A Framework for. Security Analysis. with Team Automata

Similar documents
Component-Interaction Automata as a Verification-Oriented Component-Based System Specification

Synchronizations in Team Automata for Groupware Systems

Algebraic Trace Theory

Algebraic Trace Theory

Angelo Troina. Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa)

Formal Methods for Specifying and Verifying Distributed Algorithms Process Algebra vs I/O Automata

Partial model checking via abstract interpretation

Reachability Results for Timed Automata with Unbounded Data Structures

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems

Automata-based analysis of recursive cryptographic protocols

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

Alan Bundy. Automated Reasoning LTL Model Checking

EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo

Trace Refinement of π-calculus Processes

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Hybrid I/O Automata. Nancy Lynch, MIT Roberto Segala, University of Verona Frits Vaandrager, University of Nijmegen.

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

An Algebraic Theory of Interface Automata

Monotonic Abstraction in Parameterized Verification

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Compositional Abstractions for Interacting Processes

Static Program Analysis using Abstract Interpretation

Timo Latvala. March 7, 2004

Liveness in Timed and Untimed Systems. Abstract. and its timed version have been used successfully, but have focused on safety conditions and

Specifying and Verifying Systems of Communicating Agents in a Temporal Action Logic

Lecture 4 Event Systems

The Underlying Semantics of Transition Systems

A framework based on implementation relations for implementing LOTOS specifications

Undecidability Results for Timed Automata with Silent Transitions

Homing and Synchronizing Sequences

From Featured Transition Systems to Modal Transition Systems with Variability Constraints: A Model Transformation

Automatic Synthesis of Distributed Protocols

TESTING is one of the most important parts of the

A logical framework to deal with variability

Classes and conversions

Notes on BAN Logic CSG 399. March 7, 2006

Semi-Automatic Distributed Synthesis

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication 1

6.852: Distributed Algorithms Fall, Class 10

Modelling and Analysing Variability in Product Families

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

Formal Verification of Mobile Network Protocols

Models of Concurrency

Formal Methods in Software Engineering

Supervisory Control: Advanced Theory and Applications

Finite State Machines 2

7. Queueing Systems. 8. Petri nets vs. State Automata

The Discrete EVent System specification (DEVS) formalism

Process Algebras and Concurrent Systems

Weighted Context-Free Grammars over Bimonoids

A simple procedure for finding guessing attacks (Extended Abstract)

On Supervisory Control of Concurrent Discrete-Event Systems

The State Explosion Problem

A Compositional Approach to Bisimulation of Arenas of Finite State Machines

Computer-Aided Program Design

Recent results on Timed Systems

A Brief Introduction to Model Checking

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

Extending Dolev-Yao with Assertions

Models and analysis of security protocols 1st Semester Security Protocols Lecture 6

Inductive Data Flow Graphs

Refinement and Asynchronous Composition of Modal Petri Nets

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications

Robustness Analysis of Networked Systems

6.852: Distributed Algorithms Fall, Class 8

Finite-State Machines (Automata) lecture 12

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Methods for the specification and verification of business processes MPB (6 cfu, 295AA)

Complex Systems Design & Distributed Calculus and Coordination

Asynchronous Communication 2

Semantic Families for Cyber-physical Systems

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

Semi-asynchronous. Fault Diagnosis of Discrete Event Systems ALEJANDRO WHITE DR. ALI KARIMODDINI OCTOBER

Contracts-refinement proof system for component-based embedded systems

Synthesizing Reactive Systems from Hyperproperties

On Equilibria of Distributed Message-Passing Games

Streams and Coalgebra Lecture 2

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Flat counter automata almost everywhere!

CS61c: Representations of Combinational Logic Circuits

An Automatic Test Framework for Interactive Music Systems

Finally the Weakest Failure Detector for Non-Blocking Atomic Commit

On closures of lexicographic star-free languages. E. Ochmański and K. Stawikowska

Differential Privacy for Probabilistic Systems. Michael Carl Tschantz Anupam Datta Dilsun Kaynar. May 14, 2009 CMU-CyLab

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Layered Composition for Timed Automata

Automated Verification of Privacy in Security Protocols:

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

Hierarchy among Automata on Linear Orderings

Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds

Separating regular languages by piecewise testable and unambiguous languages

Software Verification with Abstraction-Based Methods

Compositionality for Probabilistic Automata

Models for Efficient Timed Verification

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

Automated Compositional Analysis for Checking Component Substitutability

Compositionality in SLD-derivations and their abstractions Marco Comini, Giorgio Levi and Maria Chiara Meo Dipartimento di Informatica, Universita di

Transcription:

A Framework for Security Analysis with Team Automata Marinella Petrocchi Istituto di Informatica e Telematica National Research Council IIT-CNR Pisa, Italy Tuesday 8 June 2004 DIMACS with Maurice ter Beek and Gabriele Lenzini (ISTI-CNR, Italy) (U. Twente, Netherlands)

Outline Team Automata (TA): origins, foundations, and examples TA applied to security analysis: origins and inspiration an insecure communication scenario Generalized Non Deducibility on Compositions (GNDC) from process algebras to TA compositional result for the insecure scenario Case study: integrity of EMSS protocol Conclusions and future work 2

Origins of TA Ellis informally introduced TA at ACM GROUP 97 (Team Automata for Groupware Systems) as an extension of the I/O automata (IOA) of Lynch & Tuttle, namely: TA are not required to be input-enabled TA may synchronize on output actions no fixed method of composition for TA Series of papers and Ph.D. thesis of ter Beek show that the usefulness of TA is not limited to modeling groupware, but: extends to modeling collaboration in reactive, distributed systems in general! 3

Foundations of TA model logical architecture of system design abstract from concrete data and actions describe behavior in terms of - state-action diagram (automaton) - role of actions (input, output, internal) - synchronizations (simultaneous execution of shared actions) crux: automata composition! + flexible (role of actions, choice of transitions) + scalable (modular construction, iteration) + extendible (time, probabilities, priorities) + verifiable (automata-theoretic results) no tool (yet) 4

Example TA over Component Automata C 1 : a, b external actions b a q 1 q 1 C 2 : b a q 2 q 2 TA T free & T ai over the composable system {C 1, C 2 } defined by choosing their transitions! T free : T ai : ( q1 q 2 ) b b ( q 1 q 2 ) ( q1 q 2 ) a ( q 1 q 2 ) a ( q1 q 2 ) a a a ( q 1 q 2 ) ( q1 q 2 ) b ( q 1 q 2 ) T ai = {C 1, C 2 } = composition like that of IOA every TA is a component automaton! 5

TA Applied to Security Analysis ter Beek et al. first applied TA to security at ECSCW 01 (Team Automata for Spatial Access Control) by specifying and analyzing a variety of access control strategies Inspired by Lynch approach to use IOA for specifying and analyzing (cryptographic) communication protocols at CSFW 99 (I/O Automaton Models and Proofs for Shared-Key Communication Systems) we started to apply TA in the same direction at WISP 03 (Team Automata for Security Analysis of Multicast/Broadcast Communication) which meanwhile has been extended and led to (A Framework for Security Analysis with Team Automata) 6

An Insecure Communication Scenario An informal description of TA by their interactions: {Reveal} assertions T S {Pub} {Pub } {Reveal } send/receive eavesdrop {Eve} T IC send/receive inject {Eve } T R T P assertions T X T I T IC insecure channel T S initiator Σ S com to communicate with T IC T R responder Σ R com to communicate with T IC T X intruder Σ I com to communicate with T IC Σ S com Σ R com Σ I com = Σ P com = Σ S com Σ R com T P = hide Σ P com ( {T S, T R, T IC }) secure and T I = hide Σ I com ( {T P, T X }) insecure scenario 7

Generalized Non Deducibility on Compositions (GNDC) P GNDC α(p ) iff (P Top φ C )\C α(p ) P term of a process algebra, modeling a system running in isolation behavioral relation (trace inclusion) α(p ) the expected (correct) behavior of P Top φ C term modeling the most general intruder φ the (bounded) initial knowledge of Top φ C C channels used by Top φ C to interact with P parallel composition operator ( )\C restriction to communication over channels other than C 8

GNDC in Terms of TA T P GNDC α(t P) iff O C hide C ( {T P,Top φ C }) α(t P) T P TA modeling secure communication scenario behavioral inclusion (set of traces/language) α(t P ) the expected (correct) behavior of T P Top φ C TA modeling the most general intruder φ the (bounded) initial knowledge of Top φ C C actions used by Top φ C to interact with T P {T P,Top φ C } (as before) composition like IOA hide C (T ) (as before) hides external actions C (as internal actions) of a TA T O C T observational behavior of a TA T (w.r.t. actions not in C) 9

Compositionality Compositional reasoning, useful for identifying sub-problems and separately treated them evaluating (security) properties over sub-components asserting the properties validity over the whole system (e.g., using theorems about automata composition) other... We decompose the insecure communication scenario, and... Result: the observational behaviour of the overall system is the shuffle of the observational behaviours of the sub-components! 10

Compositional Result for Insecure Scenario Recall: Σ P com = all public send/receive actions Let T 1 = hide Σ P com ( {T S, T IC }) and T 2 = hide Σ P com ( {T R, T IC }) Theorem: if T 1 GNDC OC T 1 and T 2 GNDC OC T 2 then {T 1, T 2 } GNDC {Σ T 1,Σ T 2 } {OC T 1,O C T 2 }, {Σ1,Σ 2 } {L 1, L 2 } full synchronized shuffle of language L i over alphabet Σ i Example: if L 1 ={abc} Σ 1 ={a, b, c} and L 2 = {cd} Σ 2 = {c, d}, then abc Σ1 Σ2 cd = {abcd} (i.e. words must synchronize on Σ 1 Σ 2 = {c}) shuffle/free interleaving: {abccd, acbcd, cdabc,...} 11

Case Study: Integrity of EMSS Protocol S P 0 {R n n 1} P 0 = m 0,, S P 1 {R n n 1} P 1 = m 1, h(p 0 ), S P i {R n n 1} P i = m i, h(p i 1 ), h(p i 2 ) 2 i last S P sign {R n n 1} P sign = {h(p last ), h(p last 1 )} sk(s) modeling sender and receiver as TA T S, T R embed T S, T R in the insecure communication scenario defining integrity as the ability of T R to to accept a message m i only as the ith message sent by T S evaluating the property over two subcomponents applying compositionality allowed us to prove that integrity is guaranteed in the EMSS protocol! 12

Conclusions and Future Work What has been done: Security analysis with TA by defining an insecure communication scenario reformulating GNDC in terms of TA formulating some effective compositional analysis strategies What we would like to do: extend the analysis to other security properties try to automate the currently manual specification and verification of properties promote TA for security analysis! :) Questions & suggestions are welcome! 13

Component Automaton C = (Q, (Σ inp, Σ out, Σ int ), δ, I) Q set of states Σ = Σ inp Σ out Σ int alphabet (a partition!) a δ Q Σ Q transition relation q q I Q set of initial states (q, q ) δ a Σ inp input actions Σ out output actions Σ int internal actions } Σ ext externally observable cannot be observed Composable System a set S = {C 1,..., C n } of component automata is a composable system if i {1,..., n}: Σ i,int j {1,...,n}\{i} Σ j = 14

Complete Transition Space The complete transition space of a Σ = i {1,...,n} (Σ i,inp Σ i,out Σ i,int ) in S is a (S) = {(q, q ) i {1,...,n} Q i i {1,...,n} Q i j {1,..., n} : (proj j (q), a, proj j (q )) δ j i {1,..., n} : (proj i (q), a, proj i (q )) δ i proj i (q) = proj i (q )} in every team transition at least 1 component acts according to its transition relation all other components either join or are idle 15

Transition Space of TA a (S) a Σ δ a the choices of team transition relations δ a, a Σ, define a specific TA! 16

Team Automaton T = ( Q i, (Σ inp, Σ out, Σ int ), δ, i {1,...,n} i {1,...,n} I i ) is a TA composed over composable system S if Σ int = i {1,...,n} Σ i,int Σ out = i {1,...,n} Σ i,out Σ inp = ( i {1,...,n} Σ i,inp) \ Σ out = Σ δ i {1,...,n} Q i Σ i {1,...,n} Q i such that a Σ δ a a (S) and δ a = a (S) if a Σ int every TA is a component automaton! 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback