Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study: Using PVS to Analyze Security Protocols Kyle Taylor.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Case Study: Using PVS to Analyze Security Protocols Kyle Taylor."— Presentation transcript:

1 Case Study: Using PVS to Analyze Security Protocols Kyle Taylor

2 Overview Using PVS: – Specify Communication – Specify Encryption – Specify Intruder – Specify Protocol – Analyze Results

3 What is PVS General – Prototype Verification System – Inductive Theorem Prover – Augments classical higher-order logic with an advanced type system – Implemented in Common Lisp – Based upon 20 years of experience – Emacs Interface

4 What is PVS Cont. Intended for the formalization of requirements and high level design Functional Specification Language – Haskell, Lisp, ML PVS consists of – Specification language – Predefined theories – Proof Checker

5 PVS Specification Language Type checking is undecidable because of constrained types – Generates proof obligations for the theorem prover Assumptions Definitions Axioms Conjectures Theorems Lemmas

6 PVS Proof Checker Provides a collection of powerful primitive inference procedures – Propositional and quantified rules – Induction – Rewriting – Decision procedures for linear arithmatic Requires Interactive proving – Contains automated proof strategies

7 PVS and Security PVS does not have built in security or communication primitives The primitives need to be defined when a specification is developed Luckily the definitions of the security primitives can be reused

8 Communication and Encryption Messages are defined as a function – Said(Sender: P, Receiver: P, Fields: F) Fields are constructed by type coercion – Agent(Principle: P): F – Num(num: nat): F – Pkey(pkey: K): F – Con(field: F, field: F): F – Ped(pkey: K, field: F): F

9 Communication and Encryption Cont Encryption – Pub(principle: P): K – Priv(principle: P): K – Invkey(key: K): K Axiom – Invkey(pub(A))=priv(A)

10 Specifying Security Parts(S) – All sub fields of a set S Analz(S) – All sub fields of a set S that is accessible to an attacker Synth(S) – The set of fields that is constructible for S Secret() – Basic secrets Initial() – Initial attacker knowledge

11 Specifying a Protocol Each protocol step is a function – The function accepts a Message and a Trace – The function returns a bool – The function constrains the Message and the Trace

12 Specifying an Intruder Done with a function – The function accepts a Message, a Trace, and a set of initial knowledge – The function returns a bool – Constructs messages from a set of initial knowledge and the set of derivable knowledge present in a trace – Constructed message is from the intruder

13 ffgg Protocol 1. A  B: A 2. B  A: B, N 1, N 2 3. A  B: A, {N 1, N 2, M} PKB % {N 1, X, Y} PKB 4. B  A: N 1, X, {X, Y, N 1 } PKB

14 Ffgg Attack A  B: A (A)  B’: A % masquerade B  (A): N 1, N 2 B’  (A): N’ 1, N’ 2 (B)  A: N 1, N’ 1 A  B: {N 1, N’ 1, M} PKB B  (A):N 1, N’ 1, {N’ 1, M, N 1 } PKB (A)  B’: {N’ 1, M, N 1 } PKB B’  (A): N’ 1, M, {M, N 1, N’ 1 } PKB

15 ffgg Specification a1(E,H): bool= EXISTS (A, B): A /= B AND E = Said(A, B, Con(Num(1), Agent(A)))

16 ffgg Specification Cont ffgg(Q: trace): RECURSIVE bool= CASES Q OF cons(E, H): ffgg(H) AND (Fake(E, H, initial) OR a1(E, H) OR b2(E, H) OR a3(E, H) OR b4(E, H)), null: TRUE ENDCASES MEASURE length

17 ffgg Results PVS derived a case enumerating a trace of the attack that the user would have to prove

18 Discussion Lessons Learned – Learning PVS is not trivial Specification and prover are not intuitive – Theorem proving has the ability to be very useful – Security is tricky Limitations – Amount of background required of the user – Amount of training time required – Ambiguity of specification

19 Future Work Develop a theorem prover that is specifically designed for Security protocols (Athena?) Provide a less powerful specification language to increase simplicity Provide better separation of modules

20 Conclusion 6 month estimate to learn PVS is very optimistic One on one training with a PVS guru is a must Limited use due to ambiguity of specifications

21 References Millen, “A Necessarily Parallel Attack”, FMSP ‘99, http://www.csl.sri.com/users/millen/capsl/ http://www.csl.sri.com/users/millen/capsl/ Crow, Owre, Rushby, Shankar, Srivas, “A Tutorial Introduction to PVS” WIFT ’95, http://pvs.csl.sri.com/http://pvs.csl.sri.com/ Butler, “An elementary tutorial on formal specification and verification using PVS”, http://pvs.csl.sri.com/http://pvs.csl.sri.com/ Owre, Shankar, Rushby, “The PVS Specification Language”, http://pvs.csl.sri.com/ http://pvs.csl.sri.com/ Owre, Shankar, Rushby, “Users Guide for the PVS Specification and Verification System”, http://pvs.csl.sri.com/http://pvs.csl.sri.com/

Download ppt "Case Study: Using PVS to Analyze Security Protocols Kyle Taylor."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.

Programmed Strategies for Program Verification Richard B. Kieburtz OHSU/OGI School of Science and Engineering and Portland State University.
Some Prolog Prolog is a logic programming language

Some Prolog Prolog is a logic programming language
ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.

ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.
Isabelle / HOL Theorem Proving System

Isabelle / HOL Theorem Proving System
Introduction to Proofs

Introduction to Proofs
ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS

ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS
Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Logic.

Logic.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.

Code-Carrying Proofs Aytekin Vargun Rensselaer Polytechnic Institute.
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
CSE 914 - Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.

CSE Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.

After today Week 9 –Tu: Pat Rondon –Th: Ravi/Nathan Week 10 –Tu: Nathan/Ravi –Th: Class canceled Finals week –Th: Zach, John.
Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping.

Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping.
Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.

Similar presentations

Ads by Google