Download presentation

Presentation is loading. Please wait.

Published bySammy Braddy Modified over 2 years ago

1
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

2
Purposes Make more explicit compositionality of the original compositional logic (Durgin-Mitchell-Pavlovic 2001, Datta-Derek-Mitchell-Pavlovic 2003) Divide an honest principal's role into primitive actions Simplify the inferences of compositional logic Do not use,, temporal operators Give a semantics which is sound for our system Distinguish the monotonic properties and the non- monotonic ones 1

3
Review of Compositional logic Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003) Inference system based on Floyd-Hoare style logical framework to prove a protocol correctness An advantageous point: : "after a protocol action, holds from P 's view" For proving correctness of a compound protocol, we can reuse properties of its components. 2

4
: "if Q honestly follows his/her role- component, then holds". New idea of ours Divide an honest principal's role into primitive actions (sending, receiving, etc.) : "a principal Q is honest, then holds. " (cf.) Formalize honesty assumptions with explicit reference to a role-component 3

5
(denoted by ) The language (1): formulas Atomic formulas: atomic non-action formulas: atomic action formulas: (with n m) A sequence of actions: (described by a non-commutative conjunct of atomic action formulas) 4

6
: Q 's role-component : a sequence of actions performed by P : Q honestly follows a role-component : a property (a sequence of atomic action formulas or a non-action formula) : a set of properties The language (2): basic form of assertion If Q honestly follows his/her role-components, and if holds, after P performs a sequence of action holds from P 's view. 5

7
Receives, Fresh : monotonic properties Firstly Sends : non-monotonic properties is a monotonic property if we can freely apply the weakening rule. Weakening rule and monotonicity e.g. To include non-monotonic properties Require some restrictions on the weakening rule However, provide us more powerful derivations weakening 6

8
Axioms and inference rules 1. Logical inferences with equality 2. Action properties axioms axiom about actions axioms for relationship between properties 3. Honesty inferences 4. Weakening rule 7

9
1. Examples of Logical inference rules Cut Equality Inference rules for non-commutative conjunction ( ; ) 8

10
(for each i=1,...,n) 2. Action properties axioms (1) Axiom about actions: 9 Examples of axioms relationship between properties: Nonce verification 1: Freshness 1:

11
2. Action properties axioms (2) (related to the non-monotonic property "firstly sends") Firstly Sends: Ordering of actions: (Here is an action including.) These are useful to derive ordering of actions. 10

12
Idea of the Honesty Inference But, this is not enough. We need some inferences using assumptions about a principal's honesty. One can derive some performance of actions by a principal different from the viewer. (e.g.) P receives a message. is a secret part of Q's public key. contains a fresh value. Therefore, P knows that Q sends. We introduce the following three types of honesty inferences. 11 from P's view:

13
Substitution (sending): 3. Honesty inferences (1) receiving 12

14
Q honestly follows Q sends m'. Q does not follows Q sends m'' with m m'', m'' m'. Matching: 3. Honesty inferences (2) (where m m') does not appear below this inference. Condition: 13

15
Deriving another action (receiving): sending generating 3. Honesty inferences (3) 14

16
A composing process of honesty assumptions Other possibilities of combination: 15

17
Examples of correctness proofs Proof of the agreement property for the Needham- Schroeder public key protocol. Proof of the matching conversations for the Challenge Response protocol: 16

18
If the initiator (say, A) communicates with the responder (say, B) using the concrete values of nonces and, then there exists B actually performing the responder's role with the same nonces and. Example 1: Needham-Schroeder protocol (1) (Needham-Schroeder, 1978) initiator's concrete actions responder's role Agreement Property from A’s view: 17

19
Example 1: Needham-Schroeder protocol (2) A's view: by the information about key and nonce, by an equality inference, by the honesty inference (matching), with A’s roleQ’s role 18

20
Example 1: Needham-Schroeder protocol (3) On the other hand, by the information about key and nonce, by the honesty inference (substitution), A’s roleQ’s role 19

21
(Here.) Example 1: Needham-Schroeder protocol (4) Then by composition of honesty assumptions, Cut Comp(Hon) Honest(Role) Finally, A’s roleQ’s role A’s roleQ’s role 20

22
Example 2: CR protocol 3. Finally, we get 1. Following sequents are provable: 2. By “firstly sends” order 21

23
Soundness theorem Primitive state: State: a multiset of primitive states P has information m: Message m is transmitted through the network: Trace: a finite sequence of states Trace Semantics Theorem. If a sequent S is provable in our system, then S is true for any trace s which includes no duplicated atomic actions. 22

24
Conclusions and future work Made more explicit the compositionality of compositional logic Simplified the inference rules Gave a trace semantics Extend by adding,, temporal operators for more powerful derivations 23

Similar presentations

OK

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google