1 / 30

Process Theory: Strands

This tutorial delves into the use of Formal Methods (FM) in academia and industry, discussing syntax, semantics, and real-world applications. Understand how FM can prove security protocols and bridge the gap between theoretical concepts and practical implementations.

vaughanj
Download Presentation

Process Theory: Strands

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Process Theory: Strands A Tutorial Presented by: Brian Kellogg and Jack G. Nestell Michigan State University Computer Science and Engineering Course CSE914 Professor: Dr. Cheng

  2. Tutorial Overview: • Brief FM discussion Academia vs. Industry • Strands Introduction • Concepts • Syntax and semantics • Example • Tool support-Athena • Strands as applied to real-world • Conclusion • References

  3. Informal Discussion on Formal Methods It is critical that one understand terms, syntax, and semantics.Build the foundation. 1 ½ hour is not nearly Enough to go into much depth and detail on syntax and semantics on any language. At this point, for our presentations, it is critical to understand the ideas and utilization, and differences, between each FM, specification languages, and support tools. How are these FM's currently being used? What is potential for the “real-world”? The two different worlds of computer science: That of industry/commercial and that of academia. “That of industry/commercial and that of academics. I think that ultimately industry determines to a great extent what the needs are and how they can/will be used. But, academics is able to developed and deliver those needs and new technologies. I want to know how this "cool stuff" is being applied to my world and my IT collogues out here implementing, managing, and maintaining IT solutions everyday of our lives. Who really cares about something (technology) that has no potential of ever doing anything for folks like me and the companies we work for? “ Two different ways to approach our discussion: In our lectures are we trying to build support for what our FM's and specification language is capable of? Or, are we trying to defend the specification language and stating that it is worthy? The objective of this course is to demonstrate how these FM's and specification languages can used to prove security protocols under a given dynamic and often unique environment.

  4. Informal Discussion on Formal Methods Due to the dynamic and unique environment, FM’s need to be put to the test by the authors in a real-world proof, not by a bench-mark. I know the value of benchmarks in my world, the computer networking world. I was hoping that the authors actually proved how well and how valuable Formal Methods are, by testing, validating, and proving the correctness of some neat, new, security protocol. This, to me, is what I crave. Ultimately the language has to be used in a real world if it is to prove the correctness of real world protocols. Our job here as researchers, scholars and academics is to prove the correctness of real-world protocols that will keep my company that I work for and our partners from having performance, fault-tolerant and security issues and breeches “What has it done and where is it used. FM's have to be proven and designed and security protocols have to be proven and designed as well. How was this benchmark designed? Who designed it? What security protocol is it modeled after? Is if modeled after an existing security protocol at all? If not, what good is the benchmark? If not, what good is the specification language? If so, tell me more. Convince me that the purpose of the specification language and the benchmark and therefore the security protocol That my companies uses on our Extranet and VPN is all good. Convince me that I am doing my job by using this protocol solution.” “I am not saying to go into detail on a complicated security protocol. But, using it against a benchmark is boring me. Let's face it, you don't do something at this level to have it be forgotten and deemed useless. I understand the value of a good benchmark and I also understand its purpose. We are studying/testing FM's, not protocols. Or are we? Or, visa versa? A security protocol benchmark is not something that is used to protect my company and our partners from the real-world. Then what good is it? It is good to test our FM, but for our FM to be proven doesn't it have to be tested against "real-world" data in a real world environment? That is my point. I just want to take our studies a step further. Don't tell me just how (I'll learn that in text books)..........tell me who, where, when, why and for what reasons. “ This “issue” is much more complex than it may first appear. How are FM's as applied to network security relate to its usefulness and intent in the world of IT management and industry ................. CONCLUSION: Real world case studies.

  5. Strands Introduction: Security protocols are often found later to have flaws. We need a way to eliminate poor design. Therefore, goal of any FM: We need to find errors in bad protocols and prove correct those protocols that contain no flaws. Strands utilizes both model checking and theorem proving techniques. Strand Space Model allows one to represent the problem domain in a very natural way. SSM Advantage: It contains the exact casual participant relation information. This allows one to Derive simply proofs of a protocols correctness (as compared to TBM). Under the conditions of a Strand concept: Proving or disproving a protocol must be expressed in terms of the interactions and connections between strands of different kinds.

  6. Assumptions Made by Authors • Certain data items (nonces and keys) are fresh and arise in more than one run of protocol • Work with an explicit model of potential penetrator actions • Allows one to prove the the notions of secrecy and authentication correctness. • Important point:A strand space models the assumption that some values are impossible for a penetrator to guess. • Strand must must be sent before it can be received. • Keys will be invented only once during the life time of the protocol. The effectiveness of a security protocol and the correctness of the protocol depends on the “freshness” and Validity of the data, keys, and nonces. • Only one strand “originates” the data by initially sending message containing it. • Goal of this tutorial: to demonstate how this method allows one to clearly observe why the • Protocol is correct, and the assumptions required.

  7. Strands Concepts: Term-used to represent the messages in a protocol. Text terms ():principal names, nonces, or data (bank account numbers) Key terms (): a set of keys disjoint from . Actions: The set of actions Act that protocol principles follow throughout the execution of a protocol. Include send(+) and receive(-). Events: A pair (action,a) where action  Act, and a  A is the argument of the action from the set of terms. +A and (+A)* Protocol-defines the sequence of events/rules for each principal’s role. Strand- A prinipals actions in a specific protocol run (is a instance of a role) a sequence of events. A representation of an execution by a Legitimate party in a security protocol or a sequenve of actions by a Penetrator. A sequence of events that a single principal may engage in. A linear structure, the squence on a principal’s message ‘sends’ and ‘recieves’. Strand Space- a collection of strands and a “graph structure”generated by casual interaction. A sequence of message Transmisions And receptions…with specific values of all data. Therefore, a Sequential process. Contains all the legitinate executions of the Protocol expected within it’s useful lifetime, together with penetrator Strands. Graph Structure- Explain in detail this graph structure. How is it Build?

  8. Strands Concepts: • Penetrator strand:term transmissions and receptions that model a basic capability that one may assume the • penetrator posses. • Penetrator Strands include: • Obtaining a symmetric key and a term encrypted using that key, and then being able to send the result of decrypted message. • Obtaining two terms and sending the result of concatenating them. How can this be a threat? • Sending a data item that the penetrator strand may know. • Penetrator actions are therefore modeled by connecting different penetrator strands.

  9. Strands Concepts: Bundles: “Agreement on the act of communication.” A portion of a strand space. Hooked together strands where one strand sends a message to another and another receives that same Message. Does this make sense? How could a security protocol be correct if one strand for each legitimate pricipal involved in session to agree on the the nonces, session keys and rules of the protocol. IMPORTANT Point: Penetrator strands may be included in a bundle of a correctly proven protocol. However, They should not keep legitimate parties from agree on data values or protecting the secrecy of the values Chosen. Why is this? As compared to strands: is a graph-structured entity, representing the communication between a number of Strands. Why do we have/need a linear and a graph-structered represention of strands? To validate the legitmacy of the strands……. Under the conditions of a Strand concept: Proving or disproving a protocol must be expressed in terms of the interactions and connections between strands of different kinds.

  10. Syntax, Semantics, and Definitions • Set A, elemnts are possible messages to be exchange between principles. • t0 t1 means t0 is a subterm of t1 • Transmission (or occurrence) of term with ‘+’ sign and reception with ‘-’. • Definition: A signed term is a pair (,a) with a  A and  one of the symbols +,-. Signed term • can be written as +t or –t. (+A)* is the set of finite sequences of signed terms. • Definition: A strand space over A (possible message) is a set  together with a trace mapping • tr:   (+A)*.

  11. Syntax, Semantics, and Definitions • Definition: For a fixed strand space: • A node is a pair (s,i), with s   and I is an integer satisfying 1 < I < length(tr(s)). Set of nodes denoted by N. • If n=(s,I)  N then index(n)=i and strand(n)=s. • There is an edge n1n2 if and only if term(n1)=+a and term(n2)=-a for some a  A. n1 sends a message to n2, recording a casual link between two strands. • When n1= (s,i) and n2=(s,i+1) are members of N, there is an edge n1  n2 • An unsigned term t occurs in n  N iff t  term(n). What is this stating? • Set I is a set of unsigned terms. The node n  N is an entry point for I iff term(n) = +t for some t  I, and whenever n‘+ n, term(n‘)  I. • An unsigned term t originates on n  N iff n is an entry point for the set I = {t’:t  t’}. • An unsigned term t is uniquely orininating iff t originates on a unique n  N. • IF A term t originates uniquely in a specific strand space, then it is allowed to be a session key • Or nonce.

  12. Syntax, Semantics, and Definitions • Bundles: • Definitions: Suppose c  ; suppose  c  ; and suppose C = (Nc, c   c)) is a subgraph • Of (N,(  )). C is a bundle if: • C is finite • If n2  Ncand term(n2) is negative, then there is a unique n1 cn2. • If n2  Ncand n1 n2 then n1c n2. • C is acyclic. • In conditions 2 and 3, n2  Ncbecause C is a graph. • Therefore, the above definition formalizes our strand process communication model with three properties: • A process (strand) may send or recive a message, but not at the same time. • When a strand recieves a message m, there is a unique node trnsmitting m from which the message was • immediately received; • When a strand tramsmits a message m, many strands may immediately receive m.

  13. Bundle Example: +b +a -a -c +c +c -d +d -e -e -f +f +g

  14. Syntax, Semantics, and Definitions A node n is in a bundle C=(Nc,c,  c), written n C, if n2  Nc; a strand s is in C if all of its nodes are in Nc. If C is a bundle, then C-height of a strand s is the largest i such that (s,i)  C. Definition: If S is a set of edges, I.e. S  ,then <sis the transitive closure of S, and < s is the reflexive, Transitive closure of S. Lemma: Suppose C is a bundle. Then < c is a partial order, I.e. a reflexive, antisymmetric, transitive relation. Every non-empty subset of the nodes in C has < c minimal members. “What did he know and when did he know it?” Lemma: Suppose C is a bundle, and S  C is a set of nodes such that uns_term(m) = uns_term(m’) implies that m  S iff m’  S, for all nodes m,m’. If n is a <c -minimal member of S, then the sign of n is positive. PROOF: If term(n) were negative, then by the bundle proprty, n’ n for some n’  C and sign apart, term(n) = term(n’). Hence, n’  S, violating the minimality property of n. Lemma: Suppose C is a bundle, t  A andn  C is a a <c -minimal element of {m  C: t term(m)}. The node n is an originating occurrence for t. PROOF: By Lemma 2.7, the sign of n is positive. If n’ < n lies on the strand of n, then n’  C, therefore by the minimality property of n, t term(n’). Thus n is originating for t. Terms and Encryption: (Examples to be given on board)

  15. Penetrator Strands Ideals: a method to prove additional bounds on the abilities of the penetrator. A penetrator’s effectiveness relies on a set of keys known initially to the penetrator and a set of strands that allow the penetrator create new messages from compromised messages. Atomic actions that a penetrator can envoke are encoded in a set of penetrator traces. Definition: Penetrator traces: M. Test message: (+t) where t  T F. Flushing: (-g) T. Tee: (-g,+g,+g) C. Concatenation: (-g,-h,+gh) S. Separation into components: (-gh,+g,+h) K. Key: (+K) where K  Kp. E. Encryption:(-K,-h,+{h}K). D. Decryption: (-K-1,-{h}K, +h). Definition: An infiltrated strand space is a pair (,P) with  a strand space and P   such that tr(p) is a penetrator trace for all p  P.

  16. Example: Needham-Schroeder Protocol 1. A 2. B 3. Note: The original protocol has 7 steps. This is reduced to 3 steps by removing communication to a key server.

  17. Flaw in Needham-Schroeder Protocol • Introduce an Intruder I • A establishes a session with I (AI, {NA, A}PK(I)) • I establishes a session with B using A’s info (IB, {NA, A}PK(B)) • B responds to I (BI, {NA, NB}PK(A)) • I uses A as an oracle (IA, {NA, NB}PK(A)) • A returns NB to I (AI, {NB}PK(I)) • I decrypts NB and returns it to B (IB, {NB}PK(B)) • B now believes it has successfully run the protocol with A

  18. Needham-Schroeder-Lowe Protocol 1. A 2. B 3.

  19. NSL Strand Spaces • Σ, Р in an infiltrated NSL space if Σ is the union of three types of strands • Penetrator strands s  P • Initiator strands with trace s  Init(A, B, Na, Nb) defined as: <+{NaA}KB, -{NaNbB}KA, +{Nb}KB> where A, B are  Tname, Na, Nb T but Na  Tname. • Responder strands with trace s  Resp(A, B, Na, Nb) defined as: <-{NaA}KB, +{NaNbB}KA, -{Nb}KB> where A, B are  Tname, Na, Nb T but Nb  Tname.

  20. Example: Responder’s Guarantee • Suppose the following: • Σ is an NSL space, C is a bundle in Σ, and s is a responder strand in Resp[A, B, Na, Nb] • Ka-1  KP • Na  Nb and Nb is uniquely originating in Σ • What we want to prove: • C contains the initiator’s strand t  Init[A, B, Na, Nb]

  21. Responder’s Guarantee Continued • A few definitions: • Node <s,2> outputs the value {NaNbB}KA and is referred to as node n0 with term v0 • Node <s,2> outputs the value {Nb}KB and is referred to as node n3 with term v3 • Nodes n1 and n2 will be introduced in the proof such that n0 < n1 < n2 < n3

  22. Responder’s Guarantee: First Lemma • Lemma 1: Nb originates at n0 • By assumptions made on last slide Nb v0 and n0 has a positive sign, so we only need to check that Nb n’, where n’ is the node <s,1> that comes before n0 on the same strand. • Proof: • n’ = {NaA}KB so we just need to make sure that Na  Nb and A  Nb • Na  Nb is part of the hypothesis • A  Nb is true because in the definition Nb  Tname

  23. Figure for Lemma 1 {NaA}KB <s,1> v0 {NaNbB}KA n0 . . . Nb . . . n2 v3 {Nb}KB n3

  24. Responder’s Guarantee: Second Lemma • Lemma 2: Establish that the crucial step is taken by a regular strand and not a penetrator strand such that set S = {n  C : Nb term(N) ^ v0 term(n)} has a -minimal node n2 that is a regular strand with a positive sign. • Proof: • We first establish that S is not an empty set • Since n3  C and n3 contains Nb but it is not a subterm of v0, S is non-empty • Due to lemmas stated earlier, S has at least a minimal element n2 and it is positive

  25. Second Lemma Continued • Now confirm n2 is a normal strand as opposed to a penetrator strand • M. <+t> where t  T. For NSL, it has trace tr(p) in the form of <+t> so t = Nb. This implies Nb originates on this strand but that is a contradiction of our first lemma. • F. The trace tr(p) has the form <-g>. But we have positive nodes so this is not valid. • (etc) Many other atomic actions a penetrator has available must be proven false.

  26. Outline of Rest of Proof The remainder of the proof is similar to the above adding more definitions and lemmas. It goes on to prove n1 precedes n2 on strand t and that t is the initiator strand. It also shows that term n1 contains {NaNbB}KA. This satisfies what we originally wanted to prove: C contains the initiator’s strand t  Init[A, B, Na, Nb]

  27. Tool Support: Athena • Implemented using Standard ML (Meta Language) of New Jersey • ML is a functional programming language written in the 1980’s by the Laboratory for Foundations of Computer Science (LFCS) • Attractive language for formal methods since it is “safe” i.e. all bugs are caught at compile time or handled gracefully at run time • Input consists of a protocol description and a set of security properties. You can also specify additional pruning theorems if available.

  28. Tool Support: Athena • Athena extends the Strand Space Model and uses model checking and theorem proving approaches • Able to determine error in the Needham-Schroeder protocol in a fraction of a second • Example of extension: Adds in the notation of an interm relation , such that a1 is an interm of a2 if a1 can be extracted from a2 without needing decryption. • Paper cites reference for information on Athena, but the link only links to the authors papers and research interest. Other than a link to the paper on Athena, there is no place to download this tool.

  29. Strands as applied to real-world Conclusion

  30. References 1) F. Javier Thayer Fábrega, Jonathon C. Herzog, and Joshua D. Guttman “Strand Spaces: Proving Security Protols Correct”, the MITRE Corporation, 1998 IEEE 2) F. Javier Thayer Fábrega, Jonathon C. Herzog, and Joshua D. Guttman “Strand Spaces: Proving security Protocols Correct”, Appears in Joutnal of Computer Security, 7 (1999) pages 191-230 3) †Dawn Song, ‡Sergey Berezin, †Adrian Perrig “Athena: a novel approach to efficient automatic security protocol analysis” † dept. of Computer Science, UC Berkley ‡dept. of Computer Science, Carnegie Mellon University 4) Dawn X. Song, “Athena: a New Efficient Automatic Checker for Security Protocol Analysis” 5) John Rushby, “Security Requirements Specifications: How and What?”, Computer Science Laboratory, SRI International 6) F. Javier Thayer Fábrega, Jonathon C. Herzog, and Joshua D. Guttman “Honest Ideals on strand Spaces”, The MITRE Corporation 7) Joshua D. Guttman, “Security Goals: Packet Trajectories and Strand Spaces” 8) Scott D. Stoller, “A bound on Attacks on Authentication Protocols”, January 15, 2001

More Related