Applying Predicate Logic to Monitoring Network Traffic

Size: px

Start display at page:

Download "Applying Predicate Logic to Monitoring Network Traffic"

Quentin Nelson
6 years ago
Views:

1 Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria Joint work with Temur Kutsia (RISC), Michael Krieger, Bashar Ahmad (RISC Software), Helmut Otto, and Martin Rummerstorfer (SecureGUARD). Supported by the FFG BRIDGE project LogicGuard. Wolfgang Schreiner 1/30

2 The Problem: Monitoring Network Traffic Specification Monitor Forward Package (yes/no)? Package Block (or just report) every package that triggers a violation of the specified safety property. Wolfgang Schreiner 2/30

3 Network Traffic Wolfgang Schreiner 3/30

4 General Idea Treat the problem as an application of runtime verification. Specify safety property in a high-level declarative form. What to detect, not how to detect it. Automatically translate the specification into an executable monitor. A program that surveils the traffic for violations of the property. Advantage: no manual low-level coding of monitors required. Tedious and error-prone, difficult to maintain. Challenge: time and space complexity of the monitor. Must operate with limited time and memory resources. Various specification formalisms have been devised for this purpose. Wolfgang Schreiner 4/30

5 Our Approach Predicate logic formulas interpreted over infinite streams. S p p p p p q i : q(s i ) j < i : p(s j ) Set-builder notation to construct new streams. S T Classical logic and set theory. T := f (S i, S i+2 ) i N i mod 4 < 2 Wolfgang Schreiner 5/30

6 The Monitoring Model Formulas are evaluated on streams, external as well as internally constructed (virtual) ones. stream IP : stream S1 = stream i in IP... S@i... : stream S2 = stream j in IP... S@j... : monitor i in S1... : monitor j in S2... :... S1@i... S2@j... S 1 Check S 2 IP monitor violations Internal streams to express properties on a higher level of abstraction. Wolfgang Schreiner 6/30

7 Example type int; int Square(int); bool isone(int); bool istwo(int); // the base stream and a derived virtual stream stream<int> IP; stream<int> S = construct X in IP with 0 in IP <= X value<int> M = IP.at(X) satisfying isone(m) istwo(m) : Square(IP.at(X)); // are 1s not more than 50 units apart? monitor M = position X in S : isone(s.at(x)) => exists Y in S with X<Y<=(X+50) : isone(s.at(y)); 000,2 010,1 020,0 030,0 040,0 050,2 060,1 070,0 080,2 090,0 100,2 110,0 120,2 130,1 140,2 150,1 160,2 170,0 180,2 190,0 200,2 210,1 220,2 000,4 010,1 050,4 060,1 080,4 100,4 120,4 130,1 140,4 150,1 160,4 180,4 200,4 A specification using the test runtime system. 210,1 220,4 Wolfgang Schreiner 7/30

8 Example // IntFunctions.cs using System; using LogicGuard.Network.IntTS; namespace External { class IntFunctions { public static bool iszero(inttsmessage m) { return m.payload == 0; } public static bool isone(inttsmessage m) { return m.payload == 1; }... } } The corresponding external functions. Wolfgang Schreiner 8/30

$Monitor Execution Main.Exe -test TranslatorTester\traces\PAS.$

9 Monitor Execution Main.Exe -test TranslatorTester\traces\PAS.txt TranslatorTester\specs\PAS.lgs External\bin\Debug\External.dll Wolfgang Schreiner 9/30

10 Abstract Specification Language P ::= (B S) M M ::= F monitor X : F F ::= XF B : F PC(TV ) true false F F 1 /\ F 2 F 1 \/ F 2 F 1 => F 2 F 1 <=> F 2 forall X : F exists X : F TS ::= XS B : TS FS(TS ) stream X : (TV TS) scombine(fc,tv ) X : TV TP ::= XP B : TP FP(TP ) TP+N TP-N min X : F max X : F TV ::= XV B : XV FV (TV ) TS@TP TS TP number X : F combine(fc,tv ) X :TV B ::= formula XF = F position XP = TP value XV = TV S ::= stream XS = TS X ::= XP in TS with TP 1 <= XP <= TP 2 (B satisfying F 1 ) (until F 2 )? A simplified and regularized version of the concrete language. Wolfgang Schreiner 10/30

11 Semantics of the Language Environment := Variable B Stream N Value Stream := Message ω Message Message := Value N [. ] : Monitor Environment P(N) [ monitor X : F ](e) := let (x, s, N) := [ X ](e) : {n N : [ F ](e[x n]) = false} [. ] : Formula Environment B [ forall X : F ](e) := let (x, s, N) := [ X ](e) : if n N : [ F ](e[x n]) = true then true else false... [. ] : TermValue Environment Value [ TS@TP ](e) := ([ TS ](e)([ TP ](e))).1 [ TS TP ](e) := ([ TS ](e)([ TP ](e))).2... Phrases are interpreted over variables that may be mapped to streams. Wolfgang Schreiner 11/30

12 Semantics of the Language [. ] : TermStream Environment Stream [ stream X : TV ](e) := let (x, s, N) := [ X ](e) : let S := {n N t N : istimeof (t, TV, e[x n])} such s Stream : timeincreases(s ) allmessages(s, S, TV, e, x) istimeof (t, TV, e) : // at time t, the value of TV is defined wrt. e e Environment : domain(e ) = domain(e) ( x domain(e) : if e(x) Stream then e (x) = e(x) else e (x) Stream i domain(e (x)) : e (x)(i).2 t e (x)(i) = e(x)(i)) [ TV ](e, s) = [ TV ](e, s) timeincreases(s ) : i, j domain(s ) : i < j s (i).2 s (j).2 allmessages(s, S, TV, e, x) : // s contains all TV (x) wrt. e with x from S p domain(s ) bij. S : i domain(s ) : s (i) = let t := min t N : istimeof (t, TV, e[x p(i)]) : ([ TV ](e[x p(i)]), t) The stream orders all values by the time they become defined. Wolfgang Schreiner 12/30

13 From Semantics to Operation Next Message Syntax Translation Engine New State Semantics Soundness Value We translate the various kinds of phrases to operational engines ; this translation preserves the semantics of the phrases. Wolfgang Schreiner 13/30

14 The Translation All phrases are translated to value-producing engines. Monitors: T : Monitor MonitorStep MonitorStep := PresentM MonitorResult MonitorResult := P(N ) (done + next of MonitorStep) At each step, vectors of violating positions are produced. Formulas: T : Formula FormulaStep FormulaStep := Present FormulaResult FormulaResult := done of B + next of FormulaStep At termination, a truth value is delivered. Streams: T : Stream StreamStep StreamStep := Present StreamResult StreamResult := P(Message) (done + next of StreamStep) At each step, messages are produced. At each new message received, the engines make an execution step. Wolfgang Schreiner 14/30

15 A Core Language For the further discussion, we reduce our language to a skeleton. M ::= monitor X : F F F F 1 /\ F 2 forall X in B 1..B 2 : F B ::= 0 infinity X B + N B N N ::= X ::= x y z... A core monitor is interpreted over a single stream of truth values. Wolfgang Schreiner 15/30

16 Translation of the Monitor PresentM := Message Message Present := Message Message Context Context := Variable partial (N B) Instance := N FormulaStep Context T (monitor X : F ) := TM(X, T (F ), ) where TM : Variable FormulaStep P(Instance) MonitorStep TM(X, f, fs)(ms, m) := let n := ms : let c := [X (n, m)] : let fs 0 := fs {(n, f, c)} : let rs := {n N g FormulaStep, c Context : (n, g, c) fs 0 case g(ms, m, c) of done(b) b = false _ false} : let fs 1 := {(n, g 0, c) Instance g FormulaStep : (n, g, c) fs 0 case g(ms, m, c) of next(g 1 ) g 0 = g 1 _ false} : (rs, next(tm(x, f, fs 1 ))) Report positions rs and maintain formula instances fs. Wolfgang Schreiner 16/30

17 Translation of Formulas T (@X ) := TV (X ) where TV : Variable FormulaStep TV (X )(ms, m, c) := if X domain(c) then done(c(x ).2) else done(false) T ( F ) := TN(T (F )) where TN : FormulaStep FormulaStep TN(f )(ms, m, c) := case f (ms, m, c) of done(false) done(true) done(true) done(false) next(f ) next(tn(f )) T (F 1 /\ F 2 ) := TC(T (F 1 ), T (F 2 )) where TC : FormulaStep FormulaStep FormulaStep TC(f 1, f 2 )(ms, m, c) := case f 1 (ms, m, c) of done(false) done(false) done(true) f 2 (ms, m, c) next(f 1 ) next(tc(f 1, f 2)) Maintain component steps f 1, f 2 and ultimately yield a truth value. Wolfgang Schreiner 17/30

18 A Concrete Formula Step TC : FormulaStep FormulaStep FormulaStep TC(f 1, f 2)(ms, m, c) := case f 1(ms, m, c) of done(false) done(false) done(true) f 2(ms, m, c) next(f 1 ) next(tc(f 1, f 2)) let rec monitorand (f1 : FormulaStep) (f2 : FormulaStep): FormulaStep = fun (present : Present) -> match f1 present with done(false) -> done(false) done(true) -> f2 present next(step1) -> next(monitorand step1 f2) Prototype implementation in F#. Wolfgang Schreiner 18/30

19 Translation of Quantifiers T (forall X in B 1..B 2 : F ) := TA(X, T (B 1 ), T (B 2 ), T (F )) where TA : Variable (Context N) 2 FormulaStep FormulaStep TA(X, b 1, b 2, f )(ms, m, c) := TA 0 (X, b1(c), b2(c), f )(ms, m, c) TA 0 : Variable N N FormulaStep FormulaStep TA0(X, n 1, n 2, f )(ms, m, c) := let n := ms : if n < n 1 then next(ta 0 (X, n 1, n 2, f )) else let fs := {(n 0, f, c[x (n 0, ms(n 0 ))]) n1 n 0 < min(n, n 2 + 1)} : TA 1 (X, n 2, f, fs)(ms, m, c) First determine iteration range, then set up formula instances fs. Wolfgang Schreiner 19/30

20 Translation of Quantifiers TA 1 : Variable N FormulaStep P(Instance) FormulaStep TA 1 (X, n 2, f, fs)(ms, m, c) := let n := ms : let fs 0 := if n > n 2 then fs else fs {(n, f, (c[x (n, m)]))} : if ( n N, g FormulaStep, c Context : (n, g, c) fs 0 case g(ms, m, c) of done(b) b = false _ false) then done(false) else let fs 1 := {(n, g 0, c) Instance g FormulaStep : (n, g, c) fs 0 case g(ms, m, c) of next(g 1 ) g 0 = g 1 _ false} : if fs 1 = n n 2 then done(true) else next(ta 1 (X, n 2, f, fs 1 )) Maintain formula instances fs and ultimately yield a truth value. Wolfgang Schreiner 20/30

21 Soundness of the Translation Semantics of Core Monitor: Operation of Core Monitor: [. ] : Monitor Stream P(N) [ M ](s) :=... run : N MonitorStep Message Stream P(N) run(n, M, ms, s) := if n = 0 then else case M(ms, hd(s)) of (rs, done) rs (rs, next(m )) rs run(n 1, M, ms hd(s), tl(s)) Soundness of Translation: n N, M Monitor, s Stream : run(n, T (M),, s) [ M ](s) Only violations of safety properties can be detected by monitoring. Wolfgang Schreiner 21/30

22 Efficiency of the Execution The described implementation is effective but not efficient. A monitor may in general require the full history of received messages for its execution: run(n, M, ms, s) :=... M(ms, hd(s)) run(n 1, M, ms hd(s), tl(s)) A monitor may in general keep track of an arbitrary number of monitor instances: T (monitor X : F ) := TM(X, T (F ), ) where TM : Variable FormulaStep P(Instance) MonitorStep TM(X, f, fs)(ms, m) :=... (rs, next(tm(x, f, fs 1))) In practice we are only interested in monitors that cope with a bounded amount of memory. Wolfgang Schreiner 22/30

23 Example monitor => monitor X: /\ exists X-1 <= Y <= X+2 : ~@X forall X-1 <= Y <= X+2 : ~@X) F [0] F [1] F [2] F [3] F [4] F [5] F [6] F [7] F [8] F [9]. The monitor needs a history of size 1 and preserves at most 2 instances. Wolfgang Schreiner 23/30

24 The Resource Analysis We are going to devise a rule-based analysis that determines whether the resources of the monitor can be bounded. Monitor : N N Environment Formula : N N Environment := Variable partial Z Z M : (h, d)... Monitor M needs history of at most size h and keeps at most d instances. e F : (h, d)... Formula F needs at most h past messages and at most d future messages for its evaluation to a truth value. e(x ) = (l, u)... Position X is in the interval [p + l, p + u] with respect to the position p of the current message. Wolfgang Schreiner 24/30

25 An abstract interpretation of the monitor. Wolfgang Schreiner 25/30 The Resource Analysis [[ X ] (0, 0)] F : (h, d) (monitor X : F ) : (h, d) : (0, 0) e F : (h, d) e F : (h, d) e F 1 : (h 1, d 1 ), e F 2 : (h 2, d 2 ) e F 1 /\ F 2 : (max (h 1, h 2 + d 1 ), max (d 1, d 2 )) e B 1 : (l 1, u 1 ), e B 2 : (l 2, u 2 ) e[[ X ] (l 1, u 2 )] F : (h, d ) h = max (h, N ( l 1 )) d = max (d, N (u 2 )) e (forall X in B 1..B 2 : F ) : (h, d) e 0 : (0, 0) e infinity : (, ) [ X ] domain(e) e X : (0, 0) [ X ] domain(e) e X : e([ X ]) e B : (l, u) e B+N : (l + [ N ], u + [ N ]) e B : (l, u) e B-N : (l [ N ], u [ N ])

26 Example We annotate first variables top-down and then formulas bottom-up. monitor X (0,0) : /\ forall X-1 < Y ( 1,2) <= X+2 (1,2) (1,2) (0,0) (1,2) (0,0) The analysis yields M : (1, 2) as required. Wolfgang Schreiner 26/30

27 The Effect of Delays Without delay in conjunction: monitor X (0,0) /\ forall Y (0,5) in X..X+5 : forall Z ( 3,4) in Y-3..Y-1 With delay in conjunction: monitor X (0,0) : (forall Y (0,3) in X..X+3 /\ forall Y (0,5) in X..X+5 : forall Z ( 3,4) in Y-3..Y-1 (3,5) (0,0) (3,5) (3,4) (0,0) (6,5) (0,3) (3,5) (3,4) (0,0) Delays in conjunctions let the history requirements increase. Wolfgang Schreiner 27/30

28 Soundness of the Resource Analysis The results of the analysis bound the resources of the monitor. M Monitor, Mt TMonitor, n N, s Stream, rs N, d N, h N : M : (h, d) (d N ( T (M) n,s,rs Mt instances(mt) d)) (h N ( T (M) n,s,rs Mt T (M) n,s,rs,h Mt)) Mt n,s,rs Mt Mt is the state of the monitor Mt after processing n messages from stream s (by which the violations rs are reported). Mt n,s,rs,h Mt Mt is the state of the monitor Mt after processing n messages from stream s (by which the violations rs are reported), if only the last h messages are preserved in the stream history. For the proof of soundness, an operational semantics of the monitor execution is derived from the previously presented denotational semantics. Wolfgang Schreiner 28/30

29 Proof of the Soundness of the Analysis 1. Prove an invariant of monitor execution. X Variable,... : T (monitor X : F ) n,s,rs TM(Y, Ft, It) X = Y Ft = T (F ) alldifferent(it) allnext(it) ((t, Ft, c) It c = [X (t, s(t))] (monitor X : F ) : (h, d) d N n d t n 1 b B, d N : d d Ft max(0,t+d n),n,s,c(x ).1 done(b)) 2. Prove soundness of analysis w.r.t. monitor execution. M Monitor, Mt TMonitor, n N, s Stream, rs N, d N, h N : M : (h, d) (d N ( T (M) n,s,rs Mt instances(mt) d)) (h N ( T (M) n,s,rs Mt T (M) n,s,rs,h Mt)) Use invariant as additional assumption. Derive required soundness statement for formula evaluation. 3. Prove soundness statement for formula evaluation. Wolfgang Schreiner 29/30

30 Conclusions Current status: Predicate-logic based monitor specification language developed. Prototype of monitor translation implemented. Resource analysis formulated (for a simplified language). Proof of soundness of analysis under way (for a core language). Future tasks: Implementation of soundness analysis. Verification of soundness of translation. Compilation of specifications (currently interpretation). More optimizations based on a more detailed formula analysis. Development of a catalogue of application examples. Performance analysis of application examples. Wolfgang Schreiner 30/30

LogicGuard Abstract Language

LogicGuard Abstract Language Temur Kutsia Wolfgang Schreiner RISC, Johannes Kepler University Linz {schreine,kutsia}@risc.jku.at Abstract The LogicGuard project aims at developing a specification and verification