Maude Implementation of MSR Demo Mark-Oliver Stehr Cast Stefan - PowerPoint PPT Presentation

Maude Implementation of MSR Demo Mark-Oliver Stehr Cast Stefan Reich University of Illinois, Analyst Urbana-Champaign (Iliano Cervesato) Programmer ITT Industries @ NRL Customer http://theory.stanford.edu/~iliano/ Protocol eXchange - UMBC September 21, 2004

What the What the What the What the What the customer project analyst programmer consultant explained manager designed delivered defined understood  What was What was What the How it was What the installed client was maintained client documented charged needed MSR in Maude From http://muetze.net/links/fun/kundenprojekte-e.html 1/22

Big Picture Protocol specs. MSR Maude Security goals MSR Maude • • Protocol specification Flexible specification   language framework Multiset rewriting Rewriting logic   Dependent types Equational reasoning   Existentials Reflection   MSR in Maude 2/22

Implemented Architecture MSR OCC OCC Maude This MSR- RWLDT prototype work Simulation Parsing - Execution Type checking Security Analysis Goal DAS? - Search engine - Model checker Analysis - Theorem provers MSR in Maude 3/22

Bestiary MSR- •  MSR (2) with some restrictions RWLDT •  Rewriting Logic with Dependent Types  Typed version of Maude OCC •  Open Calculus of Constructions  Mark-Oliver’s thesis (589 pages)  Prototype implemented in Maude MSR in Maude 4/22

Advantages over MSR  Maude Separation of concerns •  MSR -> RWLDT Preserves terms and types  Maps operations   RWLDT: takes care of type checking  Maude: untyped execution Abstraction •  MSR and RWLDT have similar types and terms  Emulate MSR execution in RWLDT  Shallow encoding Reasoning •  Express verification tasks in OCC [future work] MSR in Maude 5/22

MSR  MSR- Small changes to simplify encoding Work-arounds • Emulated via  Subtyping pre-processing Coercions  Omissions • Future work  Data Access Specification Additions • Beta version  Equations MSR in Maude 6/22

Supported Operations Parsing for MSR- •  Minor limitations (currently worked on) Type reconstruction •  Rule-level missing (currently worked on) Type checking • Simulation • Indirect via OCC (currently worked on)   search [n] (goal)  rew [n] (goal)  choose n MSR in Maude 7/22

Example: Otway-Rees Protocol 1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S … A, B, C, … have keys to S S • A and B want to talk • C Use S to get common key •  Key distribution B A  Authentication MSR in Maude 8/22

1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S MSR Spec. 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S Types • msg, princ, nonce: type. shK, stK, ltK: princ -> princ -> type.  Subsorting princ, nonce, stK A B <: msg. stK A B, ltK A B <: shK A B. Constructors • _ _: msg -> msg -> msg. {_} _ : msg -> shK A B -> msg. S : princ. Predicates • N: msg -> state. Roles for • Next slide  S  A, B Principals • ... and keys MSR in Maude 9/22

1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S B’s Role 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y ∀ B:princ. B S -> state . ∃ L: Π B:princ. nonce * nonce * ltK ∀ A:princ. ∀ n:nonce. ∀ k B S B S . ∀ X:msg. :ltK  N(n A B X) ∃ n B :nonce. N(n A B X {n b n A B}k B S ), L(A, B, n, n B , k B S ) ∀ A:princ. ∀ n, n B :nonce. ∀ k B S :ltK B S . ∀ Y:msg. ∀ k AB :stK A B. N (n Y {n B k AB } kB S ),  L(A, B, n, n B , k B S ) N (n Y) MSR in Maude 10/22

Main Features of MSR Open signatures More • • Multiset rewriting • Constraints  Msets of F.O. formulas Modules   Rules  Equations  ∀ (LHS  ∃ n: τ . RHS) Static checks • Existentials  Type checking  Roles  Data access spec. ∀ A. ∃ L: τ . r  Types Execution • • Possibly dependent  Subsorting  Black = implemented Type reconstruction  Brown = work-around Red = future work MSR in Maude 11/22

Rewriting Logic with Dep. Types Combination of methodologies • Conditional rewriting modulo equations  ∀ x:S. A = B if C (generalizes equational logic)  ∀ x:S. A => B if C (generalizes rewriting logic)  Dependent type theory  λ x:S. M : Π x:S T (generalizes simple types)  Fragment of Open Calculus of Constructions Features • Open computation system  Proposition-as-types interpretation  ∀ x:S. P(x) interpreted as Π x:S. P(x)  – Expressive higher-order logic Model-theoretic semantics  MSR in Maude 12/22

Example: Commutative Monoid state: Type. empty: state. Structural union: state -> state -> state. equality state_comm: || {s 1 ,s 2 : state} (union s 1 s 2 ) = (union s 2 s 1 ). state_assoc: || {s 1 ,s 2 ,s 3 : state} (union s 1 (union s 2 s 3 )) = (union s 1 (union s 2 s 3 )). state_id: || {s : state} s:state. … Π (union s empty) = s. This implements MSR’s state • MSR in Maude 13/22

Encoding Strategy Types and terms • Homomorphic mapping  Subsorting via coercions  States • RWLDT terms  Roles • Add 1 RWLDT rewrite axiom for role instantiation  Simulate ∃ using counters  Rules • Mapped to RWLDT rewrite axioms  Simulate ∃ using counters  Optimizations [not implemented] Reduce non-determinism  MSR in Maude 14/22

Representing Fresh Objects In rules • (…)  ∃ n,n’:nonce. (... n ... n’ …) (done using conditional rewriting) (…), next(c)  (... nonce(c) ... nonce(c+1) …), next(c+2) nonce : nat -> nonce is an injection  In roles • ∃ L 1 ,L 2 . (... (…, L 1 t  ..., L 2 t’ ), ...) Rule j nextL(c)  ..., T j ( λ t . L 1 c t , λ t . L 2 (c+1) t ), ..., nextL(c+2) T j (L 1 ,L 2 ), ..., L 1 t  ..., L 2 t’ ... L i : nat -> τ i -> state are injections  MSR in Maude 15/22

Representing Roles ∀ A:princ. ∃ Ls. (lhs 1  rhs 1 , …, lhs n  rhs n ) princ(A), nextL(c)  T 1 (A,Ls), ..., T n (A,Ls), princ(A), nextL(c’) T 1 (A,Ls), lhs 1  rhs 1 ... T n (A,Ls), lhs n  rhs n Enhancement Force rule application upon activation • princ(A), nextL(c), lhs i  T 1 (A,Ls), ..., rhs i ..., T n (A,Ls), princ(A), nextL(c’)  T i (A,Ls), lhs i  rhs i  MSR in Maude 16/22

Representing Rules ∀ x: τ . lhs  rhs τ (x) , ..., …, lhs  τ (x) , ..., rhs Handles x’s occurring only in rhs •  Allows encoding to untyped rewrite systems  Types τ must be finite and enumerated in state Enhancement •  Limit to x’s occurring only on rhs MSR in Maude 17/22

Optimizations [not implemented] Use single counter •  ∀ A. ∃ L. (lhs  ∃ n. rhs) Minimal control-flow analysis •  Trace uses of L’s  Do not generate unreachable rules T’s often duplicates L’s  Substantial code reduction  Could be further improved MSR in Maude 18/22

Trivia Versions • Alpha (this)  Partial reconstruction  Non-integrated search (exit MSR; call OCC)  No equations  Not-so-pretty-printing  Beta (mid-October – already working, mostly)  Space and Time • 3,700 lines of Maude (1,300 for testing)  6 months designing, 3 months coding  Examples • Otway-Rees  Needham-Schroeder PK  Kerberos (abstract, full, cross-realm – soon)  … more soon …  MSR in Maude 19/22

Wanna Play? http://formal.cs.uiuc.edu/stehr/msr.html http://theory.stanford.edu/~iliano/MSR/ Download •  Currently alpha-release  Soon beta-release Papers • News • MSR in Maude 20/22

Future Work Short-term •  Complete beta-released  Get degree (Stefan) Medium term – language •  Library of protocols  Data Access Specification  MSR 3 Embedded rules and more  Medium/long-term – Verification •  Implement various methodologies  MSR as verification middleware MSR in Maude 21/22

22/22 Demo Time!!! MSR in Maude