A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo...

A Logic of Belief and a A Logic of Belief and a Model Checking Algorithm Model Checking Algorithm

for for Security ProtocolsSecurity Protocols

joint work with Massimo Benerecetti

Fausto GiunchigliaUniversity of [email protected]

mailto:[email protected]






Logics of Beliefs for Logics of Beliefs for Security ProtocolsSecurity Protocols

BAN Logic (Borrows, Abadi & Needham)

Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication




Some Extensions

Abadi & Tuttle (AT Logic) Gong, Needham & Yahalom (GNY Logic) Boyd & Mao




Some Extensions

Abadi & Tuttle (AT Logic) Gong, Needham & Yahalom (GNY Logic) Boyd & Mao

Attempts to automate reasoning in BAN

Kindred & Wing (Theory Building)

The ApproachThe Approach

Define a Logic of Belief and Time



A Model Checking Algorithm for this logic




Built on top of CTL model checking



Built on top of CTL model checking

Integration with existing tools

(e.g. NuSMV)


Example: The Andrew ProtocolExample: The Andrew Protocol

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB

Example Property: at the end of the protocol session, A believes that B believes that K’

AB is a "good shared key" for communication between them.

Example: The Andrew ProtocolExample: The Andrew Protocol

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB

Example: Attack to the Andrew Example: Attack to the Andrew Protocol Protocol

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB

1 A B : {NA}Kab

2 B A : {NA,N

B}Kab

3 A B : {NB}KAB

4 I(B) A : {KAB,N

B}KAB

Example: Attack to the Andrew Example: Attack to the Andrew Protocol Protocol

Outline of the TalkOutline of the Talk

Intuitions


Intuitions

MultiAgent Temporal Logic (MATL)

MultiAgent Finite State Machine (MAFSM)

The Model Checking Algorithm (MAMC)


Intuitions




Model of the Andrew Protocol in MAFSM


Intuitions




Model of the Andrew Protocol in MAFSM

Conclusion and Future Work

IntuitionsIntuitions

IntuitionsIntuitionsPrincipals have two orthogonal aspects:

Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.



Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.




PrincipalA

PrincipalB


PrincipalA

PrincipalB

A' s Repr. of B

Principals have two orthogonal aspects:




PrincipalA

PrincipalB

A' s Repr. of B

BB?





PrincipalA

PrincipalB

A' s Repr. of B

?

BB?




MultiAgent Temporal LogicMultiAgent Temporal Logic(MATL)(MATL)

.........

BA BB

BBBA BBBBBABBBABA

...

To each level of nesting of beliefs we associate a Representation of a process evolving over time.

MATL: ViewsMATL: Views

.........

BA BB

BBBA BBBBBABBBABA

...

Each Representation is called a View


To each level of nesting of beliefs we associate a Representation of a process evolving over time.

Views represent the beliefs about a principal's evolution during the protocol

View the protocol as seen by the external observer (the analyser's point of view)

View BA 's beliefs about the evolution of principal A.

View BB 's beliefs about the evolution of principal B.

View BABB ('s beliefs about) A's beliefs about the evolution of principal B

....



.

BA BB

BBBA BBBBBABBBABA

.. .. .. ..

* is the set of (possibly empty)

strings of the form BX1···BXn

MATL: Language MATL: Language

We associate to each view a language

The language of each view allows for expressing properties of the process associated with that view

............

BA BB

BBBA BBBBBABBBABA

MATL: LanguageMATL: Language

............

BA BB

BBBA BBBBBABBBABA

BB


............

BA BB

BBBA BBBBBABBBABA

BABB

BB


......

......

BA BB

BBBA BBBBBABBBABA

BABB

BB

BBBA

BA



To each view we associate the smallest CTL language containing:

a finite set of Propositional Atoms

the set of Atoms = {BX| is a formula of BX}

that is the Belief Atoms of the form BX for each

formula of view BX


To each view we associate the smallest CTL language containing:

a finite set of Propositional Atoms

the set of Atoms = {BX| is a formula of BX}

that is the Belief Atoms of the form BX for each

formula of view BX

Example

AG(BABBP) is a formula of view


Definition: Given a family {} of sets of propositional atoms, the family of MATL languages on is the family of CTL languages {}


Definition: Given a family {} of sets of propositional atoms, the family of MATL languages on is the family of CTL languages {}

A MATL formula belonging to is denoted by

Example

AG(BABBP) denotes the formula AG(BABBP) of view

http://www.science.unitn.it/~fausto/talks/mamc/MATLSemantics.ppt

MultiAgent Finite State MachineMultiAgent Finite State Machine(MAFSM)(MAFSM)

MAFSM: IntuitionsMAFSM: Intuitions

Model Checking employs Finite State Machines

We extend the notion of FSM to accommodate beliefs

We associate the Finite State Machine of a process to each view

http://www.science.unitn.it/~fausto/talks/mamc/FSMs.ppt

MAFSM: IntuitionsMAFSM: Intuitions

Model Checking employs Finite State Machines

We extend the notion of FSM to accommodate beliefs

We associate the Finite State Machine of a process to each view

Restriction:

We consider only a finite number of views

MultiAgent Finite State MachineMultiAgent Finite State Machine

.

BA BB

BBBA BBBBBABBBABA

.. .. .. ..

* is the set of (possibly empty)

strings of the form BX1···BXn


.

BA BB

BBBA BBBBBABBBABA

.. .. .. ..

n


.

BA BB

BBBA BBBBBABBBABA

.. .. .. ..

n

n is a finite subset of strings in *

MultiAgent Finite State MachineMultiAgent Finite State MachineWe associate the Finite State Machine of a process to each view in n

BA BB

BA BB BBBA

MultiAgent Finite State MachineMultiAgent Finite State MachineWe associate the Finite State Machine of a process to each view in n

BA BB

BA BB BBBA

Problem: there's a infinite number of Belief Atoms in each view!

Explicit Belief AtomsExplicit Belief Atoms

Solution: chose a finite number of Belief Atoms (Explicit Beliefs Atoms) as state variables of the FSM of a view.

s

s' s''

BX

BX


Explicit Belief Atoms induce a Compatibility Relation among states in different views.

s

s' s''

BX

B

X

Implicit Belief AtomsImplicit Belief AtomsImplicit Belief Atoms are the infinite set of Belief Atoms which are not Explicit

BX

BXBX

B

X

Implicit Belief AtomsImplicit Belief AtomsSatisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation

BX

BXBX

BX

Implicit Belief AtomsImplicit Belief Atoms

Explicit Belief Atoms are used to assess the truth of Implicit Belief Atoms

BX

BXBX

Satisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation

BX

MultiAgent Finite State MachineMultiAgent Finite State MachineA MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.

BA BB

BA BB BBBA

http://www.science.unitn.it/~fausto/talks/mamc/MAFSM.ppt

MAFSM: From Trees to GraphsMAFSM: From Trees to Graphs

The definition of MAFSM as a Tree of FSMs (one for each view):

does not allow for arbitrary nesting of beliefs: “a priori” bound on the length of each branch of the tree.


The definition of MAFS as a Tree of FSMs (one for each view):

does not allow for arbitrary nesting of beliefs: “a priori” bound on the length of each branch of the tree.

needs a distinct specification of each view even when it is not necessary: often in security protocol we can safely assume that the

protocol is publicly known and each (honest) principal behaviour is completely known to the other principals;

in some cases distinct views of that principal could be modelled by the same process (FSM).


Solution:

allow for cycles in MAFSM;

a MAFSM becomes a Graph of views

http://www.science.unitn.it/~fausto/talks/mamc/MAFSMCycles.ppt


A MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.

BBBA

Model Checking AlgorithmModel Checking Algorithm(MAMC)(MAMC)

MultiAgent Model Checking MultiAgent Model Checking AlgorithmAlgorithm

To check the formula in view , the algorithm performs three steps:

recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.




compute for each state s the BDI atoms occurring in true at s.




compute for each state s the BDI atoms occurring in true at s.

call the standard CTL model checking algorithm (treating BDI atoms as atomic formulas).

MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm

BB

BA

AG (BA BB )


BB

BAImplicit Belief Atom

AG (BA BB )


BB

BA

Implicit Belief Atom

AG (BA BB )

BB


BB

BA

AG (BA BB )

BB

AG (BA BB )


BB

BA

BB

Model of the Andrew ProtocolModel of the Andrew Protocol

Beliefs in Security ProtocolsBeliefs in Security Protocols

Each Principal is seen as a process able to have Beliefs about other principal

BX means that principal "X believes " to be true




Beliefs evolve over time (as messages are sent/received)





Beliefs can be nested

Example (from BAN)

At the end of the protocol session:

A believes that B believes that K'AB is a "good shared

key" for communication between them.





Beliefs can be nested

Example (from BAN)

At the end of the protocol session:

A believes that B believes that K'AB is a "good shared

key" for communication between them.

recA {K'AB,N'B}KAB BA fresh NA BA BB shk K'AB


External Observer a process (the protocol) ascribing beliefs to agents A and B

Agent A a process ascribing beliefs to agent B

Agent B a process ascribing beliefs to agent A

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB


All these entities are modeled as processes accessing other agents' representations (views).

External Observer a process (the protocol) ascribing beliefs to agents A and B

Agent A a process ascribing beliefs to agent B

Agent B a process ascribing beliefs to agent A

1 A B : {NA}KAB

2 B A : {NA,NB}KAB

3 A B : {NB}KAB

4 B A : {KAB,N

B}KAB


BA BBBA BB BABB

(BBBA , BA) (i.e. BBBA and BA are modelled by the same process)

(BABB , BB) (i.e. BABB and BB are modelled by the same process)


To specify a MAFSM we need to specify the following elements:

Propositional Atoms Message variables

Freshness variables




Freshness variables

Explicit Belief Atoms




Freshness variables

Explicit Belief Atoms

How Atoms’ truth values vary during the protocol execution

Propositional Atoms : Message Propositional Atoms : Message VariablesVariables

We need to model principal sending and receiving messages



Boolean varibles



Boolean varibles

View BA

send {NA}KAB

rec {NA,NB}KAB

... rec {K'AB,N'B}KAB


View BB

rec {NA}KAB

send {NA,NB}KAB

... send {K'AB,N'B}KAB

View BA

send {NA}KAB

rec {NA,NB}KAB

...rec {K'AB,N'B}KAB


Boolean varibles


View

recA {NA}KAB

sendAB {NA,NB}KAB

... sendAB {K'AB,N'B}KAB

View BA

send {NA}KAB

rec {NA,NB}KAB


View BB

rec {NA}KAB

send {NA,NB}KAB

...send {K'AB,N'B}KAB


Boolean varibles


Message Variables Evolution

Once they become true they remain stable

View BA

sendB {NA}KAB

rec {NA,NB}KAB


View BB

rec {NA}KAB

sendA {NA,NB}KAB

...sendA {K'AB,N'B}KAB

View

recA {NA}KAB

sendAB {NA,NB}KAB

...sendAB {K'AB,N'B}KAB


View BA

sendB {NA}KAB

rec {NA,NB}KAB


View BB

rec {NA}KAB

sendA {NA,NB}KAB

...sendA {K'AB,N'B}KAB

View

recA {NA}KAB

sendAB {NA,NB}KAB

...sendAB {K'AB,N'B}KAB

Message Variables Evolution


Evolve following the order of messages in the protocol

Example: Evolution of Message Example: Evolution of Message VariablesVariables

send {NA}KAB

rec {NA,NB}KAB

Message variables evolve following the order of messages in the protocol

A has not sent/received any message


send {NA}KAB

rec {NA,NB}KAB


A has sent Message 1

send {NA}KAB

rec {NA,NB}KAB


send {NA}KAB

rec {NA,NB}KAB


send {NA}KAB

rec {NA,NB}KAB

send {NA}KAB

rec {NA,NB}KAB

A has received Message 2

Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables

We need to express basic properties of messages: freshness

Boolean varibles

View BA

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB


View BA

fresh NB

...

fresh{K'AB,N'B}KAB

shk K'AB

View BA

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB


Boolean varibles


View BA

fresh NA

…

fresh{K'AB,N'B}KAB

shk K'AB

View

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB

View BB

fresh NB

...

fresh{K'AB,N'B}KAB

shk K'AB


Boolean varibles


Freshness Variables Evolution


View BA

fresh NA

…

fresh{K'AB,N'B}KAB

shk K'AB

View BB

fresh NB

...

fresh{K'AB,N'B}KAB

shk K'AB

View

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB


View BA

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB

View BB

fresh NB

...

fresh{K'AB,N'B}KAB

shk K'AB

View

fresh NA

...

fresh{K'AB,N'B}KAB

shk K'AB

Freshness Variables Evolution


Must satisfy some additional contraints

Evolution of Freshness VariablesEvolution of Freshness Variables

fresh {NA,NB}KAB fresh NA fresh NB

...


BA

fresh {NA,NB}KAB (fresh NA fresh NB) rec{NA,NB}KAB

fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB

…


...



...

BA

fresh {NA,NB}KAB (fresh NA fresh NB) rec{NA,NB}KAB

fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB..

BB

fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB

fresh {K'AB,N'B}KAB shk K'AB

...

Explicit Beliefs AtomsExplicit Beliefs Atoms

View BA

BB sendA {K'AB,N'B}KAB

...

We need to express beliefs about (other) principal sending/receiving messages

Boolean varibles

Explicit Beliefs AtomsExplicit Beliefs Atoms


Boolean varibles

View BA


...

View BB

BA sendB {NA}KAB

...



Boolean varibles

View BA


...

View BB

BA sendB {NA}KAB

…

View

BA rec {K'AB,N'B}KAB


...


Explicit Belief Atoms Evolution


Must satisfy some additional contraints

View

BA rec {K'AB,N'B}KAB


…

View BA


...

View BB

BA sendB {NA}KAB

…

Evolution of Explicit Belief AtomsEvolution of Explicit Belief Atoms

recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB

…



...

BA

rec {K'AB,N'B}KAB BB sendA {K'AB,N'B}KAB

fresh {K'AB,N'B}KAB BB fresh {K'AB,N'B}KAB

…



...

BA



...

BB

rec {NB}KAB BA sendB {NB}KAB

fresh {NB}KAB BA fresh {NB}KAB

...

Checking the Andrew ProtocolChecking the Andrew Protocol

BB

BA

AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)

A security property for the Andrew Protocol


BB

BA

BB shk K'AB

shk K'AB



BB

BB shk K'AB

shk K'AB

fresh {K'AB,N'B}KAB shk K'AB


BA


BB

BB shk K'AB

shk K'AB



(fresh K'AB fresh N'B) rec {K'AB,N'B}KAB fresh {K'AB,N'B}KAB


BA


BB

BB shk K'AB

shk K'AB


BA



BB

BB shk K'AB

shk K'AB


BA


The property doesn’t holdof the Andrew Protocol

http://www.science.unitn.it/~fausto/talks/mamc/AndrewCorrected.ppt

ConclusionsConclusions

A Model-Checking based Verification Procedure for Security Protocols

Logic of Beliefs MultiAgent Finite State Machine Model Checking Algorithm

ConclusionsConclusions

A Model-Checking based Verification Procedure for Security Protocols

Logic of Beliefs MultiAgent Finite State Machine Model Checking Algorithm

Future Work Implementation (ongoing work) Experimental Analysis Extension of the logic and comparison with other

logics

A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo...

Documents

Transcript of A Logic of Belief and a Model Checking Algorithm for Security Protocols joint work with Massimo...