Access Control Based on Code Identity for Open Distributed Systems

Andrew Cirillo and James Riely
CTI, DePaul University
{acirillo,jriely}@cs.depaul.edu

Abstract. In computing systems, trust is an expectation on the dynamic behavior of an agent; static analysis is a collection of techniques for establishing static bounds on the dynamic behavior of an agent. We study the relationship between code identity, static analysis and trust in open distributed systems. Our primary result is a robust safety theorem expressed in terms of a distributed higher-order pi-calculus with code identity and a primitive for remote attestation; types in the language make use of a rich specification language for access control policies.

Keywords. Trusted Computing, Remote Attestation, Access Control, Authorization Logic, Compound Principals, Higher-Order Pi Calculus, Typing

1 Introduction

Trust is an important concept in computer security. One may think of trust as an expectation on the behavior of some agent. We say that an agent is trusted if the achievement of a security goal is dependent on the agent behaving in the expected way. An agent is trustworthy if it behaves in the expected way in all circumstances.

An effective way to determine that an agent is trustworthy is to establish bounds on its behavior through static analysis of its software components. Many important security-related behavioral properties can be usefully established statically, including memory and type safety, non-interference, compliance with mandatory and discretionary access control policies and adherence to an ad-hoc logical policy specification.

An open system is one in which software components are under the control of multiple parties whose interests do not necessarily coincide. The use of static analysis in these systems is more complicated than in closed systems, where all components are under the control of a single party.
To discuss the issues involved, we find it useful to distinguish software components according to their relative roles. Given a particular unit of code and a statically derivable property, we distinguish four primary roles: the producer is the original author of the code; a host is a system that executes, or is considering executing, the code; a certifier is a third party capable of performing an analysis directly on the code that determines whether the property holds; and a relying party is the entity whose safe operation depends on the property holding for the code.

When code is distributed in a compiled format, it may be the case that only the producer, who has the original source, is able to tractably certify many important properties. A host for the compiled code, if it is a relying party, may not be able to establish the properties it needs.

This work was supported by the National Science Foundation under Grant No. 0347542.
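The following is an added illustration of the four roles above, not code from the paper and not its calculus. It treats code identity as the hash of the compiled artifact, has a certifier bind a statically established property to that identity, and has a host acting as relying party accept the code only on the strength of that binding, since it cannot re-derive the property from the compiled bytes itself. The HMAC tag standing in for the certifier's signature, the certifier names, keys, property names and the sample artifact are all constructed for this example.

```python
import hashlib
import hmac
import json


def code_identity(code_bytes: bytes) -> str:
    """Code identity: the hash of the exact artifact the host will execute."""
    return hashlib.sha256(code_bytes).hexdigest()


def _certificate_body(identity: str, prop: str, certifier: str) -> bytes:
    # Canonical encoding so certifier and host authenticate the same bytes.
    return json.dumps(
        {"identity": identity, "property": prop, "certifier": certifier},
        sort_keys=True,
    ).encode()


def issue_certificate(certifier: str, certifier_key: bytes,
                      code_bytes: bytes, prop: str) -> dict:
    """Certifier role: after analysing code_bytes, bind property `prop` to its identity.

    Assumption for this example: an HMAC tag under the certifier's key stands in
    for the certifier's digital signature over the certificate body.
    """
    identity = code_identity(code_bytes)
    body = _certificate_body(identity, prop, certifier)
    tag = hmac.new(certifier_key, body, hashlib.sha256).hexdigest()
    return {"identity": identity, "property": prop, "certifier": certifier, "tag": tag}


def host_may_run(trusted_certifiers: dict, cert: dict,
                 code_bytes: bytes, required_prop: str) -> bool:
    """Relying-party role (the host).

    The host holds only compiled bytes and cannot tractably establish the
    property itself, so it accepts iff a certifier it trusts has bound the
    required property to the identity of exactly the bytes about to run.
    Trust in the result is therefore trust in the certifier.
    """
    key = trusted_certifiers.get(cert["certifier"])
    if key is None:
        return False  # certifier unknown to the host: its analysis counts for nothing
    body = _certificate_body(cert["identity"], cert["property"], cert["certifier"])
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["tag"]):
        return False  # certificate body altered after issuance
    if cert["property"] != required_prop:
        return False  # certified for some other property
    # The certificate speaks about one code identity; the bytes must match it.
    return hmac.compare_digest(cert["identity"], code_identity(code_bytes))


def demo() -> dict:
    # Constructed sample: a "compiled" artifact and two certifiers, only one trusted by the host.
    binary = b"\x7fELF...constructed sample artifact..."
    keys = {"certifier-A": b"constructed-key-A", "certifier-B": b"constructed-key-B"}
    trusted = {"certifier-A": keys["certifier-A"]}

    good = issue_certificate("certifier-A", keys["certifier-A"], binary, "memory-safe")
    untrusted = issue_certificate("certifier-B", keys["certifier-B"], binary, "memory-safe")
    forged = dict(good, property="non-interference")  # body changed, tag not recomputed

    return {
        "certified": host_may_run(trusted, good, binary, "memory-safe"),
        "modified_binary": host_may_run(trusted, good, binary + b"\x90", "memory-safe"),
        "untrusted_certifier": host_may_run(trusted, untrusted, binary, "memory-safe"),
        "wrong_property": host_may_run(trusted, good, binary, "non-interference"),
        "tampered_certificate": host_may_run(trusted, forged, binary, "non-interference"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'run' if outcome else 'refuse'}")
```

Only the first case is accepted. Each of the other four fails for a different reason the roles above make explicit: the bytes no longer have the certified identity, the certifier is not one the host trusts, the certificate speaks about a different property, or the certificate was altered after the certifier issued it.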