Embed Size (px)
Citation preview
The Formal Method CAPSL
Kyle Taylor
Zhenxiao Yang
CAPSL
Common Authentication Protocol Specification Language
Message list protocol description
•A B: {A, Na}PB
•B A: {Na, Nb}PA
•A B: {Nb}PB
A B
{A, Na}PB
{Na, Nb}PA
{Nb}PB
Overview
CAPSL Notation
Declarations– Imports– Types– Variables– Functions– Constants
Modules– Typespec– Protocol– Environment
Typespec
Introduce New Types Define Functions for a
Type Extend Existing Types Syntax
– Declarations– Axioms
TYPESPEC PPK;IMPORTS SPKE;TYPES PKUser : PrincipalFunctions pk(PKUser): Pkey; sk(PKUser): Pkey, PRIVATE;VARIABLES A: PKUser; X: Field;Axioms ped(sk(A), ped(pk(A), X)) = X; ped(pk(A), ped(sk(A), X)) = X; INVERT ped(pk(A), X): X | sk(A); INVERT ped(sk(A), X): X | pk(A);
Protocol
The Message List Syntax
– Declaration– Assumptions– Messages– Goals
PROTOCOL Simple;
VARIABLES
A, B: Principal;
K: Skey, FRESH, CRYPTO;
F: Field;
ASSUMPTIONS
HOLDS A: B;
MESSAGES
A -> B: {A,K}pk(B);
GOALS
SECRET K;
Protocol Declaration and Assumptions
Declaration– Denotes
Allows a variable to be defined as the value of an expression
Assumptions– Boolean-valued terms or equalities– BELIEVES
Used to indicate a initial belief– HOLDS
Used to indicate knowledge of another entity– KNOWS
Belief plus truth
Example: BELIEVES A : BELIEVES B : HOLDS A : K
Protocol Messages
Message Format– id. sender -> receiver : field, …;
Concatenation of Fields– {,} denotes associative concatenation – [,] denotes non-associative concatenation
Encryption– Built in functions ped(), pk(), se(), sd()– {A, K}pk(B) == ped(pk(B), {A, K})– {X}K == se(K, X) and {X}’K == sd(K, X)
Protocol Messages Continued
Arithmetic– Allows +, -, *, /, and ^ with built in type Skey
%-operator– Distinguishes between the senders and the
receivers view of a message– {A%B, C%D}
Sender constructs {A, C} Receiver constructs {B, D}
Protocol Messages Continued
Actions– Assignment or comparison test– Assume and Prove
Assumptions and Goals that are associated with intermediate states rather than initial and final states
Phrases– Phrase = message + actions before and after it– “/” used to separate receiver actions from sender
actions A -> B: X; X < Y;/ A -> C: Z;
Protocol Messages Continued
Subprotocols– A protocol may invoke a different protocol using the
INCLUDE P;– No statements may follow and INCLUDE
Conditional Selection– IF A=B THEN INCLUDE P2;– ELSE INCLUDE P3; ENDIF;
Protocol Goals
States security objectives SECRET V : P1, …
– Variable V is a secret shared only by P1, …
PRECEDES A : B | V1, V2
– If B reaches its final state, it agrees with A on V1, V2
AGREE A, B : V1, … | W1, …– If A and B agree on W1 then they must agree on V1
Environment
Used for setup Syntax
– Declaration– Agent
Define Roles– Exposed
Defines initial knowledge of an attacker
– Axioms Defines assumptions about
constants– Order
Species series parrallel sequencing of agents
ENVIORNMENT Test IMPORTS NSPK; CONSTANTS Alice, Bob: PKUser; Mallory: PKUser, EXPOSED; AGENT A1 HOLDS A = Alice; B = Bob; AGENT B1 HOLDS B = Bob; EXPOSED {Bob}sk(Alice);END;
Needham-Schroeder Public Key Handshake
ENVIORNMENT Test IMPORTS NSPK; CONSTANTS Alice, Bob: PKUser; Mallory: PKUser, EXPOSED; AGENT A1 HOLDS A = Alice; B = Bob; AGENT B1 HOLDS B = Bob; EXPOSED {Bob}sk(Alice);END;
PROTOCOL NSPK;Variables A, B: PKUser; Na, Nb: Nonce, CRYPTO;ASSUMPTIONS HOLDS A: B;MESSAGES A-> B: {A, Na}pk(B); B-> A: {Na, Nb}pk(A); A-> B: {Nb}pk(B);GOALS SECRET Na; SECRET Nb; PRECEDES A: B | Na; PRECEDES B: A | Nb;END;
CIL
CAPSL Intermediate Language Two purposes
– Defines CAPSL Semantics– Interface to tool support
Uses Multiset Term Rewriting Rules
CIL Design
General and Expressive enough to represent a wide range of protocols
At a low enough level to be useful to verification and model checking tools
Represents state-transitions in a pattern-matching style, with symbolic terms to represent encryption and other computations
Rewrite Rules
Rewrite Rules
0 + x -> xs(x) + y -> s(x +y)0 * x -> 0s(x) * y -> y + (x * y)fact(0) -> s(0)fact(s(x)) -> s(x) * fact(x)gcd(0, x) -> xgcd(x, x+y) -> gcd(x, y)
Examples
Fact(s(s(0))))->s(s(0)) * fact(s(0))->s(s(0)) * s(0) * fact(0)->s(s(0)) * s(0) * s(0)->s(s(0)) * s(0) + (0 * s(0))->s(s(0)) * s(0) + 0->s(s(0)) * s(0)->s(s(0)) + (0 * s(s(0)))->s(s(0)) + 0->s(s(0) = 2
s(s(s(0))) = 3
s(0) + (0 * s(0)) ->s(0) + 0->s(0) = 1
gcd(s(s(s(s(0)))), s(s(0)))->gcd(s(s(0)), s(s(0)))->gcd(0, s(s(0)))->s(s(0)) = 2
Multi-Set Rewrite
F1, …, Fk (X1, …, Xm) G1, …, Gn
– i,j Fi and Gj are facts
– Existentially quantified variables are instantiated with fresh (unused) constants
A rule is eligible to fire when the facts on the left side can be matched with facts in the multiset
When a rule fires, facts on the left side of the rule are removed from the multiset and facts on the right side of the rule are inserted into the multiset after being instantiated according to the substitution required by the pattern match.
MSR Example
Rule that defines two new agents– A0(A, B),B0(B)
The message “A B: A, {N}sk(A) results in at least two rules– A0(A,B) (N)A1(A,B,N), M(A, B, { A, {N}sk(A)}
– B0(B), M(X, B, { A, {N}sk(A)}) B1(B, A, N)
Translation Output
Slot Table– Maps each protocol variable to an argument position in the state
predicate of each role Symbol Table
– Contains all identifiers declared in all the specification modules Axioms
– Single list generated form Typespec and Environment Localized Assumptions and Goals
– Axioms localized to a particular state Protocol Rewrite Rules
– MSR rules Environment Information
– CIL AST representation of an Environment
Translation Stages
Parsing– Checks syntax and produces a parse tree
Type Checking– Confirms consistency of type and signature declarations
Syntax Transformations– Syntactical sugar is removed
Rule Generation– Creation of rewrite rules from messages and actions
Local Assertions– Transformation of Assertions from interleaved to Associated
Optimization– Reduces the number or rules and the number of states per role by 50%
CAPSL Example AP1.0
CAPSL Example AP1.0 (cont’d)
PROTOCOL AP10; VARIABLES A, B: Principal; ASSUMPTIONS HOLDS A:B; MESSAGES A -> B: A; END;
CAPSL Example AP2.0
CAPSL Example AP2.0 (cont’d)
PROTOCOL AP20; VARIABLES A, B: Principal; IP: Field; ASSUMPTIONS HOLDS A: B, IP; MESSAGES A -> B: {A,IP}; END;
CAPSL Example AP3.0
CAPSL Example AP3.0 (cont’d)
PROTOCOL AP30; VARIABLES A, B: Principal; C: Field; P: Field, CRYPTO; ASSUMPTIONS HOLDS A: B, P; HOLDS B: C; MESSAGES A -> B: {A, P}; B -> A: C;END;
CAPSL Example AP4.0
CAPSL Example AP4.0 (cont’d)
PROTOCOL AP40; VARIABLES A, B: Principal; R: Nonce; K: Skey; S: Field; ASSUMPTIONS HOLDS A: B, K; HOLDS B: K, S; MESSAGES A -> B: A; B -> A: R; A -> B: {R}K; B -> A: S;END;
CAPSL Example AP5.0
CAPSL Example AP5.0 (cont’d)
PROTOCOL AP50; VARIABLES A, B: PKUser; R: Nonce; C, S: Field; ASSUMPTIONS HOLDS A: B; HOLDS B: S, C; MESSAGES A -> B: A; B -> A: R; A -> B: {R}sk(A); B -> A: S; A -> B: pk(A); B -> A: C;END;
CAPSL Example AP5.0 (cont’d)
CAPSL Example AP5.0 (cont’d)
Tools Support
Translators Connectors Maude, PVS, NRL, etc.
Translator
CAPSL Parser and Type Checker– Checks syntax and type consistency
Rule Generator– Uses maude to generate CIL rewrite rules
CIL Optimizer– Optimizes CIL while preserving behavior
Connectors
Objective– A bridge between CIL and various analyzer tools
Example Connectors– cil2pvs– cil2maude
Maude
Rewriting Logic Interpreter Contains an LTL Model Checker Reflective Computation Through Meta-Level
Modules
Conclusion and Discussions
Good Idea– Unambiguous because of CIL– Simple to describe protocols– Inflexible in that it only specifies protocols– The power of this language is in the tool support– Insightful in the abstraction of the tool support
More Connectors Needed Better documentation of Tool Support MuCAPSL
References
CAPSL Homepage: http://www.csl.sri.com/users/millen/capsl/
G. Denker and J. Millen. CAPSL intermediate language. In N. Heintze and E. Clarke, editor, Workshop on Formal Methods and Security Protocols (FMSP99), Trento, Italy, 1999.
URL: http://www.csl.sri.com/~denker/pub_99.html
G. Denker, J. Millen, and H. Ruess. The CAPSL integrated protocol environment. Technical Report SRI-CSL-2000-02, Oct. 2000.
URL: http://www.csl.sri.com/papers/sri-csl-2000-02/
References
Grit Denker. Design of a CIL connector to maude. In 2000 Workshop on Formal Methods and Computer Security, Chicago, USA, July 2000.
URL: http://www.csl.sri.com/papers/den00
Narciso Mart-Oliet and Jos Meseguer. Rewriting logic: Roadmap and bibliography. Theoretical Computer Science, 285(2):121-154, Aug. 2002.
URL: http://citeseer.nj.nec.com/486097.html
