Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alternating Temporal Logic and Game-Based Properties CS 259 John Mitchell with slides from Vitaly Shmatikov.

Published byJodie Hunt Modified over 9 years ago

Similar presentations

Presentation on theme: "Alternating Temporal Logic and Game-Based Properties CS 259 John Mitchell with slides from Vitaly Shmatikov."— Presentation transcript:

1 Alternating Temporal Logic and Game-Based Properties CS 259 John Mitchell with slides from Vitaly Shmatikov

2 Traces vs trees uMur , Paulson’s method, constraint tool, etc. Protocol + attacker define a set of traces Security properties are predicates on states –Is there a state where attacker knows Alice’s nonce? –Is there a state where Bob says that he’s authenticated Alice, but Alice did not start the protocol with Bob? uLinear-time temporal logic Did Alice send a message before Bob received it? Is nonce secret until Charlie reveals it? uAlternating-time temporal logic After Alice commits, can Alice prevent Bob from getting a contract?

3 Overview uProtocols as games Review: contract signing example Security as presence or absence of certain strategies uAlternating transition systems Formal model for adversarial protocols uAlternating-time temporal logic Logic for reasoning about alternating transition systems Example: game-based properties of fair exchange uLast part of class meeting Adam Barth describes Mocha, last year’s project

4 The Problem of Fair Exchange Signature A (contract) Signature B (contract) uMalicious participant vs. external intruder Fair exchange protocols are designed to provide protection against misbehavior by protocol participants uA protocol can be viewed as a game Adversarial behavior (e.g., Alice vs. Bob) Cooperative behavior (e.g., Bob controls communication channel) Sorry, you are fooled ;-)

5 Game-Theoretic Model uEach protocol message is a game move Different sets of moves for different participants –Honest players follow the protocol –Dishonest players can make additional moves Send any message they can compute Wait instead of responding uFour possible outcomes (for signature exchange) A has B’s signature, B has A’s signature A has B’s signature, B doesn’t have A’s signature, etc. uReason about players’ game strategies

6 Protocol as a Game Tree... (Y,N)(Y,Y)(Y,Y)(Y,Y)(Y,Y)(N,Y) (N,N) uEvery possible execution of the protocol is a path in the tree uPlayers may alternate their moves First A sends a message, then B, then A … Adversary “folded” into dishonest player uEvery leaf labeled by an outcome (Y,Y) if A has B’s signature and B has A’s (Y,N) if only A has B’s signature, etc. uNatural concept of strategy A has a strategy for getting B’s signature if, for any move B can make, A has a response move such that the game always terminates in some leaf state labeled (Y,…)

7 Define Properties on Game Trees No leaf node is labeled (Y,N) or (N,Y) Fairness B never has a strategy to reach (Y,Y) AND a strategy to reach (N,N) Balance (for A) B cannot prove that it has advantage Abuse-freeness (for A) uNot trace-based properties (unlike secrecy and authentication) uVery difficult to verify with symbolic analysis or process algebras... (Y,N)(Y,Y)(Y,Y)(Y,Y)(Y,Y)(N,Y) (N,N)

8 Alternating Transition Systems uGame variant of Kripke structures R. Alur, T. Henzinger, O. Kupferman. “Alternating- time temporal logic”. FOCS 1997. uStart by defining state space of the protocol  is a set of propositions  is a set of players Q is a set of states Q 0  Q is a set of initial states  : Q  2  maps each state to the set of propositions that are true in the state uSo far, this is very similar to Mur 

9 Transition Function u  : Q   2 2 Q maps a state and a player to a nonempty set of choices, where each choice is a set of possible next states When the system is in state q, each player chooses a set Q a  (q,a) The next state is the intersection of choices made by all players  a   (q,a) The transition function must be defined in such a way that the intersection contains a unique state uInformally, a player chooses a set of possible next states, and his opponents choose one of them

10 Example: Two-Player ATS  = {Alice, Bob}  p   q  p  q p   q p  q A’s choices B’s choices

11 Example: Computing Next State  = {Alice, Bob}  p   q  p  q p   q p  q If A chooses this set… … B can choose either state Next state Next state

12 Alternating-Time Temporal Logic uPropositions p   u  or  1  2 where ,  1,  2 are ATL formulas u  A   ,  A   ,  A  1 U  2 where A  is a set of players, ,  1,  2 are ATL formulas These formulas express the ability of coalition A to achieve a certain outcome , , U are standard temporal operators: next state, all states in the future, until uDefine  A    as  A  true U 

13 Strategies in ATL uA strategy for a player a  is a mapping f a :Q +  2 Q such that for all prefixes  Q* and all states q  Q, f a (  q)  (q,a) For each player, strategy maps any sequence of states to a set of possible next states uInformally, the strategy tells the player in each state what to do next Note that the player cannot choose the next state. He can only choose a set of possible next states, and opponents will choose one of them as the next state.

14 Temporal ATL Formulas (I) u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  holds in first state [1] Here out(q,F a ) is the set of all future executions assuming the players follow the strategies prescribed by F a, i.e., =q 0 q 1 q 2 …  out(q,F a ) if q 0 =q and  i q i+1   a  A f a ( [0,i]) uInformally,  A    holds if coalition A has a strategy such that  always holds in the next state

15 Temporal ATL Formulas (II) u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  holds in all states Informally,  A    holds if coalition A has a strategy such that  holds in every execution state u  A    iff there exists a set F a of strategies, one for each player in A, such that for all future executions  out(q,F a )  eventually holds in some state Informally,  A    holds if coalition A has a strategy such that  is true at some point in every execution

16 B A m1= sign(A,  c, hash(r_A)  ) sign(B,  m1, hash(r_B)  ) r_A r_B Agree A B Network T Abort ??? ResolveAttack? B A Net T sig T (m 1, m 2 ) m1m1 ??? m2m2 A T Asokan-Shoup-Waidner protocol If not already resolved a 1 sig T (a 1,abort)

17 B A PCS A (text,B,T) PCS B (text,A,T) sig A (text) sig B (text ) Agree A B Network T m 1 = PCS A (text,B,T) Abort ??? ResolveAttack B A Net T PCS A (text,B,T) sig B (text) PCS A (text,B,T) ??? PCS B (text,A,T) B T sig T (abort) abort AND sig B (text) abort Leaked by T Garay, Jakobsson, MacKenzie

18 Desirable properties uFair If one can get contract, so can other uAccountability If someone cheats, message trace shows who cheated uAbuse free No party can show that they can determine outcome of the protocol

19 Fairness in ATL  B,Com   (contract A  A h   contract B ) Bob in collaboration with communication channels does not have a strategy to reach a state in which Bob has Alice’s signature but honest Alice does not have a strategy to reach a state in which Alice has Bob’s signature

20 Timeliness + Fairness in ATL  A h   (stop A  (  contract B  B,Com   contract A )) Honest Alice always has a strategy to reach a state in which she can stop the protocol and if she does not have Bob’s contract then Bob does not have a strategy to obtain Alice’s signature even if he controls communication channels

21 Abuse-Freeness in ATL  A   (proveToC   A   contract B   A   (aborted   B h   contract A )) Alice doesn’t have a strategy to reach state in which she can prove to Charlie that she has a strategy to obtain Bob’s contract AND a strategy to abort the protocol, i.e., reach a state where Alice has received abort token and Bob doesn’t have a strategy to obtain Alice’s signature

22 Modeling TTP and Communication uTrusted third party is impartial This is modeled by defining a unique TTP strategy TTP has no choice: in every state, the next action is uniquely determined by its only strategy uCan model protocol under different assumptions about communication channels Unreliable: infinite delay possible, order not guaranteed –Add “idle” action to the channel state machine Resilient: finite delays, order not guaranteed –Add “idle” action + special constraints to ensure that every message is eventually delivered (rule out infinite delay) Operational: immediate transmission

23 MOCHA Model Checker uModel checker specifically designed for verifying alternating transition systems System behavior specified as guarded commands –Essentially the same as PRISM input, except that transitions are nondeterministic (as in in Mur  ), not probabilistic Property specified as ATL formula uSlang scripting language Makes writing protocol specifications easier uTry online implementation! http://www-cad.eecs.berkeley.edu/~mocha/trial/

24 Bibliography uR. Alur, T. Henzinger, O. Kupferman. “Alternating-time temporal logic”. FOCS ’97. Introduces alternating transition systems and ATL logic uR. Alur, T. Henzinger, F. Mang, S. Qadeer, S. Rajamani, S. Tasiran. “MOCHA: modularity in model checking”. CAV ’98. Introduces MOCHA model checker for alternating transition systems uhttp://www.cis.upenn.edu/~mocha/ MOCHA web page uS. Kremer and J.-F. Raskin. “A game-based verification of non- repudiation and fair exchange protocols”. J. of Computer Security 11(3), 2003. Detailed study of fair exchange protocols using ATL and MOCHA uS. Kremer and J.-F. Raskin. “Game-based analysis of abuse-free contract signing”. CSFW ’03. Model checking abuse-freeness with MOCHA

Download ppt "Alternating Temporal Logic and Game-Based Properties CS 259 John Mitchell with slides from Vitaly Shmatikov."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Contract-Signing Protocols John Mitchell Stanford TECS Week2005.

Contract-Signing Protocols John Mitchell Stanford TECS Week2005.
Multi-Party Contract Signing Sam Hasinoff April 9, 2001.

Multi-Party Contract Signing Sam Hasinoff April 9, 2001.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2, Steve Kremer 3,4, Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Probabilistic Contract Signing CS 259 Vitaly Shmatikov.

Probabilistic Contract Signing CS 259 Vitaly Shmatikov.
Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.

Probabilistic Model Checking CS 395T. Overview uCrowds redux uProbabilistic model checking PRISM model checker PCTL logic Analyzing Crowds with PRISM.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Similar presentations

Ads by Google