msr 3
play

MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, - PowerPoint PPT Presentation

Dec 23, 2023 •371 likes •679 views

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One Year Later http://www.cs.stanford.edu/~iliano CS Department, UMBC

  1. MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC One Year Later http://www.cs.stanford.edu/~iliano CS Department, UMBC February 27-28, 2003 Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano Protocol eXchange Seminar, UMBC May 27-28, 2004

  2. A → B: {n A , A} kB B A: {n A , n B } kA → NSPK in MSR 3 A → B: {n B } kB MSR 2 spec. princ . ∀ A: { ∃ L : mset . princ  B:princ.pubK B × nonce → × Interpretation : pubK B . ∀ B: princ. ∀ k B of L • Rule invocation → ∃ n A : nonce .  Implementation net ({n A , A} kB ), L (A, B, k B , n A )  detail Control flow  ∀ B: princ. ∀ k B : pubK B. Local state of  ∀ k A : pubK A. ∀ k A ': prvK k A . role ∀ n A : nonce. ∀ n B : nonce. net ({n A , n B } kA ), L (A, B, k B , n A ) Explicit view  Important for  net ({n B } kB ) → DOS } MSR 3: One Year Later 1/28

  3. A → B: {n A , A} kB B A: {n A , n B } kA → NSPK in MSR 3 A → B: {n B } kB Not an MSR 2 spec. ∀ A:princ. ∀ B: princ. ∀ k B : pubK B. • → ∃ n A : nonce . net ({n A , A} kB ), ( ∀ k A : nonce . : pubK A. ∀ k A ': prvK k A . ∀ n B net ({n A , n B } kA ) → net ({n B } kB )) Succinct State is implicit • • Continuation-passing style Abstract •  Rule asserts what to do next  Lexical control flow  MSR 3: One Year Later 2/28

  4. A → B: {n A , A} kB B A: {n A , n B } kA → Looks Familiar? A → B: {n B } kB Process calculus Parametric strand ∀ A:princ. Alice (A,B,N A ,N B ) : ∀ B: princ. ∀ k B : pubK B. N A Fresh, π A (A,B) : nonce . ∀ k A : pubK A. ∀ k A ': prvK k A . ∀ n B ν n A : nonce . {N A , A} KB net ({n A , A} kB ) . net <{n A , n B } kA > . net ({n B } kB ) . 0 {N A , N B } KA {N B } KB MSR 3: One Year Later 3/28

  5. What is MSR 3? A new language for security protocols Supports •  State transition specs Neutral paradigm Conservative over MSR 2   Process algebraic specs Rewriting re-interpretation of logic •  Rich composable set of connectives Universal connector • MSR 3: One Year Later 4/28

  6. More than the Sum of its Parts Process- and transition-based specs. in the same language Choose the paradigm •  User’s preference  Highlight characteristics of interest  Support various verification techniques (FW) Mix and match styles •  Within a spec.  Within a protocol  Within a role MSR 3: One Year Later 5/28

  7. What is in MSR 3 ? Security-relevant signature • From Network  MSR 1 Encryption, …  Typing infrastructure • From Dependent types  MSR 2 Subsorting  Data Access Specification (DAS) • Module system • From MSR 2 implementation Equations • MSR 3: One Year Later 6/28

  8. ω -Multisets Specification language for concurrent systems Crossroad of • State transition languages  Petri nets, multiset rewriting, …  Process calculi  CCS, π -calculus, …  (Linear) logic  Benefits • Analysis methods from logic and type theory  Common ground for comparing  Multiset rewriting  Process algebra  Allows multiple styles of specification   Unified approach MSR 3: One Year Later 7/28

  9. Syntax A ::= a atomic object | 1 empty [ • ] | A ⊗ B formation [A, B] | A ⎯ο B rewrite [A → B] | T no-op | A & B choice [A || B] | ∀ x. A instantiation | ∃ x. A generation | ! A replication Generalizes FO multiset rewriting (MSR 1-2) ∀ x 1 …x n . a( x ) → ∃ y 1 …y k . b( x , y ) MSR 3: One Year Later 8/28

  10. State and Transitions States • ; Γ ; Δ Σ ; Δ Σ is a list  Σ and Δ are  Γ  Constructor: “,” commutative monoids  Empty: “ • ” Transitions • Σ ; Γ ; Δ Σ ’; Γ ’; Δ ’  Σ ; Γ ; Δ Σ ’; Δ ’  * for reflexive and transitive closure  * MSR 3: One Year Later 9/28

  11. Transition Semantics ; Γ ; ( Δ , A, A ⎯ο B) ; Γ ; ( Δ , B)  ⎯ο Σ Σ T (no rule) & ; Γ ; ( Δ , A 1 & A 2 ) ; Γ ; ( Δ , A i )  Σ Σ ; Γ ; ( Δ , ∀ x. A) ; Γ ; ( Δ , [t/x] A )  ∀ Σ Σ if Σ |- t ; Γ ; ( Δ , ∃ x. A) ( Σ , x) ; Γ ; ( Δ , A)  ∃ Σ ! ; Γ ; ( Δ , !A) ; ( Γ , A) ; Δ  Σ Σ ; ( Γ , A) ; Δ ; ( Γ , A) ; ( Δ , A)  Σ Σ Σ ; ; Σ ;  * Γ Δ Δ Σ ; ; Σ ’’ ; Δ ’’  * Γ Δ if Σ ; ; Σ ’ ; Γ ’ ; Δ ’ and Σ ’ ; Γ ’ ; Δ ’ Σ ’’ ; Δ ’’  *  Γ Δ MSR 3: One Year Later 10/28

  12. Linear Logic Formulas • A, B ::= a | 1 | A B | A ⎯ο B | ! A ⊗ | T | A & B | ∀ x. A | ∃ x. A LV sequents • Constructor: “,”  Empty: “ • ”  ; Δ --> Σ C Γ Goal Unrestricted formula context Linear Signature context MSR 3: One Year Later 11/28

  13. Logical Derivations Proof of C from Δ and Γ Γ ’’’; C --> Σ ’’’ C • Emphasis on C  C is input  Γ ’’; Δ ’’ --> Σ ’’ C Finite • Γ ’; Δ ’ --> Σ ’ C Closed  Rules shown • Major premise  Preserves C  Minor premise  Γ ; Δ --> Σ C Starts subderivation  MSR 3: One Year Later 12/28

  14. A Rewriting Re-Interpretation Transition • Γ ’’’; C --> Σ ’’’ C From conclusion  To major premise  Emphasis on Γ , Δ and Σ  Γ ’’; Δ ’’ --> Σ ’’ C C is output, at best  Γ ’; Δ ’ --> Σ ’ C Does not change  Possibly infinite • Open  Minor premise • Auxiliary rewrite chain  Finite Γ ; Δ --> Σ C  Topped with axiom  MSR 3: One Year Later 13/28

  15. Interpreting Unary Rules Γ ; Δ , A, B --> Σ C Σ ; Γ ; ( Δ , A ⊗ B )  Σ ; Γ ; ( Δ , A, B ) Γ ; Δ , A ⊗ B --> Σ C Σ ; Γ ; ( Δ , ∀ x. A) Σ ; Γ ; ( Δ , [t/x] A ) |- t Γ ; Δ , [t/x]A --> Σ C  Σ if Σ |- t Γ ; Δ , ∀ x.A --> Σ C Γ ; Δ , A --> Σ ,x C Σ ; Γ ; ( Δ , ∃ x. A) ( Σ , x); Γ ; ( Δ , A)  Γ ; Δ , ∃ x.A --> Σ C Γ , A; Δ --> Σ C Σ ; Γ ; ( Δ , !A)  Σ ; ( Γ , A); Δ Γ ; Δ , !A --> Σ C … … MSR 3: One Year Later 14/28

  16. Binary Rules and Axiom Minor premise • Γ ’; A --> Σ ’ A  Auxiliary rewrite chain Top of tree •  Focus shifts to RHS Γ ; Δ ’ --> Σ A Γ ; Δ , B --> Σ C Axiom rule  Γ ; Δ , Δ ’ , A ⎯ο B --> Σ C  Observation MSR 3: One Year Later 15/28

  17. Γ , Γ ’; A’ --> Σ , Σ ’ A’ Observations Γ ; Δ --> Σ ∃Σ ’. A’ Observation states • A ; Δ Σ In Δ , we identify  , with ⊗ = ⊗ Δ  Δ with 1  • Categorical semantics Identified with ∃ x 1 . … ∃ x n .  Δ Σ ; Δ = ∃Σ . ⊗ Δ For Σ = x 1 , …, x n  De Bruijn’s telescopes Observation transitions • Σ ; Γ ; Δ Σ ’; Δ ’  * MSR 3: One Year Later 16/28

  18. Interpreting Binary Rules Σ ; Γ ; Δ Σ ; Δ  * Γ ; A --> Σ A Σ ; Γ ; Δ Σ ’’; Δ ’’  * if Σ ; Γ ; Δ Σ ’; Γ ’; Δ ’  and Σ ’; Γ ’; Δ ’  * Σ ’’; Δ ’’ Γ ; Δ ’ --> Σ A Γ ; Δ , B --> Σ C Σ ; Γ ; ( Δ , Δ ’, A ⎯ο B) Σ ; Γ ; ( Δ , B)  if Σ ; Γ ; Δ ’  * Σ ; A Γ ; Δ , Δ ’ , A ⎯ο B --> Σ C Γ ; Δ ’ --> Σ A Γ ; Δ, A --> Σ C Σ ; Γ ; Δ , Δ ’ Σ ; Γ ; (A, Δ )  if Σ ; Γ ; Δ ’ Σ ; A  * Γ ; Δ , Δ ’ --> Σ C … … MSR 3: One Year Later 17/28

  19. Formal Correspondence Soundness • If ; Γ ; Δ  * Σ , Σ ’; Δ ’ Σ then ; Δ --> Σ ∃Σ ’. ⊗ Δ ’ Γ Completeness? •  No! We have only crippled right rules ; • ; a ⎯ο b, b ⎯ο c  * • ; a ⎯ο c • MSR 3: One Year Later 18/28

  20. System ω With cut, rule for ⎯ο can be simplified to • Σ ; Γ ; ( Δ , A, A ⎯ο B) Σ ; Γ ; ( Δ , B)  Cut elimination holds • = in-lining of auxiliary rewrite chains  But … Careful with extra signature symbols  Careful with extra persistent objects  No rule for  needs a premise • does not depend on  *  MSR 3: One Year Later 19/28

  21. Multiset Rewriting Multiset: set with repetitions allowed • a ::= • | a, a  Commutative monoid Multiset rewriting (a.k.a. Petri nets) •  Rewriting within the monoid  Fundamental model of distributed computing Alternative: Process Algebras   Basis for security protocol spec. languages MSR family  … several others   Many extensions, more or less ad hoc MSR 3: One Year Later 20/28

  22. The Atomic Objects of MSR 3 Atomic terms Constructors Encryption {_} _   Principals A Pairing (_, _)   Keys K Other   Nonces N Signature, hash, MAC, …   Other Raw data, timestamp, …  Predicates  Network net  Memory M A Fully definable  Intruder I  … MSR 3: One Year Later 21/28

Recommend

More recommend