CPSA+Maude+PDA + PVS

Carolyn Talcott & Sam Owre

SRI International

with help from Shaddin, Dusko, and Matthias and others

Protocol exchange, June 2005

Plan

• Viewing CPSA skeletons

• PVS formalization

• Execution of PDA

[Overview diagram of the components Maude, CPSA, PDA and PVS. Labels: display skeletons; ground execution of scenarios and attacks; symbolic execution; protocols; processes; skeletons; protocols using homomorphisms; processes and inference rules; define protocol; create role; derive protocol; verification and properties; discover conditions; compose/refine; formal model; verify theorems; certify claims.]

CPSA-Maude: Viewing CPSA Skeletons

• CPSA -> Maude -> JLambda

• String -> Sexp -> Strand exp -> JLambda exp

• Two tricks to printing:

• ordering columns

• spacing rows

S-expression external form

    (skeleton
      (identifiers (id original (sid resp 1)))
      (strands
        (strand (sid resp 1)
          (messages
            (sm - (conc (name A) (nonce Na)))
            ... ) ))
      (non (ltk (name B) (name S)) (ltk (name A) (name S)))
      ( (nonce Nb))
      (order)
      (safe))

Converting to Strand Exp

:= (skeleton )

    op sexp2skeleton : Sexp -> Skeleton .
    ceq sexp2skeleton(
          [a("skeleton")
           [a("identifiers") idsexpl]
           [a("strands") ssexpl]
           ....
           [a("safe") sasexpl]])
      = cpsa-skel(ids,ss,non,uniq,es,safe)
      if ids := sexpl2ids(idsexpl)
      /\ ss := sexpl2strands(ssexpl)
      ... .

Ordering Columns

• For each permutation of strands, count the crossings of strands between source and target of each edge

• Pick a permutation with the fewest crossings

Spacing Rows: Setting up Constraints

Assume a skeleton with k strands

    Nodes: st(i,j)   1 <= i <= k, 1 <= j <= ht(i)
    Edges: e-i = src-i < tgt-i   with src-i, tgt-i in Nodes

Causal order (CO) constraints, for e-i in Edges

    y(tgt-i) = y(src-i)

Arrival order (AO) constraints, for 1 <= i <= k

    y(st(i,j)) >= y(st(i,j-1)) + 1   for 1 <= j <= ht(i)

More generally AO constraints look like

    y(nd) >= max{ y(nd-0) + i-0 ...}

Spacing Rows: Solving Constraints

• Use CO equations: replace y(tgt-i) by y(src-i) in AO

• Collect like terms

• Use AO constraints: replace y(st(i,j)) by its rhs on rhs of remaining AO constraints

• If there is any AO of the form y(nd) >= y(nd) + nz, fail: drop some edge constraint and try again.

• Otherwise, start at the end of the AO list:

  • assign rhs nodes 0

  • compute max

  • propagate assigned values up

To Do (CPSA)

• Recognize when columns are not full height for better ordering.

• Start iop and have it run specified commands (under the hood).

• Resume implementation of homomorphism rewrite rules.

Strands in PVS (Sam’s work): Summary

• Initially worked from the Strand Spaces 1999 paper

• Defined strand spaces, penetrators, and proved most of the NSL protocol

• Turned then to the Shapes of Bundles report

• So far have defined skeletons and homomorphisms, proving TCCs and lemmas along the way

Strand Spaces 1999

• Mostly a direct formalization of the paper

• One problem is in Lemma 2.8, which is difficult to use directly in the proof of NSL (could not figure out how to discharge the hypothesis).

• One branch of NSL not proved: need to develop strategies to reduce tedium.

Lemma 2.8 restated

Suppose C a bundle and S < C is a set of nodes such that forall m m’ with m in S

• uns_term(m) = uns_term(m’) implies ( m in S iff m’ in S )

• uns_term(m) = uns_term(m’) and m’

If n is a

• This also closely follows the paper

• Many of the previous theories could be reused

Problems:

• It's difficult to determine what key constraints are so they can be formalized.

• After definition 2.2

    (S ☺ α^-1) ☺ α = S

  should be

    (S ☺ α^-1) ☺ α < S

• The definition of ☺ leads to TCCs that require making explicit assumptions about the underlying graph (no strand identification).

To Do (PVS)

• Finish formalizing and proving the Shapes of Bundles

• Develop strategies for proving different protocols

• Provide an interface to provide proof support for Maude specifications

• Extend to PDA model

PDA-Maude: Progress

• Representation of PDA terms, actions, programs (code) events, processes

• Ground execution semantics

• Symbolic execution semantics

Representing PDA Programs

• Terms: atoms, pairing, encryption

• Actions:

• send(tm,pa,pb)

• rcv(var,pva,pvb)

• newN(var) newK(kvar)

• match(tm,vl,tm0)

• Code: newK(v) ; (send(v,P,A) * send(v,P,B))

Representing PDA processes

• Events:

• e(eid,pid,actionClosure) -- ground

• e(eid,pid,action) -- symbolic

• History: event set (order implicit) -- ground

• View: v(ix,events,order,cstrs) -- symbolic

• Process:

    [pid, P | j, env, code, status | history/view ]

Execution semantics

    crl[rcv]:
      [pid, P, parent | j, env, rcv(tmv,pva,pvb) ; code, ready | history]
      msg(gtm,A,B,pid' : j')
      =>
      [pid, P, parent | s j, env', code, ready |
       history e(pid : j,P, rcvC(tmv,pva,pvb,gtm,A,B,pid' : j'))]
      **** bind rcv vars to values received
      if env' := addA(env, tmv : pva : pvb, gtm : A : B) .

    crl[srcv]:
      [pid, P | j, env, rcv(tmv,pva,pvb) ; code, ready | view ]
      =>
      [pid, P | s j, env', code, ready |
       addEvent(incIx(addEdges(view, pid : sd(j,1) < pid : j),3),
                e(pid : j,P, rcv(tmv',pva',pvb'))) ]
      **** generating new variables to freshly instantiate the binding vars
      if pstr := pid2str(pid)
      /\ i := viewIx(view)
      /\ tmv' := newTVar(tmv,pstr,i)
      /\ pva' := newPVar(pva,pstr, s i)
      /\ pvb' := newPVar(pvb,pstr, s s i)
      /\ env' := addA(env, tmv : pva : pvb, tmv' : pva' : pvb') .

Towards relating CPSA-PDA

Strands > Code (programs)

+ tm0 ; - tm1 ... ==> send(tm0',pa,pb) ; rcv(x,pvc,pvd) ; match(x,vl,tm1')

tm0' tm1' replace atom constants by fresh variables

vl is the list of variables not bound by preceding receive

a in unique ~ insertion of new(a)

k in non ~ uncompromised constraint

Conversely -- may need to restrict to sequential roles

Some formalization issues

• Constraints on matching inside encryptions

• PDA axioms as rewrite rules

• Matching becomes unification?

• Exists becomes fresh variables (skolem)

• Computational meaning of ‘forall’

To Do (PDA)

• Interaction with PDA

• Reasoning Rules as symbolic execution rules

• Formalization in PVS

To Do (Interoperation)

• Relation of CPSA and PDA concepts/rules

• Connecting components
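
The two printing tricks from the "Ordering Columns" and "Spacing Rows" slides above, as an added Python example (not code from the slides or from the CPSA-Maude tool). The function names are hypothetical; a crossing is read here as a strand drawn between an edge's source and target columns; classes merged by the CO equations and repeated max-propagation stand in for the term substitution on the slide; and dropping the last listed edge on failure is an arbitrary choice.

```python
from itertools import permutations

def order_columns(strands, edges):
    """Pick the left-to-right strand order with the fewest crossings: an edge
    crosses every strand drawn between its source and target columns."""
    def crossings(perm):
        col = {s: c for c, s in enumerate(perm)}
        return sum(max(abs(col[a[0]] - col[b[0]]) - 1, 0) for a, b in edges)
    return min(permutations(strands), key=crossings)

def space_rows(ht, edges):
    """ht: {strand i: height}; edges: [(src, tgt)] with nodes written (i, j).
    Returns ({node: row y}, [edges whose CO equation was dropped])."""
    nodes = [(i, j) for i in ht for j in range(1, ht[i] + 1)]
    edges, dropped = list(edges), []
    while True:
        rep = {n: n for n in nodes}          # CO: y(tgt) = y(src), so merge
        def find(n):
            while rep[n] != n:
                n = rep[n]
            return n
        for src, tgt in edges:
            rep[find(tgt)] = find(src)
        below = {find(n): set() for n in nodes}
        for i, j in nodes:                   # AO: y(st(i,j)) >= y(st(i,j-1)) + 1
            if j > 1:
                below[find((i, j))].add(find((i, j - 1)))
        y, progress = {}, True
        while progress:                      # assign 0 to unconstrained classes,
            progress = False                 # then propagate max(...) + 1 upward
            for c, preds in below.items():
                if c not in y and all(p in y for p in preds):
                    y[c] = max((y[p] + 1 for p in preds), default=0)
                    progress = True
        if len(y) == len(below):             # every class got a row
            return {n: y[find(n)] for n in nodes}, dropped
        dropped.append(edges.pop())          # y(nd) >= y(nd) + nz: drop an edge

# Constructed sample: three strands of height 2 and three message edges.
HT = {1: 2, 2: 2, 3: 2}
EDGES = [((1, 1), (3, 1)), ((3, 2), (2, 1)), ((2, 2), (1, 2))]
# Constructed sample whose two CO equations contradict the arrival order.
BAD = [((1, 2), (2, 1)), ((1, 1), (2, 2))]
```

On the second sample the two message edges cannot both be drawn horizontally, so one CO equation is dropped and that edge is drawn slanted.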