executable specification of cryptofraglets with maude for security verification
Executable specification of cryptofraglets with Maude
for security verification
Fabio Martinelli and Marinella Petrocchi
IIT-CNR, Pisa Italy
presented by
Daniel Schreckling (Univ. Passau, Germany) and Lidia Yamamoto (Univ. Basel, Switzerland)
Overview
• Introduction: context, motivation, and goal
• The Fraglets language
– Cryptofraglets
– Threat model
• Maude specification language
– Cryptofraglets in Maude
– Case study: attack detection on Needham Schroeder Public Key (NSPK) protocol
• Conclusions, future work
Introduction
• Adaptive and autonomic systems need:
– New methodologies to assess security and trustworthiness of network protocols and services in a potentially changing environment
– Techniques for automated security verification
• Chemical computing (e.g. Gamma, Fraglets) as a tool for specifying autonomic behavior
• Goal
– Development of a software tool supporting specification of crypto-protocols in Fraglets and their security analysis
The Fraglets Language
• Programming language inspired by chemistry
– Code and data represented as molecules = strings = computation fragments
– Processing by chemical reactions that consume and produce molecules (code and data)
– Goal: automated synthesis and evolution of communication protocols
Fraglets Basic Instruction Set
[Instruction table not preserved; its columns were: educts, products]
The Fraglets Language
• Fraglets processing: chemical reactions perform string rewriting operations
– head of string fully determines rewriting operation
– analogous to packet header processing in network protocols
• Distributed computation: Fraglets (computation fragments) flow through a computer network
• Applications: active networks, self-modifying code, autonomic communication protocols
Cryptofraglets
• Original Fraglets language lacked security features
• Cryptofraglets [BIONETICS 2006]: our extension of the Fraglets instruction set for
– symmetric/asymmetric cryptography
– hashing techniques
• Encryption: [enc newtag k1 tail] → [newtag tail_k1]
• Decryption: [dec newtag k2 tail_k2] → [newtag tail]
• Hash: [hash newtag tail] → [newtag h(tail)]
Fraglets-Based Threat Model
• Protocol specification involving two honest roles
– initiator SS
– responder SR.
• Communication flow through untrusted store SX
• Secret keys initially contained in the legitimate store(s)
Definition of Security Properties
• It is now possible to define security properties (secrecy, authentication, integrity…)
• Classical notion of intruder’s knowledge rephrased:
– the set of symbols that the intruder's store contains
– example: secrecy property: “at each point of the computation, a symbol is secret between initiator and responder if it is not possible for the intruder store to know that symbol”
(Formal definitions in the Bionetics 2009 paper)
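The enc/dec/hash rules, the untrusted store X and the store-based secrecy property can be exercised in a few lines. This is an added Python sketch, not the authors' Maude encoding; the store contents, the tags `c`, `msg`, `leak` and the tuple representation of ciphertext are assumptions, while `match` and `send` are taken from the basic Fraglets instruction set.

```python
# Added sketch: a fraglet is a tuple of symbols; ("ct", key, tail) is an opaque ciphertext symbol.
def inverse(key):
    """("pk", a) and ("sk", a) undo each other; any other key is symmetric."""
    if isinstance(key, tuple) and key[0] in ("pk", "sk"):
        return ("sk" if key[0] == "pk" else "pk", key[1])
    return key

def react(store, frag, soup):
    """Fire the rule selected by the head symbol; return (store, product) or None."""
    head, *rest = frag
    if head == "enc":                     # [enc newtag k1 tail] -> [newtag tail_k1]
        return store, (rest[0], ("ct", rest[1], tuple(rest[2:])))
    if head == "hash":                    # [hash newtag tail] -> [newtag h(tail)]
        return store, (rest[0], ("h", tuple(rest[1:])))
    if head == "dec" and len(rest) == 3:  # [dec newtag k2 tail_k2] -> [newtag tail]
        tag, key, ct = rest
        if isinstance(ct, tuple) and ct[0] == "ct" and ct[1] == inverse(key):
            return store, (tag, *ct[2])
    if head == "send":                    # [send store tail]: tail moves to that store
        return rest[0], tuple(rest[1:])
    if head == "match":                   # [match s t1] + [s t2] -> [t1 t2]
        for other in soup:
            if other is not frag and other[0] == rest[0]:
                soup.remove(other)
                return store, (*rest[1:], *other[1:])
    return None                           # passive data, or decryption with the wrong key

def run(stores, watch="X"):
    """Rewrite until no rule fires; return every clear symbol the watched store held."""
    seen = {sym for frag in stores[watch] for sym in frag}
    progress = True
    while progress:
        progress = False
        for name, soup in stores.items():
            for frag in list(soup):
                result = react(name, frag, soup) if frag in soup else None
                if result:
                    soup.remove(frag)
                    stores[result[0]].append(result[1])
                    if result[0] == watch:
                        seen.update(result[1])
                    progress = True
    return seen

def leaks_nonce(intruder_key):
    stores = {"A": [("enc", "c", ("pk", "B"), "na"),         # encrypt nonce na for B
                    ("match", "c", "send", "X", "msg")],     # route the result via X
              "B": [], "X": [("match", "msg", "dec", "leak", intruder_key)]}
    return "na" in run(stores)            # secrecy of na fails if X ever held it in the clear
```

With X holding only its own private key the `dec` fraglet stays inert and `na` remains secret; placing B's private key in X, which breaks the assumption that secret keys live only in legitimate stores, makes the check report a leak.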
The Maude Rewrite System
• Reflective specification language and system based on Rewriting Logic
• Distributed systems specified as:
– Algebraic data type axiomatizing system state
– Rewrite rules axiomatising system’s local transitions
• Provides executable semantics and toolkit allowing for formal reasoning
• User-defined execution strategies allow for state exploration strategies, e.g., breadth-first search
What is a rewrite rule?
mod climate is
  sort weathercondition .
  op sunnyday : -> weathercondition .
  op rainyday : -> weathercondition .
  --- the rule labelled raincloud rewrites sunnyday to rainyday
  rl [raincloud] : sunnyday => rainyday .
endm
Maude “search” strategies
• Maude commands
– rewrite command explores one possible sequence of rewrites
– search command looks for all the possible traces from an initial to a particular configuration of interest (e.g. set of fraglets in store X)
• Possibility to exploit built-in toolkits:
– model checker
– theorem prover
– user-defined ad hoc search strategies
We use Maude for…
• Encoding of fraglets (crypto)instructions into an executable specification
• Perform security analysis on this specification
• Case study
– Formulation of Needham Schroeder Public Key protocol
– Attack on flawed version of NSPK analyzed and detected
Encoding
• Fraglets instructions become rewrite rules
• Example
– Dup (duplicate symbol)
– Send (transfer fraglet from one store to another)
Encoding
• En/decryption-instructions:
Case Study: NSPK Protocol
• Protocol authenticates two agents A and B
• At the end of the protocol
– Agents know their identities
– Agents share a secret (nonces)
• Original protocol was vulnerable to a man-in-the-middle attack
• Implementation of vulnerable version in fraglets
Flawed NSPK in Maude
• Translate fraglets version into Maude
• Command rewrite takes initial configuration of fraglets in stores A, B, and X
• Maude executes two interleaved sessions of NSPK
• At the end of computation:
– Store A contains newly received nonce nb
– Store B contains [what is expected]
– Store X contains [auxtag5 nb]
• Maude detects secrecy violation
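The two interleaved sessions can be replayed symbolically to see why nb ends up in store X. This is an added Python illustration, not the authors' Maude specification; the message layout follows the standard NSPK description, and the `fixed=True` variant, which adds the responder's name to message 2 (Lowe's repair), is not shown on the slides.

```python
# Added illustration. Terms are symbolic: ("enc", owner, fields) is readable
# only with owner's private key; intruder knowledge K is a set of symbols.
def enc(owner, *fields):
    return ("enc", owner, fields)

def dec(owner, msg):
    """Fields of msg if it was encrypted for owner, else None."""
    return msg[2] if msg[1] == owner else None

def learn(knowledge, msg):
    """Intruder X records msg and, if it was encrypted for X, its fields."""
    knowledge.add(msg)
    knowledge.update(dec("X", msg) or ())

def forge(knowledge, owner, *fields):
    """X can only build a message from symbols it already knows."""
    return enc(owner, *fields) if set(fields) <= knowledge else None

def interleaved_sessions(fixed):
    """Return (X knows nb, B believes it completed a run with A)."""
    K = {"A", "B", "X"}                       # public identities
    # Session 1: A deliberately starts a run with X.
    learn(K, enc("X", "na", "A"))             # msg 1: {na, A}pk(X)
    # Session 2: X replays A's nonce to B, posing as A.
    m1 = forge(K, "B", "na", "A")             # msg 1': {na, A}pk(B)
    nonce, peer = dec("B", m1)
    m2 = enc(peer, nonce, "nb", *(["B"] if fixed else []))  # msg 2 from B
    learn(K, m2)                              # X cannot open it, only forward it
    # Session 1 resumes: A checks her nonce (and, if fixed, the responder name).
    reply = dec("A", m2)
    if reply[0] != "na" or (fixed and reply[2] != "X"):
        return "nb" in K, False               # A aborts; nothing more leaks
    learn(K, enc("X", reply[1]))              # msg 3: {nb}pk(X)
    m3 = forge(K, "B", "nb")                  # msg 3': {nb}pk(B)
    return "nb" in K, m3 is not None and dec("B", m3) == ("nb",)
```

In the flawed protocol the intruder's knowledge ends up containing nb while B accepts the run as coming from A; with the responder name in message 2, A rejects the forwarded reply and nb never reaches X.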
Conclusions
• Main result:
– assessment of usefulness of executing fraglets specifications for security verification purposes
• Possible follow-ups:
– analyzing complex security protocols and properties;
– definition of the fraglets-based most powerful intruder to verify security properties over universal quantification