extending proverif s resolution algorithm for verifying
play

Extending ProVerifs Resolution Algorithm for Verifying Group - PowerPoint PPT Presentation

Apr 01, 2023 •131 likes •692 views

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup

  1. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerif’s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup´ erieure June 25, 2010 Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 1 / 24

  2. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Contents Introduction 1 Representation with Horn clauses Resolution Group Protocols 2 Generalized Horn Clauses 3 Syntax Resolution algorithm 4 Extension of the definition of Resolution Relation with Horn clauses The Algorithm Conclusions and Further works 5 Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 2 / 24

  3. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Cryptographic protocols and their Verification Cryptographic protocols are protocols that perform a security-related function and apply cryptographic methods. The confidence in these protocols can be increased by a formal analysis in order to verify security properties considering cryptographic primitives as black boxes. For an unbounded number of sessions � undecidability. Group protocols are protocols that involve an unbounded number of participants � the number of steps and the form of messages depend on the number of participants. Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 3 / 24

  4. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Overview of ProVerif Properties to prove: Protocol: Pi calculus + cryptography secrecy, authentication,... Automatic translator Derivability queries Horn clauses Resolution with selection The property is true Potential attack Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 4 / 24

  5. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  6. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  7. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  8. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  9. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  10. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  11. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  12. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( k , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , k ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  13. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , y ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  14. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Example Denning-Sacco Message 1 A → B : pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 2 B → A : sencrypt ( s , k ) attacker( pk ( x )) ⇒ attacker( pencrypt ( sign ( k [ pk ( x )] , sk A [ ]) , pk ( x )) Message 1 A → B : pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ])) Message 2 B → A : sencrypt ( s , y ) attacker( pencrypt ( sign ( y , sk A [ ]) , pk ( sk B [ ]))) ⇒ attacker( sencrypt ( s , y )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 5 / 24

  15. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Representation with Horn clauses Representation of a protocol Messages are represented by patterns p ::= x | a [ p 1 , . . . , p n ] | f ( p 1 , . . . , p n ) � a , b � , sencrypt ( s , pk ) Properties are represented by facts F ::= attacker( p ) The protocol and the abilities of the attacker are represented by Horn clauses F 1 ∧ · · · ∧ F n ⇒ F attacker( s ) ∧ attacker( pk ) ⇒ attacker( sencrypt ( s , pk )) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 6 / 24

  16. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Resolution Resolution Definition (Resolution) H 1 ⇒ C 1 F ∧ H 2 ⇒ C 2 σ ( H 1 ∧ H 2 ) ⇒ σ C 2 where σ is the most general unifier of C 1 and F . The selection function selects: a hypothesis not of the form attacker( x ) if possible, the conclusion otherwise Resolve until a fixpoint is reached. Keep clauses whose conclusion is selected. Theorem The obtained clauses derive the same facts as the initial clauses Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 7 / 24

  17. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Example Asokan-Ginzboorg protocol Let the set of players be { a i , i = 1 , . . . , n + 1 } for n ≥ 1 and a n +1 be the leader. The protocol describes the establishment of a session key between the leader and the other n participants. a n +1 → ALL : � a n +1 , sencrypt ( e , p ) � (1) a i → a n +1 : � a i , sencrypt ( � r i , s i � , e ) � (2) a n +1 → a i : sencrypt ( � s 1 , . . . , s n , s n +1 � , r i ) (3) a i → a n +1 : � a i , sencrypt ( � s i , h ( s 1 , . . . , s n +1 ) � , K ) � , for some i (4) where K = f ( s 1 , . . . , s n +1 ) Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 8 / 24

  18. Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Syntax Generalized Horn Clauses Syntax 1 p G , s , t ::= patterns x ( ι 1 ,...,ι h ) where 0 ≤ h variable f ( p G 1 , . . . , p G l ) function application a ι [ p G 1 , . . . , p G l ] indexed names mpair ( i , p G ) list constructor F G ::= facts attacker( p G ) fact ( i 1 ,..., i h ) ∈ I F G � conjunction fact R G ::= F G 1 ∧ · · · ∧ F G n ∧ δ ⇒ F G generalized Horn clause Extending ProVerif’s Resolution Algorithm, for Verifying Group Protocols 9 / 24

Recommend

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01]

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01]

Presentation of the ProVerif tool St ephanie Delaune January 2018 ProVerif [Blanchet, 01] ProVerif is a verifier for cryptographic protocols that may prove that a protocol is secure or exhibit attacks. http://proverif.inria.fr Advantages

727 views • 39 slides
Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

First-order Predicate Logic Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but useless in practice. We upgrade resolution to make it work for predicate logic. 2 Recall: resolution in propositional

790 views • 32 slides
Verifying Richard Birds On building trees of The algorithm Implementation minimum

Verifying Richard Birds On building trees of The algorithm Implementation minimum

The pearl Verifying Richard Birds On building trees of The algorithm Implementation minimum height L.T. van Binsbergen J.P. Pizani Flor Department of Information and Computing Sciences, Utrecht University Wednesday 26 th June, 2013

234 views • 11 slides
Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza,

Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza,

Verifying an algorithm computing Discrete Vector Fields for digital imaging J. Heras, M. Poza, and J. Rubio Department of Mathematics and Computer Science, University of La Rioja Calculemus 2012 Partially supported by Ministerio de

797 views • 69 slides
Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ?

Jet Vertex Resolution Study What is the ZVertex Algorithm used to pick the Jet Vertex ? Pros and Cons with respect to Double Parton Analysis. Resolution of the COT Only,SVX Only and COT+SVX Tracks in the Jets Calculating the Jet

326 views • 4 slides
Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics

Extending the GVW Algorithm to Local Ring Fanghui Xiao Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, CAS Joint work with Dong Lu, Dingkang Wang and Jie Zhou July 16-19, 2018, City University of New

571 views • 39 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel

Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel

Why coercions? A naive algorithm Constraint-based algorithm Conclusion Extending Hindley-Milner Type Inference with Coercive Structural Subtyping Dmitriy Traytel Stefan Berghofer Tobias Nipkow APLAS 2011 Isabelle nat<:int =

1.23k views • 61 slides
Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of

Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of

Introduction Verifying a Robot Swarm Algorithm Dealing with Uncertainty Conclusions Verifying Properties of Robot Swarms Clare Dixon Dept. of Computer Science University of Liverpool, UK cldixon@liverpool.ac.uk in collaboration with

289 views • 25 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq

verifying SHA using VST Freek Wiedijk last paper in the reading list of Type Theory & Coq 20152016 Radboud University Nijmegen June 16, 2016 0 SHA and VST SHA = Secure Hash Algorithm VST = Verified Software

740 views • 69 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN

CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN

CCP Resolution: proposal for an EU Regulation and FSB Guidance on CCP Resolution 2ND EUROPEAN RECOVERY AND RESOLUTION SUMMIT Frankfurt, 5 July 2017 David Blache, Deputy Director for Resolution, ACPR (Resolution Authority, France) 1

292 views • 27 slides
Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model

Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model

Lecture Slides for MAT-60556 PART IV: First Order Logic: Resolution, Logic programming and Model theory Henri Hansen October 1, 2013 1 Resolution Resolution is a sound and complete algorithm for propositional logic: A formula in clausal

543 views • 40 slides
Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++

Extending ns Padma Haldar USC/ISI 1 Outline Extending ns In OTcl In C++ Debugging 2 ns Directory Structure ns-allinone Tcl8.3 TK8.3 OTcl tclcl ns-2 nam-1 ... tcl C+ + code ex test mcast ... lib examples

965 views • 52 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability

Extending CSP with tests for availability 01 Extending CSP with tests for availability Gavin Lowe Extending CSP with tests for availability 02 Testing for availability Many languages for message-passing concurrency allow programs to test

541 views • 19 slides
Hoare-like Logics for Verifying and Applications Inferring Conditional Information Flow Loops

Hoare-like Logics for Verifying and Applications Inferring Conditional Information Flow Loops

Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Hoare-like Logics for Verifying and Applications Inferring Conditional Information Flow Loops and Arrays Foundations and Limitations Conclusion Torben Amtoft

456 views • 28 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
SIGBI Limited General Meeting 2019 Resolutions 1-6 Resolution 1 Resolution 2 Resolution 3

SIGBI Limited General Meeting 2019 Resolutions 1-6 Resolution 1 Resolution 2 Resolution 3

SIGBI Limited General Meeting 2019 Resolutions 1-6 Resolution 1 Resolution 2 Resolution 3 Resolution 4 Resolution 5 Resolution 6 SIGBI Articles SIGBI Byelaws SIGBI Byelaw SIGBI Region/ SIGBI Club Membership 8.1 NA/Network/

533 views • 8 slides
RESOLUTION OF LOCAL INCONSISTENCY IN IDENTIFICATION Douglas Ray Anderson # and Martin Zwick*

RESOLUTION OF LOCAL INCONSISTENCY IN IDENTIFICATION Douglas Ray Anderson # and Martin Zwick*

RESOLUTION OF LOCAL INCONSISTENCY IN IDENTIFICATION Douglas Ray Anderson # and Martin Zwick* Systems Science Ph.D. Program & Portland State University Portland OR 97027 Abstract This paper reports an algorithm for the resolution of local

273 views • 9 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
Extending MCTS 2-17-16 Reading Quiz (from Monday) What is the relationship between Monte Carlo

Extending MCTS 2-17-16 Reading Quiz (from Monday) What is the relationship between Monte Carlo

Extending MCTS 2-17-16 Reading Quiz (from Monday) What is the relationship between Monte Carlo tree search and upper confidence bound applied to trees? a) MCTS is a type of UCT b) UCT is a type of MCTS c) both (they are the same algorithm)

432 views • 16 slides

More recommend