Storing Authenticated Attributes of Known Identities

[mrinalwadhwa]

A few quick definitions:

• Attribute: A name and value pair that describes some property of an entity.
• Identity: A set of attributes that uniquely describe a specific entity - within a given context.
• Identifier: An attribute that is unique to a specific entity - within a given context.
• Authentication: the process where one entity gains assurances about the attributes of another entity.
• Authorization: the process of deciding if a request to access a resource should be granted.
• Access Control: another term for authorization

We want to enable Attribute Based Access Control (ABAC).
In that setting access control / authorization decisions could look something like this:

is_authorized(subject, verb, object) -> bool

or

is_authorized(subject, action, resource) -> bool

The body of this function evaluates an authorization policy - it would look at attributes of the subject/object to decided if the requested action is allowed or denied.

For example:

subject = {identifier: 41931e43f51d11dfa9491437f7318d84, role: "reader", project: "green"}
action = "read"
resource = "/project/green/1234"

The policy enforced by the is_authorized function maybe

• allow only if subject.role == "reader" and subject.project == "green"
• deny otherwise

Authenticating that a request is in fact coming from someone with identifier: 41931e43f51d11dfa9491437f7318d84 AND that the subject with identifier: 41931e43f51d11dfa9491437f7318d84 has other attributes role: "reader", project: "green" can involve complex multistep protocols.

In order to decouple authentication of attributes from authorization decisions - I think every Ockam node will need a place to store Authenticated Attributes of Known Identities.

Data would land in this table when various authentication protocols complete.

Authorization steps like the is_authorized function above would simply lookup these pre-authenticated attributes given an identifier and attribute name. eg: 41931e43f51d11dfa9491437f7318d84, role or 41931e43f51d11dfa9491437f7318d84, project.

There are many inter-related questions here around how does authentication work, where do policies come from etc. Let's tackle those in separate discussion.

Let's focus the conversation below on:

• What should this storage of Authenticated Attributes of Known Identities look like?
• What can be its API?
• Can we decouple actual storage from the API so that storage could be plugged in?
  etc.

[thomcc]

This is great, and it's wonderful to start to see more of this coming together. I have some questions:

1. What does "within a given context" mean? Or rather, what is a context here?

2. When you say "Data would land in this table when various authentication protocols complete.", can you elaborate? Does this mean that the data is fixed after key exchange?

---

I... ended up accidentally doing a deep dive here, since this is very exciting and it began to crystalize in my mind. Note that this more of a suggestion for how it would work than saying it must be how it works.

Very important to note that the API sketches below are extremely rough. (Deliberately so -- the point is suggest what a API for storage might take, if we want to keep the ability to make it robust without exposing too many details about the underlying storage directly).

Storage Impl

What should this storage of Authenticated Attributes of Known Identities look like?
...
Can we decouple actual storage from the API so that storage could be plugged in?

Yes. What the storage is has a few cases:

1. A purely in-memory storage for testing, examples, fleshing out the API, ... and also for cases where persisted storage is either impossible or undesirable.

2. For real use outside embedded, I would say that SQLite should be used wherever possible. My experience has been that it is very very hard to write correct¹ storage modification code, even for programmers with domain experience. (Folks who doubt this, may find watching https://www.deconstructconf.com/2019/dan-luu-files informative -- it's the best reference I have here)

3. On embedded, we probably can't use SQLite much of the time². I'll have to look at some APIs for what's available, and see what we can do to avoid corrupting our own data.

   Sadly, I expect the cases where we would corrupt ourselves (power loss, random I/O errors, ...) will only be more common on embedded systems.

   A brief googling seems to indicate that popular APIs the rust embedded community uses for sd/flash/etc-based storage do not seem to include functionality to flush/sync/commit/whatever writes to the media (e.g. basically fsync). This is annoying, but I suppose it's the way things are. (@antoinevg, any ideas?)

   I think for these cases, we'd just have them give a very low level API. (I don't think we should be asking embedded users to implement our high level data storage API, and instead we just let them provide a generic low-level API that we implement the high level thing on top of).

4. On sandboxed WebAssembly environments without filesystem APIs, we may have no options. If the environment is a browser, then we can probably use IndexedDb for storage. But it may take some thought. I think this case may actually be better with in-memory most of the time.

   Note that even if we do have IndexedDb, it's very likely that the data stored will be discarded when the browser decides it's been a while since you visited whichever page stored the data.

Storage API

What can be its API?

Here's a rough sketch for a high-level storage API for this. This would be the thing implemented on top of the lower-level backend, like SQLite, an abstraction for block-based storage media on embedded, ...

The API is fundamentally transactional, and there are two types of transactions: read transactions and write transactions. We'd divide things up along these lines.

For concreteness, perhaps something like this. Note that essentially every part of this and the bit at the end are just vague suggestions -- all of this would need further thought and refinement, but it should suggest the API shape I'm imagining for storage.

impl Storage {
    // ReadTransaction has a methods for performing read-only queries.
    // - For example: iteration, fetching by identifier, fetching by property value(s) all seem plausible.
    // - prevents concurrent WriteTransactions until the transaction is finished/dropped.
    //
    // When evaluating is_authorized and such, I think you'd have access to a `&ReadTransaction<'_>`.
    // (rather than full `Storage` access and/or full)
    async fn begin_read(&self) -> ReadTransaction<'_> { ... }

    // WriteTransaction is more powerful:
    //
    // - While active all concurrent access (both read and write) are blocked.
    // - It can perform all the same read queries that ReadTransaction has access to...
    // - It can also perform (at a minimum) insert/replace/delete operations.
    //   (The complete set of mutation operations will need some experimentation to figure out)
    //
    // - Importantly, `WriteTransaction` must be explicitly committed using a `commit()` function.
    //   If the `WriteTransaction` is dropped without committing, the transaction is rolled back
    //   (auto-rollback is a good default in rust because `?` and the like cause early returns
    //   to be quite common for error cases)
    async fn begin_write(&self) -> WriteTransaction<'_> { ... }
}
// see end for slightly more completeness here

Sqlite-based storage impls would implement read transactions as BEGIN DEFERRED and write transactions as BEGIN EXCLUSIVE.

Most others are single-process and don't have builtin transactions, so they'd will just implement this on top of a Reader/Writer lock (the write transaction will keep a list of the changes needs to perform on commit, but note that they must appear to be present to the writetransaction prior to the commit)

Because the API is transactional, we don't need to provide functions to perform complex queries. Instead, we can just require that they be done in separate steps.

For example, it seems reasonable to need to query info about both subject and object when evaluating is_authorized(subject, verb, object). Rather than expose a fetch_two(first_identifier, second_identifier) -> Result<(Identity, Identity)>, the user would just fetch both within a read transaction, and be guaranteed a consistent view of the data

This keeps the impl fairly simple, while giving significant flexibility to the user in terms of what information they need to access.

Slightly more complete api sketch

As above, this is just a sketch. It's provided in case I was too handwavey before.

impl ReadTransaction<'_> {
    // Fetch by id
    async fn lookup(&self, id: &Identifier) -> Result<Option<Identity>>
    // iterate over all stored identities.
    async fn identities(&self) -> impl Stream<Item = Result<Identity>>
    // iterate over identities with matching attributes.
    async fn search(&self, required: &Attributes) -> impl Stream<Item = Result<Identity>>
    // ...
}

impl WriteTransaction<'_> {
    // must be called to apply the changeset.
    async fn commit(self) -> Result<()>;

	// Some write operations, for example:

    // insert new value, error on identifier collison.
    async fn insert(&self, identity: Identity) -> Result<()>;
    // insert new value or replaces existing. returning old.
    async fn replace(&self, identity: Identity) -> Result<Option<Identity>>;
    // delete by id
    async fn delete(&self, id: &Identifier) -> Result<bool>;
    // update identifier attributes (Might be the same as replace actually)
    async fn update(&self, id: &Identifier, attrs: &Attributes) -> Result<()>;


    // Also all the same ops as ReadTransaction:
    async fn lookup(&self, id: &Identifier) -> Result<Option<Identity>>
    async fn identities(&self) -> impl Stream<Item = Result<Identity>>
    async fn search(&self, required: &Attributes) -> impl Stream<Item = Result<Identity>>
}

type Attributes = BTreeMap<AttributeName, AttributeVaule>;

impl Identity {
    fn identifier(&self) -> &Identifier;
    fn attributes(&self) -> &Attributes;
}

Footnotes

1. The bare-minimum requirement for correctness is generally that modifications are performed atomically³. This is hard to do properly, such that we don't corrupt our own data in just because our program gets killed, or the machine gets shut down, or the disk returns an error in a middle part of a multi-part operation, etc.

   Obviously this does not count cases that cannot be handled like buggy os/filesystem/storage media, external corruption caused by cosmic rays/rogue processes/..., etc. (We hopefully can detect these cases, though) ↩

2. Although SQLite is surprisingly small, and can be configured to use a simple block-storage backend that is (in theory) compatible with embedded systems. So it may be worth eventually allowing it as an option for use on beefier no_std systems which can spare the ~800k (or 1MB depending on compile flags) of code that it takes to statically link a size-optimized build of SQLite. ↩

3. To be explicit, of the A, C, I, D properties, the "A" isn't optional (unless it is acceptable to discard/corrupt data), but C, I, and D can be optional for some situations. And seem like they probably are here. (C/D are just nice-to-haves, and our usage shouldn't involve concurrent multiprocess access to the same DB so I doesn't really matter either) ↩

[mrinalwadhwa]

Thank you for writing down these thoughts. While I think a bit about your design ideas above, here are answers to your questions:

1. What does "within a given context" mean? Or rather, what is a context here?

I wanted to convey that we don't need an Identity or an Identifier to be globally unique. In practice if we derive identifiers from public keys they may end up being unique.

2. When you say "Data would land in this table when various authentication protocols complete.", can you elaborate? Does this mean that the data is fixed after key exchange?

I tried to elaborate on this in #2632

[antoinevg]

3. A brief googling seems to indicate that popular APIs the rust embedded community uses for sd/flash/etc-based storage do not seem to include functionality to flush/sync/commit/whatever writes to the media (e.g. basically fsync). This is annoying, but I suppose it's the way things are. (@antoinevg, any ideas?)

I agree, it's still very early days for Embedded Rust and File I/O. 😛

There may be enough for (some) of our purposes though... this is how I'm currently seeing things:

Full-blown RTOS embedded targets (e.g. Zephyr, esp-idf)

• Ship with "proper" OS-style File I/O in the kernel
• Support a wide range of ioctl support including some kind of fsync() operation if there is a filesystem cache
• If there's no filesystem cache write() can usually be relied on to be atomic.
• Some availability of (usually paid & proprietary) structured storage solutions
• Access via C-FFI into manufacturer SDK

Minimal embedded C targets (e.g. FreeRTOS, STM32Cube)

• Doesn't support any kind of File I/O in the kernel
• Storage implementation happens in "user-land"
• Manufacturers usually support some kind of rudimentary FAT filesystem on top of block-based flash storage
• Implementations with caching features usually also a provide some kind of fsync() operation
• Non-caching implementations usually guarantee atomic write() operations
• Access via C-FFI into manufacturer SDK

Baremetal embbeded Rust targets

There are traits: embedded_storage, embedded_storage_async

• Methods add up to basically read()/write()/capacity()/erase().
• The reason there's no fsync() type method is that these traits are written for atomic raw block-based storage operations rather than file-based systems.
• e.g. The good folk at stm32f4xx-hal have done a nice implementation for the STM32F4's on-chip flash memory controller.

There's a crate: embedded-sdmmc-rs

• Rudimentary FAT filesystem implmentation for SD/MMC block-based storage.
• Typical File I/O API: mount()/unmount()/open_directory()/list_directory()/open()/close()/read()/write()/etc.
• Non-caching so no need for fsync()
• Whether write() is atomic or not is going to depend entirely on your SD/MMC card's SDIO controller. Though I think this is less of an issue these days.

Then, we also have these:

1. Secure storage using Secure Enclaves (e.g. MicroChip ATECC508A)

   • Provide key, certificate and usually some kind of general storage.
   • Usually very smol (e.g. 16 dedicated slots for keys + 10KB general storage on ATECC508A)
   • Storage operations are atomic
   • Stored data needs at least one CVE to compromise

2. MCU non-volatile storage

   • Most MCU's have a teensy region of non-volatile storage (e.g. 8KB on the ATSAME54P20A)
   • Most MCU's also support some kind of external EEPROM storage
   • Usually accessed via some kind of NVM (Non Volatile Memory) peripheral
   • Storage operations are atomic
   • Stored data can usually be compromised in seconds via JTAG

3. rustBoot

   • @mihalpasham is solving a lot of related problems at rustBoot.
   • It may be worth making some time to hang out with him.

Finally, on structured storage:

I agree with @thomcc that structured storage is non-negotiable.

Storage on embedded systems is a lot less complex than e.g. Linux but still subtle and quick to anger in surprising ways.

I think my biggest question - and this goes all the way back to our discussions on Ockam Object Capability model - is:

"What's the absolute minimum set of data objects an embedded node needs to hang onto between reboots to:

• still be useful *and/or*
• bootstrap its way to a secure channel with a beefier node running SQLite ?"

[twittner]

There are many inter-related questions here around how does authentication work, where do policies come from etc. Let's tackle those in separate discussion.

I wonder if we should think attribute storage and policy evaluation together? It may also be nice if we would not have to search for subjects (identities) but could rely exclusively on key lookup. If the ABAC implementations act more like oracles that decide based on a few inputs (subject, resource, action), we would not have to transfer attribute sets and policies. There is a short sketch in https://github.com/twittner/ockam/blob/abac/implementations/rust/ockam/ockam_abac/src/ with an implementation for in-memory storage. The trait would be:

#[async_trait]
pub trait Abac {
    async fn set_subject<I>(&self, s: Subject, attrs: I)
    where
        I: IntoIterator<Item = (String, Val)> + Send + 'static;
    async fn set_policy(&self, r: Resource, a: Action, c: Cond);
    async fn del_subject(&self, s: &Subject);
    async fn del_policy(&self, r: &Resource);
    async fn is_authorised(&self, s: &Subject, r: &Resource, a: &Action) -> bool;
}

The in-memory implementation contains a small example: https://github.com/twittner/ockam/blob/dd5441caa2bb764a817d54b66eb76d0840ae5f76/implementations/rust/ockam/ockam_abac/src/mem.rs#L82-L110

[mrinalwadhwa]

@twittner that looks extremely interesting!