Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited
Radu Grosu, SUNY at Stony Brook
Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang
June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols
Talk Outline
1. LTL Model Checking
2. Monte Carlo Model Checking
3. Needham-Schroeder
4. Implementation & Results
5. Conclusions & Future Work
Model Checking
$S \models \varphi$ ?
Is system S a model of formula φ?
Model Checking
• S is a nondeterministic/concurrent system.
• φ is (in our case) an LTL (Linear Temporal Logic) formula.
• Basic idea: intelligently explore S’s state space in an attempt to establish S ⊨ φ.
• Fly in the ointment: State Explosion!
LTL Model Checking
• An LTL formula is made up of atomic propositions p, boolean connectives , , and temporal modalities X (neXt) and U (Until).
• Every LTL formula φ can be translated to a Büchi automaton $B_\varphi$ whose language is the set of infinite words satisfying φ.
• Automata-theoretic approach:
$S \models \varphi$ iff $L(B_S) \subseteq L(B_\varphi)$ iff $L(B_S \times B_{\neg\varphi}) = \emptyset$
Emptiness Checking
• Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso).
• Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!
[Figure: lasso through states s1, …, sk, …, sn, annotated with DFS1 and DFS2]
Monte Carlo Model Checking (MC2)
• Sample Space: lassos in $B_S \times B_{\neg\varphi}$
• Random variable Z :
– Outcome = 0 if randomly chosen lasso accepting
– Outcome = 1 otherwise
• μZ = ∑ pi Zi (weighted mean)
• Compute (ε,δ)-approx. $\tilde{\mu}_Z$ of μZ
Monte Carlo Model Checking (MC2)
L1 = abcb, L2 = abcdb, L3 = abcdea
Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼
μZ = ½
[Figure: automaton with states a, b, c, d, e]
Monte Carlo Approximation
• Problem: Compute the mean value μZ of a random variable Z distributed in [0,1] when an exact computation of μZ proves intractable.
• Solution: Compute an (ε,δ)-approximation $\tilde{\mu}_Z$ of μZ with error margin ε and confidence ratio δ:
$$\Pr[\mu_Z(1-\varepsilon) \le \tilde{\mu}_Z \le \mu_Z(1+\varepsilon)] \ge 1-\delta$$
• Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨ φ!
Original Solution [Karp, Luby & Madras: Journal of Algorithms 1989]
• Compute $\tilde{\mu}_Z$ as the mean value of N independent random variables (samples) identically distributed according to Z:
$$\tilde{\mu}_Z = (Z_1 + \dots + Z_N)/N$$
• Determine N using the Zero-One estimator theorem:
$$N = 4\ln(2/\delta)/(\mu_Z\,\varepsilon^2)$$
• Problems: $1/\mu_Z$ is unknown and $1/\varepsilon^2$ can be large.
Stopping Rule Algorithm (SRA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000]
• Innovation: computes correct N without using $1/\mu_Z$
• Theorem: $\Pr[\mu_Z(1-\varepsilon) \le \tilde{\mu}_Z \le \mu_Z(1+\varepsilon)] \ge 1-\delta$; $E[N] \le 4\ln(2/\delta)/(\mu_Z\,\varepsilon^2)$
Υ = 4 ln(2/δ) / ε²;
for (N=0, S=0; S≤Υ; N++) S=S+Z_N;
μ̃Z = S/N; return μ̃Z;
• Problem: $1/\varepsilon^2$ is in most interesting cases too large.
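Added example (not part of the original slides): random-lasso sampling and the stopping-rule loop, run on the five-state automaton whose lassos are listed on the MC2 example slide. The edge set and uniform successor choice are reconstructed from those lassos and their probabilities; the accepting set {d} and all function names are assumptions.

```python
import math
import random

# Edges reconstructed from the lassos abcb, abcdb, abcdea on the example slide.
EDGES = {"a": ["b"], "b": ["c"], "c": ["b", "d"], "d": ["b", "e"], "e": ["a"]}
INIT = "a"
ACCEPTING = {"d"}  # assumption: the slide text does not say which states accept

def is_accepting(path):
    """A lasso accepts iff its cycle (from the repeated state on) hits ACCEPTING."""
    cycle = path[path.index(path[-1]):]
    return any(s in ACCEPTING for s in cycle)

def random_lasso(rng):
    """Random walk from INIT, uniform over successors, until a state repeats."""
    path, seen = [INIT], {INIT}
    while True:
        nxt = rng.choice(EDGES[path[-1]])
        path.append(nxt)
        if nxt in seen:
            return path
        seen.add(nxt)

def lasso_distribution(path=(INIT,), prob=1.0):
    """Enumerate every lasso with its exact probability under the random walk."""
    dist = {}
    succs = EDGES[path[-1]]
    for nxt in succs:
        p, ext = prob / len(succs), path + (nxt,)
        if nxt in path:
            dist["".join(ext)] = p
        else:
            dist.update(lasso_distribution(ext, p))
    return dist

def exact_mu_z():
    """mu_Z = sum p_i * Z_i with Z = 0 for accepting lassos, 1 otherwise."""
    return sum(p for l, p in lasso_distribution().items() if not is_accepting(l))

def sra(eps, delta, rng):
    """Stopping rule as on the SRA slide: sample until S exceeds the threshold."""
    threshold = 4 * math.log(2 / delta) / eps ** 2
    n, s = 0, 0
    while s <= threshold:
        s += 0 if is_accepting(random_lasso(rng)) else 1
        n += 1
    return s / n, n
```

`sra(0.1, 0.05, random.Random(1))` returns the estimate together with the number of samples drawn, which can be compared against `exact_mu_z()`.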
Optimal Approx Algorithm (OAA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000]
• Compute N using generalized Zero-One estimator:
$$N = \begin{cases} 4\ln(2/\delta)\,\sigma_Z^2/(\mu_Z\,\varepsilon)^2 & \text{if } \sigma_Z^2 \ge \varepsilon\,\mu_Z \\ 4\ln(2/\delta)/(\mu_Z\,\varepsilon) & \text{otherwise} \end{cases}$$
• Apply sequential analysis (prediction/correction):
1. Assume 2 is small and compute with SRA( )
2. Compute using and
3. Use to correct N and .
Z , 2
Z 4 2 ˆln( / )/ Z
N
2Z
• Expected number of samples is optimal to within a constant factor!
Monte Carlo Model Checking
Theorem: MC2 computes an (ε,δ)-approximation
of μZ in expected time O(N∙D) and uses
expected space O(D), where D is the
recurrence diameter of $B = B_S \times B_{\neg\varphi}$.
Cf. DDFS which runs in $O(2^{|S|+|\varphi|})$ time and space.
Needham-Schroeder
1. A → B : { Na, A }_KB
2. B → A : { Na, Nb }_KA
3. A → B : { Nb }_KB
Breaking & Fixing Needham-Schroeder
• In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication with B.
• As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg:
2´. B → A : { B, Na, Nb }_KA
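Added example (not part of the original slides): the initiator's check on message 2 with and without the responder identity, using symbolic encryption. The `Enc` tuple, all function names and the nonce strings are constructed for illustration.

```python
from collections import namedtuple

# Symbolic public-key encryption: only `owner` can open the message.
Enc = namedtuple("Enc", "owner fields")


def decrypt(msg, me):
    if msg.owner != me:
        raise ValueError(f"{me} cannot decrypt a message for {msg.owner}")
    return msg.fields


def responder_msg2(me, msg1, nb, fixed):
    """Responder's reply to message 1 {Na, A}_K(me).

    Original: {Na, Nb}_KA.  Lowe's fix: {B, Na, Nb}_KA.
    """
    na, initiator = decrypt(msg1, me)
    fields = (me, na, nb) if fixed else (na, nb)
    return Enc(initiator, fields)


def initiator_accepts(me, peer, na, msg2, fixed):
    """Initiator's check on message 2 for the run it opened with `peer`."""
    fields = decrypt(msg2, me)
    if len(fields) != (3 if fixed else 2):
        return False
    if fixed:
        sender, got_na, _nb = fields
        return sender == peer and got_na == na  # binds the reply to `peer`
    return fields[0] == na  # nonce match only: says nothing about who replied


def accepts_reply_from_other_responder(fixed):
    """A opened a run with I; a message 2 generated by B for Na reaches A."""
    na, nb = "Na-constructed", "Nb-constructed"  # constructed sample nonces
    msg2_from_b = responder_msg2("B", Enc("B", (na, "A")), nb, fixed)
    return initiator_accepts("A", "I", na, msg2_from_b, fixed)
```

With the original message 2 the initiator accepts on the nonce alone; with the fixed message 2 it rejects because the sender field does not match the peer it contacted.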
Implementation
• Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules.
• Specified NS as a reactive module; all communications go through intruder.
• Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.
Experimental Results

| nonce | DDFS time | DDFS entries | MC2 time | MC2 exp | MC2 avg |
|---|---|---|---|---|---|
| (0..1) | 1 | 31 | 20 | 1 | 12 |
| (0..4) | 1 | 607 | 33 | 2 | 29 |
| (0..8) | 2 | 2527 | 34 | 9 | 30 |
| (0..20) | 11 | 24031 | 34 | 12 | 30 |
| (0..32) | 32 | 85279 | 70 | 24 | 30 |
| (0..36) | 46 | 18111 | 141 | 37 | 30 |
| (0..60) | oom | | 4200 | 467 | 30 |

Time and space requirements for DDFS and MC2
Experimental Results

| nonce | sat | cntr | mu_Z |
|---|---|---|---|
| (0..1) | 2915 | 171 | 0.9445 |
| (0..4) | 2955 | 18 | 0.9939 |
| (0..8) | 2969 | 4 | 0.9986 |
| (0..20) | 2970 | 3 | 0.9989 |
| (0..32) | 6288 | 3 | 0.9995 |
| (0..36) | 12975 | 3 | 0.9997 |
| (0..60) | 194937 | 9 | 0.9999 |

Variation of µZ for MC2
Related Approaches
• NRL Protocol Analyzer [Meadows 96]
• Spi-Calculus [Abadi Gordon 97]
• FDR [Lowe 97]
• The Strand Space Method [Guttman et al. 98]
• Isabelle Theorem Prover [Paulson 98]
• Backward Induction [Kurkowski Mackow 03]
Conclusions
• Applied Monte Carlo model checking to Needham-Schroeder.
• Results indicate it may be more effective than traditional approaches in discovering attacks.
• Further experimentation required to draw definitive conclusions.
• Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!
Monte Carlo Model Checking
• Randomized algorithm for LTL model checking utilizing automata-theoretic approach.
• Basic idea: Take N samples: sample = lasso = random walk through $B_S \times B_{\neg\varphi}$ ending in a cycle.
• If accepting lasso (counter-example) found, return false.
• Else return true with certain confidence.