The%20Formal%20Method%20CAPSL

1
The Formal Method CAPSL

• Kyle Taylor
• Zhenxiao Yang

2
CAPSL

• Common Authentication Protocol Specification
  Language
• Message list protocol description

3
Overview
4
CAPSL Notation

• Declarations
• Imports
• Types
• Variables
• Functions
• Constants

• Modules
• Typespec
• Protocol
• Environment

5
Typespec
TYPESPEC PPK IMPORTS SPKE TYPES PKUser
Principal Functions pk(PKUser) Pkey
sk(PKUser) Pkey, PRIVATE VARIABLES A
PKUser X Field Axioms ped(sk(A),
ped(pk(A), X)) X ped(pk(A), ped(sk(A), X))
X INVERT ped(pk(A), X) X sk(A) INVERT
ped(sk(A), X) X pk(A)

• Introduce New Types
• Define Functions for a Type
• Extend Existing Types
• Syntax
• Declarations
• Axioms

6
Protocol

• The Message List
• Syntax
• Declaration
• Assumptions
• Messages
• Goals

PROTOCOL Simple VARIABLES A, B Principal
K Skey, FRESH, CRYPTO F Field ASSUMPTIONS
HOLDS A B MESSAGES A -gt B A,Kpk(B) GOALS
SECRET K
7
Protocol Declaration and Assumptions

• Declaration
• Denotes
• Allows a variable to be defined as the value of
  an expression
• Assumptions
• Boolean-valued terms or equalities
• BELIEVES
• Used to indicate a initial belief
• HOLDS
• Used to indicate knowledge of another entity
• KNOWS
• Belief plus truth
• Example BELIEVES A BELIEVES B HOLDS A K

8
Protocol Messages

• Message Format
• id. sender -gt receiver field,
• Concatenation of Fields
• , denotes associative concatenation
• , denotes non-associative concatenation
• Encryption
• Built in functions ped(), pk(), se(), sd()
• A, Kpk(B) ped(pk(B), A, K)
• XK se(K, X) and XK sd(K, X)

9
Protocol Messages Continued

• Arithmetic
• Allows , -, , /, and with built in type Skey
• -operator
• Distinguishes between the senders and the
  receivers view of a message
• AB, CD
• Sender constructs A, C
• Receiver constructs B, D

10
Protocol Messages Continued

• Actions
• Assignment or comparison test
• Assume and Prove
• Assumptions and Goals that are associated with
  intermediate states rather than initial and final
  states
• Phrases
• Phrase message actions before and after it
• / used to separate receiver actions from sender
  actions
• A -gt B X
• X lt Y/
• A -gt C Z

11
Protocol Messages Continued

• Subprotocols
• A protocol may invoke a different protocol using
  the INCLUDE P
• No statements may follow and INCLUDE
• Conditional Selection
• IF AB THEN INCLUDE P2
• ELSE INCLUDE P3 ENDIF

12
Protocol Goals

• States security objectives
• SECRET V P1,
• Variable V is a secret shared only by P1,
• PRECEDES A B V1, V2
• If B reaches its final state, it agrees with A on
  V1, V2
• AGREE A, B V1, W1,
• If A and B agree on W1 then they must agree on V1

13
Environment
ENVIORNMENT Test IMPORTS NSPK CONSTANTS
Alice, Bob PKUser Mallory PKUser,
EXPOSED AGENT A1 HOLDS A Alice B
Bob AGENT B1 HOLDS B Bob EXPOSED
Bobsk(Alice) END

• Used for setup
• Syntax
• Declaration
• Agent
• Define Roles
• Exposed
• Defines initial knowledge of an attacker
• Axioms
• Defines assumptions about constants
• Order
• Species series parrallel sequencing of agents

14
Needham-Schroeder Public Key Handshake
PROTOCOL NSPK Variables A, B PKUser
Na, Nb Nonce, CRYPTO ASSUMPTIONS HOLDS A
B MESSAGES A-gt B A, Napk(B) B-gt A
Na, Nbpk(A) A-gt B Nbpk(B) GOALS
SECRET Na SECRET Nb PRECEDES A B
Na PRECEDES B A Nb END
ENVIORNMENT Test IMPORTS NSPK CONSTANTS
Alice, Bob PKUser Mallory PKUser,
EXPOSED AGENT A1 HOLDS A Alice B
Bob AGENT B1 HOLDS B Bob EXPOSED
Bobsk(Alice) END
15
CIL

• CAPSL Intermediate Language
• Two purposes
• Defines CAPSL Semantics
• Interface to tool support
• Uses Multiset Term Rewriting Rules

16
CIL Design

• General and Expressive enough to represent a wide
  range of protocols
• At a low enough level to be useful to
  verification and model checking tools
• Represents state-transitions in a
  pattern-matching style, with symbolic terms to
  represent encryption and other computations

17
Rewrite Rules

• Rewrite Rules
• 0 x -gt x
• s(x) y -gt s(x y)
• 0 x -gt 0
• s(x) y -gt y (x y)
• fact(0) -gt s(0)
• fact(s(x)) -gt s(x) fact(x)
• gcd(0, x) -gt x
• gcd(x, xy) -gt gcd(x, y)

Examples
Fact(s(s(0)))) -gts(s(0)) fact(s(0)) -gts(s(0))
s(0) fact(0) -gts(s(0)) s(0) s(0) -gts(s(0))
s(0) (0 s(0)) -gts(s(0)) s(0)
0 -gts(s(0)) s(0) -gts(s(0)) (0
s(s(0))) -gts(s(0)) 0 -gts(s(0) 2
s(s(s(0))) 3
s(0) (0 s(0)) -gts(0) 0 -gts(0) 1
gcd(s(s(s(s(0)))), s(s(0))) -gtgcd(s(s(0)),
s(s(0))) -gtgcd(0, s(s(0))) -gts(s(0)) 2
18
Multi-Set Rewrite

• F1, , Fk ? ( X1, , Xm) G1, , Gn
• " i,j Fi and Gj are facts
• Existentially quantified variables are
  instantiated with fresh (unused) constants
• A rule is eligible to fire when the facts on the
  left side can be matched with facts in the
  multiset
• When a rule fires, facts on the left side of the
  rule are removed from the multiset and facts on
  the right side of the rule are inserted into the
  multiset after being instantiated according to
  the substitution required by the pattern match.

19
MSR Example

• Rule that defines two new agents
• ?A0(A, B),B0(B)
• The message A ? B A, Nsk(A) results in at
  least two rules
• A0(A,B) ? (N)A1(A,B,N), M(A, B, A, Nsk(A)
• B0(B), M(X, B, A, Nsk(A)) ? B1(B, A, N)

20
Translation Output

• Slot Table
• Maps each protocol variable to an argument
  position in the state predicate of each role
• Symbol Table
• Contains all identifiers declared in all the
  specification modules
• Axioms
• Single list generated form Typespec and
  Environment
• Localized Assumptions and Goals
• Axioms localized to a particular state
• Protocol Rewrite Rules
• MSR rules
• Environment Information
• CIL AST representation of an Environment

21
Translation Stages

• Parsing
• Checks syntax and produces a parse tree
• Type Checking
• Confirms consistency of type and signature
  declarations
• Syntax Transformations
• Syntactical sugar is removed
• Rule Generation
• Creation of rewrite rules from messages and
  actions
• Local Assertions
• Transformation of Assertions from interleaved to
  Associated
• Optimization
• Reduces the number or rules and the number of
  states per role by 50

22
CAPSL Example AP1.0
23
CAPSL Example AP1.0 (contd)

• PROTOCOL AP10
• VARIABLES
• A, B Principal
• ASSUMPTIONS
• HOLDS AB
• MESSAGES
• A -gt B A
• END

24
CAPSL Example AP2.0
25
CAPSL Example AP2.0 (contd)

• PROTOCOL AP20
• VARIABLES
• A, B Principal
• IP Field
• ASSUMPTIONS
• HOLDS A B, IP
• MESSAGES
• A -gt B A,IP
• END

26
CAPSL Example AP3.0
27
CAPSL Example AP3.0 (contd)

• PROTOCOL AP30
• VARIABLES
• A, B Principal
• C Field
• P Field, CRYPTO
• ASSUMPTIONS
• HOLDS A B, P
• HOLDS B C
• MESSAGES
• A -gt B A, P
• B -gt A C
• END

28
CAPSL Example AP4.0
29
CAPSL Example AP4.0 (contd)

• PROTOCOL AP40
• VARIABLES
• A, B Principal
• R Nonce
• K Skey
• S Field
• ASSUMPTIONS
• HOLDS A B, K
• HOLDS B K, S
• MESSAGES
• A -gt B A
• B -gt A R
• A -gt B RK
• B -gt A S
• END

30
CAPSL Example AP5.0
31
CAPSL Example AP5.0 (contd)

• PROTOCOL AP50
• VARIABLES
• A, B PKUser
• R Nonce
• C, S Field
• ASSUMPTIONS
• HOLDS A B
• HOLDS B S, C
• MESSAGES
• A -gt B A
• B -gt A R
• A -gt B Rsk(A)
• B -gt A S
• A -gt B pk(A)
• B -gt A C
• END

32
CAPSL Example AP5.0 (contd)
33
CAPSL Example AP5.0 (contd)
34
Tools Support

• Translators
• Connectors
• Maude, PVS, NRL, etc.

35
Translator

• CAPSL Parser and Type Checker
• Checks syntax and type consistency
• Rule Generator
• Uses maude to generate CIL rewrite rules
• CIL Optimizer
• Optimizes CIL while preserving behavior

36
Connectors

• Objective
• A bridge between CIL and various analyzer tools
• Example Connectors
• cil2pvs
• cil2maude

37
Maude

• Rewriting Logic Interpreter
• Contains an LTL Model Checker
• Reflective Computation Through Meta-Level Modules

38
Conclusion and Discussions

• Good Idea
• Unambiguous because of CIL
• Simple to describe protocols
• Inflexible in that it only specifies protocols
• The power of this language is in the tool support
• Insightful in the abstraction of the tool support
• More Connectors Needed
• Better documentation of Tool Support
• MuCAPSL

39
References

• CAPSL Homepage
• http//www.csl.sri.com/users/millen/capsl/
• G. Denker and J. Millen. CAPSL intermediate
  language. In N. Heintze and E. Clarke, editor,
  Workshop on Formal Methods and Security Protocols
  (FMSP99), Trento, Italy, 1999.
• URL http//www.csl.sri.com/denker/pub_99.
  html
• G. Denker, J. Millen, and H. Ruess. The CAPSL
  integrated protocol environment. Technical Report
  SRI-CSL-2000-02, Oct. 2000.
• URL http//www.csl.sri.com/papers/sri-csl-
  2000-02/

40
References

• Grit Denker. Design of a CIL connector to maude.
  In 2000 Workshop on Formal Methods and Computer
  Security, Chicago, USA, July 2000.
• URL http//www.csl.sri.com/papers/den00
• Narciso Mart-Oliet and Jos Meseguer. Rewriting
  logic Roadmap and bibliography. Theoretical
  Computer Science, 285(2)121-154, Aug. 2002.
• URL http//citeseer.nj.nec.com/486097.html