STATUS REPORT ON MAUDE-NPA TOOL



Similar documents
Static Program Transformations for Efficient Software Model Checking

Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions

Properties of Real Numbers

APPLYING FORMAL METHODS TO CRYPTOGRAPHIC PROTOCOL ANALYSIS: EMERGING ISSUES AND TRENDS

8.2. Solution by Inverse Matrix Method. Introduction. Prerequisites. Learning Outcomes

26 Integers: Multiplication, Division, and Order

Formal Methods in Security Protocols Analysis

The Method of Partial Fractions Math 121 Calculus II Spring 2015

Clock Arithmetic and Modular Systems Clock Arithmetic The introduction to Chapter 4 described a mathematical system

Solving Systems of Linear Equations

Click on the links below to jump directly to the relevant section

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

Factoring Quadratic Expressions

Solving simultaneous equations using the inverse matrix

1.6 The Order of Operations

Software Verification: Infinite-State Model Checking and Static Program

MATH10212 Linear Algebra. Systems of Linear Equations. Definition. An n-dimensional vector is a row or a column of n numbers (or letters): a 1.

CHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs

5.5. Solving linear systems by the elimination method

Regression Verification: Status Report

Applications of Fermat s Little Theorem and Congruences

Chapter 2: Linear Equations and Inequalities Lecture notes Math 1010

Data Structures and Algorithms

ALGEBRA 2 CRA 2 REVIEW - Chapters 1-6 Answer Section

5 means to write it as a product something times something instead of a sum something plus something plus something.

Matrix Algebra. Some Basic Matrix Laws. Before reading the text or the following notes glance at the following list of basic matrix algebra laws.

Algebraic expressions are a combination of numbers and variables. Here are examples of some basic algebraic expressions.

Math Content by Strand 1

5 Systems of Equations

Theories of Homomorphic Encryption, Unification, and the Finite Variant Property

5.3 SOLVING TRIGONOMETRIC EQUATIONS. Copyright Cengage Learning. All rights reserved.

Lecture 2: Complexity Theory Review and Interactive Proofs

Grade 5 Math Content 1

Computing exponents modulo a number: Repeated squaring

Part 1 Expressions, Equations, and Inequalities: Simplifying and Solving

Language-oriented Software Development and Rewriting Logic

Cosmological Arguments for the Existence of God S. Clarke

Cost Model: Work, Span and Parallelism. 1 The RAM model for sequential computation:

General Framework for an Iterative Solution of Ax b. Jacobi s Method

Model Checking Security Protocols

Quotient Rings and Field Extensions

Translating Stochastic CLS into Maude

Tom wants to find two real numbers, a and b, that have a sum of 10 and have a product of 10. He makes this table.

Linear Programming Notes V Problem Transformations

Probability Using Dice

6.3 Conditional Probability and Independence

10.2 ITERATIVE METHODS FOR SOLVING LINEAR SYSTEMS. The Jacobi Method

Basic Proof Techniques

A Second Course in Mathematics Concepts for Elementary Teachers: Theory, Problems, and Solutions

What Is Singapore Math?

Notes on Complexity Theory Last updated: August, Lecture 1

Experiment 4 ~ Resistors in Series & Parallel

5 Homogeneous systems

6. LECTURE 6. Objectives

Lesson 18: Introduction to Algebra: Expressions and Variables

OPERATIONAL TYPE THEORY by Adam Petcher Prepared under the direction of Professor Aaron Stump A thesis presented to the School of Engineering of

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Linear Algebra Notes

WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?

CORRELATED TO THE SOUTH CAROLINA COLLEGE AND CAREER-READY FOUNDATIONS IN ALGEBRA

Formal Verification and Linear-time Model Checking

2.6 Exponents and Order of Operations

9.2 Summation Notation

VHDL Test Bench Tutorial

Bindings, mobility of bindings, and the -quantifier

Simple Examples. This is the information that we are given. To find the answer we are to solve an equation in one variable, x.

Elementary Logic Gates

0.0.2 Pareto Efficiency (Sec. 4, Ch. 1 of text)

Chapter 4.1 Parallel Lines and Planes

Lecture 11: Tail Recursion; Continuations

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

LS.6 Solution Matrices

Solution of Linear Systems

Chapter 11 Number Theory

Model Checking: An Introduction

Solving Systems of Linear Equations

Electronic Voting Protocol Analysis with the Inductive Method

Congruent Number Problem

AC : MATHEMATICAL MODELING AND SIMULATION US- ING LABVIEW AND LABVIEW MATHSCRIPT

Jieh Hsiang Department of Computer Science State University of New York Stony brook, NY 11794

POLYNOMIAL FUNCTIONS

Full and Complete Binary Trees

The Halting Problem is Undecidable

Two Fundamental Theorems about the Definite Integral

One advantage of this algebraic approach is that we can write down

Public Key Encryption Protocols And Their Models

BEST METHODS FOR SOLVING QUADRATIC INEQUALITIES.

of Nebraska - Lincoln

Basic Logic Gates Richard E. Haskell

Partial Fractions. Combining fractions over a common denominator is a familiar operation from algebra:

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Solving Equations by the Multiplication Property

Transcription:

STATUS REPORT ON MAUDE-NPA TOOL Catherine Meadows Santiago Escobar Jose Meseguer September 28, 2006 1

GOAL Extend standard free algebra model of crypto protocol analysis to deal with algebraic properties Encryption-decryption Exclusive-or Diffie Hellman Etc. Provide tool that can be used to reason about these in unbounded session model 2

Approach Use rewriting logic as general theoretical framework Specify crypto protocols formally as rewrite rules and algebraic identities as equational properties Use narrowing modulo equational theories as symbolic reachability analysis method Combine with state reduction techniques of NRL Protocol Analyzer Implement in Maude programming environment Rewriting logic gives theoretical framework and understanding Maude implementation gives us tool support 3

PLANS Formalize techniques in rewriting logic DONE Initial version of Maude-NPA tool Grammar generation Backwards narrowing reachability analysis Soundness and completeness theorems Paper to appear in TCS special issue on ARSPA Include state reduction techniques (NPA and new) Grammar generation DONE Other techniques to improve efficiency (partially done) Extend model to different types of equational theories Ongoing Have implemented an initial AC version of tool in Maude Need to extend grammars and other state reduction techniques to these equational theories 4 Termination results for grammar generation (future)

Covered Today Overview of how NPA works Description of optimizations Where we are in AC Unification Summing up 5

REWRITING LOGIC IN A NUTSHELL 6

NARROWING AND BACKWARDS NARROWING 7

BASIC STRUCTURE OF Uses strand space model MAUDE-NPA Searches backwards through strands from final state Set of rewrite rules governs how search is conducted Sensitive to past and future Used to prevent infinite loops Learn-once rule says intruder can learn term only once When an intruder learns term in a backwards search, tool keeps track of this and doesn t allow intruder to learn about it again 8

Specify Protocols as Strands 9

NOTION OF STATE IN NPA STRANDS 10

Protocol Rules and Their Execution 11

Introducing New Strands 12

Covered Today Overview of how NPA works Description of optimizations AC Unification Summing up 13

Execute Rule 1 First (50%) 14

Partial Order Reduction (70%) 15

Using the Power of Strands (20% for each) 16

Lazy Intruder (30%) 17

A Refinement Kill the ghost if its variable subterms only appear in the future In that case, there is no way they can be instantiated Another example of the power of strands: you can see the past at a glance! 18

Conflict Between Ghosts and P.O. Reduction A state that dominates another could stop doing once a ghost is revived Our solution: include the ghost when computing the partial order Potentially more powerful solution, in which dominated states are part of the ghost, may be implemented later 19

Major Slowdowns Remaining In order to make experimentation with different techniques easier, we use a generate and test strategy Results in many more states generated than used Once we have better understanding of optimizations, can implement them in a more integral way Lack of unification in Maude Unification implemented in tool Once unification implemented in Maude, this should speed things up 20

Covered Today Overview of how NPA works Description of optimizations AC Unification Summing up 21

Status of AC Unification Have implemented AC unification via interface to the CIME tool Two sources of inefficiency Calls to CIME tool CIME unification untyped, our unification typed However, is adequate for experimentation with AC 22

Recall How Languages Generated Search backwards from seed term Look at terms intruder needs to know to learn seed term Use heuristics to create language rules saying one of these terms is in the language Iterate until you can prove that if the intruder knows a term in the language, must have previously known term in language 23

An Observation on Language Generation Heuristics 24

But, keep on searching. 25

Covered Today Overview of how NPA works Description of optimizations AC unification Summing up 26

Summing Up We have the theoretical infrastructure in place We have the basic implementation We are starting to turn it into a working tool We are starting to experiment with AC unification To do More optimizations Termination results Verification on benchmarks: Clarke-Jacob, SPORE, Avispa Tool integration 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information