Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

Published bySkylar Robertshaw Modified over 9 years ago

Similar presentations

Presentation on theme: "CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy."— Presentation transcript:

1 CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy

2 Running Murphi Elaine Machines  Murphi available at /usr/class/cs259/Murphi3.1/  HW1 code available at /usr/class/cs259/hw1/ Any issues so far?

3 Running Murphi If you are using another linux machine or cygwin  Copy the /usr/class/cs259/Murphi3.1/ directory to your home, lets say /home/cs259/Murphi3.1/  Copy the files ‘ns.m’ and ‘Makefile’ in /usr/class/cs259/hw1 to /home/cs259/hw1/  Modify paths in Makefile to reflect changes: MURPHI = /home/cs259/Murphi3.1/bin/mu INCLUDE = /home/cs259/Murphi3.1/include/

4 Running Murphi If you are using cygwin or a different distribution of Linux, you might have to recompile Murphi. To do this,  ‘cd’ to /home/cs259/Murphi3.1/src and do ‘make’ In the hw1 directory, modify paths in Makefile to reflect changes, e.g.: MURPHI = /home/cs259/Murphi3.1/bin/mu INCLUDE = /home/cs259/Murphi3.1/include/

5 Mur j [Dill et al.] Describe finite-state system  State variables with initial values  Transition rules  Communication by shared variables Scalable: choose system size parameters Automatic exhaustive state enumeration  Space limit: hash table to avoid repeating states

6 Caveat Emptor! A Murphi analysis coming up with no errors  does not prove security of the protocols  only provides the limited assurance that protocol secure with fixed limits on number of participants and operations However, errors found are most likely real bugs!

7 Needham-Schroeder Key Exchange { A, NonceA } { NonceA, NonceB } { NonceB} KaKa Kb Result: A and B share two private numbers not known to any observer without Ka -1, Kb -1 AB Kb

8 Applying Mur j to security protocols Formulate protocol  Model the honest party roles Add adversary  Control over “network” (shared variables)  Possible actions Intercept any message Remember parts of messages Generate new messages, using observed data and initial knowledge (e.g. public keys)

9 Needham-Schroeder in Mur j const NumInitiators: 1; -- number of initiators NumResponders: 1; -- number of responders NumIntruders: 1; -- number of intruders NetworkSize: 1; -- max. outstanding msgs in network MaxKnowledge: 10; -- number msgs intruder can remember type InitiatorId: scalarset (NumInitiators); ResponderId: scalarset (NumResponders); IntruderId: scalarset (NumIntruders); AgentId: union {InitiatorId, ResponderId, IntruderId};

10 N-S message format in Mur j MessageType : enum { -- types of messages M_NonceAddress, -- {Na, A}Kb nonce and addr M_NonceNonceAddress, -- {Na,Nb,B}Ka two nonces M_Nonce -- {Nb}Kb one nonce }; Message : record source: AgentId; -- source of message dest: AgentId; -- intended destination of msg key: AgentId; -- key used for encryption mType: MessageType; -- type of message nonce1: AgentId; -- nonce1 nonce2: AgentId; -- nonce2 OR sender id OR empty address: AgentId; -- sender identifier end;

11 Participant states InitiatorStates : enum { I_SLEEP, -- state after initialization I_WAIT, -- waiting for response from responder I_COMMIT -- initiator commits to session }; -- (thinks responder is authenticated) Initiator : record state: InitiatorStates; responder: AgentId; -- agent with whom the initiator end; -- starts the protocol Intruder : record nonces: array[AgentId] of boolean; -- known nonces messages: multiset[MaxKnowledge] of Message; -- known msgs end;

12 N-S protocol action in Mur j ruleset i: InitiatorId do ruleset j: AgentId do rule "initiator starts protocol" ini[i].state = I_SLEEP & multisetcount (l:net, true) var outM: Message; -- outgoing message begin undefine outM; outM.source := i; outM.dest := j; outM.key := j; outM.mType := M_NonceAddress; outM.nonce1 := i; outM.nonce2 := i; multisetadd (outM,net); ini[i].state :=I_WAIT; ini[i].responder := j; end; end; end;

13 Adversary Model Formalize “knowledge”  initial data  observed message fields  results of simple computations Optimization  only generate messages that others read

14 N-S attacker action in Mur j -- intruder i sends recorded message ruleset i: IntruderId do -- arbitrary choice of choose j: int[i].messages do -- recorded message ruleset k: AgentId do -- destination rule "intruder sends recorded message" !ismember(k, IntruderId) & -- not to intruders multisetcount (l:net, true) < NetworkSize ==> var outM: Message; begin outM := int[i].messages[j]; outM.source := i; outM.dest := k; multisetadd (outM,net); end; end;

15 Start State startstate -- initialize initiators undefine ini; for i: InitiatorId do ini[i].state := I_SLEEP; ini[i].responder := i; end; -- initialize responders undefine res; for i: ResponderId do res[i].state := R_SLEEP; res[i].initiator := i; end; -- initialize intruder, network... end;

16 Modeling Properties invariant "responder correctly authenticated" forall i: InitiatorId do ini[i].state = I_COMMIT & ismember(ini[i].responder, ResponderId) -> res[ini[i].responder].initiator = i & ( res[ini[i].responder].state = R_WAIT | res[ini[i].responder].state = R_COMMIT ) end;

17 Questions?

Download ppt "CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Security in Wireless Protocols Bluetooth, 802.11, ZigBee.

1 Security in Wireless Protocols Bluetooth, , ZigBee.
Model Checking for Security Anupam Datta CMU Fall 2009 18739A: Foundations of Security and Privacy.

Model Checking for Security Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Automated Analysis of Cryptographic Protocols Using Murphi Mingchen Zhao University of Pennsylvania.

Automated Analysis of Cryptographic Protocols Using Murphi Mingchen Zhao University of Pennsylvania.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.

Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.

IKEv2 extension: MOBIKE Faisal Memon Erik Weathers CS 259.
Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 3 Protocol Goals Tom Chothia CWI.
Analysis of Security Protocols (I) John C. Mitchell Stanford University.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.
Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Protocol analysis, wireless networking, and mobility John Mitchell Stanford University.

Protocol analysis, wireless networking, and mobility John Mitchell Stanford University.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

Similar presentations

Ads by Google