Reducing search space for trace equivalence checking FOSAD 2013 - - PowerPoint PPT Presentation

Reducing search space for trace equivalence checking

FOSAD 2013 Lucca Hirschi

LSV, ENS Cachan

September 5, 2013

David Baelde Stéphanie Delaune

joint work with and LSV LSV

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Tools

Applied-π models protocols (Dolev-Yao model);

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Tools

Applied-π models protocols (Dolev-Yao model); reachability or equivalence model security properties;

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Tools

Applied-π models protocols (Dolev-Yao model); reachability or equivalence model security properties; algorithms check reachability or equivalence.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Tools

Applied-π models protocols (Dolev-Yao model); reachability or equivalence model security properties; algorithms check reachability or equivalence.

Issue

Main bottleneck: size of search space (interleavings).

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Context

Prove automatically security properties of cryptographic protocols using formal methods.

Tools

Applied-π models protocols (Dolev-Yao model); reachability or equivalence model security properties; algorithms check reachability or equivalence.

Issue

Main bottleneck: size of search space (interleavings).

Our Contribution

Reduce search space of equivalence checking using POR ideas by eliminating a lot of redundancies.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 2 / 20

Introduction Model Big Picture Differentiation Conclusion

Our Contribution

Reduce search space of equivalence checking using POR ideas by eliminating a lot of redundancies. Sebastian Mödersheim, Luca Vigano, and David Basin. Constraint differentiation: Search-space reduction for the constraint-based analysis of security protocols. Journal of Computer Security, 18(4):575–618, 2010.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 3 / 20

Introduction Model Big Picture Differentiation Conclusion

Outline

1

Introduction

2

Model

3

Big Picture

4

Differentiation

5

Conclusion

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 4 / 20

Introduction Model Big Picture Differentiation Conclusion

Outline

1

Introduction

2

Model

3

Big Picture

4

Differentiation

5

Conclusion

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 5 / 20

Introduction Model Big Picture Differentiation Conclusion

Applied-π

Terms

T : a given set of terms modulo an equational theory. E.g. dec(enc(m, k), k) = m.

Simple Processes

Pc ::= 0 | [T]in(c, x) | [T]out(c, m).Pc m 2 T Ps ::= Pc1|Pc2| . . . Pcn ci 6= cj

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 6 / 20

Introduction Model Big Picture Differentiation Conclusion

Applied-π

Terms

T : a given set of terms modulo an equational theory. E.g. dec(enc(m, k), k) = m.

Simple Processes

Pc ::= 0 | [T]in(c, x) | [T]out(c, m).Pc m 2 T Ps ::= Pc1|Pc2| . . . Pcn ci 6= cj Process: (Ps; Φ) (Φ set of messages revealed to the intruder).

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 6 / 20

Introduction Model Big Picture Differentiation Conclusion

Applied-π

Terms

T : a given set of terms modulo an equational theory. E.g. dec(enc(m, k), k) = m.

Simple Processes

Pc ::= 0 | [T]in(c, x) | [T]out(c, m).Pc m 2 T Ps ::= Pc1|Pc2| . . . Pcn ci 6= cj Process: (Ps; Φ) (Φ set of messages revealed to the intruder).

Semantics

({[T].out(c, m).P} ] P; Φ)

νw.out(c,w)

• !({P} ] P; Φ [ {w B m})

if T ^ w fresh in Φ ({in(c, x).P} ] P; Φ)

in(c,t)

• !({P[x 7! u]} [ P; Φ)

if tΦ = u ^ fv(t) ✓ dom(Φ)

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 6 / 20

Introduction Model Big Picture Differentiation Conclusion

Equivalence

Trace equivalence

Φ ⇠ Φ0 ( ) 8M, N, MΦ = NΦ ( ) MΦ0 = NΦ0 and conversely; A ⇡ B ( ) 8A

s

• !A0, 9B0, B

s

• !B0 ^ ΦA0 ⇠ ΦB0 and conversely.

Trace equivalence allows to model anonymity, unlikability, etc.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 7 / 20

Introduction Model Big Picture Differentiation Conclusion

Equivalence

Trace equivalence

Φ ⇠ Φ0 ( ) 8M, N, MΦ = NΦ ( ) MΦ0 = NΦ0 and conversely; A ⇡ B ( ) 8A

s

• !A0, 9B0, B

s

• !B0 ^ ΦA0 ⇠ ΦB0 and conversely.

Trace equivalence allows to model anonymity, unlikability, etc.

Our aim

Improve algorithms/programs checking trace equivalence (for simple processes).

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 7 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic calculus - 1

Inputs messages: infinitely branching symbolic calculus.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 8 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic calculus - 1

Inputs messages: infinitely branching symbolic calculus.

System of Constraints

Constraints: (X B x); u = v, (fv?(X) : dom(Φ)); System of constraints: (Φ, D).

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 8 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic calculus - 1

Inputs messages: infinitely branching symbolic calculus.

System of Constraints

Constraints: (X B x); u = v, (fv?(X) : dom(Φ)); System of constraints: (Φ, D). P = out(c, k).in(c, x).out(c, hk, xi).in(c, y) leads to D = {X B x; Y B y; (fv?(X) : {w}); (fv?(Y) = {w; w0})} Φ = {w B k; w0 B hk, xi}

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 8 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic calculus - 1

Inputs messages: infinitely branching symbolic calculus.

System of Constraints

Constraints: (X B x); u = v, (fv?(X) : dom(Φ)); System of constraints: (Φ, D). P = out(c, k).in(c, x).out(c, hk, xi).in(c, y) leads to D = {X B x; Y B y; (fv?(X) : {w}); (fv?(Y) = {w; w0})} Φ = {w B k; w0 B hk, xi}

Symbolic processes

(P; Φ; D; tr)

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 8 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic Calculus - 2

Semantics:

({[T].out(c, m).P} ] P; Φ; D; tr)

νw.out(c,X)

• !s

({P} ] P; Φ [ {w B m}; D [ {T}; tr.νw.out(c, X)) if w fresh in φ ({[T].in(c, x).P} ] P; Φ; D; tr)

in(c,X)

• !s

(P; Φ; D [ {T; (X B x); (fv?(X) : dom(Φ))}; tr.in(c, X))

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 9 / 20

Introduction Model Big Picture Differentiation Conclusion

Symbolic Calculus - 2

Semantics:

({[T].out(c, m).P} ] P; Φ; D; tr)

νw.out(c,X)

• !s

({P} ] P; Φ [ {w B m}; D [ {T}; tr.νw.out(c, X)) if w fresh in φ ({[T].in(c, x).P} ] P; Φ; D; tr)

in(c,X)

• !s

(P; Φ; D [ {T; (X B x); (fv?(X) : dom(Φ))}; tr.in(c, X))

Symbolic equivalence

A ⇡s B ( ) 8A

s

• !s A0 8Θ 2 Sol(ΦA0, DA0), 9B0 B

s

• !s B0, Θ 2

Sol(ΦB0, DB0) and ΦA0 ⇠ ΦB0 and conversely.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 9 / 20

Introduction Model Big Picture Differentiation Conclusion

Outline

1

Introduction

2

Model

3

Big Picture

4

Differentiation

5

Conclusion

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 10 / 20

Introduction Model Big Picture Differentiation Conclusion

• !

⇡

Compression

= = = = = = = = )

Thm 1: ⇡=⇡c

!c ⇡c

Symbolic

= = = = = )

⇡c=⇡s

!s ⇡s

Differentiation

= = = = = = = = )

Thm 2: ⇡s=⇡d

s

!d

s

⇡d

s

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 11 / 20

Introduction Model Big Picture Differentiation Conclusion

• !

⇡

Compression

= = = = = = = )

Thm 1: ⇡=⇡c

!c ⇡c

Symbolic

= = = = = )

⇡c=⇡s

!s ⇡s

Differentiation

= = = = = = = = )

Thm 2: ⇡s=⇡d

s

!d

s

⇡d

s

| {z }

Apply optimizations to SPEC: adpat its formalism; constraints solving.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 11 / 20

Introduction Model Big Picture Differentiation Conclusion

• !

⇡

Compression

= = = = = = = )

Thm 1: ⇡=⇡c

!c ⇡c

Symbolic

= = = = = )

⇡c=⇡s

!s ⇡s

Differentiation

= = = = = = = = )

Thm 2: ⇡s=⇡d

s

!d

s

⇡d

s

| {z }

Apply optimizations to SPEC: adpat its formalism; constraints solving.

| {z }

Implementation

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 11 / 20

Introduction Model Big Picture Differentiation Conclusion

• !

⇡

Compression

= = = = = = = )

Thm 1: ⇡=⇡c

!c ⇡c

Symbolic

= = = = = )

⇡c=⇡s

!s ⇡s

Differentiation

= = = = = = = = )

Thm 2: ⇡s=⇡d

s

!d

s

⇡d

s

| {z }

Apply optimizations to SPEC: adpat its formalism; constraint reduction.

| {z }

Implementation

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 12 / 20

Introduction Model Big Picture Differentiation Conclusion

Outline

1

Introduction

2

Model

3

Big Picture

4

Differentiation

5

Conclusion

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 13 / 20

in(a,x)

• ut(b,w)

in(b,y)

• ut(b,w)

in(b,y)

• ut(a,v)

in(a,x)

• ut(a,v)

P = in(a, x).out(a, k).Pa | in(b, y).out(b, k0).Pb

in(a,x)

• ut(a,v)
• ut(b,w)

w x in(b,y)

• ut(b,w)

in(b,y)

• ut(a,v)

in(a,x)

P = in(a, x).out(a, k).Pa | in(b, y).out(b, k0).Pb

Dependency constraints

in(b,y) in(a,x)

• ut(b,w)
• ut(a,v)
• ut(b,w)

in(a,x) in(b,y)

• ut(a,v)

x w

Dependency constraint: w 2 message of x We can add constraints on the fly.

Dependency constraints

in(b,y) in(a,x)

• ut(b,w)
• ut(a,v)
• ut(b,w)

in(a,x) in(b,y)

• ut(a,v)

x w

Dependency constraint: w 2 message of x We can add constraints on the fly. Eliminate symmetric traces;

Dependency constraints

in(b,y) in(a,x)

• ut(b,w)
• ut(a,v)
• ut(b,w)

in(a,x) in(b,y)

• ut(a,v)

x w

Dependency constraint: w 2 message of x We can add constraints on the fly. Eliminate symmetric traces; Do not remove too much information (intruder can observe the

• rder).

P = IO(a)|IO(b)|IO(c) where IO(x) = in(x, X).out(x, wx)

IO(a) IO(b) IO(b) IO(a) IO(b) IO(c) IO(c) IO(b) IO(a) IO(a) IO(c) IO(a) IO(c) IO(b) IO(c)

P = IO(a)|IO(b)|IO(c) where IO(x) = in(x, X).out(x, wx)

IO(a) IO(b) IO(b) IO(a) IO(b) IO(c) IO(c) IO(b) IO(a) IO(a) IO(c) IO(a) IO(c) IO(b) IO(c)

P = IO(a)|IO(b)|IO(c) where IO(x) = in(x, X).out(x, wx)

IO(a) IO(b) IO(c) IO(b) IO(c) IO(a) IO(b) IO(c) IO(a) IO(c) IO(c) IO(a) IO(b) IO(b) IO(a)

P = IO(a)|IO(b)|IO(c) where IO(x) = in(x, X).out(x, wx)

IO(a) IO(b) IO(c) IO(b) IO(c) IO(a) IO(b) IO(c) IO(a) IO(c) IO(c) IO(a) IO(b) IO(b) IO(a)

t=IO(c1).IO(c2)...IO(cn)

• !s

IO(cn).IO(c1)...IO(cn1)

• !s

cn < c1; c2, c3 . . . cn−1 < cn G(t) = there exists 1  i < n such that wi 2 message of xn

Introduction Model Big Picture Differentiation Conclusion

Differentiation

Differentiated semantics

Symbolic semantics + dependency constraints built on the fly.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 17 / 20

Introduction Model Big Picture Differentiation Conclusion

Differentiation

Differentiated semantics

Symbolic semantics + dependency constraints built on the fly. ({in(c, x).out(c, m).P} ] P; D; Φ; t)

io(c,X,w)

• !s

d

({P} ] P; D [ {(X B x), G(t.io(c, X, w))}; Φ [ {w B m}; t.io(c, X, w)) less solutions, less traces/interleavings to check.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 17 / 20

Introduction Model Big Picture Differentiation Conclusion

Differentiation

Differentiated semantics

Symbolic semantics + dependency constraints built on the fly. ({in(c, x).out(c, m).P} ] P; D; Φ; t)

io(c,X,w)

• !s

d

({P} ] P; D [ {(X B x), G(t.io(c, X, w))}; Φ [ {w B m}; t.io(c, X, w)) less solutions, less traces/interleavings to check.

Theorem

⇡d

s = ⇡s

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 17 / 20

Idea of the proof

[t]: set of traces modulo valid permutations; Min([t]): lexico. minimum of the class.

Lemma 1

If P has an trace t then it has all traces of [t].

Lemma 2

If P has an trace t then it has a differentiated trace Min(t); P has no other differentiated trace in [t].

Introduction Model Big Picture Differentiation Conclusion

Outline

1

Introduction

2

Model

3

Big Picture

4

Differentiation

5

Conclusion

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 19 / 20

Introduction Model Big Picture Differentiation Conclusion

Conclusion

Better differentiation (compression, semantics, extended patterns) for simple processes; applied to trace equivalence checking. implementation in SPEC.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 20 / 20

Introduction Model Big Picture Differentiation Conclusion

Conclusion

Better differentiation (compression, semantics, extended patterns) for simple processes; applied to trace equivalence checking. implementation in SPEC.

Protocol # ac .

• T. REF (s)
• T. OPT (s)

3 parallels 8 44.59 5.88 7 parallels 16 1 370.65 depth 4 10 42.87 8.42 depth 10 22 1 122.27 WMF, auth. false, 1 sess. 12 30.89 1.87 WMF, auth., 1 sess. 14 51.54 6.43 WMF, strong secr., 1 sess. 16 65.20 8.09 WMF, false, 2 sess. 24 7742.24 3.30 NSSK, auth., 1 session 10 76.68 22.99 Yahalom, auth., 1 session 10 6602.82 237.10

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 20 / 20

Introduction Model Big Picture Differentiation Conclusion

Conclusion

Better differentiation (compression, semantics, extended patterns) for simple processes; applied to trace equivalence checking. implementation in SPEC.

Protocol # ac .

• T. REF (s)
• T. OPT (s)

3 parallels 8 44.59 5.88 7 parallels 16 1 370.65 depth 4 10 42.87 8.42 depth 10 22 1 122.27 WMF, auth. false, 1 sess. 12 30.89 1.87 WMF, auth., 1 sess. 14 51.54 6.43 WMF, strong secr., 1 sess. 16 65.20 8.09 WMF, false, 2 sess. 24 7742.24 3.30 NSSK, auth., 1 session 10 76.68 22.99 Yahalom, auth., 1 session 10 6602.82 237.10

Future Work

Richer class of processes; improve constraints solving.

Lucca Hirschi FOSAD 2013: Reducing search space for trace equivalence checking 20 / 20