Analysis of Reachability Properties in Communicating Authorization Policies

Author

  • SIMONE FRAU
Abstract

Cryptographic protocols and authorization policies are two leading techniques for securing software systems. The former are concerned with the enforcement of secure communications in distributed systems, while the latter specify which users, under which conditions, can be granted access to the resources of a system. The two have mostly been studied in isolation. Indeed, there are a number of algorithms for deciding symbolic reachability in (a bounded number of sessions of) cryptographic protocols [23,24,26,50,54]. These decidability results, however, are not readily applicable to a more refined model of protocols in which the internal authorization policies of the participants are non-trivial and indeed security-relevant. Similarly, distributed authorization logics, such as [16, 27, 38], typically abstract away from the communication events by assuming that all the policy statements exchanged among the participants are simply (and solely) signed certificates. We argue that these studies are inadequate for analyzing security as a whole, encompassing authorization logics, cryptographic protocols and the interface between the two, i.e. how communication influences the policy inference, and vice versa. Indeed, the need for integrated analysis of authorization logics and cryptographic protocols has been recognized in the literature [3, 12, 40, 41, 51]. We present a formal language for specifying communicating authorization policies. Communicating authorization policies are distributed authorization policies that communicate through insecure asynchronous media. The language allows us to write declarative authorization policies. The interface between policy decisions and communication events is specified using guards and policy updates. Guards constrain the transmission of messages to the communication media to the satisfaction of (possibly negative) conditions on the policy and allow nondeterministic choices to be made. Policy updates modify the policy of a participant according to the messages received; in particular, information can be introduced into the policy and retracted from the policy. The attacker, who controls the communication media, is modeled as a message deduction engine. We give trace semantics to communicating authorization policies, and formulate a generic reachability problem. The reachability problem subsumes the secrecy problem for security protocols [31] and the safety problem for authorization policies [43]. We show that the reachability problem is decidable for a fragment of policies specified in our formal language. The fragment, dubbed DC, is of practical relevance, as demonstrated with examples. In particular, policies in DC belong to a fragment of Horn theory, called AL, that allows infinite minimal models; this singles out the fragment from many authorization languages with finite minimal models. We give a decision algorithm for the reachability problem for specifications in DC. The algorithm extends the existing constraint reduction systems for analyzing security protocols by employing a novel proof search procedure for policies in AL and novel techniques for handling (symbolically) negative queries and retracted policy statements. Furthermore, we give a different proof technique for another decidable fragment of communicating authorization policies, called DC1, which is a strict subset of the DC fragment. The proof technique is based on encoding the derivation of


Similar sources

Analysis of Communicating Authorization Policies

We present a formal language for specifying distributed authorization policies that communicate through insecure asynchronous media. The language allows us to write declarative authorization policies; the interface between policy decisions and communication events can be specified using guards and policy updates. The attacker, who controls the communication media, is modeled as a message deduct...


Policy Analysis for Administrative Role Based Access Control without Separate Administration

Role based access control (RBAC) is a widely used approach to access control with well-known advantages in managing authorization policies. This paper considers user-role reachability analysis of administrative role based access control (ARBAC), which defines administrative roles and specifies how members of each administrative role can change the RBAC policy. Most existing works on user-role r...


Authorization models for secure information sharing: a survey and research agenda

This article presents a survey of authorization models and considers their 'fitness-for-purpose' in facilitating information sharing. Network-supported information sharing is an important technical capability that underpins collaboration in support of dynamic and unpredictable activities such as emergency response, national security, infrastructure protection, supply chain integration and emerg...


Reachability problems for communicating finite state machines

1. Introduction 2. Introductory examples 3. Communicating finite state machines 4. Reachability properties 5. Reachability analysis and abstract flow control 6. Affine SR-machines 7. Undecidable problems 8. Rational channels for cyclic protocols 9. Recognizable channels for general protocols 10. Abstract flow control in general graphs 11. Recapitulation and conclusions Appendix: Post's tag syst...


Reachability checking in complex and concurrent software systems using intelligent search methods

Software system verification is an efficient technique for ensuring the correctness of a software product, especially in safety-critical systems in which a small bug may have disastrous consequences. The goal of software verification is to ensure that the product fulfills the requirements. Studies show that the cost of finding and fixing errors in design time is less than finding and fixing the...



Publication date: 2013