One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Similar documents
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

The Logical Meeting Point of Multiset Rewriting and Process Algebra

Relating State-Based and Process-Based Concurrency through Linear Logic

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Typed MSR: Syntax and Examples

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Lecture 7: Specification Languages

Control Flow Analysis of Security Protocols (I)

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Notes on BAN Logic CSG 399. March 7, 2006

CPSA and Formal Security Goals

Propositional Logic Language

Meta-Reasoning in a Concurrent Logical Framework

07 Equational Logic and Algebraic Reasoning

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

First-Order Theorem Proving and Vampire

A Formalised Proof of Craig s Interpolation Theorem in Nominal Isabelle

Modular Multiset Rewriting in Focused Linear Logic

Meta-reasoning in the concurrent logical framework CLF

A Calculus for Control Flow Analysis of Security Protocols

Extending Dolev-Yao with Assertions

A Proof Theory for Generic Judgments

A Tableau Calculus for Minimal Modal Model Generation

Analysing privacy-type properties in cryptographic protocols

A compositional logic for proving security properties of protocols

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

185.A09 Advanced Mathematical Logic

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Logic for Computational Effects: work in progress

Equational Tree Automata: Towards Automated Verification of Network Protocols

07 Practical Application of The Axiomatic Method

3 Propositional Logic

A Logic of Authentication

First-Order Theorem Proving and Vampire. Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester)

A process algebraic analysis of privacy-type properties in cryptographic protocols

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

On the Automatic Analysis of Recursive Security Protocols with XOR

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

CS 395T. Probabilistic Polynomial-Time Calculus

The Consistency and Complexity of. Multiplicative Additive System Virtual

Relations to first order logic

A Cryptographic Decentralized Label Model

Relating Reasoning Methodologies in Linear Logic and Process Algebra

Verification of the TLS Handshake protocol

Automated Validation of Internet Security Protocols. Luca Viganò

Verification of Security Protocols in presence of Equational Theories with Homomorphism

The TLA + proof system

CS522 - Programming Language Semantics

Uniform Schemata for Proof Rules

The Locally Nameless Representation

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Fuzzy Description Logics

Algebraic Trace Theory

Theoretical Computer Science. Representing model theory in a type-theoretical logical framework

A progress report on using Maude to verify protocol properties using the strand space model

Hypersequent Calculi for some Intermediate Logics with Bounded Kripke Models

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Algebraic Trace Theory

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

Automata-based analysis of recursive cryptographic protocols

Beyond First-Order Logic

Causality Interfaces and Compositional Causality Analysis

Review of The π-calculus: A Theory of Mobile Processes

02 The Axiomatic Method

Introduction to lambda calculus Part 6

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

A simple proof that super-consistency implies cut elimination

Algebraic Abstract Data Types

Adjoint Logic and Its Concurrent Semantics

Negative applications of the ASM thesis

Encoding Graph Transformation in Linear Logic

Propositional and Predicate Logic - V

AN ALTERNATIVE NATURAL DEDUCTION FOR THE INTUITIONISTIC PROPOSITIONAL LOGIC

BiLog: Spatial Logics for Bigraphs 1

Reasoning about the Consequences of Authorization Policies in a Linear Epistemic Logic

Specifying Properties of Concurrent Computations in CLF

First-Order Logic. Chapter Overview Syntax

Proof Theoretical Studies on Semilattice Relevant Logics

Formal Methods for Java

FROM AXIOMS TO STRUCTURAL RULES, THEN ADD QUANTIFIERS.

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Grammatical resources: logic, structure and control

03 Review of First-Order Logic

Analysis of authentication protocols Intership report

KLMLean 2.0: a Theorem Prover for KLM Logics of Nonmonotonic Reasoning

A few bridges between operational and denotational semantics of programming languages

distinct models, still insists on a function always returning a particular value, given a particular list of arguments. In the case of nondeterministi

Foundations of Artificial Intelligence

The Curry-Howard Isomorphism

Foundations of Artificial Intelligence

First Order Logic: Syntax and Semantics

Introduction to Kleene Algebras

Cut-elimination for Provability Logic GL

A derivation system and compositional logic for security protocols

ACLT: Algebra, Categories, Logic in Topology - Grothendieck's generalized topological spaces (toposes)

Outline. Overview. Syntax Semantics. Introduction Hilbert Calculus Natural Deduction. 1 Introduction. 2 Language: Syntax and Semantics

7. Propositional Logic. Wolfram Burgard and Bernhard Nebel

Transcription:

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano CS Department, UMBC February 27-28, 2003 Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano Protocol exchange Seminar, UMBC May 27-28, 2004

A B: {n A, A} kb NSPK in MSR 3 B A: {n A, n B } ka A B: {n B } kb MSR 2 spec. A: princ. { L: princ B:princ.pubK B nonce mset. } B: princ. k B :pubkb. n A : nonce. net ({n A, A} kb ), L (A, B, k B, n A ) B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n A : nonce. n B : nonce. net ({n A, n B } ka ), L (A, B, k B, n A ) net ({n B } kb ) Interpretation of L Rule invocation Implementation detail Control flow Local state of role Explicit view Important for DOS MSR 3: One Year Later 1/28

A B: {n A, A} kb NSPK in MSR 3 B A: {n A, n B } ka A B: {n B } kb A:princ. B: princ. k B : pubk B. n A : nonce. net ({n A, A} kb ), Not an MSR 2 spec. ( k A :pubka. k A ': prvk k A. n B : nonce. net ({n A, n B } ka ) net ({n B } kb )) Succinct Continuation-passing style Rule asserts what to do next Lexical control flow State is implicit Abstract MSR 3: One Year Later 2/28

A B: {n A, A} kb Looks Familiar? B A: {n A, n B } ka A B: {n B } kb Process calculus Parametric strand A:princ. B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n B : nonce. νn A : nonce. net ({n A, A} kb ). net <{n A,n B } ka >. net ({n B } kb ). 0 Alice (A,B,N A,N B ) : N A Fresh, π A (A,B) {N A, A} KB {N A, N B } KA {N B } KB MSR 3: One Year Later 3/28

What is MSR 3? A new language for security protocols Supports State transition specs Conservative over MSR 2 Process algebraic specs Neutral paradigm Rewriting re-interpretation of logic Rich composable set of connectives Universal connector MSR 3: One Year Later 4/28

More than the Sum of its Parts Process- and transition-based specs. in the same language Choose the paradigm User s preference Highlight characteristics of interest Support various verification techniques (FW) Mix and match styles Within a spec. Within a protocol Within a role MSR 3: One Year Later 5/28

What is in MSR 3? Security-relevant signature Network Encryption, Typing infrastructure Dependent types Subsorting Data Access Specification (DAS) Module system Equations From MSR 1 From MSR 2 From MSR 2 implementation MSR 3: One Year Later 6/28

ω-multisets Specification language for concurrent systems Crossroad of State transition languages Petri nets, multiset rewriting, Process calculi CCS, π-calculus, (Linear) logic Benefits Analysis methods from logic and type theory Common ground for comparing Multiset rewriting Process algebra Allows multiple styles of specification Unified approach MSR 3: One Year Later 7/28

Syntax A ::= a atomic object 1 [ ] empty A B [A, B] formation A ο B [A B] rewrite T no-op A & B [A B] choice x. A instantiation x. A generation! A replication Generalizes FO multiset rewriting (MSR 1-2) x 1 x n. a(x) y 1 y k. b(x,y) MSR 3: One Year Later 8/28

State and Transitions States Σ ; Γ ; Δ Σ ; Δ Σ is a list Γ and Δ are Constructor:, commutative monoids Empty: Transitions Σ; Γ; Δ Σ ; Γ ; Δ Σ; Γ; Δ * Σ ; Δ * for reflexive and transitive closure MSR 3: One Year Later 9/28

Transition Semantics ο Σ ; Γ ; (Δ, A, A ο B) Σ ; Γ ; (Δ, B) T (no rule) & Σ ; Γ ; (Δ, A 1 &A 2 ) Σ ; Γ ; (Δ, A i ) Σ ; Γ ; (Δ, x. A) Σ ; Γ ; (Δ, [t/x]a) if Σ - t Σ ; Γ ; (Δ, x. A) (Σ, x) ; Γ ; (Δ, A)! Σ ; Γ ; (Δ,!A) Σ ; (Γ, A) ; Δ Σ ; (Γ, A) ; Δ Σ ; (Γ, A) ; (Δ, A) Σ ; Γ ; Δ * Σ ; Δ Σ ; Γ ; Δ * Σ ; Δ if Σ ; Γ ; Δ Σ ; Γ ; Δ and Σ ; Γ ; Δ * Σ ; Δ MSR 3: One Year Later 10/28

Linear Logic Formulas A, B ::= a 1 A B A ο B! A T A & B x. A x. A LV sequents Γ ; Δ --> Σ C Constructor:, Empty: Unrestricted context Linear context Signature Goal formula MSR 3: One Year Later 11/28

Logical Derivations Γ ; C --> Σ C Γ ; Δ --> Σ C Γ ; Δ --> Σ C Γ; Δ --> Σ C Proof of C from Δ and Γ Emphasis on C C is input Finite Closed Rules shown Major premise Preserves C Minor premise Starts subderivation MSR 3: One Year Later 12/28

A Rewriting Re-Interpretation Γ ; C --> Σ C Γ ; Δ --> Σ C Γ ; Δ --> Σ C Transition From conclusion To major premise Emphasis on Γ, Δ and Σ C is output, at best Does not change Possibly infinite Open Γ; Δ --> Σ C Minor premise Auxiliary rewrite chain Finite Topped with axiom MSR 3: One Year Later 13/28

Interpreting Unary Rules Γ; Δ, A, B --> Σ C Γ; Δ, A B --> Σ C Σ; Γ; (Δ, A B ) Σ; Γ; (Δ, A, B) Σ - t Γ; Δ, [t/x]a--> Σ C Γ; Δ, x.a --> Σ C Σ; Γ; (Δ, x. A) Σ; Γ; (Δ, [t/x]a) if Σ - t Γ; Δ, A --> Σ,x C Γ; Δ, x.a --> Σ C Σ; Γ; (Δ, x. A) (Σ, x); Γ; (Δ, A) Γ, A; Δ --> Σ C Γ; Δ,!A --> Σ C Σ; Γ; (Δ,!A) Σ; (Γ, A); Δ MSR 3: One Year Later 14/28

Binary Rules and Axiom Γ ; A --> Σ A Γ; Δ --> Σ A Γ; Δ, B --> Σ C Γ; Δ, Δ, A οb --> Σ C Minor premise Auxiliary rewrite chain Top of tree Focus shifts to RHS Axiom rule Observation MSR 3: One Year Later 15/28

Observations Γ,Γ ; A --> Σ,Σ A Observation states Σ ; Δ In Δ, we identify, with with 1 Categorical semantics Identified with For Σ = x 1,, x n De Bruijn s telescopes x 1. x n. Δ Γ; Δ --> Σ Σ. A A Δ = Δ Σ; Δ = Σ. Δ Observation transitions Σ; Γ; Δ * Σ ; Δ MSR 3: One Year Later 16/28

Interpreting Binary Rules Γ; A --> Σ A Σ; Γ; Δ * Σ; Δ Σ; Γ; Δ * Σ ; Δ if Σ; Γ; Δ Σ ; Γ ; Δ and Σ ; Γ ; Δ * Σ ; Δ Γ; Δ --> Σ A Γ; Δ, B --> Σ C Γ; Δ, Δ, A οb --> Σ C Σ; Γ; (Δ, Δ, A ο B) Σ; Γ; (Δ, B) if Σ; Γ; Δ * Σ; A Γ; Δ --> Σ A Γ; Δ, A --> Σ C Γ; Δ, Δ --> Σ C Σ; Γ; Δ, Δ Σ; Γ; (A, Δ) if Σ; Γ; Δ * Σ; A MSR 3: One Year Later 17/28

Formal Correspondence Soundness If Σ ; Γ ; Δ * Σ,Σ ; Δ then Γ ; Δ --> Σ Σ. Δ Completeness? No! We have only crippled right rules ; ; a ο b, b ο c * ; a ο c MSR 3: One Year Later 18/28

System ω With cut, rule for ο can be simplified to Σ; Γ; (Δ, A, A ο B) Σ; Γ; (Δ, B) Cut elimination holds = in-lining of auxiliary rewrite chains But Careful with extra signature symbols Careful with extra persistent objects No rule for needs a premise does not depend on * MSR 3: One Year Later 19/28

Multiset Rewriting Multiset: set with repetitions allowed a ::= a, a Commutative monoid Multiset rewriting (a.k.a. Petri nets) Rewriting within the monoid Fundamental model of distributed computing Alternative: Process Algebras Basis for security protocol spec. languages MSR family several others Many extensions, more or less ad hoc MSR 3: One Year Later 20/28

The Atomic Objects of MSR 3 Atomic terms Principals A Keys K Nonces N Other Raw data, timestamp, Fully definable Constructors Encryption {_} _ Pairing (_, _) Other Signature, hash, MAC, Predicates Network Memory Intruder net M A I MSR 3: One Year Later 21/28

Types Simple types A : princ n : nonce m : msg, Dependent types k : shk AB K : pubk A K : privk K, Fully definable Powerful abstraction mechanism At various user-definable level Finely tagged messages Untyped: msg only Simplify specification and reasoning Automated type checking MSR 3: One Year Later 22/28

Subsorting τ <: τ Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Discriminant for type-flaw attacks MSR 3: One Year Later 23/28

Data Access Specification Prevent illegitimate use of information Protocol specification divided in roles Owner = principal executing the role A signing/encrypting with B s key A accessing B s private data, Simple static check Central meta-theoretic notion Detailed specification of Dolev-Yao access model Gives meaning to Dolev-Yao intruder Current effort towards integration in type system Definable Possibility of going beyond Dolev-Yao model MSR 3: One Year Later 24/28

Modules and Equations Modules Bundle declarations with simple import/export interface Keep specifications tidy Reusable Equations (For free from underlying Maude engine) Specify useful algebraic properties Associativity of pairs Allow to go beyond free-algebra model Dec(k, Enc(k, M)) = M MSR 3: One Year Later 25/28

State-Based vs. Process-Based State-based languages Multiset Rewriting NRL Prot. Analyzer, CAPSL/CIL, Paulson s approach, State transition semantics Process-based languages Process Algebra Strand spaces, spi-calculus, Independent communicating threads MSR 3: One Year Later 26/28

MSR 3 Bridges the Gap Difficult to go from one to the other Different paradigms PB PB State vs. process distance SB SB Other distance MSR 3 State Process translation done once and for all in MSR 3 MSR 3: One Year Later 27/28

Summary MSR 3.0 Language for security protocol specification Succinct representations Simpl specifications Economy of reasoning Bridge between State-based representation Process-based representation ω-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view Better understanding of where we are Hint about where to go next MSR 3: One Year Later 28/28

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback