--- a/progs/prove.scala Sun Nov 17 19:22:57 2013 +0000
+++ b/progs/prove.scala Tue Nov 19 03:05:48 2013 +0000
@@ -15,6 +15,8 @@
case class Says(p: String, f: Form) extends Form
case class And(f1: Form, f2: Form) extends Form
case class Or(f1: Form, f2: Form) extends Form
+case class Sends(p: String, q: String, f: Form) extends Form
+case class Enc(f1: Form, f2: Form) extends Form
case class Judgement(gamma: Set[Form], f: Form) {
def lhs = gamma
@@ -67,6 +69,8 @@
case And(f1, f2) =>
prove(j.lhs |- f1,
() => prove(j.lhs |- f2, sc))
+ case Sends(p, q, f) => prove(j.lhs + (p says f) |- (q says f), sc)
+ case Enc(f1, f2) => prove(j.lhs + f1 |- f2, sc)
case _ => ()
}
@@ -79,12 +83,19 @@
case Imp(f1, f2) =>
prove(lhs_rest |- f1,
() => prove(lhs_rest + f2 |- rhs, sc))
+ case Sends(p, q, f) =>
+ prove(lhs_rest |- (p says f),
+ () => prove(lhs_rest + (q says f) |- rhs, sc))
+ case Enc(f1, f2) =>
+ prove(lhs_rest |- f1,
+ () => prove(lhs_rest + f2 |- rhs, sc))
case Or(f1, f2) =>
prove(lhs_rest + f1 |- rhs,
() => prove(lhs_rest + f2 |- rhs, sc))
case Says(p, Imp(f1, f2)) =>
prove(lhs_rest |- Says(p, f1),
- () => prove(lhs_rest + Says(p, f2) |- rhs, sc))
+ () => prove(lhs_rest + Says(p, f2) |- rhs, sc))
+
case _ => ()
}
@@ -128,4 +139,40 @@
run (Set[Form](AtLib, Policy_HoD, Policy_Lib) |- Email)
+println("Server Example")
+val Alice = "Alice"
+//val Bob = "Bob" -- already defined
+val Server = "Server"
+
+def Connect(p: String, q: String) : Form =
+ Pred("Connect", List(Var(p), Var(q)))
+
+
+val A = "A"
+val B = "B"
+val S = "S"
+val CAB = Connect(A, B)
+val Msg = Pred("Msg", Nil)
+val KAS = Pred("Kas", Nil)
+val KBS = Pred("Kbs", Nil)
+val KAB = Pred("Kab", Nil)
+
+val Gamma_big : Set[Form] =
+ Set( A says CAB,
+ Sends(A, S, CAB),
+ S says (CAB -> Enc(KAB, KAS)),
+ S says (CAB -> Enc(Enc(KAB, KBS), KAS)),
+ Sends(S, A, Enc(KAB, KAS)),
+ Sends(S, A, Enc(Enc(KAB, KBS), KAS)),
+ Sends(A, B, Enc(KAB, KBS)),
+ Sends(A, B, Enc(Msg, KAB)),
+ A says KAS,
+ B says KBS,
+ S says KAS,
+ A says (Enc(Msg, KAB))
+ )
+
+run (Gamma_big |- (B says Msg))
+
+
--- a/slides/slides07.tex Sun Nov 17 19:22:57 2013 +0000
+++ b/slides/slides07.tex Tue Nov 19 03:05:48 2013 +0000
@@ -1,8 +1,8 @@
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
+\usepackage{beamerthemeplaincu}
+%\usepackage[T1]{fontenc}
+%\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage{isabelle}
\usepackage{isabellesym}
@@ -27,6 +27,9 @@
\renewcommand{\isatagproof}{}
\renewcommand{\endisatagproof}{}
\renewcommand{\isamarkupcmt}[1]{#1}
+\newcommand{\isaliteral}[1]{}
+\newcommand{\isactrlisub}[1]{\emph{\isascriptstyle${}\sb{#1}$}}
+
% Isabelle characters
\renewcommand{\isacharunderscore}{\_}
@@ -93,126 +96,11 @@
showstringspaces=false}
% beamer stuff
-\renewcommand{\slidecaption}{APP 07, King's College London, 13 November 2012}
+\renewcommand{\slidecaption}{APP 07, King's College London, 19 November 2013}
\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-% The data files, written on the first run.
-\begin{filecontents}{re-python.data}
-1 0.029
-5 0.029
-10 0.029
-15 0.032
-16 0.042
-17 0.042
-18 0.055
-19 0.084
-20 0.136
-21 0.248
-22 0.464
-23 0.899
-24 1.773
-25 3.505
-26 6.993
-27 14.503
-28 29.307
-#29 58.886
-\end{filecontents}
-
-\begin{filecontents}{re1.data}
-1 0.00179
-2 0.00011
-3 0.00014
-4 0.00026
-5 0.00050
-6 0.00095
-7 0.00190
-8 0.00287
-9 0.00779
-10 0.01399
-11 0.01894
-12 0.03666
-13 0.07994
-14 0.08944
-15 0.02377
-16 0.07392
-17 0.22798
-18 0.65310
-19 2.11360
-20 6.31606
-21 21.46013
-\end{filecontents}
-
-\begin{filecontents}{re2.data}
-1 0.00240
-2 0.00013
-3 0.00020
-4 0.00030
-5 0.00049
-6 0.00083
-7 0.00146
-8 0.00228
-9 0.00351
-10 0.00640
-11 0.01217
-12 0.02565
-13 0.01382
-14 0.02423
-15 0.05065
-16 0.06522
-17 0.02140
-18 0.05176
-19 0.18254
-20 0.51898
-21 1.39631
-22 2.69501
-23 8.07952
-\end{filecontents}
-
-\begin{filecontents}{re-internal.data}
-1 0.00069
-301 0.00700
-601 0.00297
-901 0.00470
-1201 0.01301
-1501 0.01175
-1801 0.01761
-2101 0.01787
-2401 0.02717
-2701 0.03932
-3001 0.03470
-3301 0.04349
-3601 0.05411
-3901 0.06181
-4201 0.07119
-4501 0.08578
-\end{filecontents}
-
-\begin{filecontents}{re3.data}
-1 0.001605
-501 0.131066
-1001 0.057885
-1501 0.136875
-2001 0.176238
-2501 0.254363
-3001 0.37262
-3501 0.500946
-4001 0.638384
-4501 0.816605
-5001 1.00491
-5501 1.232505
-6001 1.525672
-6501 1.757502
-7001 2.092784
-7501 2.429224
-8001 2.803037
-8501 3.463045
-9001 3.609
-9501 4.081504
-10001 4.54569
-\end{filecontents}
-
\begin{document}
@@ -234,7 +122,7 @@
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
- Of$\!$fice: & S1.27 (1st floor Strand Building)\\
+ Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also homework is there)\\
\end{tabular}
\end{center}
@@ -242,486 +130,259 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Judgements}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw (0.0,0.0) node {\LARGE \bl{$\Gamma \vdash F$}};
- \onslide<2->{
- \draw (-1,-0.3) node (X) {};
- \draw (-2.0,-2.0) node (Y) {};
- \draw (0.7,-3) node {\begin{tabular}{l}Gamma\\stands for a collection of formulas\\(``assumptions'')\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y) -- (X);
- \draw (1.2,-0.1) node (X1) {};
- \draw (2.8,-0.1) node (Y1) {};
- \draw (4.5,-0.1) node {\begin{tabular}{l}a single formula\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y1) -- (X1);
-
- \draw (-0.1,0.1) node (X2) {};
- \draw (0.5,1.5) node (Y2) {};
- \draw (1,1.8) node {\begin{tabular}{l}entails sign\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y2) -- (X2);}
-
- \end{tikzpicture}
-\end{center}
-
-\pause\pause
-\footnotesize Gimel (Phoenician), Gamma (Greek), C and G (Latin), Gim (Arabic),\\[-2mm] ?? (Indian), Ge (Cyrillic)
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Inference Rules}
-
-\begin{center}
-\begin{tikzpicture}[scale=1]
-
- \draw (0.0,0.0) node
- {\Large\bl{\infer{\Gamma \vdash F_1 \wedge F_2}{\Gamma \vdash F_1 & \Gamma \vdash F_2}}};
-
- \draw (-0.1,-0.7) node (X) {};
- \draw (-0.1,-1.9) node (Y) {};
- \draw (-0.2,-2) node {\begin{tabular}{l}conclusion\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y) -- (X);
-
- \draw (-1,0.6) node (X2) {};
- \draw (0.0,1.6) node (Y2) {};
- \draw (0,1.8) node {\begin{tabular}{l}premisses\end{tabular}};
- \draw[red, ->, line width = 2mm] (Y2) -- (X2);
- \draw (1,0.6) node (X3) {};
- \draw (0.0,1.6) node (Y3) {};
- \draw[red, ->, line width = 2mm] (Y3) -- (X3);
- \end{tikzpicture}
-\end{center}
-
-\only<2>{
-\begin{textblock}{11}(1,13)
-\small
-\bl{$P \,\text{says}\, F \vdash Q\,\text{says}\, F\wedge P \,\text{says}\, G $}
-\end{textblock}}
-\only<3>{
-\begin{textblock}{11}(1,13)
-\small
-\bl{$\underbrace{P \,\text{says}\, F}_{\Gamma} \vdash \underbrace{Q\,\text{says}\, F}_{F_1} \,\wedge
- \underbrace{P \,\text{says}\, G}_{F_2} $}
-\end{textblock}}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-\begin{center}
-\Large
-\bl{\infer{\Gamma \vdash F_2}{\Gamma \vdash F_1\Rightarrow F_2 & \Gamma \vdash F_1}}\bigskip\bigskip\bigskip
-
-\bl{\infer{\Gamma\vdash P\,\text{says}\, F}{\Gamma \vdash F}}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[t]
-
-We want to prove
-
-\begin{center}
-\bl{$\Gamma \vdash \text{del\_file}$}
-\end{center}\pause
-
-There is an inference rule
-
-\begin{center}
-\bl{\infer{\Gamma \vdash P \,\text{says}\, F}{\Gamma \vdash F}}
-\end{center}\pause
-
-So we can derive \bl{$\Gamma \vdash \text{Alice} \,\text{says}\,\text{del\_file}$}.\bigskip\pause
-
-\bl{$\Gamma$} contains already \bl{$\text{Alice} \,\text{says}\,\text{del\_file}$}. \\
-So we can use the rule
-
-\begin{center}
-\bl{\infer{\Gamma, F \vdash F}{}}
-\end{center}
-
-\onslide<5>{\bf\alert{What is wrong with this?}}
-\hfill{\bf Done. Qed.}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Digression: Proofs in CS}
-
-Formal proofs in CS sound like science fiction? Completely irrelevant!
-Lecturers gone mad!\pause
-
-\begin{itemize}
-\item in 2008, verification of a small C-compiler
-\begin{itemize}
-\item ``if my input program has a certain behaviour, then the compiled machine code has the same behaviour''
-\item is as good as \texttt{gcc -O1}, but less buggy
-\end{itemize}
-\medskip
-\item in 2010, verification of a micro-kernel operating system (approximately 8700 loc)
-\begin{itemize}
-\item 200k loc of proof
-\item 25 - 30 person years
-\item found 160 bugs in the C code (144 by the proof)
-\end{itemize}
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{}
- \begin{tabular}{c@ {\hspace{2mm}}c}
- \\[6mm]
- \begin{tabular}{c}
- \includegraphics[scale=0.11]{harper.jpg}\\[-2mm]
- {\footnotesize Bob Harper}\\[-2.5mm]
- {\footnotesize (CMU)}
- \end{tabular}
- \begin{tabular}{c}
- \includegraphics[scale=0.37]{pfenning.jpg}\\[-2mm]
- {\footnotesize Frank Pfenning}\\[-2.5mm]
- {\footnotesize (CMU)}
- \end{tabular} &
-
- \begin{tabular}{p{6cm}}
- \raggedright
- \color{gray}{published a proof about a specification in a journal (2005),
- $\sim$31pages}
- \end{tabular}\\
-
- \pause
- \\[0mm]
-
- \begin{tabular}{c}
- \includegraphics[scale=0.36]{appel.jpg}\\[-2mm]
- {\footnotesize Andrew Appel}\\[-2.5mm]
- {\footnotesize (Princeton)}
- \end{tabular} &
+ Recall the following scenario:
- \begin{tabular}{p{6cm}}
- \raggedright
- \color{gray}{relied on their proof in a\\ {\bf security} critical application}
- \end{tabular}
- \end{tabular}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}
- \frametitle{Proof-Carrying Code}
-
- \begin{textblock}{10}(2.5,2.2)
- \begin{block}{Idea:}
- \begin{center}
- \begin{tikzpicture}
- \draw[help lines,cream] (0,0.2) grid (8,4);
-
- \draw[line width=1mm, red] (5.5,0.6) rectangle (7.5,4);
- \node[anchor=base] at (6.5,2.8)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering user: untrusted code\end{tabular}};
-
- \draw[line width=1mm, red] (0.5,0.6) rectangle (2.5,4);
- \node[anchor=base] at (1.5,2.3)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\centering developer ---\\ web server\end{tabular}};
-
- \onslide<3->{
- \draw[line width=1mm, red, fill=red] (5.5,0.6) rectangle (7.5,1.8);
- \node[anchor=base,white] at (6.5,1.1)
- {\small\begin{tabular}{@ {}p{1.9cm}@ {}}\bf\centering proof- checker\end{tabular}};}
-
- \node at (3.8,3.0) [single arrow, fill=red,text=white, minimum height=3cm]{\bf code};
- \onslide<2->{
- \node at (3.8,1.3) [single arrow, fill=red,text=white, minimum height=3cm]{\bf certificate};
- \node at (3.8,1.9) {\small\color{gray}{\mbox{}\hspace{-1mm}a proof}};
- }
+ \begin{itemize}
+ \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file}}
+ should be deleted, then this file must be deleted.
+ \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
+ \textcolor{blue}{\isa{file}} should be deleted (delegation).
+ \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file}}.
+ \end{itemize}\bigskip
-
- \end{tikzpicture}
- \end{center}
- \end{block}
- \end{textblock}
-
- %\begin{textblock}{15}(2,12)
- %\small
- %\begin{itemize}
- %\item<4-> Appel's checker is $\sim$2700 lines of code (1865 loc of\\ LF definitions;
- %803 loc in C including 2 library functions)\\[-3mm]
- %\item<5-> 167 loc in C implement a type-checker
- %\end{itemize}
- %\end{textblock}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- \tikzstyle{every node}=[node distance=25mm,text height=1.5ex, text depth=.25ex]
- \tikzstyle{node1}=[rectangle, minimum size=10mm, rounded corners=3mm, very thick,
- draw=black!50, top color=white, bottom color=black!20]
- \tikzstyle{node2}=[rectangle, minimum size=12mm, rounded corners=3mm, very thick,
- draw=red!70, top color=white, bottom color=red!50!black!20]
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}<2->[squeeze]
- \frametitle{}
-
- \begin{columns}
-
- \begin{column}{0.8\textwidth}
- \begin{textblock}{0}(1,2)
+ \small
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\
+ \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
+ \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\
+ \end{tabular}}\medskip
- \begin{tikzpicture}
- \matrix[ampersand replacement=\&,column sep=7mm, row sep=5mm]
- { \&[-10mm]
- \node (def1) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}}; \&
- \node (proof1) [node1] {\large Proof}; \&
- \node (alg1) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}}; \\
-
- \onslide<4->{\node {\begin{tabular}{c}\small 1st\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<4->{\node (def2) [node2] {\large Spec$^\text{+ex}$};} \&
- \onslide<4->{\node (proof2) [node1] {\large Proof};} \&
- \onslide<4->{\node (alg2) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
-
- \onslide<5->{\node {\begin{tabular}{c}\small 2nd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<5->{\node (def3) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
- \onslide<5->{\node (proof3) [node1] {\large Proof};} \&
- \onslide<5->{\node (alg3) [node2] {\large Alg$^\text{-ex}$};} \\
+ \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}}
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \onslide<6->{\node {\begin{tabular}{c}\small 3rd\\[-2.5mm] \footnotesize solution\end{tabular}};} \&
- \onslide<6->{\node (def4) [node1] {\large\hspace{1mm}Spec\hspace{1mm}\mbox{}};} \&
- \onslide<6->{\node (proof4) [node2] {\large\hspace{1mm}Proof\hspace{1mm}};} \&
- \onslide<6->{\node (alg4) [node1] {\large\hspace{1mm}Alg\hspace{1mm}\mbox{}};} \\
- };
-
- \draw[->,black!50,line width=2mm] (proof1) -- (def1);
- \draw[->,black!50,line width=2mm] (proof1) -- (alg1);
-
- \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (def2);}
- \onslide<4->{\draw[->,black!50,line width=2mm] (proof2) -- (alg2);}
-
- \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (def3);}
- \onslide<5->{\draw[->,black!50,line width=2mm] (proof3) -- (alg3);}
-
- \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (def4);}
- \onslide<6->{\draw[->,black!50,line width=2mm] (proof4) -- (alg4);}
-
- \onslide<3->{\draw[white,line width=1mm] (1.1,3.2) -- (0.9,2.85) -- (1.1,2.35) -- (0.9,2.0);}
- \end{tikzpicture}
-
- \end{textblock}
- \end{column}
- \end{columns}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {\hspace{-2mm}}c@ {}}The Access Control Problem\end{tabular}}
- \begin{textblock}{3}(12,3.6)
- \onslide<4->{
- \begin{tikzpicture}
- \node at (0,0) [single arrow, shape border rotate=270, fill=red,text=white]{2h};
- \end{tikzpicture}}
- \end{textblock}
+\begin{center}
+ \begin{tikzpicture}[scale=1]
+
+ \draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2);
+ \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
+ \draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}};
+ \draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}};
+
+ \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
+ \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
+ \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
+
+ \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\boldmath\bl{$\Gamma$})\end{tabular}};
+
+ \end{tikzpicture}
+\end{center}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+
+\begin{itemize}
+\item \bl{$P \,\text{says}\, F$} means \bl{$P$} can send a ``signal'' \bl{$F$} through a wire, or
+can make a ``statement'' \bl{$F$}\bigskip\pause
+
+\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\
+\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip
+
+\begin{center}
+\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}}
+\end{center}
+
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
- \frametitle{Mars Pathfinder Mission 1997}
+ \frametitle{Security Levels}
+ \small
+
+ \begin{itemize}
+ \item Top secret (\bl{$T\!S$})
+ \item Secret (\bl{$S$})
+ \item Public (\bl{$P$})
+ \end{itemize}
\begin{center}
- \includegraphics[scale=0.15]{marspath1.png}
- \includegraphics[scale=0.16]{marspath3.png}
- \includegraphics[scale=0.3]{marsrover.png}
+ \bl{$slev(P) < slev(S) < slev(T\!S)$}\pause
\end{center}
-
+
\begin{itemize}
- \item despite NASA's famous testing procedure, the lander crashed frequently on Mars
- \item problem was an algorithm not used in the OS
+ \item Bob has a clearance for ``secret''
+ \item Bob can read documents that are public or sectret, but not top secret
\end{itemize}
\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading a File}
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ \only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\
+ \only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\
+ Bob says Permitted $($File, read$)$\only<2->{\\}
+ \only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}%
+ \only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}%
+ \only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}%
+ \only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}%
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
- \frametitle{Priority Inheritance Protocol}
+ \frametitle{Substitution Rule}
+ \small
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ $\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$
+ \hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline
+ $\Gamma \vdash slev(P) < slev(Q)$
+ \end{tabular}
+ \end{center}}\bigskip\pause
\begin{itemize}
- \item \ldots a scheduling algorithm that is widely used in real-time operating systems
- \item has been ``proved'' correct by hand in a paper in 1983
- \item \ldots but the first algorithm turned out to be incorrect, despite its ``proof''\bigskip\pause
-
- \item we specified the algorithm and then proved that the specification makes
- ``sense''
- \item we implemented our specification in C on top of PINTOS (used for teaching at Stanford)
- \item our implementation was much more efficient than their reference implementation
+ \item \bl{$slev($Bob$)$ $=$ $S$}
+ \item \bl{$slev($File$)$ $=$ $P$}
+ \item \bl{$slev(P) < slev(S)$}
\end{itemize}
\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Regular Expression Matching}
-\tiny
-
-\begin{tabular}{@ {\hspace{-6mm}}cc}
-\begin{tikzpicture}[y=.1cm, x=.15cm]
- %axis
- \draw (0,0) -- coordinate (x axis mid) (30,0);
- \draw (0,0) -- coordinate (y axis mid) (0,30);
- %ticks
- \foreach \x in {0,5,...,30}
- \draw (\x,1pt) -- (\x,-3pt)
- node[anchor=north] {\x};
- \foreach \y in {0,5,...,30}
- \draw (1pt,\y) -- (-3pt,\y)
- node[anchor=east] {\y};
- %labels
- \node[below=0.3cm] at (x axis mid) {\bl{a}s};
- \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading a File}
- %plots
- \draw[color=blue] plot[mark=*, mark options={fill=white}]
- file {re-python.data};
- \only<1->{
- \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
- file {re1.data};}
- \only<1->{
- \draw[color=green] plot[mark=square*, mark options={fill=white} ]
- file {re2.data};}
-
- %legend
- \begin{scope}[shift={(4,20)}]
- \draw[color=blue] (0,0) --
- plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Python};
- \only<1->{\draw[yshift=6mm, color=red] (0,0) --
- plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V1};}
- \only<1->{
- \draw[yshift=12mm, color=green] (0,0) --
- plot[mark=square*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V2 with simplifications};}
- \end{scope}
-\end{tikzpicture} &
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $($File, read$)$\\
+ Bob says Permitted $($File, read$)$\\
+ $slev($File$)$ $=$ $P$\\
+ $slev($Bob$)$ $=$ $T\!S$\\
+ \only<1>{\textcolor{red}{$?$}}%
+ \only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}%
+ \only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}%
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
-\begin{tikzpicture}[y=.35cm, x=.00045cm]
- %axis
- \draw (0,0) -- coordinate (x axis mid) (10000,0);
- \draw (0,0) -- coordinate (y axis mid) (0,6);
- %ticks
- \foreach \x in {0,2000,...,10000}
- \draw (\x,1pt) -- (\x,-3pt)
- node[anchor=north] {\x};
- \foreach \y in {0,1,...,6}
- \draw (1pt,\y) -- (-3pt,\y)
- node[anchor=east] {\y};
- %labels
- \node[below=0.3cm] at (x axis mid) {\bl{a}s};
- \node[rotate=90, left=0.6cm] at (y axis mid) {secs};
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Transitivity Rule}
+ \small
+
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ $\Gamma \vdash l_1 < l_2$
+ \hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline
+ $\Gamma \vdash l_1 < l_3$
+ \end{tabular}
+ \end{center}}\bigskip
+
+ \begin{itemize}
+ \item \bl{$slev(P) < slev (S)$}
+ \item \bl{$slev(S) < slev (T\!S)$}
+ \item[] \bl{$slev(P) < slev (T\!S)$}
+ \end{itemize}
- %plots
- \draw[color=blue] plot[mark=*, mark options={fill=white}]
- file {re-internal.data};
- \only<1->{
- \draw[color=red] plot[mark=triangle*, mark options={fill=white} ]
- file {re3.data};}
-
- %legend
- \begin{scope}[shift={(2000,4)}]
- \draw[color=blue] (0,0) --
- plot[mark=*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala Internal};
- \only<1->{
- \draw[yshift=6mm, color=red] (0,0) --
- plot[mark=triangle*, mark options={fill=white}] (0.25,0) -- (0.5,0)
- node[right]{\footnotesize Scala V3};}
- \end{scope}
-\end{tikzpicture}
-\end{tabular}\bigskip\pause
-\normalsize
-\begin{itemize}
-\item I needed a proof in order to make sure my program is correct
-\end{itemize}\pause
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Reading Files}
+
+ \begin{itemize}
+ \item Access policy for Bob for reading
+ \end{itemize}
-\begin{center}
-\bl{End Digression.\\ (Our small proof is 0.0005\% of the OS-proof.)}
-\end{center}
-
-\end{frame}}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{One More Thing}
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $(f$, read$)$\\
+ Bob says Permitted $($File, read$)$\\
+ $slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\
+ $slev($Bob$)$ $=$ $T\!S$\\
+ $slev(P) < slev(S)$\\
+ $slev(S) < slev(T\!S)$
+ \end{tabular}\\
+ \hline
+ Permitted $($File, read$)$
+ \end{tabular}
+ \end{center}}
-\begin{itemize}
-\item I arrived at King's last year
-\item Maxime Crochemore told me about a string algorithm (suffix sorting) that appeared at a
-conference in 2007 (ICALP)
-\item ``horribly incomprehensible'', no implementation, but claims to be the best \bl{$O(n + k)$} algorithm\bigskip\pause
-
-\item Jian Jiang found 1 error and 1 superfluous step in this algorithm
-\item he received 88\% for the project and won the prize for the best 7CCSMPRJ project in the department
-\item no proof \ldots{} yet
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Trusted Third Party}
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Writing Files}
-Simple protocol for establishing a secure connection via a mutually
-trusted 3rd party (server):
+ \begin{itemize}
+ \item Access policy for Bob for {\bf writing}
+ \end{itemize}
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
-Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
+ \bl{\begin{center}
+ \begin{tabular}{c}
+ \begin{tabular}{@ {}l@ {}}
+ $\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\
+ \hspace{3cm}Bob controls Permitted $(f$, write$)$\\
+ Bob says Permitted $($File, write$)$\\
+ $slev($File$)$ $=$ $T\!S$\\
+ $slev($Bob$)$ $=$ $S$\\
+ $slev(P) < slev(S)$\\
+ $slev(S) < slev(T\!S)$
+ \end{tabular}\\
+ \hline
+ Permitted $($File, write$)$
+ \end{tabular}
+ \end{center}}
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Encrypted Messages}
@@ -762,31 +423,91 @@
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Trusted Third Party}
+
+Simple protocol for establishing a secure connection via a mutually
+trusted 3rd party (server):
+
+\begin{center}
+\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
+Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
+Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
+Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
+Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
+\end{tabular}
+\end{center}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Sending Rule}
+
+ \bl{\begin{center}
+ \mbox{\infer{\Gamma \vdash Q \;\text{says}\; F}
+ {\Gamma \vdash P \;\text{says}\; F & \Gamma \vdash P \;\text{sends}\; Q : F}}
+ \end{center}}\bigskip\pause
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \bl{$P \,\text{sends}\, Q : F \dn$}\\
+ \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
+
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Trusted Third Party}
- \begin{itemize}
- \item Alice calls Sam for a key to communicate with Bob
- \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
- \item Alice sends the message encrypted with the key and the second key it recieved
- \end{itemize}\bigskip
-
\begin{center}
- \bl{\begin{tabular}{lcl}
- $A$ sends $S$ &:& $\textit{Connect}(A,B)$\\
- $S$ sends $A$ &:& $\{K_{AB}\}_{K_{AS}}$ \textcolor{black}{and} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ &:& $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ &:& $\{m\}_{K_{AB}}$
+ \bl{\begin{tabular}{l}
+ $A$ sends $S$ : $\text{Connect}(A,B)$\\
+ \bl{$S \,\text{says}\, (\text{Connect}(A,B) \Rightarrow$}\\
+ \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
+ \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
+ $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
+ $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
+ $A$ sends $B$ : $\{m\}_{K_{AB}}$
\end{tabular}}
- \end{center}
+ \end{center}\bigskip\pause
+
+
+ \bl{$\Gamma \vdash B \,\text{says} \, m$}?
+ \end{frame}}
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ \mode<presentation>{
+ \begin{frame}[c]
+ \frametitle{Public/Private Keys}
+
+ \begin{itemize}
+ \item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip
+ \begin{center}
+ \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
+ {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} &
+ \Gamma \vdash K_{Bob}^{priv}}}}
+ \end{center}\bigskip\pause
+
+ \item this is {\bf not} a derived rule!
+ \end{itemize}
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% \begin{itemize}
+% \item Alice calls Sam for a key to communicate with Bob
+% \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
+ % \item Alice sends the message encrypted with the key and the second key it recieved
+ % \end{itemize}\bigskip
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
@@ -909,63 +630,462 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
+\mode<presentation>{
+\begin{frame}[c]
+
+A Man-in-the-middle attack in real life:
+
+\begin{itemize}
+\item the card only says yes or no to the terminal if the PIN is correct
+\item trick the card in thinking transaction is verified by signature
+\item trick the terminal in thinking the transaction was verified by PIN
+\end{itemize}
+
+\begin{minipage}{1.1\textwidth}
+\begin{center}
+\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
+\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
+\end{center}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Problems with EMV}
+
+\begin{itemize}
+\item it is a wrapper for many protocols
+\item specification by consensus (resulted unmanageable complexity)
+\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
+further parts are secret
+\item other attacks have been found
+
+\item one solution might be to require always online verification of the PIN with the bank
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Problems with WEP (Wifi)\end{tabular}}
+
+\begin{itemize}
+\item a standard ratified in 1999
+\item the protocol was designed by a committee not including cryptographers
+\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
+\item WEP did not allocate enough bits for the nonce
+\item for authenticating packets it used CRC checksum which can be easily broken
+\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
+\item encryption was turned off by default
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Protocols are Difficult}
+
+\begin{itemize}
+\item even the systems designed by experts regularly fail\medskip
+\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
+\item the one who can fix a system should also be liable for the losses\medskip
+\item cryptography is often not {\bf the} answer\bigskip\bigskip
+\end{itemize}
+
+logic is one way protocols are studied in academia
+(you can use computers to search for attacks)
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Public-Key Infrastructure}
+
+\begin{itemize}
+\item the idea is to have a certificate authority (CA)
+\item you go to the CA to identify yourself
+\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
+\item CA must be trusted by everybody
+\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
+explicitly limits liability to \$100.)
+\end{itemize}
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy, Anonymity et al}
+
+Some terminology:
+
+\begin{itemize}
+\item \alert{secrecy} is the mechanism used to limit the number of
+principals with access to information (eg, cryptography or access controls)
+
+\item \alert{confidentiality} is the obligation to protect the secrets of other people
+or organizations (secrecy for the benefit of an organisation)
+
+\item \alert{anonymity} is the ability to leave no evidence of an activity (eg, sharing a secret)
+
+\item \alert{privacy} is the ability or right to protect your personal secrets
+(secrecy for the benefit of an individual)
+
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy vs Anonymity}
+
+\begin{itemize}
+\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review)
+\end{itemize}\bigskip\bigskip\pause
+
+
+But privacy?\bigskip\bigskip
+
+``You have zero privacy anyway. Get over it.''\\
+\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
+
+
+If you have nothing to hide, you have nothing to fear.
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+private data can be often used against me
+
+\begin{itemize}
+\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
+\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
+\item my employer might not like my opinions\bigskip\pause
+
+\item one the other hand, Freedom-of-Information Act
+\item medical data should be private, but medical research needs data
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy Problems}
+
+\begin{itemize}
+\item Apple takes note of every dictation (send over the Internet to Apple)
+\item markets often only work, if data is restricted (to build trust)
+\item Social network can reveal data about you
+\item have you tried the collusion extension for FireFox?
+\item I do use Dropbox and store cards\bigskip
+\item next week: anonymising data
+\end{itemize}
+
+\begin{textblock}{5}(12,9.8)
+\includegraphics[scale=0.2]{pics/gattaca.jpg}\\
+\small Gattaca (1997)
+\end{textblock}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+\begin{minipage}{1.05\textwidth}
+\begin{itemize}
+\item we \alert{do} want that government data is made public (free maps for example)
+\item we \alert{do not} want that medical data becomes public (similarly tax data, school
+records, job offers)\bigskip
+\item personal information can potentially lead to fraud
+(identity theft)
+\end{itemize}\pause
+
+{\bf ``The reality'':}
+\only<2>{\begin{itemize}
+\item London Health Programmes lost in June last year unencrypted details of more than 8 million people
+(no names, but postcodes and details such as gender, age and ethnic origin)
+\end{itemize}}
+\only<3>{\begin{itemize}
+\item also in June last year, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
+\end{itemize}}
+\end{minipage}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Privacy and Big Data}
+
+Selected sources of ``Big Data'':\smallskip{}
+
+\begin{itemize}
+\item Facebook
+\begin{itemize}
+\item 40+ Billion photos (100 PB)
+\item 6 Billion messages daily (5 - 10 TB)
+\item 900 Million users
+\end{itemize}
+\item Common Crawl
+\begin{itemize}
+\item covers 3.8 Billion webpages (2012 dataset)
+\item 50 TB of data
+\end{itemize}
+\item Google
+\begin{itemize}
+\item 20 PB daily (2008)
+\end{itemize}
+\item Twitter
+\begin{itemize}
+\item 7 Million users in the UK
+\item a company called Datasift is allowed to mine all tweets since 2010
+\item they charge 10k per month for other companies to target advertisement
+\end{itemize}
+\end{itemize}\pause
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Cookies\ldots}
+
+``We have published a new cookie policy. It explains what cookies are
+and how we use them on our site. To learn more about cookies and
+their benefits, please view our cookie policy.\medskip
+
+If you'd like to disable cookies on this device, please view our information
+pages on 'How to manage cookies'. Please be aware that parts of the
+site will not function correctly if you disable cookies. \medskip
+
+By closing this
+message, you consent to our use of cookies on this device in accordance
+with our cookie policy unless you have disabled them.''
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Scare Tactics}
+
+The actual policy reads:\bigskip
+
+``As we explain in our Cookie Policy, cookies help you to get the most
+out of our websites.\medskip
+
+If you do disable our cookies you may find that certain sections of our
+website do not work. For example, you may have difficulties logging in
+or viewing articles.''
+
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Netflix Prize}
+
+Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
+
+\begin{itemize}
+\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
+\item dataset contained 10\% of all Netflix users (appr.~500K)
+\item names were removed, but included numerical ratings as well as times of rating
+\item some information was \alert{perturbed} (i.e., slightly modified)
+\end{itemize}
+
+\hfill{\bf\alert{All OK?}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attack}
+
+Two researchers analysed the data:
+
+\begin{itemize}
+\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
+records can be identified
+\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
+\item they took 50 samples from IMDb (where people can reveal their identity)
+\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{}
+
+\begin{itemize}
+\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
+\item Preferences in movies (99\% of 500K for 8 ratings)
+\end{itemize}\bigskip
+
+Therefore best practices / or even law (HIPAA, EU):
+
+\begin{itemize}
+\item only year dates (age group for 90 years or over),
+\item no postcodes (sector data is OK, similarly in the US)\\
+\textcolor{gray}{no names, addresses, account numbers, licence plates}
+\item disclosure information needs to be retained for 5 years
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{How to Safely Disclose Information?}
+
+\only<1>{
+\begin{itemize}
+\item Assume you make a survey of 100 randomly chosen people.
+\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
+Gangnam video on youtube.\bigskip
+
+\item What can you infer about the rest of the population?
+\end{itemize}}
+\only<2>{
+\begin{itemize}
+\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause
+
+\item Not even releasing only aggregate information prevents re-identification attacks.
+(GWAS was a public database of gene-frequency studies linked to diseases;
+you only needed partial DNA information in order
+to identify whether an individual was part of the study --- DB closed in 2008)
+\end{itemize}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
-\bl{$A$} and \bl{$B$} share the key \bl{$K_{AB}$} and want to identify
-each other\bigskip
-
- \begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, N_A$}
- \item \bl{$B\,\text{sends}\, A : \{N_A, K'_{AB}\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_A\}_{K'_{AB}}$}
- \end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Another Challenge-Response}
-
-Unfortunately, an intruder \bl{$I$} can impersonate \bl{$B$}.
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Differential Privacy}
\begin{center}
-\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{1mm}}c@{}}
-\begin{tabular}{@{}l@{}}
-\onslide<1->{\bl{$A \,\text{sends}\, I : A, N_A$}}\\
-\onslide<4->{\bl{$I \,\text{sends}\, A : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<5->{\bl{$A \,\text{sends}\, I : \{N_A\}_{K'_{AB}}$}}\\
+User\;\;\;\;
+\begin{tabular}{c}
+tell me \bl{$f(x)$} $\Rightarrow$\\
+$\Leftarrow$ \bl{$f(x) + \text{noise}$}
\end{tabular}
-&
-\begin{tabular}{@{}l@{}}
-\onslide<2->{\bl{$I \,\text{sends}\, A : B, N_A$}}\\
-\onslide<3->{\bl{$A \,\text{sends}\, I : \{N_A,\!K'_{\!AB}\}_{K_{\!AB}}$}}\\
-\onslide<6->{\bl{$I \,\text{sends}\, A : \{N_A\}_{K'_{AB}}$}}\\
-\end{tabular}
+\;\;\;\;\begin{tabular}{@{}c}
+Database\\
+\bl{$x_1, \ldots, x_n$}
\end{tabular}
\end{center}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\begin{itemize}
+\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
+individual entries \bl{$x_1, \ldots, x_n$}\\
+\item Intuition: whatever is learned from the dataset would be learned regardless of whether
+\bl{$x_i$} participates\bigskip\pause
+
+\item Noised needed in order to prevent queries:\\ Christian's salary $=$
+\begin{center}
+\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
+\end{center}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Adding Noise}
+
+Adding noise is not as trivial as one would wish:
+
+\begin{itemize}
+\item If I ask how many of three have seen the Gangnam video and get a result
+as follows
+
+\begin{center}
+\begin{tabular}{l|c}
+Alice & yes\\
+Bob & no\\
+Charlie & yes\\
+\end{tabular}
+\end{center}
+
+then I have to add a noise of \bl{$1$}. So answers would be in the
+range of \bl{$1$} to \bl{$3$}
+
+\bigskip
+\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
+then one individual can change the dataset by \bl{$5$}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
+
+According to Ross Anderson: \bigskip
+\begin{itemize}
+\item Privacy in a big hospital is just about doable.\medskip
+\item How do you enforce privacy in something as big as Google
+or complex as Facebook? No body knows.\bigskip
+
+Similarly, big databases imposed by government
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}