Access Control
Martin Abadi UCSC


Says
  -- represents communication across contexts
     (abstracts from the details of authentication)

Choosing Axioms
  -- Standard modal logic (as shown above)
  -- Less (treat "says" syntactically, with no special rules)
  -- More (a stronger version, e.g. the axiom S -> (A says S))

Semantics
  A principal may be mapped to a binary relation on
  possible worlds.
  e.g.
    A says S holds at world w
    iff
    S holds at world w'
    for every w' such that wAw'
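The relational semantics above, written out as a small model checker. This is an added example, not material from the talk; the worlds, the relations REL and the valuation VAL are constructed for illustration. It also checks the candidate axioms from Choosing Axioms against the model: the standard modal axiom K holds in every such model, while the stronger S -> (A says S) holds only for a principal whose relation is contained in the identity. A principal with an empty relation (Z below) "says" everything, including contradictions, which is why the choice of relation matters.

```python
"""Added example (not from the talk): possible-worlds semantics of "says".

A formula is an atom (str), ("not", f), ("and", f, g), ("implies", f, g)
or ("says", P, f).  Each principal P is a binary relation REL[P] on WORLDS,
and VAL gives the worlds at which each atomic statement holds.
Model, relations and valuation are all constructed for this example."""

WORLDS = {"w0", "w1", "w2"}

# wPw' means: at w, principal P admits w' as possible.
REL = {
    "A": {("w0", "w1"), ("w0", "w2"), ("w1", "w1"), ("w2", "w2")},
    "B": {("w0", "w0"), ("w1", "w1"), ("w2", "w2")},   # identity: B only says what is true
    "Z": set(),                                         # no successors anywhere
}
VAL = {"delete": {"w1", "w2"}, "pay": {"w1"}}

def holds(formula, w):
    """Truth of formula at world w; the "says" case is the iff clause from the notes."""
    if isinstance(formula, str):
        return w in VAL.get(formula, set())
    op = formula[0]
    if op == "not":
        return not holds(formula[1], w)
    if op == "and":
        return holds(formula[1], w) and holds(formula[2], w)
    if op == "implies":
        return (not holds(formula[1], w)) or holds(formula[2], w)
    if op == "says":
        principal, f = formula[1], formula[2]
        successors = [w2 for (w1, w2) in REL[principal] if w1 == w]
        return all(holds(f, w2) for w2 in successors)   # vacuously true if no successors
    raise ValueError("unknown connective %r" % (op,))

def valid(formula):
    """True iff the formula holds at every world of the model."""
    return all(holds(formula, w) for w in WORLDS)

def speaks_for(a, b):
    """Semantic speaks-for: a says S implies b says S for every S; in the
    relational model this is containment of b's relation in a's."""
    return REL[b] <= REL[a]

def axiom_k(p, s, t):
    """Standard modal axiom K: P says (S -> T) -> (P says S -> P says T)."""
    return ("implies", ("says", p, ("implies", s, t)),
            ("implies", ("says", p, s), ("says", p, t)))

def axiom_strong(p, s):
    """The stronger candidate from Choosing Axioms: S -> (P says S)."""
    return ("implies", s, ("says", p, s))

if __name__ == "__main__":
    print(holds(("says", "A", "delete"), "w0"))          # True
    print(holds(("says", "A", "pay"), "w0"))             # False: w2 is A-possible, no pay there
    print(valid(axiom_k("A", "delete", "pay")))          # True in any model
    print(valid(axiom_strong("B", "delete")))            # True: B's relation is the identity
    print(valid(axiom_strong("A", ("not", "delete"))))   # False
    print(valid(("says", "Z", ("and", "delete", ("not", "delete")))))  # True: Z says everything
```

Because Z's relation is empty, Z says every formula, and therefore speaks for every principal in this model; an implementation that maps an unknown or compromised key to "no constraints" has exactly this failure mode.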
 
Proof strategies
  Style of proofs:
    - Hilbert systems
    - Tableaux (Massacci, 1997)
  Proof distribution
    - done at the reference monitor
    - partial proofs provided by clients
    - with certificates pulled or pushed

Compound Principals
  Represent a richer class of sources for requests
    A \and B
    A for B
    A quoting B
    A as R		(e.g. Alice as Reviewer)
  A \and B speaks for A, etc.

Groups
  - we may represent each group by a principal
  - in practice, it is harder to know when A is not a
    member of G (there is no central database of group
    membership)

Running programs
  - programs need not be fully trusted

  e.g.
    CA, a certification authority, with public key K(CA)
    WS, a workstation, with public key K(WS)
    OS, an operating system, with no key of its own
    (WS as OS), the resulting node, with ephemeral public key
      K(n)
    bwl, a user, with public key K(bwl)
    K(del), an ephemeral delegation key for the node acting for bwl
    C, a secure channel to a file server
    SysAdm, a system-administrator role

    K(CA) says (K(WS) speaks for WS)
    K(WS) says (K(n) speaks for (WS as OS))
    K(CA) says (K(bwl) speaks for bwl)
    K(bwl) says (K(del) speaks for ((WS as OS) for bwl))
    K(n) says (K(del) speaks for ((WS as OS) for bwl))
      -- both the user and the node agree on the delegation key
    K(del) says (C speaks for ((WS as OS) for bwl))
    
    C says good-to-delete-file1
    And we may deduce (trusting K(CA) for the naming certificates,
    and using the hand-off rule for the remaining keys):
      ((WS as OS) for bwl) says good-to-delete-file1

    K(CA) says ((WS as OS) speaks for TrustedNode)
    K(CA) says (bwl speaks for SysAdm)
    then deduce:
      (TrustedNode for SysAdm)
         says good-to-delete-file1
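The derivation just sketched, replayed by a small forward-chaining engine. This is an added example and not code from the talk or from the Taos system; the rule set is a simplified fragment of the logic (reflexivity and transitivity of speaks-for, "says" transferring along speaks-for, hand-off, A speaks for (A as R), delegation established only when delegator and delegate agree on the key, and monotonicity of "for"), and the reference monitor's trust in K(CA) for naming certificates is an assumption of the example, written down as a rule rather than left implicit.

```python
"""Added example (not from the talk): forward chaining over the certificates
in the running-programs example, with the trust assumptions made explicit.

Terms: ("key", k) / ("name", n) are atomic principals, ("as", A, R) is
A as R, ("for", A, B) is A for B.  A statement is speaks_for(P, Q) or an
atom (a plain string).  Facts are says(P, stmt) and speaks_for(P, Q)."""

def key(k):            return ("key", k)
def name(n):           return ("name", n)
def as_role(a, r):     return ("as", a, r)
def for_(a, b):        return ("for", a, b)
def speaks_for(p, q):  return ("speaks_for", p, q)
def says(p, s):        return ("says", p, s)

K_CA, K_WS, K_N, K_BWL, K_DEL = (key(k) for k in ("CA", "WS", "n", "bwl", "del"))
WS, OS, BWL, C = name("WS"), name("OS"), name("bwl"), name("C")
TRUSTED_NODE, SYSADM = name("TrustedNode"), name("SysAdm")
NODE = as_role(WS, OS)           # (WS as OS)
NODE_FOR_BWL = for_(NODE, BWL)   # ((WS as OS) for bwl)
REQ = "good-to-delete-file1"

# The certificates and channel messages listed in the notes.
CERTS = {
    says(K_CA, speaks_for(K_WS, WS)),
    says(K_WS, speaks_for(K_N, NODE)),
    says(K_CA, speaks_for(K_BWL, BWL)),
    says(K_BWL, speaks_for(K_DEL, NODE_FOR_BWL)),
    says(K_N, speaks_for(K_DEL, NODE_FOR_BWL)),      # the node agrees on the delegation key
    says(K_DEL, speaks_for(C, NODE_FOR_BWL)),
    says(C, REQ),
    says(K_CA, speaks_for(NODE, TRUSTED_NODE)),
    says(K_CA, speaks_for(BWL, SYSADM)),
}
# Reference monitor's ACL (constructed): who must have said each request.
ACL = {REQ: for_(TRUSTED_NODE, SYSADM)}

def principals(term, acc):
    """Collect every principal sub-term occurring in a fact or statement."""
    if isinstance(term, tuple):
        if term[0] in ("key", "name", "as", "for"):
            acc.add(term)
        for sub in term[1:]:
            principals(sub, acc)
    return acc

def universe_of(certs, acl):
    acc = set()
    for f in certs:
        principals(f, acc)
    for p in acl.values():
        principals(p, acc)
    return acc

def closure(facts, universe):
    """Apply the rules until no new fact appears (finite universe, so it terminates)."""
    facts = set(facts)
    while True:
        new = set(facts)
        for p in universe:
            new.add(speaks_for(p, p))                               # reflexivity
            if p[0] == "as":
                new.add(speaks_for(p[1], p))                        # A speaks for (A as R)
        sf = {(f[1], f[2]) for f in facts if f[0] == "speaks_for"}
        for (p, q) in sf:
            for (q2, r) in sf:
                if q == q2:
                    new.add(speaks_for(p, r))                       # transitivity
        for f in facts:
            if f[0] != "says":
                continue
            who, stmt = f[1], f[2]
            for (p, q) in sf:
                if p == who:
                    new.add(says(q, stmt))                          # says transfers along speaks-for
            if isinstance(stmt, tuple) and stmt[0] == "speaks_for":
                if who == K_CA:
                    new.add(stmt)                                   # ASSUMPTION: K(CA) trusted for naming certs
                if stmt[2] == who:
                    new.add(stmt)                                   # hand-off: Q says (P speaks for Q)
                target = stmt[2]
                if target[0] == "for" and who == target[2]:         # B says (D speaks for (A for B)) ...
                    if says(target[1], stmt) in facts:              # ... and A says the same
                        new.add(stmt)                               # delegation by agreement
        fors = [p for p in universe if p[0] == "for"]
        for a, b in ((x[1], x[2]) for x in fors):
            for a2, b2 in ((y[1], y[2]) for y in fors):
                if (a, a2) in sf and (b, b2) in sf:
                    new.add(speaks_for(for_(a, b), for_(a2, b2)))   # monotonicity of "for"
        if new == facts:
            return facts
        facts = new

def authorized(request, certs=CERTS, acl=ACL):
    """Reference monitor: grant iff the ACL principal is derived to have said the request."""
    if request not in acl:
        return False
    derived = closure(certs, universe_of(certs, acl))
    return says(acl[request], request) in derived

if __name__ == "__main__":
    print(authorized(REQ))                                                        # True
    print(authorized(REQ, CERTS - {says(K_N, speaks_for(K_DEL, NODE_FOR_BWL))}))  # False
```

Dropping the node's own statement about K(del) leaves only the user's half of the delegation, and the request is refused; replacing it with a statement from an unrelated key does not help either, because nothing makes that key speak for the node.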

Applications:
  -- Security in an OS (Wobber et al., 1994)
  -- An account of security in JVMs (Wallach and Felten, 1998)
  -- A Web access-control system (Bauer, Schneider and Felten, 2002)

Other languages and systems
  PolicyMaker, KeyNote
  SDSI (Lampson, Rivest)
  SPKI
  D1LP and RT
  SD3
  Binder
  XrML 2.0
  ...
  Several of the most recent are based on ideas and techniques from
  logic programming

SDSI (Simple Distributed Security Infrastructure)
  -- support for hierarchical public-key certificates (like X.509)
  -- support for local name spaces
     (each principal can bind local names at will)
  -- local name spaces can be linked
  -- allows definitions of groups and ACLs

  In SDSI, "principals are public keys"
  e.g.
      lawyer -> K means
         lawyer is K, or
         K speaks for lawyer
  Only the asymmetric meaning is viable (speaks for).

Name resolution algorithm
Some axioms (Abadi, 1998)
Some semantics (borrowed from modal logic)

Alternative axioms (Halpern, van der Meyden, 2001)

Binder (Prolog-like, Datalog)
  e.g.
     Facts
     - owns(Alice, Foo.txt)
     - Alice says good(Bob)
     Rules
     - may_access(p, o) :- owns(q, o), blesses(q, p)
     Conclusions
       (whatever follows from the facts and rules by Datalog evaluation)

  e.g.
    Suppose F has the rules
     - may_access(p, o) :- owns(q, o), blesses(q, p)
     - blesses(Alice, p) :- Alice says good(p)
     - Alice says good(Bob)
    D may import the first two with "F says", but not the
    last one (a statement that already carries "says" cannot
    be quoted again; Binder has no nested "says").

  -- Can define and use new application-specific predicates.
  -- Each statement can be read as a declarative English sentence, and
     query evaluation is decidable in PTIME.
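The import step above, worked through with a toy Datalog evaluator. This is an added example, not Binder's implementation: the term encoding, the "?"-prefixed variables and the treatment of already-quoted body atoms (kept as they are, since Binder has no nested "says") are conventions assumed here, and the certificate "Alice says good(Bob)" that D receives is constructed. F's own copy of that certificate is not importable, so D grants access only if Alice's statement reaches D directly.

```python
"""Added example (not Binder's own code): Datalog with Binder-style quoting.

Conventions of this example: an atom is a tuple (predicate, arg, ...);
a quoted atom is ("says", principal, atom); strings beginning with "?" are
variables, anything else is a constant.  A rule is (head, [body atoms]);
a fact is a rule with an empty body."""

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subst(term, env):
    if is_var(term):
        return env.get(term, term)
    if isinstance(term, tuple):
        return tuple(subst(t, env) for t in term)
    return term

def unify(pattern, fact, env):
    """Match a (possibly quoted) atom pattern against a ground fact; None on failure."""
    if is_var(pattern):
        bound = env.get(pattern)
        if bound is None:
            return {**env, pattern: fact}
        return env if bound == fact else None
    if isinstance(pattern, tuple):
        if not isinstance(fact, tuple) or len(pattern) != len(fact):
            return None
        for p, f in zip(pattern, fact):
            env = unify(p, f, env)
            if env is None:
                return None
        return env
    return env if pattern == fact else None

def quote(principal, atom):
    """Prefix an imported atom with '<principal> says'; an atom that is already
    quoted is kept unchanged (assumed treatment: no nested says in Binder)."""
    return atom if atom[0] == "says" else ("says", principal, atom)

def import_from(principal, statements):
    """Import a context's statements.  A statement whose head is already quoted
    cannot be exported (it would need a nested says) and is dropped."""
    imported = []
    for head, body in statements:
        if head[0] == "says":
            continue
        imported.append((quote(principal, head), [quote(principal, b) for b in body]))
    return imported

def evaluate(rules):
    """Naive bottom-up Datalog evaluation to a fixpoint; returns the set of ground facts."""
    facts = set()
    while True:
        new = set(facts)
        for head, body in rules:
            envs = [{}]
            for atom in body:
                envs = [e2 for e in envs for f in facts
                        for e2 in [unify(atom, f, e)] if e2 is not None]
            for e in envs:
                new.add(subst(head, e))
        if new == facts:
            return facts
        facts = new

# Context F, as in the notes (owns(Alice, Foo.txt) taken from the first example).
F_STATEMENTS = [
    (("owns", "Alice", "Foo.txt"), []),
    (("says", "Alice", ("good", "Bob")), []),            # cannot be exported
    (("may_access", "?p", "?o"), [("owns", "?q", "?o"), ("blesses", "?q", "?p")]),
    (("blesses", "Alice", "?p"), [("says", "Alice", ("good", "?p"))]),
]

def d_context(alice_cert=True):
    """Context D: F's imported statements, Alice's certificate as received by D
    itself (constructed), and a local rule trusting F on may_access."""
    rules = import_from("F", F_STATEMENTS)
    if alice_cert:
        rules.append((("says", "Alice", ("good", "Bob")), []))
    rules.append((("may_access", "?p", "?o"),
                  [("says", "F", ("may_access", "?p", "?o"))]))
    return rules

def can_access(principal, obj, alice_cert=True):
    return ("may_access", principal, obj) in evaluate(d_context(alice_cert))

if __name__ == "__main__":
    for head, body in import_from("F", F_STATEMENTS):
        print(head, ":-", body)
    print(can_access("Bob", "Foo.txt"))                    # True
    print(can_access("Bob", "Foo.txt", alice_cert=False))  # False
```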

Similarities in Data Integration
  Integrate multiple sources of data
  TSIMMIS and MSL
    - X@s corresponds to 's says X'
  Distributed access control is partly about "data integration"

  -- MSL and Binder are used in different environments and for
     different purposes
  -- Security is primarily a property of systems, not of languages.

Proof-carrying Code (PCC)
(Necula and Lee, 1996)
  -- also based on logic
  -- concerned with an authorization decision (running code)
