210 likes | 279 Views
Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook. Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang. June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols. Talk Outline. LTL Model Checking Monte Carlo Model Checking
E N D
Monte Carlo Analysis of Security Protocols: Needham-Schroeder RevisitedRadu GrosuSUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols
Talk Outline • LTL Model Checking • Monte Carlo Model Checking • Needham-Schroeder • Implementation & Results • Conclusions & Future Work
? Model Checking Is systemS a model of formula φ?
Model Checking • S is anondeterministic/concurrent system. • is (in our case) an LTL (Linear Temporal Logic) formula. • Basic idea: intelligently explore S’s state space in attempt to establish S⊨ . • Fly in the ointment: State Explosion!
LTL Model Checking • An LTL formula is made up of atomic propositions p, boolean connectives, , and temporal modalities X (neXt) and U (Until). • Every LTL formula can be translated to a Büchiautomaton whose language is set of infinite words satisfying . • Automata-theoretic approach: S⊨ iffL(BS) L(B ) iffL(BS B )=
sn sk+3 sk+2 sk+1 DFS2 DFS1 s1 s2 s3 sk-2 sk-1 sk Emptiness Checking • Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). • Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!
Monte Carlo Model Checking (MC2) • Sample Space: lassos in BS B • Random variable Z : • Outcome = 0 if randomly chosen lasso accepting • Outcome = 1 otherwise • μZ= ∑ pi Zi (weighted mean) • Compute (ε,δ)-approx. of μZ
Monte Carlo Model Checking (MC2) L1 = abcb, L2 = abcdb, L3 = abcdea Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼ μZ = ½ a b c d e
of Z: • Solution: Compute an (,)-approximation Monte Carlo Approximation • Problem: Compute the mean valueμZof a random variableZdistributed in [0,1] when an exact computation of μZ proves intractable. witherror marginandconfidence ratio. • Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨ !
Compute as the mean value of N independent • random variables (samples) identically distributed • according toZ: • Problems: is unknown and can be large. Original Solution[Karp, Luby & Madras: Journal of Algorithms 1989] • Determine Nusingthe Zero-One estimator theorem:
= 4 ln(2/) / 2; for(N=0, S=0; S≤; N++) S=S+ZN; = S/N; return ; • Problem: is in most interesting casestoo large. Stopping Rule Algorithm (SRA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Innovation: computes correct Nwithout using • Theorem: • E[N] ≤ 4 ln(2/) / μZ2;
Optimal Approx Algorithm (OOA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Compute Nusinggeneralized Zero-One estimator: • Apply sequential analysis (prediction/correction): • 1.Assume2 is smalland compute with SRA( ) • 2.Compute using and • 3.Use to correctNand . • Expected number of samplesis optimal to within • a constant factor!
Monte Carlo Model Checking Theorem: MC2 computes an (ε,δ)-approximation of μZin expected time O(N∙D) and uses expected space O(D), where D is the recurrence diameter of B = BS B . Cf. DDFS which runs in O(2|S|+|φ|) timeand space.
Needham-Schroeder • A B : { Na, A } KB • B A : { Na, Nb } KA • A B : { Nb } KB
Breaking & Fixing Needham-Shroeder • In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication withB. • As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg: 2´. B A : { B, Na, Nb } KA
Implementation • Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules. • Specified NS as a reactive module; all communications go through intruder. • Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.
Experimental Results Time and space requirements for DDFS and MC2
Experimental Results ~ Variation of µZ for MC2
Related Approaches • NRL Protocol Analyzer [Meadows 96] • Spi-Calculus [Abadi Gordon 97] • FDR [Lowe 97] • The Strand Space Method [Guttman et al. 98] • Isabelle Theorem Prover [Paulson 98] • Backward Induction [Kurkowski Mackow 03]
Conclusions • Applied Monte Carlo model checking to Needham-Schroeder. • Results indicate may be more effective than traditional approaches in discovering attacks. • Further experimentation required to draw definitive conclusions. • Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!
Monte Carlo Model Checking • Randomized algorithm for LTL model checking utilizing automata-theoretic approach. • Basic idea: Take N samples: sample = lasso = random walk through BS Bending in a cycle. • If accepting lasso (counter-example) found, return false. • Else return true with certain confidence.