which extends Datalog with primitives from authorization logic). We provide two kinds of static analysis methods to tie implementation to specification. Type checking determines that a program is a sound implementation of policy; i.e., that all granted accesses are safe in the face of arbitrary opponents. Model checking determines a degree of completeness; i.e., that accesses permitted by the policy are actually granted in the implementation.

Open bisimulation for aspects

We define and study bisimulation for proving contextual equivalence in an aspect extension of the untyped lambda-calculus. To our knowledge, this is the first study of coinductive reasoning principles aimed at proving equality of aspect programs. The language we study is very small, yet powerful enough to encode mutable references and a range of temporal pointcuts (including cflow and regular event patterns).Examples suggest that our bisimulation principle is useful. For an encoding of higher-order programs with state, our methods suffice to establish well-known and well-studied subtle examples involving higher-order functions with state.Even in the presence of first class dynamic advice and expressive pointcuts, our reasoning principles show that aspect-aware interfaces can aid in ensuring that clients of a component are unaffected by changes to an implementation. Our paper generalizes existing results given for open modules to also include a variety of history-sensitive pointcuts such as cflow and regular event patterns.Our formal techniques and results suggest that aspects are amenable to the formal techniques developed for stateful higher-order programs.

TAPIDO: Trust and Authorization Via Provenance and Integrity in Distributed Objects (Extended Abstract)

Existing web services and mashups exemplify the need for flexible construction of distributed applications. How to do so securely remains a topic of current research. We present Tapido, a programming model to address Trust and Authorization concerns via Provenance and Integrity in systems of Distributed Objects. Creation of Tapido objects requires (static) authorization checks and their communication provides fine-grain control of their embedded authorization effects. Tapido programs constrain such delegation of rights by using provenance information. A type-and-effect system with effect polymorphism provides static support for the programmer to reason about security policies. We illustrate the programming model and static analysis with example programs and policies.

Dynamic policy discovery with remote attestation

Remote attestation allows programs running on trusted hardware to prove their identity (and that of their environment) to programs on other hosts. Remote attestation can be used to address security concerns if programs agree on the meaning of data in attestations. This paper studies the enforcement of code-identity based access control policies in a hostile distributed environment, using a combination of remote attestation, dynamic types, and typechecking. This ensures that programs agree on the meaning of data and cannot violate the access control policy, even in the presence of opponent processes. The formal setting is a π-calculus with secure channels, process identity, and remote attestation. Our approach allows executables to be typechecked and deployed independently, without the need for secure initial key and policy distribution beyond the trusted hardware itself.

Lambda-RBAC: Programming with Role-Based Access Control

We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise: (1) The user of a component faces the issue of safety: is a particular role sufficient to use the component? (2) The component designer faces the dual issue of protection: is a particular role demanded in all execution paths of the component? We provide a formal calculus and static analysis to answer both questions.