A Framework for Security Analysis with Team Automata Marinella Petrocchi Istituto di Informatica e Telematica National Research Council IIT-CNR Pisa, Italy Tuesday 8 June 2004 DIMACS with Maurice ter Beek and Gabriele Lenzini (ISTI-CNR, Italy) (U. Twente, Netherlands)
Outline Team Automata (TA): origins, foundations, and examples TA applied to security analysis: origins and inspiration an insecure communication scenario Generalized Non Deducibility on Compositions (GNDC) from process algebras to TA compositional result for the insecure scenario Case study: integrity of EMSS protocol Conclusions and future work 2
Origins of TA Ellis informally introduced TA at ACM GROUP 97 (Team Automata for Groupware Systems) as an extension of the I/O automata (IOA) of Lynch & Tuttle, namely: TA are not required to be input-enabled TA may synchronize on output actions no fixed method of composition for TA Series of papers and Ph.D. thesis of ter Beek show that the usefulness of TA is not limited to modeling groupware, but: extends to modeling collaboration in reactive, distributed systems in general! 3
Foundations of TA model logical architecture of system design abstract from concrete data and actions describe behavior in terms of - state-action diagram (automaton) - role of actions (input, output, internal) - synchronizations (simultaneous execution of shared actions) crux: automata composition! + flexible (role of actions, choice of transitions) + scalable (modular construction, iteration) + extendible (time, probabilities, priorities) + verifiable (automata-theoretic results) no tool (yet) 4
Example TA over Component Automata C 1 : a, b external actions b a q 1 q 1 C 2 : b a q 2 q 2 TA T free & T ai over the composable system {C 1, C 2 } defined by choosing their transitions! T free : T ai : ( q1 q 2 ) b b ( q 1 q 2 ) ( q1 q 2 ) a ( q 1 q 2 ) a ( q1 q 2 ) a a a ( q 1 q 2 ) ( q1 q 2 ) b ( q 1 q 2 ) T ai = {C 1, C 2 } = composition like that of IOA every TA is a component automaton! 5
TA Applied to Security Analysis ter Beek et al. first applied TA to security at ECSCW 01 (Team Automata for Spatial Access Control) by specifying and analyzing a variety of access control strategies Inspired by Lynch approach to use IOA for specifying and analyzing (cryptographic) communication protocols at CSFW 99 (I/O Automaton Models and Proofs for Shared-Key Communication Systems) we started to apply TA in the same direction at WISP 03 (Team Automata for Security Analysis of Multicast/Broadcast Communication) which meanwhile has been extended and led to (A Framework for Security Analysis with Team Automata) 6
An Insecure Communication Scenario An informal description of TA by their interactions: {Reveal} assertions T S {Pub} {Pub } {Reveal } send/receive eavesdrop {Eve} T IC send/receive inject {Eve } T R T P assertions T X T I T IC insecure channel T S initiator Σ S com to communicate with T IC T R responder Σ R com to communicate with T IC T X intruder Σ I com to communicate with T IC Σ S com Σ R com Σ I com = Σ P com = Σ S com Σ R com T P = hide Σ P com ( {T S, T R, T IC }) secure and T I = hide Σ I com ( {T P, T X }) insecure scenario 7
Generalized Non Deducibility on Compositions (GNDC) P GNDC α(p ) iff (P Top φ C )\C α(p ) P term of a process algebra, modeling a system running in isolation behavioral relation (trace inclusion) α(p ) the expected (correct) behavior of P Top φ C term modeling the most general intruder φ the (bounded) initial knowledge of Top φ C C channels used by Top φ C to interact with P parallel composition operator ( )\C restriction to communication over channels other than C 8
GNDC in Terms of TA T P GNDC α(t P) iff O C hide C ( {T P,Top φ C }) α(t P) T P TA modeling secure communication scenario behavioral inclusion (set of traces/language) α(t P ) the expected (correct) behavior of T P Top φ C TA modeling the most general intruder φ the (bounded) initial knowledge of Top φ C C actions used by Top φ C to interact with T P {T P,Top φ C } (as before) composition like IOA hide C (T ) (as before) hides external actions C (as internal actions) of a TA T O C T observational behavior of a TA T (w.r.t. actions not in C) 9
Compositionality Compositional reasoning, useful for identifying sub-problems and separately treated them evaluating (security) properties over sub-components asserting the properties validity over the whole system (e.g., using theorems about automata composition) other... We decompose the insecure communication scenario, and... Result: the observational behaviour of the overall system is the shuffle of the observational behaviours of the sub-components! 10
Compositional Result for Insecure Scenario Recall: Σ P com = all public send/receive actions Let T 1 = hide Σ P com ( {T S, T IC }) and T 2 = hide Σ P com ( {T R, T IC }) Theorem: if T 1 GNDC OC T 1 and T 2 GNDC OC T 2 then {T 1, T 2 } GNDC {Σ T 1,Σ T 2 } {OC T 1,O C T 2 }, {Σ1,Σ 2 } {L 1, L 2 } full synchronized shuffle of language L i over alphabet Σ i Example: if L 1 ={abc} Σ 1 ={a, b, c} and L 2 = {cd} Σ 2 = {c, d}, then abc Σ1 Σ2 cd = {abcd} (i.e. words must synchronize on Σ 1 Σ 2 = {c}) shuffle/free interleaving: {abccd, acbcd, cdabc,...} 11
Case Study: Integrity of EMSS Protocol S P 0 {R n n 1} P 0 = m 0,, S P 1 {R n n 1} P 1 = m 1, h(p 0 ), S P i {R n n 1} P i = m i, h(p i 1 ), h(p i 2 ) 2 i last S P sign {R n n 1} P sign = {h(p last ), h(p last 1 )} sk(s) modeling sender and receiver as TA T S, T R embed T S, T R in the insecure communication scenario defining integrity as the ability of T R to to accept a message m i only as the ith message sent by T S evaluating the property over two subcomponents applying compositionality allowed us to prove that integrity is guaranteed in the EMSS protocol! 12
Conclusions and Future Work What has been done: Security analysis with TA by defining an insecure communication scenario reformulating GNDC in terms of TA formulating some effective compositional analysis strategies What we would like to do: extend the analysis to other security properties try to automate the currently manual specification and verification of properties promote TA for security analysis! :) Questions & suggestions are welcome! 13
Component Automaton C = (Q, (Σ inp, Σ out, Σ int ), δ, I) Q set of states Σ = Σ inp Σ out Σ int alphabet (a partition!) a δ Q Σ Q transition relation q q I Q set of initial states (q, q ) δ a Σ inp input actions Σ out output actions Σ int internal actions } Σ ext externally observable cannot be observed Composable System a set S = {C 1,..., C n } of component automata is a composable system if i {1,..., n}: Σ i,int j {1,...,n}\{i} Σ j = 14
Complete Transition Space The complete transition space of a Σ = i {1,...,n} (Σ i,inp Σ i,out Σ i,int ) in S is a (S) = {(q, q ) i {1,...,n} Q i i {1,...,n} Q i j {1,..., n} : (proj j (q), a, proj j (q )) δ j i {1,..., n} : (proj i (q), a, proj i (q )) δ i proj i (q) = proj i (q )} in every team transition at least 1 component acts according to its transition relation all other components either join or are idle 15
Transition Space of TA a (S) a Σ δ a the choices of team transition relations δ a, a Σ, define a specific TA! 16
Team Automaton T = ( Q i, (Σ inp, Σ out, Σ int ), δ, i {1,...,n} i {1,...,n} I i ) is a TA composed over composable system S if Σ int = i {1,...,n} Σ i,int Σ out = i {1,...,n} Σ i,out Σ inp = ( i {1,...,n} Σ i,inp) \ Σ out = Σ δ i {1,...,n} Q i Σ i {1,...,n} Q i such that a Σ δ a a (S) and δ a = a (S) if a Σ int every TA is a component automaton! 17