csp semantics

CSP SemanticsCSP Semantics

ISA 763ISA 763Security Protocol VerificationSecurity Protocol Verification

We thank Professor Csilla Farkas of USC for providing some We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparencytransparencies that were used to construct this transparency

CSP SemanticsCSP Semantics 22

ReferencesReferences The Theory and Practice of Concurrency by A. W. The Theory and Practice of Concurrency by A. W.

Roscoe, available at Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.web.comlab.ox.ac.uk/oucl/work/bill.roscoeroscoe/publications/6/publications/68b.pdf 8b.pdf

Chapters 4 and 5 of Modeling and analysis of security Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. protocols by Peter Ryan and Steve Schneider.

The FDR2 User Manual available at The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual.http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Tophtml#SEC_Top

Formal Systems, FDR download, Formal Systems, FDR download, http://www.fsel.com/http://www.fsel.com/ M. Morgenthal: Design and Validation of Computer M. Morgenthal: Design and Validation of Computer

Protocols, Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.htmlhttp://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.html

http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top

http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top

http://www.fsel.com/

http://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.html


CSP Semantics - 1CSP Semantics - 1 Operational SemanticsOperational Semantics

Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a such as the ones used in imperative languages using a

program counter, next instruction stack etc.program counter, next instruction stack etc. Denotational SemanticsDenotational Semantics

The language is translated to another abstract domain The language is translated to another abstract domain Translate the basic constructsTranslate the basic constructs Translate the combinators to constructs in the target domainTranslate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of Use a compositionality principle to construct the denotation of

the whole program from translated partsthe whole program from translated parts Algebraic SemanticsAlgebraic Semantics

Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting all programs in that formall programs in that form

Describe how to execute the program in normal formDescribe how to execute the program in normal form


CSP Semantics - 2CSP Semantics - 2 Operational SemanticsOperational Semantics

Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS)Construct a labeled transition system (LTS)

Denotational SemanticsDenotational Semantics The language is translated to another abstract domain The language is translated to another abstract domain Trace semantics, Failure Divergence SemanticsTrace semantics, Failure Divergence Semantics

Algebraic SemanticsAlgebraic Semantics Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting

all programs in that formall programs in that form Proof rulesProof rules


Operational SemanticsOperational Semantics

Labeled transition system (LTS)Labeled transition system (LTS)Nodes:Nodes: state of the process state of the processDirected edges:Directed edges: events events

Visible eventsVisible events Internal transitionsInternal transitions

Recall Trace Refinement:Recall Trace Refinement:S S ⊑⊑TT T T iff iff trace(T) trace(T) trace(S) trace(S)


An example LTSAn example LTS

Image from M. Morgenthal


Another LTS ExampleAnother LTS Example



Connection between LTS ExamplesConnection between LTS Examples

An Implementation of An Implementation of SS as: as: A ||| BA ||| B where where AB = a AB = a b b AB and AB and AC = a AC = a c c AC ACwherewhere AA corresponds to AA corresponds to AB ||| ACAB ||| AC BA corresponds to BA corresponds to bb→ AB ||| AC→ AB ||| AC AC corresponds to AC corresponds to AB||| (c → AC)AB||| (c → AC) BC corresponds to BC corresponds to b → AB||| (c → AC)b → AB||| (c → AC)


AAAA corresponds corresponds to to AB ||| ACAB ||| ACBABA corresponds corresponds to to b→ AB ||| ACb→ AB ||| ACACAC corresponds corresponds to to AB||| (c → AC)AB||| (c → AC)BCBC corresponds corresponds to to b → AB||| (c → b → AB||| (c → AC)AC)


Traces Refinement CheckTraces Refinement Check



Trace RefinementsTrace RefinementsAn implementation An implementation refinesrefines the trace of a the trace of a

processprocessHence we would like an implementation to Hence we would like an implementation to

satisfy the specificationsatisfy the specificationWhich properties? Which properties?

For his class, those trace properties used to For his class, those trace properties used to specify security properties.specify security properties.


Denotational SemanticsDenotational Semantics Recall Trace Semantics for CSP processesRecall Trace Semantics for CSP processes Could not reason the difference between Could not reason the difference between

external choice and internal choiceexternal choice and internal choice Example: consider Example: consider ={a,b} and={a,b} andQ1 Q1 ≡(a→STOP) ≡(a→STOP) □ □ (b→STOP) (b→STOP) Q1 Q1 ≡(a→STOP) ≡(a→STOP) ΠΠ (b→STOP)(b→STOP)Q3 Q3 ≡STOP ≡STOP ΠΠ(a→STOP) (a→STOP) □□(b→STOP)(b→STOP) Refusal set of Q1={}Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b}Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of Q3 can refuse any subset of ..


Refusal SetsRefusal SetsP1 {c}

{a, c}

{a, b, c} {a, b, c}

P2 {c}

{b, c}

{a, b, c} {a, b, c}

P3 {c}

{b, c} {a, c}

{a, b, c} {a, b, c}

P4 {c}

{b, c} {a, c}

{a, b, c} {a, b, c}

a b

b a

b

a

a b

c c

a b

{b, c}


Refusal SetsRefusal Sets P1 P1 ≡ (a → b→ STOP) ≡ (a → b→ STOP) □ □ (b → a → STOP)(b → a → STOP)

≡ ≡ (a → STOP) (a → STOP) ||| ||| (b → STOP)(b → STOP)Failure Sets = (<>,{}), (<>,c), Failure Sets = (<>,{}), (<>,c), (<a>, {a,c}), (<ba>,{a,b,c})(<a>, {a,c}), (<ba>,{a,b,c})

P2 ≡ (c→a→STOP)P2 ≡ (c→a→STOP)□□(b→c→STOP)\ c(b→c→STOP)\ c Failure sets ={(<>,X| X Failure sets ={(<>,X| X {b,c}} {b,c}} UU

{(<a>,X),(<b>,X)| {(<a>,X),(<b>,X)| X X {a,b,c}}{a,b,c}} Internal actions introduce nondterminismInternal actions introduce nondterminism


Refusal SetsRefusal Sets P3 P3 ≡ (a → STOP) ≡ (a → STOP) ΠΠ (b → STOP)(b → STOP) Must accept one of {a} or {b} if both {a,b} Must accept one of {a} or {b} if both {a,b}

are offeredare offered Different from Different from

P1 - must accept either P1 - must accept either P2 - must accept aP2 - must accept a

P4 ≡ (c→a→STOP)P4 ≡ (c→a→STOP)□□(c→b→STOP)(c→b→STOP) After <c> refuses {X|{a,b}⊈X}After <c> refuses {X|{a,b}⊈X} Failure allows us to distinguish between Failure allows us to distinguish between

internal and external choice –traces could internal and external choice –traces could not do this!not do this!


Failure SemanticsFailure Semantics failure(P)failure(P) = {(s,X)| s = {(s,X)| s∈∈ΣΣ* and P/s does not * and P/s does not

accept any x accept any x∈X}∈X}Failure Refinement:Failure Refinement: P⊑P⊑FFQQ (read Q (read Q

failure refines P) ifffailure refines P) ifftrace(Q) trace(Q) trace(P) andtrace(P) and failure(Q) failure(Q) failure(p)


DivergenceDivergence pp≡(≡(p.a→p)\{a}p.a→p)\{a} Cannot observe Cannot observe aa externally. externally. Diverges – i.e. looks like a Diverges – i.e. looks like a -loop-loop We do not care what happens after a We do not care what happens after a

process divergesprocess diverges

SS

aa

SS


Failure and DivergenceFailure and Divergence

Add extra symbol Add extra symbol ✔✔ to to ΣΣ to indicate that the to indicate that the process has terminatedprocess has terminated

Interpretation:Interpretation: ✔✔ is emitted by the process to is emitted by the process to the environment to indicate normal the environment to indicate normal terminationtermination

P P ⇒⇒ss⇒ Q means process P becomes Q⇒ Q means process P becomes QStable State:Stable State: a state that does not a state that does not

accept accept


Failure and DivergenceFailure and Divergence trace(P)≡{trace(P)≡{s∈ ∈ ΣΣ*U{*U{✔} | } | ∃Q.∃Q.P P ⇒⇒ss⇒ Q}⇒ Q} tracetrace⊥⊥(P)≡{(P)≡{s: (t,X)∈F} is a prefix closed set∈F} is a prefix closed set diveregnce(P)≡{diveregnce(P)≡{s^t|s∈ s^t|s∈ ΣΣ*,*,t∈ t∈ ΣΣ*U{*U{✔✔} }

∃∃Q.Q.P P ⇒⇒ss⇒ Q, Q div}⇒ Q, Q div}Extension closed sets of traces that has an infinite set of actions

failurefailure⊥⊥(P)(P)={(s,X)| s is a trace and X is set ={(s,X)| s is a trace and X is set of actions that can be refused in a of actions that can be refused in a stable state of P}state of P}


The Failures Divergence ModelThe Failures Divergence Model ⊥⊥ℕℕ=(=(ΣΣ*U{*U{✔}} x ℘( x ℘(ΣΣU{U{✔}), }), ΣΣ*U{*U{✔} )} )

Refers to ( (s, actions: D): Failure, Refers to ( (s, actions: D): Failure, strings: Divergent string )strings: Divergent string )

Any non-empty subset S of Any non-empty subset S of ℕ has an infimum ℕ has an infimum given bygiven by ⊓ ⊓ S =S =( {F|(F,D)⋃( {F|(F,D)⋃ ∈S}, ∈S}, {D |(F,D)⋃ {D |(F,D)⋃ ∈S})∈S})

Supremum of aSupremum of a directed set △ is given by directed set △ is given by ⊔⊔S =S =(∩{F|(F,D)(∩{F|(F,D)∈ △}, ∈ △}, ∩{D |(F,D)∩{D |(F,D)∈ △})∈ △})

Theorem:Theorem: If If ΣΣ is finite then is finite then ((ℕ, ⊑ℕ, ⊑FDFD,, ⊓, ⊔) ⊓, ⊔) is a is a complete partial ordercomplete partial order


Computing the FD Semantics-1Computing the FD Semantics-1

failuresfailures⊥(STOP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(STOP)={}divergences(STOP)={} failuresfailures⊥(SKIP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(SKIP)={}divergences(SKIP)={} failuresfailures⊥(a→pa→p)={(<>,X)|a∉X} U U

{(<a>^s,X):a∈ ∈ failuresfailures⊥(P)} divergences(divergences(a→pa→p)= )=

{(<a>^s,X):s∈divergence∈divergence(P)}



failuresfailures⊥(?x:A→p→p)={(<>,X)|X∩A={}} U U {(<a>^s,X):a∈ ∈ failuresfailures⊥(P)}

divergences(divergences(?x:A→p?x:A→p)= )= {(<a>^s,X):s∈∈divergence(P[a/x])}

failuresfailures⊥(P⊓Q)=failuresfailures⊥(P) U U failuresfailures⊥(Q) divergences(divergences(P⊓Q)= )=

divergencedivergence(P) U U divergencedivergence(Q)


Computing the FD Semantics-3Computing the FD Semantics-3 divergences(divergences(P□Q) ) = =

divergencedivergence(P) U U divergencedivergence(Q) failuresfailures⊥(P□Q)={(<>,x)| (<>,x)∈ ∈ failuresfailures⊥(P)∩failuresfailures⊥(Q)}

U {(s,X): s≠<>,(s,X)U {(s,X): s≠<>,(s,X)∈∈failuresfailures⊥(P)UUfailuresfailures⊥(Q)}

U {(s,X):<>U {(s,X):<>∈∈diveregencediveregence(P)UUdiveregencediveregence(Q)}U {(s,X):X U {(s,X):X XΣΣ, <, <✔> )> )∈∈tracetrace⊥(P)U U tracetrace⊥(Q)}



divergences(divergences(P||XQ) ) ={u^v|={u^v|ss∈ ∈ tracetrace⊥(P), tt∈∈tracetrace⊥(Q), u∈(s||∈(s||XXt)t)∩ ΣΣ*,*, ss∈∈divergencedivergence(P) or t t∈∈divergencedivergence(Q) }

failuresfailures⊥(P||XQ)={(u,YUZUZ)| u∈ s||∈ s||XXttY\(XU {U {✔})}) = = Z\(XU {U {✔})}) /\ /\s,t (s,Y)s,t (s,Y)∈failures∈failures⊥(P), (t,Z)(t,Z)∈∈failuresfailures⊥(Q)

{(u,Y)|u{(u,Y)|u∈∈diveregencediveregence(P||XQ)}


Computing the FD Semantics-5Computing the FD Semantics-5 divergences(divergences(P\X) ) = =

{(s\X)^t| ss∈∈divergencedivergence(P)} U {(u\X)^t| u{(u\X)^t| u∈∈ΣΣ /\ (u\x) is finite /\ /\ (u\x) is finite /\

∀∀s< u, s∈traces< u, s∈trace⊥(P)(P)} failuresfailures⊥(P\X)=

{(s\X,Y)| (s,Y(s,YUXUX))∈failures∈failures⊥(P)} U

{(s,X)|s{(s,X)|s∈∈diveregencediveregence(P\X)}


Deterministic ProcessesDeterministic Processes A process is said to be A process is said to be deterministicdeterministic if if 1.1. t^<a>t^<a>∈∈tracetrace(P) ⇒ (t,{a})∉(P) ⇒ (t,{a})∉failure(P)failure(P)2.2. divergence(P) ={}divergence(P) ={} That is, never diverges and do not have the That is, never diverges and do not have the

choice of accepting and refusing an actionchoice of accepting and refusing an action Deterministic processes are the maximal Deterministic processes are the maximal

elements under elements under ⊑⊑FDFD Example:Example: (a (a→STOP)□(a→a→STOP) is non-→STOP)□(a→a→STOP) is non-

deterministicdeterministic


Deterministic Processes and LTSDeterministic Processes and LTS

Two nondeterministic LTS whose behavior Two nondeterministic LTS whose behavior is deterministicis deterministic

aa a

a


Abstraction - 1Abstraction - 1Abstraction = hide detailsAbstraction = hide detailsExample:Example: many-to-one renamingmany-to-one renaming

[(a[(a→c→→c→STOPSTOP)□(b→d→)□(b→d→STOPSTOP)] [[b/a]])] [[b/a]]= (a→c→STOP) □(a→d→= (a→c→STOP) □(a→d→STOPSTOP)] )] = a→( (c→= a→( (c→STOPSTOP)⊓(d→)⊓(d→STOPSTOP) ) ) ) Eager abstractionEager abstraction: hiding operator: hiding operatorℰℰHH(P)=(P)=p\H – assumes that events in H p\H – assumes that events in H

pass out of sightpass out of sight


Abstraction - 2Abstraction - 2Lazy abstractionLazy abstraction: Projection of P into L: Projection of P into LℒℒHH(P)= P@L= (P)= P@L=

{(s\H,X)|(s,X∩L)∈ failures{(s\H,X)|(s,X∩L)∈ failures⊥(P)} Example: L={l1,l2}, H={h}

P ≡ (l1→P) □ (l2→h→P) □ (h→P) →P) □ (l2→h→P) □ (h→P) ℒℒHH(P)= Q (P)= Q ≡ (l1→Q) □ l2→(STOP⊓Q) →Q) □ l2→(STOP⊓Q)

Finite traces of Finite traces of ℒℒHH(P) are precisely {s\(P) are precisely {s\H| s ∈ tracesH| s ∈ traces(P)}


CasperCasperCompilerCompilerEasy to specify protocols and security Easy to specify protocols and security

propertiespropertiesE.g., Yahalom protocolE.g., Yahalom protocol

Input: 1 page protocol and security spec.Input: 1 page protocol and security spec.Output (CSP): 10 pagesOutput (CSP): 10 pages


Casper Casper Protocol Definition: Protocol Definition:

protocol operation, including protocol operation, including messages between the agents, messages between the agents, tests performed by the agents, tests performed by the agents, types of data, types of data, initial knowledge, initial knowledge, specification of the protocol’s goals, specification of the protocol’s goals, algebraic equivalences over the typesalgebraic equivalences over the types

Components:Components: Protocol descriptionProtocol description Free variablesFree variables ProcessesProcesses SpecificationSpecification


Casper Casper System definition:System definition: actual system to be actual system to be

checked, including agents, their roles, checked, including agents, their roles, actual data types, intruder’s abilitiesactual data types, intruder’s abilities

Components:Components:Actual variablesActual variablesFunctionsFunctionsSystemSystem Intruder informationIntruder information


Protocol DescriptionProtocol Description



Free VariablesFree Variables



ProcessesProcesses



SpecificationSpecification



System specs: VariablesSystem specs: Variables



System specs: Functions System specs: Functions



System specs: The System System specs: The System



System specs: The IntruderSystem specs: The Intruder


csp semantics

Documents