Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISA 763 Security Protocol Verification

Published byEthelbert Rogers Modified over 6 years ago

Similar presentations

Presentation on theme: "ISA 763 Security Protocol Verification"— Presentation transcript:

1 ISA 763 Security Protocol Verification
CSP Semantics ISA 763 Security Protocol Verification We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparency

2 References The Theory and Practice of Concurrency by A. W. Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/68b.pdf Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. The FDR2 User Manual available at Formal Systems, FDR download, M. Morgenthal: Design and Validation of Computer Protocols, CSP Semantics

3 CSP Semantics - 1 Operational Semantics Denotational Semantics
Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a program counter, next instruction stack etc. Denotational Semantics The language is translated to another abstract domain Translate the basic constructs Translate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of the whole program from translated parts Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Describe how to execute the program in normal form CSP Semantics

4 CSP Semantics - 2 Operational Semantics Denotational Semantics
Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS) Denotational Semantics The language is translated to another abstract domain Trace semantics, Failure Divergence Semantics Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Proof rules CSP Semantics

5 Operational Semantics
Labeled transition system (LTS) Nodes: state of the process Directed edges: events Visible events Internal transitions Recall Trace Refinement: S ⊑T T iff trace(T)  trace(S) CSP Semantics

6 An example LTS Image from M. Morgenthal CSP Semantics

7 Another LTS Example Image from M. Morgenthal CSP Semantics

8 Connection between LTS Examples
An Implementation of S as: A ||| B where AB = a  b  AB and AC = a  c  AC where AA corresponds to AB ||| AC BA corresponds to b→ AB ||| AC AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC) CSP Semantics

9 AA corresponds to AB ||| AC BA corresponds to b→ AB ||| AC
AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC) CSP Semantics

10 Traces Refinement Check
Image from M. Morgenthal CSP Semantics

11 Trace Refinements An implementation refines the trace of a process
Hence we would like an implementation to satisfy the specification Which properties? For his class, those trace properties used to specify security properties. CSP Semantics

12 Denotational Semantics
Recall Trace Semantics for CSP processes Could not reason the difference between external choice and internal choice Example: consider S={a,b} and Q1 ≡(a→STOP) □ (b→STOP) Q1 ≡(a→STOP) Π (b→STOP) Q3 ≡STOP Π(a→STOP) □(b→STOP) Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of S. CSP Semantics

13 Refusal Sets P1 {c} P2 {c} a b t b {a, c} {b, c} {b, c} b a t a
{a, b, c} {a, b, c} {a, b, c} {a, b, c} P {c} P {c} c c t t {b, c} {a, c} {b, c} {a, c} a b a b {a, b, c} {a, b, c} {a, b, c} {a, b, c} CSP Semantics

14 Refusal Sets P1 ≡ (a → b→ STOP) □ (b → a → STOP)
≡ (a → STOP) ||| (b → STOP) Failure Sets = (<>,{}), (<>,c), (<a>, {a,c}), (<ba>,{a,b,c}) P2 ≡ (c→a→STOP)□(b→c→STOP)\ c Failure sets ={(<>,X| X  {b,c}} U {(<a>,X),(<b>,X)| X  {a,b,c}} Internal actions introduce nondterminism CSP Semantics

15 Refusal Sets P3 ≡ (a → STOP) Π (b → STOP)
Must accept one of {a} or {b} if both {a,b} are offered Different from P1 - must accept either P2 - must accept a P4 ≡ (c→a→STOP)□(c→b→STOP) After <c> refuses {X|{a,b}⊈X} Failure allows us to distinguish between internal and external choice –traces could not do this! CSP Semantics

16 Failure Semantics failure(P) = {(s,X)| s∈Σ* and P/s does not accept any x∈X} Failure Refinement: P⊑FQ (read Q failure refines P) iff trace(Q)  trace(P) and failure(Q)  failure(p) CSP Semantics

17 Divergence t a S S p≡(mp.a→p)\{a} Cannot observe a externally.
Diverges – i.e. looks like a t-loop We do not care what happens after a process diverges a t S S CSP Semantics

18 Failure and Divergence
Add extra symbol ✔ to Σ to indicate that the process has terminated Interpretation: ✔ is emitted by the process to the environment to indicate normal termination P ⇒s⇒ Q means process P becomes Q Stable State: a state that does not accept t CSP Semantics

19 Failure and Divergence
trace(P)≡{s∈ Σ*U{✔} | ∃Q.P ⇒s⇒ Q} trace⊥(P)≡{s: (t,X)∈F} is a prefix closed set diveregnce(P)≡{s^t|s∈ Σ*,t∈ Σ*U{✔} ∃Q.P ⇒s⇒ Q, Q div} Extension closed sets of traces that has an infinite set of t actions failure⊥(P)={(s,X)| s is a trace and X is set of actions that can be refused in a stable state of P} CSP Semantics

20 The Failures Divergence Model
⊥ℕ=(Σ*U{✔} x ℘(ΣU{✔}), Σ*U{✔} ) Refers to ( (s, actions: D): Failure, strings: Divergent string ) Any non-empty subset S of ℕ has an infimum given by ⊓ S =(⋃{F|(F,D)∈S}, ⋃ {D |(F,D)∈S}) Supremum of a directed set △ is given by ⊔S =(∩{F|(F,D)∈ △}, ∩{D |(F,D)∈ △}) Theorem: If Σ is finite then (ℕ, ⊑FD, ⊓, ⊔) is a complete partial order CSP Semantics

21 Computing the FD Semantics-1
failures⊥(STOP)={(<>,X)|XΣ*U{✔} } divergences(STOP)={} failures⊥(SKIP)={(<>,X)|XΣ*U{✔} } divergences(SKIP)={} failures⊥(a→p)={(<>,X)|a∉X} U {(<a>^s,X):a∈ failures⊥(P)} divergences(a→p)= {(<a>^s,X):s∈divergence(P)} CSP Semantics

22 Computing the FD Semantics-2
failures⊥(?x:A→p)={(<>,X)|X∩A={}} U {(<a>^s,X):a∈ failures⊥(P)} divergences(?x:A→p)= {(<a>^s,X):s∈divergence(P[a/x])} failures⊥(P⊓Q)=failures⊥(P) U failures⊥(Q) divergences(P⊓Q)= divergence(P) U divergence(Q) CSP Semantics

23 Computing the FD Semantics-3
divergences(P□Q) = divergence(P) U divergence(Q) failures⊥(P□Q)= {(<>,x)| (<>,x)∈ failures⊥(P)∩failures⊥(Q)} U {(s,X): s≠<>,(s,X)∈failures⊥(P)Ufailures⊥(Q)} U {(s,X):<>∈diveregence(P)Udiveregence(Q)} U {(s,X):X XΣ, <✔> )∈trace⊥(P)U trace⊥(Q)} CSP Semantics

24 Computing the FD Semantics-4
divergences(P||XQ) ={u^v|s∈ trace⊥(P), t∈trace⊥(Q), u∈(s||Xt)∩ Σ*, s∈divergence(P) or t∈divergence(Q) } failures⊥(P||XQ)={(u,YUZ)| u∈ s||Xt Y\(XU {✔}) = Z\(XU {✔}) /\ s,t (s,Y)∈failures⊥(P), (t,Z)∈failures⊥(Q) {(u,Y)|u∈diveregence(P||XQ)} CSP Semantics

25 Computing the FD Semantics-5
divergences(P\X) = {(s\X)^t| s∈divergence(P)} U {(u\X)^t| u∈Σw /\ (u\x) is finite /\ ∀s< u, s∈trace⊥(P)} failures⊥(P\X)= {(s\X,Y)| (s,YUX)∈failures⊥(P)} U {(s,X)|s∈diveregence(P\X)} CSP Semantics

26 Deterministic Processes
A process is said to be deterministic if t^<a>∈trace(P) ⇒ (t,{a})∉failure(P) divergence(P) ={} That is, never diverges and do not have the choice of accepting and refusing an action Deterministic processes are the maximal elements under ⊑FD Example: (a→STOP)□(a→a→STOP) is non-deterministic CSP Semantics

27 Deterministic Processes and LTS
Two nondeterministic LTS whose behavior is deterministic CSP Semantics

28 Abstraction - 1 Abstraction = hide details
Example: many-to-one renaming [(a→c→STOP)□(b→d→STOP)] [[b/a]] = (a→c→STOP) □(a→d→STOP)] = a→( (c→STOP)⊓(d→STOP) ) Eager abstraction: hiding operator ℰH(P)=p\H – assumes that events in H pass out of sight CSP Semantics

29 Abstraction - 2 Lazy abstraction: Projection of P into L ℒH(P)= P@L=
{(s\H,X)|(s,X∩L)∈ failures⊥(P)} Example: L={l1,l2}, H={h} P ≡ (l1→P) □ (l2→h→P) □ (h→P) ℒH(P)= Q ≡ (l1→Q) □ l2→(STOP⊓Q) Finite traces of ℒH(P) are precisely {s\H| s ∈ traces(P)} CSP Semantics

30 Casper Compiler Easy to specify protocols and security properties
E.g., Yahalom protocol Input: 1 page protocol and security spec. Output (CSP): 10 pages CSP Semantics

31 Casper Protocol Definition: Components: protocol operation, including
messages between the agents, tests performed by the agents, types of data, initial knowledge, specification of the protocol’s goals, algebraic equivalences over the types Components: Protocol description Free variables Processes Specification CSP Semantics

32 Casper System definition: actual system to be checked, including agents, their roles, actual data types, intruder’s abilities Components: Actual variables Functions System Intruder information CSP Semantics

33 Protocol Description Image from M. Morgenthal CSP Semantics

34 Free Variables Image from M. Morgenthal CSP Semantics

35 Processes Image from M. Morgenthal CSP Semantics

36 Specification Image from M. Morgenthal CSP Semantics

37 System specs: Variables
Image from M. Morgenthal CSP Semantics

38 System specs: Functions
CSP Semantics Image from M. Morgenthal

39 System specs: The System
Image from M. Morgenthal CSP Semantics

40 System specs: The Intruder
Image from M. Morgenthal CSP Semantics

Download ppt "ISA 763 Security Protocol Verification"

Similar presentations

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
Completeness and Expressiveness

Completeness and Expressiveness
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Theory of Computing Lecture 23 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 23 MAS 714 Hartmut Klauck.
Theory of Computation CS3102 – Spring 2014 A tale of computers, math, problem solving, life, love and tragic death Nathan Brunelle Department of Computer.

Theory of Computation CS3102 – Spring 2014 A tale of computers, math, problem solving, life, love and tragic death Nathan Brunelle Department of Computer.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Pushdown Automata Chapter 12. Recognizing Context-Free Languages Two notions of recognition: (1) Say yes or no, just like with FSMs (2) Say yes or no,

Pushdown Automata Chapter 12. Recognizing Context-Free Languages Two notions of recognition: (1) Say yes or no, just like with FSMs (2) Say yes or no,
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 11: An introduction to CSP.

Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 11: An introduction to CSP.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture7: PushDown Automata (Part 1) Prof. Amos Israeli.
Transparency No. 2-1 Formal Language and Automata Theory Chapter 2 Deterministic Finite Automata (DFA) (include Lecture 3 and 4)

Transparency No. 2-1 Formal Language and Automata Theory Chapter 2 Deterministic Finite Automata (DFA) (include Lecture 3 and 4)
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]

1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
Validating Streaming XML Documents Luc Segoufin & Victor Vianu Presented by Harel Paz.

Validating Streaming XML Documents Luc Segoufin & Victor Vianu Presented by Harel Paz.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
CS5371 Theory of Computation Lecture 8: Automata Theory VI (PDA, PDA = CFG)

CS5371 Theory of Computation Lecture 8: Automata Theory VI (PDA, PDA = CFG)
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google