Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping.

Presentation transcript:

Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang June 8, DIMACS Workshop on Security Analysis of Protocols

Talk Outline 1. LTL Model Checking 2. Monte Carlo Model Checking 3. Needham-Schroeder 4. Implementation & Results 5. Conclusions & Future Work

Model Checking ? Is system S a model of formula φ?

Model Checking S is a nondeterministic/concurrent system. φ is (in our case) an LTL (Linear Temporal Logic) formula. Basic idea: intelligently explore S's state space in attempt to establish S ⊨ φ. Fly in the ointment: State Explosion!

LTL Model Checking An LTL formula is made up of atomic propositions p, boolean connectives ¬, ∧, ∨ and temporal modalities X (neXt) and U (Until). Every LTL formula φ can be translated to a Büchi automaton whose language is set of infinite words satisfying φ. Automata-theoretic approach: S ⊨ φ iff L(B_S) ⊆ L(B_φ) iff L(B_S × B_¬φ) = ∅

Emptiness Checking Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! [Figure: lasso over states s_1 … s_n, explored by DFS 1 and DFS 2]

Monte Carlo Model Checking (MC²) Sample Space: lassos in B_S × B_¬φ
Random variable Z:
– Outcome = 0 if randomly chosen lasso accepting
– Outcome = 1 otherwise
μ_Z = ∑ p_i Z_i (weighted mean)
Compute (ε,δ)-approx. of μ_Z

Monte Carlo Model Checking (MC²) L1 = abcb, L2 = abcdb, L3 = abcdea. Pr[L1] = ½, Pr[L2] = ¼, Pr[L3] = ¼. μ_Z = ½. [Figure: transition graph over states a, b, c, d, e]
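The slide's numbers can be reproduced by enumerating the lassos of the graph and by sampling random walks. This is an added example, not code from the talk: the edges are read off the three lassos listed above, and the choice of d as the accepting state is an assumption (it is the single accepting state for which μ_Z comes out as ½).

```python
import random
from fractions import Fraction

# Edges inferred from the slide's lassos abcb, abcdb, abcdea.
GRAPH = {"a": ["b"], "b": ["c"], "c": ["b", "d"], "d": ["b", "e"], "e": ["a"]}
INIT = "a"
ACCEPTING = {"d"}  # assumption: the slide does not name the accepting state

def is_accepting(path, back_to):
    """A lasso is accepting if its cycle part visits an accepting state."""
    cycle = path[path.index(back_to):]
    return any(s in ACCEPTING for s in cycle)

def enumerate_lassos(state=INIT, path=(), prob=Fraction(1)):
    """Yield (lasso, probability, Z) for every lasso, computed exactly."""
    if state in path:  # the walk closed a cycle: this is one lasso
        z = 0 if is_accepting(path, state) else 1  # slide's convention for Z
        yield "".join(path) + state, prob, z
        return
    successors = GRAPH[state]
    for nxt in successors:  # uniform choice among successors
        yield from enumerate_lassos(nxt, path + (state,), prob / len(successors))

def exact_mean():
    """mu_Z as the weighted mean sum(p_i * Z_i)."""
    return sum(p * z for _, p, z in enumerate_lassos())

def sample_z(rng):
    """One Monte Carlo sample: walk until a state repeats, then classify."""
    path, state = [], INIT
    while state not in path:
        path.append(state)
        state = rng.choice(GRAPH[state])
    return 0 if is_accepting(path, state) else 1

def estimate_mean(n, seed=0):
    """Plain sample mean of n independent lasso samples."""
    rng = random.Random(seed)
    return sum(sample_z(rng) for _ in range(n)) / n

if __name__ == "__main__":
    for lasso, p, z in enumerate_lassos():
        print(lasso, p, "Z =", z)
    print("exact mu_Z =", exact_mean(), " sampled =", estimate_mean(20000))
```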

Monte Carlo Approximation Problem: Compute the mean value μ_Z of a random variable Z distributed in [0,1] when an exact computation of μ_Z proves intractable. Solution: Compute an (ε,δ)-approximation of μ_Z, with error margin ε and confidence ratio δ. Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨ φ!

Original Solution [Karp, Luby & Madras: Journal of Algorithms 1989] Compute as the mean value of N independent random variables (samples) identically distributed according to Z : Determine N using the Zero-One estimator theorem: Problems: is unknown and can be large.

Stopping Rule Algorithm (SRA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Innovation: computes correct N without using Theorem: E[N] ≤ 4 ln(2/δ) / (μ_Z ε²);
Υ = 4 ln(2/δ) / ε²;
for (N=0, S=0; S ≤ Υ; N++) S = S + Z_N;
μ̃_Z = S/N; return μ̃_Z;
Problem: is in most interesting cases too large.
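The stopping rule as written on this slide, as an added runnable example (not the authors' code). The Bernoulli sampler standing in for Z and the values ε = δ = 0.1 are constructed for illustration; the run shows that the sample count N is decided by the data and grows roughly as Υ/μ_Z.

```python
import math
import random

def upsilon(eps, delta):
    """Threshold from the slide: 4 ln(2/delta) / eps^2."""
    return 4 * math.log(2 / delta) / eps ** 2

def stopping_rule(sample, eps, delta):
    """Draw samples until their running sum exceeds the threshold.

    `sample` is a zero-argument callable returning Z in [0, 1].
    Returns (estimate, N). The loop never ends if Z is always 0,
    so callers need mu_Z > 0 (or an external sample budget).
    """
    limit = upsilon(eps, delta)
    n, s = 0, 0.0
    while s <= limit:
        s += sample()
        n += 1
    return s / n, n

def bernoulli(mu, seed):
    """Constructed stand-in for Z: 1 with probability mu, else 0."""
    rng = random.Random(seed)
    return lambda: 1 if rng.random() < mu else 0

def demo(eps=0.1, delta=0.1):
    """Run the rule for a common and a rare outcome of Z."""
    results = {}
    for mu in (0.5, 0.05):
        est, n = stopping_rule(bernoulli(mu, seed=1), eps, delta)
        results[mu] = (est, n, upsilon(eps, delta) / mu)
    return results

if __name__ == "__main__":
    for mu, (est, n, predicted) in demo().items():
        print(f"mu_Z={mu}: estimate={est:.4f} N={n} Upsilon/mu_Z={predicted:.0f}")
```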

Optimal Approx Algorithm (OOA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Compute N using generalized Zero-One estimator: Apply sequential analysis (prediction/correction): 1. Assume  2 is small and compute with SRA( ) 2. Compute  using and 3. Use to correct N and. Expected number of samples is optimal to within a constant factor!

Monte Carlo Model Checking Theorem: MC² computes an (ε,δ)-approximation of μ_Z in expected time O(N∙D) and uses expected space O(D), where D is the recurrence diameter of B = B_S × B_¬φ. Cf. DDFS which runs in O(2^(|S|+|φ|)) time and space.

Needham-Schroeder
1. A → B : {N_a, A}_K_B
2. B → A : {N_a, N_b}_K_A
3. A → B : {N_b}_K_B

Breaking & Fixing Needham-Schroeder In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication with B. As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg: 2´. B → A : {B, N_a, N_b}_K_A
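A symbolic run of the three messages with all traffic routed through the intruder, showing why the responder identity in message 2´ restores B's authentication guarantee. This is an added example, not the jMocha model from the talk: the interleaving follows Lowe's published trace, and the helper names, the string nonces and the perfect-encryption model are assumptions of the sketch.

```python
# Symbolic public-key encryption: only the key owner can open a message.
def enc(owner, *body):
    return {"key": owner, "body": body}

def dec(me, msg):
    if msg["key"] != me:
        raise PermissionError(f"{me} cannot open a message for {msg['key']}")
    return msg["body"]

def run_session(fixed):
    """A honestly starts a run with I; I relays toward B.

    Returns (B believes it finished a run with A, intruder learned Nb).
    """
    intruder_knows = set()
    # 1. A -> I : {Na, A}_KI
    na, claimed = dec("I", enc("I", "Na", "A"))
    intruder_knows.add(na)
    # 1'. I(A) -> B : {Na, A}_KB  (faking a message is allowed by Dolev-Yao)
    na_b, peer = dec("B", enc("B", na, claimed))
    # 2. B -> A : {Na, Nb}_KA, or {B, Na, Nb}_KA with the fix
    m2 = enc(peer, "B", na_b, "Nb") if fixed else enc(peer, na_b, "Nb")
    try:
        dec("I", m2)  # the intruder overhears m2 but cannot open it
    except PermissionError:
        pass          # so it can only forward m2 unchanged to A
    body = dec("A", m2)
    if fixed:
        responder, na_a, nb = body
        if responder != "I":  # A is running with I, but the message names B
            return False, "Nb" in intruder_knows  # A aborts the run
    else:
        na_a, nb = body
    assert na_a == "Na"       # A's nonce check passes in both variants
    # 3. A -> I : {Nb}_KI  (A believes Nb was chosen by I)
    (nb_i,) = dec("I", enc("I", nb))
    intruder_knows.add(nb_i)
    # 3'. I(A) -> B : {Nb}_KB ; B accepts when its nonce comes back
    (nb_b,) = dec("B", enc("B", nb_i))
    return nb_b == "Nb", "Nb" in intruder_knows

if __name__ == "__main__":
    print("original:", run_session(fixed=False))
    print("fixed:   ", run_session(fixed=True))
```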

Implementation Implemented DDFS and MC² in jMocha model checker for synchronous systems specified using Reactive Modules. Specified NS as a reactive module; all communications go through intruder. Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.

Experimental Results [Figure: Time and space requirements for DDFS and MC²]

Experimental Results [Figure: Variation of μ̃_Z for MC²]

Related Approaches NRL Protocol Analyzer [Meadows 96]; Spi-Calculus [Abadi Gordon 97]; FDR [Lowe 97]; The Strand Space Method [Guttman et al. 98]; Isabelle Theorem Prover [Paulson 98]; Backward Induction [Kurkowski Mackow 03]

Conclusions Applied Monte Carlo model checking to Needham-Schroeder. Results indicate it may be more effective than traditional approaches in discovering attacks. Further experimentation required to draw definitive conclusions. Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!

Monte Carlo Model Checking Randomized algorithm for LTL model checking utilizing automata-theoretic approach. Basic idea: Take N samples: sample = lasso = random walk through B_S × B_¬φ ending in a cycle. If accepting lasso (counter-example) found, return false. Else return true with certain confidence.