MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

Similar documents
One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

The Logical Meeting Point of Multiset Rewriting and Process Algebra

Relating State-Based and Process-Based Concurrency through Linear Logic

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Typed MSR: Syntax and Examples

Abstract Specification of Crypto- Protocols and their Attack Models in MSR

MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.

Lecture 7: Specification Languages

Time-Bounding Needham-Schroeder Public Key Exchange Protocol

Control Flow Analysis of Security Protocols (I)

CPSA and Formal Security Goals

Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

A Calculus for Control Flow Analysis of Security Protocols

Notes on BAN Logic CSG 399. March 7, 2006

Analysis of authentication protocols Intership report

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

A Proof Theory for Generic Judgments

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

A progress report on using Maude to verify protocol properties using the strand space model

A compositional logic for proving security properties of protocols

Extending Dolev-Yao with Assertions

A Logic of Authentication

Meta-reasoning in the concurrent logical framework CLF

Analysing privacy-type properties in cryptographic protocols

Specifying Properties of Concurrent Computations in CLF

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Skeletons and the Shapes of Bundles

A process algebraic analysis of privacy-type properties in cryptographic protocols

Meta-Reasoning in a Concurrent Logical Framework

Models for an Adversary-Centric Protocol Logic

Event structure semantics for security protocols

Verification of Security Protocols in presence of Equational Theories with Homomorphism

The Sizes of Skeletons: Security Goals are Decidable

Probabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

arxiv: v1 [cs.cr] 27 May 2016

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Automated Validation of Internet Security Protocols. Luca Viganò

Reasoning about the Consequences of Authorization Policies in a Linear Epistemic Logic

A decidable subclass of unbounded security protocols

Verification of the TLS Handshake protocol

Equational Tree Automata: Towards Automated Verification of Network Protocols

Review of The π-calculus: A Theory of Mobile Processes

Modular Multiset Rewriting in Focused Linear Logic

Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols

Automated Verification of Privacy in Security Protocols:

Analysing Layered Security Protocols

Mixing Finite Success and Finite Failure. Automated Prover

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A Formalised Proof of Craig s Interpolation Theorem in Nominal Isabelle

185.A09 Advanced Mathematical Logic

Automata-based analysis of recursive cryptographic protocols

The TLA + proof system

Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison

A Multiple-Conclusion Specification Logic

Deriving Key Distribution Protocols and their Security Properties

Complexity of Checking Freshness of Cryptographic Protocols

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

An undecidability result for AGh

Lecture Notes on The Concurrent Logical Framework

Relating Reasoning Methodologies in Linear Logic and Process Algebra

From Operational Semantics to Abstract Machines

A simple procedure for finding guessing attacks (Extended Abstract)

CS 395T. Probabilistic Polynomial-Time Calculus

A Concurrent Logical Framework

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

Church and Curry: Combining Intrinsic and Extrinsic Typing

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Computing Symbolic Models for Verifying Cryptographic Protocols

A Cryptographic Decentralized Label Model

REASONING IN A LOGIC WITH DEFINITIONS AND INDUCTION RAYMOND CHARLES MCDOWELL COMPUTER AND INFORMATION SCIENCE

Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis

A Theory of Dictionary Attacks and its Complexity

An Undecidability Result for AGh

Specifying Properties of Concurrent Computations in CLF

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Proof Scores in the OTS/CafeOBJ Method

Proving Properties of Security Protocols by Induction

On the Automatic Analysis of Recursive Security Protocols with XOR

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

Extensions of Analytic Pure Sequent Calculi with Modal Operators

CS522 - Programming Language Semantics

A Tableau Calculus for Minimal Modal Model Generation

Logic Programming in a Fragment of Intuitionistic Linear Logic

Timed Automata VINO 2011

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Introduction to Kleene Algebras

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Deciding the Security of Protocols with Commuting Public Key Encryption

Models of Concurrency

On the Verification of Cryptographic Protocols

Report Documentation Page

Propositional Logic Language

Symbolic trace analysis of cryptographic protocols

System BV without the Equalities for Unit

Modeling and Verifying Ad Hoc Routing Protocols

07 Practical Application of The Axiomatic Method

Unifying Theories of Programming

Transcription:

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003, Tokyo, Japan November 4-6, 2003

Brief History of MSR MSR 1 [CSFW 99] To formalize security protocols specification First-order multiset rewriting with Undecidability of security protocol verification Comparison with Strand Spaces [MMM 01] Add typing infrastructure, liberalize syntax Specification of Kerberos V Completeness of Dolev-Yao attacker Subsorting view of type-flaw attacks Implementation (undergoing) Comparison with Process Algebra MSR 3.0 1/21

MSR 3 From multisets to ω-multisets Embeds multiset rewriting MSR 1, 2 Paulson s inductive traces Tool-specific languages NRL Protocol Analyzer Murφ, Encompasses Process Algebra Strand spaces Crypto-SPA Spi-calculus Founded on logic Indirect contributors - Fabio Martinelli - Dale Miller - Andre Scedrov - Frank Pfenning MSR 3.0 2/21

What is in MSR 3? Instance of ω-multisets for cryptographic protocol specification Security-relevant signature Network Encryption, Typing infrastructure Dependent types Subsorting Data Access Specification (DAS) Module system Equations From MSR 1 From From implementation MSR 3.0 3/21

Specification language for concurrent systems Crossroad of State transition languages Petri nets, multiset rewriting, Process calculi CCS, π-calculus, (Linear) logic Benefits Analysis methods from logic and type theory Common ground for comparing Multiset rewriting Process algebra Allows multiple styles of specification Unified approach MSR 3.0 4/21

Syntax a ::= P atomic object empty a, b formation a b rewrite x. a instantiation x. a generation Generalizes FO multiset rewriting (MSR 1-2) x 1 x n. a(x) y 1 y k. b(x,y) MSR 3.0 5/21

Judgments Base step Σ ; s R Σ ; s Finite iteration Σ ; s * R Σ ; s Reflexive and transitive closure of Useful for reachability analysis MSR 3.0 6/21

Operational Semantics Σ ; (s, a, a b) R Σ ; (s, b) Σ ; (s, x. a) R Σ ; (s, [t/x]a) if Σ - t Σ ; (s, x. a) R (Σ, x) ; (s, a) Σ ; s R,a Σ ; (s, a) Σ ; s * R Σ ; s Σ ; s * R Σ ; s if Σ ; s R Σ ; s and Σ ; s * R Σ ; s MSR 3.0 7/21

Logical Foundations is left sequent rules of linear logic 1, ο MSR 3 is logic Guideline for extensions with new operators Non-deterministic choice (+) Replication (!) more Related to Concurrent Logical Framework MSR 3.0 8/21

ω-multiset View of Derivations * Γ ; C --> Σ C Γ ; Δ --> Σ C Γ ; Δ --> Σ C Step up: Left rules Step across: * Axiom Γ; Δ --> Σ C Right rules not used MSR 3.0 9/21

The Atomic Objects of MSR 3 Atomic terms Principals A Keys K Nonces N Other Raw data, timestamp, Fully definable Constructors Encryption {_} _ Pairing (_, _) Other Signature, hash, MAC, Predicates Network Memory Intruder net M A I MSR 3.0 10/21

Types Simple types A : princ n : nonce m : msg, Dependent types k : shk AB K : pubk A K : privk K, Fully definable Powerful abstraction mechanism At various user-definable level Finely tagged messages Untyped: msg only Simplify specification and reasoning Automated type checking MSR 3.0 11/21

Subsorting τ <: τ Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Discriminant for type-flaw attacks MSR 3.0 12/21

Data Access Specification Prevent illegitimate use of information Protocol specification divided in roles Owner = principal executing the role A signing/encrypting with B s key A accessing B s private data, Simple static check Central meta-theoretic notion Detailed specification of Dolev-Yao access model Gives meaning to Dolev-Yao intruder Current effort towards integration in type system Definable Possibility of going beyond Dolev-Yao model MSR 3.0 13/21

Modules and Equations Modules Bundle declarations with simple import/export interface Keep specifications tidy Reusable Equations (For free from underlying Maude engine) Specify useful algebraic properties Associativity of pairs Allow to go beyond free-algebra model Dec(k, Enc(k, M)) = M MSR 3.0 14/21

Example Needham-Schroeder public-key protocol 1. A B: {n A, A} kb 2. B A: {n A, n B } ka 3. A B: {n B } kb Can be expressed in several ways State-based Explicit local state As in Process-based: embedded Continuation-passing style As in process algebra (Intermediate approaches) MSR 3.0 15/21

A B: {n A, A} kb State-Based B A: {n A, n B } ka A B: {n B } kb spec. A: princ. { L: princ B:princ.pubK B nonce mset. } B: princ. k B :pubkb. n A : nonce. net ({n A, A} kb ), L (A, B, k B, n A ) B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n A : nonce. n B : nonce. net ({n A, n B } ka ), L (A, B, k B, n A ) net ({n B } kb ) Interpretation of L Rule invocation Implementation detail Control flow Local state of role Explicit view Important for DOS MSR 3.0 16/21

A B: {n A, A} kb Process-Based B A: {n A, n B } ka A B: {n B } kb A:princ. B: princ. k B : pubk B. n A : nonce. net ({n A, A} kb ), ( k A :pubka. k A ': prvk k A. n B : nonce. net ({n A, n B } ka ) net ({n B } kb )) Succinct Continuation-passing style Rule asserts what to do next Lexical control flow State is implicit Abstract MSR 3.0 17/21

A B: {n A, A} kb NSPK in Process Algebra B A: {n A, n B } ka A B: {n B } kb A:princ. B: princ. k B : pubk B. k A :pubka. k A ': prvk k A. n B : nonce. νn A : nonce. net ({n A, A} kb ). net <{n A,n B } ka >. net ({n B } kb ). 0 Same structure! Not a coincidence MSR 3 very close to Process Algebra ω-multiset encodings of π-calculus Ties to Join Calculus MSR 3 is ideal middle-ground for relating State-based Process-based representations of a problem MSR 3.0 18/21

State-Based vs. Process-Based State-based languages Multiset Rewriting NRL Prot. Analyzer, CAPSL/CIL, Paulson s approach, State transition semantics Process-based languages Process Algebra Strand spaces, spi-calculus, Independent communicating threads MSR 3.0 19/21

MSR 3 Bridges the Gap Difficult to go from one to the other Different paradigms PB PB State vs. process distance SB SB Other distance MSR 3 State Process translation done once and for all in MSR 3 MSR 3.0 20/21

Summary MSR 3.0 Language for security protocol specification Succinct representations Simpl specifications Economy of reasoning Bridge between State-based representation Process-based representation ω-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view Better understanding of where we are Hint about where to go next MSR 3.0 21/21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback