Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping."— Presentation transcript:

1 Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols

2 Talk Outline 1.LTL Model Checking 2.Monte Carlo Model Checking 3.Needham-Schroeder 4.Implementation & Results 5.Conclusions & Future Work

3 Model Checking ? Is system S a model of formula φ?

4 Model Checking S is a nondeterministic/concurrent system.  is (in our case) an LTL (Linear Temporal Logic) formula. Basic idea: intelligently explore S ’s state space in attempt to establish S ⊨ . Fly in the ointment: State Explosion!

5 LTL Model Checking An LTL formula is made up of atomic propositions p, boolean connectives , ,  and temporal modalities X (neXt) and U (Until). Every LTL formula  can be translated to a Büchi automaton whose language is set of infinite words satisfying . Automata-theoretic approach: S ⊨  iff L ( B S )  L ( B  ) iff L ( B S  B  )  

6 Emptiness Checking Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! s1s1 s2s2 s3s3 sksk s k-2 s k-1 s k+1 s k+2 s k+3 snsn DFS 2 DFS 1

7 Monte Carlo Model Checking (MC 2 ) Sample Space: lassos in B S  B  Random variable Z : –Outcome = 0 if randomly chosen lasso accepting –Outcome = 1 otherwise μ Z = ∑ p i Z i (weighted mean) Compute ( ε,δ )-approx. of μ Z

8 Monte Carlo Model Checking (MC 2 ) L1 = abcb, L2 = abcdb, L3 = abcdea Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼ μ Z = ½ acbd e

9 Monte Carlo Approximation Problem: Compute the mean value μ Z of a random variable Z distributed in [0,1] when an exact computation of μ Z proves intractable. with error margin  and confidence ratio . Solution: Compute an ( ,  )-approximation of  Z : Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨  !

10 Original Solution [Karp, Luby & Madras: Journal of Algorithms 1989] Compute as the mean value of N independent random variables (samples) identically distributed according to Z : Determine N using the Zero-One estimator theorem: Problems: is unknown and can be large.

11 Stopping Rule Algorithm (SRA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Innovation: computes correct N without using Theorem: E[ N ] ≤ 4 ln(2/  ) / μ Z  2 ;  = 4 ln(2/  ) /  2 ; for (N=0, S=0; S≤  ; N++) S=S+Z N ; = S/N; return ; Problem: is in most interesting cases too large.

12 Optimal Approx Algorithm (OOA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Compute N using generalized Zero-One estimator: Apply sequential analysis (prediction/correction): 1. Assume  2 is small and compute with SRA( ) 2. Compute  using and 3. Use to correct N and. Expected number of samples is optimal to within a constant factor!

13 Monte Carlo Model Checking Theorem: MC 2 computes an (ε,δ)-approximation of μ Z in expected time O(N∙D) and uses expected space O(D), where D is the recurrence diameter of B = B S  B . Cf. DDFS which runs in O(2 |S|+|φ| ) time and space.

14 Needham-Schroeder 1.A  B : { N a, A } K B 2.B  A : { N a, N b } K A 3.A  B : { N b } K B

15 Breaking & Fixing Needham-Shroeder In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication with B. As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2 nd msg: 2´. B  A : { B, N a, N b } K A

16 Implementation Implemented DDFS and MC 2 in jMocha model checker for synchronous systems specified using Reactive Modules. Specified NS as a reactive module; all communications go through intruder. Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.

17 Time and space requirements for DDFS and MC 2 Experimental Results

18 Variation of µ Z for MC 2 Experimental Results ~

19 Related Approaches NRL Protocol Analyzer [Meadows 96] Spi-Calculus [Abadi Gordon 97] FDR [Lowe 97] The Strand Space Method [Guttman et al. 98] Isabelle Theorem Prover [Paulson 98] Backward Induction [Kurkowski Mackow 03]

20 Conclusions Applied Monte Carlo model checking to Needham-Schroeder. Results indicate may be more effective than traditional approaches in discovering attacks. Further experimentation required to draw definitive conclusions. Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!

21 Monte Carlo Model Checking Randomized algorithm for LTL model checking utilizing automata-theoretic approach. Basic idea: Take N samples: sample = lasso = random walk through B S  B  ending in a cycle. If accepting lasso (counter-example) found, return false. Else return true with certain confidence.

Download ppt "Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping."

Similar presentations

Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.

Pretty-Good Tomography Scott Aaronson MIT. Theres a problem… To do tomography on an entangled state of n qubits, we need exp(n) measurements Does this.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
An improved on-the-fly tableau construction for a real-time temporal logic Marc Geilen 12 July 2003 /e.

An improved on-the-fly tableau construction for a real-time temporal logic Marc Geilen 12 July 2003 /e.
Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.

Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CLASSICAL PLANNING What is planning ?  Planning is an AI approach to control  It is deliberation about actions  Key ideas  We have a model of the.

CLASSICAL PLANNING What is planning ?  Planning is an AI approach to control  It is deliberation about actions  Key ideas  We have a model of the.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Markov Chains 1.

Markov Chains 1.
Responding to Policies at Runtime in TrustBuilder Bryan Smith, Kent E. Seamons, and Michael D. Jones Computer Science Department Brigham Young University.

Responding to Policies at Runtime in TrustBuilder Bryan Smith, Kent E. Seamons, and Michael D. Jones Computer Science Department Brigham Young University.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google