Automated Reasoning Program Verification Cryptographic Protocol Verification Chris Lynch - PowerPoint PPT Presentation

Slides: 47
Provided by: christop100
Transcript and Presenter's Notes

1
Automated Reasoning, Program Verification, Cryptographic Protocol Verification
Chris Lynch
2
Contents
  • Automated Reasoning
  • Program and Algorithm Verification
  • Cryptographic Protocol Verification

3
Automated Reasoning Program
  • Tell it what you know
  • Tell it what you want to prove
  • It will do inferences
  • Then answer YES or NO

4
Representing Information
  • Use Logic
  • doctor(jerry)
  • likes(ben,sue)
  • likes(brother(ben),sister(jerry))
  • likes(ben,sue) → likes(jerry,sue)
  • father(ben,jerry), father(jerry,sue) →
    grandpa(ben,sue)

5
Inferences
  • Suppose you know likes(ben,sue) and you know
    likes(jerry,sue)
  • Suppose you also know likes(ben,sue),
    likes(jerry,sue) → popular(sue)
  • Then you can infer popular(sue)

6
Decidability
  • This Logic is decidable in O(n)
  • Becomes co-NP complete if I allow OR and NOT
  • likes(ben,sue) OR likes(jerry,sue)
  • NOT likes(ben,sue)

7
Symbols are Uninterpreted
  • Suppose I know father(ben,jerry) and I know
    father(jerry,sue)
  • What can I infer from that?

8
Answer to Trick Question
  • NOTHING
  • I can't infer anything from that
  • I don't know that a father of a father is a
    grandpa, unless you tell me
  • That kind of knowledge is called a theory

9
Inference modulo Theory
  • Grandpa Theory: father(X,Y), father(Y,Z) →
    grandpa(X,Z)
  • Now if you know father(ben,jerry) and
    father(jerry,sue), then you can infer
    grandpa(ben,sue)
  • This inference is modulo Grandpa Theory
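
The inference modulo Grandpa Theory described above, as an added example (not part of the original slides). The function names are assumptions of this sketch, and it handles only flat atoms whose arguments are constants or uppercase variables.

```python
def match(pattern, fact, env):
    """Match one rule atom against a ground fact; uppercase names are variables."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if p[0].isupper():
            if env.setdefault(p, f) != f:   # variable already bound differently
                return None
        elif p != f:                        # constant mismatch
            return None
    return env

def matches(body, facts, env):
    """Yield every variable binding that satisfies all atoms of a rule body."""
    if not body:
        yield env
        return
    for fact in facts:
        e = match(body[0], fact, env)
        if e is not None:
            yield from matches(body[1:], facts, e)

def infer(facts, theory):
    """Forward-chain to a fixpoint: apply every rule until no new fact appears."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in theory:
            for env in list(matches(body, known, {})):
                new = (head[0],) + tuple(env.get(a, a) for a in head[1:])
                if new not in known:
                    known.add(new)
                    changed = True
    return known

FACTS = {("father", "ben", "jerry"), ("father", "jerry", "sue")}
GRANDPA_THEORY = [([("father", "X", "Y"), ("father", "Y", "Z")],
                   ("grandpa", "X", "Z"))]

if __name__ == "__main__":
    print(sorted(infer(FACTS, [])))              # no theory: nothing new
    print(sorted(infer(FACTS, GRANDPA_THEORY)))  # adds grandpa(ben, sue)
```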

10
Automated Reasoning modulo Theory
  • Automated Reasoning modulo a theory is
    undecidable in general
  • But may be decidable and efficient for particular
    theories
  • Given a theory, we would like to know
    decidability and complexity of reasoning modulo
    that theory

11
My Result
  • Given a theory, run my procedure on it
  • If this process halts then reasoning in that
    theory is decidable
  • And procedure will tell you the complexity

12
Equality
  • Equality is the only symbol that always has a
    meaning
  • ben = ben
  • ben = doctor(jerry) → doctor(jerry) = ben
  • doctor(jerry) = ben, ben = chef(sue) →
    doctor(jerry) = chef(sue)
  • father(ben,doctor(jerry)), doctor(jerry) = sue →
    father(ben,sue)

13
Summary of Section 1
  • Automated Theorem proving can be done efficiently
    by a computer
  • But symbols (except for equality) have no meaning
  • Need a Theory to give them meaning
  • But that makes things undecidable
  • Given a Theory of interest, we want to know if
    decidable and how efficient

14
Automated Theorem Provers
  • Automated Reasoning Software exists (OTTER,
    SPASS, SETHEO, WALDMEISTER, VAMPIRE, E)
  • They can handle Automated Reasoning modulo a
    theory
  • But they might run forever

15
Part 2: Program Verification
  • So far, everything I have said is boring,
    because what good is it
  • So now I have to convince you that Automated
    Reasoning is useful for something
  • It is, you know

16
Program Specification
  • Description (in logic) of what your program (or
    algorithm) is supposed to do
  • Example: At the end of this program, a < b and b
    < c
  • Or just statement of a property that should be
    true
  • Example: array never goes out of bounds or
    pointer never gets outside of memory

17
What is Program Verification?
  • Given a Specification and a Program, use an
    Automated Reasoning Program to decide if the
    Program satisfies the Specification
  • If the Program does not satisfy the
    Specification, then there is a bug in the Program

18
Why Automated Verification?
  • Programs are Extremely Complex (Distributed
    Programs, for example)
  • This is way too tedious for a human (more bugs in
    the proof than the program itself)
  • Bugs in Programs kill people (literally)

19
Example 1
  • a = b
  • 1. a = a + 1
  • 2. b = b + 1
  • a = b
  • Need to show that a = b → a + 1 = b + 1
  • We know a + 1 = a + 1, so by substitution a + 1 = b + 1

20
Example 2
  • a = b
  • 1. a = a + 1
  • 2. b = b + 2
  • 3. a = a + 1
  • a = b
  • Need to show a = b → a + 1 + 1 = b + 2
  • Can't do it without a theory of Addition

21
Example 3
  • 1. m = b
  • 2. if (a > b)
  • 3. m = a
  • m >= a and m >= b
  • Need to show a > b → a >= a and a >= b
  • Need to show b >= a → b >= a and b >= b
  • For this you need a theory of inequalities

22
Example 4
  • 1. m = a
  • 2. if (b > m)
  • 3. m = b
  • 4. if (c > m)
  • 5. m = c
  • m >= a and m >= b and m >= c
  • Here you need more properties like transitivity
    of inequalities

23
Summary of Part 2.1
  • Program Verification is a problem of Automated
    Reasoning (and theories are crucially important)
  • Program Verification is an important problem to
    solve
  • By inference, Automated Reasoning is an important
    problem to solve

24
Some Problems
  • Lots of IF statements generate lots of paths
    through program
  • Programmer needs to give invariant for loops
  • There are approaches to those issues, but not for
    me to talk about today

25
Another Problem
  • I want more than a YES or NO answer. If there is
    a bug, I want to know what it is.
  • As a programmer, I would also like to give
    information to specify what kind of bug I want to
    find
  • If possible, I want to know all bugs
  • I do have a solution to this problem

26
Example of Bad Program
  • 1. if (a > b)
  • 2. swap(a,b)
  • 3. if (b > c)
  • 4. swap(b,c)
  • a < b and b < c
  • P_sort does not satisfy S_sort, because c might
    be smallest value

27
Constructing a Model
  • Verifier: What should I verify?
  • Programmer: (P_sort, S_sort)
  • Verifier: Program does NOT meet specs
  • Programmer: Why not?
  • Verifier: Suppose a > b, b > c and a > c
  • Programmer: Thanks, I'll fix it

28
Constructing Preferred Model
  • Programmer: (P_sort,S_sort)
  • Verifier: Program does not meet specs
  • Programmer: Why not?
  • Verifier: What are your preferences?
  • Programmer: a < b, b < c and a < c
  • Verifier: Suppose a < b, b > c and a > c

29
Query Example
  • Programmer: (P_sort,S_sort)
  • Verifier: Program does not meet specs
  • Programmer: Why not?
  • Verifier: What are your preferences?
  • Programmer: a < b, b < c and a < c
  • Verifier: Ask me some queries
  • P: a < b? V: YES
  • P: b < c? V: NO
  • P: a < c? V: NO

30
Constructing All Models
  • Programmer: (P_sort,S_sort)
  • Verifier: Program does not meet specs
  • Programmer: Give me all models
  • Verifier:
  • 1. a < b, b > c, a > c
  • 2. a > b, b > c, a > c
  • Programmer: Thanks, that was fast
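
The "all models" dialogue for P_sort and S_sort, as an added example (not part of the original slides). It assumes three distinct input values, so only their relative order matters, and it replaces the automated reasoner with brute-force enumeration; the function names are hypothetical.

```python
from itertools import permutations

def p_sort(a, b, c):
    """The slide's P_sort: two conditional swaps (deliberately incomplete)."""
    if a > b:
        a, b = b, a
    if b > c:
        b, c = c, b
    return a, b, c

def s_sort(a, b, c):
    """The slide's S_sort: a < b and b < c when the program ends."""
    return a < b and b < c

def rel(x, y):
    """Order relation between two distinct values, as a symbol."""
    return "<" if x < y else ">"

def all_models():
    """Every input ordering for which P_sort violates S_sort."""
    models = set()
    # Assumption: distinct values, so the 6 permutations of (1, 2, 3)
    # cover every possible relative order of a, b and c.
    for a, b, c in permutations((1, 2, 3)):
        if not s_sort(*p_sort(a, b, c)):
            models.add((f"a{rel(a, b)}b", f"b{rel(b, c)}c", f"a{rel(a, c)}c"))
    return sorted(models)

def query(model, literal):
    """Answer a programmer's query such as 'a<b' against one counter-model."""
    return "YES" if literal in model else "NO"

if __name__ == "__main__":
    for number, model in enumerate(all_models(), start=1):
        print(f"{number}. " + ", ".join(model))
```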

31
Infinite Model
  • a + b < 3
  • 1. a = b + 1
  • 2. b = a + 1
  • a + b < 3
  • P_sum3 does not satisfy S_sum3 if (a=0,b=1),
    (a=0,b=2) or (a=1,b=1)

32
Querying Sum3
  • Programmer: (P_sum3,S_sum3)
  • Verifier: Program does not meet specs
  • Programmer: Why not?
  • Verifier: What are your preferences?
  • Programmer: a < 1, b < 1
  • Verifier: Ask me some queries
  • P: a < 1? V: YES
  • P: b < 1? V: NO
  • P: b < 2? V: YES

33
Data Structures in Verification
  • Data Structures can be represented with equations
  • In that case, we use these equations as the
    theory we reason about

34
Theory of Lists
  • car is first item of list, cdr is rest of list,
    cons adds an item onto a list
  • car(cons(x,y)) = x
  • cdr(cons(x,y)) = y
  • cons(car(x),cdr(x)) = x
  • I showed you can reason modulo Theory of Lists in
    O(n lg n)

35
Reasoning with Lists
  • If first element is greater than second then take
    first element of list then second element off
    list, then put second back on, then put first
    back on
  • Prove that first 2 elements are now ordered
  • Need to show car(L) > car(cdr(L)) → car(L') <
    car(cdr(L')) where L' = cons(car(cdr(L)),cons(car(
    L),cdr(cdr(L))))

36
Theory of Arrays
  • get(A,i) is the item at position i of array A
  • store(A,i,x) is the array resulting from storing
    item x at position i of array A
  • get(store(A,i,x),i) = x
  • i ≠ j → get(store(A,j,x),i) = get(A,i)
  • Reasoning in array theory is NP-complete

37
E-unification
  • Question: Find all solutions for x such that x +
    2 = 1 + 2
  • Answer: x = 1
  • Question: Find all solutions for x such that x +
    2 = 3
  • Answer: No solutions
  • Question: Find all solutions for x such that x +
    2 = 3 modulo theory of Addition
  • Answer: x = 1

38
Why E-unification
  • Program Synthesis: automatically creating a
    program from its specifications
  • Protocol Verification: Finding ways of making a
    protocol fail

39
Example of Program Synthesis
  • Program to decide if there are two elements of a
    list of integers that add up to a given integer
  • Find all x and y such that mem(x,cons(0,cons(1,nil
    ))) and mem(y,cons(0,cons(1,nil))) and x + y = 2

40
Cryptographic Algorithm
  • Perform functions like encrypt data
  • Also sign data
  • And other functions

41
Cryptographic Protocols
  • Use Cryptographic Algorithms to perform
    interactions between people
  • Protocols do things like exchanging information
    or keys and use Cryptographic Algorithms to
    ensure secrecy and guarantee you are dealing with
    the right person

42
Example Diffie Hellman Protocol
  • A → B: x^na
  • B → A: x^nb
  • Now A and B can both calculate x^(na·nb), and use
    it for a key to encrypt data, but nobody else can
    calculate it

43
Cryptographic Protocol Analysis
  • Discover if there is any way an intruder can get
    secret information or fool somebody into
    believing something
  • For example, in Diffie Hellman Protocol, an
    intruder can pretend to be A, and have a
    conversation with B

44
Cryptographic Protocol Analysis with Theories
  • Most people do Cryptographic Protocol Analysis
    without Theories
  • NRL Protocol Analyzer works modulo theories
    using E-unification, to model some properties of
    Cryptographic Algorithms
  • For example, in Diffie Hellman Protocol, x^(na·nb)
    = x^(nb·na)
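
Why the exponent theory matters to an analyzer, as an added example (not part of the original slides and not the NRL Protocol Analyzer's code). The symbolic term encoding and all function names are assumptions of this sketch: without the theory the two Diffie Hellman keys are different terms, so neither the honest agreement nor the impersonation mentioned earlier is visible.

```python
# Symbolic terms: atoms are strings, exponentiation is a nested tuple.
def exp(base, e):
    return ("exp", base, e)

def normalize(term):
    """Canonical form modulo exp(exp(x, a), b) = exp(exp(x, b), a):
    flatten nested exponentiations and sort the collected exponents."""
    exps = []
    while isinstance(term, tuple) and term[0] == "exp":
        exps.append(normalize(term[2]))
        term = term[1]
    if not exps:
        return term
    return ("exp", term, tuple(sorted(exps, key=repr)))

def equal_syntactic(s, t):
    """Equality without any theory: terms must be written identically."""
    return s == t

def equal_modulo_theory(s, t):
    """Equality modulo commutativity of the exponents."""
    return normalize(s) == normalize(t)

def honest_run():
    """A -> B: x^na, B -> A: x^nb; each side raises what it received."""
    key_a = exp(exp("x", "nb"), "na")   # A's view of the key
    key_b = exp(exp("x", "na"), "nb")   # B's view of the key
    return key_a, key_b

def impersonation_run():
    """An intruder answers in A's place with its own exponent ni."""
    key_b = exp(exp("x", "ni"), "nb")   # B believes this is shared with A
    key_i = exp(exp("x", "nb"), "ni")   # the term the intruder can build
    return key_b, key_i

if __name__ == "__main__":
    for name, run in (("honest", honest_run),
                      ("impersonation", impersonation_run)):
        s, t = run()
        print(name, "| syntactic:", equal_syntactic(s, t),
              "| modulo theory:", equal_modulo_theory(s, t))
```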

45
My recent work
  • Give conditions under which Cryptographic
    Protocol Analysis finds same attacks without
    theories as with theories
  • It guarantees that properties modeled by theories
    do not create attacks
  • Therefore, gives principles for protocol
    developers

46
Summary
  • Theories are important for all kinds of
    verification, and therefore we must understand
    everything about them