19 research outputs found

    A simple and efficient algorithm for cycle collection

    No full text

    PCAL: Language support for proof-carrying authorization systems

    No full text
    Abstract. By shifting the burden of proofs to the user, a proof-carrying authorization (PCA) system can automatically enforce complex access control policies. Unfortunately, managing those proofs can be a daunting task for the user. In this paper we develop a Bash-like language, PCAL, that can automate correct and efficient use of a PCA interface. Given a PCAL script, the PCAL compiler tries to statically construct the proofs required for executing the commands in the script, while re-using proofs to the extent possible and rewriting the script to construct the remaining proofs dynamically. We obtain a formal guarantee that if the policy does not change between compile time and run time, then the compiled script cannot fail due to access checks at run time.

    ConfValley

    No full text

    Reasoning about Dynamic Policies

    No full text
    Abstract. People often need to reason about policy changes before they are adopted. For example, suppose a website manager knows that users want to enter her site without going through the welcome page. To decide whether or not to permit this, the wise manager will consider the consequences of modifying the policies (e.g., would this allow users to bypass advertisements and legal notices?). Similarly, people often need to compare policy sets. For example, consider a person who wants to buy health insurance. Before choosing a provider, the customer will want to compare the different policies. In other words, the customer wants to reason about the effect of choosing one policy set over another. We introduce a logic, based on propositional dynamic logic, in which these tasks can be done. We give a sound and complete axiomatization for our logic, and also show that it is decidable. More precisely, the satisfiability problem is decidable in nondeterministic exponential time.