Maude Implementation of MSR Mark-Oliver Stehr Stefan Reich University of Illinois, Urbana-Champaign (Iliano Cervesato) ITT Industries @ NRL http://theory.stanford.edu/~iliano/ IPCS - Savannah, GA October 1, 2004
What the What the What the What the What the customer project analyst programmer consultant explained manager designed delivered defined understood What was What was What the How it was What the installed client was maintained customer documented charged needed MSR in Maude From http://muetze.net/links/fun/kundenprojekte-e.html 1/28
Project Objectives MSR Uncommitted specification language Tabula rasa w.r.t. verification Implement MSR in compatible language • Maude Port range of verification methodologies • MSR implementation as verification middleware Compositional verification Verify large protocol suites • Kerberos (in fine detail) Too hard using a single methodology MSR in Maude 2/28
Big Picture Protocol specs. MSR Maude Security goals MSR Maude • • Protocol specification Flexible specification language framework Multiset rewriting Rewriting logic Dependent types Equational reasoning Existentials Reflection MSR in Maude 3/28
Implemented Architecture MSR OCC OCC Maude This MSR- RWLDT prototype work Simulation Parsing - Execution Type checking Security Analysis Goal DAS - Search engine - Model checker Analysis - Theorem provers MSR in Maude 4/28
Bestiary MSR- • MSR 2.0 with some restrictions and extensions RWLDT • Rewriting Logic with Dependent Types Typed version of Maude OCC • Open Calculus of Constructions Mark-Oliver’s thesis (589 pages) Prototype implemented in Maude MSR in Maude 5/28
Advantages over MSR Maude Separation of concerns • MSR -> RWLDT Preserves terms and types Maps operations RWLDT: takes care of type checking Maude: untyped execution Abstraction • MSR and RWLDT have similar types and terms Emulate MSR execution in RWLDT Shallow encoding Reasoning • Express verification tasks in OCC [future work] MSR in Maude 6/28
MSR MSR- Small changes to simplify encoding Work-arounds • Emulated via Subtyping pre-processing Coercions Omissions • Future work Data Access Specification Additions • Equations Beta version Definitions MSR in Maude 7/28
Supported Operations Parsing for MSR- • Minor limitations (currently worked on) Type reconstruction • Rule-level missing (currently worked on) Type checking • Simulation • Indirect via OCC (currently worked on) search [n] (goal) rew [n] (goal) choose n MSR in Maude 8/28
Example: Otway-Rees Protocol 1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S … A, B, C, … have keys to S S • A and B want to talk • C Use S to get common key • Key distribution B A Authentication MSR in Maude 9/28
1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S MSR Spec. 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S Types • msg, princ, nonce: type. shK, stK, ltK: princ -> princ -> type. Subsorting princ, nonce, stK A B <: msg. stK A B, ltK A B <: shK A B. Constructors • _ _: msg -> msg -> msg. {_} _ : msg -> shK A B -> msg. S : princ. Predicates • N: msg -> state. Roles for • Next slide S A, B Principals • ... and keys MSR in Maude 10/28
1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S B’s Role 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y ∀ B:princ. B S -> state . ∃ L: Π B:princ. nonce * nonce * ltK ∀ A:princ. ∀ n:nonce. ∀ k B S B S . ∀ X:msg. :ltK N(n A B X) ∃ n B :nonce. N(n A B X {n b n A B}k B S ), L(A, B, n, n B , k B S ) ∀ A:princ. ∀ n, n B :nonce. ∀ k B S :ltK B S . ∀ Y:msg. ∀ k AB :stK A B. N (n Y {n B k AB } kB S ), L(A, B, n, n B , k B S ) N (n Y) MSR in Maude 11/28
Main Features of MSR Open signatures More • • Multiset rewriting • Constraints Msets of F.O. formulas Modules Rules Equations ∀ (LHS ∃ n: τ . RHS) Static checks • Existentials Type checking Roles Data access spec. ∀ A. ∃ L: τ . r Types Execution • • Possibly dependent Subsorting Black = implemented Type reconstruction Brown = work-around Red = future work MSR in Maude 12/28
Rewriting Logic with Dep. Types Combination of methodologies • Conditional rewriting modulo equations ∀ x:S. A = B if C (generalizes equational logic) ∀ x:S. A => B if C (generalizes rewriting logic) Dependent type theory λ x:S. M : Π x:S T (generalizes simple types) Fragment of Open Calculus of Constructions Features • Open computation system Proposition-as-types interpretation ∀ x:S. P(x) interpreted as Π x:S. P(x) – Expressive higher-order logic Model-theoretic semantics MSR in Maude 13/28
Example: Commutative Monoid state: Type. empty: state. Structural union: state -> state -> state. equality state_comm: || {s 1 ,s 2 : state} (union s 1 s 2 ) = (union s 2 s 1 ). state_assoc: || {s 1 ,s 2 ,s 3 : state} (union s 1 (union s 2 s 3 )) = (union s 1 (union s 2 s 3 )). state_id: || {s : state} s:state. … Π (union s empty) = s. This implements MSR’s state • MSR in Maude 14/28
Encoding Strategy Types and terms • Homomorphic mapping Subsorting via coercions States • RWLDT terms Roles • Add 1 RWLDT rewrite axiom for role instantiation Simulate ∃ using counters Rules • Mapped to RWLDT rewrite axioms Simulate ∃ using counters Optimizations [not implemented] Reduce non-determinism MSR in Maude 15/28
Representing Fresh Objects In rules • (…) ∃ n,n’:nonce. (... n ... n’ …) (done using conditional rewriting) (…), next(c) (... nonce’(c) ... nonce’(c+1) …), next(c+2) nonce’ : nat -> nonce is an injection In roles • ∃ L 1 ,L 2 . (... (…, L 1 t ..., L 2 t’ ), ...) Rule j nextL(c) ..., T j ( λ t . L’ 1 c t , λ t . L’ 2 (c+1) t ), ..., nextL(c+2) T j (L 1 ,L 2 ), ..., L 1 t ..., L 2 t’ ... L’ i : nat -> τ i -> state are injections MSR in Maude 16/28
Representing Roles ∀ A:princ. ∃ Ls. (lhs 1 rhs 1 , …, lhs n rhs n ) princ(A), nextL(c) T 1 (A,Ls), ..., T n (A,Ls), princ(A), nextL(c’) T 1 (A,Ls), lhs 1 rhs 1 ... T n (A,Ls), lhs n rhs n Enhancement Force rule application upon activation • princ(A), nextL(c), lhs i T 1 (A,Ls), ..., rhs i ..., T n (A,Ls), princ(A), nextL(c’) T i (A,Ls), lhs i rhs i MSR in Maude 17/28
Representing Rules ∀ x: τ . lhs rhs τ (x) , ..., …, lhs τ (x) , ..., rhs Handles x’s occurring only in rhs • Allows encoding to untyped rewrite systems Types τ must be finite and enumerated in state Enhancement • Limit to x’s occurring only on rhs MSR in Maude 18/28
Optimizations [not implemented] Use single counter • ∀ A. ∃ L. (lhs ∃ n. rhs) Minimal control-flow analysis • Trace uses of L’s Do not generate unreachable rules T’s often duplicates L’s Substantial code reduction Could be further improved MSR in Maude 19/28
1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S Otway-Rees (1) 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y <Initial context> <Declarations for types and terms> <Axioms for A> (LB : nat -> ({B : princ} princ -> nonce -> nonce -> (ltK B S) -> state)) (TB1: princ -> princ -> ({B:princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state) (TB2: princ -> princ -> ({B:princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state) ( B11 : ... ) ( B12 : ... ) Optimized away ( B21 : ... ) ( B22 : ... ) <Axioms for S> MSR in Maude 20/28
1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S Otway-Rees (2) 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y B11 : !! {B : princ} {L : {B : princ} princ -> nonce -> nonce -> (ltK B S) -> state} {A : princ}{kBS : (ltK B S)}{X : msg} {fresh,fresh' : nat} {n,nB : nonce} (nB := (NONCE fresh)) -> (L := (LB (suc fresh))) -> (fresh' := (suc (suc fresh))) -> [LB11]: (union (EL (ltK B S) kBS) (union (F fresh) (union (START-2 B) (N (append (nonce-msg n) (append (princ-msg A) (append (princ-msg B) X))))))) => (union (EL (ltK B S) kBS) (union (F fresh') (union (N (append (nonce-msg n) (append (princ-msg A) (append (princ-msg B) (append X (encrypt B S (append (nonce-msg nB) (append (nonce-msg n) (append (princ-msg A) (princ-msg B)))) (ltK-shK B S kBS))))))) (union (L B A n nB kBS) (TB2 A B L))))) MSR in Maude 21/28
Recommend
More recommend