A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento

A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento fausto@cs.unitn.it

Logics of Beliefs for Security Protocols ê BAN Logic (Borrows, Abadi & Needham) ç Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication

Logics of Beliefs for Security Protocols ê BAN Logic (Borrows, Abadi & Needham) ç Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication ê Some Extensions ç Abadi & Tuttle (AT Logic) ç Gong, Needham & Yahalom (GNY Logic) ç Boyd & Mao

Logics of Beliefs for Security Protocols ê BAN Logic (Borrows, Abadi & Needham) ç Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication ê Some Extensions ç Abadi & Tuttle (AT Logic) ç Gong, Needham & Yahalom (GNY Logic) ç Boyd & Mao ê Attempts to automate reasoning in BAN ç Kindred & Wing (Theory Building)

The Approach ê Define a Logic of Belief and Time

The Approach ê Define a Logic of Belief and Time ê A Model Checking Algorithm for this logic

The Approach ê Define a Logic of Belief and Time ê A Model Checking Algorithm for this logic ê Built on top of CTL model checking

ê ê Define a Logic of Belief and Time ê ê A Model Checking Algorithm for this logic ê ê Built on top of CTL model checking Integration with existing tools (e.g. NuSMV)  The Approach

Example: The Andrew Protocol 1 A  B : {N A } K AB 2 B  A : {N A, N B } K AB 3 A  B : {N B } K AB 4 B  A : {K AB, N B } K AB

Example Property : at the end of the protocol session, A believes that B believes that K ’ AB is a "good shared key" for communication between them. Example: The Andrew Protocol 1 A  B : {N A } K AB 2 B  A : {N A, N B } K AB 3 A  B : {N B } K AB 4 B  A : {K AB, N B } K AB

1  A  B : {N A } K AB 2  B  A : {N A, N B } K AB 3  A  B : {N B } K AB 4  B  A : {K AB, N B } K AB Example: Attack to the Andrew Protocol

1  A  B : {N A } K AB 2  B  A : {N A, N B } K AB 3  A  B : {N B } K AB 4  B  A : {K AB, N B } K AB 1  A  B : {N  A } K ab 2  B  A : {N A, N  B } K ab 3  A  B : {N  B } K AB 4  I(B)  A : {K AB, N B } K AB Example: Attack to the Andrew Protocol

Outline of the Talk ê Intuitions

Outline of the Talk ê Intuitions ê MultiAgent Temporal Logic (MATL) ê MultiAgent Finite State Machine (MAFSM) ê The Model Checking Algorithm (MAMC)

Outline of the Talk ê Intuitions ê MultiAgent Temporal Logic (MATL) ê MultiAgent Finite State Machine (MAFSM) ê The Model Checking Algorithm (MAMC) ê Model of the Andrew Protocol in MAFSM

Outline of the Talk ê Intuitions ê MultiAgent Temporal Logic (MATL) ê MultiAgent Finite State Machine (MAFSM) ê The Model Checking Algorithm (MAMC) ê Model of the Andrew Protocol in MAFSM ê Conclusion and Future Work

Intuitions

Intuitions Principals have two orthogonal aspects: ê Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.

Intuitions Principals have two orthogonal aspects: ê Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions. ê Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.

Intuitions BB?BB? Principals have two orthogonal aspects: ê Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions. ê Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.

Intuitions ?? BB?BB? Principals have two orthogonal aspects: ê Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions. ê Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.

MultiAgent Temporal Logic (MATL)

.........  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA... To each level of nesting of beliefs we associate a Representation of a process evolving over time. MATL: Views

.........  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA... Each Representation is called a View MATL: Views To each level of nesting of beliefs we associate a Representation of a process evolving over time.

Views represent the beliefs about a principal's evolution during the protocol  View  the protocol as seen by the external observer (the analyser's point of view)  View B A   's beliefs about the evolution of principal A.  View B B   's beliefs about the evolution of principal B.  View B A B B  (  's beliefs about) A's beliefs about the evolution of principal B é.... MATL: Views

.  BABA B BBBABBBA BBBBBBBB BABBBABB BABABABA........  * is the set of (possibly empty) strings of the form B X 1 ···B X n

MATL: Language ê We associate to each view a language ê The language of each view allows for expressing properties of the process associated with that view

............  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA  MATL: Language

............  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA BBBB 

............  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA BABBBABB BBBB 

............  BABAB BBBABBBA BBBBBBBB BABBBABB BABABABA BABBBABB BBBB  BBBABBBA BABA 

To each view  we associate the smallest CTL language containing:  a finite set of Propositional Atoms    the set of Atoms    = {B X  |  is a formula of  B X } that is the Belief Atoms of the form B X  for each formula  of view  B X

MATL: Language To each view  we associate the smallest CTL language containing:  a finite set of Propositional Atoms    the set of Atoms    = {B X  |  is a formula of  B X } that is the Belief Atoms of the form B X  for each formula  of view  B X Example AG(B A B B P) is a formula of view 

MATL: Language Definition: Given a family {   } of sets of propositional atoms, the family of MATL languages on   is the family of CTL languages {   }

MATL: Language Definition: Given a family {   } of sets of propositional atoms, the family of MATL languages on   is the family of CTL languages {   } A MATL formula  belonging to   is denoted by  Example  AG(B A B B P) denotes the formula AG(B A B B P) of view 

MultiAgent Finite State Machine (MAFSM)

MAFSM: Intuitions ê Model Checking employs Finite State Machines ê We extend the notion of FSM to accommodate beliefs ê We associate the Finite State Machine of a process to each view

MAFSM: Intuitions ê Model Checking employs Finite State Machines ê We extend the notion of FSM to accommodate beliefs ê We associate the Finite State Machine of a process to each view Restriction: ê We consider only a finite number of views

MultiAgent Finite State Machine.  BABA B BBBABBBA BBBBBBBB BABBBABB BABABABA........  * is the set of (possibly empty) strings of the form B X 1 ···B X n

MultiAgent Finite State Machine.  BABA B BBBABBBA BBBBBBBB BABBBABB BABABABA........ nn

.  BABA B BBBABBBA BBBBBBBB BABBBABB BABABABA........ nn  n is a finite subset of strings in  *

MultiAgent Finite State Machine We associate the Finite State Machine of a process to each view in  n  BABAB B A B B BBBABBBA

MultiAgent Finite State Machine We associate the Finite State Machine of a process to each view in  n  BABAB B A B B BBBABBBA Problem: there's a infinite number of Belief Atoms in each view!

Explicit Belief Atoms Solution: chose a finite number of Belief Atoms (Explicit Beliefs Atoms) as state variables of the FSM of a view.  s s's'' BXBX BXBX

Explicit Belief Atoms Explicit Belief Atoms induce a Compatibility Relation among states in different views.  s s's'' BXBX  BXBX

Implicit Belief Atoms Implicit Belief Atoms are the infinite set of Belief Atoms which are not Explicit  BXBX BXBX BXBX  BXBX

Implicit Belief Atoms Satisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation  BXBX  BXBX BXBX       BXBX

Implicit Belief Atoms Explicit Belief Atoms are used to assess the truth of Implicit Belief Atoms  BXBX BXBX BXBX       Satisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation  BXBX 

MultiAgent Finite State Machine A MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.  BABAB B A B B BBBABBBA

MAFSM: From Trees to Graphs The definition of MAFSM as a Tree of FSMs (one for each view): ê does not allow for arbitrary nesting of beliefs: ç “a priori” bound on the length of each branch of the tree.

MAFSM: From Trees to Graphs The definition of MAFS as a Tree of FSMs (one for each view): ê does not allow for arbitrary nesting of beliefs: ç “a priori” bound on the length of each branch of the tree. ê needs a distinct specification of each view even when it is not necessary: ç often in security protocol we can safely assume that the protocol is publicly known and each (honest) principal behaviour is completely known to the other principals; ç in some cases distinct views of that principal could be modelled by the same process (FSM).

MAFSM: From Trees to Graphs Solution: ê allow for cycles in MAFSM; ê a MAFSM becomes a Graph of views

MultiAgent Finite State Machine A MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.  B BABA

Model Checking Algorithm (MAMC)

MultiAgent Model Checking Algorithm To check the formula  in view , the algorithm performs three steps: 1 recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.

MultiAgent Model Checking Algorithm To check the formula  in view , the algorithm performs three steps: 1 recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.  compute for each state s the BDI atoms occurring in  true at s.

MultiAgent Model Checking Algorithm To check the formula  in view , the algorithm performs three steps: 1 recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.  compute for each state s the BDI atoms occurring in  true at s. 3 call the standard CTL model checking algorithm (treating BDI atoms as atomic formulas).

MultiAgent Model Checking Algorithm  B BABA AG (B A B B  )

MultiAgent Model Checking Algorithm  B BABA Implicit Belief Atom AG (B A B B  )

MultiAgent Model Checking Algorithm  B BABA Implicit Belief Atom AG (B A B B  ) B B 

MultiAgent Model Checking Algorithm  B BABA AG (B A B B  ) B B  

AG (B A B B  ) MultiAgent Model Checking Algorithm  B BABA B B  

Model of the Andrew Protocol

Beliefs in Security Protocols ê Each Principal is seen as a process able to have Beliefs about other principal  B X  means that principal "X believes  " to be true

Beliefs in Security Protocols ê Each Principal is seen as a process able to have Beliefs about other principal  B X  means that principal "X believes  " to be true ê Beliefs evolve over time (as messages are sent/received)

Beliefs in Security Protocols ê Each Principal is seen as a process able to have Beliefs about other principal  B X  means that principal "X believes  " to be true ê Beliefs evolve over time (as messages are sent/received) ê Beliefs can be nested Example (from BAN) At the end of the protocol session: A believes that B believes that K ' AB is a "good shared key" for communication between them.

Beliefs in Security Protocols ê Each Principal is seen as a process able to have Beliefs about other principal  B X  means that principal "X believes  " to be true ê Beliefs evolve over time (as messages are sent/received) ê Beliefs can be nested Example (from BAN) At the end of the protocol session: A believes that B believes that K ' AB is a "good shared key" for communication between them. rec A {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB

Model of the Andrew Protocol ê External Observer a process (the protocol) ascribing beliefs to agents A and B ê Agent A a process ascribing beliefs to agent B ê Agent B a process ascribing beliefs to agent A 1 A  B : {N A } K AB 2 B  A : {N A, N B } K AB 3 A  B : {N B } K AB 4 B  A : {K AB, N B } K AB

Model of the Andrew Protocol All these entities are modeled as processes accessing other agents' representations (views). ê External Observer a process (the protocol) ascribing beliefs to agents A and B ê Agent A a process ascribing beliefs to agent B ê Agent B a process ascribing beliefs to agent A 1 A  B : {N A } K AB 2 B  A : {N A, N B } K AB 3 A  B : {N B } K AB 4 B  A : {K AB, N B } K AB

Model of the Andrew Protocol  B A   B B B A B B   B A B B  (B B B A, B A ) (i.e. B B B A and B A are modelled by the same process)  (B A B B, B B ) (i.e. B A B B and B B are modelled by the same process)

Model of the Andrew Protocol To specify a MAFSM we need to specify the following elements: ê Propositional Atoms ê Message variables ê Freshness variables

Model of the Andrew Protocol To specify a MAFSM we need to specify the following elements: ê Propositional Atoms ê Message variables ê Freshness variables ê Explicit Belief Atoms

Model of the Andrew Protocol To specify a MAFSM we need to specify the following elements: ê Propositional Atoms ê Message variables ê Freshness variables ê Explicit Belief Atoms ê How Atoms’ truth values vary during the protocol execution

Propositional Atoms : Message Variables ê We need to model principal sending and receiving messages

Propositional Atoms : Message Variables ê We need to model principal sending and receiving messages ê Boolean varibles

Propositional Atoms : Message Variables ê We need to model principal sending and receiving messages ê Boolean varibles View B A send {N A } K AB rec {N A,N B } K AB... rec {K' AB,N' B } K AB

Propositional Atoms : Message Variables View B B rec {N A } K AB send {N A,N B } K AB... send {K' AB,N' B } K AB View B A send {N A } K AB rec {N A,N B } K AB... rec {K' AB,N' B } K AB ê We need to model principal sending and receiving messages ê Boolean varibles

Propositional Atoms : Message Variables View  rec A {N A } K AB send AB {N A,N B } K AB... send AB {K' AB,N' B } K AB View B A send {N A } K AB rec {N A,N B } K AB... rec {K' AB,N' B } K AB View B B rec {N A } K AB send {N A,N B } K AB... send {K' AB,N' B } K AB ê We need to model principal sending and receiving messages ê Boolean varibles

Propositional Atoms : Message Variables Message Variables Evolution ê Once they become true they remain stable View B A send B {N A } K AB rec {N A,N B } K AB... rec {K' AB,N' B } K AB View B B rec {N A } K AB send A {N A,N B } K AB... send A {K' AB,N' B } K AB View  rec A {N A } K AB send AB {N A,N B } K AB... send AB {K' AB,N' B } K AB

Propositional Atoms : Message Variables View B A send B {N A } K AB rec {N A,N B } K AB... rec {K' AB,N' B } K AB View B B rec {N A } K AB send A {N A,N B } K AB... send A {K' AB,N' B } K AB View  rec A {N A } K AB send AB {N A,N B } K AB... send AB {K' AB,N' B } K AB Message Variables Evolution ê Once they become true they remain stable ê Evolve following the order of messages in the protocol

Example: Evolution of Message Variables  send {N A } K AB  rec {N A,N B } K AB Message variables evolve following the order of messages in the protocol A has not sent/received any message

Example: Evolution of Message Variables send {N A } K AB  rec {N A,N B } K AB Message variables evolve following the order of messages in the protocol A has sent Message 1  send {N A } K AB  rec {N A,N B } K AB

Example: Evolution of Message Variables send {N A } K AB rec {N A,N B } K AB Message variables evolve following the order of messages in the protocol send {N A } K AB  rec {N A,N B } K AB  send {N A } K AB  rec {N A,N B } K AB A has received Message 2

Propositional Atoms : Freshness Variables ê We need to express basic properties of messages: freshness ê Boolean varibles View B A fresh N A... fresh{K' AB,N' B } K AB shk K' AB

Propositional Atoms : Freshness Variables View B A fresh N B... fresh{K' AB,N' B } K AB shk K' AB View B A fresh N A... fresh{K' AB,N' B } K AB shk K' AB ê We need to express basic properties of messages: freshness ê Boolean varibles

Propositional Atoms : Freshness Variables View B A fresh N A … fresh{K' AB,N' B } K AB shk K' AB View  fresh N A... fresh{K' AB,N' B } K AB shk K' AB View B B fresh N B... fresh{K' AB,N' B } K AB shk K' AB ê We need to express basic properties of messages: freshness ê Boolean varibles

Propositional Atoms : Freshness Variables Freshness Variables Evolution ê Once they become true they remain stable View B A fresh N A … fresh{K' AB,N' B } K AB shk K' AB View B B fresh N B... fresh{K' AB,N' B } K AB shk K' AB View  fresh N A... fresh{K' AB,N' B } K AB shk K' AB

Propositional Atoms : Freshness Variables View B A fresh N A... fresh{K' AB,N' B } K AB shk K' AB View B B fresh N B... fresh{K' AB,N' B } K AB shk K' AB View  fresh N A... fresh{K' AB,N' B } K AB shk K' AB Freshness Variables Evolution ê Once they become true they remain stable ê Must satisfy some additional contraints

Evolution of Freshness Variables   fresh {N A, N B } K AB  fresh N A  fresh N B...

Evolution of Freshness Variables ê B A fresh {N A, N B } K AB  (fresh N A  fresh N B )  rec{N A, N B } K AB fresh {K' AB,N' B } K AB  (fresh K' AB  fresh N' B )  rec{K' AB,N' B } K AB …   fresh {N A, N B } K AB  fresh N A  fresh N B...

Evolution of Freshness Variables   fresh {N A, N B } K AB  fresh N A  fresh N B... ê B A fresh {N A, N B } K AB  (fresh N A  fresh N B )  rec{N A, N B } K AB fresh {K' AB,N' B } K AB  (fresh K' AB  fresh N' B )  rec{K' AB,N' B } K AB.. ê B B fresh {K' AB,N' B } K AB  (fresh K' AB  fresh N' B )  rec{K' AB,N' B } K AB fresh {K' AB,N' B } K AB   shk K' AB...

Explicit Beliefs Atoms View B A B B send A {K' AB,N' B } K AB... ê We need to express beliefs about (other) principal sending/receiving messages ê Boolean varibles

Explicit Beliefs Atoms ê We need to express beliefs about (other) principal sending/receiving messages ê Boolean varibles View B A B B send A {K' AB,N' B } K AB... View B B B A send B {N A } K AB...

Explicit Belief Atoms ê We need to express beliefs about (other) principal sending/receiving messages ê Boolean varibles View B A B B send A {K' AB,N' B } K AB... View B B B A send B {N A } K AB … View  B A rec {K' AB,N' B } K AB B B send A {K' AB,N' B } K AB...

Explicit Belief Atoms Explicit Belief Atoms Evolution ê Once they become true they remain stable ê Must satisfy some additional contraints View  B A rec {K' AB,N' B } K AB B B send A {K' AB,N' B } K AB … View B A B B send A {K' AB,N' B } K AB... View B B B A send B {N A } K AB …

Evolution of Explicit Belief Atoms   rec A {K' AB,N' B } K AB   B A rec {K' AB,N' B } K AB …

Evolution of Explicit Belief Atoms   rec A {K' AB,N' B } K AB  B A rec {K' AB,N' B } K AB... ê B A r ec {K' AB,N' B } K AB  B B send A {K' AB,N' B } K AB fresh {K' AB,N' B } K AB  B B fresh {K' AB,N' B } K AB …

Evolution of Explicit Belief Atoms   rec A {K' AB,N' B } K AB   B A rec {K' AB,N' B } K AB... ê B A rec {K' AB,N' B } K AB   B B send A {K' AB,N' B } K AB fresh {K' AB,N' B } K AB   B B fresh {K' AB,N' B } K AB... ê B B rec {N B } K AB  B A send B {N B } K AB fresh {N B } K AB  B A fresh {N B } K AB...

Checking the Andrew Protocol  B BABA AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB ) A security property for the Andrew Protocol

Checking the Andrew Protocol  B BABA B B shk K' AB shk K' AB AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB )

Checking the Andrew Protocol  B B B shk K' AB shk K' AB fresh {K' AB,N' B } K AB  shk K' AB AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB ) BABA

Checking the Andrew Protocol  B B B shk K' AB shk K' AB rec {K' AB,N' B } K AB  B B send A {K' AB,N' B } K AB fresh {K' AB,N' B } K AB  B B fresh {K' AB,N' B } K AB (fresh K' AB  fresh N' B )  rec {K' AB,N' B } K AB  fresh {K' AB,N' B } K AB AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB ) BABA

Checking the Andrew Protocol  B B B shk K' AB shk K' AB AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB ) BABA rec A {K' AB,N' B } K AB  B A rec {K' AB,N' B } K AB

Checking the Andrew Protocol  B B B shk K' AB shk K' AB AG(rec {K' AB,N' B } K AB  B A fresh N A  B A B B shk K' AB ) BABA rec A {K' AB,N' B } K AB  B A rec {K' AB,N' B } K AB The property doesn’t hold of the Andrew Protocol

Conclusions A Model-Checking based Verification Procedure for Security Protocols ê Logic of Beliefs ê MultiAgent Finite State Machine ê Model Checking Algorithm

Conclusions A Model-Checking based Verification Procedure for Security Protocols ê Logic of Beliefs ê MultiAgent Finite State Machine ê Model Checking Algorithm Future Work ê Implementation (ongoing work) ê Experimental Analysis ê Extension of the logic and comparison with other logics

A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento

Similar presentations

Presentation on theme: "A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento

Similar presentations

Presentation on theme: "A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo Benerecetti Fausto Giunchiglia University of Trento"— Presentation transcript:

Similar presentations

About project

Feedback