Presentation is loading. Please wait.

Presentation is loading. Please wait.

A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini,"— Presentation transcript:

1 A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03

2 Objectives Briefly introduce MAUDE as a tool for exploring the Strand Space Model (SSM) for Security Protocol Analysis¹ Demonstrate preliminary results of using MAUDE in the multiset rewriting and strand space approaches Solicit some ideas for potential directions of work

3 Overview Research goals Introduction to MAUDE Multiset rewriting in Maude –Needham-Schroeder –Penetrator Strand Space Modeling in MAUDE –Needham-Schroeder –Penetrator Summary

4 Research Goals Automate Guttman’s Authentication Tests Analyze Kerberos protocol (possibly others) –Verify it passes automated authentication tests –Check for vulnerabilities based on modeling of penetrator strands –Athena ran numerous protocols in a short time frame; my focus is only on a few protocols Search for alternative way to model penetrator activity Don’t reinvent the wheel!

5 Introduction to MAUDE What is Maude? –Maude is a “reflective equational rewrite logic programming language” 3 Allows for concurrent execution of equations and rules Programs consist of functional and System modules –Functional modules define data types and operations by means of equational theories 4 –System modules specify rewrite theories 4 Reflection allows programmer to define operations and strategies at the meta level –Maude’s design maximizes three dimensions: Simplicity: Programs are easy to understand! Expressiveness: Allows for easy expression of a large variety of applications Performance: Fast execution for prototyping and real applications –Put together Needham-Schroeder model very quickly –Our code uses core Maude Maude also has something called Full Maude

6 Terms in MAUDE fmod TERM is sorts Key Text Term. subsorts Key Text < Term. vars A G H : Term. var K : Key. var T : Text. op __ : Term Term -> Term [ctor prec 40]. op {_}_ : Term Key -> Term [ctor]. eq {{H}K}inv(K) = H. eq {{H}inv(K)}K = H. op new : Text -> Text. op inv : Key -> Key. eq inv(inv(K)) = K. op _ Bool. … endfm

7 Needham-Schroeder in MSR Needham-Schroeder model using the multiset rewriting approach: *** ROLE: Initiator rl [init_0] : pr(A) pr(B) pubkeyof(B, Kb) prvkeyof(A, Ka-1) => pr(A) pr(B) pubkeyof(B, Kb) prvkeyof(A, Ka-1) I0(A, B, Ka-1, Kb). rl [init_1] : I0(A, B, Ka-1, Kb) => I1(A, B, Ka-1, Kb, new(A)) N({new(A) A}Kb). crl [init_2] : I1(A, B, Ka-1, Kb, Na) N(msg) => I2(A, B, Ka-1, Kb, Na, Nb) if (Na Nb) := {msg}Ka-1. rl [init_3] : I2(A, B, Ka-1, Kb, Na, Nb) => I3(A, B, Ka-1, Kb, Na, Nb) N({Nb}Kb). *** ROLE: Responder rl [resp_0] : pr(A) pr(B) pubkeyof(A, Ka) prvkeyof(B, Kb-1) => pr(A) pr(B) pubkeyof(A, Ka) prvkeyof(B, Kb-1) R0(A, B, Ka, Kb-1). crl [resp_1] : R0(A, B, Ka, Kb-1) N(msg) => R1(A, B, Ka, Kb-1, Na) if (Na A) := {msg}Kb-1. rl [resp_2] : R1(A, B, Ka, Kb-1, Na) => R2(A, B, Ka, Kb-1, Na, new(B)) N({Na new(B)}Ka). crl [resp_3] : R2(A, B, Ka, Kb-1, Na, Nb) N(msg) => R3(A, B, Ka, Kb-1, Na, Nb) if Nb := {msg}Kb-1.

8 Penetrator in MSR A multiset-rewriting model of a Penetrator as developed in Maude – Uses the "standard" theory where none of the rules consume or destroy the Penetrator's knowledge op I : Term -> State. rl [rec] : N(H) => I(H). rl [dcmp] : I(G H) => I(G) I(H) I(G H). rl [snd] : I(H) => N(H) I(H). rl [cmp] : I(G) I(H) => I(G H) I(G) I(H). rl [encr] : I(H) I(K) => I({H}K) I(H) I(K). rl [nnc] : S => I(new(Pen)) S.

9 MSR Traces Maude> search [20] init1 init2 =>* R2(Alice, Bob, Ka-1, Kb, Na, Nb) S. search [20] in NS-RUN : init1 init2 =>* S R2(Alice, Bob, Ka-1, Kb, Na, Nb). Solution 1 (state 42281) states: 42282 rewrites: 109014 in 5600ms cpu (5602ms real) (19466 rewrites/second) S --> pr(Alice) pr(Bob) pr(Carol) N({new(Alice) new(Bob)}K1) I(inv(K3)) pubkeyof(Alice, K1) pubkeyof(Bob, K2) pubkeyof(Carol, K3) prvkeyof(Alice, inv(K1)) prvkeyof(Bob, inv(K2)) prvkeyof(Carol, inv(K3)) I1(Alice, Bob, inv(K1), K2, new(Alice)) Ka-1 --> K1 Kb --> inv(K2) Na --> new(Alice) Nb --> new(Bob)

10 MSR Traces Maude> search [20] init1 init2 =>* I(new(Bob)) R2(Alice, Bob, Ka-1, Kb, Na, Nb) S. In this search, never found an answer in 24 hours! – State space explosion! Maude> search [20] init1 init2 =>* I(Na) S. In this search, found numerous examples of when the penetrator learned a nonce in a very short time

11 MSR Lessons Learned Maude suffered from state space explosion Did well when searching for individual states Good learning tool!

12 Strand Spaces in MAUDE A single rewrite rule “executes” a set of strands: var S T : Strand. var H : Term. rl [label-p-reduction] : + H S | - H T => S | T.

13 Needham-Schroeder in SSM Definition of the Needham-Schroeder protocol: var A B : Text. *** Think of A and B as names (certificates) var Na Nb : Text. *** Think of Na and Nb as nonces generated by A and B, resp. var Ka Kb Kp K : Key. *** Think of Ka and Kb as public keys owned by A and B, resp. ops nsInitiator nsResponder : Text Text Text Key Key -> Strand. op nsPenetrator : Text Text Text Key Key Key -> Strand. eq nsInitiator(A, Na, Nb, Ka, Kb) = + {| Na A |} Kb - {| Na Nb |} Ka + {| Nb |} Kb. eq nsResponder(A, Na, Nb, Ka, Kb) = - {| Na A |} Kb + {| Na Nb |} Ka - {| Nb |} Kb. eq nsPenetrator(A, Na, Nb, Ka, Kb, Kp) = D({| Na A |} Kp, inv(Kp)) | E(Na A, Kb) | D({| Nb |} Kp, inv(Kp)) | E(Nb, Kb).

14 Maude> rew nsNormal(A, Na, Nb, Ka, Kb). rewrite in NS-TEST : nsNormal(A, Na, Nb, Ka, Kb). *********** rule rl + H:Term S:Strand | - H:Term T:Strand => S:Strand | T:Strand [label label-p-reduction]. H:Term --> {| Na A |}Kb S:Strand --> - {| Na Nb |}Ka + {| Nb |}Kb T:Strand --> + {| Na Nb |}Ka - {| Nb |}Kb + {| Na A |}Kb - {| Na Nb |}Ka + {| Nb |}Kb | - {| Na A |}Kb + {| Na Nb |}Ka - {| Nb |}Kb ---> - {| Na Nb |}Ka + {| Nb |}Kb | + {| Na Nb |}Ka - {| Nb |}Kb *********** rule rl + H:Term S:Strand | - H:Term T:Strand => S:Strand | T:Strand [label label-p-reduction]. H:Term --> {| Na Nb |}Ka S:Strand --> - {| Nb |}Kb T:Strand --> + {| Nb |}Kb + {| Na Nb |}Ka - {| Nb |}Kb | - {| Na Nb |}Ka + {| Nb |}Kb ---> - {| Nb |}Kb | + {| Nb |}Kb *********** rule rl + H:Term S:Strand | - H:Term T:Strand => S:Strand | T:Strand [label label-p-reduction]. H:Term --> {| Nb |}Kb S:Strand --> empty T:Strand --> empty + {| Nb |}Kb | - {| Nb |}Kb ---> empty | empty rewrites: 6 result Bundle: empty | empty Maude> SSM Traces

15 Penetrator in SSM  Standard penetrator strands representation  Focus is on the key functions: Encrypt and Decrypt  Maude makes penetrator operation much easier Encrypt Decrypt  m  {m} k   k  k’   {m} k  m 

16 Penetrator in SSM, cont. This receives a key and message and sends out decrypted plaintext: op D : Term Key -> Strand. eq D(M, K) = - K - M + {| M |} K. This receives a key and message and sends out ciphertext: op E : Term Key -> Strand. eq E(M, K) = - K - M + {| M |} K.

17 SSM Traces Maude> rew nsSpoof(A, Na, Nb, Ka, Kb, Kp). rewrite in NS-TEST : nsSpoof(A, Na, Nb, Ka, Kb, Kp). *********** rule rl + H:Term S:Strand | - H:Term T:Strand => S:Strand | T:Strand [label label-p-reduction]. H:Term --> Nb S:Strand --> empty T:Strand --> empty + Nb | + Kb | + Kb | + inv(Kp) | + inv(Kp) | + Na A | + {| Nb |}Kb | + {| Na A |}Kb | - Nb | - Kb | - Kb | - inv(Kp) | - inv(Kp) | - Na A | - {| Nb |}Kp | - {| Na A |}Kp | + {| Na A |}Kp - {| Na Nb |}Ka + {| Nb |}Kp | - {| Na A |}Kb + {| Na Nb |}Ka - {| Nb |}Kb ---> (+ Kb | + Kb | + inv(Kp) | + inv(Kp) | + Na A | + {| Nb |}Kb | + {| Na A |}Kb | - Kb | - Kb | - inv(Kp) | - inv(Kp) | - Na A | - {| Nb |}Kp | - {| Na A |}Kp | + {| Na A |}Kp - {| Na Nb |}Ka + {| Nb |}Kp | - {| Na A |}Kb + {| Na Nb |}Ka - {| Nb |}Kb) | empty | empty

18 SSM Traces, cont. *********** rule rl + H:Term S:Strand | - H:Term T:Strand => S:Strand | T:Strand [label label-p-reduction]. H:Term --> {| Nb |}Kp S:Strand --> empty T:Strand --> empty empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | + {| Nb |}Kp | - {| Nb |}Kp ---> (empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty) | empty | empty rewrites: 25 result Bundle: empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty | empty

19 SSM Lessons Learned Maude accurately reduced states, verifying known weakness of Needham- Schroeder in very short time Allowed easy representation of strand space model Good learning tool! No search (which is good, and bad)

20 Course of Action Generate the code for the Authentication Tests Run automated tests against Needham-Schroeder Generate Maude code for Kerberos protocol Generate code for other protocols?

21 Summary Research goals Introduction to MAUDE Multiset rewriting in Maude Strand Space Modeling in MAUDE

22 Bibliography 1.Cervesato, Iliano and others. A Comparison between Strand Spaces and Multiset Rewriting for Security Protocol Analysis. July 2000. 2.Guttman, Joshua and F. J. Thayer Fabrega. Authentication Tests. March 2000. 3.Song, Dawn. Athena: A New Efficient Automatic Checker for Security Protocol Analysis. June 1999. 4.Clavel, Manuel and others. Maude 2.0 Manual: version 1. June 2003. 5.http://cliki.tunes.org/Maude.

Download ppt "A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini,"

Similar presentations

Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Developing Business Practice –302LON Delivering Successful Assessments Unit: 3 Knowledgecast: 2.

Developing Business Practice –302LON Delivering Successful Assessments Unit: 3 Knowledgecast: 2.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Technology of Test Case Generation Levi Lúcio University of Geneva Marko Samer Vienna University of Technology.

Technology of Test Case Generation Levi Lúcio University of Geneva Marko Samer Vienna University of Technology.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
The Function Design Recipe CS 5010 Program Design Paradigms “Bootcamp” Lesson 1.1 TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

The Function Design Recipe CS 5010 Program Design Paradigms “Bootcamp” Lesson 1.1 TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Alternate Software Development Methodologies

Alternate Software Development Methodologies
Presenter: PCLee – 2011.03.02. This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.

Presenter: PCLee – This paper outlines the MBAC tool for the generation of assertion checkers in hardware. We begin with a high-level presentation.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.

 Public key (asymmetric) cryptography o Modular exponentiation for encryption/decryption  Efficient algorithms for this o Attacker needs to factor large.
Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.

Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.

Similar presentations

Ads by Google