maude implementation of msr
play

Maude Implementation of MSR Mark-Oliver Stehr Stefan Reich - PowerPoint PPT Presentation

Maude Implementation of MSR Mark-Oliver Stehr Stefan Reich University of Illinois, Urbana-Champaign (Iliano Cervesato) ITT Industries @ NRL http://theory.stanford.edu/~iliano/ IPCS - Savannah, GA October 1, 2004 What the What the What


  1. Maude Implementation of MSR Mark-Oliver Stehr Stefan Reich University of Illinois, Urbana-Champaign (Iliano Cervesato) ITT Industries @ NRL http://theory.stanford.edu/~iliano/ IPCS - Savannah, GA October 1, 2004

  2. What the What the What the What the What the customer project analyst programmer consultant explained manager designed delivered defined understood  What was What was What the How it was What the installed client was maintained customer documented charged needed MSR in Maude From http://muetze.net/links/fun/kundenprojekte-e.html 1/28

  3. Project Objectives MSR  Uncommitted specification language  Tabula rasa w.r.t. verification Implement MSR in compatible language •  Maude Port range of verification methodologies •  MSR implementation as verification middleware  Compositional verification Verify large protocol suites •  Kerberos (in fine detail)  Too hard using a single methodology MSR in Maude 2/28

  4. Big Picture Protocol specs. MSR Maude Security goals MSR Maude • • Protocol specification Flexible specification   language framework Multiset rewriting Rewriting logic   Dependent types Equational reasoning   Existentials Reflection   MSR in Maude 3/28

  5. Implemented Architecture MSR OCC OCC Maude This MSR- RWLDT prototype work Simulation Parsing - Execution Type checking Security Analysis Goal DAS - Search engine - Model checker Analysis - Theorem provers MSR in Maude 4/28

  6. Bestiary MSR- •  MSR 2.0 with some restrictions and extensions RWLDT •  Rewriting Logic with Dependent Types  Typed version of Maude OCC •  Open Calculus of Constructions  Mark-Oliver’s thesis (589 pages)  Prototype implemented in Maude MSR in Maude 5/28

  7. Advantages over MSR  Maude Separation of concerns •  MSR -> RWLDT Preserves terms and types  Maps operations   RWLDT: takes care of type checking  Maude: untyped execution Abstraction •  MSR and RWLDT have similar types and terms  Emulate MSR execution in RWLDT  Shallow encoding Reasoning •  Express verification tasks in OCC [future work] MSR in Maude 6/28

  8. MSR  MSR- Small changes to simplify encoding Work-arounds • Emulated via  Subtyping pre-processing Coercions  Omissions • Future work  Data Access Specification Additions •  Equations Beta version  Definitions MSR in Maude 7/28

  9. Supported Operations Parsing for MSR- •  Minor limitations (currently worked on) Type reconstruction •  Rule-level missing (currently worked on) Type checking • Simulation • Indirect via OCC (currently worked on)   search [n] (goal)  rew [n] (goal)  choose n MSR in Maude 8/28

  10. Example: Otway-Rees Protocol 1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S … A, B, C, … have keys to S S • A and B want to talk • C Use S to get common key •  Key distribution B A  Authentication MSR in Maude 9/28

  11. 1. A -> B: n A B {n A n A B} KA S 2. B -> S : n A B {n A n A B} KA S {n B n A B} KB S MSR Spec. 3. S -> B: n {n A k AB } KA S {n B k AB } KB S 4. B -> A: n {n A k AB } KA S Types • msg, princ, nonce: type. shK, stK, ltK: princ -> princ -> type.  Subsorting princ, nonce, stK A B <: msg. stK A B, ltK A B <: shK A B. Constructors • _ _: msg -> msg -> msg. {_} _ : msg -> shK A B -> msg. S : princ. Predicates • N: msg -> state. Roles for • Next slide  S  A, B Principals • ... and keys MSR in Maude 10/28

  12. 1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S B’s Role 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y ∀ B:princ. B S -> state . ∃ L: Π B:princ. nonce * nonce * ltK ∀ A:princ. ∀ n:nonce. ∀ k B S B S . ∀ X:msg. :ltK  N(n A B X) ∃ n B :nonce. N(n A B X {n b n A B}k B S ), L(A, B, n, n B , k B S ) ∀ A:princ. ∀ n, n B :nonce. ∀ k B S :ltK B S . ∀ Y:msg. ∀ k AB :stK A B. N (n Y {n B k AB } kB S ),  L(A, B, n, n B , k B S ) N (n Y) MSR in Maude 11/28

  13. Main Features of MSR Open signatures More • • Multiset rewriting • Constraints  Msets of F.O. formulas Modules   Rules  Equations  ∀ (LHS  ∃ n: τ . RHS) Static checks • Existentials  Type checking  Roles  Data access spec. ∀ A. ∃ L: τ . r  Types Execution • • Possibly dependent  Subsorting  Black = implemented Type reconstruction  Brown = work-around Red = future work MSR in Maude 12/28

  14. Rewriting Logic with Dep. Types Combination of methodologies • Conditional rewriting modulo equations  ∀ x:S. A = B if C (generalizes equational logic)  ∀ x:S. A => B if C (generalizes rewriting logic)  Dependent type theory  λ x:S. M : Π x:S T (generalizes simple types)  Fragment of Open Calculus of Constructions Features • Open computation system  Proposition-as-types interpretation  ∀ x:S. P(x) interpreted as Π x:S. P(x)  – Expressive higher-order logic Model-theoretic semantics  MSR in Maude 13/28

  15. Example: Commutative Monoid state: Type. empty: state. Structural union: state -> state -> state. equality state_comm: || {s 1 ,s 2 : state} (union s 1 s 2 ) = (union s 2 s 1 ). state_assoc: || {s 1 ,s 2 ,s 3 : state} (union s 1 (union s 2 s 3 )) = (union s 1 (union s 2 s 3 )). state_id: || {s : state} s:state. … Π (union s empty) = s. This implements MSR’s state • MSR in Maude 14/28

  16. Encoding Strategy Types and terms • Homomorphic mapping  Subsorting via coercions  States • RWLDT terms  Roles • Add 1 RWLDT rewrite axiom for role instantiation  Simulate ∃ using counters  Rules • Mapped to RWLDT rewrite axioms  Simulate ∃ using counters  Optimizations [not implemented] Reduce non-determinism  MSR in Maude 15/28

  17. Representing Fresh Objects In rules • (…)  ∃ n,n’:nonce. (... n ... n’ …) (done using conditional rewriting) (…), next(c)  (... nonce’(c) ... nonce’(c+1) …), next(c+2) nonce’ : nat -> nonce is an injection  In roles • ∃ L 1 ,L 2 . (... (…, L 1 t  ..., L 2 t’ ), ...) Rule j nextL(c)  ..., T j ( λ t . L’ 1 c t , λ t . L’ 2 (c+1) t ), ..., nextL(c+2) T j (L 1 ,L 2 ), ..., L 1 t  ..., L 2 t’ ... L’ i : nat -> τ i -> state are injections  MSR in Maude 16/28

  18. Representing Roles ∀ A:princ. ∃ Ls. (lhs 1  rhs 1 , …, lhs n  rhs n ) princ(A), nextL(c)  T 1 (A,Ls), ..., T n (A,Ls), princ(A), nextL(c’) T 1 (A,Ls), lhs 1  rhs 1 ... T n (A,Ls), lhs n  rhs n Enhancement Force rule application upon activation • princ(A), nextL(c), lhs i  T 1 (A,Ls), ..., rhs i ..., T n (A,Ls), princ(A), nextL(c’)  T i (A,Ls), lhs i  rhs i  MSR in Maude 17/28

  19. Representing Rules ∀ x: τ . lhs  rhs τ (x) , ..., …, lhs  τ (x) , ..., rhs Handles x’s occurring only in rhs •  Allows encoding to untyped rewrite systems  Types τ must be finite and enumerated in state Enhancement •  Limit to x’s occurring only on rhs MSR in Maude 18/28

  20. Optimizations [not implemented] Use single counter •  ∀ A. ∃ L. (lhs  ∃ n. rhs) Minimal control-flow analysis •  Trace uses of L’s  Do not generate unreachable rules T’s often duplicates L’s  Substantial code reduction  Could be further improved MSR in Maude 19/28

  21. 1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S Otway-Rees (1) 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y <Initial context> <Declarations for types and terms> <Axioms for A> (LB : nat -> ({B : princ} princ -> nonce -> nonce -> (ltK B S) -> state)) (TB1: princ -> princ -> ({B:princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state) (TB2: princ -> princ -> ({B:princ} princ -> nonce -> nonce -> (ltK B S) -> state) -> state) ( B11 : ... ) ( B12 : ... ) Optimized away ( B21 : ... ) ( B22 : ... ) <Axioms for S> MSR in Maude 20/28

  22. 1. A -> B: n A B X 2. B -> S : n A B X {n B n A B} KB S Otway-Rees (2) 3. S -> B: n Y {n B k AB } KB S 4. B -> A: n Y B11 : !! {B : princ} {L : {B : princ} princ -> nonce -> nonce -> (ltK B S) -> state} {A : princ}{kBS : (ltK B S)}{X : msg} {fresh,fresh' : nat} {n,nB : nonce} (nB := (NONCE fresh)) -> (L := (LB (suc fresh))) -> (fresh' := (suc (suc fresh))) -> [LB11]: (union (EL (ltK B S) kBS) (union (F fresh) (union (START-2 B) (N (append (nonce-msg n) (append (princ-msg A) (append (princ-msg B) X))))))) => (union (EL (ltK B S) kBS) (union (F fresh') (union (N (append (nonce-msg n) (append (princ-msg A) (append (princ-msg B) (append X (encrypt B S (append (nonce-msg nB) (append (nonce-msg n) (append (princ-msg A) (princ-msg B)))) (ltK-shK B S kBS))))))) (union (L B A n nB kBS) (TB2 A B L))))) MSR in Maude 21/28

Recommend


More recommend