AURA: A programming language for authorization and audit
Jeff Vaughan
Limin Jia, Karl Mazurak, Jianzhou Zhao, Luke Zarko, Joseph Schorr, and Steve Zdancewic
Department of Computer and Information Science, University of Pennsylvania
ICFP, September 22, 2008

A distributed access control example
Jukebox’s signature:
playFor raw: (s: Song) → (p: prin) → Unit

International Cartel for Fonograph Players Policy
Policy Statement (Simple):
- Songs have one or more owners.
- An owner may authorize principals to play songs he owns.
Policy Enforcement Problems (Hard):
- distributed decision making
- mutual distrust
- prominent use of delegation

AURA: Enforce policy with proof carrying access control.
Programs build proofs attesting to their access rights.
Proof components:
- standard rules of inference
- evidence capturing principal intent (e.g. signatures)
AURA runtime:
- checks proof structure (well-typedness)
- logs appropriate proofs for later audit
Proof Carrying Code [Necula+ 98], Grey Project [Bauer+ 05], Protocol Analysis [Fournet+ 07], Evidence-Based Audit [CSF 08]

Encoding policy at the ICFP server
shareRule ≡ self says ((o: prin) → (s: Song) → (r: prin) →
                       (Owns o s) → (o says (MayPlay r s)) → (MayPlay r s))
playFor: (s: Song) → (p: prin) → pf (self says (MayPlay p s)) → Unit
Key Property
A program can only call playFor when it has an appropriate access control proof.
AURA features above: pf, self, says, dependency, effects ...

Using the ICFP policy.
sign(ICFP, shareRule): ICFP says shareRule
[Figure: the proof p is assembled from ICFP says ..., Alice says ..., shareRule, ..., and concludes ICFP says (MayPlay Bob TakeFive); a later frame adds the Auditor]
Signatures used to grant Bob access to TakeFive:
sign(ICFP, shareRule): ICFP says shareRule
sign(Alice, ...)
sign(ICFP, ...)

Language Design and Features

AURA’s type system is divided into two universes.
Type: Contains computation expressions. Includes non-termination and world effects.
Prop: Contains pure expressions with a clear interpretation as proofs.

Aura’s says modality represents affirmation.
The proposition “principal Alice affirms proposition P.”:
Alice says P: Prop
Principals may actively affirm propositions with signatures:
sign(Alice, P): Alice says P
Principals affirm “true” propositions:
return Alice p: Alice says P, when p: P.
DCC [Abadi+ 06], Logic with Explicit Time [DeYoung+ 08]

Dependent types allow for expressive rules.
Example (Bob acts for Alice)
Alice says ((P: Prop) → Bob says P → P)
Example (Bob acts for Alice only regarding jazz)
Alice says ((s: Song) → isJazz s → Bob says (MayPlay Bob s) → MayPlay Bob s)
Restricted formulation of dependent types:
- expressive enough for access control
- too weak for general correctness properties
- AURA feels more like ML than Coq

Effect say reifies a program’s authority as a signature.
Programs manufacture new sign objects with say.
Intuitively say uses the program’s (e.g. current user’s) private key to generate the signature.
Special principal self stands in for the program.
First version:
say P: self says P
say P ↦ sign(self, P)
Refined version:
say P: pf(self says P)
say P ↦ return(sign(self, P))
Technical Point: The pf monad protects the Prop universe from say’s world effect.

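The ICFP example (the shareRule policy, the three signatures that grant Bob access to TakeFive, and playFor's proof check and logging), together with the says rules sign and return and the say effect, modelled as an added Python example. This is not AURA code and not the project's interpreter: the pf monad and real cryptographic signing are not modelled (Sign is a plain record, so only proof structure is checked), the quantified rule is represented as a Python function of its bound names (Rule/Inst) rather than a genuine dependent type, SaysApp stands in for the bind of the says modality, and the names ICFP, Alice, Bob, TakeFive and Mallory are constructed sample data.

```python
"""Toy proof-carrying access control in the style of the AURA slides (added example)."""
from dataclasses import dataclass
from typing import Callable, Tuple, Union

# ---- Propositions (a miniature Prop universe) -----------------------------
@dataclass(frozen=True)
class Atom:            # assertion applied to arguments, e.g. Owns Alice TakeFive
    pred: str
    args: Tuple[str, ...]

@dataclass(frozen=True)
class Says:            # a says P
    prin: str
    prop: "Prop"

@dataclass(frozen=True)
class Implies:         # P → Q
    prem: "Prop"
    concl: "Prop"

@dataclass(frozen=True)
class Rule:            # (x1: prin) → ... → body, modelled as a Python function of the bound names
    body: Callable[..., "Prop"]

Prop = Union[Atom, Says, Implies, Rule]

# ---- Proof terms ----------------------------------------------------------
@dataclass(frozen=True)
class Sign:            # sign(a, P) : a says P   -- evidence of principal intent
    prin: str
    prop: Prop

@dataclass(frozen=True)
class Return:          # return a p : a says P   when p : P
    prin: str
    proof: "Proof"

@dataclass(frozen=True)
class Inst:            # instantiate a says Rule at concrete principals/songs
    proof: "Proof"
    args: Tuple[str, ...]

@dataclass(frozen=True)
class SaysApp:         # from a says (P → Q) and a says P conclude a says Q
    fn: "Proof"
    arg: "Proof"

Proof = Union[Sign, Return, Inst, SaysApp]

class ProofError(Exception):
    """The proof term is not well-typed: the runtime's structure check failed."""

def check(pr: Proof) -> Prop:
    """Return the proposition proved by `pr`, or raise ProofError."""
    if isinstance(pr, Sign):
        return Says(pr.prin, pr.prop)
    if isinstance(pr, Return):
        return Says(pr.prin, check(pr.proof))
    if isinstance(pr, Inst):
        t = check(pr.proof)
        if isinstance(t, Says) and isinstance(t.prop, Rule):
            return Says(t.prin, t.prop.body(*pr.args))
        raise ProofError(f"cannot instantiate {t}")
    if isinstance(pr, SaysApp):
        f, a = check(pr.fn), check(pr.arg)
        if (isinstance(f, Says) and isinstance(a, Says) and f.prin == a.prin
                and isinstance(f.prop, Implies) and f.prop.prem == a.prop):
            return Says(f.prin, f.prop.concl)
        raise ProofError(f"cannot apply {f} to {a}")
    raise ProofError(f"unknown proof term {pr!r}")

# ---- The ICFP server: policy, say effect, playFor, audit log --------------
SELF = "ICFP"          # the special principal `self` as seen at the ICFP server
# shareRule: (o: prin) → (s: Song) → (r: prin) → Owns o s → o says (MayPlay r s) → MayPlay r s
SHARE_RULE = Rule(lambda o, s, r: Implies(
    Atom("Owns", (o, s)),
    Implies(Says(o, Atom("MayPlay", (r, s))), Atom("MayPlay", (r, s)))))
AUDIT_LOG = []         # proofs accepted by play_for, kept for the auditor

def say(prop: Prop) -> Sign:
    """The `say` effect: reify the program's own authority as sign(self, P)."""
    return Sign(SELF, prop)

def play_for(song: str, prin: str, proof: Proof) -> str:
    """playFor: act only if `proof` establishes self says (MayPlay prin song)."""
    wanted = Says(SELF, Atom("MayPlay", (prin, song)))
    if check(proof) != wanted:
        raise ProofError(f"proof does not establish {wanted}")
    AUDIT_LOG.append((song, prin, proof))         # logged for later audit
    return f"playing {song} for {prin}"

def build_bob_proof() -> Proof:
    """Combine the three signatures from the slides into ICFP says (MayPlay Bob TakeFive)."""
    rule = Inst(say(SHARE_RULE), ("Alice", "TakeFive", "Bob"))  # sign(ICFP, shareRule), instantiated
    owns = say(Atom("Owns", ("Alice", "TakeFive")))             # sign(ICFP, Owns Alice TakeFive)
    alice = Sign("Alice", Atom("MayPlay", ("Bob", "TakeFive")))  # sign(Alice, MayPlay Bob TakeFive)
    return SaysApp(SaysApp(rule, owns), Return(SELF, alice))
```

Calling `play_for("TakeFive", "Bob", build_bob_proof())` succeeds and appends the proof to `AUDIT_LOG`. The two failure modes worth noting: a signature by a third party wrapped in `Return(SELF, ...)` only proves ICFP says (Mallory says ...), never ICFP says (MayPlay ...), so the jukebox refuses it; and instantiating shareRule with an owner other than the one named in the Owns signature makes the premise mismatch, so `check` raises. Everything the checker accepts is kept in the log, which is the artefact an auditor later inspects.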
AURA contains inductive types and assertions.
Inductive Types define complex data structures.
data List : Type → Type {
  | nil  : (t: Type) → (List t)
  | cons : (t: Type) → t → (List t) → (List t) }
Inductive Props define simple inference systems subject to a (draconian) positivity constraint.
data And : Prop → Prop → Prop {
  | both : (P: Prop) → (Q: Prop) → P → Q → And P Q }
data False : Prop { }
Assertions define access control predicates.
assert Owns : prin → Song → Prop

Assertion types are uninhabited, but not false.
Inductive types admit pattern matching.
Example
λf: Alice says False. λP: Prop. ... match f with (P) {} ...
: Alice says False → (P: Prop) → Alice says P
Assertions have no elimination form.
Intuition: Assertions ≈ type variables.
There is no analogous function of type
ICFP says (Owns Bob Thriller) → (P: Prop) → ICFP says P.

Theory and Practice

AURA’s metatheory: the view from 30,000 feet.
AURA is defined in a Pure-Type-Systems style.
t ::= Prop | Type | ...
    | (x: t) → t | t says t | ...
    | λx: t. t | sign(t, t) | ...
Call-by-value reduction ensures ⊥ isn’t confused for a proof.
Theorem (Syntactic Soundness)
Reduction preserves typing; well-typed terms don’t get stuck.
Theorem (Decidability of typechecking)
Either Σ; Γ ⊢ t1 : t2 or Σ; Γ ⊬ t1 : t2, constructively.

Aura’s core metatheory formalized in Coq.
Terms locally nameless, with De Bruijn indexed bound variables and named free variables.
Formalized features: inductive data types, Prop and Type language fragments, says and pf modalities, ...
Development Size (in lines of commented Coq code):
  Definitions                    1400
  Type Soundness                 6000
  Decidability of Typechecking   5000
Engineering Formal Metatheory [Aydemir+ 08]

Aura is real.
Current Features:
- Interpreter and typechecker for full language
- Foreign function interface
Coming Soon:
- Cryptographic implementation of sign
- Automatic logging
Future Research:
- Type inference?
- Surface syntax?
- Information flow?
- Effects tracking?
Demo

Conclusion
The AURA language ...
- unifies access control and computation.
- supports arbitrary domain-specific authorization policies.
- mixes weak dependency, effects, and authorization logic in a compelling way.
Interpreter, Coq scripts, and papers available from http://www.cis.upenn.edu/~stevez/sol/aura.html

Bonus Slides
- Access Control Matrices and Capabilities
- Mechanizing AURA was a positive experience.

Conventional techniques handle the ICFP policy poorly.
Access control matrices:
- ICFP server stores the list of owners and delegations.
- Owner must contact ICFP server directly to delegate.
- All participants must trust server’s records re: delegation.
Atomic capabilities:
- Unforgeable, atomic tokens serve as tickets to play songs.
- Who issues the tokens?

Mechanizing AURA was a positive experience.
Aura is large:
- 21 syntactic forms
- 15 judgments
- 63 inference rules
Mechanization helped us manage AURA’s complexity. Coq proofs ...
- provided assurance that we hadn’t made mistakes.
- enabled us to experiment without rechecking pages of unaffected proofs.
- simplified collaboration (source control, etc.).