MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano CS Department, UMBC February 27-28, 2003 Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano Protocol exchange Seminar, UMBC May 27-28, 2004
A B: {n A, A} kb NSPK in MSR 3 B A: {n A, n B } ka A B: {n B } kb MSR 2 spec. A: princ. { L: princ B:princ.pubK B nonce mset. } B: princ. k B :pubkb. n A : nonce. net ({n A, A} kb ), L (A, B, k B, n A ) B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n A : nonce. n B : nonce. net ({n A, n B } ka ), L (A, B, k B, n A ) net ({n B } kb ) Interpretation of L Rule invocation Implementation detail Control flow Local state of role Explicit view Important for DOS MSR 3: One Year Later 1/28
A B: {n A, A} kb NSPK in MSR 3 B A: {n A, n B } ka A B: {n B } kb A:princ. B: princ. k B : pubk B. n A : nonce. net ({n A, A} kb ), Not an MSR 2 spec. ( k A :pubka. k A ': prvk k A. n B : nonce. net ({n A, n B } ka ) net ({n B } kb )) Succinct Continuation-passing style Rule asserts what to do next Lexical control flow State is implicit Abstract MSR 3: One Year Later 2/28
A B: {n A, A} kb Looks Familiar? B A: {n A, n B } ka A B: {n B } kb Process calculus Parametric strand A:princ. B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n B : nonce. νn A : nonce. net ({n A, A} kb ). net <{n A,n B } ka >. net ({n B } kb ). 0 Alice (A,B,N A,N B ) : N A Fresh, π A (A,B) {N A, A} KB {N A, N B } KA {N B } KB MSR 3: One Year Later 3/28
What is MSR 3? A new language for security protocols Supports State transition specs Conservative over MSR 2 Process algebraic specs Neutral paradigm Rewriting re-interpretation of logic Rich composable set of connectives Universal connector MSR 3: One Year Later 4/28
More than the Sum of its Parts Process- and transition-based specs. in the same language Choose the paradigm User s preference Highlight characteristics of interest Support various verification techniques (FW) Mix and match styles Within a spec. Within a protocol Within a role MSR 3: One Year Later 5/28
What is in MSR 3? Security-relevant signature Network Encryption, Typing infrastructure Dependent types Subsorting Data Access Specification (DAS) Module system Equations From MSR 1 From MSR 2 From MSR 2 implementation MSR 3: One Year Later 6/28
ω-multisets Specification language for concurrent systems Crossroad of State transition languages Petri nets, multiset rewriting, Process calculi CCS, π-calculus, (Linear) logic Benefits Analysis methods from logic and type theory Common ground for comparing Multiset rewriting Process algebra Allows multiple styles of specification Unified approach MSR 3: One Year Later 7/28
Syntax A ::= a atomic object 1 [ ] empty A B [A, B] formation A ο B [A B] rewrite T no-op A & B [A B] choice x. A instantiation x. A generation! A replication Generalizes FO multiset rewriting (MSR 1-2) x 1 x n. a(x) y 1 y k. b(x,y) MSR 3: One Year Later 8/28
State and Transitions States Σ ; Γ ; Δ Σ ; Δ Σ is a list Γ and Δ are Constructor:, commutative monoids Empty: Transitions Σ; Γ; Δ Σ ; Γ ; Δ Σ; Γ; Δ * Σ ; Δ * for reflexive and transitive closure MSR 3: One Year Later 9/28
Transition Semantics ο Σ ; Γ ; (Δ, A, A ο B) Σ ; Γ ; (Δ, B) T (no rule) & Σ ; Γ ; (Δ, A 1 &A 2 ) Σ ; Γ ; (Δ, A i ) Σ ; Γ ; (Δ, x. A) Σ ; Γ ; (Δ, [t/x]a) if Σ - t Σ ; Γ ; (Δ, x. A) (Σ, x) ; Γ ; (Δ, A)! Σ ; Γ ; (Δ,!A) Σ ; (Γ, A) ; Δ Σ ; (Γ, A) ; Δ Σ ; (Γ, A) ; (Δ, A) Σ ; Γ ; Δ * Σ ; Δ Σ ; Γ ; Δ * Σ ; Δ if Σ ; Γ ; Δ Σ ; Γ ; Δ and Σ ; Γ ; Δ * Σ ; Δ MSR 3: One Year Later 10/28
Linear Logic Formulas A, B ::= a 1 A B A ο B! A T A & B x. A x. A LV sequents Γ ; Δ --> Σ C Constructor:, Empty: Unrestricted context Linear context Signature Goal formula MSR 3: One Year Later 11/28
Logical Derivations Γ ; C --> Σ C Γ ; Δ --> Σ C Γ ; Δ --> Σ C Γ; Δ --> Σ C Proof of C from Δ and Γ Emphasis on C C is input Finite Closed Rules shown Major premise Preserves C Minor premise Starts subderivation MSR 3: One Year Later 12/28
A Rewriting Re-Interpretation Γ ; C --> Σ C Γ ; Δ --> Σ C Γ ; Δ --> Σ C Transition From conclusion To major premise Emphasis on Γ, Δ and Σ C is output, at best Does not change Possibly infinite Open Γ; Δ --> Σ C Minor premise Auxiliary rewrite chain Finite Topped with axiom MSR 3: One Year Later 13/28
Interpreting Unary Rules Γ; Δ, A, B --> Σ C Γ; Δ, A B --> Σ C Σ; Γ; (Δ, A B ) Σ; Γ; (Δ, A, B) Σ - t Γ; Δ, [t/x]a--> Σ C Γ; Δ, x.a --> Σ C Σ; Γ; (Δ, x. A) Σ; Γ; (Δ, [t/x]a) if Σ - t Γ; Δ, A --> Σ,x C Γ; Δ, x.a --> Σ C Σ; Γ; (Δ, x. A) (Σ, x); Γ; (Δ, A) Γ, A; Δ --> Σ C Γ; Δ,!A --> Σ C Σ; Γ; (Δ,!A) Σ; (Γ, A); Δ MSR 3: One Year Later 14/28
Binary Rules and Axiom Γ ; A --> Σ A Γ; Δ --> Σ A Γ; Δ, B --> Σ C Γ; Δ, Δ, A οb --> Σ C Minor premise Auxiliary rewrite chain Top of tree Focus shifts to RHS Axiom rule Observation MSR 3: One Year Later 15/28
Observations Γ,Γ ; A --> Σ,Σ A Observation states Σ ; Δ In Δ, we identify, with with 1 Categorical semantics Identified with For Σ = x 1,, x n De Bruijn s telescopes x 1. x n. Δ Γ; Δ --> Σ Σ. A A Δ = Δ Σ; Δ = Σ. Δ Observation transitions Σ; Γ; Δ * Σ ; Δ MSR 3: One Year Later 16/28
Interpreting Binary Rules Γ; A --> Σ A Σ; Γ; Δ * Σ; Δ Σ; Γ; Δ * Σ ; Δ if Σ; Γ; Δ Σ ; Γ ; Δ and Σ ; Γ ; Δ * Σ ; Δ Γ; Δ --> Σ A Γ; Δ, B --> Σ C Γ; Δ, Δ, A οb --> Σ C Σ; Γ; (Δ, Δ, A ο B) Σ; Γ; (Δ, B) if Σ; Γ; Δ * Σ; A Γ; Δ --> Σ A Γ; Δ, A --> Σ C Γ; Δ, Δ --> Σ C Σ; Γ; Δ, Δ Σ; Γ; (A, Δ) if Σ; Γ; Δ * Σ; A MSR 3: One Year Later 17/28
Formal Correspondence Soundness If Σ ; Γ ; Δ * Σ,Σ ; Δ then Γ ; Δ --> Σ Σ. Δ Completeness? No! We have only crippled right rules ; ; a ο b, b ο c * ; a ο c MSR 3: One Year Later 18/28
System ω With cut, rule for ο can be simplified to Σ; Γ; (Δ, A, A ο B) Σ; Γ; (Δ, B) Cut elimination holds = in-lining of auxiliary rewrite chains But Careful with extra signature symbols Careful with extra persistent objects No rule for needs a premise does not depend on * MSR 3: One Year Later 19/28
Multiset Rewriting Multiset: set with repetitions allowed a ::= a, a Commutative monoid Multiset rewriting (a.k.a. Petri nets) Rewriting within the monoid Fundamental model of distributed computing Alternative: Process Algebras Basis for security protocol spec. languages MSR family several others Many extensions, more or less ad hoc MSR 3: One Year Later 20/28
The Atomic Objects of MSR 3 Atomic terms Principals A Keys K Nonces N Other Raw data, timestamp, Fully definable Constructors Encryption {_} _ Pairing (_, _) Other Signature, hash, MAC, Predicates Network Memory Intruder net M A I MSR 3: One Year Later 21/28
Types Simple types A : princ n : nonce m : msg, Dependent types k : shk AB K : pubk A K : privk K, Fully definable Powerful abstraction mechanism At various user-definable level Finely tagged messages Untyped: msg only Simplify specification and reasoning Automated type checking MSR 3: One Year Later 22/28
Subsorting τ <: τ Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Discriminant for type-flaw attacks MSR 3: One Year Later 23/28
Data Access Specification Prevent illegitimate use of information Protocol specification divided in roles Owner = principal executing the role A signing/encrypting with B s key A accessing B s private data, Simple static check Central meta-theoretic notion Detailed specification of Dolev-Yao access model Gives meaning to Dolev-Yao intruder Current effort towards integration in type system Definable Possibility of going beyond Dolev-Yao model MSR 3: One Year Later 24/28
Modules and Equations Modules Bundle declarations with simple import/export interface Keep specifications tidy Reusable Equations (For free from underlying Maude engine) Specify useful algebraic properties Associativity of pairs Allow to go beyond free-algebra model Dec(k, Enc(k, M)) = M MSR 3: One Year Later 25/28
State-Based vs. Process-Based State-based languages Multiset Rewriting NRL Prot. Analyzer, CAPSL/CIL, Paulson s approach, State transition semantics Process-based languages Process Algebra Strand spaces, spi-calculus, Independent communicating threads MSR 3: One Year Later 26/28
MSR 3 Bridges the Gap Difficult to go from one to the other Different paradigms PB PB State vs. process distance SB SB Other distance MSR 3 State Process translation done once and for all in MSR 3 MSR 3: One Year Later 27/28
Summary MSR 3.0 Language for security protocol specification Succinct representations Simpl specifications Economy of reasoning Bridge between State-based representation Process-based representation ω-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view Better understanding of where we are Hint about where to go next MSR 3: One Year Later 28/28