ISA 763 Security Protocol Verification CSP Semantics ISA 763 Security Protocol Verification We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparency
References The Theory and Practice of Concurrency by A. W. Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/68b.pdf Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top Formal Systems, FDR download, http://www.fsel.com/ M. Morgenthal: Design and Validation of Computer Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.html CSP Semantics
CSP Semantics - 1 Operational Semantics Denotational Semantics Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a program counter, next instruction stack etc. Denotational Semantics The language is translated to another abstract domain Translate the basic constructs Translate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of the whole program from translated parts Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Describe how to execute the program in normal form CSP Semantics
CSP Semantics - 2 Operational Semantics Denotational Semantics Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS) Denotational Semantics The language is translated to another abstract domain Trace semantics, Failure Divergence Semantics Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Proof rules CSP Semantics
Operational Semantics Labeled transition system (LTS) Nodes: state of the process Directed edges: events Visible events Internal transitions Recall Trace Refinement: S ⊑T T iff trace(T) trace(S) CSP Semantics
An example LTS Image from M. Morgenthal CSP Semantics
Another LTS Example Image from M. Morgenthal CSP Semantics
Connection between LTS Examples An Implementation of S as: A ||| B where AB = a b AB and AC = a c AC where AA corresponds to AB ||| AC BA corresponds to b→ AB ||| AC AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC) CSP Semantics
AA corresponds to AB ||| AC BA corresponds to b→ AB ||| AC AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC) CSP Semantics
Traces Refinement Check Image from M. Morgenthal CSP Semantics
Trace Refinements An implementation refines the trace of a process Hence we would like an implementation to satisfy the specification Which properties? For his class, those trace properties used to specify security properties. CSP Semantics
Denotational Semantics Recall Trace Semantics for CSP processes Could not reason the difference between external choice and internal choice Example: consider S={a,b} and Q1 ≡(a→STOP) □ (b→STOP) Q1 ≡(a→STOP) Π (b→STOP) Q3 ≡STOP Π(a→STOP) □(b→STOP) Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of S. CSP Semantics
Refusal Sets P1 {c} P2 {c} a b t b {a, c} {b, c} {b, c} b a t a {a, b, c} {a, b, c} {a, b, c} {a, b, c} P4 {c} P3 {c} c c t t {b, c} {a, c} {b, c} {a, c} a b a b {a, b, c} {a, b, c} {a, b, c} {a, b, c} CSP Semantics
Refusal Sets P1 ≡ (a → b→ STOP) □ (b → a → STOP) ≡ (a → STOP) ||| (b → STOP) Failure Sets = (<>,{}), (<>,c), (<a>, {a,c}), (<ba>,{a,b,c}) P2 ≡ (c→a→STOP)□(b→c→STOP)\ c Failure sets ={(<>,X| X {b,c}} U {(<a>,X),(<b>,X)| X {a,b,c}} Internal actions introduce nondterminism CSP Semantics
Refusal Sets P3 ≡ (a → STOP) Π (b → STOP) Must accept one of {a} or {b} if both {a,b} are offered Different from P1 - must accept either P2 - must accept a P4 ≡ (c→a→STOP)□(c→b→STOP) After <c> refuses {X|{a,b}⊈X} Failure allows us to distinguish between internal and external choice –traces could not do this! CSP Semantics
Failure Semantics failure(P) = {(s,X)| s∈Σ* and P/s does not accept any x∈X} Failure Refinement: P⊑FQ (read Q failure refines P) iff trace(Q) trace(P) and failure(Q) failure(p) CSP Semantics
Divergence t a S S p≡(mp.a→p)\{a} Cannot observe a externally. Diverges – i.e. looks like a t-loop We do not care what happens after a process diverges a t S S CSP Semantics
Failure and Divergence Add extra symbol ✔ to Σ to indicate that the process has terminated Interpretation: ✔ is emitted by the process to the environment to indicate normal termination P ⇒s⇒ Q means process P becomes Q Stable State: a state that does not accept t CSP Semantics
Failure and Divergence trace(P)≡{s∈ Σ*U{✔} | ∃Q.P ⇒s⇒ Q} trace⊥(P)≡{s: (t,X)∈F} is a prefix closed set diveregnce(P)≡{s^t|s∈ Σ*,t∈ Σ*U{✔} ∃Q.P ⇒s⇒ Q, Q div} Extension closed sets of traces that has an infinite set of t actions failure⊥(P)={(s,X)| s is a trace and X is set of actions that can be refused in a stable state of P} CSP Semantics
The Failures Divergence Model ⊥ℕ=(Σ*U{✔} x ℘(ΣU{✔}), Σ*U{✔} ) Refers to ( (s, actions: D): Failure, strings: Divergent string ) Any non-empty subset S of ℕ has an infimum given by ⊓ S =(⋃{F|(F,D)∈S}, ⋃ {D |(F,D)∈S}) Supremum of a directed set △ is given by ⊔S =(∩{F|(F,D)∈ △}, ∩{D |(F,D)∈ △}) Theorem: If Σ is finite then (ℕ, ⊑FD, ⊓, ⊔) is a complete partial order CSP Semantics
Computing the FD Semantics-1 failures⊥(STOP)={(<>,X)|XΣ*U{✔} } divergences(STOP)={} failures⊥(SKIP)={(<>,X)|XΣ*U{✔} } divergences(SKIP)={} failures⊥(a→p)={(<>,X)|a∉X} U {(<a>^s,X):a∈ failures⊥(P)} divergences(a→p)= {(<a>^s,X):s∈divergence(P)} CSP Semantics
Computing the FD Semantics-2 failures⊥(?x:A→p)={(<>,X)|X∩A={}} U {(<a>^s,X):a∈ failures⊥(P)} divergences(?x:A→p)= {(<a>^s,X):s∈divergence(P[a/x])} failures⊥(P⊓Q)=failures⊥(P) U failures⊥(Q) divergences(P⊓Q)= divergence(P) U divergence(Q) CSP Semantics
Computing the FD Semantics-3 divergences(P□Q) = divergence(P) U divergence(Q) failures⊥(P□Q)= {(<>,x)| (<>,x)∈ failures⊥(P)∩failures⊥(Q)} U {(s,X): s≠<>,(s,X)∈failures⊥(P)Ufailures⊥(Q)} U {(s,X):<>∈diveregence(P)Udiveregence(Q)} U {(s,X):X XΣ, <✔> )∈trace⊥(P)U trace⊥(Q)} CSP Semantics
Computing the FD Semantics-4 divergences(P||XQ) ={u^v|s∈ trace⊥(P), t∈trace⊥(Q), u∈(s||Xt)∩ Σ*, s∈divergence(P) or t∈divergence(Q) } failures⊥(P||XQ)={(u,YUZ)| u∈ s||Xt Y\(XU {✔}) = Z\(XU {✔}) /\ s,t (s,Y)∈failures⊥(P), (t,Z)∈failures⊥(Q) {(u,Y)|u∈diveregence(P||XQ)} CSP Semantics
Computing the FD Semantics-5 divergences(P\X) = {(s\X)^t| s∈divergence(P)} U {(u\X)^t| u∈Σw /\ (u\x) is finite /\ ∀s< u, s∈trace⊥(P)} failures⊥(P\X)= {(s\X,Y)| (s,YUX)∈failures⊥(P)} U {(s,X)|s∈diveregence(P\X)} CSP Semantics
Deterministic Processes A process is said to be deterministic if t^<a>∈trace(P) ⇒ (t,{a})∉failure(P) divergence(P) ={} That is, never diverges and do not have the choice of accepting and refusing an action Deterministic processes are the maximal elements under ⊑FD Example: (a→STOP)□(a→a→STOP) is non-deterministic CSP Semantics
Deterministic Processes and LTS Two nondeterministic LTS whose behavior is deterministic CSP Semantics
Abstraction - 1 Abstraction = hide details Example: many-to-one renaming [(a→c→STOP)□(b→d→STOP)] [[b/a]] = (a→c→STOP) □(a→d→STOP)] = a→( (c→STOP)⊓(d→STOP) ) Eager abstraction: hiding operator ℰH(P)=p\H – assumes that events in H pass out of sight CSP Semantics
Abstraction - 2 Lazy abstraction: Projection of P into L ℒH(P)= P@L= {(s\H,X)|(s,X∩L)∈ failures⊥(P)} Example: L={l1,l2}, H={h} P ≡ (l1→P) □ (l2→h→P) □ (h→P) ℒH(P)= Q ≡ (l1→Q) □ l2→(STOP⊓Q) Finite traces of ℒH(P) are precisely {s\H| s ∈ traces(P)} CSP Semantics
Casper Compiler Easy to specify protocols and security properties E.g., Yahalom protocol Input: 1 page protocol and security spec. Output (CSP): 10 pages CSP Semantics
Casper Protocol Definition: Components: protocol operation, including messages between the agents, tests performed by the agents, types of data, initial knowledge, specification of the protocol’s goals, algebraic equivalences over the types Components: Protocol description Free variables Processes Specification CSP Semantics
Casper System definition: actual system to be checked, including agents, their roles, actual data types, intruder’s abilities Components: Actual variables Functions System Intruder information CSP Semantics
Protocol Description Image from M. Morgenthal CSP Semantics
Free Variables Image from M. Morgenthal CSP Semantics
Processes Image from M. Morgenthal CSP Semantics
Specification Image from M. Morgenthal CSP Semantics
System specs: Variables Image from M. Morgenthal CSP Semantics
System specs: Functions CSP Semantics Image from M. Morgenthal
System specs: The System Image from M. Morgenthal CSP Semantics
System specs: The Intruder Image from M. Morgenthal CSP Semantics