Upload
phungthu
View
232
Download
4
Embed Size (px)
Citation preview
Secure Concurrent Constraint
Programming
H. Lopez , J. Perez, C. Rueda,Universidad Javeriana
C. PalamidessiINRIA and LIX Ecole Polytechnique
F. ValenciaCNRS and LIX Ecole Polytechnique.
ICLP, 2006
ICLP06
Motivation
The study of security uses tools and tech-
niques from constraint and logic programming.
• CP and LP Programming Languages.. Millen's Interrogator Prolog constraint solver [Mil95].
• Logic Programming.
. Compton et al [CD99] used LP for protocols.
. Blanchet uses Horn-Clauses for analyzing protocols.
• Constraint Programming : Soft Constraints byBistarelli et al [BB01].
ICLP06 1
Motivations
Want to explore Concurrent Constraint Pro-
gramming (CCP), a well-stablished concurrency frame-work, for reasoning about Security Protocols.
Reasons:
• Strinking resemblance with modern calculi for security.
• Matured Model with several reasoning techniques(specially reachability analysis, traces) and implementa-tions
. Final-store denotational semantics,
. Complete proof systems for veri�cation P |= F
. Declarative methods: Processes-as-FOL formulae.
. Decidability Results for Reachability
. Programming Languages.
ICLP06 2
Agenda
In this talk we report on our observations and prelimi-nary work on CCP as a framework for security protocols.
1. Security Protocols
2. Process Calculi for Security Protocols
3. CCP
4. Similarities between CCP and Modern Process Calculifor Security
5. CCP Extension to model Security Protocols
6. Conclusion
ICLP06 3
Background: Security protocols
• Message exchange via untrusted network
• Achieve authentication, secrecy, anonymity, etc.
• Needham-Schröder protocol
A −→ B : {m,A}Pub(B)
B −→ A : {m,n}Pub(A)
A −→ B : {n}Pub(B)
Two roles: initiator (A), responder (B)
Concurrent sessions among distributed agents
Uses cryptography to achieve security properties
• Secrecy property:n never appears on a run of the protocols.
ICLP06 4
The Dolev-Yao model Active intruder:
• Eavesdrop
• Disassemble and compose
• Encrypt and decrypt with available keys
BUT
• random numbers unguessable
• cryptography unbreakable
Properties can be di�cult to proveUndecidability of secrecy (even for class of simple prot.)
ICLP06 5
Security protocol veri�cation
Do it formally:
• 1) protocol formalisation,
• 2) property formalisation,
• 3) the proof (automatic or by hand)
An important approach within Concurrency Theory:
• Process Calculi (enriched with crypto primitives):Treat (concurrent) processes much like the lambda cal-culi treat computable functions.
ICLP06 6
Example: SPL
Syntax:
ICLP06 7
SPL Modelling
Alice and Bob and Dole-Yao Spy:
The System Modelling All Attacks:
ICLP06 8
SPL Monotonic Semantics
Semantics: < Process, Names, Store >
Remember: Monotonic Store Assumption andName Generation
ICLP06 9
Example: Boreale and Buscemi's
Syntax:
Message Inference System:
ICLP06 10
Boreale and Buscemi's Semantics
Semantics (Con�gurations Store . Process).
Remember: Monotonic Store, Parametric in InferenceSystem, and Name Generation.
ICLP06 11
CCP Scenario & Concurrency
• Concurrent Executions of Agents.
• Synchronization: Via Blocking-Ask.
ICLP06 12
CCP Syntax
Let x, y, ..., be variables and γ, σ, ... be constraints(i.e., FOL formulae)
Agents A,B, ... := true
| tell(σ)| ask(σ).A| (νx)A| A ‖ B| p(X)
De�nitions D := ε| p(X) :: A| D.D
Programs P,Q := D.A
ICLP06 13
Operational Semantics
A(s,s′)−→ B means: A in store s reduces to B in s′.
TELL: tell(σ)(s,s∧σ)−→ true
ASK: ask(σ).A(s,s)−→ A , if s ` σ
PAR: A(s,s′)−→A′
A‖B(s,s′)−→A′‖B
HIDE: A(s,s′)−→A′
(localX)A(s,s′)−→A′
If X is fresh
ICLP06 14
A program example
D = max(X, Y, Z) :: (ask(X ≥ Y ).tell(Z = X))‖ (ask(Y > X).tell(Z = Y ))
A1 = tell(X > 20) ‖ tell(Y > 10) ‖ max(X, Y, Z)
A2 = tell(X > 20) ‖ tell(Y < 10) ‖ max(X, Y, Z)
• In A1 (initiated in the empty store) both ask agents arestuck.
• In A2 (initiated in any store) tell(Z = X) is output.
ICLP06 15
Constraint Systems
CCP is parametric in a constraint system
De�nition. A constraint system consists of a sig-
nature Σ and �rst-order theory ∆ over Σ.
• Constraints: formulae over Σ.
• Relation `: decidable entailment relation betweenconstraints.
Example: Boreale-Buscemi's constraint system: Σ speci�esthe crypto primitives and ` is given by
ICLP06 16
Observations
Observation 1: Boreale's Inference System ` gives riseto a particular constraint system.
Observation 2: CCP has a Monotonic Store (like SPL,Boreale's calculus, and others)
ICLP06 17
Some Reasoning Techniques
Closure-Operator and Logic Interpretations
Denotation [[ · ]] Formula F (·)[[ tell(σ) ]]= {γ | γ ` σ} σ
[[ ask(σ).A ]]= {γ | γ ` σ ⇒ γ ∈ [[ A ]]} σ ⇒ F (A)
[[ (νx)A ]] = {γ | ∃σ ∈ [[ A ]] : ∃xσ ⇔ ∃xγ} ∃xF (A)
[[ A ‖ B ]] = [[ A ]] ∩ [[ B ]] F (A) ∧ F (B)
Remark 1. (Behavioral Charecterization)[[ A ]] = [[B ]] i� not context can operationallydistinguishA from B.
Remark 2. (Rechability Charecterization)A output σ i� and only if F (A) ⇒ σ
Notice the correspondence between (νx)A and ∃xF (A).
Other tools: Proof systems for Model Checking, PetriNet Semantics, True Concurrent Semantics.
ICLP06 18
Modelling Security Protocols with
CCP
A CCP Strategy for reasoning about protocols:
• Use CCP with Boreales's constraint system.
• Use Tells to output messages on the network and Asksto input them.
• Then use reasoning techniques of CCP.
Almost done. Do we have name (or nonce) generation andname passing as most of the calculi for security ?
• Can the CCP �(νx)�, i.e., existential quanti�cation
�(∃x)�, simulate the Pi-calculus (νx) ?
Not quite. But we will see to it.
ICLP06 19
Modelling the Pi (νx) in CCP
• Assume a constraint system with only predicates of theform out(.). The process
tell(out(42)) ‖ ask(out(y)).A.
does not execute A.
• Let us then extend the Ask to Persistent Universal Ask:
B = ∀~y ask(σ[~y]).A
Operationally:
B(s,s)−→ A[~x/~y] ‖ B, if s ` σ[~x/~y] .
• The logic counter-part is ∀~y σ[~y] ⇒ F (A).
• Now we have name passing. E.g., the process
tell(out(42)) ‖ ∀y ask(out(y)).A.
executes A[42/y].
ICLP06 20
Modelling the Pi (νx) in CCP
Do we have name generation? Can we now capture thepi-calculus ν with ∃ ?
Consider the the interpretation of a replicated versionof the π calculus in the logical counter-part of our extendedCCP:
Remark 1: π reduction as logic entailment.
if P → Q then [[ P ]] |= [[Q ]]
Remark 2: FOL Charecterization of π Barb Observability.
P ⇓ x if and only if [[ P ]] |= ∃z out(x, z)
ICLP06 21
Modelling the Pi (νx) in CCP
• Hence if we are interested in certain kind of reachabilityanalysis ∃ can capture the ν operator of the π-calculus.
• Application: Identi�cation of meaninful π-classes forwhich barbed reachability is decidable by using Classicresults from FOL. E.g.,
Example: Berney-Schon�nkel's process !x(y).(νz)!yzis a provider of fresh names. The Goedel's process(νz)(!xz | !z(u).u) waits on its secret channel.
ICLP06 22
Modelling the Pi (νx) in CCP
Example: Take P = (νz)(!xz | !z(u).u) and Q =x(y).yt and R = Q ‖ P. We have R ⇓t.
From the translation we get:
ICLP06 23
Modelling the Pi (νx) in CCP
But how robust is the interpretation of ν as ∃ ?
The correspondance holds in the absence of mistmatch.E.g., It would not hold for mistmatch [x 6= y].P with thenatural interpretation x 6= y ⇒ [[ P ]].
Let R = (νx)(νy)[x 6= y].!t.
• We have R ⇓t
• But [[ R ]] = ∃x∃y(x 6= y ⇒ out(t)) 6` out(t).
So if want a more faithfull correpondance we may have toconsider operators to reason about freshness, uniqueness,etc. E.g., Miller's ∇operator.
ICLP06 24
Conclusions
We believe that CCP + Universal Persistent Asks mayprovide a framework for reasoning about security protocols:
• Constraint System speci�es crypt primitives and spyknowledge.
• Monotonic store models the power of the spy (see andremember everything)
• Existential and Universal model nonce generation andname passing.
• The non-linear (i.e., persistent) nature of the frameworkmakes it suitable for protocols analysys with unboundedruns.
ICLP06 25
References
References
[BB01] G. Bella and S. Bistarelli. Soft constraints forsecurity protocol analysis: Con�dentiality. Lecture
Notes in Computer Science, 1990, 2001.
[CD99] K. Compton and S. Dexter. Proof techniques forcryptographic protocols. Lecture Notes in Com-
puter Science, 1644, 1999.
[Mil95] J. Millen. The Interrogator model. In IEEE Sym-
posium on Security and Privacy, pages 251�260.IEEE Computer Society, 1995.
ICLP06 26