MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, - - PowerPoint PPT Presentation



SLIDE 1

MSR 3:

One Year Later

Iliano Cervesato

iliano@itd.nrl.navy.mil

ITT Industries, inc @ NRL Washington, DC

http://theory.stanford.edu/~iliano

Protocol eXchange Seminar, UMBC May 27-28, 2004

MSR 3.0:

The Logical Meeting Point of Multiset Rewriting and Process Algebra

Iliano Cervesato

iliano@itd.nrl.navy.mil

ITT Industries, inc @ NRL Washington, DC

http://www.cs.stanford.edu/~iliano

CS Department, UMBC February 27-28, 2003

SLIDE 2

MSR 3: One Year Later 1/28

NSPK in MSR 3

∀A: princ.
{ ∃L: princ × B:princ.pubK B × nonce → mset.

  ∀B: princ. ∀kB: pubK B.
    • → ∃nA: nonce. net({nA, A}kB), L(A, B, kB, nA)

  ∀B: princ. ∀kB: pubK B. ∀kA: pubK A. ∀kA': prvK kA. ∀nA: nonce. ∀nB: nonce.
    net({nA, nB}kA), L(A, B, kB, nA) → net({nB}kB) }

A → B: {nA, A}kB
B → A: {nA, nB}kA
A → B: {nB}kB

Interpretation of L

  • Rule invocation
  • Implementation detail
  • Control flow
  • Local state of role
  • Explicit view
  • Important for DOS

MSR 2 spec.

SLIDE 3

MSR 3: One Year Later 2/28

NSPK in MSR 3

∀A: princ. ∀B: princ. ∀kB: pubK B.
  • → ∃nA: nonce.
        net({nA, A}kB),
        (∀kA: pubK A. ∀kA': prvK kA. ∀nB: nonce.
           net({nA, nB}kA) → net({nB}kB))

A → B: {nA, A}kB
B → A: {nA, nB}kA
A → B: {nB}kB

  • Succinct
  • Continuation-passing style
  • Rule asserts what to do next
  • Lexical control flow
  • State is implicit
  • Abstract

Not an MSR 2 spec.

SLIDE 4

MSR 3: One Year Later 3/28

Looks Familiar?

A → B: {nA, A}kB
B → A: {nA, nB}kA
A → B: {nB}kB

Process calculus

∀A: princ. ∀B: princ. ∀kB: pubK B. ∀kA: pubK A. ∀kA': prvK kA. ∀nB: nonce.
  νnA: nonce. net({nA, A}kB) . net<{nA, nB}kA> . net({nB}kB) . 0

Parametric strand

Alice(A, B, NA, NB): NA Fresh, πA(A, B)
  {NA, A}KB
  {NA, NB}KA
  {NB}KB

SLIDE 5

MSR 3: One Year Later 4/28

What is MSR 3?

A new language for security protocols

  • Supports
  • State transition specs
  • Conservative over MSR 2
  • Process algebraic specs
  • Rewriting re-interpretation of logic
  • Rich composable set of connectives
  • Universal connector

Neutral paradigm

SLIDE 6

MSR 3: One Year Later 5/28

More than the Sum of its Parts

Process- and transition-based specs. in the same language

  • Choose the paradigm
  • User’s preference
  • Highlight characteristics of interest
  • Support various verification techniques (FW)
  • Mix and match styles
  • Within a spec.
  • Within a protocol
  • Within a role
SLIDE 7

MSR 3: One Year Later 6/28

What is in MSR 3 ?

  • Security-relevant signature
  • Network
  • Encryption, …
  • Typing infrastructure
  • Dependent types
  • Subsorting
  • Data Access Specification (DAS)
  • Module system
  • Equations

From MSR 2 From MSR 1 From MSR 2 implementation

SLIDE 8

MSR 3: One Year Later 7/28

ω-Multisets

Specification language for concurrent systems

  • Crossroad of
  • State transition languages
  • Petri nets, multiset rewriting, …

  • Process calculi
  • CCS, π-calculus, …
  • (Linear) logic
  • Benefits
  • Analysis methods from logic and type theory
  • Common ground for comparing
  • Multiset rewriting

  • Process algebra
  • Allows multiple styles of specification
  • Unified approach
SLIDE 9

MSR 3: One Year Later 8/28

Syntax

A ::= a                      atomic object
    | 1         [•]          empty
    | A ⊗ B     [A, B]       formation
    | A ⎯ο B    [A → B]      rewrite
    | T                      no-op
    | A & B     [A || B]     choice
    | ∀x. A                  instantiation
    | ∃x. A                  generation
    | ! A                    replication

Generalizes FO multiset rewriting (MSR 1-2)

    ∀x1 … xn. a(x) → ∃y1 … yk. b(x, y)

SLIDE 10

MSR 3: One Year Later 9/28

State and Transitions

  • States
      Σ ; Γ ; Δ        Σ ; Δ
  • Σ is a list
  • Γ and Δ are commutative monoids
  • Transitions
      Σ; Γ; Δ ⟶ Σ’; Γ’; Δ’        Σ; Γ; Δ ⟶* Σ’; Δ’
  • ⟶* for reflexive and transitive closure
  • Constructor: “,”
  • Empty: “•”
SLIDE 11

MSR 3: One Year Later 10/28

Transition Semantics

  ⎯ο   Σ ; Γ ; (Δ, A, A ⎯ο B) ⟶ Σ ; Γ ; (Δ, B)
  T    (no rule)
  &    Σ ; Γ ; (Δ, A1 & A2) ⟶ Σ ; Γ ; (Δ, Ai)
  ∀    Σ ; Γ ; (Δ, ∀x. A) ⟶ Σ ; Γ ; (Δ, [t/x]A)    if Σ |- t
  ∃    Σ ; Γ ; (Δ, ∃x. A) ⟶ (Σ, x) ; Γ ; (Δ, A)
  !    Σ ; Γ ; (Δ, !A) ⟶ Σ ; (Γ, A) ; Δ
       Σ ; (Γ, A) ; Δ ⟶ Σ ; (Γ, A) ; (Δ, A)

  Σ ; Γ ; Δ ⟶* Σ ; Δ
  Σ ; Γ ; Δ ⟶* Σ’’ ; Δ’’    if Σ ; Γ ; Δ ⟶ Σ’ ; Γ’ ; Δ’ and Σ’ ; Γ’ ; Δ’ ⟶* Σ’’ ; Δ’’

SLIDE 12

MSR 3: One Year Later 11/28

Linear Logic

  • Formulas
      A, B ::= a | 1 | A ⊗ B | A ⎯ο B | ! A | T | A & B | ∀x. A | ∃x. A
  • LV sequents
      Γ ; Δ -->Σ C
      (Γ: unrestricted context; Δ: linear context; Σ: signature; C: goal formula)
  • Constructor: “,”
  • Empty: “•”
SLIDE 13

MSR 3: One Year Later 12/28

Logical Derivations

  • Proof of C from Δ and Γ
  • Emphasis on C
  • C is input
  • Finite
  • Closed
  • Rules shown
  • Major premise
  • Preserves C
  • Minor premise
  • Starts subderivation

Sequents in the derivation figure:

    Γ; Δ -->Σ C
    Γ’; Δ’ -->Σ’ C
    Γ’’; Δ’’ -->Σ’’ C
    Γ’’’; C -->Σ’’’ C

SLIDE 14

MSR 3: One Year Later 13/28

A Rewriting Re-Interpretation

  • Transition
  • From conclusion
  • To major premise
  • Emphasis on Γ, Δ and Σ
  • C is output, at best
  • Does not change
  • Possibly infinite
  • Open
  • Minor premise
  • Auxiliary rewrite chain
  • Finite
  • Topped with axiom

Sequents in the derivation figure:

    Γ; Δ -->Σ C
    Γ’; Δ’ -->Σ’ C
    Γ’’; Δ’’ -->Σ’’ C
    Γ’’’; C -->Σ’’’ C

SLIDE 15

MSR 3: One Year Later 14/28

Interpreting Unary Rules

    Γ, A; Δ -->Σ C
    -------------------      Σ; Γ; (Δ, !A) ⟶ Σ; (Γ, A); Δ
    Γ; Δ, !A -->Σ C

    Γ; Δ, A -->Σ,x C
    -------------------      Σ; Γ; (Δ, ∃x. A) ⟶ (Σ, x); Γ; (Δ, A)
    Γ; Δ, ∃x.A -->Σ C

    Σ |- t    Γ; Δ, [t/x]A -->Σ C
    -------------------------------      Σ; Γ; (Δ, ∀x. A) ⟶ Σ; Γ; (Δ, [t/x]A)    if Σ |- t
    Γ; Δ, ∀x.A -->Σ C

    Γ; Δ, A, B -->Σ C
    -------------------      Σ; Γ; (Δ, A⊗B) ⟶ Σ; Γ; (Δ, A, B)
    Γ; Δ, A⊗B -->Σ C

    …

SLIDE 16

MSR 3: One Year Later 15/28

Binary Rules and Axiom

  • Minor premise
  • Auxiliary rewrite chain
  • Top of tree
  • Focus shifts to RHS
  • Axiom rule
  • Observation

    Γ; Δ’ -->Σ A    Γ; Δ, B -->Σ C
    --------------------------------
    Γ; Δ, Δ’, A⎯οB -->Σ C

    Γ’; A -->Σ’ A

SLIDE 17

MSR 3: One Year Later 16/28

Observations

  • Observation states
      Σ ; Δ
  • In Δ, we identify
      • “,” with ⊗
      • “•” with 1
    Categorical semantics
  • Identified with ∃x1. … ∃xn. Δ
      • For Σ = x1, …, xn
    De Bruijn’s telescopes
  • Observation transitions
      Σ; Γ; Δ ⟶* Σ’; Δ’

    A    Γ,Γ’; A’ -->Σ,Σ’ A’
    Γ; Δ -->Σ ∃Σ’. A’

    Δ = ⊗Δ        Σ; Δ = ∃Σ. ⊗Δ

SLIDE 18

MSR 3: One Year Later 17/28

Interpreting Binary Rules

    Γ; Δ’ -->Σ A    Γ; Δ, B -->Σ C
    --------------------------------      Σ; Γ; (Δ, Δ’, A ⎯ο B) ⟶ Σ; Γ; (Δ, B)    if Σ; Γ; Δ’ ⟶* Σ; A
    Γ; Δ, Δ’, A⎯οB -->Σ C

    Γ; Δ’ -->Σ A    Γ; Δ, A -->Σ C
    --------------------------------      Σ; Γ; Δ, Δ’ ⟶ Σ; Γ; (A, Δ)    if Σ; Γ; Δ’ ⟶* Σ; A
    Γ; Δ, Δ’ -->Σ C

    Γ; A -->Σ A

    Σ; Γ; Δ ⟶* Σ; Δ
    Σ; Γ; Δ ⟶* Σ’’; Δ’’    if Σ; Γ; Δ ⟶ Σ’; Γ’; Δ’ and Σ’; Γ’; Δ’ ⟶* Σ’’; Δ’’

    …

SLIDE 19

MSR 3: One Year Later 18/28

Formal Correspondence

  • Soundness
      If Σ ; Γ ; Δ ⟶* Σ,Σ’; Δ’ then Γ ; Δ -->Σ ∃Σ’. ⊗ Δ’
  • Completeness?
  • No!
      We have only crippled right rules
      • ; • ; a ⎯ο b, b ⎯ο c ⟶* • ; a ⎯ο c
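
The following Python sketch is an added example, not code from the talk or from the MSR implementation: it explores the transition rules of the Transition Semantics slide up to a bounded depth and shows that the two-implication state used above in the completeness discussion has no successors, so a ⎯ο c is never observed from it. The tuple encoding of formulas, the restriction of ∀ to symbols already in Σ, and all function names are assumptions of this sketch.

```python
# Added illustration: bounded explorer for the ω-multiset transition rules.
# Encoding (an assumption of this sketch): atoms are strings or tuples such
# as ("net", "n0"); connectives are ("-o", A, B), ("&", A, B), ("all", x, A),
# ("ex", x, A) and ("!", A). Γ is kept as a duplicate-free sorted tuple.

def mset(items):
    """Canonical (sorted) tuple so equal multisets compare equal."""
    return tuple(sorted(items, key=repr))

def subst(f, x, t):
    """[t/x]f by structural replacement; binder shadowing is not handled."""
    if isinstance(f, str):
        return t if f == x else f
    return tuple(subst(g, x, t) for g in f)

def step(state):
    """All one-step successors of a state (Σ, Γ, Δ)."""
    sigma, gamma, delta = state
    out = {(sigma, gamma, mset(delta + (a,))) for a in gamma}   # copy from Γ
    for i, f in enumerate(delta):
        rest = delta[:i] + delta[i + 1:]
        tag = None if isinstance(f, str) else f[0]
        if tag == "-o" and f[1] in rest:                        # Δ, A, A ⎯ο B
            r = list(rest)
            r.remove(f[1])
            out.add((sigma, gamma, mset(r + [f[2]])))
        elif tag == "&":                                        # pick A1 or A2
            out |= {(sigma, gamma, mset(rest + (g,))) for g in f[1:]}
        elif tag == "all":                                      # t ranges over Σ only
            out |= {(sigma, gamma, mset(rest + (subst(f[2], f[1], t),))) for t in sigma}
        elif tag == "ex":                                       # fresh symbol joins Σ
            new = f"{f[1]}{len(sigma)}"
            out.add((sigma + (new,), gamma, mset(rest + (subst(f[2], f[1], new),))))
        elif tag == "!":                                        # move A into Γ
            out.add((sigma, mset(set(gamma) | {f[1]}), rest))
    return out

def observations(state, depth):
    """Pairs (Σ', Δ') observable within `depth` steps (Γ is dropped)."""
    seen = frontier = {state}
    for _ in range(depth):
        frontier = {s for st in frontier for s in step(st)} - seen
        seen = seen | frontier
    return {(s[0], s[2]) for s in seen}

# Constructed inputs: a three-formula chain, and the same chain without "a".
CHAIN = ((), (), mset(["a", ("-o", "a", "b"), ("-o", "b", "c")]))
STUCK = ((), (), mset([("-o", "a", "b"), ("-o", "b", "c")]))
```

`observations(CHAIN, 2)` contains the state with Δ = c, while `step(STUCK)` is empty. The depth bound is needed because the copy rule for Γ can fire indefinitely.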

SLIDE 20

MSR 3: One Year Later 19/28

System ω

  • With cut, rule for ⎯ο can be simplified to
      Σ; Γ; (Δ, A, A ⎯ο B) ⟶ Σ; Γ; (Δ, B)
  • Cut elimination holds
      = in-lining of auxiliary rewrite chains
  • But …
  • Careful with extra signature symbols
  • Careful with extra persistent objects
  • No rule for ⟶ needs a premise
      does not depend on ⟶*

SLIDE 21

MSR 3: One Year Later 20/28

Multiset Rewriting

  • Multiset: set with repetitions allowed

a ::= • | a, a

  • Commutative monoid
  • Multiset rewriting (a.k.a. Petri nets)
  • Rewriting within the monoid
  • Fundamental model of distributed computing
  • Alternative: Process Algebras
  • Basis for security protocol spec. languages
  • MSR family
  • … several others
  • Many extensions, more or less ad hoc
SLIDE 22

MSR 3: One Year Later 21/28

The Atomic Objects of MSR 3

Atomic terms

  • Principals    A
  • Keys          K
  • Nonces        N
  • Other
  • Raw data, timestamp, …

Constructors

  • Encryption    {_}_
  • Pairing       (_, _)
  • Other
  • Signature, hash, MAC, …

Fully definable

Predicates

  • Network     net
  • Memory      MA
  • Intruder    I

SLIDE 23

MSR 3: One Year Later 22/28

Types

Fully definable

  • Powerful abstraction mechanism
  • At various user-definable level
  • Finely tagged messages
  • Untyped: msg only
  • Simplify specification and reasoning
  • Automated type checking
  • Simple types
      • A : princ
      • n : nonce
      • m : msg, …
  • Dependent types
      • k : shK A B
      • K : pubK A
      • K’ : privK K, …

SLIDE 24

MSR 3: One Year Later 23/28

Subsorting

  • Allows atomic terms in messages
  • Definable
  • Non-transmittable terms
  • Sub-hierarchies
  • Discriminant for type-flaw attacks

τ <: τ’

SLIDE 25

MSR 3: One Year Later 24/28

Data Access Specification

  • Prevent illegitimate use of information
  • Protocol specification divided in roles
      – Owner = principal executing the role
  • A signing/encrypting with B’s key
  • A accessing B’s private data, …

  • Simple static check
  • Central meta-theoretic notion
  • Detailed specification of Dolev-Yao access model
  • Gives meaning to Dolev-Yao intruder
  • Current effort towards integration in type system
  • Definable
  • Possibility of going beyond Dolev-Yao model
SLIDE 26

MSR 3: One Year Later 25/28

Modules and Equations

  • Modules
  • Bundle declarations with simple import/export interface
  • Keep specifications tidy
  • Reusable
  • Equations
      (For free from underlying Maude engine)
  • Specify useful algebraic properties
  • Associativity of pairs
  • Allow to go beyond free-algebra model
  • Dec(k, Enc(k, M)) = M
SLIDE 27

MSR 3: One Year Later 26/28

State-Based vs. Process-Based

  • State-based languages
  • Multiset Rewriting
  • NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach, …
  • State transition semantics
  • Process-based languages
  • Process Algebra
  • Strand spaces, spi-calculus, …
  • Independent communicating threads

SLIDE 28

MSR 3: One Year Later 27/28

MSR 3 Bridges the Gap

  • Difficult to go from one to the other
  • Different paradigms

[Figure: PB and SB, labelled “State vs. process distance” and “Other distance”; a second panel shows MSR 3 with PB and SB]

State ↔ Process translation done once and for all in MSR 3

SLIDE 29

MSR 3: One Year Later 28/28

Summary

  • MSR 3.0
  • Language for security protocol specification
  • Succinct representations
  • Simple specifications

  • Economy of reasoning
  • Bridge between
  • State-based representation
  • Process-based representation
  • ω-multisets
  • Logical foundation of multiset rewriting

  • Relationship with process algebras
  • Unified logical view
  • Better understanding of where we are
  • Hint about where to go next