# HG changeset patch # User Christian Urban # Date 1384830348 0 # Node ID e78af5feb655a5056fdf8433be7be231b417e9ea # Parent e4fda36422dd2ca5a32ca7733a61bdb3133e9b25 added diff -r e4fda36422dd -r e78af5feb655 progs/prove.scala --- a/progs/prove.scala Sun Nov 17 19:22:57 2013 +0000 +++ b/progs/prove.scala Tue Nov 19 03:05:48 2013 +0000 @@ -15,6 +15,8 @@ case class Says(p: String, f: Form) extends Form case class And(f1: Form, f2: Form) extends Form case class Or(f1: Form, f2: Form) extends Form +case class Sends(p: String, q: String, f: Form) extends Form +case class Enc(f1: Form, f2: Form) extends Form case class Judgement(gamma: Set[Form], f: Form) { def lhs = gamma @@ -67,6 +69,8 @@ case And(f1, f2) => prove(j.lhs |- f1, () => prove(j.lhs |- f2, sc)) + case Sends(p, q, f) => prove(j.lhs + (p says f) |- (q says f), sc) + case Enc(f1, f2) => prove(j.lhs + f1 |- f2, sc) case _ => () } @@ -79,12 +83,19 @@ case Imp(f1, f2) => prove(lhs_rest |- f1, () => prove(lhs_rest + f2 |- rhs, sc)) + case Sends(p, q, f) => + prove(lhs_rest |- (p says f), + () => prove(lhs_rest + (q says f) |- rhs, sc)) + case Enc(f1, f2) => + prove(lhs_rest |- f1, + () => prove(lhs_rest + f2 |- rhs, sc)) case Or(f1, f2) => prove(lhs_rest + f1 |- rhs, () => prove(lhs_rest + f2 |- rhs, sc)) case Says(p, Imp(f1, f2)) => prove(lhs_rest |- Says(p, f1), - () => prove(lhs_rest + Says(p, f2) |- rhs, sc)) + () => prove(lhs_rest + Says(p, f2) |- rhs, sc)) + case _ => () } @@ -128,4 +139,40 @@ run (Set[Form](AtLib, Policy_HoD, Policy_Lib) |- Email) +println("Server Example") +val Alice = "Alice" +//val Bob = "Bob" -- already defined +val Server = "Server" + +def Connect(p: String, q: String) : Form = + Pred("Connect", List(Var(p), Var(q))) + + +val A = "A" +val B = "B" +val S = "S" +val CAB = Connect(A, B) +val Msg = Pred("Msg", Nil) +val KAS = Pred("Kas", Nil) +val KBS = Pred("Kbs", Nil) +val KAB = Pred("Kab", Nil) + +val Gamma_big : Set[Form] = + Set( A says CAB, + Sends(A, S, CAB), + S says (CAB -> Enc(KAB, KAS)), + S says (CAB -> Enc(Enc(KAB, KBS), KAS)), + Sends(S, A, Enc(KAB, KAS)), + Sends(S, A, Enc(Enc(KAB, KBS), KAS)), + Sends(A, B, Enc(KAB, KBS)), + Sends(A, B, Enc(Msg, KAB)), + A says KAS, + B says KBS, + S says KAS, + A says (Enc(Msg, KAB)) + ) + +run (Gamma_big |- (B says Msg)) + + diff -r e4fda36422dd -r e78af5feb655 slides/slides06.pdf Binary file slides/slides06.pdf has changed diff -r e4fda36422dd -r e78af5feb655 slides/slides06.tex --- a/slides/slides06.tex Sun Nov 17 19:22:57 2013 +0000 +++ b/slides/slides06.tex Tue Nov 19 03:05:48 2013 +0000 @@ -889,6 +889,9 @@ \begin{frame}[c] \begin{itemize} +\item \bl{$P \,\text{says}\, F$} means \bl{$P$} can send a ``signal'' \bl{$F$} through a wire, or +can make a statement \bl{$F$}\bigskip + \item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\ \bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip diff -r e4fda36422dd -r e78af5feb655 slides/slides07.pdf Binary file slides/slides07.pdf has changed diff -r e4fda36422dd -r e78af5feb655 slides/slides07.tex --- a/slides/slides07.tex Sun Nov 17 19:22:57 2013 +0000 +++ b/slides/slides07.tex Tue Nov 19 03:05:48 2013 +0000 @@ -1,8 +1,8 @@ \documentclass[dvipsnames,14pt,t]{beamer} \usepackage{proof} -\usepackage{beamerthemeplainculight} -\usepackage[T1]{fontenc} -\usepackage[latin1]{inputenc} +\usepackage{beamerthemeplaincu} +%\usepackage[T1]{fontenc} +%\usepackage[latin1]{inputenc} \usepackage{mathpartir} \usepackage{isabelle} \usepackage{isabellesym} @@ -27,6 +27,9 @@ \renewcommand{\isatagproof}{} \renewcommand{\endisatagproof}{} \renewcommand{\isamarkupcmt}[1]{#1} +\newcommand{\isaliteral}[1]{} +\newcommand{\isactrlisub}[1]{\emph{\isascriptstyle${}\sb{#1}$}} + % Isabelle characters \renewcommand{\isacharunderscore}{\_} @@ -93,126 +96,11 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 07, King's College London, 13 November 2012} +\renewcommand{\slidecaption}{APP 07, King's College London, 19 November 2013} \newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions \newcommand{\bl}[1]{\textcolor{blue}{#1}} -% The data files, written on the first run. -\begin{filecontents}{re-python.data} -1 0.029 -5 0.029 -10 0.029 -15 0.032 -16 0.042 -17 0.042 -18 0.055 -19 0.084 -20 0.136 -21 0.248 -22 0.464 -23 0.899 -24 1.773 -25 3.505 -26 6.993 -27 14.503 -28 29.307 -#29 58.886 -\end{filecontents} - -\begin{filecontents}{re1.data} -1 0.00179 -2 0.00011 -3 0.00014 -4 0.00026 -5 0.00050 -6 0.00095 -7 0.00190 -8 0.00287 -9 0.00779 -10 0.01399 -11 0.01894 -12 0.03666 -13 0.07994 -14 0.08944 -15 0.02377 -16 0.07392 -17 0.22798 -18 0.65310 -19 2.11360 -20 6.31606 -21 21.46013 -\end{filecontents} - -\begin{filecontents}{re2.data} -1 0.00240 -2 0.00013 -3 0.00020 -4 0.00030 -5 0.00049 -6 0.00083 -7 0.00146 -8 0.00228 -9 0.00351 -10 0.00640 -11 0.01217 -12 0.02565 -13 0.01382 -14 0.02423 -15 0.05065 -16 0.06522 -17 0.02140 -18 0.05176 -19 0.18254 -20 0.51898 -21 1.39631 -22 2.69501 -23 8.07952 -\end{filecontents} - -\begin{filecontents}{re-internal.data} -1 0.00069 -301 0.00700 -601 0.00297 -901 0.00470 -1201 0.01301 -1501 0.01175 -1801 0.01761 -2101 0.01787 -2401 0.02717 -2701 0.03932 -3001 0.03470 -3301 0.04349 -3601 0.05411 -3901 0.06181 -4201 0.07119 -4501 0.08578 -\end{filecontents} - -\begin{filecontents}{re3.data} -1 0.001605 -501 0.131066 -1001 0.057885 -1501 0.136875 -2001 0.176238 -2501 0.254363 -3001 0.37262 -3501 0.500946 -4001 0.638384 -4501 0.816605 -5001 1.00491 -5501 1.232505 -6001 1.525672 -6501 1.757502 -7001 2.092784 -7501 2.429224 -8001 2.803037 -8501 3.463045 -9001 3.609 -9501 4.081504 -10001 4.54569 -\end{filecontents} - \begin{document} @@ -234,7 +122,7 @@ \begin{center} \begin{tabular}{ll} Email: & christian.urban at kcl.ac.uk\\ - Of$\!$fice: & S1.27 (1st floor Strand Building)\\ + Office: & S1.27 (1st floor Strand Building)\\ Slides: & KEATS (also homework is there)\\ \end{tabular} \end{center} @@ -242,486 +130,259 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Judgements} - -\begin{center} -\begin{tikzpicture}[scale=1] - - \draw (0.0,0.0) node {\LARGE \bl{$\Gamma \vdash F$}}; - \onslide<2->{ - \draw (-1,-0.3) node (X) {}; - \draw (-2.0,-2.0) node (Y) {}; - \draw (0.7,-3) node {\begin{tabular}{l}Gamma\\stands for a collection of formulas\\(``assumptions'')\end{tabular}}; - \draw[red, ->, line width = 2mm] (Y) -- (X); - \draw (1.2,-0.1) node (X1) {}; - \draw (2.8,-0.1) node (Y1) {}; - \draw (4.5,-0.1) node {\begin{tabular}{l}a single formula\end{tabular}}; - \draw[red, ->, line width = 2mm] (Y1) -- (X1); - - \draw (-0.1,0.1) node (X2) {}; - \draw (0.5,1.5) node (Y2) {}; - \draw (1,1.8) node {\begin{tabular}{l}entails sign\end{tabular}}; - \draw[red, ->, line width = 2mm] (Y2) -- (X2);} - - \end{tikzpicture} -\end{center} - -\pause\pause -\footnotesize Gimel (Phoenician), Gamma (Greek), C and G (Latin), Gim (Arabic),\\[-2mm] ?? (Indian), Ge (Cyrillic) -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Inference Rules} - -\begin{center} -\begin{tikzpicture}[scale=1] - - \draw (0.0,0.0) node - {\Large\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 & \Gamma \vdash F_2}}}; - - \draw (-0.1,-0.7) node (X) {}; - \draw (-0.1,-1.9) node (Y) {}; - \draw (-0.2,-2) node {\begin{tabular}{l}conclusion\end{tabular}}; - \draw[red, ->, line width = 2mm] (Y) -- (X); - - \draw (-1,0.6) node (X2) {}; - \draw (0.0,1.6) node (Y2) {}; - \draw (0,1.8) node {\begin{tabular}{l}premisses\end{tabular}}; - \draw[red, ->, line width = 2mm] (Y2) -- (X2); - \draw (1,0.6) node (X3) {}; - \draw (0.0,1.6) node (Y3) {}; - \draw[red, ->, line width = 2mm] (Y3) -- (X3); - \end{tikzpicture} -\end{center} - -\only<2>{ -\begin{textblock}{11}(1,13) -\small -\bl{$P \,\text{says}\, F \vdash Q\,\text{says}\, F\wedge P \,\text{says}\, G $} -\end{textblock}} -\only<3>{ -\begin{textblock}{11}(1,13) -\small -\bl{$\underbrace{P \,\text{says}\, F}_{\Gamma} \vdash \underbrace{Q\,\text{says}\, F}_{F_1} \,\wedge - \underbrace{P \,\text{says}\, G}_{F_2} $} -\end{textblock}} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] - -\begin{center} -\Large -\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1\Rightarrow F_2 & \Gamma \vdash F_1}}\bigskip\bigskip\bigskip - -\bl{\infer{\Gamma\vdash P\,\text{says}\, F}{\Gamma \vdash F}} -\end{center} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[t] - -We want to prove - -\begin{center} -\bl{$\Gamma \vdash \text{del\_file}$} -\end{center}\pause - -There is an inference rule - -\begin{center} -\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}} -\end{center}\pause - -So we can derive \bl{$\Gamma \vdash \text{Alice} \,\text{says}\,\text{del\_file}$}.\bigskip\pause - -\bl{$\Gamma$} contains already \bl{$\text{Alice} \,\text{says}\,\text{del\_file}$}. \\ -So we can use the rule - -\begin{center} -\bl{\infer{\Gamma, F \vdash F}{}} -\end{center} - -\onslide<5>{\bf\alert{What is wrong with this?}} -\hfill{\bf Done. Qed.} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Digression: Proofs in CS} - -Formal proofs in CS sound like science fiction? Completely irrelevant! -Lecturers gone mad!\pause - -\begin{itemize} -\item in 2008, verification of a small C-compiler -\begin{itemize} -\item ``if my input program has a certain behaviour, then the compiled machine code has the same behaviour'' -\item is as good as \texttt{gcc -O1}, but less buggy -\end{itemize} -\medskip -\item in 2010, verification of a micro-kernel operating system (approximately 8700 loc) -\begin{itemize} -\item 200k loc of proof -\item 25 - 30 person years -\item found 160 bugs in the C code (144 by the proof) -\end{itemize} -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] \frametitle{} - \begin{tabular}{c@ {\hspace{2mm}}c} - \\[6mm] - \begin{tabular}{c} - \includegraphics[scale=0.11]{harper.jpg}\\[-2mm] - {\footnotesize Bob Harper}\\[-2.5mm] - {\footnotesize (CMU)} - \end{tabular} - \begin{tabular}{c} - \includegraphics[scale=0.37]{pfenning.jpg}\\[-2mm] - {\footnotesize Frank Pfenning}\\[-2.5mm] - {\footnotesize (CMU)} - \end{tabular} & - - \begin{tabular}{p{6cm}} - \raggedright - \color{gray}{published a proof about a specification in a journal (2005), - $\sim$31pages} - \end{tabular}\\ - - \pause - \\[0mm] - - \begin{tabular}{c} - \includegraphics[scale=0.36]{appel.jpg}\\[-2mm] - {\footnotesize Andrew Appel}\\[-2.5mm] - {\footnotesize (Princeton)} - \end{tabular} & + Recall the following scenario: - \begin{tabular}{p{6cm}} - \raggedright - \color{gray}{relied on their proof in a\\ {\bf security} critical application} - \end{tabular} - \end{tabular} - - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame} - \frametitle{Proof-Carrying Code} - - \begin{textblock}{10}(2.5,2.2) - \begin{block}{Idea:} - \begin{center} - \begin{tikzpicture} - \draw[help lines,cream] (0,0.2) grid (8,4); - - \draw[line width=1mm, red] (5.5,0.6) rectangle (7.5,4); - \node[anchor=base] at (6.5,2.8) - {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering user: untrusted code\end{tabular}}; - - \draw[line width=1mm, red] (0.5,0.6) rectangle (2.5,4); - \node[anchor=base] at (1.5,2.3) - {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering developer ---\\ web server\end{tabular}}; - - \onslide<3->{ - \draw[line width=1mm, red, fill=red] (5.5,0.6) rectangle (7.5,1.8); - \node[anchor=base,white] at (6.5,1.1) - {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\bf\centering proof- checker\end{tabular}};} - - \node at (3.8,3.0) [single arrow, fill=red,text=white, minimum height=3cm]{\bf code}; - \onslide<2->{ - \node at (3.8,1.3) [single arrow, fill=red,text=white, minimum height=3cm]{\bf certificate}; - \node at (3.8,1.9) {\small\color{gray}{\mbox{}\hspace{-1mm}a proof}}; - } + \begin{itemize} + \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file}} + should be deleted, then this file must be deleted. + \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether + \textcolor{blue}{\isa{file}} should be deleted (delegation). + \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file}}. + \end{itemize}\bigskip - - \end{tikzpicture} - \end{center} - \end{block} - \end{textblock} - - %\begin{textblock}{15}(2,12) - %\small - %\begin{itemize} - %\item<4-> Appel's checker is $\sim$2700 lines of code (1865 loc of\\ LF definitions; - %803 loc in C including 2 library functions)\\[-3mm] - %\item<5-> 167 loc in C implement a type-checker - %\end{itemize} - %\end{textblock} - - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - \tikzstyle{every node}=[node distance=25mm,text height=1.5ex, text depth=.25ex] - \tikzstyle{node1}=[rectangle, minimum size=10mm, rounded corners=3mm, very thick, - draw=black!50, top color=white, bottom color=black!20] - \tikzstyle{node2}=[rectangle, minimum size=12mm, rounded corners=3mm, very thick, - draw=red!70, top color=white, bottom color=red!50!black!20] - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}<2->[squeeze] - \frametitle{} - - \begin{columns} - - \begin{column}{0.8\textwidth} - \begin{textblock}{0}(1,2) + \small + \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l} + \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\ + \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\ + \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\ + \end{tabular}}\medskip - \begin{tikzpicture} - \matrix[ampersand replacement=\&,column sep=7mm, row sep=5mm] - { \&[-10mm] - \node (def1) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}}; \& - \node (proof1) [node1] {\large Proof}; \& - \node (alg1) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}}; \\ - - \onslide<4->{\node {\begin{tabular}{c}\small 1st\\[-2.5mm] \footnotesize solution\end{tabular}};} \& - \onslide<4->{\node (def2) [node2] {\large Spec$^\text{+ex}$};} \& - \onslide<4->{\node (proof2) [node1] {\large Proof};} \& - \onslide<4->{\node (alg2) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\ - - \onslide<5->{\node {\begin{tabular}{c}\small 2nd\\[-2.5mm] \footnotesize solution\end{tabular}};} \& - \onslide<5->{\node (def3) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \& - \onslide<5->{\node (proof3) [node1] {\large Proof};} \& - \onslide<5->{\node (alg3) [node2] {\large Alg$^\text{-ex}$};} \\ + \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}} + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \onslide<6->{\node {\begin{tabular}{c}\small 3rd\\[-2.5mm] \footnotesize solution\end{tabular}};} \& - \onslide<6->{\node (def4) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \& - \onslide<6->{\node (proof4) [node2] {\large\hspace{1mm}Proof\hspace{1mm}};} \& - \onslide<6->{\node (alg4) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\ - }; - - \draw[->,black!50,line width=2mm] (proof1) -- (def1); - \draw[->,black!50,line width=2mm] (proof1) -- (alg1); - - \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (def2);} - \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (alg2);} - - \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (def3);} - \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (alg3);} - - \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (def4);} - \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (alg4);} - - \onslide<3->{\draw[white,line width=1mm] (1.1,3.2) -- (0.9,2.85) -- (1.1,2.35) -- (0.9,2.0);} - \end{tikzpicture} - - \end{textblock} - \end{column} - \end{columns} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {\hspace{-2mm}}c@ {}}The Access Control Problem\end{tabular}} - \begin{textblock}{3}(12,3.6) - \onslide<4->{ - \begin{tikzpicture} - \node at (0,0) [single arrow, shape border rotate=270, fill=red,text=white]{2h}; - \end{tikzpicture}} - \end{textblock} +\begin{center} + \begin{tikzpicture}[scale=1] + + \draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2); + \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}}; + \draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}}; + \draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}}; + + \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1); + \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1); + \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2); + + \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\boldmath\bl{$\Gamma$})\end{tabular}}; + + \end{tikzpicture} +\end{center} - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] + +\begin{itemize} +\item \bl{$P \,\text{says}\, F$} means \bl{$P$} can send a ``signal'' \bl{$F$} through a wire, or +can make a ``statement'' \bl{$F$}\bigskip\pause + +\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\ +\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip + +\begin{center} +\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}} +\end{center} + + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] - \frametitle{Mars Pathfinder Mission 1997} + \frametitle{Security Levels} + \small + + \begin{itemize} + \item Top secret (\bl{$T\!S$}) + \item Secret (\bl{$S$}) + \item Public (\bl{$P$}) + \end{itemize} \begin{center} - \includegraphics[scale=0.15]{marspath1.png} - \includegraphics[scale=0.16]{marspath3.png} - \includegraphics[scale=0.3]{marsrover.png} + \bl{$slev(P) < slev(S) < slev(T\!S)$}\pause \end{center} - + \begin{itemize} - \item despite NASA's famous testing procedure, the lander crashed frequently on Mars - \item problem was an algorithm not used in the OS + \item Bob has a clearance for ``secret'' + \item Bob can read documents that are public or sectret, but not top secret \end{itemize} \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Reading a File} + + \bl{\begin{center} + \begin{tabular}{c} + \begin{tabular}{@ {}l@ {}} + \only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\ + \only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\ + Bob says Permitted $($File, read$)$\only<2->{\\} + \only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}% + \only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}% + \only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}% + \only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}% + \end{tabular}\\ + \hline + Permitted $($File, read$)$ + \end{tabular} + \end{center}} + + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] - \frametitle{Priority Inheritance Protocol} + \frametitle{Substitution Rule} + \small + + \bl{\begin{center} + \begin{tabular}{c} + $\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$ + \hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline + $\Gamma \vdash slev(P) < slev(Q)$ + \end{tabular} + \end{center}}\bigskip\pause \begin{itemize} - \item \ldots a scheduling algorithm that is widely used in real-time operating systems - \item has been ``proved'' correct by hand in a paper in 1983 - \item \ldots but the first algorithm turned out to be incorrect, despite its ``proof''\bigskip\pause - - \item we specified the algorithm and then proved that the specification makes - ``sense'' - \item we implemented our specification in C on top of PINTOS (used for teaching at Stanford) - \item our implementation was much more efficient than their reference implementation + \item \bl{$slev($Bob$)$ $=$ $S$} + \item \bl{$slev($File$)$ $=$ $P$} + \item \bl{$slev(P) < slev(S)$} \end{itemize} \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Regular Expression Matching} -\tiny - -\begin{tabular}{@ {\hspace{-6mm}}cc} -\begin{tikzpicture}[y=.1cm, x=.15cm] - %axis - \draw (0,0) -- coordinate (x axis mid) (30,0); - \draw (0,0) -- coordinate (y axis mid) (0,30); - %ticks - \foreach \x in {0,5,...,30} - \draw (\x,1pt) -- (\x,-3pt) - node[anchor=north] {\x}; - \foreach \y in {0,5,...,30} - \draw (1pt,\y) -- (-3pt,\y) - node[anchor=east] {\y}; - %labels - \node[below=0.3cm] at (x axis mid) {\bl{a}s}; - \node[rotate=90, left=0.6cm] at (y axis mid) {secs}; +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Reading a File} - %plots - \draw[color=blue] plot[mark=*, mark options={fill=white}] - file {re-python.data}; - \only<1->{ - \draw[color=red] plot[mark=triangle*, mark options={fill=white} ] - file {re1.data};} - \only<1->{ - \draw[color=green] plot[mark=square*, mark options={fill=white} ] - file {re2.data};} - - %legend - \begin{scope}[shift={(4,20)}] - \draw[color=blue] (0,0) -- - plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0) - node[right]{\footnotesize Python}; - \only<1->{\draw[yshift=6mm, color=red] (0,0) -- - plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0) - node[right]{\footnotesize Scala V1};} - \only<1->{ - \draw[yshift=12mm, color=green] (0,0) -- - plot[mark=square*, mark options={fill=white}] (0.25,0) -- (0.5,0) - node[right]{\footnotesize Scala V2 with simplifications};} - \end{scope} -\end{tikzpicture} & + \bl{\begin{center} + \begin{tabular}{c} + \begin{tabular}{@ {}l@ {}} + $slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\ + \hspace{3cm}Bob controls Permitted $($File, read$)$\\ + Bob says Permitted $($File, read$)$\\ + $slev($File$)$ $=$ $P$\\ + $slev($Bob$)$ $=$ $T\!S$\\ + \only<1>{\textcolor{red}{$?$}}% + \only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}% + \only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}% + \end{tabular}\\ + \hline + Permitted $($File, read$)$ + \end{tabular} + \end{center}} -\begin{tikzpicture}[y=.35cm, x=.00045cm] - %axis - \draw (0,0) -- coordinate (x axis mid) (10000,0); - \draw (0,0) -- coordinate (y axis mid) (0,6); - %ticks - \foreach \x in {0,2000,...,10000} - \draw (\x,1pt) -- (\x,-3pt) - node[anchor=north] {\x}; - \foreach \y in {0,1,...,6} - \draw (1pt,\y) -- (-3pt,\y) - node[anchor=east] {\y}; - %labels - \node[below=0.3cm] at (x axis mid) {\bl{a}s}; - \node[rotate=90, left=0.6cm] at (y axis mid) {secs}; + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Transitivity Rule} + \small + + \bl{\begin{center} + \begin{tabular}{c} + $\Gamma \vdash l_1 < l_2$ + \hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline + $\Gamma \vdash l_1 < l_3$ + \end{tabular} + \end{center}}\bigskip + + \begin{itemize} + \item \bl{$slev(P) < slev (S)$} + \item \bl{$slev(S) < slev (T\!S)$} + \item[] \bl{$slev(P) < slev (T\!S)$} + \end{itemize} - %plots - \draw[color=blue] plot[mark=*, mark options={fill=white}] - file {re-internal.data}; - \only<1->{ - \draw[color=red] plot[mark=triangle*, mark options={fill=white} ] - file {re3.data};} - - %legend - \begin{scope}[shift={(2000,4)}] - \draw[color=blue] (0,0) -- - plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0) - node[right]{\footnotesize Scala Internal}; - \only<1->{ - \draw[yshift=6mm, color=red] (0,0) -- - plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0) - node[right]{\footnotesize Scala V3};} - \end{scope} -\end{tikzpicture} -\end{tabular}\bigskip\pause -\normalsize -\begin{itemize} -\item I needed a proof in order to make sure my program is correct -\end{itemize}\pause + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Reading Files} + + \begin{itemize} + \item Access policy for Bob for reading + \end{itemize} -\begin{center} -\bl{End Digression.\\ (Our small proof is 0.0005\% of the OS-proof.)} -\end{center} - -\end{frame}} - - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{One More Thing} + \bl{\begin{center} + \begin{tabular}{c} + \begin{tabular}{@ {}l@ {}} + $\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\ + \hspace{3cm}Bob controls Permitted $(f$, read$)$\\ + Bob says Permitted $($File, read$)$\\ + $slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\ + $slev($Bob$)$ $=$ $T\!S$\\ + $slev(P) < slev(S)$\\ + $slev(S) < slev(T\!S)$ + \end{tabular}\\ + \hline + Permitted $($File, read$)$ + \end{tabular} + \end{center}} -\begin{itemize} -\item I arrived at King's last year -\item Maxime Crochemore told me about a string algorithm (suffix sorting) that appeared at a -conference in 2007 (ICALP) -\item ``horribly incomprehensible'', no implementation, but claims to be the best \bl{$O(n + k)$} algorithm\bigskip\pause - -\item Jian Jiang found 1 error and 1 superfluous step in this algorithm -\item he received 88\% for the project and won the prize for the best 7CCSMPRJ project in the department -\item no proof \ldots{} yet -\end{itemize} - -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\mode{ -\begin{frame}[c] -\frametitle{Trusted Third Party} + \mode{ + \begin{frame}[c] + \frametitle{Writing Files} -Simple protocol for establishing a secure connection via a mutually -trusted 3rd party (server): + \begin{itemize} + \item Access policy for Bob for {\bf writing} + \end{itemize} -\begin{center} -\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l} -Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\ -Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\ -Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\ -Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\ -\end{tabular} -\end{center} + \bl{\begin{center} + \begin{tabular}{c} + \begin{tabular}{@ {}l@ {}} + $\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\ + \hspace{3cm}Bob controls Permitted $(f$, write$)$\\ + Bob says Permitted $($File, write$)$\\ + $slev($File$)$ $=$ $T\!S$\\ + $slev($Bob$)$ $=$ $S$\\ + $slev(P) < slev(S)$\\ + $slev(S) < slev(T\!S)$ + \end{tabular}\\ + \hline + Permitted $($File, write$)$ + \end{tabular} + \end{center}} -\end{frame}} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] \frametitle{Encrypted Messages} @@ -762,31 +423,91 @@ \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Trusted Third Party} + +Simple protocol for establishing a secure connection via a mutually +trusted 3rd party (server): + +\begin{center} +\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l} +Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\ +Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\ +Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\ +Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\ +\end{tabular} +\end{center} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Sending Rule} + + \bl{\begin{center} + \mbox{\infer{\Gamma \vdash Q \;\text{says}\; F} + {\Gamma \vdash P \;\text{says}\; F & \Gamma \vdash P \;\text{sends}\; Q : F}} + \end{center}}\bigskip\pause - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \bl{$P \,\text{sends}\, Q : F \dn$}\\ + \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$} + + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] \frametitle{Trusted Third Party} - \begin{itemize} - \item Alice calls Sam for a key to communicate with Bob - \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared) - \item Alice sends the message encrypted with the key and the second key it recieved - \end{itemize}\bigskip - \begin{center} - \bl{\begin{tabular}{lcl} - $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\ - $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\ - $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\ - $A$ sends $B$ &:& $\{m\}_{K_{AB}}$ + \bl{\begin{tabular}{l} + $A$ sends $S$ : $\text{Connect}(A,B)$\\ + \bl{$S \,\text{says}\, (\text{Connect}(A,B) \Rightarrow$}\\ + \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge + \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\ + $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\ + $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\ + $A$ sends $B$ : $\{m\}_{K_{AB}}$ \end{tabular}} - \end{center} + \end{center}\bigskip\pause + + + \bl{$\Gamma \vdash B \,\text{says} \, m$}? + \end{frame}} + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + \mode{ + \begin{frame}[c] + \frametitle{Public/Private Keys} + + \begin{itemize} + \item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip + \begin{center} + \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m} + {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} & + \Gamma \vdash K_{Bob}^{priv}}}} + \end{center}\bigskip\pause + + \item this is {\bf not} a derived rule! + \end{itemize} \end{frame}} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +% \begin{itemize} +% \item Alice calls Sam for a key to communicate with Bob +% \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared) + % \item Alice sends the message encrypted with the key and the second key it recieved + % \end{itemize}\bigskip + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \mode{ \begin{frame}[c] @@ -909,63 +630,462 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Another Challenge-Response} +\mode{ +\begin{frame}[c] + +A Man-in-the-middle attack in real life: + +\begin{itemize} +\item the card only says yes or no to the terminal if the PIN is correct +\item trick the card in thinking transaction is verified by signature +\item trick the terminal in thinking the transaction was verified by PIN +\end{itemize} + +\begin{minipage}{1.1\textwidth} +\begin{center} +\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png} +\includegraphics[scale=0.3]{pics/chipnpinflaw.png} +\end{center} +\end{minipage} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Problems with EMV} + +\begin{itemize} +\item it is a wrapper for many protocols +\item specification by consensus (resulted unmanageable complexity) +\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some +further parts are secret +\item other attacks have been found + +\item one solution might be to require always online verification of the PIN with the bank +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Problems with WEP (Wifi)\end{tabular}} + +\begin{itemize} +\item a standard ratified in 1999 +\item the protocol was designed by a committee not including cryptographers +\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce +\item WEP did not allocate enough bits for the nonce +\item for authenticating packets it used CRC checksum which can be easily broken +\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip +\item encryption was turned off by default +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Protocols are Difficult} + +\begin{itemize} +\item even the systems designed by experts regularly fail\medskip +\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip +\item the one who can fix a system should also be liable for the losses\medskip +\item cryptography is often not {\bf the} answer\bigskip\bigskip +\end{itemize} + +logic is one way protocols are studied in academia +(you can use computers to search for attacks) + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Public-Key Infrastructure} + +\begin{itemize} +\item the idea is to have a certificate authority (CA) +\item you go to the CA to identify yourself +\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip +\item CA must be trusted by everybody +\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign +explicitly limits liability to \$100.) +\end{itemize} -\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify -each other\bigskip +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Privacy, Anonymity et al} + +Some terminology: + +\begin{itemize} +\item \alert{secrecy} is the mechanism used to limit the number of +principals with access to information (eg, cryptography or access controls) + +\item \alert{confidentiality} is the obligation to protect the secrets of other people +or organizations (secrecy for the benefit of an organisation) + +\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret) + +\item \alert{privacy} is the ability or right to protect your personal secrets +(secrecy for the benefit of an individual) + +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{Privacy vs Anonymity} + +\begin{itemize} +\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review) +\end{itemize}\bigskip\bigskip\pause + + +But privacy?\bigskip\bigskip + +``You have zero privacy anyway. Get over it.''\\ +\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\ + + +If you have nothing to hide, you have nothing to fear. + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{Privacy} + +private data can be often used against me + +\begin{itemize} +\item if my location data becomes public, thieves will switch off their phones and help themselves in my home +\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages) +\item my employer might not like my opinions\bigskip\pause + +\item one the other hand, Freedom-of-Information Act +\item medical data should be private, but medical research needs data +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{Privacy Problems} + +\begin{itemize} +\item Apple takes note of every dictation (send over the Internet to Apple) +\item markets often only work, if data is restricted (to build trust) +\item Social network can reveal data about you +\item have you tried the collusion extension for FireFox? +\item I do use Dropbox and store cards\bigskip +\item next week: anonymising data +\end{itemize} + +\begin{textblock}{5}(12,9.8) +\includegraphics[scale=0.2]{pics/gattaca.jpg}\\ +\small Gattaca (1997) +\end{textblock} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + - \begin{itemize} - \item \bl{$A \,\text{sends}\, B : A, N_A$} - \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$} - \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$} - \end{itemize} - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[t] +\frametitle{Privacy} + +\begin{minipage}{1.05\textwidth} +\begin{itemize} +\item we \alert{do} want that government data is made public (free maps for example) +\item we \alert{do not} want that medical data becomes public (similarly tax data, school +records, job offers)\bigskip +\item personal information can potentially lead to fraud +(identity theft) +\end{itemize}\pause + +{\bf ``The reality'':} +\only<2>{\begin{itemize} +\item London Health Programmes lost in June last year unencrypted details of more than 8 million people +(no names, but postcodes and details such as gender, age and ethnic origin) +\end{itemize}} +\only<3>{\begin{itemize} +\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. +\end{itemize}} +\end{minipage} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Privacy and Big Data} + +Selected sources of ``Big Data'':\smallskip{} + +\begin{itemize} +\item Facebook +\begin{itemize} +\item 40+ Billion photos (100 PB) +\item 6 Billion messages daily (5 - 10 TB) +\item 900 Million users +\end{itemize} +\item Common Crawl +\begin{itemize} +\item covers 3.8 Billion webpages (2012 dataset) +\item 50 TB of data +\end{itemize} +\item Google +\begin{itemize} +\item 20 PB daily (2008) +\end{itemize} +\item Twitter +\begin{itemize} +\item 7 Million users in the UK +\item a company called Datasift is allowed to mine all tweets since 2010 +\item they charge 10k per month for other companies to target advertisement +\end{itemize} +\end{itemize}\pause + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Cookies\ldots} + +``We have published a new cookie policy. It explains what cookies are +and how we use them on our site. To learn more about cookies and +their benefits, please view our cookie policy.\medskip + +If you'd like to disable cookies on this device, please view our information +pages on 'How to manage cookies'. Please be aware that parts of the +site will not function correctly if you disable cookies. \medskip + +By closing this +message, you consent to our use of cookies on this device in accordance +with our cookie policy unless you have disabled them.'' + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Scare Tactics} + +The actual policy reads:\bigskip + +``As we explain in our Cookie Policy, cookies help you to get the most +out of our websites.\medskip + +If you do disable our cookies you may find that certain sections of our +website do not work. For example, you may have difficulties logging in +or viewing articles.'' + + + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Netflix Prize} + +Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip + +\begin{itemize} +\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm +\item dataset contained 10\% of all Netflix users (appr.~500K) +\item names were removed, but included numerical ratings as well as times of rating +\item some information was \alert{perturbed} (i.e., slightly modified) +\end{itemize} + +\hfill{\bf\alert{All OK?}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Re-identification Attack} + +Two researchers analysed the data: + +\begin{itemize} +\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the +records can be identified +\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause +\item they took 50 samples from IMDb (where people can reveal their identity) +\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates) +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{} + +\begin{itemize} +\item Birth data, postcode and gender (unique for\\ 87\% of the US population) +\item Preferences in movies (99\% of 500K for 8 ratings) +\end{itemize}\bigskip + +Therefore best practices / or even law (HIPAA, EU): + +\begin{itemize} +\item only year dates (age group for 90 years or over), +\item no postcodes (sector data is OK, similarly in the US)\\ +\textcolor{gray}{no names, addresses, account numbers, licence plates} +\item disclosure information needs to be retained for 5 years +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}<2>[c] +\frametitle{How to Safely Disclose Information?} + +\only<1>{ +\begin{itemize} +\item Assume you make a survey of 100 randomly chosen people. +\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the +Gangnam video on youtube.\bigskip + +\item What can you infer about the rest of the population? +\end{itemize}} +\only<2>{ +\begin{itemize} +\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause + +\item Not even releasing only aggregate information prevents re-identification attacks. +(GWAS was a public database of gene-frequency studies linked to diseases; +you only needed partial DNA information in order +to identify whether an individual was part of the study --- DB closed in 2008) +\end{itemize}} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Another Challenge-Response} -\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify -each other\bigskip - - \begin{itemize} - \item \bl{$A \,\text{sends}\, B : A, N_A$} - \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$} - \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$} - \end{itemize} - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - \mode{ - \begin{frame}[c] - \frametitle{Another Challenge-Response} - -Unfortunately, an intruder \bl{$I$} can impersonate \bl{$B$}. +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Differential Privacy} \begin{center} -\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}} -\begin{tabular}{@{}l@{}} -\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\ -\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ -\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\ +User\;\;\;\; +\begin{tabular}{c} +tell me \bl{$f(x)$} $\Rightarrow$\\ +$\Leftarrow$ \bl{$f(x) + \text{noise}$} \end{tabular} -& -\begin{tabular}{@{}l@{}} -\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\ -\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\ -\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\ -\end{tabular} +\;\;\;\;\begin{tabular}{@{}c} +Database\\ +\bl{$x_1, \ldots, x_n$} \end{tabular} \end{center} - \end{frame}} - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\begin{itemize} +\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to +individual entries \bl{$x_1, \ldots, x_n$}\\ +\item Intuition: whatever is learned from the dataset would be learned regardless of whether +\bl{$x_i$} participates\bigskip\pause + +\item Noised needed in order to prevent queries:\\ Christian's salary $=$ +\begin{center} +\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian +\end{center} +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{Adding Noise} + +Adding noise is not as trivial as one would wish: + +\begin{itemize} +\item If I ask how many of three have seen the Gangnam video and get a result +as follows + +\begin{center} +\begin{tabular}{l|c} +Alice & yes\\ +Bob & no\\ +Charlie & yes\\ +\end{tabular} +\end{center} + +then I have to add a noise of \bl{$1$}. So answers would be in the +range of \bl{$1$} to \bl{$3$} + +\bigskip +\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots), +then one individual can change the dataset by \bl{$5$} +\end{itemize} + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}} + +According to Ross Anderson: \bigskip +\begin{itemize} +\item Privacy in a big hospital is just about doable.\medskip +\item How do you enforce privacy in something as big as Google +or complex as Facebook? No body knows.\bigskip + +Similarly, big databases imposed by government +\end{itemize} + + +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \end{document}