Presentation is loading. Please wait.

Presentation is loading. Please wait.

MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange."— Presentation transcript:

1 MSR 3: One Year Later Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano Protocol eXchange Seminar, UMBCMay 27-28, 2004

2 MSR 3: One Year Later1/28 NSPK in MSR 3  A: princ. {  L : princ   B:princ.pubK B  nonce  mset.  B: princ.  k B : pubK B.    n A : nonce. net ({n A, A} kB ), L (A, B, k B, n A )  B: princ.  k B : pubK B.  k A : pubK A.  k A ': prvK k A.  n A : nonce.  n B : nonce. net ({n A, n B } kA ), L (A, B, k B, n A )  net ({n B } kB ) } A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB Interpretation of L  Rule invocation  Implementation detail  Control flow  Local state of role  Explicit view  Important for DOS MSR 2 spec.

3 MSR 3: One Year Later2/28 NSPK in MSR 3  A:princ.  B: princ.  k B : pubK B.    n A : nonce. net ({n A, A} kB ), (  k A : pubK A.  k A ': prvK k A.  n B : nonce. net ({n A, n B } kA )  net ({n B } kB )) A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB  Succinct  Continuation-passing style  Rule asserts what to do next  Lexical control flow  State is implicit  Abstract Not an MSR 2 spec.

4 MSR 3: One Year Later3/28 Looks Familiar? A  B: {n A, A} kB B  A: {n A, n B } kA A  B: {n B } kB Process calculus  A:princ.  B: princ.  k B : pubK B.  k A : pubK A.  k A ': prvK k A.  n B : nonce. n A : nonce. net ({n A, A} kB ). net. net ({n B } kB ). 0 {N A, A} KB {N A, N B } KA {N B } KB Alice (A,B,N A,N B ) : N A Fresh,  A  (A,B) Parametric strand

5 MSR 3: One Year Later4/28 What is MSR 3? A new language for security protocols  Supports  State transition specs  Conservative over MSR 2  Process algebraic specs  Rewriting re-interpretation of logic  Rich composable set of connectives  Universal connector Neutral paradigm

6 MSR 3: One Year Later5/28 More than the Sum of its Parts Process- and transition-based specs. in the same language  Choose the paradigm  User’s preference  Highlight characteristics of interest  Support various verification techniques (FW)  Mix and match styles  Within a spec.  Within a protocol  Within a role

7 MSR 3: One Year Later6/28 What is in MSR 3 ?  Security-relevant signature  Network  Encryption, …  Typing infrastructure  Dependent types  Subsorting  Data Access Specification (DAS)  Module system  Equations From MSR 2 From MSR 1 From MSR 2 implementation  -Multisets MSR 2 Protocols Repr. gap

8 MSR 3: One Year Later7/28  -Multisets Specification language for concurrent systems  Crossroad of  State transition languages  Petri nets, multiset rewriting, …  Process calculi  CCS,  -calculus, …  (Linear) logic  Benefits  Analysis methods from logic and type theory  Common ground for comparing  Multiset rewriting  Process algebra  Allows multiple styles of specification  Unified approach  -Multisets MSR 2 Protocols Repr. gap

9 MSR 3: One Year Later8/28 Syntax A::= aatomic object | 1 [  ] empty |A  B [A, B] formation |A  B [A  B] rewrite |Tno-op |A & B [A || B] choice |  x. Ainstantiation |  x. Ageneration |! Areplication Generalizes FO multiset rewriting (MSR 1-2)  x 1 …x n. a(x)   y 1 …y k. b(x,y)

10 MSR 3: One Year Later9/28 State and Transitions  States  ;  ;   ;    is a list   and  are commutative monoids  Transitions  ;  ;    ’;  ’;  ’  ;  ;   *  ’;  ’  * for reflexive and transitive closure  Constructor: “,”  Empty: “  ” - logic - system  - rewriting - processes - security

11 MSR 3: One Year Later10/28 Transition Semantics  ;  ; ( , A, A  B)   ;  ; ( , B) T (no rule) &  ;  ; ( , A 1 & A 2 )   ;  ; ( , A i )  ;  ; ( ,  x. A)   ;  ; ( , [t/x]A) if  |- t  ;  ; ( ,  x. A)  ( , x) ;  ; ( , A) !  ;  ; ( , !A)   ; ( , A) ;   ; ( , A) ;    ; ( , A) ; ( , A)  ;  ;   *  ;   ;  ;   *  ’’  ;  ’’ if  ;  ;    ’  ;  ’ ;  ’ and  ’  ;  ’ ;  ’  *  ’’  ;  ’’

12 MSR 3: One Year Later11/28 Linear Logic  Formulas A, B ::= a | 1 | A  B | A  B | ! A | T | A & B |  x. A |  x. A  LV sequents  ;  -->  C Goal formula Signature Unrestricted context Linear context  Constructor: “,”  Empty: “  ” - logic - system  - rewriting - processes - security

13 MSR 3: One Year Later12/28 Logical Derivations  Proof of C from  and   Emphasis on C  C is input  Finite  Closed  Rules shown  Major premise  Preserves C  Minor premise  Starts subderivation  ;  -->  C  ’’;  ’’ -->  ’’ C  ’;  ’ -->  ’ C  ’’’; C -->  ’’’ C - logic - system  - rewriting - processes - security

14 MSR 3: One Year Later13/28 A Rewriting Re-Interpretation  Transition  From conclusion  To major premise  Emphasis on ,  and   C is output, at best  Does not change  Possibly infinite  Open  Minor premise  Auxiliary rewrite chain  Finite  Topped with axiom  ;  -->  C  ’’;  ’’ -->  ’’ C  ’;  ’ -->  ’ C  ’’’; C -->  ’’’ C - logic - system  - rewriting - processes - security

15 MSR 3: One Year Later14/28 Interpreting Unary Rules  ;  ; ( , !A)    ; ( , A);   ; , A --> ,x C  ; ,  x.A -->  C , A;  -->  C  ; , !A -->  C  |- t  ; , [t/x]A -->  C  ; ,  x.A -->  C  ; , A, B -->  C  ; , A  B -->  C  ;  ; ( , A  B )   ;  ; ( , A, B)  ;  ; ( ,  x. A)   ;  ; ( , [t/x]A) if  |- t  ;  ; ( ,  x. A)  ( , x);  ; ( , A) … … - logic - system  - rewriting - processes - security

16 MSR 3: One Year Later15/28 Binary Rules and Axiom  Minor premise  Auxiliary rewrite chain  Top of tree  Focus shifts to RHS  Axiom rule  Observation  ;  ’ -->  A  ; , B -->  C  ; ,  ’, A  B -->  C  ’; A -->  ’ A - logic - system  - rewriting - processes - security

17 MSR 3: One Year Later16/28 Observations  Observation states  ;   In , we identify , with    with 1 Categorical semantics  Identified with  x 1. …  x n.   For  = x 1, …, x n De Bruijn’s telescopes  Observation transitions  ;  ;   *  ’;  ’ A ,  ’; A’ --> ,  ’ A’  ;  -->   ’. A’  =    ;  = .   - logic - system  - rewriting - processes - security

18 MSR 3: One Year Later17/28 Interpreting Binary Rules  ;  ; ( ,  ’, A  B)   ;  ; ( , B) if  ;  ;  ’  *  ; A  ;  ’ -->  A  ; , B -->  C  ; ,  ’, A  B -->  C  ;  ’ -->  A  ;  A -->  C  ; ,  ’ -->  C  ;  ; ,  ’   ;  ; (A,  ) if  ;  ;  ’  *  ; A  ; A -->  A  ;  ;   *  ;   ;  ;   *  ’’;  ’’ if  ;  ;    ’;  ’;  ’ and  ’;  ’;  ’  *  ’’;  ’’ … … - logic - system  - rewriting - processes - security

19 MSR 3: One Year Later18/28 Formal Correspondence  Soundness If  ;  ;   * ,  ’;  ’ then  ;  -->   ’.  ’  Completeness?  No! We have only crippled right rules  ;  ; a  b, b  c  *  ; a  c - logic - system  - rewriting - processes - security

20 MSR 3: One Year Later19/28 System   With cut, rule for  can be simplified to  ;  ; ( , A, A  B)   ;  ; ( , B)  Cut elimination holds = in-lining of auxiliary rewrite chains  But …  Careful with extra signature symbols  Careful with extra persistent objects  No rule for  needs a premise  does not depend on  * - logic - system  - rewriting - processes - security

21 MSR 3: One Year Later20/28 Multiset Rewriting  Multiset: set with repetitions allowed a ::=  | a, a  Commutative monoid  Multiset rewriting (a.k.a. Petri nets)  Rewriting within the monoid  Fundamental model of distributed computing  Alternative: Process Algebras  Basis for security protocol spec. languages  MSR family  … several others  Many extensions, more or less ad hoc - logic - system  - rewriting - processes - security

22 MSR 3: One Year Later21/28 The Atomic Objects of MSR 3 Atomic terms  PrincipalsA  KeysK  NoncesN  Other  Raw data, timestamp, … Constructors  Encryption{_} _  Pairing(_, _)  Other  Signature, hash, MAC, … Fully definable Predicates  Network net  Memory M A  IntruderI  …  -Multisets MSR 2 Protocols Repr. gap

23 MSR 3: One Year Later22/28 Types Fully definable  Powerful abstraction mechanism  At various user-definable level  Finely tagged messages  Untyped: msg only  Simplify specification and reasoning  Automated type checking  Simple types  A : princ  n : nonce  m : msg, …  Dependent types  k : shK A B  K : pubK A  K’ : privK K, …  -Multisets MSR 2 Protocols Repr. gap

24 MSR 3: One Year Later23/28 Subsorting  Allows atomic terms in messages  Definable  Non-transmittable terms  Sub-hierarchies  Discriminant for type-flaw attacks  <:  ’  -Multisets MSR 2 Protocols Repr. gap

25 MSR 3: One Year Later24/28 Data Access Specification  Prevent illegitimate use of information  Protocol specification divided in roles –Owner = principal executing the role  A signing/encrypting with B’s key  A accessing B’s private data, …  Simple static check  Central meta-theoretic notion  Detailed specification of Dolev-Yao access model  Gives meaning to Dolev-Yao intruder  Current effort towards integration in type system  Definable  Possibility of going beyond Dolev-Yao model  -Multisets MSR 2 Protocols Repr. gap

26 MSR 3: One Year Later25/28 Modules and Equations  Modules  Bundle declarations with simple import/export interface  Keep specifications tidy  Reusable  Equations (For free from underlying Maude engine)  Specify useful algebraic properties  Associativity of pairs  Allow to go beyond free-algebra model  Dec(k, Enc(k, M)) = M  -Multisets MSR 2 Protocols Repr. gap

27 MSR 3: One Year Later26/28 State-Based vs. Process-Based  State-based languages  Multiset Rewriting  NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach, …  State transition semantics  Process-based languages  Process Algebra  Strand spaces, spi-calculus, …  Independent communicating threads  -Multisets MSR 2 Protocols Repr. gap

28 MSR 3: One Year Later27/28 MSR 3 Bridges the Gap  Difficult to go from one to the other  Different paradigms PB SB State vs. process distance Other distance MSR 3 PB SB State  Process translation done once and for all in MSR 3  -Multisets MSR 2 Protocols Repr. gap

29 MSR 3: One Year Later28/28 Summary  MSR 3.0  Language for security protocol specification  Succinct representations  Simpl specifications  Economy of reasoning  Bridge between  State-based representation  Process-based representation   -multisets  Logical foundation of multiset rewriting  Relationship with process algebras  Unified logical view  Better understanding of where we are  Hint about where to go next

Download ppt "MSR 3: One Year Later Iliano Cervesato ITT Industries, NRL Washington, DC Protocol eXchange."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.

Reliable Scripting Using Push Logic Push Logic David Greaves, Daniel Gordon University of Cambridge Computer Laboratory Reliable Scripting.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Architecture Representation

Architecture Representation
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
Page 1 Building Reliable Component-based Systems Ivica Crnkovic Chapter 9 Component Composition and Integration.

Page 1 Building Reliable Component-based Systems Ivica Crnkovic Chapter 9 Component Composition and Integration.
A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,

A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,
Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.

Architecture-driven Modeling and Analysis By David Garlan and Bradley Schmerl Presented by Charita Feldman.
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,
1 Ivan Lanese Computer Science Department University of Bologna Roberto Bruni Computer Science Department University of Pisa A mobile calculus with parametric.

1 Ivan Lanese Computer Science Department University of Bologna Roberto Bruni Computer Science Department University of Pisa A mobile calculus with parametric.
December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato

December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato
Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato ITT Industries, NRL Washington, DC

Fine-Grained MSR Specifications for Quantitative Security Analysis Iliano Cervesato ITT Industries, NRL Washington, DC
Fault Tree Representation of Security Requirements0.

Fault Tree Representation of Security Requirements0.

Similar presentations

Ads by Google