status report on maude-npa...
TRANSCRIPT
1
STATUS REPORT ON MAUDE-NPATOOL
Catherine Meadows Santiago Escobar Jose Meseguer
September 28, 2006
2
GOAL
• Extend standard free algebra model of cryptoprotocol analysis to deal with algebraicproperties– Encryption-decryption– Exclusive-or– Diffie Hellman– Etc.
• Provide tool that can be used to reason aboutthese in unbounded session model
3
Approach• Use rewriting logic as general theoretical framework
– Specify crypto protocols formally as rewrite rules andalgebraic identities as equational properties
• Use narrowing modulo equational theories assymbolic reachability analysis method
• Combine with state reduction techniques of NRLProtocol Analyzer
• Implement in Maude programming environment– Rewriting logic gives theoretical framework and
understanding– Maude implementation gives us tool support
4
PLANS• Formalize techniques in rewriting logic DONE
– Initial version of Maude-NPA tool• Grammar generation• Backwards narrowing reachability analysis• Soundness and completeness theorems
– Paper to appear in TCS special issue on ARSPA• Include state reduction techniques (NPA and new)
– Grammar generation DONE– Other techniques to improve efficiency (partially done)
• Extend model to different types of equational theories– Ongoing– Have implemented an initial AC version of tool in Maude– Need to extend grammars and other state reduction
techniques to these equational theories• Termination results for grammar generation (future)
5
Covered Today
• Overview of how NPA works• Description of optimizations• Where we are in AC Unification• Summing up
6
REWRITING LOGIC IN ANUTSHELL
7
NARROWING ANDBACKWARDS NARROWING
8
BASIC STRUCTURE OFMAUDE-NPA
• Uses strand space model• Searches backwards through strands from final state• Set of rewrite rules governs how search is conducted• Sensitive to past and future
– Used to prevent infinite loops– Learn-once rule says intruder can learn term only once– When an intruder learns term in a backwards search, tool
keeps track of this and doesn’t allow intruder to learn aboutit again
9
Specify Protocols as Strands
10
NOTION OF STATE IN NPASTRANDS
11
Protocol Rules and Their Execution
12
Introducing New Strands
13
Covered Today
• Overview of how NPA works• Description of optimizations• AC Unification• Summing up
14
Execute Rule 1 First (50%)
15
Partial Order Reduction (70%)
16
Using the Power of Strands (20% for each)
17
Lazy Intruder (30%)
18
A Refinement
• Kill the ghost if its variable subterms onlyappear in the future– In that case, there is no way they can be
instantiated• Another example of the power of strands: you
can see the past at a glance!
19
Conflict Between Ghosts and P.O.Reduction
• A state that dominates another could stopdoing once a ghost is revived
• Our solution: include the ghost whencomputing the partial order
• Potentially more powerful solution, in whichdominated states are part of the ghost, may beimplemented later
20
Major Slowdowns Remaining• In order to make experimentation with different
techniques easier, we use a “generate and test”strategy– Results in many more states generated than used– Once we have better understanding of optimizations, can
implement them in a more integral way• Lack of unification in Maude
– Unification implemented in tool– Once unification implemented in Maude, this should speed
things up
21
Covered Today
• Overview of how NPA works• Description of optimizations• AC Unification• Summing up
22
Status of AC Unification
• Have implemented AC unification viainterface to the CIME tool
• Two sources of inefficiency– Calls to CIME tool– CIME unification untyped, our unification typed
• However, is adequate for experimentation withAC
23
Recall How Languages Generated
• Search backwards from seed term• Look at terms intruder needs to know to learn
seed term• Use heuristics to create language rules saying
one of these terms is in the language• Iterate until you can prove that if the intruder
knows a term in the language, must havepreviously known term in language
24
An Observation onLanguage Generation Heuristics
25
But, keep on searching ….
26
Covered Today
• Overview of how NPA works• Description of optimizations• AC unification• Summing up
27
Summing Up
• We have the theoretical infrastructure in place• We have the basic implementation• We are starting to turn it into a working tool• We are starting to experiment with AC unification• To do
– More optimizations– Termination results– Verification on benchmarks: Clarke-Jacob, SPORE, Avispa– Tool integration