The%20Formal%20Method%20CAPSL - PowerPoint PPT Presentation

About This Presentation
Title:

The%20Formal%20Method%20CAPSL

Description:

The Formal Method CAPSL Kyle Taylor Zhenxiao Yang ... – PowerPoint PPT presentation

Number of Views:86
Avg rating:3.0/5.0
Slides: 41
Provided by: taylo162
Learn more at: http://www.cse.msu.edu
Category:

less

Transcript and Presenter's Notes

Title: The%20Formal%20Method%20CAPSL


1
The Formal Method CAPSL
  • Kyle Taylor
  • Zhenxiao Yang

2
CAPSL
  • Common Authentication Protocol Specification
    Language
  • Message list protocol description

3
Overview
4
CAPSL Notation
  • Declarations
  • Imports
  • Types
  • Variables
  • Functions
  • Constants
  • Modules
  • Typespec
  • Protocol
  • Environment

5
Typespec
TYPESPEC PPK IMPORTS SPKE TYPES PKUser
Principal Functions pk(PKUser) Pkey
sk(PKUser) Pkey, PRIVATE VARIABLES A
PKUser X Field Axioms ped(sk(A),
ped(pk(A), X)) X ped(pk(A), ped(sk(A), X))
X INVERT ped(pk(A), X) X sk(A) INVERT
ped(sk(A), X) X pk(A)
  • Introduce New Types
  • Define Functions for a Type
  • Extend Existing Types
  • Syntax
  • Declarations
  • Axioms

6
Protocol
  • The Message List
  • Syntax
  • Declaration
  • Assumptions
  • Messages
  • Goals

PROTOCOL Simple VARIABLES A, B Principal
K Skey, FRESH, CRYPTO F Field ASSUMPTIONS
HOLDS A B MESSAGES A -gt B A,Kpk(B) GOALS
SECRET K
7
Protocol Declaration and Assumptions
  • Declaration
  • Denotes
  • Allows a variable to be defined as the value of
    an expression
  • Assumptions
  • Boolean-valued terms or equalities
  • BELIEVES
  • Used to indicate a initial belief
  • HOLDS
  • Used to indicate knowledge of another entity
  • KNOWS
  • Belief plus truth
  • Example BELIEVES A BELIEVES B HOLDS A K

8
Protocol Messages
  • Message Format
  • id. sender -gt receiver field,
  • Concatenation of Fields
  • , denotes associative concatenation
  • , denotes non-associative concatenation
  • Encryption
  • Built in functions ped(), pk(), se(), sd()
  • A, Kpk(B) ped(pk(B), A, K)
  • XK se(K, X) and XK sd(K, X)

9
Protocol Messages Continued
  • Arithmetic
  • Allows , -, , /, and with built in type Skey
  • -operator
  • Distinguishes between the senders and the
    receivers view of a message
  • AB, CD
  • Sender constructs A, C
  • Receiver constructs B, D

10
Protocol Messages Continued
  • Actions
  • Assignment or comparison test
  • Assume and Prove
  • Assumptions and Goals that are associated with
    intermediate states rather than initial and final
    states
  • Phrases
  • Phrase message actions before and after it
  • / used to separate receiver actions from sender
    actions
  • A -gt B X
  • X lt Y/
  • A -gt C Z

11
Protocol Messages Continued
  • Subprotocols
  • A protocol may invoke a different protocol using
    the INCLUDE P
  • No statements may follow and INCLUDE
  • Conditional Selection
  • IF AB THEN INCLUDE P2
  • ELSE INCLUDE P3 ENDIF

12
Protocol Goals
  • States security objectives
  • SECRET V P1,
  • Variable V is a secret shared only by P1,
  • PRECEDES A B V1, V2
  • If B reaches its final state, it agrees with A on
    V1, V2
  • AGREE A, B V1, W1,
  • If A and B agree on W1 then they must agree on V1

13
Environment
ENVIORNMENT Test IMPORTS NSPK CONSTANTS
Alice, Bob PKUser Mallory PKUser,
EXPOSED AGENT A1 HOLDS A Alice B
Bob AGENT B1 HOLDS B Bob EXPOSED
Bobsk(Alice) END
  • Used for setup
  • Syntax
  • Declaration
  • Agent
  • Define Roles
  • Exposed
  • Defines initial knowledge of an attacker
  • Axioms
  • Defines assumptions about constants
  • Order
  • Species series parrallel sequencing of agents

14
Needham-Schroeder Public Key Handshake
PROTOCOL NSPK Variables A, B PKUser
Na, Nb Nonce, CRYPTO ASSUMPTIONS HOLDS A
B MESSAGES A-gt B A, Napk(B) B-gt A
Na, Nbpk(A) A-gt B Nbpk(B) GOALS
SECRET Na SECRET Nb PRECEDES A B
Na PRECEDES B A Nb END
ENVIORNMENT Test IMPORTS NSPK CONSTANTS
Alice, Bob PKUser Mallory PKUser,
EXPOSED AGENT A1 HOLDS A Alice B
Bob AGENT B1 HOLDS B Bob EXPOSED
Bobsk(Alice) END
15
CIL
  • CAPSL Intermediate Language
  • Two purposes
  • Defines CAPSL Semantics
  • Interface to tool support
  • Uses Multiset Term Rewriting Rules

16
CIL Design
  • General and Expressive enough to represent a wide
    range of protocols
  • At a low enough level to be useful to
    verification and model checking tools
  • Represents state-transitions in a
    pattern-matching style, with symbolic terms to
    represent encryption and other computations

17
Rewrite Rules
  • Rewrite Rules
  • 0 x -gt x
  • s(x) y -gt s(x y)
  • 0 x -gt 0
  • s(x) y -gt y (x y)
  • fact(0) -gt s(0)
  • fact(s(x)) -gt s(x) fact(x)
  • gcd(0, x) -gt x
  • gcd(x, xy) -gt gcd(x, y)

Examples
Fact(s(s(0)))) -gts(s(0)) fact(s(0)) -gts(s(0))
s(0) fact(0) -gts(s(0)) s(0) s(0) -gts(s(0))
s(0) (0 s(0)) -gts(s(0)) s(0)
0 -gts(s(0)) s(0) -gts(s(0)) (0
s(s(0))) -gts(s(0)) 0 -gts(s(0) 2
s(s(s(0))) 3
s(0) (0 s(0)) -gts(0) 0 -gts(0) 1
gcd(s(s(s(s(0)))), s(s(0))) -gtgcd(s(s(0)),
s(s(0))) -gtgcd(0, s(s(0))) -gts(s(0)) 2
18
Multi-Set Rewrite
  • F1, , Fk ? ( X1, , Xm) G1, , Gn
  • " i,j Fi and Gj are facts
  • Existentially quantified variables are
    instantiated with fresh (unused) constants
  • A rule is eligible to fire when the facts on the
    left side can be matched with facts in the
    multiset
  • When a rule fires, facts on the left side of the
    rule are removed from the multiset and facts on
    the right side of the rule are inserted into the
    multiset after being instantiated according to
    the substitution required by the pattern match.

19
MSR Example
  • Rule that defines two new agents
  • ?A0(A, B),B0(B)
  • The message A ? B A, Nsk(A) results in at
    least two rules
  • A0(A,B) ? (N)A1(A,B,N), M(A, B, A, Nsk(A)
  • B0(B), M(X, B, A, Nsk(A)) ? B1(B, A, N)

20
Translation Output
  • Slot Table
  • Maps each protocol variable to an argument
    position in the state predicate of each role
  • Symbol Table
  • Contains all identifiers declared in all the
    specification modules
  • Axioms
  • Single list generated form Typespec and
    Environment
  • Localized Assumptions and Goals
  • Axioms localized to a particular state
  • Protocol Rewrite Rules
  • MSR rules
  • Environment Information
  • CIL AST representation of an Environment

21
Translation Stages
  • Parsing
  • Checks syntax and produces a parse tree
  • Type Checking
  • Confirms consistency of type and signature
    declarations
  • Syntax Transformations
  • Syntactical sugar is removed
  • Rule Generation
  • Creation of rewrite rules from messages and
    actions
  • Local Assertions
  • Transformation of Assertions from interleaved to
    Associated
  • Optimization
  • Reduces the number or rules and the number of
    states per role by 50

22
CAPSL Example AP1.0
23
CAPSL Example AP1.0 (contd)
  • PROTOCOL AP10
  • VARIABLES
  • A, B Principal
  • ASSUMPTIONS
  • HOLDS AB
  • MESSAGES
  • A -gt B A
  • END

24
CAPSL Example AP2.0
25
CAPSL Example AP2.0 (contd)
  • PROTOCOL AP20
  • VARIABLES
  • A, B Principal
  • IP Field
  • ASSUMPTIONS
  • HOLDS A B, IP
  • MESSAGES
  • A -gt B A,IP
  • END

26
CAPSL Example AP3.0
27
CAPSL Example AP3.0 (contd)
  • PROTOCOL AP30
  • VARIABLES
  • A, B Principal
  • C Field
  • P Field, CRYPTO
  • ASSUMPTIONS
  • HOLDS A B, P
  • HOLDS B C
  • MESSAGES
  • A -gt B A, P
  • B -gt A C
  • END

28
CAPSL Example AP4.0
29
CAPSL Example AP4.0 (contd)
  • PROTOCOL AP40
  • VARIABLES
  • A, B Principal
  • R Nonce
  • K Skey
  • S Field
  • ASSUMPTIONS
  • HOLDS A B, K
  • HOLDS B K, S
  • MESSAGES
  • A -gt B A
  • B -gt A R
  • A -gt B RK
  • B -gt A S
  • END

30
CAPSL Example AP5.0
31
CAPSL Example AP5.0 (contd)
  • PROTOCOL AP50
  • VARIABLES
  • A, B PKUser
  • R Nonce
  • C, S Field
  • ASSUMPTIONS
  • HOLDS A B
  • HOLDS B S, C
  • MESSAGES
  • A -gt B A
  • B -gt A R
  • A -gt B Rsk(A)
  • B -gt A S
  • A -gt B pk(A)
  • B -gt A C
  • END

32
CAPSL Example AP5.0 (contd)
33
CAPSL Example AP5.0 (contd)
34
Tools Support
  • Translators
  • Connectors
  • Maude, PVS, NRL, etc.

35
Translator
  • CAPSL Parser and Type Checker
  • Checks syntax and type consistency
  • Rule Generator
  • Uses maude to generate CIL rewrite rules
  • CIL Optimizer
  • Optimizes CIL while preserving behavior

36
Connectors
  • Objective
  • A bridge between CIL and various analyzer tools
  • Example Connectors
  • cil2pvs
  • cil2maude

37
Maude
  • Rewriting Logic Interpreter
  • Contains an LTL Model Checker
  • Reflective Computation Through Meta-Level Modules

38
Conclusion and Discussions
  • Good Idea
  • Unambiguous because of CIL
  • Simple to describe protocols
  • Inflexible in that it only specifies protocols
  • The power of this language is in the tool support
  • Insightful in the abstraction of the tool support
  • More Connectors Needed
  • Better documentation of Tool Support
  • MuCAPSL

39
References
  • CAPSL Homepage
  • http//www.csl.sri.com/users/millen/capsl/
  • G. Denker and J. Millen. CAPSL intermediate
    language. In N. Heintze and E. Clarke, editor,
    Workshop on Formal Methods and Security Protocols
    (FMSP99), Trento, Italy, 1999.
  • URL http//www.csl.sri.com/denker/pub_99.
    html
  • G. Denker, J. Millen, and H. Ruess. The CAPSL
    integrated protocol environment. Technical Report
    SRI-CSL-2000-02, Oct. 2000.
  • URL http//www.csl.sri.com/papers/sri-csl-
    2000-02/

40
References
  • Grit Denker. Design of a CIL connector to maude.
    In 2000 Workshop on Formal Methods and Computer
    Security, Chicago, USA, July 2000.
  • URL http//www.csl.sri.com/papers/den00
  • Narciso Mart-Oliet and Jos Meseguer. Rewriting
    logic Roadmap and bibliography. Theoretical
    Computer Science, 285(2)121-154, Aug. 2002.
  • URL http//citeseer.nj.nec.com/486097.html
Write a Comment
User Comments (0)
About PowerShow.com