Enforcing Secure Service Composition

CSFW 05 p.1 Enforcing Secure Service Composition Massimo Bartoletti Pierpaolo Degano Gian Luigi Ferrari Dipartimento di Informatica, Università di Pisa

CSFW 05 p.2 Example: contract signing ψ e trusted certification service Λ service repository ψ = eventually sgn with no subsequent rvk

CSFW 05 p.2 Example: contract signing ψ e ψ req 1 ϕ 1 [ ], ψ 1 Λ ϕ 1 = never visit untrusted sites (α u ) ψ 1 = eventually get privacy policy (α p )

CSFW 05 p.2 Example: contract signing ψ e ψ req 1 ϕ 1 [ ], ψ 1 α p P1 (ε + α u ) α p P2

CSFW 05 p.2 Example: contract signing ψ e α p ψ req 1 ψ ϕ[e ] ϕ P1 (ε + α u ) α p P2 ϕ = never connect to the network (α c ) after having read local files (α r )

CSFW 05 p.2 Example: contract signing ψ e ψ 2 = receive a signed contract ψ req 1 ψ ϕ[e ] ψ ϕ[req 2 ] ψ 2 Λ ψ α c

CSFW 05 p.2 Example: contract signing ψ e ψ req 1 α r α sgn S1 ψ ϕ[e ] ψ ϕ[req 2 ] ψ α c ψ 2 α r α c α sgn S2 µh. (α rvk + α sgn ) h S3

CSFW 05 p.2 Example: contract signing ψ e ψ req 1 α r α sgn S1 ψ ϕ[e ] ψ ϕ[req 2 ] ψ α c α r α c α sgn S2 µh. (α rvk + α sgn ) h S3

CSFW 05 p.3 Overview calculus for secure service composition local safety/liveness policies call-by-contract service invocation subsumes history-based access control dynamic semantics (liveness?) static semantics: type & effect system approx. runtime behaviour (history expr.) static verification via model checking selects services matching contracts

CSFW 05 p.4 A calculus for service composition λ + histories + local policies + call-by-contract a history η is a sequence of events α policies ϕ, ψ are regular properties of η each computation step in a safety framing ϕ[e] must respect ϕ some step in a liveness framing ψ e must eventually satisfy ψ ϕ[ ],ψ a request req τ τ selects the services respecting (always) ϕ and (eventually) ψ

CSFW 05 p.5 Why local policies? Problem: securization of code upon receipt an untrusted program e is received I want the execution of e to obey a policy ϕ where to insert the checks in e? one issue: e could invoke unknown code solution: dynamic sandboxing ϕ[e] each execution step of e is subject to ϕ the scope of ϕ is left when e terminates

CSFW 05 p.6 Enforcing Principle of least privilege Programs should be granted the minimum set of rights that are needed to accomplish their tasks. an expression must always obey all the active policies (no policy can be overridden) policies can always inspect the whole past history (no event can be hidden) so how to implement privileged calls / discard the past? answer: policies must explicitly allow for it!

CSFW 05 p.7 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α

CSFW 05 p.7 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε α unit

CSFW 05 p.7 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit

CSFW 05 p.7 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit e 4 = (λy. ϕ[α; y ])(λx. ϕ [α ]) H 4 = ϕ[α ϕ [α ]] [ ϕ α[ ϕ α ] ϕ ] ϕ

CSFW 05 p.7 Extracting History Expressions e 1 = if b then α else α H 1 = α + α α, α e 2 = (λx. α ) : unit H 2 = ε e 3 = (λx. α )α H 3 = α α αα α unit e 4 = (λy. ϕ[α; y ])(λx. ϕ [α ]) H 4 = ϕ[α ϕ [α ]] [ ϕ α[ ϕ α ] ϕ ] ϕ e 5 = (λ z x. α; z x) H 5 = µh. α h ε, α, αα,...

CSFW 05 p.8 Validity of Histories obeying all the policies, within their scopes ex: ϕ[α r ]α c valid, ϕ[α r ϕ [α c ]α w ] not valid safe-sets of ϕ[α r ϕ [α c ]α w ]: ϕ[{ε, α r, α r α c, α r α c α w }] ϕ [{α r, α r α c }] ex: ψ α rvk α sgn valid, ψ α sgn α rvk ψ α sgn not live-sets of ψ α sgn α rvk ψ α sgn : ψ {ε, α sgn,...} ψ {α sgn α rvk }

CSFW 05 p.9 Validity of Histories η valid iff, for each safe-set ϕ[{η 1,..., η k }] of η: i 1..k. η i = ϕ and, for each live-set ψ {η 1,..., η h } of η: i 1..h. η i = ψ H valid iff each η H is valid how to verify validity of history expressions?

CSFW 05 p.10 Selecting Services service request: req l τ ϕ[ ],ψ τ lookup Λ for services with signature: e i : τ H i τ I(l) selects those services such that: ϕ[ψ H i ] valid the latent effect will be: Σ i I(l) H i

CSFW 05 p.11 Type & Effect System typing judgements Γ e : τ H, I types: τ ::= unit τ H τ effect: history expr. H + service selection I correctness of history expressions: ε, e η, e = η H type safety: if H is valid and I(l) for each req l, then e will not go wrong

CSFW 05 p.12 Verifying History Expressions If validity were a regular property... H BP A(H) Pushdown automaton validity Ω(H) A Ψ(H) Büchi automaton H valid if L(BP A(H)) L(A Ω(H) ) = But validity of histories is non-regular! ex: µh. α + h h + ϕ[h] [ ϕ [ ϕ α ] ϕ [ ϕ α in or out?

CSFW 05 p.13 Regularizing History Expressions Solution: transform H to make Ω(H) regular idea: eliminating the redundant framings preserves the validity of history expressions ϕ[α ϕ [α ϕ[α ]]] valid iff ϕ[α ϕ [α α ]] valid ψ α ψ α ψ α valid iff α ψ α ψ α valid safety framings can be regularized [Fossacs] liveness framings probably not, but not really needed (quite surprisingly!)

CSFW 05 p.14 Verifying safety framings α c α r α r, α c A ϕ α r α c q0 q1 q2 α r α c L(A ϕ ) α c α r α r, α c q0 α r q1 α c q2 A ϕ[ ] [ ϕ ] ϕ [ ϕ ] ϕ α r q0 q1 α c α r α r [ ϕ α c ] ϕ L(A ϕ[ ] ) [ ϕ α r ] ϕ α c L(A ϕ[ ] )

CSFW 05 p.15 Verifying liveness framings A ψ α rvk q0 α sgn α rvk q1 α sgn

CSFW 05 p.15 Verifying liveness framings A ψ α rvk q0 α sgn α rvk q1 α sgn ψ α rvk ψ ψ ψ q0 α sgn α rvk q1 ψ, α sgn ψ, α rvk ψ q0 α sgn αrvk ψαsgn L(Aψ ) ψ α sgn α rvk ψ L(A ψ )

CSFW 05 p.16 Conclusions λ + histories + local policies + call-by-contract type & effect system: Γ e : τ H, I model-checking validity: H valid BP A(H ) = ϕ [ ] ψ [ ϕ, ψ H type safety + verification: H valid, req l. I(l) = e will not go wrong

CSFW 05 p.17 Programming model (syntax) e, e ::= x λ z x. e e e if b then e else e α ϕ[e] ϕ e req l τ ϕ[ ],ψ τ variable abstraction application conditional access event safety framing liveness framing service request

CSFW 05 p.18 Programming model (semantics) e : τ H τ Λ H = ϕ ψ η, α ηα, η, req τ ϕ[ ],ψ τ η, e η, e η, e η = ϕ η = ϕ η, ϕ[e] η, ϕ[e ] η, e η, e η = ψ η, ψ e η, ψ e η = ϕ η, ϕ[v] η, v η = ψ η, ψ e η, e

CSFW 05 p.19 Type & Effect System Γ, α α : unit Γ, H e : τ Γ, ϕ[h] ϕ[e] : τ Γ, H e : τ Γ, ψ H ψ e : τ Γ; x : τ; z : τ H τ, H e : τ Γ, H e : τ H τ Γ, H e : τ Γ, ε λ z x.e : τ H τ Γ, H H H ee : τ I l = { i e i : τ H i τ Λ ϕ[ψ H i ] valid } Γ, ε, I l req l τ ϕ[ ],ψ τ : τ Σ i I l H i τ

CSFW 05 p.20 A typing example e = λ z x. b? α + (b? zzx + ϕ[zx]) Γ, ε z : τ H τ Γ, ε x : τ Γ, H z x : τ Γ, H H z z x : τ Γ, ϕ[h] ϕ[z x] : τ Γ, H H + ϕ[h] z z x : τ Γ, H H + ϕ[h] ϕ[z x] : τ Γ, H H + ϕ[h] b? z z x + ϕ[z x] : τ Γ, α + H H + ϕ[h] b? α + (b? z z x + ϕ[z x]) : τ H = α + H H + ϕ[h] = H = µh. α + h h + ϕ[h], ε e : unit µh. α+h h+ϕ[h] unit

CSFW 05 p.21 Semantics of History Expressions ε ρ = ε α ρ = α h ρ = ρ(h) H H ρ = H ρ H ρ H + H ρ = H ρ H ρ ϕ[h] ρ = ϕ[ H ρ ] µh.h ρ = n ω f n ( ), f(x) = H ρ{x/h}

CSFW 05 p.22 Regularizing safety (1) ε Φ,Γ = ε h Φ,Γ = h α Φ,Γ = α (H H ) Φ,Γ = H Φ,Γ H Φ,Γ (H + H ) Φ,Γ = H Φ,Γ + H Φ,Γ ϕ[h] Φ,Γ = { H Φ,Γ ϕ[h Φ {ϕ},γ ] if ϕ Φ otherwise

CSFW 05 p.23 Regularizing safety (2) (µh. H) Φ,Γ = µh. (H σ Φ,Γ{(µh.H)Γ/h} σ) where H = H {h/h i } i, h i fresh, h fv(h ) σ(h i ) = (µh.h)γ Φ guard(hi,h ),Γ σ (h i ) = { h h i if guard(h i, H ) Φ otherwise