1. Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented by Daniel Schreckling (Univ. Passau, Germany) and Lidia Yamamoto (Univ. Basel, Switzerland)

2. Overview Introduction: context, motivation, and goal The Fraglets language – Cryptofraglets – Threat model Maude specification language – Cryptofraglets in Maude – Case study: attack detection on Needham Schroeder Public Key (NSPK) protocol Conclusions, future work

3. Introduction Adaptive and autonomic systems need: – New methodologies to assess security and trustworthiness of network protocols and services in a potentially changing environment – Techniques for automated security verification Chemical computing (e.g. Gamma, Fraglets) as a tool for specifying autonomic behavior Goal – Development of a software tool supporting specification of crypto-protocols in Fraglets and their security analysis

4. The Fraglets Language Programming language inspired by chemistry – Code and data represented as molecules = strings = computation fragments – Processing by chemical reactions that consume and produce molecules (code and data) – Goal: automated synthesis and evolution of communication protocols

5. Fraglets Basic Instruction Set (educts)(products)

6. The Fraglets Language Fraglets processing: chemical reactions perform string rewriting operations – head of string fully determines rewriting operation – analogous to packet header processing in network protocols Distributed computation: Fraglets (computation fragments) flow through a computer network Applications: active networks, self-modifying code, autonomic communication protocols

7. Cryptofraglets Original Fraglets language lacked security features Cryptofraglets [BIONETICS 2006]: our extension of the Fraglets instruction set for – symmetric/asymmetric cryptography – hashing techinques Encryption [enc newtag k1 tail] → [newtag tail_k1] Decryption [dec newtag k2 tail_k2] → [newtag tail] Hash [hash newtag tail] → [newtag h(tail)]

8. Fraglets-Based Threat Model Protocol specification involving two honest roles – initiator S S – responder S R. Communication flow through untrusted store S X Secret keys initially contained in the legitimate store(s)

9. Definition of Security Properties It is now possible to define security properties (secrecy, authentication, integrity…) Classical notion of intruder’s knowledge rephrased: – the set of symbols that the intruder's store contains – example: secrecy property: “at each point of the computation, a symbol is secret between initiator and responder if it is not possible for the intruder store to know that symbol” (Formal definitions in the Bionetics 2009 paper)

10. The Maude Rewrite System Reflective Specification language and system based on Rewriting Logic Distributed systems specified as: – Algebraic data type axiomatizing system state – Rewrite rules axiomatising system’s local transitions Provides executable semantics and toolkit allowing for formal reasoning User-defined execution strategies allow for state exploration strategies, e.g., breadth-first search

11. What is a rewrite rule? mod climate is sort wheatercondition. op sunnyday : -> wheatercondition. op rainyday : -> wheatercondition. rl [raincloud] : sunnyday => rainyday. Endm

12. Maude “search” strategies Maude commands – rewrite, can explore one possible sequence of rewrites – search command looks for all the possible traces from an initial to a particular configuration of interest (e.g. set of fraglets in store X) Possibility to exploit built-in toolkits: – model checker – theorem prover, – User-defined ad hoc search strategies

13. We use Maude for… Encoding of fraglets (crypto)instructions into an executable specification Perform security analysis on this specification Case study – Formulation of Needham Schroeder Public Key protocol – Attack on flawed version of NSPK analyzed and detected

14. Encoding Fraglets instructions become rewrite rules Example – Dup (duplicate symbol) – Send (transfer fraglet from to another store)

15. Encoding En/decryption-instructions:

16. Case Study: NSPK Protocol Protocol authenticates two agents A and B At the end of the protocol – Agents know their identities – Agents share a secret (nonces) Original protocol was vulnerable to a man-in-the-middle attack Implementation of vulnerable version in fraglets

17. Flawed NSPK in Maude Translate fraglets version into Maude Command rewrite takes initial configuration of fraglets in stores A, B, and X Maude executes two interleaved sessions of NSPK At the end of computation: – Store A contains newly received nonce nb – Store B contains [what expected] – Store X contains [auxtag5 nb] Maude detects secrecy violation

18. Fraglets-Based NSPK: Execution in Maude

19. Conclusions Main result: – assessment of usefulness of executing fraglets specifications for security verification purposes Possible follow-ups: – analyzing complex security protocols and properties; – definition of the fraglets-based most powerful intruder to verify security properties over universal quantification

20. Acknowledgements! The authors would like to thank SO MUCH Daniel and Lidia for their precious help in physically presenting this work and carefully preparing this presentation! Clap Clap!!!