diff --git a/design/img/security design.svg b/design/img/security design.svg index 40c199d..96188a1 100644 --- a/design/img/security design.svg +++ b/design/img/security design.svg 
@@ -1,7 +1,7 @@ -security designBad actorsByzantineApp impersonationClock forgerytraceabilityrealisationfrom operationsaccess control by storenot offlineno APIparsing libraryrequires published message specificationvoided operations includedno native compressionallows any fusion strategyhard to correlate with statevoiding invisiblenotify voidsFinal list indexOK if intent preservede.g. insert then deleteBase graphoriginal signed operation messages(inc. constraint applys)decentralisation-agnosticpush to any storetriggerin messagingin remotesfrom updatesaccess control by storenot offlineAPIvoided operations includedno native compressionallows any fusion strategycan expose fusion utilityemitted updates ≠ signed op messagesfusion cutsconstraint applysnot decentralisedrequires a storee.g. RDBMSrequires leadercannot change leaderusing Journalno access controlse.g. read permission to partynot extensiblesupports offlineno APIcreate one!voided operations are removedcould be optionally retainedalready does compressionoverloaded strategydifferent for journal and auditno record of compression actmachine does not have identitymachine-processedstored operations ≠ signed op messagesfusionsfusion cutsalready decentralisedneed to configure 1..* 'audit master'but not to genesisaccess controlactor "party" visible to those with readactor visible to auditoraudited datacompression ok (for readability)causal orderall operations since genesisincluding voidedvisible atomic operationsidentityversions?for tracing to other systemsprincipalsused to signverification can be onlineverifiable object just receivedmust be able to sign offlinesigning secret must existmachineshow to detect malwareclone twinningholo: peers verify blockchaindo not have state for hashstart from well-known state hashrequires enough peersm-ld not a platformassociate user IDsandboxing on iOS, Androiduser responsible for malwarenativetoken from servermaybe malwareverified installno secretbrowsersession tokensame domain as 
JSpage server certno private key – cannot signactionsclone re-writesconstraintsfusion & fusion cut(if included in audit log)process defn and inputs must be knownapp-level procedurescf. smart contractsusersnativeuser tokenOS IDAppleIDPKIWebIDbrowseruser tokenPKIWebIDPrivacysignature verification requires identity tokenPrincipal extension point classnon-repudiableintegritywell-known state hashor more recent non-agreement state"well-known"baseline: agreement state + signed opsneed to prove a given state is consistentwith everyone else's state + some opsif no journal – how to detect forgerya recovering clone trusts one peeragreementsviewpointsCRDT: agree to start againledger: collaboration on the next blockconcurrent agreementearliest winsrequires total ordering of clocks3. leftmost ID wins2. total ticks1. cause < effectapp protocol for resolutionbut applies to manymeans is configuredrequires consensussimilar to incompatiblesplit-brainif you don't want it, lockthis is just CAPcolonies may divergeother clones may arrive at one or the otherand may transact!disjoint scope = no problemdetect: neither is caused-by the othercan arisemultiple users with authorityProof-of-Xin blockchain ≡ longest chain ruleafter agreement, no message canbe accepted which is not caused by itcan't tell if agreement was "authorised"until incompatible ops have been voidedauthority is statutoryagreement on authority cannotassert anything non-statutorycan replay if condition failsconditioncannot have authority oversomething non-statutoryit might have changedauthority is write permission over a statuteagreement condition is not a constraintso, can check agreement condition on current datastill have statutes from last agreementbased on prior agreementagreement pre-dates journalagreement is predicated on a statewhich may no longer exist anywhereprior to verifying agreementmust recover to snapshotstill have the voided opsnot atomicsusceptible to DOScan recover if interruptedcan replayACL is statutory - 
cannot have changedon incompatible agreement opOR incompatible recoveryvoid+ replayon failure...with constraint & access checksif in fusionvoid whole fusionagreement destroys its own proximal causeslocal causal history in conflict with agreementsend proximate causesmay be forgedapplies to rev-up cuts toohash-chain proofdeliveryon requestnormal rev-upnot if everyone backs-out at at the same timerisk of receiving the incompatible fusion again"revup to"agreement source always has"to" is agreementno extra in fusion"from" allows lte (as now)weird user experiencesometime later, 2. it partly reappears1. some stuff is backed-outmay be offlinetreat as disorderedrolled-upmay still be bigcomplicates journalcauses assigned to agreement processcomplicates proofU(...proximate causes, agree)packagedmay be bigexternalconsensusdef'nFederated (Istanbul BFT)local journal fusionnot specifiedProof-of-Xso, "proximate causes" need not includeany cause-of-proximate-causeproof by duhlocal fusion is always broken by anoperation from another process IDall causes must have been receivedraft / paxossince last agreementleader always availableGWT-referenced operationsproof by asking the leaderlike snapshotlockingbootstrap by otherinserted triple may have been deleted"prior agreement"lock is just datadon't know where in a fusion a triple was deletedextension of authoritymay need to void tail of a fusionauthoritylocal clock resetno consensus – quorum of oneLocal prev set to last-seen by agreementauthority ≡ permission to triggerRemote ID ticks set to agreementproof by signaturewhat if authority changesbreaks local integrityverifiable identity in datanature of agreementexisting statutegenesiscommits not sacrosanctafter agreement, no message canbe accepted which is not caused by iton incompatible agreement opOR incompatible recoveryreverse journal entryvoidinclude did-exist flag against deleted tripleskeyed to "rid" blank node+ replayon failure...don't know if a deleted triple-TID existedwith 
constraint & access checksif in fusionforkvoid whole fusionthis is in the m-ld core specificationagreement destroys its own proximal causesapp optionslocal causal history in conflict with agreement"revup to" recovers missing opsagreement source must havemay be offlinereplace with snapshot"to" is exact matchno extra in fusionattempt replay from journal"from" allows lte (as now)include proximate causesrolled-upretain forkmay still be bignotify appU(...proximate causes, agree)similar to snapshot notificationdisallow further txnson requestlike git conflictmay be offline≡ blockchain forkpackagednotify rejection to sendermay be bigagreement will have arrived first (FIFO)like snapshotinclude most recent agreement in recoveryinserted triple may have been deletedagreement has no datadon't know where in a fusion a triple was deletedeasy to voidmay need to void tail of a fusion≡ optimistic lock on data/domainbreaks local integrityconditionnature of agreementexternalcommits not sacrosanctconsensusreverse journal entryFederated (Istanbul BFT)include did-exist flag against deleted triplesProof-of-Xkeyed to "rid" blank nodeproof by duhraft / paxosdon't know if a deleted triple-TID existedleader always availableproof by asking the leaderforklockingthis is in the m-ld core specificationbootstrap by other"prior agreement"app optionslock is just datareplace with snapshotextension of authorityattempt replay from journalauthorityno consensus – quorum of oneretain forknotify appsimilar to snapshot notificationdisallow further txnslike git conflict≡ blockchain forknotify rejection to senderauthority ≡ permission to triggeragreement will have arrived first (FIFO)proof by signatureinclude most recent agreement in recoverywhat if authority changesagreement has no dataverifiable identity in dataeasy to voidexisting statute≡ optimistic lock on data/domaingenesissubjectchange typesDELETEINSERTdeclared in the databy propertyby property of reified tripleby queryuse @json for json-rql 
propertystatutesSignificant state changeTBox changeACL changeobjectall datalike a ledgersome datahow identifiedagreement applies to...speedcf. blockchainscf. not realtime txnshappen at "human speed"principle(does not require journal signatures)deliberate statute violations are ignored by correct clonesaccidental statute violationscan be revokedare unlikelyand you're not required for quorumneed to be partitioned from the agreementrules are encoded in statuteswhich change by agreementclones do not allow invalid ops according to visible rulessymmetric unilateral access control (SUAC)conflict-free constraintson merge, there could be many consequent operations to the violating stateprinciplealways violates one user's intentionmerge of a constraint change with a violationis an unviolating statepermissionsquery-based?fundamentally, what is allowed atone clone may not be at another"protest forking"should not revoke if original claim was validviolatorif not allowed, ermre-check permission (now have reason)receive protest(probably intervening messages)protester(ops caused-by violating update will enqueue)(allow app txns)stall app updatespublish "protest" messageidentifies suspect updatewith clockreceive update & check permissionanyone disagreeing can undoprotesting clone may not have permission to undo≡ constraintsame problems as constraint apply can violate local permissionswhat if bad actorpermission claim based on...datastatute"data that can be changed only by agreement"volatility hierarchyso, recipient likely to have preconditionbut not guaranteeda transaction cannot cross volatilitiesa permission claim can only bemade against less-volatile dataquery result hashuncheckable if query results have changedor during an attackbased on volatile dataeveryone has access control queriesand maintains hashesexpensiveclockbut...has causal historyuncheckable ifon another strandnot currentdata hashoperation bag hashcategoricalstate-basedclone permissions = user 
permissionsrequirementsno central controlmetadata is in the datadata"statutes"PermissioningACLdoes not matter if internal or externalConsensus(record of consensus is in the data)PermissionlessABoxTBoxrequirementsattacksincorrect setupapp trainingsocial engineeringapp traininginjectionapp input validationdenial-of-servicenetwork traffic analysisreplaycheck idempotency before signaturemessage service authenticationmessages signedidentify bad actorcommunication interceptionTLSsignature forgeryverified appsanti-malwarestorage tamperingrecoveryrevupcoherent but forgedwhole message with clock signedinvalid state from valid messagescannot forge signaturesincoherentSUACsnapshotSUAC (state hash)localuser OS accountmessage forgerymalwareremoteSUAClocalverified appsanti-malwareMITMmessagingidempotentnot able to signnetworkTLSidentity theftout of scope componente-invoicingauditingACLsignificant state changeslegal-docsACLconfidentialitydocument-centricfine-grained(sadly never promised)variable schemaPapersOn Mixing Eventual and Strong Consistency:Acute Cloud Typescheck referencesResearchSmart Contractsevery node executesfunction call is a txncode or code hash is on-chainPrinciplesDecentralised Extensibilityauthority modelNCSC Secure design5. Reduce the impact of compromiseMinimise cachingNo arbitrary queriesAnonymise for reportingSeparate dutiesEasy to rebuild cleanNo back doors for adminMinimise functional surfaceZone & segment network4. Make compromise detection easierMonitor for normal load, I/O, performance, transactionsMinimise access violation feedbackIndependent monitoringDetect malware C&CMonitor for normal commsLogging & events (+ integrity)3. Make Disruption DifficultPlan for failure of third partiesTest for high load (e.g. DOS)Identify bottlenecksDesign for elastic scalabilityResilience to both attack and failure2. 
Make Compromise DifficultEasy to do the right thingEasy management of access controlEasy maintenanceIndividually authoriseDon't do anything bespokeSeparate management from user interfacesVerify security controlsReduce attack surfaceExternal input (transform, validate or render safely)1. ContextGovernanceEnd-to-endDev/test/prod (esp. cyber-physical)Insecure networksCopies of dataNetwork-security devicesThird-party servicesDevicesRolesOperatorsDesignersShared risk propositionSuppliersThreatsAttacker capabilitiesAttack treesGoalsDefend, detect or recoverWhat risks are/not acceptableUnsafetyFraudUnavailabilityUnauthorised accessWhat is needed to operate itOther systemsPeopleConnectionsDataWhat the system is formld«extension point»StatutestatutoryClass : rdfs:Class [0..*]statutoryProperty : rdf:Property [0..*]statutoryUpdateVerb: 'DELETE' | 'INSERT' [1..2]Defines a scope of data requiring agreement.In other diagrams we'll use the «statutory»stereotype for statutory classes and properties.A class is statutory if astatutoryClass exists for it.A property is statutory ifa statutoryProperty exists.Is agreement required ondelete, insert or both?AgreementConditionstatuteStatuteStatutes and agreementconditions are themselvesstatutory.rdfsStatutestatutoryClass = rdfs:ClassstatutoryClass = rdf:PropertystatutoryProperty = rdf:typeClasses, property definitionsand the type of every subjectis statutory.accessControlStatutestatutoryClass = AccessControlstatutoryProperty = accessChoice of access controlmechanism is statutory.mld«extension point»StatutestatutoryClass : rdfs:Class [0..*]statutoryProperty : rdf:Property [0..*]statutoryUpdateVerb: 'DELETE' | 'INSERT' [1..2]Defines a scope of data requiring agreement.In other diagrams we'll use the «statutory»stereotype for statutory classes and properties.A class is statutory if astatutoryClass exists for it.A property is statutory ifa statutoryProperty exists.Is agreement required ondelete, insert or both?«extension 
point»AgreementConditionstatuteStatuteStatutes and agreementconditions are themselvesstatutory.rdfsStatutestatutoryClass = rdfs:ClassstatutoryClass = rdf:PropertystatutoryProperty = rdf:typeClasses, property definitionsand the type of every subjectis statutory.accessControlStatutestatutoryClass = AccessControlstatutoryProperty = accessChoice of access controlmechanism is statutory.sufficientCondition*statutoryClassrdf:typestatutoryClassrdf:typerdf:typesufficientCondition*statutoryClassrdf:typestatutoryClassrdf:typerdf:type "*" AgreementCondition : sufficientCondition object statuteStatute diff --git a/prototype/img/security prototype.svg b/prototype/img/security prototype.svg index 03be768..0dc5bb0 100644 --- a/prototype/img/security prototype.svg +++ b/prototype/img/security prototype.svg 
@@ -1,7 +1,7 @@ -security prototypeexpositionCLI PRPR descriptionextension option on startbranch -> mainSpec pre-releaserequired exports for candidate compliance testsJS engine PRw/CircleCIcompliance test"candidate" compliancelocal testextends Clonebasic docsunit testsPR descriptionlink to Spec PR(no data declaration of extension)pre-declaration of extensionbranch -> edgedata-driven authorisationmoving partsjson-rql literalshashingalso for base64Binary etc.canonicalisationor Graph Literals(discussion)Data extension installationConstraintsschemaTransport SecurityConstraint apply rejectionif reason = unauthorisedblacklist clock IDin GWC(and all forked)blacklist clone @iddoes not prevent re-joinnot in messageremove principalcan't if no permissionwith statutes, can only arise from a malicious cloneStatutes Constraintupgrades Update to AgreementvocabappliesTo: [DELETE | INSERT]Statute + AgreementConditionACL Constraintwriteable-if-patternchecks if pattern matches datawith ?s ?p ?o variables from updateO(permissions * triples)e.g. ?s a <restricted>checks insert matches patternCannot check data contexte.g. ?s <group> <restricted>e.g. 
?s a <restricted>requires json-rql literalswriteable-if-class-party-roleinducable from -principaladd-only-propertycreates tombstonesesotericrequire ASKagree-if-class-principalmeans "Authority"writable-if-class-principalwritable-if-class-subject-propertye.g.subject-property = domain is-sales-orderclass = line-itemInfer statutesbecause rejection = blacklistrdf:type and subject-propertyshould be statuteschecks subject-property stateapplies-to a classAgreementsFork/Void MeldApp cbnot fundamental to prototypeapp can export or whateverresolve, rejectokToVoid(state, agreement, updatesToVoid)process before constraintsConstraints can upgrade to agreement≪agree≫ MeldOperationExplicit agreements(must have Authority, if ACL in place)= disallow concurrentany use-cases?isolate agreement feature for testingASK queriesanalysisRequirementsstatutesCICinvoice statusschemardf:typeonly applies to deleteassumes disjoint class constraintsworkaround for missing agreement objectsbatched garbage collectevery object insert/delete is an agreementpermissionsp2pl-doccomments: by author+reviewerschema: by ownercontent: by authorsmetadata: immutableCICStateParty-rolewhole domain authorisationmoving partsinit dataPrincipal, certificate, permission[domain] Subject, access, secretACL extensionwriteN/Areadneeds access to stateread permission checkoperation encryption secret in datamld:AccessControlListextensionsmanager[Proxied] implementationsAccessControl interfacedeclaration(<[extension id]> <rdf:type> <mld:Constraint>)<[extension id]> <rdf:type> <mld:AccessControl><[extension id]> <https://nodejs.org/api/module> "[module specifier]"<[domain]> <mld:extension> <[extension id]>Pubsubcalls AccessControl extensionop encryptionsig validationcalls-back appsignapp callbacksign bufferanalysisrecovery request signatureneeds sigs before dataapp callbackjust confignegotiateTLS-likecheck readPermissionverifysignchannel secretbuffer until setdo not connect until setEncrypt operationsidentity models(with 
sigs)WebCryptono secure storagevia generateKey+ e.g. OIDCWebAuthnno signaturesStrong support via FIDOUses Proof-of-PossessionWebIDsimulate with PKCS8Solid can use OIDC... but then no (guarantee of) signaturesrelies on HTML keygen! - + @@ -261,10 +261,14 @@ - + + + + +
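Review bot: in design/img/security design.svg the @@ -1,7 +1,7 @@ hunk swaps the whole diagram body at once, so the change to the security design itself cannot be reviewed from this diff. The removed side carries every node from "Bad actors" through the Statute and AgreementCondition definitions, and no replacement text is readable on the added side. Please list in the commit message which branches were edited (for example agreements, statutes or the attacks list), or keep a line-per-node text source of the map next to the SVG so that edits show up as small hunks. While regenerating, check the blocks that appear twice in the removed text, such as "on incompatible agreement op OR incompatible recovery ... void whole fusion" and the «extension point» Statute definition, and confirm the duplication is intended.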
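Review bot: in prototype/img/security prototype.svg the @@ -261,10 +261,14 @@ hunk grows the file from 10 to 14 lines at that position with no content visible, and the @@ -1,7 +1,7 @@ hunk before it again replaces the whole text body, so it is not possible to tell what was added to the prototype plan. Please describe the added nodes in the commit message. Both image paths also contain a space (security prototype.svg, security design.svg), which forces quoting in scripts and CI steps; a hyphenated file name would avoid that.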