Applying Predicate Logic to Monitoring Network Traffic Wolfgang - PowerPoint PPT Presentation

Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Joint work with Temur Kutsia (RISC), Michael Krieger, Bashar Ahmad (RISC Software), Helmut Otto, and Martin Rummerstorfer (SecureGUARD). Supported by the FFG BRIDGE project “LogicGuard”. Wolfgang Schreiner http://www.risc.jku.at 1/30

The Problem: Monitoring Network Traffic Specification Forward Package Monitor (yes/no)? Package Block (or just report) every package that triggers a violation of the specified safety property. Wolfgang Schreiner http://www.risc.jku.at 2/30

Network Traffic Wolfgang Schreiner http://www.risc.jku.at 3/30

General Idea Treat the problem as an application of “runtime verification”. Specify safety property in a high-level declarative form. What to detect, not how to detect it. Automatically translate the specification into an executable monitor. A program that surveils the traffic for violations of the property. Advantage: no manual low-level coding of monitors required. Tedious and error-prone, difficult to maintain. Challenge: time and space complexity of the monitor. Must operate with limited time and memory resources. Various specification formalisms have been devised for this purpose. Wolfgang Schreiner http://www.risc.jku.at 4/30

Our Approach Predicate logic formulas interpreted over infinite streams. S p p p p p q ∀ i : q ( S i ) ⇒ ∃ j < i : ¬ p ( S j ) Set-builder notation to construct new streams. S T T := � f ( S i , S i + 2 ) | i ∈ N ∧ i mod 4 < 2 � Classical logic and set theory. Wolfgang Schreiner http://www.risc.jku.at 5/30

The Monitoring Model Formulas are evaluated on streams, external as well as internally constructed (virtual) ones. IP stream IP : stream S1 = monitor S 1 S 2 stream i in IP ... S@i ... : stream S2 = stream j in IP ... S@j ... : monitor i in S1 ... : Check monitor j in S2 ... : ... S1@i ... S2@j ... violations Internal streams to express properties on a higher level of abstraction. Wolfgang Schreiner http://www.risc.jku.at 6/30

Example 000,2 000,4 type int; 010,1 010,1 int Square(int); 020,0 bool isOne(int); bool isTwo(int); 030,0 040,0 // the base stream and a derived virtual stream 050,2 050,4 stream<int> IP; 060,1 060,1 070,0 stream<int> S = 080,2 080,4 construct X in IP with 0 in IP <= X 090,0 value<int> M = IP.at(X) 100,2 100,4 satisfying isOne(M) || isTwo(M) : 110,0 Square(IP.at(X)); 120,2 120,4 130,1 130,1 // are 1s not more than 50 units apart? 140,2 140,4 150,1 150,1 monitor M = 160,2 160,4 position X in S : 170,0 isOne(S.at(X)) => 180,2 180,4 exists Y in S with X<Y<=(X+50) : isOne(S.at(Y)); 190,0 200,2 200,4 A specification using the test runtime system. 210,1 210,1 220,2 220,4 Wolfgang Schreiner http://www.risc.jku.at 7/30

Example // IntFunctions.cs using System; using LogicGuard.Network.IntTS; namespace External { class IntFunctions { public static bool isZero(IntTSMessage m) { return m.Payload == 0; } public static bool isOne(IntTSMessage m) { return m.Payload == 1; } ... } } The corresponding external functions. Wolfgang Schreiner http://www.risc.jku.at 8/30

Monitor Execution Main.Exe -test TranslatorTester\traces\PAS.txt TranslatorTester\specs\PAS.lgs External\bin\Debug\External.dll Wolfgang Schreiner http://www.risc.jku.at 9/30

Abstract Specification Language P ::= ( B | S ) ∗ M ∗ M ::= F | monitor X : F | B : F | PC ( TV ∗ ) | true | false F ::= XF | ˜ F | F 1 /\ F 2 | F 1 \/ F 2 | F 1 => F 2 | F 1 <=> F 2 | forall X : F | exists X : F TS ::= XS | B : TS | FS ( TS ∗ ) | stream X : ( TV | TS ) | scombine( FC , TV ) X : TV TP ::= XP | B : TP | FP ( TP ∗ ) | TP + N | TP - N | min X : F | max X : F | B : XV | FV ( TV ∗ ) | TS @ TP | TS � TP TV ::= XV | number X : F | combine( FC , TV ) X : TV B ::= formula XF = F | position XP = TP | value XV = TV S ::= stream XS = TS X ::= XP in TS with TP 1 <= XP <= TP 2 ( B | satisfying F 1 ) ∗ ( until F 2 )? A simplified and regularized version of the concrete language. Wolfgang Schreiner http://www.risc.jku.at 10/30

Semantics of the Language Environment := Variable → B ∪ Stream ∪ N ∪ Value Stream := Message ω ∪ Message ∗ Message := Value × N [ . ] : Monitor → Environment → P ( N ) [ monitor X : F ] ( e ) := let ( x , s , N ) := [ X ] ( e ) : { n ∈ N : [ F ] ( e [ x �→ n ]) = false } [ . ] : Formula → Environment → B [ forall X : F ] ( e ) := let ( x , s , N ) := [ X ] ( e ) : if ∀ n ∈ N : [ F ] ( e [ x �→ n ]) = true then true else false . . . [ . ] : TermValue → Environment → Value [ TS @ TP ] ( e ) := ( [ TS ] ( e )( [ TP ] ( e ))) . 1 [ TS � TP ] ( e ) := ( [ TS ] ( e )( [ TP ] ( e ))) . 2 . . . Phrases are interpreted over variables that may be mapped to streams. Wolfgang Schreiner http://www.risc.jku.at 11/30

Semantics of the Language [ . ] : TermStream → Environment → Stream [ stream X : TV ] ( e ) := let ( x , s , N ) := [ X ] ( e ) : let S := { n ∈ N | ∃ t ∈ N : isTimeOf ( t , TV , e [ x �→ n ]) } such s ′ ∈ Stream : timeIncreases ( s ′ ) ∧ allMessages ( s ′ , S , TV , e , x ) isTimeOf ( t , TV , e ) : ⇔ // at time t , the value of TV is defined wrt. e ∀ e ′ ∈ Environment : domain ( e ′ ) = domain ( e ) ∧ ( ∀ x ∈ domain ( e ) : if e ( x ) �∈ Stream then e ′ ( x ) = e ( x ) else e ′ ( x ) ∈ Stream ∧ ∀ i ∈ domain ( e ′ ( x )) : e ′ ( x )( i ) . 2 ≤ t ⇒ e ′ ( x )( i ) = e ( x )( i )) ⇒ [ TV ] ( e , s ) = [ TV ] ( e ′ , s ) timeIncreases ( s ′ ) : ⇔ ∀ i , j ∈ domain ( s ′ ) : i < j ⇒ s ′ ( i ) . 2 ≤ s ′ ( j ) . 2 allMessages ( s ′ , S , TV , e , x ) : ⇔ // s ′ contains all TV ( x ) wrt. e with x from S bij . ∃ p ∈ domain ( s ′ ) → S : ∀ i ∈ domain ( s ′ ) : − s ′ ( i ) = let t := min t ∈ N : isTimeOf ( t , TV , e [ x �→ p ( i )]) : ( [ TV ] ( e [ x �→ p ( i )]) , t ) The stream orders all values by the time they become defined. Wolfgang Schreiner http://www.risc.jku.at 12/30

From Semantics to Operation Next Message Syntax Translation Engine New State Value Semantics Soundness We translate the various kinds of phrases to operational “engines”; this translation “preserves” the semantics of the phrases. Wolfgang Schreiner http://www.risc.jku.at 13/30

The Translation All phrases are translated to value-producing engines. Monitors: T : Monitor → MonitorStep MonitorStep := PresentM → MonitorResult MonitorResult := P ( N ∗ ) × ( done + next of MonitorStep ) At each step, vectors of violating positions are produced. Formulas: T : Formula → FormulaStep FormulaStep := Present → FormulaResult FormulaResult := done of B + next of FormulaStep At termination, a truth value is delivered. Streams: T : Stream → StreamStep StreamStep := Present → StreamResult StreamResult := P ( Message ) × ( done + next of StreamStep ) At each step, messages are produced. At each new message received, the engines make an execution step. Wolfgang Schreiner http://www.risc.jku.at 14/30

A Core Language For the further discussion, we reduce our language to a “skeleton”. M ::= monitor X : F F ::= @ X | ˜ F | F 1 /\ F 2 | forall X in B 1 .. B 2 : F B ::= 0 | infinity | X | B + N | B − N N ::= 0 | 1 | 2 | . . . X ::= x | y | z | . . . A core monitor is interpreted over a single stream of truth values. Wolfgang Schreiner http://www.risc.jku.at 15/30

Translation of the Monitor PresentM := Message ∗ × Message Present := Message ∗ × Message × Context partial − → ( N × B ) Context := Variable Instance := N × FormulaStep × Context T ( monitor X : F ) := TM ( X , T ( F ) , ∅ ) where TM : Variable × FormulaStep × P ( Instance ) → MonitorStep TM ( X , f , fs )( ms , m ) := let n := | ms | : let c := [ X �→ ( n , m )] : let fs 0 := fs ∪ { ( n , f , c ) } : let rs := { n ∈ N | ∃ g ∈ FormulaStep , c ∈ Context : ( n , g , c ) ∈ fs 0 ∧ case g ( ms , m , c ) of done ( b ) → b = false | _ → false } : let fs 1 := { ( n , g 0 , c ) ∈ Instance | ∃ g ∈ FormulaStep : ( n , g , c ) ∈ fs 0 ∧ case g ( ms , m , c ) of next ( g 1 ) → g 0 = g 1 | _ → false } : ( rs , next ( TM ( X , f , fs 1 ))) Report positions rs and maintain formula instances fs . Wolfgang Schreiner http://www.risc.jku.at 16/30

Translation of Formulas T ( @ X ) := TV ( X ) where TV : Variable → FormulaStep TV ( X )( ms , m , c ) := if X ∈ domain ( c ) then done ( c ( X ) . 2 ) else done ( false ) T ( ˜ F ) := TN ( T ( F )) where TN : FormulaStep → FormulaStep TN ( f )( ms , m , c ) := case f ( ms , m , c ) of done ( false ) → done ( true ) done ( true ) → done ( false ) next ( f ′ ) → next ( TN ( f ′ )) T ( F 1 /\ F 2 ) := TC ( T ( F 1 ) , T ( F 2 )) where TC : FormulaStep × FormulaStep → FormulaStep TC ( f 1 , f 2 )( ms , m , c ) := case f 1 ( ms , m , c ) of done ( false ) → done ( false ) done ( true ) → f 2 ( ms , m , c ) next ( f ′ 1 ) → next ( TC ( f ′ 1 , f 2 )) Maintain component steps f 1 , f 2 and ultimately yield a truth value. Wolfgang Schreiner http://www.risc.jku.at 17/30