joint work with xiaowan huang, scott smolka, & ping yang

Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited

Radu GrosuSUNY at Stony Brook

Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang

June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols

Talk Outline

1. LTL Model Checking

2. Monte Carlo Model Checking

3. Needham-Schroeder

4. Implementation & Results

5. Conclusions & Future Work

Model Checking

|S ?

Is system S a model of formula φ?

Model Checking

• S is a nondeterministic/concurrent system.

is (in our case) an LTL (Linear Temporal Logic) formula.

• Basic idea: intelligently explore S’s state space in attempt to establish S ⊨ .

• Fly in the ointment: State Explosion!

LTL Model Checking

• An LTL formula is made up of atomic propositions p, boolean connectives , , and temporal modalities X (neXt) and U (Until).

• Every LTL formula can be translated to a Büchi automaton whose language is set of infinite words satisfying .

• Automata-theoretic approach:

S ⊨ iff L(BS) L(B ) iff L(BS B )

Emptiness Checking

• Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso).

• Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!

s1 s2 s3 sksk-2 sk-1

sk+1sk+2sk+3sn

DFS2

DFS1

Monte Carlo Model Checking (MC2)

• Sample Space: lassos in BS B

• Random variable Z :

– Outcome = 0 if randomly chosen lasso accepting

– Outcome = 1 otherwise

• μZ = ∑ pi Zi (weighted mean)

• Compute (ε,δ)-approx. of μZ Z~

Monte Carlo Model Checking (MC2)

L1 = abcb, L2 = abcdb, L3 = abcdea

Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼

μZ = ½

a cb d

e

Monte Carlo Approximation

• Problem: Compute the mean value μZ of a random variable Z distributed in [0,1] when an exact computation of μZ proves intractable.

with error margin and confidence ratio .

Z• Solution: Compute an (,)-approximation of Z:

1 1 1 Pr[ ( ) ( )] Z Z Z

• Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨ !

Original Solution[Karp, Luby & Madras: Journal of Algorithms 1989]

• Compute as the mean value of N independent random variables (samples) identically distributed according to Z:

Z

• Determine N using the Zero-One estimator theorem:

( ... ) /Z N1

Z Z N

24 2 ln( / )/ Z

N

• Problems: is unknown and can be large.21/1/Z

Stopping Rule Algorithm (SRA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000]

• Innovation: computes correct N without using 1/Z

• Theorem:

E[N] ≤ 4 ln(2/) / μZ2;

= 4 ln(2/) / 2;

for (N=0, S=0; S≤; N++) S=S+ZN;

= S/N; return ;

Z Z

21/• Problem: is in most interesting cases too large.

1 1 1 Pr[ ( ) ( )] Z Z Z

Optimal Approx Algorithm (OOA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000]

• Compute N using generalized Zero-One estimator:

2

4 2

4 2

ln( / )/

ln( / )/

2Z Z Z

Z

if

otherwise

σN

• Apply sequential analysis (prediction/correction):

1. Assume 2 is small and compute with SRA( )

2. Compute using and

3. Use to correct N and .

Z , 2

Z 4 2 ˆln( / )/ Z

N

2Z

• Expected number of samples is optimal to within a constant factor!

Monte Carlo Model Checking

Theorem: MC2 computes an (ε,δ)-approximation

of μZ in expected time O(N∙D) and uses

expected space O(D), where D is the

recurrence diameter of B = BS B .

Cf. DDFS which runs in O(2|S|+|φ|) time and space.

Needham-Schroeder

1. A B : { Na, A } KB

2. B A : { Na, Nb } KA

3. A B : { Nb } KB

Breaking & Fixing Needham-Shroeder

• In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication with B.

• As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg:

2´. B A : { B, Na, Nb } KA

Implementation

• Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules.

• Specified NS as a reactive module; all communications go through intruder.

• Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.

DDFS MC2nonce time entries time exp avg

(0..1) 1 31 20 1 12(0..4) 1 607 33 2 29(0..8) 2 2527 34 9 30

(0..20) 11 24031 34 12 30(0..32) 32 85279 70 24 30(0..36) 46 18111 141 37 30(0..60) oom 4200 467 30

Time and space requirements for DDFS and MC2

Experimental Results

nonce sat cntr mu_Z(0..1) 2915 171 0.9445(0..4) 2955 18 0.9939(0..8) 2969 4 0.9986

(0..20) 2970 3 0.9989(0..32) 6288 3 0.9995(0..36) 12975 3 0.9997(0..60) 194937 9 0.9999

Variation of µZ for MC2

Zμ

Experimental Results

~

Related Approaches

• NRL Protocol Analyzer [Meadows 96]

• Spi-Calculus [Abadi Gordon 97]

• FDR [Lowe 97]

• The Strand Space Method [Guttman et al. 98]

• Isabelle Theorem Prover [Paulson 98]

• Backward Induction [Kurkowski Mackow 03]

Conclusions

• Applied Monte Carlo model checking to Needham-Schroeder.

• Results indicate may be more effective than traditional approaches in discovering attacks.

• Further experimentation required to draw definitive conclusions.

• Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!

Monte Carlo Model Checking

• Randomized algorithm for LTL model checking utilizing automata-theoretic approach.

• Basic idea: Take N samples: sample = lasso = random walk through BS B ending in a cycle.

• If accepting lasso (counter-example) found, return false.

• Else return true with certain confidence.