Download - MSR 3: One Year Later
MSR 3:One Year Later
Iliano [email protected]
ITT Industries, inc @ NRL Washington, DC
http://theory.stanford.edu/~iliano
Protocol eXchange Seminar, UMBC May 27-28, 2004
MSR 3.0:The Logical Meeting Point of MultisetRewriting and Process Algebra
I liano Cervesato [email protected]
I TT I ndustries, inc @ NRL Washington, DC
http:/ / www.cs.stanf ord.edu/ ~iliano
CS Department, UMBC February 27-28, 2003
MSR 3: One Year Later 2/28
NSPK in MSR 3
A: princ.
{ L: princ B:princ.pubK B nonce mset.
B: princ. kB: pubK B. nA: nonce.
net ({nA, A}kB), L (A, B, kB, nA)
B: princ. kB: pubK B.
kA: pubK A. kA': prvK kA.
nA: nonce. nB: nonce.
net ({nA, nB}kA), L (A, B, kB, nA)
net ({nB}kB)
}
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
Interpretation of L Rule invocation
Implementation detail
Control flow Local state of
role Explicit view Important for
DOS
MSR 2 spec.
MSR 3: One Year Later 3/28
NSPK in MSR 3
A:princ. B: princ. kB: pubK B.
nA: nonce.
net ({nA, A}kB),
(kA: pubK A. kA': prvK kA. nB: nonce.
net ({nA, nB}kA) net ({nB}kB))
A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
Succinct Continuation-passing style
Rule asserts what to do next Lexical control flow
State is implicit Abstract
Not an MSR 2 spec.
MSR 3: One Year Later 4/28
Looks Familiar?A B: {nA, A}kB
B A: {nA, nB}kA
A B: {nB}kB
Process calculus
A:princ.B: princ. kB: pubK B.
kA: pubK A. kA': prvK kA. nB: nonce.
nA: nonce.
net ({nA, A}kB) .
net <{nA, nB}kA> .
net ({nB}kB) . 0
{NA, A}KB
{NA, NB}KA
{NB}KB
Alice (A,B,NA,NB) :
NA Fresh, A(A,B)
Parametric strand
MSR 3: One Year Later 5/28
What is MSR 3?
A new language for security protocols
Supports State transition specs
Conservative over MSR 2Process algebraic specs
Rewriting re-interpretation of logicRich composable set of connectives
Universal connector
Neutral paradigm
MSR 3: One Year Later 6/28
More than the Sum of its Parts
Process- and transition-based specs.in the same language
Choose the paradigmUser’s preferenceHighlight characteristics of interestSupport various verification techniques (FW)
Mix and match stylesWithin a spec.Within a protocolWithin a role
MSR 3: One Year Later 7/28
What is in MSR 3 ?
Security-relevant signature Network Encryption, …
Typing infrastructure Dependent types Subsorting
Data Access Specification (DAS)
Module system Equations
FromMSR 2
FromMSR 1
From MSR 2implementation
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 8/28
-Multisets
Specification language for concurrent systems
Crossroad of State transition languages
Petri nets, multiset rewriting, … Process calculi
CCS, -calculus, … (Linear) logic
Benefits Analysis methods from logic and type theory Common ground for comparing
Multiset rewriting Process algebra
Allows multiple styles of specification Unified approach
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 9/28
SyntaxA ::= a atomic object
| 1 [] empty| A B [A, B] formation| A B [A B] rewrite| T no-op| A & B [A || B] choice| x. A instantiation| x. A generation| ! A replication
Generalizes FO multiset rewriting (MSR 1-2)x1…xn. a(x) y1…yk. b(x,y)
MSR 3: One Year Later 10/28
State and Transitions
States ; ;
; is a list and are
commutative monoids Transitions
; ; ’; ’; ’; ; * ’; ’
* for reflexive and transitive closure
Constructor: “,” Empty: “”- logic
- system - rewriting - processes- security
MSR 3: One Year Later 11/28
Transition Semantics
; ; (, A, A B) ; ; (, B)T (no rule)
& ; ; (, A1 & A2) ; ; (, Ai)
; ; (, x. A) ; ; (, [t/x]A)if |- t
; ; (, x. A) (, x) ; ; (, A)
! ; ; (, !A) ; (, A) ;
; (, A) ; ; (, A) ; (, A)
; ; * ; ; ; * ’’; ’’if ; ; ’; ’ ; ’ and ’; ’ ; ’ * ’’; ’’
MSR 3: One Year Later 12/28
Linear Logic
FormulasA, B ::= a | 1 | A B | A B | ! A
| T | A & B | x. A | x. A
LV sequents ; --> C
Goalformula
Signature
Unrestrictedcontext Linear
context
Constructor: “,” Empty: “”
- logic- system - rewriting - processes- security
MSR 3: One Year Later 13/28
Logical Derivations
Proof of C from and Emphasis on C
C is input
Finite Closed
Rules shown Major premise
Preserves C Minor premise
Starts subderivation; --> C
’’; ’’ -->’’ C
’; ’ -->’ C
’’’; C -->’’’ C
- logic- system - rewriting - processes- security
MSR 3: One Year Later 14/28
A Rewriting Re-Interpretation
Transition From conclusion To major premise
Emphasis on , and C is output, at best
Does not change
Possibly infinite Open
Minor premise Auxiliary rewrite chain
Finite Topped with axiom
; --> C
’’; ’’ -->’’ C
’; ’ -->’ C
’’’; C -->’’’ C
- logic- system - rewriting - processes- security
MSR 3: One Year Later 15/28
Interpreting Unary Rules
; ; (, !A) ; (, A);
; , A -->,x C
; , x.A --> C
, A; --> C
; , !A --> C
|- t ; , [t/x]A --> C
; , x.A --> C
; , A, B --> C
; , AB --> C; ; (, AB ) ; ; (, A, B)
; ; (, x. A) ; ; (, [t/x]A)if |- t
; ; (, x. A) (, x); ; (, A)
… …
- logic- system - rewriting - processes- security
MSR 3: One Year Later 16/28
Binary Rules and Axiom
Minor premiseAuxiliary rewrite
chain
Top of treeFocus shifts to
RHS Axiom rule
Observation
; ’ --> A ; , B --> C
; , ’ , AB --> C
’; A -->’ A
- logic- system - rewriting - processes- security
MSR 3: One Year Later 17/28
Observations
Observation states
; In , we identify
, with with 1
Categorical semantics
Identified with x1. … xn. For = x1, …, xn
De Bruijn’s telescopes
Observation transitions; ; * ’; ’
A
,’; A’ -->,’ A’
; --> ’. A’
=
; = . - logic- system - rewriting - processes- security
MSR 3: One Year Later 18/28
Interpreting Binary Rules
; ; (, ’, A B) ; ; (, B)if ; ; ’ * ; A
; ’ --> A ; , B --> C
; , ’ , AB --> C
; ’ --> A ; A --> C
; , ’ --> C
; ; , ’ ; ; (A, )if ; ; ’ * ; A
; A --> A; ; * ; ; ; * ’’; ’’
if ; ; ’; ’; ’and ’; ’; ’ * ’’; ’’
… …
- logic- system - rewriting - processes- security
MSR 3: One Year Later 19/28
Formal Correspondence
SoundnessIf ; ; * ,’; ’then ; --> ’. ’
Completeness?No! We have only crippled right rules
; ; a b, b c * ; a c
- logic- system - rewriting - processes- security
MSR 3: One Year Later 20/28
System
With cut, rule for can be simplified to; ; (, A, A B) ; ; (, B)
Cut elimination holds= in-lining of auxiliary rewrite chains
But … Careful with extra signature symbols Careful with extra persistent objects
No rule for needs a premise does not depend on *
- logic- system - rewriting - processes- security
MSR 3: One Year Later 21/28
Multiset Rewriting
Multiset: set with repetitions alloweda ::= | a, a
Commutative monoid
Multiset rewriting (a.k.a. Petri nets)Rewriting within the monoid Fundamental model of distributed computing
Alternative: Process AlgebrasBasis for security protocol spec. languages
MSR family … several others
Many extensions, more or less ad hoc
- logic- system - rewriting - processes- security
MSR 3: One Year Later 22/28
The Atomic Objects of MSR 3
Atomic termsPrincipals AKeys KNonces NOther
Raw data , timestamp, …
Constructors Encryption
{_}_
Pairing (_, _) Other
Signature, hash, MAC, …
Fully definable
PredicatesNetwork
netMemory
MA
Intruder I…
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 23/28
Types
Fully definable Powerful abstraction mechanism
At various user-definable level Finely tagged messages Untyped: msg only
Simplify specification and reasoning Automated type checking
Simple typesA : princn : noncem : msg, …
Dependent typesk : shK A BK : pubK AK’ : privK K, …
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 24/28
Subsorting
Allows atomic terms in messages
DefinableNon-transmittable termsSub-hierarchies
Discriminant for type-flaw attacks
<: ’
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 25/28
Data Access Specification
Prevent illegitimate use of information Protocol specification divided in roles
– Owner = principal executing the role A signing/encrypting with B’s key A accessing B’s private data, …
Simple static check
Central meta-theoretic notion Detailed specification of Dolev-Yao access model
Gives meaning to Dolev-Yao intruder
Current effort towards integration in type system Definable
Possibility of going beyond Dolev-Yao model
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 26/28
Modules and Equations
ModulesBundle declarations with simple
import/export interfaceKeep specifications tidyReusable
Equations(For free from underlying Maude engine)
Specify useful algebraic properties Associativity of pairs
Allow to go beyond free-algebra model Dec(k, Enc(k, M)) = M
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 27/28
State-Based vs. Process-Based
State-based languages Multiset Rewriting NRL Prot. Analyzer, CAPSL/CIL, Paulson’s approach,
…State
transitionsemantics
Process-based languages Process Algebra Strand spaces, spi-calculus, …
Independentcommunicatingthreads
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 28/28
MSR 3 Bridges the Gap
Difficult to go from one to the otherDifferent paradigms
PB
SB
State vs.processdistance
Otherdistance
MSR 3
PB
SB
State Process translation done once and for all in MSR 3
-Multisets
MSR 2
Protocols
Repr. gap
MSR 3: One Year Later 29/28
Summary
MSR 3.0 Language for security protocol specification Succinct representations
Simpl specifications Economy of reasoning
Bridge between State-based representation Process-based representation
-multisets Logical foundation of multiset rewriting Relationship with process algebras Unified logical view
Better understanding of where we are Hint about where to go next