Publication


Featured research published by Susan Older.


The Computer Journal | 2002

Formal Methods for Assuring Security of Protocols

Susan Older; Shiu-Kai Chin

Establishing the security of a system is an intricate problem with subtle nuances: it requires a careful examination of the underlying assumptions, abstractions, and possible actions. Consequently, assuring that a system behaves securely is virtually impossible without the use of rigorous analytical techniques. In this article, we focus on a single cryptographic protocol (Needham–Schroeder) and show how several different formal methods can be used to identify its various vulnerabilities. These vulnerabilities include susceptibility to freshness attacks and impersonations.
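The impersonation the abstract refers to is easiest to see in the public-key variant of Needham–Schroeder. The following is an added example, not code from the paper: an honest NSPK run, Lowe's man-in-the-middle impersonation against it, and the same attack after the responder's name is added to message 2 (Lowe's fix). Encryption is a toy model (a ciphertext records whose public key it is under, and only that principal can open it); the principal names and nonce strings are constructed for the example.

```python
# Added example (not from the paper): the Needham-Schroeder public-key protocol
# (NSPK) run by honest parties, then Lowe's man-in-the-middle impersonation
# against it, and the same run once the responder's name is added to message 2
# (Lowe's fix). Encryption is a toy model: a ciphertext records whose public key
# it is under, and only that principal may open it.
from dataclasses import dataclass
from typing import Any, Optional, Tuple


@dataclass(frozen=True)
class Enc:
    """Ciphertext under the public key of `reader`."""
    reader: str
    payload: Tuple[Any, ...]


def enc(reader: str, *payload: Any) -> Enc:
    return Enc(reader, payload)


def dec(me: str, c: Enc) -> Tuple[Any, ...]:
    # Models the secrecy of public-key encryption: without the private key of
    # `c.reader` the payload is unreadable.
    if c.reader != me:
        raise PermissionError(f"{me} cannot open a message for {c.reader}")
    return c.payload


class Initiator:
    """A's side: A -> B: {Na, A}_B ;  B -> A: {Na, Nb[, B]}_A ;  A -> B: {Nb}_B."""

    def __init__(self, name: str, peer: str, nonce: str, lowe_fix: bool):
        self.name, self.peer, self.nonce, self.lowe_fix = name, peer, nonce, lowe_fix

    def msg1(self) -> Enc:
        return enc(self.peer, self.nonce, self.name)

    def msg3(self, m2: Enc) -> Enc:
        payload = dec(self.name, m2)
        if self.lowe_fix:
            na, nb, responder = payload
            # Lowe's fix: the reply must name the peer A believes it is talking to.
            if responder != self.peer:
                raise ValueError(f"{self.name}: reply names {responder}, expected {self.peer}")
        else:
            na, nb = payload
        if na != self.nonce:
            raise ValueError(f"{self.name}: nonce mismatch")
        return enc(self.peer, nb)


class Responder:
    """B's side. `accepted` records who B believes completed the run with it."""

    def __init__(self, name: str, nonce: str, lowe_fix: bool):
        self.name, self.nonce, self.lowe_fix = name, nonce, lowe_fix
        self.claimed_peer: Optional[str] = None
        self.accepted: Optional[str] = None

    def msg2(self, m1: Enc) -> Enc:
        na, claimed = dec(self.name, m1)
        self.claimed_peer = claimed
        if self.lowe_fix:
            return enc(claimed, na, self.nonce, self.name)
        return enc(claimed, na, self.nonce)

    def finish(self, m3: Enc) -> str:
        (nb,) = dec(self.name, m3)
        if nb != self.nonce:
            raise ValueError(f"{self.name}: nonce mismatch")
        self.accepted = self.claimed_peer
        return self.accepted


def honest_run(lowe_fix: bool) -> str:
    a, b = Initiator("A", "B", "Na", lowe_fix), Responder("B", "Nb", lowe_fix)
    return b.finish(a.msg3(b.msg2(a.msg1())))


def lowe_attack(lowe_fix: bool) -> Optional[str]:
    """A starts a run with the intruder I; I uses A's messages to impersonate A to B.
    Returns who B accepted, or None if A aborted the run."""
    a = Initiator("A", "I", "Na", lowe_fix)
    b = Responder("B", "Nb", lowe_fix)
    intruder = "I"
    na, _ = dec(intruder, a.msg1())              # I can open {Na, A}_I
    m2 = b.msg2(enc("B", na, "A"))               # I -> B: {Na, A}_B, posing as A
    try:
        m3 = a.msg3(m2)                          # m2 is {Na, Nb}_A: I just forwards it
    except ValueError:
        return None                              # with the fix, A sees the name B and stops
    (nb,) = dec(intruder, m3)                    # A meant {Nb}_I for I, so I can open it
    return b.finish(enc("B", nb))                # I -> B: {Nb}_B; B now thinks A is present
```

Without the fix, B finishes the run believing it authenticated A even though A never spoke to B; the intruder never needs to break the encryption, only to be a legitimate peer of A. The freshness attacks the abstract also mentions concern the symmetric-key variant and are not modelled here.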


hawaii international conference on system sciences | 1999

Formal development of secure email

Dan Zhou; Joncheng C. Kuo; Susan Older; Shiu-Kai Chin

Developing systems that are assured to be secure requires precise and accurate descriptions of specifications, designs, implementations, and security properties. Formal specification and verification have long been recognized as giving the highest degree of assurance. In this paper, we describe a software development process that integrates formal verification and synthesis. We demonstrate this process by developing assured sender and receiver C++ code for a secure electronic mail system, Privacy Enhanced Mail. We use higher-order logic for system-requirements specification, design specifications and design verification. We use a combination of higher-order logic and category theory and tools supporting these formalisms to refine specifications and synthesize code. Much of our work is applicable to other secure email protocols, as our development is parameterized, component-based, and reusable.


mathematical methods models and architectures for network security systems | 2005

A modal logic for role-based access control

Thumrongsak Kosiyatrakul; Susan Older; Shiu-Kai Chin

The access-control logic of Lampson, Abadi, and their colleagues [LABW92, ABLP93] makes it possible to assure the correctness of access-control decisions by accounting correctly for identity, credentials, authority, delegation, and privileges. It can be used to describe a variety of access-control policies and to reason about their access-control decisions. However, it lacks an ability to reason about role-based access control (RBAC) [FSG+01, FBK99, FKC03, SCFY96], which is a popular technique for reducing the administrative complexity of associating users and privileges. This dissertation introduces extensions to the access-control logic that can be used to assure the correctness of RBAC access-control decisions. By implementing and extending the access-control logic in a computer-assisted reasoning tool such as the Higher Order Logic (HOL) theorem prover [GM93], the access-control logic and its extensions are proved to be sound. The result is a tool for design and verification engineers to reason about access-control policies including RBAC. In this dissertation, we explain how to use the logic to describe RBAC components, such as user assignments, permission assignments, role inheritance, role activations, and users’ requests. We also describe in detail the steps of implementing the access-control logic and its extensions in the HOL theorem prover. Administrative RBAC systems are also explored to see how the HOL theorem prover can be used to formally verify their properties and policies.


Electronic Notes in Theoretical Computer Science | 1995

Full Abstraction for Strongly Fair Communicating Processes

Stephen D. Brookes; Susan Older

We present a denotational semantics for a language of parallel communicating processes based on Hoare's CSP [10] and Milner's CCS [14], and we prove that the semantics is fully abstract with respect to a deadlock-sensitive notion of fair behavior. The model incorporates the assumption of strong fairness: every process which is enabled infinitely often makes progress infinitely often. The combination of fairness and deadlock causes problems because the "enabledness" of a process may depend on the status of other processes. We formulate a parameterized notion of strong fairness, generalizing the traditional notion of strong fairness [5] in a way that facilitates compositional analysis. We then provide a denotational semantics which uses a form of trace, augmented with information about enabledness, and is related to the failures model for CSP [2] and to Hennessy's acceptance trees [7]. By introducing closure conditions on trace sets, we achieve full abstraction [13]: two processes have the same meaning if and only if they exhibit identical behaviors in all contexts.


Information & Computation | 2000

Strong Fairness and Full Abstraction for Communicating Processes

Susan Older

We construct several denotational semantics for communicating processes that incorporate assumptions of strong (process) fairness. Strong fairness is the guarantee that every process enabled infinitely often will make progress infinitely often. Modeling fairness compositionally requires care: generally speaking, the fair computations of a command cannot be defined only in terms of the fair computations of its component commands. For this reason, we introduce the notion of parameterized fairness, which generalizes fairness sufficiently to admit a compositional characterization. In each of these semantics, a command's meaning is simply the set of fair traces representing its fair computations; each fair trace records the steps made along a computation as well as additional information made explicit by the definition of parameterized fairness. Each semantics obtains full abstraction with respect to a natural notion of strongly fair program behavior: two terms are given identical meanings precisely when they exhibit the same behaviors in all program contexts.


mathematical methods, models, and architectures for network security systems | 2007

Reasoning About Delegation and Account Access in Retail Payment Systems

Shiu-Kai Chin; Susan Older

Delegation and trust are essential to the smooth operation of large, geographically distributed systems, such as the US electronic retail payment system. This system supports billions of electronic transactions, from routine banking and store purchases to electronic commerce on the Internet. Because such systems provide the electronic fabric of our networked information society, it is crucial to understand rigorously and precisely the basis for the delegation and trust relationships in them. In this paper, we use a modal logic for access control to analyze these relationships in the context of checks (and their electronic equivalents) as payment instruments. While not free from risk, the retail payment system effectively balances trust, delegation, and risk on billions of transactions. Our logic allows us to explore with rigor the details of trust, delegation, and risk in these transactions.
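Both the RBAC paper above (A modal logic for role-based access control) and this one reason in an access-control logic whose core connectives are "says", "speaks for" and "controls". The following is an added example, not code from either paper: a small forward-chaining checker for those three connectives, with an RBAC policy (user assignment, role inheritance, role activation, permission assignment) encoded as assumptions and one delegation expressed through the ABLP hand-off rule. The RBAC encoding, the hand-off rule and the Alice/Bob/Carol policy are this example's assumptions and are not the papers' own definitions.

```python
# Added example (not from the papers): a small forward-chaining checker for the
# core of the Abadi-Lampson style access-control logic ("says", "speaks for",
# "controls"), with an RBAC policy encoded in it. The encoding of RBAC and the
# hand-off rule used for delegation are this example's assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Set, Union


@dataclass(frozen=True)
class Says:
    principal: str
    stmt: "Formula"


@dataclass(frozen=True)
class SpeaksFor:   # p => q : everything p says, q says too
    p: str
    q: str


@dataclass(frozen=True)
class Controls:    # principal is trusted on stmt
    principal: str
    stmt: "Formula"


Formula = Union[str, Says, SpeaksFor, Controls]


def derive(assumptions: Set[Formula]) -> FrozenSet[Formula]:
    """Closure of the assumptions under the inference rules below."""
    facts: Set[Formula] = set(assumptions)
    while True:
        new: Set[Formula] = set()
        for f in facts:
            if isinstance(f, Says):
                # Controls:  P controls s,  P says s   |-  s
                if Controls(f.principal, f.stmt) in facts:
                    new.add(f.stmt)
                # Speaks-for:  P => Q,  P says s   |-  Q says s
                for g in facts:
                    if isinstance(g, SpeaksFor) and g.p == f.principal:
                        new.add(Says(g.q, f.stmt))
                # Hand-off (ABLP):  P says (Q => P)   |-  Q => P
                if isinstance(f.stmt, SpeaksFor) and f.stmt.q == f.principal:
                    new.add(f.stmt)
            elif isinstance(f, SpeaksFor):
                # Transitivity:  P => Q,  Q => R   |-  P => R
                for g in facts:
                    if isinstance(g, SpeaksFor) and g.p == f.q:
                        new.add(SpeaksFor(f.p, g.q))
        if new <= facts:
            return frozenset(facts)
        facts |= new


def rbac_policy(user_assignment, role_hierarchy, permission_assignment, active):
    """Encode RBAC components as logic assumptions (example encoding):
    - an *activated* assigned role lets the user speak for the role,
    - a senior role speaks for each junior role it inherits from,
    - a role that holds a permission controls the permission statement."""
    policy: Set[Formula] = set()
    for user, role in user_assignment:
        if (user, role) in active:
            policy.add(SpeaksFor(user, role))
    for senior, junior in role_hierarchy:
        policy.add(SpeaksFor(senior, junior))
    for role, perm in permission_assignment:
        policy.add(Controls(role, perm))
    return policy


# Constructed policy: Alice is a Manager (activated), Bob a Teller (not activated);
# Manager inherits Teller; Tellers may approve withdrawals.
POLICY = rbac_policy(
    user_assignment={("Alice", "Manager"), ("Bob", "Teller")},
    role_hierarchy={("Manager", "Teller")},
    permission_assignment={("Teller", "approve_withdrawal")},
    active={("Alice", "Manager")},
)


def access_granted(requester: str, perm: str, extra=frozenset()) -> bool:
    """Grant iff the permission statement itself is derivable from
    policy + request (+ any delegation credentials in `extra`)."""
    return perm in derive(POLICY | set(extra) | {Says(requester, perm)})
```

A request is granted only when the bare permission statement is derivable; the derivation (Alice speaks for Manager, Manager speaks for Teller, Teller controls the permission) is the justification the abstracts refer to. Bob's request fails because his role is assigned but not activated, and Carol's request succeeds only once Alice's statement `Alice says (Carol speaks for Alice)` is added, which the hand-off rule turns into a delegation.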


Computer Networks | 2014

Banking on interoperability: Secure, interoperable credential management

Glenn S. Benson; Shiu-Kai Chin; Sean Croston; Karthick Jayaraman; Susan Older

An interoperable credential system allows users to reference a single asymmetric key pair to logon to multiple web sites and digitally sign transactions. Models that govern how keys are created, authorized, validated, and revoked are a crucial part of such a system. These models have security, scalability, and liability implications for businesses, so the requirements vary depending on the parties involved. However, the prevailing public key infrastructure (PKI) system does not meet these diverse needs. PKI requires a certificate authority (CA) to act as a trusted third party for the parties in a transaction. For example, PKI features a receiver key validation model that requires the receiver of the transaction to communicate with a CA to validate the sender's key used to sign a transaction. These aspects conflict with liability concerns and interoperability goals of businesses doing high-value transactions such as wholesale banking. This paper presents Partner Key Management (PKM) as a mechanism which sufficiently addresses security and liability concerns of businesses performing high-value online transactions, and uses wholesale banking as the motivating example. PKM does not rely on a trusted third party, and features several flexible revocation models to accommodate diverse regulations. PKM is not merely a proposal. Rather, the financial industry has implemented the technology in some of its wholesale banking sites, thereby securing millions of dollars of transactions every day. Finally, this paper justifies the security of PKM and its flexible revocation models, and illustrates the justification with proofs through formal logic.


Electronic Notes in Theoretical Computer Science | 1997

A framework for fair communicating processes

Susan Older

This paper describes a general framework for modeling fairness for communicating processes, based on the notion of fair traces. Intuitively, a fair trace is an abstract representation of a fair computation, providing enough structure to capture the important essence of the computation (e.g., the sequences of states encountered or the communications made along it) as well as any contextual information necessary for compositionality. The key for determining this necessary contextual information is the introduction of parameterized fairness notions, which permit compositional characterizations of fairness. In contrast, most traditional treatments of fairness are based on operational semantics [8,2] and do not lend themselves naturally to compositional reasoning. This trace framework is remarkably robust. By varying the structure of the traces, we can construct several different semantics that reflect different types of fairness assumptions for the same language of communicating processes. These semantics in turn support not only compositional reasoning about fair program behavior but also the comparison of different fairness notions and the semantic structure that they require.
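The three fairness abstracts above (Full Abstraction for Strongly Fair Communicating Processes, Strong Fairness and Full Abstraction for Communicating Processes, and this one) all rest on the same definition: a process enabled infinitely often must make progress infinitely often, where enabledness of a communicating process depends on its partner. The following is an added example, not code from any of the papers: a tiny CCS/CSP-style model with synchronous channels, two schedulers, and a direct check of strong and weak process fairness on the infinite computation each scheduler produces, represented as a lasso (finite prefix plus repeating cycle). The programs, schedulers and channel names are constructed for the example; the papers' parameterized fairness and trace semantics are not reproduced here.

```python
# Added example (not from the papers): a tiny CCS/CSP-style process model with
# synchronous channels, two schedulers, and a check of strong and weak (process)
# fairness on the infinite computation each scheduler produces. The programs
# and schedulers are constructed for illustration.
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Action = Tuple[str, ...]
Step = FrozenSet[str]            # processes that move together in one step
State = Tuple[int, ...]          # one program counter per process, in PROGRAMS order

# Each process loops over its action list. ("tau",) is an internal step; a
# ("send", ch) synchronises with a ("recv", ch) in another process, so whether
# Q or S is enabled depends on R's current state, not on Q or S alone.
PROGRAMS: Dict[str, List[Action]] = {
    "Q": [("send", "a")],
    "R": [("tau",), ("recv", "a")],
    "S": [("send", "a")],
}
NAMES = list(PROGRAMS)


def enabled_steps(state: State) -> List[Step]:
    steps: List[Step] = []
    for i, p in enumerate(NAMES):
        act = PROGRAMS[p][state[i]]
        if act[0] == "tau":
            steps.append(frozenset([p]))
        elif act[0] == "send":
            for j, q in enumerate(NAMES):
                if q != p and PROGRAMS[q][state[j]] == ("recv", act[1]):
                    steps.append(frozenset([p, q]))
    return steps


def advance(state: State, step: Step) -> State:
    return tuple((pc + 1) % len(PROGRAMS[p]) if p in step else pc
                 for p, pc in zip(NAMES, state))


# A scheduler maps (state, enabled steps, its own small counter) to
# (chosen step, new counter); the counter must range over finitely many values.
Scheduler = Callable[[State, List[Step], int], Tuple[Step, int]]


def starve_q(state, steps, k):
    """Always prefer a step that does not involve Q."""
    others = [s for s in steps if "Q" not in s]
    return (others or steps)[0], k


def rotate(state, steps, k):
    """Round robin: give the process at position k its turn whenever it can move."""
    mine = [s for s in steps if NAMES[k] in s]
    return (mine[0], (k + 1) % len(NAMES)) if mine else (steps[0], k)


Record = Tuple[Set[str], Step]   # (processes enabled before the step, processes that moved)


def run(scheduler: Scheduler) -> Tuple[List[Record], List[Record]]:
    """Run until (state, scheduler counter) repeats; return the lasso (prefix, cycle).
    The cycle describes the infinite tail of the computation."""
    state: State = tuple(0 for _ in NAMES)
    k = 0
    seen: Dict[Tuple[State, int], int] = {}
    trace: List[Record] = []
    while (state, k) not in seen:
        seen[(state, k)] = len(trace)
        steps = enabled_steps(state)
        if not steps:
            raise RuntimeError("deadlock: no process is enabled")
        chosen, k = scheduler(state, steps, k)
        trace.append((set().union(*steps), chosen))
        state = advance(state, chosen)
    start = seen[(state, k)]
    return trace[:start], trace[start:]


def unfair_processes(cycle: List[Record], strong: bool) -> Set[str]:
    """Strong fairness: enabled infinitely often => moves infinitely often.
    Weak fairness: enabled continuously (from some point) => moves infinitely often.
    On a lasso, 'infinitely often' means 'somewhere in the cycle' and
    'continuously' means 'at every step of the cycle'."""
    violators: Set[str] = set()
    for p in NAMES:
        enabled_at = [p in en for en, _ in cycle]
        moves = any(p in mv for _, mv in cycle)
        obligated = any(enabled_at) if strong else all(enabled_at)
        if obligated and not moves:
            violators.add(p)
    return violators
```

Under `starve_q`, Q is enabled only on every other step of the cycle (just after R's internal step, while R is waiting on channel a), and R always synchronises with S instead, so the computation is weakly fair but not strongly fair. Under `rotate` every process gets its turn and both checks pass. The `RuntimeError` branch in `run` is where the deadlock sensitivity of the abstracts enters: a computation that stops because no process is enabled is not a fairness violation, since a process that is never enabled again has no obligation to move.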


mathematical methods models and architectures for network security systems | 2010

Policy-based design and verification for mission assurance

Shiu-Kai Chin; Sarah Muccio; Susan Older; Thomas N.J. Vestal

Intelligent systems often operate in a blend of cyberspace and physical space. Cyberspace operations (planning, actions, and effects in realms where signals affect intelligent systems) often occur in milliseconds without human intervention. Decisions and actions in cyberspace can affect physical space, particularly in SCADA (supervisory control and data acquisition) systems. For critical military missions, intelligent and autonomous systems must adhere to commander intent and operate in ways that assure the integrity of mission operations. This paper shows how policy, expressed using an access-control logic, serves as a bridge between commanders and implementers. We describe an access-control logic based on a multi-agent propositional modal logic, show how policies are described, how access decisions are justified, and give examples of how concepts of operations are analyzed. Our experience is that policy-based design and verification is within the reach of practicing engineers. A logical approach enables engineers to think precisely about the security and integrity of their systems and the missions they support.


mathematical methods models and architectures for network security systems | 2010

Credentials management for high-value transactions

Glenn S. Benson; Shiu-Kai Chin; Sean Croston; Karthick Jayaraman; Susan Older

Partner key management (PKM) is an interoperable credential management protocol for online commercial transactions of high value. PKM reinterprets traditional public key infrastructure (PKI) for use in high-value commercial transactions, which require additional controls on the use of credentials for authentication and authorization. The need for additional controls is met by the use of partner key practice statements (PKPS), which are machine-readable policy statements precisely specifying a bank's policy for accepting and processing payment requests. As assurance is crucial for high-value transactions, we use an access-control logic to: (1) describe the protocol, (2) assure the logical consistency of the operations, and (3) make the trust assumptions explicit.

Collaboration


Dive into Susan Older's collaboration.

Top Co-Authors


Sarah Muccio

Air Force Research Laboratory


Thomas N.J. Vestal

Air Force Research Laboratory
