Type Based Distributed Access Control
Tom Chothia
École Polytechnique
Joint work with Dominic Duggan (Stevens) and Jan Vitek (Purdue)

Motivation
Our aim is to use types to place conditions on how data may be distributed.
Consider a computer with public and private data:
(Diagram built up over several slides; not recoverable from the slide text.)

Talk outline
Review: Decentralized Label Model (DLM)
– Local Access Control
Key Based Decentralized Label Model (KDLM)
– Distributed Access Control and Cryptography
The Jeddak Language
Conclusions

Local Access Control
Local Access Control restricts access to data.
Any read or write attempts are dynamically checked.
There are no restrictions on authorized copies of data.

Types for Information Flow
High and Low security types.
No read up. No write down.
A total order. Even a lattice.
(Diagram: the two-point lattice, high above low.)

Types for Information Flow
Secrecy is dual to Integrity.
Declassification?

Types for Information Flow
x: int high; y: int low;
Can do:
x = x + 2; x = y + 2; if x > y then x = y;
Can't do:
y = x;
if x > y then y = 0;
if guess = pwd then reject;
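The "can do" / "can't do" lists above are exactly what a checker for the two-point lattice decides. The following is an added example, not code from the slides: a small information-flow type checker over a tuple-encoded program syntax, with a program-counter label so that assignments inside a branch on high data count as writes of high data (this is what rejects the two implicit flows). The tuple syntax, the `IllegalFlow` exception and the choice to model `reject` as an assignment to a low-labelled output variable are this example's own assumptions.

```python
# Added example: a minimal checker for the lattice low <= high.
# "No read up, no write down" is enforced at every assignment, with the
# program counter (pc) raised to high inside branches on high conditions.

LEVELS = {"low": 0, "high": 1}


class IllegalFlow(Exception):
    """Raised when a statement would move information from high to low."""


def leq(a, b):
    """a is at most as secret as b."""
    return LEVELS[a] <= LEVELS[b]


def join(a, b):
    """Least upper bound: the more secret of the two levels."""
    return a if LEVELS[a] >= LEVELS[b] else b


def level_of(expr, env):
    """Level of an expression: int constants are low, a variable has the level
    declared in env, a binary operation has the join of its operands' levels."""
    if isinstance(expr, int):
        return "low"
    if isinstance(expr, str):
        return env[expr]
    _op, lhs, rhs = expr
    return join(level_of(lhs, env), level_of(rhs, env))


def check(stmts, env, pc="low"):
    """Type-check statements ("assign", var, expr) and
    ("if", cond, then_stmts, else_stmts).  `pc` is the label of the current
    control context; it is joined into every assignment so that a low variable
    cannot be written inside a branch that depends on high data."""
    for stmt in stmts:
        if stmt[0] == "assign":
            _, var, expr = stmt
            source = join(level_of(expr, env), pc)
            if not leq(source, env[var]):
                raise IllegalFlow(f"{source} data flows into {var}:{env[var]}")
        elif stmt[0] == "if":
            _, cond, then_stmts, else_stmts = stmt
            branch_pc = join(pc, level_of(cond, env))
            check(then_stmts, env, branch_pc)
            check(else_stmts, env, branch_pc)
        else:
            raise ValueError(f"unknown statement {stmt!r}")


def is_well_typed(stmts, env):
    """True if every statement respects 'no read up, no write down'."""
    try:
        check(stmts, env)
        return True
    except IllegalFlow:
        return False


# Declarations from the slide (x high, y low).  The labels for pwd, guess and
# the low output variable `reject` are assumptions for the password example.
ENV = {"x": "high", "y": "low", "pwd": "high", "guess": "low", "reject": "low"}

CAN_DO = [
    ("assign", "x", ("+", "x", 2)),                        # x = x + 2
    ("assign", "x", ("+", "y", 2)),                        # x = y + 2
    ("if", (">", "x", "y"), [("assign", "x", "y")], []),   # if x > y then x = y
]

CANNOT_DO = [
    [("assign", "y", "x")],                                          # y = x
    [("if", (">", "x", "y"), [("assign", "y", 0)], [])],             # if x > y then y = 0
    [("if", ("=", "guess", "pwd"), [("assign", "reject", 1)], [])],  # if guess = pwd then reject
]

if __name__ == "__main__":
    print("can do:", is_well_typed(CAN_DO, ENV))
    print("can't do:", [is_well_typed(p, ENV) for p in CANNOT_DO])
```

The second and third rejected programs contain no direct assignment of `x` or `pwd` to a low variable; they are caught only because the branch condition raises `pc`, which is the part of the rule a naive "check each assignment's right-hand side" implementation misses.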

J.I.F. and the Decentralized Label Model (DLM)
Program variable x
– Has data type int
– Has label with policies
  Bob : {bob, jane, mike}
  Mary : {bob, jane, mary}
– Is accessible by bob and jane
– Access control checked by type checking

DLM Types for Information Flow
DLM, bottom half of lattice.
No one has an automatic right to read your data.
(Diagram: lattice over the principals Alice, Bob and Eve.)

Declassification in the DLM
Data has type {L1, L2, L3} int
L1 = bob : { bob, jane }
L2 = mary : { bob, jane, mary }
L3 = jane : { jane, tim }
Only Jane can access data
L3 declassified to jane : { jane, tim, bob }
Now Jane and Bob can access the data
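The three slides above (label with policies, access by intersection, declassification by the policy owner) can be checked mechanically. The following is an added example, not code from the slides: DLM-style labels as a mapping from owner to reader set, with the effective reader set computed as the intersection the slides describe, the DLM relabeling and join rules, and a `declassify` operation that refuses any principal other than the policy's owner. All names and the API are this example's own; the label values are the slide's.

```python
# Added example: DLM labels as owner -> readers policies.


class NoAuthority(Exception):
    """Raised when a principal tries to relax a policy it does not own."""


def effective_readers(label, principals):
    """Who may read data carrying `label`: start from all principals and
    intersect with every policy's reader set (an empty label is public)."""
    allowed = set(principals)
    for readers in label.values():
        allowed &= set(readers)
    return frozenset(allowed)


def can_relabel(src, dst):
    """src may be copied into a variable labelled dst only if dst is at least
    as restrictive: every policy of src appears in dst with no extra readers."""
    return all(owner in dst and set(dst[owner]) <= set(readers)
               for owner, readers in src.items())


def join(l1, l2):
    """Label of an expression combining data labelled l1 and l2: the union of
    the policies; a shared owner keeps the intersection of its reader sets."""
    out = {owner: set(readers) for owner, readers in l1.items()}
    for owner, readers in l2.items():
        out[owner] = out[owner] & set(readers) if owner in out else set(readers)
    return out


def declassify(label, acting, owner, new_readers):
    """Copy of `label` with owner's policy replaced by new_readers; only the
    owner itself has the authority to do this."""
    if acting != owner:
        raise NoAuthority(f"{acting} cannot rewrite {owner}'s policy")
    new = {o: set(r) for o, r in label.items()}
    new[owner] = set(new_readers)
    return new


def rejected(fn, *args):
    """True if the call is refused for lack of authority."""
    try:
        fn(*args)
        return False
    except NoAuthority:
        return True


# Constructed from the slide: {L1, L2, L3} int, then L3 relaxed by jane.
PRINCIPALS = {"bob", "jane", "mary", "tim", "mike"}
L1_L2_L3 = {"bob": {"bob", "jane"},
            "mary": {"bob", "jane", "mary"},
            "jane": {"jane", "tim"}}
RELAXED = declassify(L1_L2_L3, "jane", "jane", {"jane", "tim", "bob"})

if __name__ == "__main__":
    print(sorted(effective_readers(L1_L2_L3, PRINCIPALS)))  # only jane
    print(sorted(effective_readers(RELAXED, PRINCIPALS)))   # bob and jane
    print(rejected(declassify, L1_L2_L3, "bob", "jane", {"jane", "bob"}))
```

`can_relabel(RELAXED, L1_L2_L3)` holds while `can_relabel(L1_L2_L3, RELAXED)` does not: a copy may always become more restrictive, and the only way to move data to the less restrictive label is the owner's explicit `declassify`.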

DLM
Data is protected by its type.
Each attempt to copy data is statically checked at compile time.
Copies of data have the same type and hence the same protection.
Data sent outside the type checked area is no longer protected.

Minimize the Trusted Computing Base
(Diagram: the layered stack Network, Communication, Application, with the labels Protocol and Security, compared for the DLM and for the KDLM.)

KDLM: Connecting Keys and Access Restrictions
Key names have policies (ACLs)
– K has policy: Joe : {Jane, Mike, Sam}
– Public-private key pair for key name
– Private key protected by access restrictions
Labels are sets of key names
– Access restricted to intersection of policies (ACLs)

Keys, Labels and Certificates
Key & Policy: K : Key[ bob : {mary,sam,bob} ]
Label: {K1, K2, … , Kn}
Labeled Type: T {K1,..,Kn} , {K1',..,Km'}
Declassification Cert Types: K1 declassifies K2

KDLM
As with the DLM, data is protected by its type.
But the data can also be protected by encryption.
Encryption protects data leaving the trusted area.
Keys are protected in the same way as data.

Labeled Keys
K : Key ( P:{P1,…,Pk} )
a+ : [ EncKey ( K ) ]
a- : [ DecKey ( K ) ]L
Key names exist at the type level.

Why Key-Based DLM?
Some form of structural equivalence/inclusion on labels is still needed
e1 has label L1
e2 has label L2
"If e then e1 else e2" has the join of labels L1 and L2
Who would own the result label if it was named?

Why Key-Based DLM?
Suppose we added reclassification certs to DLM
e1 has label {Joe:{Mary,Sue}}
e2 has label {Joe:{Mary,Sue}}
Joe can declassify e1's label: declassify ({Joe:{Mary,Sue,Sam}}, e1)
Suppose Joe issues certificate: Joe:{Mary,Sue,Sam} declassifies Joe:{Mary,Sue}
Then e2 can also be declassified!

Key Type Rules
New names are created by the right principal.
Restrictions on who may use a key are greater or equal to the restrictions implied by the key name.
All of the keys named in the label are provided for encryption.
Decrypted data is assigned the labels from the keys used to decrypt.
K1 has policy: bob : {bob, jane}
K2 has policy: mary : {bob, jane, mary}
K3 has policy: jane : {jane}
(Diagram: a value of type {K1, K2, K3} Encrypted(int) shared between Jane, Bob and Mary. Each principal holds the keys whose policies list them: Jane holds K1, K2 and K3, Bob holds K1 and K2, Mary holds K2. Only Jane holds all three keys and so only Jane can decrypt.)

Types, Principals, Key Names
(Table: three kinds. Kind Type: the types int, DecKey K, EncKey K and [T]L,L', with values such as 3, k-, k+ and x. Kind Prin: principals P. Kind Key Name: key names K with arity Key ( P:{P1…Pk} ).)

Kinds, Types, Labels
(Subscripts are written after an underscore, e.g. encrypt_K.)
Arities, Kinds
A ::= Prin | Key_F[P:{P1…Pk}] | Type
Flags
F ::= Virtual | Actual
Key names, Principals, Types
K,P,T ::= k, p, t
        | DecKey_K | EncKey_K | AuthKey_K | SignKey_K
        | K1 reclassifies K2
        | E{LT} | S{LT} | Chan_LT
        | t:A LT   (existential package type; the quantifier symbol was lost in extraction)
Labels
L ::= {K1,…,Km}
Labeled types
LT ::= [T]_L1,L2
Expressions
E ::= newKey k:A {e} | newKey k:A (a+:LT1, a-:LT2) {e}
    | encrypt_K(e1,…,ek,e) | decrypt_K1,K2(e1,…,ek,e) | sign_K1,K2(e1,…,ek,e) | auth_K(e1,…,ek,e)
    | reclassifyCert_K1,K2() | reclassifyCert_K1,K2(e) | chain_K1,K2,K3(e1,e2)
    | x, y, z, w | a, b, c, n
    | new(n:LT){e} | fork{e} | send(e1,e2) | receive(a)
    | pack_t:A LT(K,e) | unpack e1 to k:A (x:LT){e2}

KDLM Type Rules for Keys
TE |- K : Key ( P: { Ps } )    P in ( L2 PRINS of TE )    ( L1 PRINS of TE ) subset of { Ps }
----------------------------------------------------------------------------------------
TE |- [ DecKey(K) ]L1,L2

TE |- K : Key ( P: { Ps } )    P in ( L2 PRINS of TE )
-------------------------------------------------------
TE |- [ EncKey(K) ]L1,L2

TE;VE |- { Keyi } : { [ EncKey(Ki) ]L1,L1' }    TE;VE |- data : [T]L0,L'    L0 = {Ki}
--------------------------------------------------------------------------------------
TE;VE |- encrypt ( { Keyi } , data ) : [E{T}]{},L'

TE;VE |- { Keyi } : { [ DecKey(Ki) ]L2,L2' }    TE;VE |- data : [E{T}]{},L'    L = {Ki}
----------------------------------------------------------------------------------------
TE;VE |- decrypt ( { Keyi } , data ) : [T]L,L'

Correctness
Theorem 1: (Subject reduction)
Types are preserved by reduction, therefore no data leaks.
Theorem 2: (Progress)
Any expression that isn't a value can be reduced, or it is a mismatched decryption.

Jeddak
Generic Java extended with distributed access control using keys
Jeddak extends Java with
– Principals
– Key names
– Labels and policies

GJ: Generic Java
Type: int, string, Object, Vector, ….
Vector returns Objects.
Generic type: Vector<int>, MyObject<YourObject>

The Java Crypto API
KeyPair pair = keyGen.generateKeyPair();
PrivateKey priv_key = pair.getPrivate();
PublicKey pub_key = pair.getPublic();
Cipher enCipher = Cipher.getInstance("...");
enCipher.init(Cipher.ENCRYPT_MODE, pub_key);
enCipher.doFinal(data);

Approximate Jeddak Crypto API
KeyPair<KeyNm> pair = keyGen.generateKeyPair();
PrivateKey<KeyNm> priv_key = pair.getPrivate();
PublicKey<KeyNm> pub_key = pair.getPublic();
Cipher<KeyNameSet> enCipher = Cipher.getInstance("...");
enCipher.init(Cipher.ENCRYPT_MODE, pub_key_array);
enCipher.doFinal(data);

Key Agreement
KeyAgreement.init( key );
Key key1 = KeyAgreement.doPhase( key, lastFlag );
SecretKey KeyAgreement.generateSecret( "…" );

Key Agreement (Jeddak)
KeyAgreement.init( key );
Key<Label> key1 = KeyAgreement.doPhase( key, lastFlag );
SecretKey<Label> KeyAgreement.generateSecret( "…" );

A simple example
Key [ ThisPrin:{} ] KPriv;
string {KPriv} mysecret;
public void reader1 ( String arg ) { … }
public void reader2<Keyname> (String {KPriv} arg) { … }
reader1( mysecret );
reader2<KPriv> ( mysecret );

Patient Doctor example
Prin Doctor1, Patient, Nurse, Doctor2;
KeyNm [ Doctor1 : { Doctor1, Patient } ] DocRecord;
KeyNm [ Patient : { Doctor1, Patient, Nurse } ] PatRecord;
Med_File { DocRecord, PatRecord } patient_file;
Notes { PatRecord } med_diary;
KeyNm [ Doctor2 : { Doctor1, Doctor2 } ] Priv_Notes;
Notes { Priv_Notes } budget;
Patient { Priv_Notes declassifies PatRecord };
Doctor1 { Priv_Notes declassifies DocRecord };
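The Patient/Doctor declarations above, together with the KDLM key type rules (the DecKey rule, the encrypt rule requiring all keys named in the label, the decrypt rule re-labelling the result with the keys used, and "K1 declassifies K2" certificates that only the owner of K2 may issue), can be exercised as one small model. The following is an added example, not the slides' or Jeddak's own code, and it models only the typing discipline: the `Ciphertext` object stands in for real encryption by hiding the value and recording, at the type level, the key names it was encrypted under. The class and function names and the `share_with_doctor2` scenario are this example's assumptions; the principals, key names and policies are the slide's.

```python
# Added example: a model of the KDLM rules for encryption, decryption and
# reclassification certificates, run over the Patient/Doctor declarations.
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyName:
    """KeyNm [ owner : {readers} ] name"""
    name: str
    owner: str
    readers: frozenset


@dataclass(frozen=True)
class Labeled:
    """A value whose label is a set of key names, e.g. Med_File {DocRecord, PatRecord}."""
    value: object
    label: frozenset


@dataclass(frozen=True)
class Ciphertext:
    """Type E{T}: the sealed value is reachable only through decrypt()."""
    keys: frozenset
    sealed: object


@dataclass(frozen=True)
class Cert:
    """issuer { k1 declassifies k2 }"""
    issuer: str
    k1: KeyName
    k2: KeyName


class KDLMTypeError(Exception):
    pass


def readers(label):
    """Access is the intersection of the policies of the key names in the label."""
    out = None
    for k in label:
        out = set(k.readers) if out is None else out & k.readers
    return frozenset(out or set())


def may_use_dec_key(prin, k):
    """DecKey rule: the private key of k is only available to principals in k's policy."""
    return prin in k.readers


def encrypt(enc_keys, data):
    """Encrypt rule: the keys provided must be exactly those named in the label (L0 = {Ki})."""
    if frozenset(enc_keys) != data.label:
        raise KDLMTypeError("encryption keys must match the data's label exactly")
    return Ciphertext(keys=data.label, sealed=data.value)


def decrypt(prin, ct):
    """Decrypt rule: prin needs every DecKey named on the ciphertext, and the
    plaintext is labelled with exactly those key names (L = {Ki})."""
    for k in ct.keys:
        if not may_use_dec_key(prin, k):
            raise KDLMTypeError(f"{prin} may not use the private key of {k.name}")
    return Labeled(ct.sealed, ct.keys)


def issue_cert(issuer, k1, k2):
    """Only the owner of k2's policy may authorise k1 to declassify k2."""
    if issuer != k2.owner:
        raise KDLMTypeError(f"{issuer} does not own {k2.name}")
    return Cert(issuer, k1, k2)


def reclassify(cert, data):
    """Replace k2 by k1 in the label, as licensed by the certificate."""
    if cert.k2 not in data.label:
        raise KDLMTypeError(f"{cert.k2.name} is not in the label")
    return Labeled(data.value, (data.label - {cert.k2}) | {cert.k1})


def rejected(fn, *args):
    """True if the typing rules refuse the call."""
    try:
        fn(*args)
        return False
    except KDLMTypeError:
        return True


# Constructed scenario following the slide's declarations.
DocRecord = KeyName("DocRecord", "Doctor1", frozenset({"Doctor1", "Patient"}))
PatRecord = KeyName("PatRecord", "Patient", frozenset({"Doctor1", "Patient", "Nurse"}))
Priv_Notes = KeyName("Priv_Notes", "Doctor2", frozenset({"Doctor1", "Doctor2"}))
patient_file = Labeled("history: (constructed record)", frozenset({DocRecord, PatRecord}))


def share_with_doctor2():
    """Doctor1 forwards the patient file to Doctor2 under both certificates."""
    opened = decrypt("Doctor1", encrypt({DocRecord, PatRecord}, patient_file))
    c1 = issue_cert("Patient", Priv_Notes, PatRecord)   # Patient owns PatRecord
    c2 = issue_cert("Doctor1", Priv_Notes, DocRecord)   # Doctor1 owns DocRecord
    relabelled = reclassify(c2, reclassify(c1, opened))  # label is now {Priv_Notes}
    return decrypt("Doctor2", encrypt({Priv_Notes}, relabelled))
```

Two failure cases are worth running: the Nurse, who is a reader of PatRecord but not of DocRecord, cannot decrypt `patient_file`, and the Nurse cannot issue the `Priv_Notes declassifies PatRecord` certificate, because the authority to relax PatRecord belongs to its owner, Patient.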

Papers
"Type Based Distributed Access Control", CSFW 03
- KDLM model
- Type system and correctness.
"Principals, Policies and Keys in a Secure Distributed Programming Language", FCS 04
- Types for sending keys.
- Language examples
"The Jeddak Language", hopefully when it's finished.

Further Work
Finish off Jeddak.
Running code.
Accountability.

Related Work
Information flow and type systems
– Denning
– Volpano and Smith
– Pottier (Flow Caml)
– Gordon and Fournet
Information flow and access control
– Stoughton
– Heintze and Riecke
– Myers, Liskov (DLM)
– Myers, Zdancewic (JIF)
– Banerjee and Naumann
Types and security protocols
– Abadi
– Gordon and Jeffrey
– Pierce and Li
– Duggan (Crypto Types)

Summary
KDLM for Distributed Access Control
Benefit of Type-Based Approach: Access Checking at compile-time
– Lightweight access control for accountable systems
– Extended to "compile-time" crypto