Authorization Yuri Gurevich with Andreas Blass, Michal Moskal, Itay - - PowerPoint PPT Presentation



SLIDE 1

Evidential Authorization

Yuri Gurevich with Andreas Blass, Michal Moskal, Itay Neeman Future of Software Engineering, Zurich, Nov 2010

SLIDE 2

“The future ain’t what it used to be.” Yogi Berra

SLIDE 3

§ MOTIVATION

Drawings by Hava Gurevich

SLIDE 4

You manage a public cloud

• Attracting fat customers
• The security problem
• A glorified blob store?
• The promise of cryptography
• The mystery of the world of brick and mortar

SLIDE 5

Example: Commerce

An involved support system

• Banks issue letters of credit
• Insurance companies underwrite the transactions and transportation
• ...

Numerous policies are enforced.

SLIDE 6

Another example: Clinical trials

Here are some actors in that drama:

Trial organizer
• CRO = Contract Research Organization = Clinical Research Organization

Trial sites
• University hospitals, for example.

Physicians, also lab technicians, auditors, etc.

SLIDE 7

Yet another example

Compliance

SLIDE 8

Lifting to the cloud

In the case of a clinical trial, we'd like all patient info to be (properly guarded) in the cloud.
• There will be another actor:

Policies must be high level.
• To allow comprehension and reasoning.

Policies must be stated formally.
• To allow automation.

Cryptography is indispensable in enforcing policies, but first we need a policy language.

SLIDE 9

Enter DKAL

Distributed Knowledge Authorization Language was created with such applications in mind.

It required foundational logic investigation.

It is in the process of tech transfer.

SLIDE 10

§ PROBLEM

SLIDE 11

Authorization used to be simple

The authorization matrix
• ACLs vs. the capability model

Problems
• Groups, exceptions and combinations of such
• From ACLs to policies
• Security, in particular privacy
• Federated scenarios

SLIDE 12

Authz is only the tip of the policy iceberg

Security policies beyond permit/deny
• “Change your password every 6 weeks.”

Policies beyond typical security
• “The physician will not see you before you fill in the questionnaire.”
• Attire: business casual

Organizations, including governments, are drowning in policies, laws, regulations, etc.

SLIDE 13

Engineering solutions

Decentralized and imperative

XACML, XrML

and weak in the semantics department

SLIDE 14

Logic-based solutions

Centralized and declarative

[Diagram: a central Engine connected to several Principals]

SLIDE 15

How to bridge the gap?

There is a genuine tension between logic and federated scenarios.

Logic is centralized and declarative. Federated scenarios are decentralized and imperative.

SLIDE 16

§ RELATIVITY

SLIDE 17

Infons

Real-world statements are rarely simply true or false.

1. Turning right on a red light is legal.
2. This picture is beautiful. Haggis is edible.

In case 1, as in relativity theory, the value (in this case the truth value) depends on the observer's place. In case 2, the truth value may be ill-defined even for observers.

Forget about truth values and treat statements as pieces of information, infons. It is not about whether the infon is true or false; it is about which parties know the infon and which don't.

SLIDE 18

Infon logic

Infon logic happens to be a conservative extension of the well-known constructive (aka intuitionistic) logic.

The extension is by means of the connectives “p said x” and “p implied x”. (The first is essentially a special case of the second; we'll return to the issue.)

“P is trusted on saying x” abbreviates “(P said x) → x”. And similarly for implying x.

SLIDE 19

Knowledge vs. information

Plato's Theaetetus

Infon logic is sort of an information theory. So-called epistemic logics are really about information as well.

Infon logic is not an intuitionistic version of known knowledge logics. There you have “Yuri knows that Bertrand knows x”. But Yuri only knows what Bertrand said or implied.

Knowledge remains informal.

The omniscience paradox

SLIDE 20

Algorithmics

Primal infon logic

The linear-time decision procedure

SLIDE 21

§ FEDERATION

SLIDE 22

Communicating principals

The DKAL world consists of communicating principals. There is nothing else.

Principals live in their own states, control their privacy and compute their knowledge.

SLIDE 23

The state of a principal

Conceptually, state = substrate + infostrate.

The substrate is a database (or a collection of such).

For example, the substrate of a trial organizer may contain, for each trial, a relation where each row is an actual or potential trial site.

SLIDE 24

Infostrate

Knowledge assertions
• These are infons (syntactically, infon formulas)

Communication rules

Filters

SLIDE 25

What does a principal know?

1. Knowledge assertions
• He may have some knowledge assertions from birth
• An incoming message may result in a new knowledge assertion.
• Assertions may be deleted.

2. Results of infon-logic deductions from his valid assertions.

SLIDE 26

Remarks

It is not necessary that every principal speaks DKAL.
• Guido's work on a DKAL adjudication engine for XACML.

Having communication in the language facilitates analysis of multiple policies.

SLIDE 27

§ COMMUNICATION

SLIDE 28

Declarative is too narrow

This is really a separate lecture.
• Declarative vs. high-level
• The EU suit against Microsoft

SLIDE 29

Communication rules

    if premise
    then send [justified] to recipient content

Here premise and content are infon formulas and recipient is a term.

How does it work?

SLIDE 30

One abbreviation

    if premise then say [justified] to recipient content

for

    if premise then send [justified] to recipient sender said content

SLIDE 31

§ EVIDENTIAL DKAL

Most fascinating is a feature that would make any journalist tremble. Tuyuca requires verb-endings to show how the speaker knows something. Diga ape-wi means “the boy played soccer (I saw him)”. Diga ape-hiyi means “the boy played soccer (I assume)”. English can provide such information, but for Tuyuca that is obligatory.

-- The Economist, January 1, 2010 (slightly simplified)

SLIDE 32

Simple justifications of principal A

If ϕ has the form (A said α) or (A implied α), then a cryptographic signature of principal A under (a strong hash of) ϕ is a justification for ϕ. (The first is essentially a special case of the second.)

SLIDE 33

Composite justifications of A

A justification for an arbitrary infon formula ϕ is a derivation of ϕ in infon logic from simple justifications and axioms of shared theories, e.g. arithmetic.
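As an added example (not from the talk and not DKAL's own implementation), the Go code below models the say abbreviation of SLIDE 30, the simple justification of SLIDE 32, and the smallest composite justification: the trusted-on rule of SLIDE 18, (P said x) → x, applied to a verified "P said x". The canonical string form of infons, the KeyMgr map, SHA-256 as the strong hash, Ed25519 as the signature scheme, and the trustedOn policy callback are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// Infon is a piece of information; the canonical string form used here is an assumption of this example, not DKAL syntax.
type Infon string
// Said builds the infon "p said x".
func Said(p string, x Infon) Infon { return Infon(p + " said " + string(x)) }
// Message is content plus a simple justification: the sender's signature under a strong hash (SHA-256) of the formula.
type Message struct {
	Sender  string
	Content Infon
	Sig     []byte
}
// KeyMgr stands in for the key-manager role: the public key held for each known principal (assumed here).
type KeyMgr map[string]ed25519.PublicKey
// NewKey generates a principal's Ed25519 key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
// Say abbreviates "send justified ... sender said content": the sender signs SHA-256(phi) with phi = "sender said content".
func Say(sender string, priv ed25519.PrivateKey, x Infon) Message {
	phi := Said(sender, x)
	h := sha256.Sum256([]byte(phi))
	return Message{Sender: sender, Content: phi, Sig: ed25519.Sign(priv, h[:])}
}
// Verify checks a simple justification: the content must have the form "sender said ..." and the signature
// must verify under the key held for that sender; an unknown sender or altered content yields no justification.
func Verify(keys KeyMgr, m Message) bool {
	pub, ok := keys[m.Sender]
	if !ok || !strings.HasPrefix(string(m.Content), m.Sender+" said ") {
		return false
	}
	h := sha256.Sum256([]byte(m.Content))
	return ed25519.Verify(pub, h[:], m.Sig)
}
// Derive applies "P is trusted on saying x", i.e. (P said x) -> x: a justified "P said x" from a sender
// the recipient's policy trusts on x yields x itself; otherwise only the signed "P said x" is known.
func Derive(keys KeyMgr, trustedOn func(string, Infon) bool, m Message) (Infon, bool) {
	if !Verify(keys, m) {
		return "", false
	}
	x := Infon(strings.TrimPrefix(string(m.Content), m.Sender+" said "))
	return x, trustedOn(m.Sender, x)
}
```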

SLIDE 34

§ CLINICAL TRIALS

SLIDE 35

To demo or not to demo

The demo requires
• an internet connection (to use an SQL engine in the cloud),
• time.

SLIDE 36

Instead of the demo

...

[Diagram: Org, Site, Site, Phys, Phys, KeyMgr]