1 / 21

Monte Carlo Analysis: Security Protocols Needham-Schroeder Revisited

Explore Monte Carlo and LTL model checking in security protocols. Includes implementation, results, and insights for future work.

williamanthony
Download Presentation

Monte Carlo Analysis: Security Protocols Needham-Schroeder Revisited

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Monte Carlo Analysis of Security Protocols: Needham-Schroeder RevisitedRadu GrosuSUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols

  2. Talk Outline • LTL Model Checking • Monte Carlo Model Checking • Needham-Schroeder • Implementation & Results • Conclusions & Future Work

  3. ? Model Checking Is systemS a model of formula φ?

  4. Model Checking • S is anondeterministic/concurrent system. •  is (in our case) an LTL (Linear Temporal Logic) formula. • Basic idea: intelligently explore S’s state space in attempt to establish S⊨ . • Fly in the ointment: State Explosion!

  5. LTL Model Checking • An LTL formula is made up of atomic propositions p, boolean connectives, ,  and temporal modalities X (neXt) and U (Until). • Every LTL formula can be translated to a Büchiautomaton whose language is set of infinite words satisfying . • Automata-theoretic approach: S⊨ iffL(BS)  L(B ) iffL(BS  B )=

  6. sn sk+3 sk+2 sk+1 DFS2 DFS1 s1 s2 s3 sk-2 sk-1 sk Emptiness Checking • Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). • Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!

  7. Monte Carlo Model Checking (MC2) • Sample Space: lassos in BS  B • Random variable Z : • Outcome = 0 if randomly chosen lasso accepting • Outcome = 1 otherwise • μZ= ∑ pi Zi (weighted mean) • Compute (ε,δ)-approx. of μZ

  8. Monte Carlo Model Checking (MC2) L1 = abcb, L2 = abcdb, L3 = abcdea Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼ μZ = ½ a b c d e

  9. of Z: • Solution: Compute an (,)-approximation Monte Carlo Approximation • Problem: Compute the mean valueμZof a random variableZdistributed in [0,1] when an exact computation of μZ proves intractable. witherror marginandconfidence ratio. • Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨ !

  10. Compute as the mean value of N independent • random variables (samples) identically distributed • according toZ: • Problems: is unknown and can be large. Original Solution[Karp, Luby & Madras: Journal of Algorithms 1989] • Determine Nusingthe Zero-One estimator theorem:

  11.  = 4 ln(2/) / 2; for(N=0, S=0; S≤; N++) S=S+ZN; = S/N; return ; • Problem: is in most interesting casestoo large. Stopping Rule Algorithm (SRA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Innovation: computes correct Nwithout using • Theorem: • E[N] ≤ 4 ln(2/) / μZ2;

  12. Optimal Approx Algorithm (OOA)[Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Compute Nusinggeneralized Zero-One estimator: • Apply sequential analysis (prediction/correction): • 1.Assume2 is smalland compute with SRA( ) • 2.Compute  using and • 3.Use to correctNand . • Expected number of samplesis optimal to within • a constant factor!

  13. Monte Carlo Model Checking Theorem: MC2 computes an (ε,δ)-approximation of μZin expected time O(N∙D) and uses expected space O(D), where D is the recurrence diameter of B = BS  B . Cf. DDFS which runs in O(2|S|+|φ|) timeand space.

  14. Needham-Schroeder • A  B : { Na, A } KB • B  A : { Na, Nb } KA • A  B : { Nb } KB

  15. Breaking & Fixing Needham-Shroeder • In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication withB. • As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg: 2´. B  A : { B, Na, Nb } KA

  16. Implementation • Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules. • Specified NS as a reactive module; all communications go through intruder. • Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages.

  17. Experimental Results Time and space requirements for DDFS and MC2

  18. Experimental Results ~ Variation of µZ for MC2

  19. Related Approaches • NRL Protocol Analyzer [Meadows 96] • Spi-Calculus [Abadi Gordon 97] • FDR [Lowe 97] • The Strand Space Method [Guttman et al. 98] • Isabelle Theorem Prover [Paulson 98] • Backward Induction [Kurkowski Mackow 03]

  20. Conclusions • Applied Monte Carlo model checking to Needham-Schroeder. • Results indicate may be more effective than traditional approaches in discovering attacks. • Further experimentation required to draw definitive conclusions. • Other Future Work: Use BDDs to improve run time. Also, take samples in parallel!

  21. Monte Carlo Model Checking • Randomized algorithm for LTL model checking utilizing automata-theoretic approach. • Basic idea: Take N samples: sample = lasso = random walk through BS  Bending in a cycle. • If accepting lasso (counter-example) found, return false. • Else return true with certain confidence.

More Related