
YAPA: A generic tool for computing intruder knowledge (Mathieu Baudet)

  1. YAPA: A generic tool for computing intruder knowledge
     Mathieu Baudet (1). Joint work with Véronique Cortier (2) and Stéphanie Delaune (3).
     (1) DCSSI, France
     (2) LORIA, CNRS & INRIA project Cassis, France
     (3) LSV, ENS Cachan & CNRS & INRIA, France
     RTA'2009, Brasília, June 29.

  2. Content of the talk
     1. Motivations
        - Why study static equivalence?
        - Why a new tool?
     2. Results
        - Overview of the procedure
        - Examples
        - Proving termination and non-failure
     3. Conclusion

  4. Motivations: Why study static equivalence?
     Static equivalence (teaser)
     1. A useful logical tool for security protocols.
     2. A nice and general algebraic notion.

  5. Algebraic framework
     • Consider a set $\mathcal{F}_{pub}$ of first-order symbols $f : s \times \dots \times s \to s$. (Single sort $s$ assumed for simplicity.)
     • An $\mathcal{F}_{pub}$-algebra is a set $A$ together with functions $f^A : A \times \dots \times A \to A$.
     • Standard definitions: $\mathcal{F}_{pub}$-morphisms, generated sub-algebras $\mathcal{F}_{pub}[S] \subseteq A$, free algebra $\mathcal{F}_{pub}[X]$, ...

  7. Static equivalence (algebraic definition)
     • Consider the tuples $\varphi = (t_1, \dots, t_n)$ in $A^n$, also called frames and written $\varphi = \{ w_1 \triangleright t_1, \dots, w_n \triangleright t_n \}$.
     • A formal equation on $A^n$ is a pair $M_1 \bowtie M_2$ where $M_1, M_2 \in \mathcal{F}_{pub}[w_1, \dots, w_n]$ are terms built upon special constants $w_i$.
     Definition. Two frames $\varphi_1$ and $\varphi_2$ in $A^n$ are statically equivalent (from [Abadi and Fournet, 2001]), written $\varphi_1 \approx \varphi_2$, iff $\mathrm{eq}(\varphi_1) = \mathrm{eq}(\varphi_2)$, where
     $\mathrm{eq}(\varphi) = \{ M_1 \bowtie M_2 \mid M_1\varphi =_A M_2\varphi \}$.

  8. A mathematical example
     Example. Let $n = 1$, $A = \mathbb{C}$ and the terms $M \in \mathbb{Q}[w_1]$ be rational polynomials with single variable $w_1$. We have $\varphi_1 \approx \varphi_2$ iff $\varphi_1$ and $\varphi_2$ are both transcendental or are conjugated elements (i.e. have the same minimal polynomial over $\mathbb{Q}$).
     For instance, $\pi \approx e$ and $\sqrt{2} \approx -\sqrt{2}$.
     We are currently investigating further links with the fundamentals of algebraic geometry. (Ask me for more details!)

  9. Back to logics and security protocols I
     • We are interested in modeling cryptographic messages: we let $A$ be an $\mathcal{F}$-algebra of ground terms taken modulo an equational theory $E$, where $\mathcal{F}_{pub} \subsetneq \mathcal{F}$.
     • Typically, the symbols in $\mathcal{F} - \mathcal{F}_{pub}$ are free constants modeling secret keys or random numbers.
     • $E$ is generated by a finite set of equations modeling the cryptographic primitives.

  10. Back to logics and security protocols II
     • Static equivalence models indistinguishability between messages from an attacker's point of view.
     • Another classical problem is deducibility: given $\varphi \in A^n$ and $t \in A$, does there exist $M \in \mathcal{F}_{pub}[w_1, \dots, w_n]$ such that $M\varphi =_A t$?
     N.B. Such an $M$ is often called a recipe of $t$.

  11. Example: deterministic symmetric encryption
     • Recipes: $M \in \mathcal{F}_{pub}[w_1, \dots, w_n] ::= w_i \mid \mathrm{enc}(M_1, M_2) \mid \mathrm{dec}(M_1, M_2)$
     • Plain terms: $t \in \mathcal{F}[\emptyset] ::= k_j \mid \mathrm{enc}(t_1, t_2) \mid \mathrm{dec}(t_1, t_2)$
     • Let $E$ be generated by $\mathrm{dec}(\mathrm{enc}(x, y), y) = x$.
     • Consider the frames $\varphi_1 = \{ w_1 \triangleright \mathrm{enc}(k_1, k_2),\ w_2 \triangleright k_2 \}$ and $\varphi_2 = \{ w_1 \triangleright \mathrm{enc}(k_1, k_2),\ w_2 \triangleright k_3 \}$.
     • We have $\varphi_1 \not\approx_E \varphi_2$ ($\varphi_1$, $\varphi_2$ not E-equivalent) because
       $\mathrm{enc}(\mathrm{dec}(w_1, w_2), w_2)\varphi_1 =_E w_1\varphi_1$ but $\mathrm{enc}(\mathrm{dec}(w_1, w_2), w_2)\varphi_2 \neq_E w_1\varphi_2$.
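
The example of slide 11 and the deducibility question of slide 10, as an added illustration that is not part of the talk or of YAPA: a bounded brute-force search over recipes, not the saturation procedure the talk goes on to present. The tuple encoding of terms, the function names and the depth bound are assumptions made for this example.

```python
from itertools import combinations, product

# Terms are nested tuples ("enc"|"dec", a, b); strings are names (k1, ...) or
# frame variables (w1, ...). Constructed toy model, not YAPA's data structures.

def normalize(t):
    """Innermost normal form for the rule dec(enc(x, y), y) -> x."""
    if isinstance(t, str):
        return t
    f, a, b = t[0], normalize(t[1]), normalize(t[2])
    if f == "dec" and isinstance(a, tuple) and a[0] == "enc" and a[2] == b:
        return a[1]
    return (f, a, b)

def apply(recipe, frame):
    """Compute (M phi) in normal form: substitute the w_i, then rewrite."""
    if isinstance(recipe, str):
        return normalize(frame[recipe])
    return normalize((recipe[0], apply(recipe[1], frame), apply(recipe[2], frame)))

def recipes(frame, depth):
    """All recipes over the frame variables with nesting <= depth, smallest first."""
    level = set(frame)
    for _ in range(depth):
        level |= {(f, a, b) for f in ("enc", "dec")
                  for a, b in product(level, repeat=2)}
    return sorted(level, key=lambda m: (len(repr(m)), repr(m)))

def deducible(t, frame, depth=2):
    """Return a recipe M with M phi =_E t, or None if none exists up to depth."""
    target = normalize(t)
    return next((m for m in recipes(frame, depth) if apply(m, frame) == target), None)

def holds(m, n, frame):
    """Does the formal equation M ~ N belong to eq(phi)?"""
    return apply(m, frame) == apply(n, frame)

def distinguishing_tests(f1, f2, depth=2):
    """Equations (bounded depth) that hold in exactly one of the two frames."""
    rs = recipes(f1, depth)
    v1 = {m: apply(m, f1) for m in rs}
    v2 = {m: apply(m, f2) for m in rs}
    return [(m, n) for m, n in combinations(rs, 2)
            if (v1[m] == v1[n]) != (v2[m] == v2[n])]

PHI1 = {"w1": ("enc", "k1", "k2"), "w2": "k2"}     # frames from slide 11
PHI2 = {"w1": ("enc", "k1", "k2"), "w2": "k3"}
TEST = (("enc", ("dec", "w1", "w2"), "w2"), "w1")  # the slide's equation
```

An empty result from `distinguishing_tests` only shows that no test exists up to the chosen depth; it is not a proof of static equivalence.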

  12. Equational approach to security protocols I
     • Similar equational settings are used in popular specification languages such as the applied pi calculus [Abadi and Fournet, 2001], or Proverif's language [Blanchet, 2001, Blanchet et al., 2008].
     • Studying full protocols requires a more general notion of observational equivalence.

  13. Equational approach to security protocols II
     • Proof techniques for observational equivalence include
       – labelled bisimulations built on top of static equivalence [Abadi and Fournet, 2001],
       – and symbolic semantics based on a generalization of static equivalence [Baudet, 2005, Delaune et al., 2007].
     • Static equivalence has also been applied to characterize guessing attacks [Corin et al., 2004, Baudet, 2005].
     • The correspondence between static equivalence and cryptographic (a.k.a. computational) indistinguishability has been investigated in several papers, e.g. [Abadi et al., 2006].

  16. Motivations: Why a new tool?
     More equational theories I
     • More involved examples of cryptographic equational theories include (see e.g. [Cortier et al., 2006])
       – public-key encryption: $\mathrm{pdec}(\mathrm{penc}(x, \mathrm{pub}(y), z), y) = x$
       – signatures: $\mathrm{checksign}(\mathrm{sign}(x, y), \mathrm{pub}(y)) = \mathrm{ok}$
       – XOR symbol: $AC[\oplus]$, $x \oplus x = 0$
       – XOR-homomorphic symbols: $h(x \oplus y) = h(x) \oplus h(y)$
       – Diffie-Hellman exponents: $(g^x)^y = (g^y)^x$
       – pair-homomorphic encryption: ... $\mathrm{enc}(\langle x, y \rangle, z) = \langle \mathrm{enc}(x, z), \mathrm{enc}(y, z) \rangle$
       – prefix-homomorphic encryption: ... $\mathrm{pref}(\mathrm{enc}(\langle x, y \rangle, z)) = \mathrm{enc}(x, z)$
       – blind signatures:
         $\mathrm{checksign}(\mathrm{sign}(x, y), \mathrm{pub}(y)) = \mathrm{ok}$
         $\mathrm{unblind}(\mathrm{blind}(x, y), y) = x$
         $\mathrm{unblind}(\mathrm{sign}(\mathrm{blind}(x, y), z), y) = \mathrm{sign}(x, z)$

  17. More equational theories II
     • Each of these theories yields new deduction and static-equivalence problems to decide.
     • So far the only applicable tool to static equivalence has been Proverif [Blanchet et al., 2008], but it does not make use of the specialized, existing decision procedures for static equivalence [Abadi and Cortier, 2006, Cortier and Delaune, 2007].

  18. Our contributions
     Focusing on theories $E$ generated by convergent rewrite systems $R$:
     • We present a uniform procedure for deducibility and static equivalence, that is
       – sound and complete, up to explicit failure cases,
       – provably non-failing on a syntactic class of theories called layered,
       – "as much terminating as possible" in non-failing cases (termination implied by finite representation of deducible terms).
     • We provide an efficient OCaml implementation: http://www.lsv.ens-cachan.fr/~baudet/yapa/

  20. Results: Overview of the procedure
     Overview of the procedure I
     • We saturate a set of deduction facts $\Phi = \{ M_i \triangleright t_i \}$ and a set of visible equations $\Psi = \{ \forall x.\ M_j \bowtie N_j \}$ by means of transformation rules $st \Longrightarrow st'$.
     • The initial state $\mathrm{Init}(\varphi)$ is (roughly) $(\Phi_0, \Psi_0) \simeq (\varphi{\downarrow_R}, \emptyset)$.
     • The final state is either $\bot$ (failure) or a saturated state $(\Phi_1, \Psi_1)$ (success).

  21. Overview of the procedure II
     • Saturated states are finite syntactic representations of the sets of deducible terms and equations of the initial frame $\varphi$.
     Theorem (soundness and completeness). If $\mathrm{Init}(\varphi) \Longrightarrow^* (\Phi, \Psi)$ is saturated, then
     1. For all recipes $M$ and ground terms $t$: $M\varphi =_E t \iff \exists N$ s.t. $\Psi \vdash M \bowtie N$ and $N \triangleright_\Phi t{\downarrow_R}$.
     2. For all recipes $M$ and $N$: $M\varphi =_E N\varphi \iff \Psi \vdash M \bowtie N$.
     where $M \triangleright_\Phi t \iff \exists C,\ \{ M_i \triangleright t_i \} \subseteq \Phi$ such that $M = C[M_1, \dots, M_n]$ and $t = C[t_1, \dots, t_n]$.

  22. Overview of the procedure III
     From saturated states $\mathrm{Init}(\varphi_i) \Longrightarrow^* (\Phi_i, \Psi_i)$, it is easy to deduce procedures to check whether
     (i) $t$ is deducible from $\varphi_1$, that is: $t{\downarrow_R} \in \mathcal{F}_{pub}[\mathrm{im}(\Phi_1)]$
     (ii) $\mathrm{eq}_E(\varphi_1) \subseteq \mathrm{eq}_E(\varphi_2)$, that is: for all $(\forall x.\ M \bowtie N) \in \Psi_1$, $(M\varphi_2){\downarrow_R} = (N\varphi_2){\downarrow_R}$.
