SAFE: A Declarative Trust-Agile System with Linked Credentials

Abstract

Secure Access For Everyone (SAFE), is an integrated system for managing trustusing a logic-based declarative language. Logical trust systems authorize eachrequest by constructing a proof from a context---a set of authenticated logicstatements representing credentials and policies issued by various principalsin a networked system. A key barrier to practical use of logical trust systemsis the problem of managing proof contexts: identifying, validating, andassembling the credentials and policies that are relevant to each trustdecision. SAFE addresses this challenge by (i) proposing a distributed authenticated datarepository for storing the credentials and policies; (ii) introducing aprogrammable credential discovery and assembly layer that generates theappropriate tailored context for a given request. The authenticated datarepository is built upon a scalable key-value store with its contents named bysecure identifiers and certified by the issuing principal. The SAFE languageprovides scripting primitives to generate and organize logic sets representingcredentials and policies, materialize the logic sets as certificates, and linkthem to reflect delegation patterns in the application. The authorizer fetchesthe logic sets on demand, then validates and caches them locally for furtheruse. Upon each request, the authorizer constructs the tailored proof contextand provides it to the SAFE inference for certified validation.Delegation-driven credential linking with certified data distribution providesflexible and dynamic policy control enabling security and trust infrastructureto be agile, while addressing the perennial problems related to today'scertificate infrastructure: automated credential discovery, scalablerevocation, and issuing credentials without relying on centralized authority.We envision SAFE as a new foundation for building secure network systems. Weused SAFE to build secure services based on case studies drawn from practice:(i) a secure name service resolver similar to DNS that resolves a name acrossmulti-domain federated systems; (ii) a secure proxy shim to delegate accesscontrol decisions in a key-value store; (iii) an authorization module for anetworked infrastructure-as-a-service system with a federated trust structure(NSF GENI initiative); and (iv) a secure cooperative data analytics servicethat adheres to individual secrecy constraints while disclosing the data. Wepresent empirical evaluation based on these case studies and demonstrate thatSAFE supports a wide range of applications with low overhead.