
Technical Reports (CIS)
Title: Evidence-based Audit, Technical Appendix
Document Type: Technical Report
Date of this Version: April 2008
Abstract
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an access-control decision has been made in accordance with policy. Using such proofs for auditing reduces the trusted computing base and makes it possible to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because proof normalization can yield information about the relevance of policy statements. Untrusted, but well-typed, applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. This paper presents AURA₀, an authorization logic based on a dependently-typed variant of DCC, and proves the metatheoretic properties of subject reduction and normalization. It shows the utility of proof-based auditing in a number of examples and discusses several pragmatic issues that must be addressed in this context.
Date Posted: 05 May 2008

Comments
University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-08-09.