the maude nrl protocol analyzer
play

The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows - PowerPoint PPT Presentation

Jan 09, 2024 •179 likes •939 views

The Maude-NRL Protocol Analyzer The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows 2 e Meseguer 3 Jos Sonia Santiago 1 Ralf Sasse 3 1 Universidad Polit ecnica de Valencia (Spain) 2 Naval Research Laboratory (USA) 3

  1. The Maude-NRL Protocol Analyzer The Maude-NRL Protocol Analyzer Santiago Escobar 1 Catherine Meadows 2 e Meseguer 3 Jos´ Sonia Santiago 1 Ralf Sasse 3 1 Universidad Polit´ ecnica de Valencia (Spain) 2 Naval Research Laboratory (USA) 3 University of Illinois at Urbana-Champaign (USA) FOSAD 2011, Bertinoro, August 29- September 3 1 / 72

  2. The Maude-NRL Protocol Analyzer Purpose of These Lectures Introduce you to a particular protocol tool for crypto protocol analysis, Maude-NPA Tool for automatic analysis of crypto protocols that takes into account equational theories of crypto operators Based on unification and rewrite rules On the way, point out connections between research on the tool and open problems in crypto protocol analysis, rewriting logic, and unification 2 / 72

  3. The Maude-NRL Protocol Analyzer Outline Approach 1 Introduction to Rewriting Logic and Unification 2 How Maude-NPA Works 3 Specifying Protocols and States in Maude-NPA Backwards Narrowing and Rewrite Semantics Sequential Composition in Maude-NPA Unification techniques used in Maude-NPA Controlling the Search Space 4 Enabling Syntactic Checks Via Asymmetric Unification Basic Tools : Learn-Only-Once and Grammars Other Ways of Reducing the Search Space 3 / 72

  4. The Maude-NRL Protocol Analyzer Approach Example: Diffie-Hellman Without Authentication 1 A → B : g N A 2 B → A : g N B 3 A and B compute g N A ∗ N B = g N B ∗ N A Well-known attack 1 A → I B : g N A 2 I A → B : g N I 3 B → I A : g N B 4 I B → A : g N I A thinks she shares g N I ∗ N A with B , but she shares it with I B thinks he shares g N I ∗ N A with A , but he shares it with I Commutative properties of ∗ and fact that ( G X ) Y = G X ∗ Y crucial to understanding both the protocol and the attack 4 / 72

  5. The Maude-NRL Protocol Analyzer Approach ”Dolev-Yao”Model for Automated Cryptographic Protocol Analysis Start with a signature, giving a set of function symbols and variables For each role, give a program describing how a principal executing that role sends and receives messages Give a set of inference rules the describing the deductions an intruder can make E.g. if intruder knows K and e ( K , M ), can deduce M Assume that all messages go through intruder who can Stop or redirect messages Alter messages Create new messages from already sent messages using inference rules This problem well understood since about 2005 5 / 72

  6. The Maude-NRL Protocol Analyzer Approach Background Crypto protocol analysis with the standard free algebra model (Dolev-Yao) well understood. But, not adequate to deal with protocols that rely upon algebraic properties of cryptosystems Cancellation properties, encryption-decryption 1 Abelian groups 2 Diffie-Hellman (exponentiation, Abelian group properties) 3 Homomorphic encryption (distributes over an operator with 4 also has algebraic properties, e.g. Abelian group) Etc. .., 5 In many cases, a protocol uses some combination of these 6 / 72

  7. The Maude-NRL Protocol Analyzer Approach Goal of Maude-NPA Provide tool that can be used to reason about protocols with different algebraic properties in the unbounded session model supports combinations of algebraic properties to the greatest degree possible 7 / 72

  8. The Maude-NRL Protocol Analyzer Approach Our approach Use rewriting logic as general theoretical framework crypto protocols are specified using rewrite rules algebraic identities as equational theories Use narrowing modulo equational theories as a symbolic reachability analysis method Combine with state reduction techniques of Maude-NPA’s ancestor, the NRL Protocol Analyzer (grammars, optimizations, etc.) Implement in Maude programming environment Rewriting logic gives us theoretical framework and understanding Maude implementation gives us tool support 8 / 72

  9. The Maude-NRL Protocol Analyzer Approach Maude-NPA A tool to find or prove the absence of attacks using backwards search Analyzes infinite state systems Active intruder No abstraction or approximation of nonces Unbounded number of sessions Intruder and honest protocol transitions represented using strand space model. So far supports a number of equational theories: cancellation (e.g. encryption-decryption), AC, exclusive-or, Diffie-Hellman, bounded associativity. homormorphic encryption over a free theory, various combinations, working on including more 9 / 72

  10. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification Outline Approach 1 Introduction to Rewriting Logic and Unification 2 How Maude-NPA Works 3 Specifying Protocols and States in Maude-NPA Backwards Narrowing and Rewrite Semantics Sequential Composition in Maude-NPA Unification techniques used in Maude-NPA Controlling the Search Space 4 Enabling Syntactic Checks Via Asymmetric Unification Basic Tools : Learn-Only-Once and Grammars Other Ways of Reducing the Search Space 10 / 72

  11. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification A Little Background on Unification Given a signature Σ and an equational theory E , and two terms s and t built from Σ: A unifier of s = E ? t is a substitution σ to the variables in s and t s.t. σ s can be transformed into σ t by applying equations from E to σ s and its subterms Example: Σ = { d / 2 , e / 2 , m / 0 , k / 0 } , E = { d ( K , e ( K , X )) = X } . The substitution σ = { Z �→ e ( T , Y ) } is a unifier of d ( K , Z ) and Y . The set of most general unifiers of s =? t is the set Γ s.t. any unifier σ is of the form ρτ for some ρ , and some τ in Γ. Example: { Z �→ e ( T , Y ) , Y �→ d ( T , Z ) } mgu’s of d ( T , Z ) and Y . Given the theory, can have: at most one mgu (empty theory) a finite number (AC) an infinite number (associativity) Unification problem in general undecidable 11 / 72

  12. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification Rewriting Logic in a Nutshell A rewrite theory R is a triple R = (Σ , E , R ), with: (Σ , R ) a set of rewrite rules of the form t → s e.g. e ( K A , N A ; X ) → e ( K B , X ) (Σ , E ) a set of equations of the form t = s e.g. d ( K , e ( K , Y )) = Y Intuitively, R specifies a concurrent system, whose states are elements of the initial algebra T Σ / E specified by (Σ , E ), and whose concurrent transitions are specified by the rules R . Narrowing gives us the rules for executing transitions concurrently. 12 / 72

  13. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification Narrowing and Backwards Narrowing Narrowing: t � σ, R , E s if there is a non-variable position p ∈ Pos ( t ); a rule l → r ∈ R ; a unifier σ (modulo E ) of t | p = E ? l such that s = σ ( t [ r ] p ). Example: R = { X → d ( k , X ) } , E = { d ( K , e ( K , Y )) = Y } e ( k , t ) � ∅ , R , E d ( k , e ( k , t )) = E t Backwards Narrowing: narrowing with rewrite rules reversed 13 / 72

  14. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification A Warning About Narrowing Full narrowing (narrowing in every possible non-variable location) is often inefficient and even nonterminating We need to construct our rewrite systems so that efficient narrowing strategies can be chosen Maude-NPA has led to some major advances in this area 14 / 72

  15. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification Narrowing Reachability Analysis Narrowing can be used as a general deductive procedure for solving reachability problems of the form x ) → t ′ x ) → t ′ ( ∃ � x ) t 1 ( � 1 ( � x ) ∧ . . . ∧ t n ( � n ( � x ) in a given rewrite theory. The terms t i and t ′ i denote sets of states. For what subset of states denoted by t i are the states denoted by t ′ i reachable? No finiteness assumptions about the state space. Maude-NPA rewrite system supports topmost narrowing for state reachability analysis Narrowing steps only need to be applied to entire state 15 / 72

  16. The Maude-NRL Protocol Analyzer Introduction to Rewriting Logic and Unification E -Unification In order to apply narrowing to search, need an E unification algorithm Two approaches: Built-in unification algorithms for each theory and combination 1 of theories. Hybrid approach with E = ∆ ⊎ B 2 Hybrid Approach B has built-in unification algorithm ∆ confluent and terminating rules modulo B Confluent: Always reach same normal form modulo B , no matter in which order you apply rewrite rules Terminating: Sequence of rewrite rules is finite This allows us to use narrowing as a general method for E -unification But still need to develop new narrowing methods for theories of interest to crypto protocol verification 16 / 72

  17. The Maude-NRL Protocol Analyzer How Maude-NPA Works Specifying Protocols and States in Maude-NPA Outline Approach 1 Introduction to Rewriting Logic and Unification 2 How Maude-NPA Works 3 Specifying Protocols and States in Maude-NPA Backwards Narrowing and Rewrite Semantics Sequential Composition in Maude-NPA Unification techniques used in Maude-NPA Controlling the Search Space 4 Enabling Syntactic Checks Via Asymmetric Unification Basic Tools : Learn-Only-Once and Grammars Other Ways of Reducing the Search Space 17 / 72

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Introduction to Maude Joe Hendrix An Introduction to Maude p. 1/12 Talk Outline Maude is

An Introduction to Maude Joe Hendrix An Introduction to Maude p. 1/12 Talk Outline Maude is

An Introduction to Maude Joe Hendrix An Introduction to Maude p. 1/12 Talk Outline Maude is many things: Program Language Can be used for representing sequential and concurrent computation. Meta Language Maude can be used to write

137 views • 12 slides
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Inform aticos y Computaci on Universitat Polit` ecnica de Val` encia sescobar@dsic.upv.es Santiago Escobar (UPV)

892 views • 68 slides
The FDA MAUDE Database Who reports & what biases does this create? Lindsay Calderon, PhD, MPH

The FDA MAUDE Database Who reports & what biases does this create? Lindsay Calderon, PhD, MPH

The FDA MAUDE Database Who reports & what biases does this create? Lindsay Calderon, PhD, MPH Eastern Kentucky University FDA MAUDE Database MAUDE: Manufacturer and User Facility Device Experience Intended to safeguard patient

422 views • 26 slides
Rewriting Logic and Maude I: An Approach to Formal Modeling and Analysis Carolyn Talcott SRI

Rewriting Logic and Maude I: An Approach to Formal Modeling and Analysis Carolyn Talcott SRI

Rewriting Logic and Maude I: An Approach to Formal Modeling and Analysis Carolyn Talcott SRI International Ancona, April 2007 Plan About rewriting logic Maude features Using Maude Specifying data types Specifying

907 views • 58 slides
Maude Implementation of MSR Demo Mark-Oliver Stehr Cast Stefan Reich University of Illinois,

Maude Implementation of MSR Demo Mark-Oliver Stehr Cast Stefan Reich University of Illinois,

Maude Implementation of MSR Demo Mark-Oliver Stehr Cast Stefan Reich University of Illinois, Analyst Urbana-Champaign (Iliano Cervesato) Programmer ITT Industries @ NRL Customer http://theory.stanford.edu/~iliano/ Protocol eXchange -

341 views • 23 slides
Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Arbitraryrangesettingisallowedwithinspecifiedrange. Stand-alone type Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type: ZKJ High performance type Ideal for combustion

278 views • 4 slides
T1 E1 Analyzer Special Applications 818 West Diamond Avenue - Third Floor, Gaithersburg, MD

T1 E1 Analyzer Special Applications 818 West Diamond Avenue - Third Floor, Gaithersburg, MD

T1 E1 Analyzer Special Applications 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com Index Playback File Protocol Analysis

970 views • 83 slides
Making Maude Definitions more Interactive Andrei Arusoaie 1 a 1 , 2 Traian Florin S erb anut

Making Maude Definitions more Interactive Andrei Arusoaie 1 a 1 , 2 Traian Florin S erb anut

Introduction Adding I/O to Maude How it works in K Conclusions and Future Work Making Maude Definitions more Interactive Andrei Arusoaie 1 a 1 , 2 Traian Florin S erb anut Chucky Ellison 2 su 2 Grigore Ro 1 University Alexandru

418 views • 23 slides
BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new

BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new

BC-5300 Auto Hematology Analyzer Satisfaction in test BC-5300 Auto Hematology Analyzer The new BC-5300 Auto Hematology Analyzer is a bench top system, combining three mainstream technologies: laser scatter, flow cytometry and chemical dye to

276 views • 4 slides
Rewriting logic with Maude Lars Tveito June 1, 2015 Introduction Maude is a system for writing

Rewriting logic with Maude Lars Tveito June 1, 2015 Introduction Maude is a system for writing

Rewriting logic with Maude Lars Tveito June 1, 2015 Introduction Maude is a system for writing system specifications. Introduction Maude is a system for writing system specifications. Systems are modeled using equational and rewriting logic.

482 views • 44 slides
Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de Sistemas Informticos y Computacin Universidad Complutense de Madrid gorka.suarez@ucm.es Table of Contents 1. Introduction 2. The Maude

512 views • 22 slides
BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new

BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new

BC-5380 Auto Hematology Analyzer Satisfaction in test BC-5380 Auto Hematology Analyzer The new BC-5380 Auto Hematology Analyzer provides rapid and reliable test from just 20uL of blood. Utilizing three mainstream technologies: laser scatter,

668 views • 4 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs

Developing the Clang Static Analyzer Artem Dergachev, Apple Clang Static Analyzer Finds bugs at compile time by inspecting your source code Bugs it finds are more sophisticated than warnings or Clang-Tidy Clang Static Analyzer 1

544 views • 29 slides
DI MA- -Maude: Maude: DI MA Toward a Formal Framework Toward a Formal Framework for

DI MA- -Maude: Maude: DI MA Toward a Formal Framework Toward a Formal Framework for

DI MA- -Maude: Maude: DI MA Toward a Formal Framework Toward a Formal Framework for Specifying and Validating for Specifying and Validating DI MA Agents DI MA Agents Farid Mokhati Farid Mokhati, , Noura Noura Boudiaf Boudiaf Mourad

588 views • 23 slides
valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to do analysis of run time based on counts of clock cycles or machine code instructions run Can also be used to do analysis of

1.42k views • 7 slides
DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT:

DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT:

DOT: Dependent Object Types Semester Project, Spring 2012 Nada Amin EPFL Nada Amin (EPFL) DOT: Dependent Object Types 1 / 21 Introduction What is DOT? DOT: Dependent Object Types type-theoretic foundation of Scala and languages like it

346 views • 21 slides
Maude-NPA: Tutorial Catherine Meadows, Naval Research Laboratory (USA) Jos e Meseguer,

Maude-NPA: Tutorial Catherine Meadows, Naval Research Laboratory (USA) Jos e Meseguer,

Maude-NPA: Tutorial Catherine Meadows, Naval Research Laboratory (USA) Jos e Meseguer, University of Illinois at Urbana-Champaign (USA) Santiago Escobar, Universidad Polit ecnica de Valencia (Spain) P ROTOCOL E X CHANGE , J ANUARY 23, 2008

385 views • 37 slides
Overlapping Rules and Logic Variables in Functional Logic Programs Michael Hanus

Overlapping Rules and Logic Variables in Functional Logic Programs Michael Hanus

ICLP 2006 Overlapping Rules and Logic Variables in Functional Logic Programs Michael Hanus Christian-Albrechts-Universit at Kiel (joint work with Sergio Antoy, Portland State University) F UNCTIONAL L OGIC L ANGUAGES Approach to amalgamate

681 views • 42 slides
Well-typed programs cant be blamed (ESOP 2009) Robert Bruce Findler Northwestern University

Well-typed programs cant be blamed (ESOP 2009) Robert Bruce Findler Northwestern University

Well-typed programs cant be blamed (ESOP 2009) Robert Bruce Findler Northwestern University Philip Wadler University of Edinburgh Aussois, 1418 October 2013 Part I Evolving a program An untyped program let x = 2 f = y. y + 1 h =

537 views • 35 slides
A plan to slow down traffic on West Bay Drive by reducing the lane widths is facing

A plan to slow down traffic on West Bay Drive by reducing the lane widths is facing

A plan to slow down traffic on West Bay Drive by reducing the lane widths is facing opposition from some commission members. The proposal also includes the addition of bike lanes in the space saved by the lane reductions. The West Bay

275 views • 3 slides
Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic

Probability Theory Probability Models for random phenomena Phenomena Non-deterministic Deterministic Deterministic Phenomena There exists a mathematical model that allows perfect prediction the phenomenas outcome.

1.47k views • 113 slides
Narrowing Gaps Our Greatest Challenge One Schools Case Study Alison Garner Principal

Narrowing Gaps Our Greatest Challenge One Schools Case Study Alison Garner Principal

Narrowing Gaps Our Greatest Challenge One Schools Case Study Alison Garner Principal Goffs School VIP V alues I nnovation P artnership About Goffs Based in Cheshunt, Hertfordshire Diverse population Majority are first

513 views • 34 slides
Businesses Need From Policymakers in COVID-19 WEDNESDAY, SEPTEMBER 9, 2020 R E B U I L D I N G

Businesses Need From Policymakers in COVID-19 WEDNESDAY, SEPTEMBER 9, 2020 R E B U I L D I N G

What New & Small Businesses Need From Policymakers in COVID-19 WEDNESDAY, SEPTEMBER 9, 2020 R E B U I L D I N G B E T T E R @ S T A R T U S U P N O W @ K A U F F M A N F D N Todays Speakers JASON WIENS CAROLINE CUMMINGS MEAGAN

542 views • 30 slides

More recommend