Formal Aspects of Security and Trust, 7th International Workshop, FAST 2010 Pisa, Italy, September 16-17, 2010 Revised

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbruecken, Germany

6561

Pierpaolo Degano Sandro Etalle Joshua Guttman (Eds.)

Formal Aspects of Security and Trust 7th International Workshop, FAST 2010 Pisa, Italy, September 16-17, 2010 Revised Selected Papers

13

Volume Editors Pierpaolo Degano Università di Pisa, Dipartimento di Informatica Largo Bruno Pontecorvo, 3, 56127 Pisa, Italy E-mail: [email protected] Sandro Etalle Technical University of Eindhoven Faculty of Mathematics and Computer Science P.O. Box 513, 5600 MB Eindhoven, The Netherlands E-mail: [email protected] Joshua Guttman Worcester Polytechnic Institute, Computer Science 100 Institute Road, Worcester, MA 01609, USA E-mail: [email protected]

ISSN 0302-9743 e-ISSN 1611-3349 ISBN 978-3-642-19750-5 e-ISBN 978-3-642-19751-2 DOI 10.1007/978-3-642-19751-2 Springer Heidelberg Dordrecht London New York Library of Congress Control Number: 2011922329 CR Subject Classification (1998): C.2.0, K.6.5, D.4.6, E.3, K.4.4, H.3-4 LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer-Verlag Berlin Heidelberg 2011 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com)

Preface

The present volume contains the proceedings of the seventh international workshop on Formal Aspects of Security and Trust (FAST 2010), held in Pisa, Italy, 16–17 September 2010, as part of the 8th IEEE International Conference on Software Engineering and Formal Methods (SEFM 2010). FAST aims to foster cooperation among researchers in the areas of security and trust. As computing and network infrastructures become increasingly pervasive, and as they carry increasing economic activity, society needs well-matched security and trust mechanisms. These interactions increasingly span several enterprises and involve loosely structured communities of individuals. Participants involved in these activities must control interactions with their partners based on trust policies and business logic. Trust-based decisions effectively determine the security goals for shared information and for access to sensitive or valuable resources. FAST sought original papers focusing on formal aspects of the following topics: security and trust policy models; security protocol design and analysis; formal models of trust and reputation; logics for security and trust; distributed trust management systems; trust-based reasoning; digital assets protection; data protection; privacy and id issues; information flow analysis; language-based security; security and trust aspects of ubiquitous computing; validation/analysis tools; web service security/trust/privacy; grid security; security risk assessment; and case studies. The proceedings of this, the seventh FAST workshop, contains a paper by Dusko Pavlovic based on his invited talk. It also comprises 14 revised papers selected out of 42 submissions. Each paper was reviewed by at least three members of the Program Committee, whom we wish to thank for their valuable efforts. We are also grateful to the organizers of SEFM 2010 for having accepted FAST 2010 as an affiliated event and for providing a perfect environment for running the workshop. Last but not least, many thanks to Andrei Voronkov, who allowed us to use the free conference software system EasyChair, which greatly simplified the work of the Program Committee. December 2010

Pierpaolo Degano Sandro Etalle Joshua Guttman

Conference Organization

Program Chairs Pierpaolo Degano Sandro Etalle Joshua Guttman

Program Committee Gilles Barthe Massimo Bartoletti Lujo Bauer Cas Cremers Fr´ed´eric Cuppens Pierpaolo Degano Sandro Etalle, Eindhoven Joshua Guttman Chris Hankin Bart Jacobs Christian Damsgaard Jensen Fabio Martinelli Sjouke Mauw Catherine Meadows Ron van der Meyden Mogens Nielsen Dusko Pavlovic Riccardo Pucella Peter Ryan Steve Schneider Jean-Marc Seigneur Luca Vigan`o

Local Organization Ilaria Matteucci

IMDEA Software, Spain University of Cagliari, Italy CMU, USA ETH Zurich, Switzerland T´el´ecom Bretagne, France University of Pisa, Italy (Program Co-chair) The Netherlands (Program Co-chair) Worcester Polytechnic Institute, USA (Program Co-chair) Imperial College London, UK Radboud University Nijmegen, The Netherlands DTU, Denmark CNR, Italy University of Luxembourg, Luxembourg Naval Research Lab, USA University of New South Wales, Australia Aarhus, Denmark Kestrel Institute, USA, and Oxford, UK Northeastern, USA Luxembourg Surrey, UK University of Geneva, Switzerland University of Verona, Italy

VIII

Conference Organization

External Reviewers Maurizio Atzori Tom Chothia David Clark Gabriele Costa Nora Cuppens-Boulahia Stephanie Delaune Hugo Jonker Gerhard de Koning Gans Pierre Ganty Daniel Hedin Leanid Krautsevich Pascal Lafourcade Gabriele Lenzini Ilaria Matteucci

Wojciech Mostowski Catuscia Palamidessi Alessandra Di Pierro Jun Pang Marc Pouly Mark Ryan Wolter Pieters Sjaak Smetsers Xavier Titi Jan Willemson Simon Winwood Damiano Zanardini Chenyi Zhang Roberto Zunino

Table of Contents

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks (Invited Talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dusko Pavlovic Bounded Memory Dolev-Yao Adversaries in Collaborative Systems . . . . . Max Kanovich, Tajana Ban Kirigin, Vivek Nigam, and Andre Scedrov Efficient Decision Procedures for Message Deducibility and Static Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bruno Conchinha, David Basin, and Carlos Caleiro

1 18

34

Understanding Abstractions of Secure Channels . . . . . . . . . . . . . . . . . . . . . . Allaa Kamil and Gavin Lowe

50

Information Flow Analysis via Path Condition Refinement . . . . . . . . . . . . Mana Taghdiri, Gregor Snelting, and Carsten Sinz

65

Foundations of Attack–Defense Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Barbara Kordy, Sjouke Mauw, Saˇsa Radomirovi´c, and Patrick Schweitzer

80

Reasoning with Past to Prove PKCS#11 Keys Secure . . . . . . . . . . . . . . . . Sibylle Fr¨ oschle and Nils Sommer

96

A Formal Analysis of Authentication in the TPM . . . . . . . . . . . . . . . . . . . . St´ephanie Delaune, Steve Kremer, Mark D. Ryan, and Graham Steel

111

Modeling Identity-Related Properties and Their Privacy Strength . . . . . . Meilof Veeningen, Benne de Weger, and Nicola Zannone

126

Semantics of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tim Muller

141

Semi-automatic Synthesis of Security Policies by Invariant-Guided Abduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cl´ement Hurlin and H´el`ene Kirchner

157

Corrective Enforcement of Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . Raphael Khoury and Nadia Tawbi

176

Cryptographic Enforcement of Role-Based Access Control . . . . . . . . . . . . . Jason Crampton

191

X

Table of Contents

A Calculus for the Analysis of Wireless Network Security Protocols . . . . Francesco Ballardin and Massimo Merro

206

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Naipeng Dong, Hugo Jonker, and Jun Pang

223

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

239

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks Dusko Pavlovic Universities of Oxford and Twente [email protected]

Abstract. In a previous FAST paper, I presented a quantitative model of the process of trust building, and showed that trust is accumulated like wealth: the rich get richer. This explained the pervasive phenomenon of adverse selection of trust certificates, as well as the fragility of trust networks in general. But a simple explanation does not always suggest a simple solution. It turns out that it is impossible to alter the fragile distribution of trust without sacrificing some of its fundamental functions. A solution for the vulnerability of trust must thus be sought elsewhere, without tampering with its distribution. This observation was the starting point of the present paper. It explores different methods for securing trust: not by redistributing, but by qualifying it. The methods used to break privacy can be used to secure trust.

1 Introduction 1.1 What Is Trust? Trust is an internal assumption of honesty. In protocol analysis, we often assume that a principal Bob is honest. This usually means that Bob acts according to the prescriptions of a role in a given protocol. The notion of trust internalizes this assumption as a belief of another protocol participant Alice. We say that Alice trusts Bob when she believes that Bob will act according to a given protocol; e.g., – when Alice is a shopper, she trusts that the shop Bob will deliver the goods; – when Alice is a shop, she trusts that the shopper Bob will pay for the goods; – when Alice uses public key infrastructure, she trusts that Bob’s key is not compromised; – in an access control system, Alice trusts that Bob will not abuse resources. Trust process. In economics and game theory, trust is the instrument for transitioning from static rationality of non-cooperative behaviors to dynamics of cooperation [2]. To limit the risk exposure of the participants, trust is built gradually, keeping the cost of an attack at each point below a certain threshold of risk. Once the accumulated trust is above the required threshold, then it can be used as a basis for cooperation. Trust can thus be viewed as a process in two phases, trust building and trust service, that alternate as on Fig. 1. P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 1–17, 2011. c Springer-Verlag Berlin Heidelberg 2011 

2

D. Pavlovic

Trust building feedback

scores Trust service Fig. 1. Trust cycle

– Trust building is a process of incremental testing of another party’s honesty, viz her readiness to cooperate within the framework of a given protocol. The output of this process are the trust scores, which record whether the party behaved honestly in the past transactions. This process was analyzed in [35]. – Trust service uses the trust scores to guide some further transactions: a higher trust score attracts more transactions. The feedback about their outcome can be used to update the trust scores. Remarks. There is a sense in which the process of trust building can be viewed as a foundation for authentication. When realized by means of a protocol, authentication is always based on a secret (”something you know”), or a token (”something you have”), or a biometric property (”something you are”). But the secret, the token, or the property must be previously authenticated to assure the current authentication. Every authentication must be preceded by another authentication. So a formal authentication is then a process of infinite regression, ”turtles all the way down”1?! The notion of trust resolves this infinite regression. The process of trust building can be viewed as a primordial form of authentication, usually very weak, traversed in small, risk limiting steps. Of course, it generates trust, rather than a secret; but a first authentication protocol between two parties, which does generate a secret, is usually based on some form of trust; and the further, stronger secrets are then derived from each other. Indeed, the first SSH tunnel to an unknown server requires a leap of trust from the client; the first contact with a new certificate authority can only be based on trust, and so on. Trust service has many different forms, which lead to the diverse forms of trust research. In the simplest case, a user records her own experience in an individual trust vector, and uses it to make her own choices. In large networks, and in processes with many participants, a wider range of choices is made possible by a trust service which records collaborative trust vectors, and supplies trust guidance for users and providers that had no previous experience with each other. This leads to the distinction between direct and indirect trust [3,40,20]. In practice, indirect trust can be extracted from user 1

The idea of a world standing on the back of a giant turtle is attributed to early Hindu philosophers. The idea that the turtle may be supported by another turtle, and so on, ”turtles all the way down”, is attributed to a mythical old lady who attended a lecture of a mythical philosopher, varying from William James to Bertrand Russell. This idea may have been sparked by Lewis Carroll’s use of tortoise in the regression arguments [6].

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

3

feedback submitted to a trust server; or by surveillance and interpretation of the network structure and transactions: e.g., a return customer conveys trust by returning to the same shop, whereas she conveys dissatisfaction by returning the purchased goods. Each of the approaches to aggregating indirect trust has its vulnerabilities and shortcomings. On the other hand, indirect trust service is indispensable not only for web commerce, but also for Public Key Infrastructure [19,37]. 1.2 The Problem of Trust and the Paradox of Trust Services Breaches of trust have been one of the hardest problems of social interaction since the dawn of mankind. Treason and betrayal attract the harshest punishments in all civilizations; and Dante reserved for these sins the deepest, Ninth Circle of Hell. But the problem of trust is not that it can be breached and abused. That is a part of its normal functioning. The problem of trust is that it can be farmed, transferred, marketed, and hijacked for the purpose of being breached and abused. With the advent of networks and web commerce, the social processes of trust extend into cyberspace, engineered into various trust services, including feedback, recommender, and reputation systems [13,21,22,38], as well as the public infrastructures and web of trust [19]. This escalates the problem of trust to a new level. Oversimplifying a little, the problem can now be stated as a ”paradox”, namely that – trust is not transferrable, but that – trust services must transfer trust. On one hand, Alice’s trust that Bob is honest is distilled from the experience of their past interactions, in order to guide their future interactions. If the purpose of trust is thus to record Alice’s view of Bob’s behavior, then transferring trust defeats this purpose. Indeed, if Bob has been honest towards Alice, it does not mean that his friend Dave will also be honest, or that Bob will also be honest towards Alice’s friend Carol; or that Bob will be honest in a different kind of interaction. On the other hand, in a large network, only a small portion of the participants can be expected to have direct previous interactions. For all others, the trust guidance must be somehow extrapolated. This is the task of a trust service. So if Alice and Bob never met, the trust service must derive a prediction of a future trust between them from Carol and Dave’s available trust data, assuming that they met, and that they are somehow related with Alice and Bob. So the trust service must transfer trust. The compromises needed to resolve this paradox of trust lead to insecure trust services. But the vulnerabilities of trust services are different from the vulnerabilities usually studied in security research, where distinct attackers launch structured attacks. We first describe some examples of trust service, and then their vulnerabilities. The simplest forms of trust transfer. The most general form of transferrable trust is reputation. Bob’s reputation is a statement about his honesty established by freely sharing the informations from the participants who interacted with him. If Alice never met Bob, she can rely upon his reputation, built and distributed in a peer to peer process, or by a devoted reputation service. E.g., Google’s PageRank algorithm [4] can be viewed as a reputation service, derived by interpreting the hyperlinks as implicit trust

4

D. Pavlovic

statements [26,36]. The main idea of Google’s trustworthy search is to present the pages where the queried keyword is found ordered according to their reputation. Another simple method of trust transfer are trust certificates. Instead of keeping her trust in Bob’s honesty for herself, Carol states this in a trust certificate, which she gives to Bob. Bob shows the certificate to Alice, and if Alice trusts Carol’s recommendations, she will also trust Bob. Adverse selection is perhaps the most striking manifestation of the problem of trust. In the social processes of reputation, it manifests itself through the observations that ”the pillars of the society” (to use the title of Ibsen’s play [16]), the most trusted social hubs, seem more likely to turn out malicious or corrupt than the average members of the group. In online trust services, this moral problem from old novels and stage tragedies becomes a technical problem for security researchers and engineers. It also becomes a harder and more pernicious problem, because the commercial aspects of trust services provide additional incentives for strategic behavior, and concrete payoffs for focused attacks. The adverse selection of trust certificates in web commerce was empirically documented in [9]. Through a battery of measurements and statistical analyses, it has been established that the web merchants with trust certificates are on the average twice as likely to scam their customers as those without such certificates. The claim was confirmed, with inessential variations, for all major trust certificate issuers. The phenomenon does not seem to be due to a lack of diligence, conflict of interest, or to a conspiracy between the merchants and the trust authorities, as it persists for other forms of trust certification. E.g., the sponsored links served by any of major search engines in response to a query are also on the average twice as likely to lead to scam as the organic results served in response to the same query, although the former are implicitly certified by the engine. An explanation of adverse selection in terms of a basic model of dynamics of trust building was offered in [35]. Since trust is built by updating the trust ratings following the positive or the negative interactions with the selected servers, and the selection of these servers is based on the previous trust ratings, it follows that trust attracts more trust: the servers with a higher trust rating are more likely to attract transactions, and thus to subsequently accumulate more trust, provided that they remain honest. This ”rich get richer” schema [34] results in a power law, or scale-free distribution of trust ratings [32,33]. Its structural consequence is that there is a significant ”heavy tail”, consisting of the servers with very high trust ratings. Such distributions are well known to be robust under random perturbations, but extremely vulnerable to adaptive attacks [8]. Intuitively, theft is more attractive and more harmful if very wealthy victims are available. The fragility of scale-free networks, and the vulnerabilities arising from their distribution, cannot be mitigated by direct policy measures that would change the network structure. The power law distributions are not just a source of vulnerabilities, but also the basis of robustness of some networks. Such distributions are a pervasive manifestation of evolutionary dynamics of networks that arise from biological, social and economic processes. Modifying this dynamics is not a way to security. The heavy tails of wealth were, of course, redistributed many times throughout history, but they always reemerged. The problems of heavy tails and adverse selection, and the problem of trust, require a different solution.

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

5

1.3 Mining for Trust The data mining methods are often viewed as the main threat to privacy. We explore ways to make trust less abstract, and thus more secure, using the same methods. The idea is that trust and privacy are, in a sense, two sides of the same coin: the need for privacy arises from a lack of trust. Following this crude idea, we mine the trust concepts from the trust scores, to better control the trust transfer and to fine tune the trust services. Related work. Initially, the trust relationships were analyzed mainly in the frameworks of access control [1,25] and public key infrastructure [3,40,27,31,37]. The idea of trust network, and the elements of a probabilistic analysis of trust dynamics, go back to [3]. The emergence of peer-to-peer and business-to-business service networks reawoke interest for this line of research, and amplified its impact [13,22,23,30]. A different family of methods has been used to analyze the logical structure of the trust relationships, which are now viewed as the statements of principals’ beliefs about each other. The various forms of uncertainty arising in such beliefs lead to the various nonstandard logical features [5,14,18,25,28,29,10]. The two types of trust research can be viewed as two projections of the trust network structure. The former type studies global dynamics of the trust relations in the form a → , projecting away2 the trust concepts Φ. The latter type studies logics of trust r

Φ

and the local trust relations in the form a →  as a rely-guarantee exchange, projecting away the trust ratings r. Our previous analysis in [35] was of the former type, as we ignored trust concepts and focused on quantitative dynamics of trust ratings. In the present paper we show how the qualitative distinctions of trust concepts Φ naturally arise from this quantitative dynamics of trust ratings r. The idea to mine them using the Singular Value Decomposition [11, Sec. 5.4.5] can be viewed as an extension of Latent Semantic Analysis [7] to the domain of trust. Outline of the paper. In Sec. 2, we motivate by a toy example and introduce the formal framework of trust graphs. In Sec.3 we spell out the connection between the trust formalism and a similarity formalism, which explains and justifies the methods we use to mine trust concepts from trust data. The main formal result is Prop. 3.1. Its main consequences are drawn in Sec. 3.4. The results are applied on the toy example in Sec.3.5. As always, the final section contains a summary of the result and some comments about the future work.

2 Trust Graphs In web commerce and social networks, trust services are provided through feedback, recommender, and reputation systems [13,21,22,38], deployed as an integral part of a wider environment (such as Netflix, Amazon, eBay, or Facebook), or as a devoted service (on the span from TrustE and Verisign, to Epinions and Yelp). They are the 2

In [27,31,37] the trust concepts are present, but they carry very little structure: they are just labels used to distinguish, e.g., the delegation certificates from the binding certificates.

6

D. Pavlovic

cyberspace complement of the social processes of trust. The central component of most such systems is a network of users and providers, connected by trust ratings. This is what we call a trust network. Its purpose is to support transfer of trust, and supply trust recommendations, or support or refine the existing trust scores. 2.1 A Toy Example An example of a trust network is given in Fig. 2. Let us suppose that it is derived from the market transactions in a small town, deep in the World Wild West. The market consists of four web shops, say O = {i, j, k, }, and five shopping agents S = {a, b, c, d, e}. A local bank clears all payments in town, and the diligent banker maintains the matrix of trust scores, like in Table 1. Suppose that the scores are derived from the total value of the transactions and from user feedback, in a uniform way. The fields are empty where there are no data. The negative entries result from negative feedback, or returned goods. The scale of the scores is irrelevant, provided they are all obtained in the same way. The banker provides some trust recommendations, in support of a stable market. Some of the typical tasks are: – Predict the missing trust scores: E.g., how will the shopper d like the shop ? – Refine the existing trust scores: Suppose that the merchant I acquires the shop II, with the intention to deliver the same services through both outlets. Which shop should now be recommended to the shopper b when he decides to fill her virtual pantry? S

O 1.25

a −.12

.83

0

i

1.05

b

1.13 .35 1.12

c

j 1.02

.21

d

k

.35

1.57 −.56 .18

e



1.02

.98

Fig. 2. A trust network Table 1. Trust scores

i j k 

a 1.25 .83 0 -.12

b 1.05 1.13 .35

c 1.12 1.02 .21

d e 1.57 .35 .18 -.56 1.02 .98

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

7

We study the second type of query here in detail. The approach to the first query is sketched in the final section, but the details must be left for the sequel to this paper. 2.2 Formalizing Trust Formally, and a little more generally, a trust score, or trust statement, can be viewed as Φ

a quadruple a → , where r

– – – –

a is the trustor,  is the trustee, Φ is the entrusted protocol (concept, property), and r is the trust rating. Φ

The trust statements a →  can be viewed as the edges of a bipartite labelled graph, i.e. r the elements of a set B given with the structure   M = E×R←B→S×O where – S and O are the sets of trustors and trustees (or subjects and objects) respectively, – E is a lattice of entrusted concepts, – R is an ordered ring of ratings, usually the field of real numbers. We call such a bipartite graph a trust graph. This is what a trust services works with. 2.3 Idea: Qualifying Trust Φ

In a trust statement a → , the trust score r quantifies a’s trust for . The trust concept Φ r qualifies it. Qualified trust is less abstract, and thus less vulnerable to unwarranted transfers. We develop an algebra of trust concepts, as a tool for mitigating the vulnerabilities of trust transfer. The strategy is to first mine for trust cliques from the trust graph data. Intuitively, a trust clique is a set of trustees who trust the same trustors; or a set of trustors trusted by the same trustees. In the second step, a trust concept will be defined as a pair of trust cliques, one of trustors, one of trustees, correlated by trust. An abstract framework for clustering the trustors and the trustees sets the stage for recognizing the trust cliques and concepts.

3 Clusters and Concepts 3.1 Similarity Networks Definition 3.1. A similarity network is a set A together with a similarity map s = sA : A × A → [0, 1] such that for all x, y ∈ A holds s(x, x) = 1

s(x, y) = s(y, x)

8

D. Pavlovic

A similarity morphism between similarity networks A and B is a map f : A → B such that for all x, y ∈ A holds sA (x, y) ≤ sB ( f x, f y) Definition 3.2. For similarity networks A and C, a clustering c : A  C is a pair of similarity morphisms c = c , c , where – c : C → A satisfies sC (x, y) = sA (c x, c y) for all x, y ∈ C, and – c : A → C satisfies c ◦ c = idC . Intuitively, the surjection c : A → C maps each node z ∈ A into a unique cluster c z ∈ C, whereas the injection c : C → A picks a representative c x ∈ A from each cluster z ∈ C, in such a way that the similarity of the clusters sC (x, y) is just the similarity of their representatives sA (c x, c y). Some similarity morphisms determine a canonical clustering for both networks that they connect. Definition 3.3. The spectral decomposition of a similarity morphism f : A → B is a u v pair of clusterings A   f   B such that f = v ◦ u f

A u

B v

u

v

f The similarity network  f  is the cluster range of f . Lemma 3.1. Whenever it exists, the spectral decomposition of is unique up to a simiu v s t larity isomorphism. More precisely, if both A  H  B and A  K  are spectral decompositions of the same similarity morphism, then there is an isomorphism ι : H → K such that u = ι ◦ s and v = ι ◦ t (which implies s = ι ◦ u and t = ι ◦ v ). K s

t s

t ∼ι

A u

B v

u

v

H

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

9

3.2 From Trust Graph to Similarity Networks The spectral decomposition will turn out to be useful for mining and extrapolating trust concepts in a trust graph. At this stage, though, we ignore the task of extrapolating the missing trust scores, and restrict attention to complete submatrices of the given trust graph. E.g., from Table 1, we first just take the matrix ⎛ ⎞ ⎜⎜⎜1.25 1.05 1.12 1.57 ⎟⎟⎟ ⎜ ⎟ M = ⎜⎜⎜⎜ .83 1.13 1.02 .35 ⎟⎟⎟⎟ ⎝ ⎠ 0 .35 .21 −.56 corresponding to the subnetwork spanned by the trustors a, b, c, d and the trustees i, j, k. Over these two sets, we first form vector spaces R{a,b,c,d} and R{i, j,k} . We are actually only interested in unit vectors, i.e. in the sets Σ = {ϕ ∈ R{a,b,c,d} | |ϕ| = 1} Θ = {ϑ ∈ R{i, j,k} | |ϑ| = 1} The elements of Σ represent the communities of trustors; the elements of Θ are the communities of trustees. The components of a community ϕ = ϕa ϕb ϕc ϕd quantify the participation of each member. Both Σ and Θ can be naturally viewed as similarity networks, as the similarity of two communities can be measured using their inner product: sΣ (ϕ, ψ) = |ϕ|ψ |

sΘ (ϑ, τ) = |ϑ|τ |

Remark. The absolute value in the definition of similarity means that, strictly speaking, each community is represented by two unit vectors ϕ and −ϕ, which are indistinguishable since sΣ (ϕ, ψ) = sΣ (−ϕ, ψ) for all ψ ∈ Σ. Geometrically, a community is thus actually not a unit vector, but a ray, i.e. the 1-dimensional subspace generated by it. When the confusion is unlikely, we tacitly identify rays and the pairs of unit vectors that represent them. All this begins to make sense when we observe that the linear operator M : : R{a,b,c,d} → R{i, j, j} , determined by the matrix M of trust scores, induces a map M Σ → Θ, defined = Mϕ Mϕ |Mϕ| But unfortunately, this is not a similarity morphism. E.g., it strictly decreases the similarity of ⎛ ⎞ ⎛ ⎞ ⎜⎜⎜⎜ 0 ⎟⎟⎟⎟ ⎜⎜⎜⎜ .25 ⎟⎟⎟⎟ ⎜⎜ .5 ⎟⎟ ⎜⎜ .5 ⎟⎟⎟ ⎟ ϕ = ⎜⎜⎜⎜ ⎟⎟⎟⎟ and ψ = ⎜⎜⎜⎜ ⎜⎜⎝ .3 ⎟⎟⎠ ⎜⎜⎝ .4 ⎟⎟⎟⎟⎠ −.8 −.15

10

D. Pavlovic

3.3 Concepts Generate Clusters The following definition formalizes the intuition from Sec. 2.3. Definition 3.4. Let A and B be finite dimensional real vector spaces, M : A → B a linear operator, and M : B → A its transpose. Let A and B be the sets of 1dimensional subspaces, i.e. rays in A and B respectively. A pair α, β ∈ A × B is called a concept with respect to M if Mα = β and M β = α. The concept spectrum E M is the set of all concepts with respect to M. Now we circumvent the obstacle noted at the end of the preceding Section, and relate concepts with clusters. Proposition 3.1. Let A and B be finite dimensional vector spaces and A and B the induced similarity networks. Then every linear operator M : A → B induces a unique linear operator F = F M : A → B such that : A → B, defined by Fϕ = – the map F

Fϕ |Fϕ| ,

is a similarity morphism, v – there is a spectral decomposition A  F  B, and is generated by the concept spectrum E M , in the sense that – the cluster range F is a convex combination of concepts with respect to M. every element of F u

Proof. By the Singular Value Decomposition [11, Sec. 2.5.,5.4.5], the matrix M can be decomposed in the form M = VΛU M

A

B

U

V



U

V

Aˆ

Bˆ

Λ

where – U and V are isometries, i.e. U U = id and V V = id, whereas – Λ is a positive diagonal matrix. The latter implies that Λ is an isomorphism, so we can take Aˆ = Bˆ without loss of generality. The operator F = F M can now be defined F = V ◦ U F

A

B V

U U

V

Aˆ = Bˆ The claims follow by passing from vector spaces to the induced similarity networks of rays.

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

11

Comment. The preceding Proposition has some interesting conceptual and technical repercussions, that may not be immediately obvious. Conceptually, it displays the connection between clustering in the style of mathematical taxonomy [17], and concept mining in the style of Latent Semantic Analysis [7]. By showing how the Singular Value Decomposition extracts the similarity invariants, it explains why the abstract algebra of matrix decomposition yields semantically meaningful results. The proof also determines the formal sense in which the singular values are semantically irrelevant — the statement often heard from the practitioners. We shall see below what kind of information the singular values do carry, and also how factoring them out opens up an alley towards gluing spectra, and towards extrapolating the missing trust scores. The technical repercussions of Prop. 3.1 follow from there. 3.4 Trust Qualified The first consequence of Prop. 3.1 for trust is that any trust matrix M can be decomposed into qualified trust matrices. Corollary 3.1. The similarity preserving matrix F induced by a matrix M from Prop. 3.1 decomposes in the form

F= F Φ with Φ∈E M

FΦ = VΦ ◦ UΦ where – E M is the concept spectrum of M, – VΦ and U Φ denote the columns of V and U. The matrices FΦ are called qualified trust matrices induced by M. The matrix M itself decomposes as

M= λΦ F Φ Φ∈EM

where λΦ are its singular values. Comment. Componentwise, the above decomposition means that each trust rating Ma is thus decomposed in the form

rΦ with Ma = Φ∈EM

rΦ = λΦ U aΦ VΦ The component rΦ measures the contribution of the trust concept Φ to the trust rating Ma . When Ma is viewed as the edge a →  of the corresponding trust graph, then the r above decomposition becomes  Φ rΦ Φ

a −−−−−−→  The vector



Φ rΦ Φ

r=

Φ rΦ

is in the range space of M, generated by its concept spectrum.

12

D. Pavlovic

3.5 Mining for Concepts in the World Wild West To apply Prop. 3.1, the banker in our town in the World Wild West first decomposes the matrix M from Sec. 3.2 to the form M = VΛU , where ⎞ ⎛ ⎜⎜⎜.83 −.4⎟⎟⎟ ⎟ ⎜⎜⎜ V = ⎜⎜.55 .6 ⎟⎟⎟⎟ ⎠ ⎝ 0 .7

⎞ ⎛ ⎜⎜⎜.5 0 ⎟⎟⎟ ⎜⎜⎜.5 .5 ⎟⎟⎟⎟ ⎟ U = ⎜⎜⎜⎜ ⎜⎜⎝.5 .3 ⎟⎟⎟⎟⎠ .5 −.8



 30 Λ= 01

The trust graph corresponding to M and its decomposition are displayed on Figures 3 and 4 (with the 0 links omitted). The new nodes in-between the shopping agents S and S a

O 1.25

a .83

b

d

j 1.02

.21 1.57

.35

−.56

Fig. 3. Trust graph M

.5

Φ1

b

1.13

c k

.5

3

.5

.3

.83

i

−.4 .55

.5

.5

d

O

EM

i

1.05 .35 1.12

c

S

j

.6

1 Φ2

.7

k

−.8

Fig. 4. Decomposition of M

the shops O emerge from the trust concept spectrum E M = {Φ1 , Φ2 }. The decomposition shows that, e.g., c’s total trust rating 1.12 for the shop i turns out to consist of a positive qualified trust rating .5 × 3 × .83 = 1.24 for the concept Φ1 and a negative qualified component .3 × 1 × (−.4) = −.12 for the concept Φ2 . The concepts induce the qualified trust matrices ⎞ ⎛ ⎛ ⎞ ⎜⎜⎜.41 .41 .41 .41⎟⎟⎟ ⎜⎜⎜.83⎟⎟⎟

 ⎟ ⎜⎜⎜ ⎜⎜⎜ ⎟⎟⎟ F1 = ⎜⎜.55⎟⎟ .5 .5 .5 .5 = ⎜⎜.27 .27 .27 .27⎟⎟⎟⎟ ⎠ ⎝ ⎝ ⎠ 0 0 0 0 0 ⎞ ⎛ ⎛ ⎞ ⎜⎜⎜0 −.2 −.12 .32 ⎟⎟⎟ ⎜⎜⎜−.4⎟⎟⎟

 ⎟ ⎜⎜⎜ ⎜⎜⎜ ⎟⎟⎟ F2 = ⎜⎜ .6 ⎟⎟ 0 .5 .3 −.8 = ⎜⎜0 .3 .18 −.48⎟⎟⎟⎟ ⎠ ⎝ ⎝ ⎠ 0 .35 .21 −.56 7 The similarity preserving matrix from Prop. 3.1 is F = F1 + F 2 . On the other hand, the trust matrix M is decomposed as M = 3F1 + F2 . What has the banker learned by decomposing the trust matrix in this way? Whether he was aware of the trust concepts Φ1 and Φ2 or not, they are the intrinsic coordinate axes of trust in his town. It may be that the shoppers in the World Wild West mainly

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

13

shop for two things, say guns and food (like in the Old Wild West). If the trust ratings in the matrix M are proportional to the value of the transactions from which they are derived, then the trust concept Φ1 , corresponding to the singular value λ1 = 3, may correspond to guns, and the trust concept Φ2 to food, with the singular value λ2 = 1, reflecting the fact that the average cost in a gun purchase is 3 times higher than the average cost in a food purchase. If the trust ratings are based on user feedback, then the eigenvalues tell that the shoppers assign 3 times higher value to guns; or that the gun community is 3 times more influential than the food community. Most shoppers and most shops belong to both communities, but the former one is more important for them. In any case, the banker now reads off from the matrix decomposition that shop i sells high quality guns, and carries the highest qualified trust rating .83 for Φ1 ; but that it also carries very bad food, as the negative qualified trust rating of -.4 for Φ2 shows. On the other hand, the shop k, whose total trust ratings are the lowest of all, actually supplies the best food, as reflected by the highest qualified trust rating .7 for Φ2 . So if the banker wants to support an efficient market, he will recommend the shopper b to go to k if he needs to fill his virtual pantry, and to i if he needs a gun. In general, the shoppers shopping for food should use the qualified trust matrix F1 ; the shoppers shopping for guns should use the qualified trust matrix F2 . 3.6 Effectiveness and Scalability of the Approach The described spectral decomposition is based on the Singular Value Decomposition. The Singular Value Decomposition of a large matrix M can be effectively computed, up to any desired precision, by the standard iterative methods. Kleinberg’s HITS algorithm [24] is an example of such a method, previously used for recognizing web spam [15]. If a finite precision suffices, then a matrix can be decomposed much faster, in a single sweep, by bidiagonalization followed by some eigenvalue algorithm. Bidiagonalization of an O × S-matrix M is quadratic in S and linear in O [39, Chap. 31]. The eigenvalues of bidiagonal matrices are computed in linear time. Several versions of this approach, applicable to large examples, are implemented, e.g., in the GNU Scientific Library [12, Sec. 14.4].

4 Final Comments and Future Work 4.1 Summary In [35] and in Sec. 1.2 we saw that the fragile distribution of trust arises from the fact that it is like money: money makes money, and trust attracts more trust. In fact, the roles of money and of trust in a market essentially depend on their main shared feature, that they are both abstractions of past interactions. Both trust and money are acquired in exchange for concrete goods and services; but these origins are ”laundered”, abstracted away, so that money and trust can be used for any type of goods or services3 . In the case of money, this abstraction is what allows the flow of the investments towards 3

Vespasian pointed out that ”Pecunia non olet”: the money that he collected from the taxes on urinals bears no smell of its origin.

14

D. Pavlovic

more profitable areas. In the case of trust, this abstraction allows trust transfer, which is needed to facilitate new interactions. But it also leads to the vulnerabilities of trust, and to the paradox of the trust services, discussed in the Introduction. Arguably, the scale-free distribution of trust facilitates its adverse selection; but it is actually the abstraction of trust that enables this adverse selection. Moreover, the profitability of farming, selling and hijacking trust is increased because the trust ratings accumulated for one service can be used for another one. It is therefore not surprising that a market of trust is rapidly developing among the web merchants, e.g. on eBay and Amazon. The shops with high ratings and good feedback are often sold to new owners, for whom the accumulated trust has a higher value. They usually keep the same name and appearance, but they are consolidated into chains, and sometimes offer new goods and services. The difference in the valuation of trust between the old and the new owners is in some cases due to economy of scale: the chains are more profitable because they have lower maintenance costs. In other cases a higher trust valuation arises from using the purchased trust for a more profitable type of service. Some trusted services are acquired by scammers, who have a very high valuation for trust. Hence adverse selection. One way to make trust more reliable is thus to make it less abstract, by binding it to the trust concept for which it was accumulated. We showed how trust concepts can be reconstructed from the structure of a trust graph even when only records the scores. Such a trust network, recording the trust between some users and some providers4 can be built collaboratively, or by surveillance of the network transactions, indexing network links, with or without a direct participation of the users. For simplicity, we presented the trust mining algorithm on a trust network spanned by the trust relations a → , with the trust concepts initially abstracted away. The trust r concepts Φ were then reconstructed by mining. However, for the price of some techniΦ

cal complexity, the same approach extends to trust relations in the form a → , with the r trust concepts previously qualified from a given lattice of concepts E given in advance. After a period of trust building, recorded in a trust network, the lattice E is refined to capture the additional trust concepts that emerge from the new interactions. In this way, the concept lattice E evolves. While E can be thought of as a propositional logic of concept, it should be noted that is obtained as a lattice of subspaces of a vector space. Such lattices are modular, but not distributive. In other words, the logic of concepts does not support a deduction theorem. This phenomenon is known to reflect the presence of hidden variables. Explaining it, and developing concept logic in general, is an interesting task for future work. But there is much more. 4.2 Future Work The problem of extrapolating the missing trust ratings, predicting how much Alice can trust Bob for her particular requirements, and providing a trust recommendation even if they never met, is probably the most important part of mining for trust. There is no space to continue with that task in the present paper. It should be noted, though, that the 4

The users and the providers may or may not be drawn from the same set.

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

15

approach through similarity networks and spectral decomposition of their morphisms provides a crucial tool for this task. It arises from the universal property of the spectral decomposition. If the similarity morphisms f0 : A0 → B0 and f1 : A1 → B1 are are both contained within a partial similarity morphism f : A → B, along the inclusions of A0 and A1 in A, and of B0 and B1 in B, then the universal property implies that the spectral decompositions of f0 and f1 can be glued together. This allows us to extrapolate the values of f from the available parts of its spectral decomposition. A similar gluing of Singular Value Decompositions of submatrices of a sparse matrix is hampered by their different singular values.

References 1. Benantar, M.: Access Control Systems: Security, Identity Management and Trust Models. Springer, Heidelberg (2006) 2. Berg, J., Dickhaut, J., McCabe, K.: Trust, reciprocity, and social history. Games and Economic Behavior 10(1), 122–142 (1995) 3. Beth, T., Borcherding, M., Klein, B.: Valuation of trust in open networks. In: Gollmann, D. (ed.) ESORICS 1994. LNCS, vol. 875, pp. 3–18. Springer, Heidelberg (1994) 4. Brin, S., Page, L.: The anatomy of a large-scale hypertextual Web search engine. Computer Networks and ISDN Systems 30(1-7), 107–117 (1998) 5. Carbone, M., Nielsen, M., Sassone, V.: A formal model for trust in dynamic networks. In: Cerone, A., Lindsay, P. (eds.) Proceedings of the First International Conference on Software Engineering and Formal Methods (2003) 6. Carroll, L.: What the Tortoise Said to Achilles. Mind 4, 278–280 (1895) 7. Deerwester, S.C., Dumais, S.T., Landauer, T.K., Furnas, G.W., Harshman, R.A.: Indexing by latent semantic analysis. Journal of the American Society of Information Science 41(6), 391–407 (1990) 8. Doyle, J.C., Alderson, D.L., Li, L., Low, S., Roughan, M., Shalunov, S., Tanaka, R., Willinger, W.: The robust yet fragile nature of the Internet. Proceedings of the National Academy of Sciences of the United States of America 102(41), 14497–14502 (2005) 9. Edelman, B.: Adverse selection in online ”trust” certifications. In: ICEC 2009: Proceedings of the 11th International Conference on Electronic Commerce, pp. 205–212. ACM, New York (2009) 10. Etalle, S., Winsborough, W.H.: Maintaining control while delegating trust: Integrity constraints in trust management. ACM Trans. Inf. Syst. Secur. 13(1) (2009) 11. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. Johns Hopkins Studies in Mathematical Sciences. The Johns Hopkins University Press, Baltimore (October 1996) 12. GSL Team. GNU Scientific Library Reference Manual (2010), http://www.gnu.org/software/gsl/manual 13. Guha, R., Kumar, R., Raghavan, P., Tomkins, A.: Propagation of trust and distrust. In: WWW 2004: Proceedings of the 13th International Conference on World Wide Web, pp. 403–412. ACM, New York (2004) 14. Guttman, J.D., Thayer, F.J., Carlson, J.A., Herzog, J.C., Ramsdell, J.D., Sniffen, B.T.: Trust management in strand spaces: A rely-guarantee method. In: Schmidt, D.A. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 325–339. Springer, Heidelberg (2004)

16

D. Pavlovic

15. Gy¨ongyi, Z., Garcia-Molina, H., Pedersen, J.O.: Combating web spam with trustrank. In: ¨ Nascimento, M.A., Ozsu, M.T., Kossmann, D., Miller, R.J., Blakeley, J.A., Schiefer, K.B. (eds.) VLDB, pp. 576–587. Morgan Kaufmann, San Francisco (2004) 16. Ibsen, H.: Pillars of Society. Kissinger Publishing (2004) 17. Jardine, N., Sibson, R.: Mathematical Taxonomy. John Wiley & Sons, Ltd., Chichester (1971) 18. Jøsang, A.: A subjective metric of authentication. In: Quisquater, J.-J., Deswarte, Y., Meadows, C., Gollmann, D. (eds.) ESORICS 1998. LNCS, vol. 1485, pp. 329–344. Springer, Heidelberg (1998) 19. Jøsang, A.: An algebra for assessing trust in certification chains. In: NDSS. The Internet Society (1999) 20. Jøsang, A., Gray, E., Kinateder, M.: Simplification and analysis of transitive trust networks. Web Intelligence and Agent Systems 4(2), 139–161 (2006) 21. Jøsang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43, 618–644 (2007) 22. Kamvar, S.D., Schlosser, M.T., Garcia-Molina, H.: The Eigentrust algorithm for reputation management in P2P networks. In: WWW 2003: Proceedings of the 12th International Conference on World Wide Web, pp. 640–651. ACM Press, New York (2003) 23. Karabulut, Y., Kerschbaum, F., Massacci, F., Robinson, P., Yautsiukhin, A.: Security and trust in it business outsourcing: a manifesto. Electr. Notes Theor. Comput. Sci. 179, 47–58 (2007) 24. Kleinberg, J.M.: Authoritative sources in a hyperlinked environment. Journal of the ACM 46(5), 604–632 (1999) 25. Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems: theory and practice. SIGOPS Oper. Syst. Rev. 25(5), 165–182 (1991) 26. Langville, A.N., Meyer, C.D.: Google’s PageRank and Beyond: The Science of Search Engine Rankings. Princeton University Press, Princeton (2006) 27. Levien, R., Aiken, A.: Attack-resistant trust metrics for public key certification. In: SSYM 1998: Proceedings of the 7th Conference on USENIX Security Symposium, p. 18. USENIX Association, Berkeley (1998) 28. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: SP 2002: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC, USA, p. 114. IEEE Computer Society, Los Alamitos (2002) 29. Li, N., Mitchell, J.C., Winsborough, W.H.: Beyond proof-of-compliance: security analysis in trust management. J. ACM 52(3), 474–514 (2005) 30. Marti, S., Garcia-Molina, H.: Taxonomy of trust: categorizing P2P reputation systems. Comput. Netw. 50(4), 472–484 (2006) 31. Maurer, U.: Modelling a public-key infrastructure. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 325–350. Springer, Heidelberg (1996) 32. Mitzenmacher, M.: A brief history of generative models for power law and lognormal distribution. Internet Math. 1, 226–251 (2004) 33. Newman, M.: Power laws, Pareto distributions and Zipf’s law. Contemporary Physics 46, 323 (2005) 34. Pareto, V.: Cours d’Economie Politique. Druz (1896) 35. Pavlovic, D.: Dynamics, Robustness and Fragility of Trust. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 97–113. Springer, Heidelberg (2009) 36. Pavlovic, D.: Network as a Computer: Ranking Paths to Find Flows. In: Hirsch, E.A., Razborov, A.A., Semenov, A., Slissenko, A. (eds.) Computer Science – Theory and Applications. LNCS, vol. 5010, pp. 384–397. Springer, Heidelberg (2008)

Quantifying and Qualifying Trust: Spectral Decomposition of Trust Networks

17

37. Reiter, M.K., Stubblebine, S.G.: Authentication metric analysis and design. ACM Trans. Inf. Syst. Secur. 2(2), 138–158 (1999) 38. Resnick, P., Varian, H.R.: Recommender systems. Commun. ACM 40, 56–58 (1997) 39. Trefethen, L.N., Bau III., D. (eds.): Numerical Linear Algebra. Society for Industrial and Applied Mathematics, Philadelphia, PA, USA (1997) 40. Yahalom, R., Klein, B., Beth, T.: Trust-based navigation in distribution systems. Computing Systems 7(1), 45–73 (1994)

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems Max Kanovich1, Tajana Ban Kirigin2 , Vivek Nigam3 , and Andre Scedrov3 1

Queen Mary, University of London, UK [email protected] 2 University of Rijeka, HR [email protected] 3 University of Pennsylvania, Philadelphia, USA {vnigam,scedrov}@math.upenn.edu

Abstract. This paper extends existing models for collaborative systems. We investigate how much damage can be done by insiders alone, without collusion with an outside adversary. In contrast to traditional intruder models, such as in protocol security, all the players inside our system, including potential adversaries, have similar capabilities. They have bounded storage capacity, that is, they can only remember at any moment a bounded number of facts. This is technically imposed by only allowing balanced actions, that is, actions that have the same number of facts in their pre and post conditions. On the other hand, the adversaries inside our system have many capabilities of the standard Dolev-Yao intruder, namely, they are able, within their bounded storage capacity, to compose, decompose, overhear, and intercept messages as well as update values with fresh ones. We investigate the complexity of the decision problem of whether or not an adversary is able to discover secret data. We show that this problem is PSPACE-complete when all actions are balanced and can update values with fresh ones. As an application we turn to security protocol analysis and demonstrate that many protocol anomalies, such as the Lowe anomaly in the Needham-Schroeder public key exchange protocol, can also occur when the intruder is one of the insiders with bounded memory.

1 Introduction A major concern in any system where agents do not trust each other completely is whether or not the system is secure, that is, whether or not any confidential information or secret of any agent can be leaked to a malicious agent. This paper investigates the complexity of this problem in the context of collaborative system with confidentiality policies [17,18]. Following [18], we assume here that all actions in our system are balanced, that is, they have the same number of facts in their pre and post conditions. This implies that all players inside our system, including adversaries, have a bounded storage capacity, that is, they can only remember at any moment a bounded number of facts. This contrasts with traditional intruder models, which normally include a powerful Dolev-Yao intruder [11] that has an unbounded memory. On the other hand, our adversaries and the standard Dolev-Yao intruder [11] share many capabilities, namely, they are able, P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 18–33, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

19

within their bounded storage capacity, to compose, decompose, overhear, and intercept messages as well as update values with fresh ones. This paper shows that the secrecy problem of whether or not an adversary can discover a secret is PSPACE-complete when actions are balanced and can update values with fresh ones. This contrasts with previous results in protocol security literature [12], where it is shown that the same problem is undecidable. However, there the actions of the intruder were possibly unbalanced, or in other words, they assumed that the intruder’s memory is not necessarily bounded. In order to obtain a secret, an adversary might need to perform exponentially many actions. Since actions might update values with fresh ones, there might be an exponential number of fresh constants involved in an anomaly, which in principle precludes PSPACE membership. To cope with this problem, we show in Section 3 how to reuse obsolete constants instead of updating with fresh constants. Although our initial efforts were in collaborative systems, we realized that our results have important consequences for the domain of protocol security. In particular, we demonstrate that when our adversary has enough storage capacity, then many protocol anomalies, such as the Lowe anomaly [19] in the Needham-Schroeder public key exchange protocol, can also occur in the presence of a bounded memory intruder. We believe that this is one reason for the successful use in the past years of model checkers in protocol verification. Moreover, we also provide some quantitative measures for the security of protocols, namely, the smallest amount of memory needed by the intruder to carry out anomalies for a number of protocols. This paper is structured as follows: in Section 2 we review the main definitions of local state transition systems used to model collaborative systems. We formalize the notion of fresh values in Section 3, and in Section 4 we summarize the main theoretical results involving the complexity of the different problems considered. We show in Sections 5 that many protocol anomalies can also be carried by our bounded memory intruder. Finally, in Sections 6 and 7, we discuss related work and conclude by pointing out some future work. Full details of our results are in a technical report [15].

2 Preliminaries In this section we review the main vocabulary and concepts introduced in [17,18], extend their definitions to accommodate actions that can update values with fresh ones, and we introduce an adversary. Local State Transition Systems. At the lowest level, we have a first-order signature Σ that consists of a set of sorts together with the predicate symbols P1 , P2 , . . ., function symbols f1 , f2 , . . ., and constant symbols c1 , c2 , . . . all with specific sorts. The multisorted terms over the signature are expressions formed by applying functions to arguments of the correct sort. Since terms may contain variables, all variables must have associated sorts. A fact is a ground, atomic predicate over multi-sorted terms. Facts have the form P (t) where P is an n-ary predicate symbol and t is an n-tuple of terms, each with its own sort. A state, or configuration of the system is a finite multiset W of facts. We use both W X and W, X to denote the multiset resulting from the multiset union of W and X.

20

M. Kanovich et al.

Definition 1. The size of a fact is the number of term and predicate symbols it contains. We count one for each predicate and function name, and one for each variable or constant symbol. We use |P | to denote the size of a fact P . For example, |P (x, c)| = 3, and |P (f (x, n), z)| = 5. In this paper, we will assume an upper bound on the size of facts, as in [12,17,18]. Following [17,18], we assume that the global configuration is partitioned into different local configurations each of which is accessible only to one agent. There is also a public configuration, which is accessible to all agents. This separation of the global configuration is done by partitioning the set of predicate symbols in the signature and it will be usually clear from the context. However, differently from [17,18], we assume that among the agents in the system, there is an adversary M . We also assume the existence of a special constant s in Σ denoting the secret that should not be discovered by the adversary. As in [17,18], each agent has a finite set of actions or rules which transform the global configuration. Here, as in [12,16], we allow agents to have more general actions which can update values with fresh ones. These values are often called nonces in protocol security literature. Such fresh values are often used in administrative processes. For example, when one opens a new bank account, the number assigned to the account has to be fresh, that is, it has to be different from all other existing bank account numbers. Similarly, whenever a bank transaction is initiated, a fresh number is assigned to the transaction, so that it can be uniquely identified. Fresh values are also used in the execution of protocols. At some moment in a protocol run an agent might need to update a value with a fresh one, or nonce, that is not known to any other agent in the network. This nonce, when encrypted in a message, is then usually used to establish a secure communication among agents. Actions that belong to an agent A have the form: XA Xpub →A ∃t.YA Ypub . The multisets XA and YA contain facts belonging to the agent A and the multisets Xpub and Ypub contain only public facts. Actions work as multiset rewrite rules. All free variables in a rule are treated as universally quantified. XA Xpub are the pre-conditions of the action and YA Ypub are the postconditions of the action. By applying the action for a ground substitution (σ), the pre-condition applied to this substitution (XA σXpub σ) is replaced with the post-conditions applied to the same substitution (YA σYpub σ). In this process, the existentially quantified variables (t) appearing in the post-condition are replaced by fresh variables. The rest of the configuration remains untouched. Thus, we can apply the action PA (x) Qpub (y) →A ∃z.RA (x, z) Qpub (y) to the global configuration V PA (t) Qpub (s) to get the global configuration V RA (t, c) Qpub (s), where the constant c is fresh. For simplicity, we often omit the name of the agent from the action and predicates when the agent is clear from the context. Definition 2. A local state transition system (LSTS) T is a tuple Σ, I, M, RT , s, where Σ is the signature of the language, I is a set of agents, M ∈ I is the adversary, RT is the set of actions owned the agents in I, and s is the secret. We classify a rule as balanced if the number of facts in its precondition is the same as the number of facts in its postcondition. As discussed in [18], if we restrict actions to be balanced, then the size of the configurations in a run remains the same as in the

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

21

initial configuration. Since we assume facts to have a bounded size, the use of balanced actions imposes a bound on the storage capacity of the agents in the system. We use the notation W >T U or W >r U to mean that there is an action r in T which can be applied to the configuration W to transform it into the configuration U . ∗ We let >+ T and >T denote the transitive closure and the reflexive, transitive closure of >T respectively. Usually, however, agents do not care about the entire configuration of the system, but only whether a configuration contains some particular facts. Therefore we use the notion of partial goals. We write W T Z or W r Z to mean that W >r ZU for some multiset of facts U . For example with the action r : X →A Y , we ∗ find that W X r Y , since W X >r W Y . We define + T and T to be the transitive closure and the reflexive, transitive closure of T respectively. We say that the partial configuration Z is reachable from configuration W using T if W ∗T Z. Finally, given an initial configuration W and a partial configuration Z, we call a plan any sequence of actions that leads from configuration W to a configuration containing Z. In order to achieve a final goal, it is often necessary for an agent to share some private knowledge with another agent. However, although agents might be willing to share some private information with some agents, they might not be willing to do the same with other agents. For example, a patient might be willing to share his medical history with his doctor, but not with all agents, such as the doctor’s secretary. One is, therefore, interested in determining if a system complies with some confidentiality policies, such as a patient’s medical history should not be publicly available. We call critical configuration any configuration that conflicts with some given confidentiality policies, and we classify any plan that does not reach any critical configuration as compliant. In this paper, we make an additional assumption that critical configurations are closed under renaming of nonce names, that is, if W is a critical configuration and W σ = W  where σ is substitution renaming the nonces in W , then W  is also critical. This is a reasonable assumption since critical configurations are normally defined without taking into account the names of nonces used in a particular plan, but only how they relate in a configuration to the initial set of symbols in Σ and amongst themselves. For instance, in the medical example above consider the following configuration {P aul(n1, hist), Sec(n1 , hist), Sec(n1 , paul)}. This configuration is critical because the secretary knows Paul’s medical history, hist, since she knows his idendity number, denoted by the nonce n1 , and the medical history associated to this identifier. Using the same reasoning, one can easily check that the configuration resulting from renaming n1 is also critical. This paper additionally assumes that the initial and the goal configurations are also closed under renaming of nonces. In [17,18] several notions of plan compliances were proposed. Here, we consider only the weakest one, called weak plan compliance: Given a local state transition system T , an initial configuration W , a (partial) goal configuration Z, and a set of critical configurations, is there a compliant plan which leads from W to Z? Regarding protocol security, we will be interested in the following secrecy problem, which is basically an instantiation of the weak plan compliance problem with no critical configurations: Is there a plan from the initial configuration to a configuration in which the adversary M owns the fact M (s) where s is a secret originally owned by another participant? It is interesting to note that this problem can also be seen as a kind of dual to the weak plan compliance problem; is there a plan from the initial configuration to a

22

M. Kanovich et al.

critical configuration in which the adversary M owns the fact M (s) where s is a secret originally owned by another participant?

3 Formalizing Freshness for LSTSes with Balanced Actions In principle a plan can be exponentially long. Consider the following example encoding the Towers of Hanoi puzzle.1 Example 1. Towers of Hanoi is a well-known mathematical puzzle. It consists of three pegs b1 , b2 , b3 and a number of disks a1 , a2 , a3 , . . . of different sizes which can slide onto any peg. The puzzle starts with the disks neatly stacked in ascending order of size on one peg, the smallest disk at the top. The objective is to move the entire stack stacked on one peg to another peg, obeying the following rules: (a) Only one disk may be moved at a time. (b) Each move consists of taking the upper disk from one of the pegs and sliding it onto another peg, on top of the other disks that may already be present on that peg. (c) No disk may be placed on top of a smaller disk. The puzzle can be played with any number of disks and it is known that the minimal number of moves required to solve a Tower of Hanoi puzzle is 2n − 1, where n is the number of disks. The problem can be represented by an LSTS: We introduce the type disk for the disks, type diskp for either disks or pegs, with disk being a subtype of diskp. The constants a1 , a2 , a3 , ..., an are of type disk and b1 , b2 , b3 of type diskp. We use facts of the form On(x, y), where x is of type disk and y is of type diskp, to denote that the disk x is either on top of the disk or on the peg y, and facts of the form Clear(x), where x is of type diskp, to denote that the top of the disk x is clear, i.e., no disk is on the top of or on x, or that no disk is on the peg x. Since disks need to be placed according to their size, we also use facts of the form S(x, y), where x is of type disk and y is of type diskp, to denote that the disk x can be put on top of y. In our encoding, we make sure that one is only allowed to put a disk on top of a larger disk or on an empty peg, i.e., that x is smaller than y in the case of y being a disk. This is encoded by the following facts in the initial configuration: S(a1 , a2 ) S(a1 , a3 ) S(a1 , a4 ) S(a2 , a3 ) S(a2 , a4 )

... ... .. .

S(a1 , an ) S(a1 , b1 ) S(a1 , b2 ) S(a1 , b3 ) S(a2 , an ) S(a2 , b1 ) S(a2 , b2 ) S(a2 , b3 )

S(an−1 , an ) S(an−1 , an ) S(an−1 , b1 ) S(an−1 , b2 ) S(an−1 , b3 ) The initial configuration also contains the facts that describe the initial placing of the disks: On(a1 , a2 ) On(a2 , a3 ) . . . On(an−1 , an ) On(an , b1 ) Clear(a1 ) Clear(b2 ) Clear(b3 ) , 1

In the technical report [15], we also provide an example of an exponentially long anomaly in the context of protocol security.

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

23

The goal configuration consists of the following facts and encodes the state where all the disks are stacked on the peg b3 : On(a1 , a2 ) On(a2 , a3 ) . . . On(an−1 , an ) On(an , b3 ) Clear(a1 ) Clear(b1 ) Clear(b2 ) Finally, the only action in our system is: Clear(x) On(x, y) Clear(z) S(x, z) → Clear(x) Clear(y) On(x, z) S(x, z) where x has type disk, while y and z have type diskp. Notice that the action above is balanced. This action specifies that if there is a disk, x, that has no disk on top, it can be either moved to the top of another disk, z, that also has no disk on top, provided that x is smaller than y, specified by predicate S(x, z), or onto a clear peg. The encoding above of the Towers of Hanoi illustrates that plans can be exponentially long. Moreover, we can easily adapt that example to illustrate that in such plans exponentially many fresh values are used. Example 2. We modify the LSTS used before to model the Towers of Hanoi puzzle so that each move is identified/accompanied by replacing an old identifier, t, with a fresh identifier, t : P (t) Clear(x) On(x, y) Clear(z) S(x, z) → ∃t.P (t ) Clear(x) Clear(y) On(x, z) S(x, z)

As already stated, given n disks, all plans must be of the exponential length 2n − 1, at least. Consequently, within the modified version, a plan includes an exponential number of fresh values. The use of an exponential number of fresh values seems to prelude PSPACE membership of the secrecy and weak compliance problems. We circumvent this problem by showing how to reuse obsolete constants instead of updating with fresh values. Consider as an intuitive example the scenario where customers are waiting at a counter. Whenever a new customer arrives, he picks a number and waits until his number is called. Since only one person is called at a time, usually in a first come first serve fashion, a number that is picked has to be a fresh value, that is, it should not belong to any other customer in the waiting room. However, since only a bounded number of customers wait at the counter in a period of time, one only needs a bounded number of tickets: once a customer is finished, his number can be in fact reused and assigned to another customer. We can generalize the idea illustrated by the above example to systems with balanced actions. Since in such systems all configurations have the same number of facts and the size of facts is bounded, in practice we do not need an unbounded number of new constants in order to reach a goal, but just a small number of them. This is formalized by the following theorem: Theorem 1. Given an LSTS with balanced actions that can update nonces, any plan leading from an initial configuration W to a partial goal Z can be transformed into another plan also leading from W to Z that uses only a polynomial number of nonces with respect to the number of facts in W and an upper bound on the size of facts.

24

M. Kanovich et al.

The proof of Theorem 1 relies on the observation that from the perspective of an insider of the system two configurations can be considered the same whenever they only differ in the names of the nonces used. Consider for example the following two configurations, where the ni s are nonces and ti s are constants in the initial signature: {A(t1 , n1 ), B(n2 , n1 ), C(n3 , t2 )}

and {A(t1 , n4 ), B(n5 , n4 ), C(n6 , t2 )}

Since these configurations only differ in the nonce’s names used, they can be regarded as equivalent: the same fresh value, n1 in the former configuration and n4 in the latter, is shared by the agents A and B, and similarly, for the new values n2 and n5 , and n3 and n6 . Inspired by a similar notion in λ-calculus [8], we say that these configurations above are α-equivalent. Definition 3. Two configurations S1 and S2 are α-equivalent, denoted by S1 =α S2 , if there is a bijection σ that maps the set of all nonces appearing in one configuration to the set of all nonces appearing in the other configuration, such that the set S1 σ = S2 . The two configurations given above are α-equivalent because of the following the bijection {(n1 , n4 ), (n2 , n5 ), (n3 , n6 )}. It is easy to show that the relation =α is indeed an equivalence, that is, it is symmetric, transitive, and reflexive. The following lemma formalizes the intuition described above, namely, from the point of view of an insider two α-equivalent configurations are the same. That is, one can apply the same action to one or the other and the resulting configurations are also equivalent. This is similar to the notion of bisimulation in process calculi [20]. Lemma 1. Let m be the number of facts in a configuration S1 and a be an upper bound on the size of facts. Let Nm,a be a fixed set of 2ma nonce names. Suppose that the configuration S1 is α-equivalent to a configuration S1 and, in addition, each of the nonce names occurring in S1 belongs to Nm,a . Let an instance of the action r transform the configuration S1 into the configuration S2 . Then there is a configuration S2 such that: (1) an instance of action r transforms S1 into S2 ; (2) S2 is α-equivalent to S2 ; and (3) each of the nonce names occurring in S2 belongs to Nm,a . Proof. The most interesting case is when a rule updates nonces. Let r be a balanced action that updates nonces. Suppose that some occurrences of nonces n1 within S1 are updated with fresh nonces n2 resulting in S2 . Note that other places may still keep some of these old nonces n1 . Take the corresponding occurrence of say n1 σ in S1 (in accordance with our α-equivalence). Since the number of all places is bounded by ma, we can find enough elements (at most ma in the extreme case where all nonces are supposed to be updated simultaneously) n2 in Nm,a that do not occur in S1 . We update the particular occurrences in question with n2 , resulting in the desired S2 . Moreover, from the assumption that critical configurations are closed under renaming of nonces and that S2 is not critical, the configuration S2 is also not critical. 2 We are now ready to prove Theorem 1: Proof (of Theorem 1). The proof is by induction on the length of a plan and it is based on Lemma 1. Let T be a LSTS with balanced actions that can update nonces, m the number of facts in a configuration, and a the bound on size of each fact. Let Nm,a be a fixed set of 2ma nonce names. Given a plan P leading from W to a partial goal Z we adjust it so that all nonces updated along the plan P are taken from Nm,a .

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

25

For the base case, assume that the plan is of the length 0, that is, the configuration W already contains Z. Since we assume that goal and initial configurations are closed under renaming of nonces, we can rename the nonces in W by nonces from Nm,a . The resulting plan is compliant. Assume that any plan of length n can be transformed into a plan that uses the fixed number of nonces. Let a plan P of the length n + 1 be such that W >∗T ZU . Let r be the last action in P and Z1 >r ZU . By induction hypothesis along W >∗T Z1 , we only have nonces from the set Nm,a . We can then apply Lemma 1 to the configuration Z1 and conclude that all nonces in ZU belong to Nm,a . Therefore all nonces updated along the plan P are taken from Nm,a . Notice that no critical configuration is reached in this process, since we assume that critical configurations are closed under nonce names. 2 Corollary 1. For LSTSes with balanced actions that can update nonces, we only need to consider the planning problem with a polynomial number of fresh nonces, which can be fixed in advance, with respect to the number of facts in the initial configuration and the upper bound on the size of facts.

4 Complexity Results We start this section by improving the PSPACE lower-bound in [18, Theorem 6.1] for the weak plan compliance and secrecy problems. While their result allowed LSTSes with any type of balanced actions, we show next that the weak plan compliance and secrecy problems are also PSPACE-hard for LSTSes with balanced actions that can modify a single fact and in the process check whether another fact is present in the configuration. The main challenge here is to simulate operations over a non-commutative structure by using a commutative one. i.e.. to simulate the behavior of a Turing machine that uses a sequential, non-commutative tape in our formalism that uses commutative multisets. Please note that in this theorem no nonce updates are allowed. Theorem 2. Given an LSTS with only actions of the form ab → a b, the weak plan compliance problem and the secrecy problem are PSPACE-hard. The PSPACE upper bound for this problem can be inferred directly from [18]. Proof. In order to prove the lower bound, we encode a non-deterministic Turing machine M that accepts in space n within actions of the form ab → a b. In our proof, we do not use critical configurations and we need just one agent A. For each n, we design a local state transition system Tn as follows: First, we introduce the following propositions: Ri,ξ which denotes that “the i-th cell contains symbol ξ”, where i = 0, 1, .., n+1, ξ is a symbol of the tape alphabet of M, and Sj,q denotes that “the j-th cell is scanned by M in state q”, where j = 0, 1, .., n+1, q is a state of M. Assume without loss of generality that M has only one accepting state, qf , and that all accepting configurations in space n are of one and the same form. Given a machine configuration of M in space n such that M scans j-th cell in state q and that the string ξ0 ξ1 ξ2 ..ξi ..ξn ξn+1 is written left-justified on the tape, we will represent such a state of the machine by a configuration of Tn of the form (here ξ0 and ξn+1 are the end markers):

26

M. Kanovich et al.

Sj,q R0,ξ0 R1,ξ1 R2,ξ2 · · · Rn,ξn Rn+1,ξn+1 .

(1)



Second, each instruction γ in M of the form qξ → q ηD, denoting “if in state q looking at symbol ξ, replace it by η, move the tape head one cell in direction D along the tape, and go into state q  ”, is specified by the set of 5(n+2) actions of the form: Si,q Ri,ξ →A Fi,γ Ri,ξ , Fi,γ Ri,ξ →A Fi,γ Hi,γ , Fi,γ Hi,γ →A Gi,γ Hi,γ , (2) Gi,γ Hi,γ →A Gi,γ Ri,η , Gi,γ Ri,η →A SiD ,q Ri,η , where i = 0, 1, .., n+1, Fi,γ , Gi,γ , Hi,γ are auxiliary atomic propositions, iD := i+1 if D is right, iD := i−1 if D is left, and iD := i, otherwise. The idea behind this encoding is that by means of such five actions, applied in succession, we can simulate any successful non-deterministic computation in space n that leads from the initial configuration, Wn , with a given input string x1 x2 ..xn , to the accepting configuration, Zn . The faithfulness of our encoding heavily relies on the fact that any machine configuration includes exactly one machine state q. Namely, because of the specific form of our actions in (2), any configuration reached by using a plan P, leading from Wn to Zn , has exactly one occurrence of either Si,q or Fi,γ or Gi,γ . Therefore the actions in (2) are necessarily used one after another as below: Si,q Ri,ξ →A Fi,γ Ri,ξ →A Fi,γ Hi,γ →A Gi,γ Hi,γ →A Gi,γ Ri,η →A SiD ,q Ri,η . Moreover, any configuration reached by using the plan P is of the form similar to (1), and, hence, represents a configuration of M in space n. Passing through this plan P from its last action to its first v0 , we prove that whatever intermediate action v we take, there is a successful non-deterministic computation performed by M leading from the configuration reached to the accepting configuration represented by Zn . In particular, since the first configuration reached by P is Wn , we can conclude that the given input string x1 x2 ..xn is accepted by M. 2 We turn our attention to the case when actions can update nonces. We show that the weak plan compliance and the secrecy problems for LSTSes with balanced actions that can update nonces are in PSPACE. From Theorem 2, we can infer that these problems are indeed PSPACE-complete. To determine the existence of a plan we only need to consider plans that never reach α-equivalent configurations more than once. If a plan loops back to a previously reached configuration, there is a cycle of actions which could have been avoided. The following lemma imposes an upper bound on the number of different configurations given an initial finite signature. Such a upper bound provides us with the maximal length of a plan one needs to consider. Lemma 2. Given an LSTS T under a finite signature Σ, then the number of configurations with m facts (counting repeatitions), LT (m, a), that are pairwise not α-equivalent is such that LT (m, a) ≤ J m (D + 2ma)ma , where J and D are, respectively, the number of predicate and the number of constant and function symbols in the initial signature Σ; and a is an upper bound on the size of facts. Proof. There are m slots for predicate names and at most ma slots for constants and function symbols. Constants can be either constants in the initial signature Σ or nonce names. Following Theorem 1, we need to consider only 2ma nonces. 2

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

27

Clearly, the upper bound above on the number of configurations is an overestimate. It does not take into account, for example, the equivalence of configurations that only differ in the order of facts. For our purposes, however, it will be enough to assume such a bound. In particular, we show next that the secrecy problem for LSTSes with balanced actions that can update nonces is in PSPACE. Although the secrecy problem is stated as a decision problem, we prove more than just PSPACE decidability. Ideally we would also be able to generate a plan in PSPACE when there is a solution. Unfortunately, the number of actions in the plan may already be exponential in the size of the inputs, see Example 1, precluding PSPACE membership of plan generation. For this reason we follow [18] and use the notion of “scheduling” a plan in which an algorithm will also take an input i and output the i-th step of the plan. Definition 4. An algorithm is said to schedule a plan if it (1) finds a plan if one exists, and (2) on input i, if the plan contains at least i actions, then it outputs the ith action of the plan, otherwise it outputs no. Following [18], we assume that when given an LSTS, there are three programs, C, G, and T , such that they return the value 1 in polynomial space when given as input, respectively, a configuration that is critical, a configuration that contains the goal configuration, and a transition that is valid, that is, an instance of an action in the LSTS, and return 0 otherwise. Theorem 3. The weak compliance problem and the secrecy problem for LSTSes with balanced actions that can update nonces are in PSPACE. Proof. Assume as inputs an initial configuration W containing m facts, an upper bound, a, on the size of facts, programs G, C, and T , as described above, and a natural number 0 ≤ i ≤ LT (m, a). We modify the algorithm proposed in [18] in order to accommodate the updating of nonces. The algorithm must return “yes” whenever there is compliant plan from the initial configuration W to a goal configuration, that is, a configuration S such that G(S) = 1. In order to do so, we construct an algorithm that searches non-deterministically whether such configuration is reachable. Then we apply Savitch’s Theorem to determinize this algorithm. The algorithm begins with W0 := W . For any t ≥ 0, we first check if C(Wt ) = 1. If this is the case, then the algorithm outputs “no”. We also check whether the configuration Wt is a goal configuration, that is, if G(Wt ) = 1. If so, we end the algorithm by returning“yes”. Otherwise, we guess a transition r such that T (r) = 1 and that is applicable using the configuration Wt . If no such action exists, then the algorithm outputs “no”. Otherwise, we replace Wt by the configuration Wt+1 resulting from applying the action r to Wt . Following Lemma 2 the goal configuration is reached in at most LT (m, a) steps. We use a global counter, called step-counter, to keep track of the number of actions used in a partial plan constructed by this algorithm. In order to accommodate nonce update, we need a way to enforce that whenever an action updates nonces, these are considered fresh. This is done, as in the proof of Theorem 1, by replacing the relevant nonce occurrence(s) with nonces from a fixed set of nonce names so that they are different from any of the nonces in the enabling configuration.

28

M. Kanovich et al.

Table 1. Summary of the complexity results for the weak compliance and the secrecy problems. We mark the new results appearing here with a .

Balanced Actions

Bounded N of Nonces

o

Any No of Nonces Possibly Unbalanced Actions

Weak Plan Compliance Problem

Secrecy Problem

PSPACEcomplete [18]

PSPACEcomplete [18]

PSPACEcomplete

PSPACEcomplete

Undecidable [17]

Undecidable [12]

We now show that this algorithm runs in polynomial space. We start with the stepcounter: The greatest number reached by this counter is LT (m, a). When stored in binary encoding, this number takes only space polynomial to the given inputs: log2 (LT (m, a)) ≤ log2 (J m (D + 2ma)ma ) = log2 (J m ) + log2 ((D + 2ma)ma ) = m log2 (J) + ma log2 (D + 2ma). Therefore, one only needs polynomial space to store the values in the step-counter. Following Theorem 1 there are at most polynomialy many nonces updated in any run, namely at most 2ma. Hence nonces can also be stored in polynomial space. We must also be careful to check that any configuration, Wt , can also be stored in polynomial space with respect to the given inputs. Since our system is balanced and we assume that the size of facts is bounded, the size of a configuration remains the same throughout the run. Finally, the algorithm needs to keep track of the action r guessed when moving from one configuration to another and for the scheduling of a plan. It has to store the action that has been used at the ith step. Since any action can be stored by remembering two configurations, one can also store these actions in space polynomial to the inputs. A similar algorithm can be used for the secrecy problem. The only modification to the previous algorithm is that one does not need to check for critical configurations as in the secrecy problem there are no such configurations. 2 Our PSPACE-complete result contrast with results in [12], where the secrecy problem is shown to be undecidable. Although they also impose an upper bound on the size of facts, they did not restrict the actions of their systems to be balanced. Therefore, it is possible for their intruder to remember an unbounded number of facts, while the memory of all our agents is bounded. Moreover, in the DEXPTIME result in [12] a fixed bound is imposed on the number of nonces that can be created, whereas we do not impose such a bound here. Table 1 summarizes the complexity results for the weak plan compliance and secrecy problems.

5 Application: Protocol Theories with a Bounded Memory Intruder Although the results above were motivated by collaborative systems, we then noticed that our results have important consequences for protocol security analysis. In particular,

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

29

we show that many protocol anomalies, such as Lowe’s anomaly [19], can also occur when using our bounded memory adversary. We assume that the reader is familiar with such anomalies, see [9,12,19]. The complete details appear in [15]. As in [12], we assume that all messages are transmitted by passing first through the intruder, that is, the intruder acts as the network of the system. We use the public predicate names NS and NR to denote messages that are, respectively, sent from an agent to the intruder and from the intruder to another agent. On the other hand, the predicates C, D, and M are private to intruder. The first two are used when he is composing and decomposing messages, respectively, while the third predicate is used to denote some data learned by the intruder. Since the memory of agents is bounded, it is important to keep track of how many facts they can store. In particular, the public fact P (∗) denotes a free memory-slot available to any agent and the private fact R(∗) denotes a free memory-slot available only to the intruder. The use of the two distinct facts for free memory-slots helps us to formalize precise upper-bounds on the space needed by the intruder to realize an anomaly, see [15]. There, we also prove that the secrecy problem is PSPACE-hard when using intruder models, similar to those in [12], but that contain only balanced actions. We use balanced actions to model the intruder’s actions. In particular, our bounded memory Dolev-Yao intruder is also two-phased [12], that is, he first decomposes messages that are intercepted in the network and only then he starts composing new messages. For example, the following rules belong to the intruder: REC : NS (x)R(∗) → D(x)P (∗) DCMP : D(x, y)R(∗) → D(x)D(y) USE : M (x)R(∗) → C(x)M (x) GEN : R(∗) → ∃n.M (n)

SND : C(x)P (∗) → NR (x)R(∗) COMP : C(x)C(y) → C(x, y)R(∗) LRN : D(x) → M (x)

The rules REC and SND specify, respectively, the intruder’s actions of intercepting a message from and sending a message to the network. The rules DCMP and COMP specify the intruder’s actions of decomposing and composing messages. The rules USE and LRN specify the intruder’s actions of using known data to compose a message and learn some data from an intercepted message. Finally, the rule GEN specifies that the intruder can update with fresh values. Notice the role of the facts P (∗) and R(∗) in the rules. For instance, in the REC rule, when the intruder intercepts a message from the network, one of the the intruder’s free memory slots, R(∗), is replaced by a decomposable fact, D(x), while the fact representing data on the network, NS (x), is replaced by a free memory slot, P (∗), belonging to the other agents. The intruder is not allowed to intercept a new network fact if he does not have any free memory slot left. Therefore, differently from [12] where the intruder had only persistent facts, the bounded memory intruder might have to forget data. That is, he has actions that replace some facts stored in his memory with the empty fact R(∗), allowing hence the adversary to store eventually new information. For instance, the following rule specifies the intruder’s action of forgeting data known to the intruder: M (x) → R(∗). The complete set of rules for the adversary, including rules involving encryption and decryption, is given in [15]. Regarding protocol anomalies, the main observation is that when the adversary has enough R(∗) facts, then anomalies can also occur using adversaries with bounded

30

M. Kanovich et al.

Table 2. Table containing the total number of facts, the number of R(∗) facts, and the largest size of facts needed to encode protocol runs and known anomalies when using LSTSes with balanced actions. The largest size of facts needed to encode an anomaly is the same as in the corresponding normal run of the protocol. In the cases for the Otway-Rees and the Kerberos 5 protocols, we encode different anomalies, which are identified by the numbering, as follows: (1) The type flaw anomaly in [9]; (2) The replay anomaly from [24]; (3) The ticket anomaly and (4) the replay anomaly in [5]; (5) The PKINIT anomaly also for Kerberos 5 described in [6].

Protocol

Needham Schroeder

Yahalom

Otway Rees

Woo Lam

Kerberos 5

PKINIT(5)

Normal

No of facts Size of facts

9 6

8 16

8 26

7 6

15 16

18 28

Anomaly

No of facts No of R(∗)

19 7

15 9

11(1) , 17(2) 5(1) , 9(2)

8 2

22(3) , 20(4) 9(3) , 4(4)

31 10

memory. We believe that this is one reason for the successful use in the past years of model checkers for protocol verifications. In the technical report [15], we show that many anomalies can be realized using our bounded memory intruder. Table 2 summarizes the number of P (∗) and R(∗) facts and the upper bound on the size of facts needed to encode normal runs, where no intruder is present, and to encode the anomalies where the bounded memory intruder is present. We specify protocols using rules that handle encryption and decryption, as in [12]. For instance, to realize the Lowe anomaly to the Needham-Schroeder protocol, the intruder requires only seven R(∗) facts.2 Since all players in our system have bounded memory, the role generation phase in well-founded theories [12] necessarily yields a bounded number of protocols roles in our system, using here the terminology from [12]. This is because in such theories all protocol roles that are used in a run are created at the beginning. Since the size of configurations when using balanced actions is bounded, the number of roles that can be created is also bounded. Thus, under well founded theories, our PSPACE upper bound result (Theorem 3) reduces to the NP upper bound from [12, Theorem 3]. We therefore do not use well-founded theories, but rather allow protocol roles to be created not necessarily at the beginning of the run, but also after a protocol session is finished. Once a protocol session is finished it can be deleted, creating a free memory slot to be (possibly) used to create new protocol roles. Existing protocol analysis tools seem to proceed in a similar fashion.

6 Related Work As previously discussed, we build on the framework described in [18,17]. In particular, here we investigate the use of actions that can update values with nonces, providing new complexity results for the partial reachability problem. In [3,4], a temporal logic formalism for modeling organizational processes is introduced. In their framework, one 2

Notice that here we only encode standard anomalies described in the literature [5,9,24]. This does not mean, however, that there are not any other anomalies that can be carried out by an intruder with less memory, that is, with less R(∗) facts.

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

31

relates the scope of privacy to the specific roles of agents in the system. We believe that our system can be adapted or extended to accommodate such roles depending on the scenario considered. In [22], Roscoe formalized the intuition of reusing nonces to model-check protocols where an unbounded number of nonces could be used, by using methods from data independence. We confirm his initial intuition by providing tight complexity results and demonstrating that many protocol anomalies can be specified when using our model that reuses nonces. Harrison et al. present a formal approach to access control [14]. In their proofs, they faithfully encode a Turing machine in their system. However, in contrast to our encoding, they use a non-commutative matrix to encode the sequential, non-commutative tape of a Turing machine. We, on the other hand, encode Turing machine tapes by using commutative multisets. Specifically, they show that if no restrictions are imposed to the systems, the reachability problem is undecidable. However, if actions are not allowed to update values with fresh ones, then they show that the same problem is PSPACEcomplete. Furthermore, if actions can delete or insert exactly one fact and in the process one can also check for the presence of other facts and even update values with nonces, then they show the problem is NP-complete, but in their proof they implicitly impose a bound on the number of nonces that can be used. In their proofs, the non-commutative nature of their encoding plays an important role. Our paper is closely related to frameworks based on multiset rewriting systems used to specify and verify security properties of protocols [1,2,7,10,12,23]. While here we are concerned with systems where agents are in a closed room and collaborate, in those papers, the concern was with systems in an open room where an intruder tries to attack the participants of the system by manipulating the transmitted messages. This difference is reflected in the assumptions used by the frameworks. In particular, the security research considers a powerful intruder that has an unbounded memory and that can, for example, accumulate messages at will. On the other hand, we assume here that each agent has a bounded memory, technically imposed by the use of balanced actions. Much work on reachability related problems has been done within the Petri nets (PNs) community, see e.g., [13]. Specifically, we are interested in the coverability problem which is closely related to the partial goal reachability problem in LSTSes [17]. To our knowledge, no work that captures exactly the conditions in this paper has yet been proposed. For instance, [13,21] show that the coverability problem is PSPACEcomplete for 1-conservative PNs. While this type of PNs is related to LSTSes with balanced actions, it does not seem possible to provide direct, faithful reductions between LSTSes and PNs in this case.

7 Conclusions and Future Work This paper extended existing models for collaborative systems with confidentiality policies to include actions that can update values with fresh ones. Then, given a system with balanced actions, we showed that one only needs a polynomial number of constants with respect to the number of facts in the initial configuration and an upper bound on the size of facts to formalize the notion of fresh values. Furthermore, we proved that the weak plan compliance problem and the secrecy problem for systems with balanced actions

32

M. Kanovich et al.

that can update values with fresh ones are PSPACE-complete. As an application of our results, we showed that a number of anomalies for traditional protocols can be carried by a bounded memory intruder, whose actions are all balanced. There are many directions to follow from here, which we are currently working on. Here, we only prove the complexity results for the secrecy problem. We are searching for complexity bounds for the weak plan compliance and other policy compliances problems proposed in [17]. We would also like to understand better the impact of our work to existing protocol analysis tools, in particular, our PSPACE upper-bound result. Moreover, we are currently working on determining more precise bounds on the memory needed by an intruder to find an attack on a given protocol. Finally, despite of our idealized model, we believe that the numbers appearing in Table 2 provide some measure on the security of protocols. In general, we seek to provide further quantitative information on the security of protocols. Some of these parameters appear in existing model checkers, such as Murφ. We are investigating precise connections to such tools. Acknowledgments. We thank Elie Bursztein, Iliano Cervesato, Anupam Datta, Ante Derek, George Dinolt, F. Javier Thayer Fabrega, Joshua Guttman, Jonathan Millen, Dale Miller, John Mitchell, Paul Rowe, and Carolyn Talcott for helpful discussions. Scedrov, Nigam, and Kanovich were partially supported by ONR Grant N00014-071-1039, by AFOSR MURI ”Collaborative policies and assured information sharing”, and by NSF Grants CNS-0524059 and CNS-0830949. Nigam was also supported by the Alexander von Humboldt Foundation.

References 1. Amadio, R.M., Lugiez, D.: On the reachability problem in cryptographic protocols. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 380–394. Springer, Heidelberg (2000) 2. Amadio, R.M., Lugiez, D., Vanack`ere, V.: On the symbolic reduction of processes with cryptographic functions. Theor. Comput. Sci. 290(1), 695–740 (2003) 3. Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: IEEE Symposium on Security and Privacy (2006) 4. Barth, A., Mitchell, J.C., Datta, A., Sundaram, S.: Privacy and utility in business processes. In: CSF, pp. 279–294 (2007) 5. Butler, F., Cervesato, I., Jaggard, A.D., Scedrov, A., Walstad, C.: Formal analysis of Kerberos 5. Theor. Comput. Sci. 367(1-2), 57–87 (2006) 6. Cervesato, I., Jaggard, A.D., Scedrov, A., Tsay, J.-K., Walstad, C.: Breaking and fixing public-key Kerberos. Inf. Comput. 206(2-4), 402–424 (2008) 7. Chevalier, Y., K¨usters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. Theor. Comput. Sci. 338(1-3), 247–274 (2005) 8. Church, A.: A formulation of the simple theory of types. J. Symbolic Logic 5, 56–68 (1940) 9. Clark, J., Jacob, J.: A survey of authentication protocol literature: Version 1.0 (1997), http://www.cs.york.ac.uk/˜jac/papers/drareview.ps.gz 10. Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: LICS 2003, p. 271. IEEE Computer Society, Los Alamitos (2003) 11. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)

Bounded Memory Dolev-Yao Adversaries in Collaborative Systems

33

12. Durgin, N.A., Lincoln, P., Mitchell, J.C., Scedrov, A.: Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12(2), 247–311 (2004) 13. Esparza, J., Nielsen, M.: Decidability issues for Petri nets - a survey. Bulletin of the EATCS 52, 244–262 (1994) 14. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: On protection in operating systems. In: SOSP 1975, pp. 14–24. ACM, New York (1975) 15. Kanovich, M., Kirigin, T.B., Nigam, V., Scedrov, A.: Bounded memory Dolev-Yao adversaries in collaborative systems (2010), ftp://ftp.cis.upenn.edu/pub/papers/scedrov/FAST2010-TR.pdf 16. Kanovich, M., Kirigin, T.B., Nigam, V., Scedrov, A.: Progressing collaborative systems. In: FCS-PrivMod (2010) 17. Kanovich, M., Rowe, P., Scedrov, A.: Policy compliance in collaborative systems. In: CSF 2009, pp. 218–233. IEEE Computer Society, Los Alamitos (2009) 18. Kanovich, M., Rowe, P., Scedrov, A.: Collaborative planning with confidentiality. Journal of Automated Reasoning (2010) (to appear); This is an extended version of a previous paper which appeared in CSF 2007 19. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996) 20. Milner, R.: Communicating and Mobile Systems: The π-calculus. Cambridge University Press, New York (1999) 21. Jones, Y.L.N.D., Landweber, L.H.: Complexity of some problems in Petri nets. Theoretical Computer Science 4, 277–299 (1977) 22. Roscoe, A.W.: Proving security protocols with model checkers by data independence techniques. In: CSFW, pp. 84–95 (1998) 23. Rusinowitch, M., Turuani, M.: Protocol insecurity with a finite number of sessions and composed keys is NP-complete. Theor. Comput. Sci. 299(1-3), 451–475 (2003) 24. Wang, G., Qing, S.: Two new attacks against Otway-Reese protocol. In: IFIP/SEC 2000, Information Security, pp. 137–139 (2000)

Efficient Decision Procedures for Message Deducibility and Static Equivalence Bruno Conchinha1 , David Basin1 , and Carlos Caleiro2 1

2

Information Security Group, ETH Z¨ urich, Z¨ urich, Switzerland [email protected], [email protected] SQIG - Instituto de Telecomunica¸co ˜es, Department of Mathematics, IST, TU Lisbon, Portugal [email protected]

Abstract. We consider two standard notions in formal security protocol analysis: message deducibility and static equivalence under equational theories. We present new polynomial-time algorithms for deciding both notions under subterm convergent equational theories and under a theory representing symmetric encryption with the prefix property. For these equational theories, polynomial-time algorithms for the decision problems associated to both notions are well-known (although this has not been proven for static equivalence under the prefix theory). However, our algorithms have a significantly better asymptotic complexity than existing approaches. As an application, we use our algorithm for static equivalence to discover off-line guessing attacks on the Kerberos protocol when implemented using a symmetric encryption scheme for which the prefix property holds. Keywords: security protocols, equational theories, deducibility, static equivalence.

1

Introduction

Formal methods and associated tools are now well established for analyzing security protocols. In symbolic approaches, the messages exchanged by agents are represented by terms in an algebra and properties of cryptographic operators are formalized equationally. This sets the scene for different analysis approaches. Message deducibility and static equivalence are two relations, formulated in the equational setting, with direct applications to security protocol analysis. Procedures for analyzing the security of cryptographic protocols use algorithms for deduction [6, 5, 17, 14], and static equivalence has been used to study cryptographic indistinguishability [9] and to model and reason about off-line guessing attacks [20, 7, 1]. Contributions. In this paper, we give new algorithms for deciding both deduction and static equivalence in two practically relevant cases: subterm convergent P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 34–49, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Efficient Algorithms for Deciding Deduction and Static Equivalence

35

theories and theories for symmetric encryption with the prefix property. Our algorithms have better asymptotic complexity than existing approaches. Our algorithms for the prefix theory are a simple generalization of those for subterm convergent theories. As an application, we analyze the security of the Kerberos protocol against offline guessing attacks. Although it was previously known that Kerberos admits an off-line guessing attack [24], we are able to find numerous new attacks by considering an implementation with a symmetric encryption scheme for which the prefix property holds, e.g., if ECB or CBC modes of operation are used. Identifying such attacks highlights design and implementation issues (such as message ordering, modes, etc.) that may not appear important. Automating such analysis requires static equivalence procedures for different theories and highlights the importance of efficient, automated methods for this task. Background and Related Work. The notions of deduction and static equivalence that we consider were originally introduced in the context of the pi-calculus [4]. Considerable work has been devoted to proving the decidability of both deduction and static equivalence for a wide range of equational theories. [2] gives polynomial-time algorithms for both decision problems under equational theories generated by subterm convergent rewriting systems. For other equational theories there are few polynomial-time results; however, decidability results exist under fairly general conditions, e.g., [3, 14, 15, 16, 17, 18, 22, 23, 25, 26]. Despite the considerable prior work in this area, there have been few implementations of these algorithms, particularly for static equivalence. For some time, ProVerif [10, 11] was the only tool capable of deciding static equivalence. General algorithms for deduction and static equivalence have more recently been implemented by the YAPA [8] and KISS [16] tools. Although the precise set of equational theories and conditions under which these algorithms terminate is unclear, they seem able to handle most theories previously studied. We provide a detailed comparison of our algorithms with those implemented by these tools. Even less attention has been devoted to improving the efficiency of algorithms for these problems. Given the interest in tools for solving these problems, complexity issues are not only theoretically interesting but also practically relevant. Organization. In Section 2, we introduce basic definitions and notation. In Section 3, we present our algorithms and their properties. In Section 4, we extend the methods of Section 3 to handle symmetric encryption with the prefix property. As a case study, we analyze the security of the Kerberos protocol against off-line guessing attacks. We draw conclusions in Section 5. For reasons of space and readability, full proofs are given in the technical report [19].

2

Background and Basic Definitions

Given a function g, we denote by dom(g) and by ran(g) its domain and range, respectively. When X ⊆ dom(g), we write g[X] for the image of X under g.

36

B. Conchinha, D. Basin, and C. Caleiro

 We consider signatures Σ = n∈N Σn consisting of finitely many function symbols, where Σi contains the functions symbols of arity i. For each f ∈ Σ, the function ar: Σ → N returns the arity ar(f ) of f . Function symbols are used to represent publicly known functions over messages, including cryptographic operators. Constant function symbols (i.e., symbols in Σ0 ) represent publicly known constants. We also fix infinite, disjoint sets Var and Name of variables and names, and assume that x, y, z ∈ Var and that {xi | i ∈ N} ⊆ Var. Example 1. The signature Σ DY , representing a Dolev-Yao model with an hash function h, a pairing function pair, the projections π1 and π2 , and symmetric and asymmetric encryption and decryption, is given by Σ DY = Σ1DY ∪ Σ2DY , where Σ1DY = {h, π1 , π2 , pub, priv} and Σ2DY = {encsym , decsym , pair, encasym , decasym }. The functions pub and priv represent the generation of public and private keys. We will use the following abbreviations: xpub for pub(x); xpriv for priv(x); s s,−1 x, y for pair(x, y); {P }K for encsym (P, K); {C}K for decsym (C, K); {P }K for −1 encasym (P, K); {C}K for decasym (C, K); and x1 , . . . , xn  for . . . x1 , x2  . . . , xn . As usual, given a set X, T (Σ, X) is the set of Σ-terms over X, i.e., the smallest set such that X ⊆ T (Σ, X) and f (t1 , . . . , tn ) ∈ T (Σ, X) for all t1 , . . . , tn ∈ T (Σ, X) and all f ∈ Σn . We use the symbol = to denote syntactic equality. Given t ∈ T (Σ, X), we define the set sub(t) of subterms of t as usual: if t ∈ X, then sub(t) = {t}; ift = f (t1 , . . . , tn ) for some f ∈ Σn and t1 , . . . , tn ∈ T (Σ, X), n then sub(t) = {t} ∪ i=1 sub(ti ). We denote by vars(t) = sub(t) ∩ Var the set of variables occurring in t. We use the standard notion of substitution as a partial function σ: Var  T (Σ, X). We abuse notation by using the same symbol σ for a substitution and its homomorphic extension to T (Σ, X), where dom(σ) ⊆ X. As usual, we write tσ instead of σ(t). A frame is a pair (˜ n, σ), written υ˜ n.σ, where n ˜ ⊆ Name is a finite set of names and σ: Var  T (Σ, Name) is a substitution with finite domain. Intuitively, names in n ˜ represent fresh data generated by agents and thus unavailable to the attacker, while σ represents the messages learned by the attacker by eavesdropping on the network. Given a frame φ = υ˜ n.σ, we define Tφ = T (Σ, (Name \ n ˜ ) ∪ dom(σ)). We say that terms in Tφ are φ-recipes. The terms in σ[Tφ ] are the concrete terms that the attacker can obtain and we refer to them as terms constructible from φ. A rewriting system R over Σ is a set of rewrite rules of the form l → r, where l, r ∈ T (Σ, Var). We assume that rewriting systems have only finitely many rules. Given a rewriting system R, we define the relation →R ⊆ T (Σ, Name) × T (Σ, Name) as the smallest relation such that: – if (l → r) ∈ R and σ: vars(l) → T (Σ, Name) is a substitution, then lσ →R rσ, and – if t1 , . . . , tn , ti ∈ T (Σ, Name), ti →R ti , and f ∈ Σn , then f (t1 , . . . , ti , . . . , tn ) →R f (t1 , . . . , ti , . . . , tn ). We drop the R from →R when it is clear from context.

Efficient Algorithms for Deciding Deduction and Static Equivalence

37

A rewriting system R is convergent if it is terminating and confluent. In this case, each term t has a unique normal form t ↓R ∈ T (Σ, Name). Given a convergent rewriting system R, we define ≈R ⊆ T (Σ, Name) × T (Σ, Name) as the relation such that t ≈R t if and only if t ↓R = t ↓R . Note that we adopt the usual convention of writing t ≈R t instead of (t, t ) ∈ ≈R . It is simple to check that ≈R is an equational theory (i.e., an equivalence relation closed under the application of contexts). We call ≈R the equational theory generated by R. A rewriting system R is subterm convergent if it is convergent and, for each (l → r) ∈ R, either r ∈ sub(l) or r ∈ T (Σ, ∅) is a term in normal form. Permitting terms in T (Σ, ∅) on the right-hand side follows [8]. Example 2. The rewriting system RDY over Σ DY , formalizing the standard capabilities of the Dolev-Yao intruder, is given by   s,−1 −1   s → x, {x}ypub →x . RDY = π1 (x, y) → x, π2 (x, y) → y, {x}y y

s {π1 ({x, y}z )

ypriv

s

The rewriting system Rp , given by Rp = RDY ∪ → {x}z }, represents a Dolev-Yao attacker in the presence of symmetric encryption satisfying the prefix property. RDY and Rp are convergent rewriting systems. However, only RDY is subterm convergent. For readability, we write ≈DY and ≈p instead of ≈RDY and ≈Rp , respectively. Our definitions of deduction and static equivalence differ slightly from those introduced in [4] and used, e.g., in [2, 3, 20]. However, they are equivalent to the original ones and fit our methods better. Definition 1. Given a frame φ, a term t ∈ T (Σ, Name), and an equational theory ≈, we say that t is deducible from φ under ≈, and write φ ≈ t, if there is a t ∈ σ[Tφ ] such that t ≈ t. The equational theories ≈ that we use are those generated by rewriting systems R; thus, we write φ R t instead of φ ≈R t. n .σ  and an equational Definition 2. Given two frames φ = υ˜ n.σ and φ = υ˜  theory ≈, we say that φ and φ are statically equivalent under ≈, and write φ ≈s φ , if Tφ = Tφ ( i.e., n ˜=n ˜  and dom(σ) = dom(σ  )) and, for all t, t ∈ Tφ ,     tσ ≈ t σ if and only if tσ ≈ t σ . The corresponding decision problems are defined as expected. Definition 3 (Deduction Problem). Given a frame φ, an equational theory ≈, and a term t, does φ ≈ t hold? Definition 4 (Static Equivalence Problem). Given frames φ and φ and an equational theory ≈, does φ ≈s φ hold? Static equivalence is well-suited for modeling off-line guessing attacks [1, 7, 20]. Suppose that a nonce g has low entropy: for example, g is a human-picked password. Then, an attacker may choose a small set of bitstrings with a high

38

B. Conchinha, D. Basin, and C. Caleiro

probability of containing the bitstring represented by g. The attacker can then use each of these bitstrings as his guess for the password. The attack is successful if he can verify which of these guesses is correct. The following definition, in the spirit of [7, 20], captures this intuition. Definition 5. Let ≈ be an equational theory, φ = υ˜ n.σ be a frame, and g ∈ Name be a name. Fix some fresh name w ∈ Name \ (sub(ran(σ)) ∪ {g}) and define φg and φw by φg = υ(˜ n ∪ {w}).(σ ∪ {xn+1 → g}), φw = υ(˜ n ∪ {w}).(σ ∪ {xn+1 → w}). We say that φ allows an off-line guessing attack of g under ≈ if φg ≈s φw . Note that this definition is independent of the particular choice of the name w. Section 4.1 presents an application of static equivalence to the study of off-line guessing attacks. In order to obtain polynomial complexity bounds for our algorithms, we will work with DAG (directed acyclic graph) representations of terms, as in [2]. Definition 6. Let t ∈ T (Σ, X) be a term. Let V be a set of vertices, λ: V → Σ ∪ X a labeling function, E ⊆ V × V × N a set of edges, and v ∈ V a vertex. If t ∈ X, then (V, λ, E, v) is a DAG-representation of t if λ(v) = t and (v, v , n) ∈ / E for all v  ∈ V and all n ∈ N. If t = f (t1 , . . . , tn ), then (V, λ, E, v) is a DAG-representation of t if λ(v) = f , there are edges (v, v1 , 1), . . . , (v, vn , n) ∈ E such that, for each i ∈ {1, . . . , n}, (V, λ, E, vi ) is a DAG-representation of ti , and there are no other edges (v, v  , m) ∈ E for any v  ∈ V and any m ∈ N. A tuple T = (V, λ, E) is a DAG-forest if, for all v ∈ V , (V, λ, E, v) represents some term t ∈ T (Σ, X). If T = (V, λ, E) is a DAG-forest and v ∈ V , we use the following notions: termT (v) is the (unique) term represented by (V, λ, E, v); ei,T (v) is the (only) v  ∈ V such that (v, v  , i) ∈ E; inT (v) = {w ∈ V | (w, v, i) ∈ E, for some i}; outT (v) = {w ∈ V | (v, w, i) ∈ E, for some i}; leaves(T ) = {v ∈ V | outT (v) = ∅}; roots(T ) = {v ∈ V | inT (v) = ∅}. If T has only one root, we may refer to it as a DAG-tree. Let T = (V, λ, E) be a DAG-forest. If roots(T ) = {v}, we say that T is a DAG-representation of the term termT (v). When no confusion can arise, we may abuse notation and use the same symbol for such a DAG-tree and the term represented by it. T is minimal if there are no distinct vertices v, v ∈ V such that termT (v) = termT (v  ). T is in normal form if, for each vertex v in T , termT (v) is in normal form. A normal form of T is a DAG-forest Tnf such that, for all v ∈ roots(T ), there is a vertex vnf in Tnf such that termT (v)↓ = termTnf (vnf ), and for each vnf ∈ roots(Tnf ), there is a v ∈ roots(T ) such that termT (v)↓= termTnf (vnf ). The minimal normal form of a DAG-forest is unique up to renaming of vertices.

Efficient Algorithms for Deciding Deduction and Static Equivalence

39

Example 3. The diagram pair x FFF2 xx FF x F" |xx

1 ppp

1

x

y h

decsym KKK2 KKK K%

p wppp encsym OOO 2 1 rrr OOO r OOO r r yr 'x

x

1 y depicts a DAG-forest containing DAG-representations of the terms x, y and s s,−1 {{h(y)}x }x . Its minimal normal form is shown below. uu uu zu u 1

x

pair I h II2 II 1 I$  y

Our complexity results depend on the rewriting system and are stated in terms of the size of terms and frames. n If t ∈ T (Σ, Name) is a term, then the size |t| of t is 1 if t ∈ X and 1 + i=1 |ti | if t  = f (t1 , . . . , tn ). If φ = υ˜ n.σ is a frame, then the size |φ| of φ is given by |φ| = x∈dom(σ) |xσ|. If T = (V, λ, E) is a DAG-forest, we define |T | = |V |. If R is a rewriting system, we define nvars(R) = max(l→r)∈R |vars(l)|. In order to take advantage of DAGs, we always assume a random-access machine model in our complexity analysis.

3

Decision Procedures for Subterm Convergent Rewriting Systems

Throughout this section we assume fixed a subterm convergent rewriting system R, such that nvars(R) ≥ 1, and a frame φ = υ˜ n.σ, such that σ = {x1 → t1 , . . . , xn → tn } and the terms t are all in normal form. We also fix a set Υ = i

τ1 , . . . , τnvars(R) of fresh names, i.e., Υ ∩ (˜ n ∪ sub(ran(σ))) = ∅. 3.1

Frame Saturation

In this section, we present our frame saturation algorithm. Frame saturation is an established technique for deciding both deduction and static equivalence [2,8,16]. Our procedure is less general than those implemented in [8, 16], but it is more efficient for subterm convergent equational theories. Definition 7. We say that t is a φ-recipe (under R) for t if t is a φ-recipe and tσ ≈R t . We say that a frame φs = υ˜ n.σs is a saturation of φ (under R) if there is a φ-recipe for each t ∈ ran(σs ) and, for all t ∈ Tφ , (tσ)↓ ∈ σs [Tφs ].

40

B. Conchinha, D. Basin, and C. Caleiro

The following simple lemma justifies the usefulness of saturation. Lemma 1. Let φs be a saturation of φ and t ∈ T (Σ, Name) be a term. Then, φ R t if and only if t↓∈ σs [Tφs ]. The first step in our saturation algorithm is to build a forest Tφ,R = (Vφ,R , λφ,R , Eφ,R ) (line 1 in Algorithm 1) and compute functions ζ and rw. Algorithms for computing Tφ,R , rw and ζ are given in the technical report [19]. Lemma 2 summarizes their relevant properties. Lemma 2. The forest Tφ,R = (Vφ,R , λφ,R , Eφ,R ) and the functions rw and ζ are such that: (1) Tφ,R is minimal, can be obtained in time O(|φ|nvars (R) log2 |φ|), and |Tφ,R | ∈ O(|φ|nvars (R) ); (2) rw can be computed in time O(log |φ|); (3) ζ can be computed in time O(log |φ|); for each v ∈ dom(ζ), |ζ(v)| = 1; (4) for each s ∈ sub(ran(σ)) ∪ Υ , there is an unique v such that termTφ,R (v) = s; (5) for each v ∈ dom(rw), termTφ,R (v) →R termTφ,R (rw(v)); (6) for each t ∈ ran(σ) ∪ Υ , there is a v such that termTφ,R (v) = t and v ∈ dom(ζ); (7) for each v ∈ dom(ζ), termζ(v) (v) is a φ-recipe for termTφ,R (v); (8) for each rule (l → r) ∈ R and each substitution σl : vars(l) → sub(ran(σ)) ∪ Υ , there is a unique v ∈ Vφ,R ∩ dom(rw) such that termTφ,R (v) = lσl and termTφ,R (rw(v)) = rσl . Our saturation algorithm traverses the forest Tφ,R bottom-up. Whenever a recipe for a term termTφ,R (v) is found, v is added to the range of ζ (with ζ(v) being a DAG-representation of a φ-recipe for that term), and all vertices v  with an outgoing edge (v  , v, i) to v are added to the list of vertices to visit in the next iteration of the visiting loop. At the end of the process, a term t ∈ sub(ran(σ)) is deducible from φ if and only if the (unique) vertex representing that term is in the domain of ζ. The algorithm also stores the functions σs and ζs . σs is such that φs = υ˜ n.σs is a saturation of φ, and ζs is such that dom(ζs ) = dom(σs ) and, for each x ∈ dom(σs ), ζs (x) is a DAG-representation of a φ-recipe for xσs . Furthering our abuse of notation, we use the symbol ζs as the substitution that assigns, to each x ∈ dom(ζs ), the term represented by (the DAG-forest) ζs (x). In this case, we use postfix notation and write xζs . The tree Tφ,R has at most O(|φ|nvars (R) ) vertices, and each vertex v ∈ Vφ,R is visited at most |inTφ,R (v)| times. Thus, the total number of visits to vertices is at most O(|φ|nvars (R) ). By using suitable data structures, we can ensure that each visit takes at most time O(log2 |φ|). We thus obtain an asymptotic complexity of O(|φ|nvars (R) log2 |φ|). We state the algorithm’s properties and complexity in Lemma 3.

Efficient Algorithms for Deciding Deduction and Static Equivalence

41

Algorithm 1 (Saturating a Frame) Input: a frame φ = υ˜ n.σ, with σ = {x1 → t1 , . . . , xn → tn } Output: a saturation φs = υ˜ n.σs of φ and a function ζs 1: compute Tφ,R = (Vφ,R , λφ,R , Eφ,R ), rw, ζ 2: ζs ← {x → ({vx } , {vx → x} , ∅) | x ∈ dom(σ)}, where the vx are such that termTφ,R (vx ) = xσ 3: σs ← σ  4: visitnow ← leaves(Tφ,R ) ∪ ( v∈dom(ζ) inTφ,R (v)), visitnext ← ∅ 5: while visitnow = ∅ 6: for all v ∈ visitnow 7: if λ(v) ∈ X \ n ˜ and v ∈ / dom(ζ) then 8: ζ ← ζ ∪ {v → (v, {v → λ(v)} , ∅)} 9: visitnext ← visitnext ∪ inTφ,R (v) 10: if outTφ,R (v) ⊆ dom(ζ) and v ∈ / dom(ζ) then 11: let (Vi , λi , Ei ) = ζ(ei,Tφ,R (v)) for i ∈ {1, . . . , ar(λφ,R (v))} ar(λ (v)) ζ ← ζ ∪ {v → (v ∪ i=1 φ,R Vi , ar(λφ,R (v)) 12: {v → λ(v)} ∪ i=1 λ,

iar(λφ,R (v)) v (v), i) ∪ Ei )} (v, e i,Tφ,R i=1 i=1 13: if v ∈ dom(rw) and rw(v) ∈ / dom(ζ) then 14: ζ ← ζ ∪ {rw(v) → ζ(v)} 15: if termTφ,R (rw(v)) ∈ sub(ran(σ)) 16: then choose x ∈ Var \ dom(σs )

17: σs ← σs ∪ x → termTφ,R (rw(v)) 18: ζs ← ζs ∪ {x → ζ(rw(v))} 19: visitnext ← visitnext ∪ inTφ,R (rw(v)) 20: else visitnext ← visitnext ∪ inTφ,R (v) 21: return ζs , φs = υ˜ n.σs Lemma 3. Algorithm 1 terminates in time O(|φ|nvars (R) log2 |φ|). φs is a saturation of φ (under R), dom(ζs ) = dom(σs ), and, for each x ∈ dom(σs ), ζs (x) ∈ Tφ and ζs (x) is a DAG-representation of a φ-recipe for xσs with size |ζs (x)| ∈ O(|φ|). For each v ∈ dom(ζ), there is a φs -recipe t for termTφ,R (v) such that ζ(v) = tζs is a φ-recipe for termTφ,R (v). If termTφ,R (v) ∈ σs [Tφs ], then v ∈ dom(ζ). 3.2

Decision Procedure for Deduction

In light of Lemma 1, to solve the deduction problem under R for a frame φ and a term t, it suffices to (1) compute t↓R , (2) compute the saturated frame φs = ν n ˜ .σs (using Algorithm 1), and (3) decide whether t↓R ∈ σs [Tφs ]. In the technical report [19] we show that the complexities of these three computations are, respectively, O(|t| log2 |t|), O(|φ|nvars (R) log2 |φ|), and O(|t||φ|2 ). Theorem 1 sums up these observations. Theorem 1. Given a frame φ and a term t, the complexity of deciding whether φ R t is at most O(|t| log2 |t| + |t||φ|2 + |φ|nvars(R) log2 |φ|).

42

3.3

B. Conchinha, D. Basin, and C. Caleiro

Decision Procedure for Static Equivalence

Throughout this section, Tφ,R is as described in the previous sections, φs and ζs are as output by Algorithm 1, and φ = ν n ˜ .σ  is a frame such that dom(σ  ) = dom(σ) = {x1 , . . . , xn }. We assume that dom(σs ) = {x1 , . . . , xms } and that σs is an extension of σ. Υ will be used as in the previous section. Algorithm 2 summarizes our procedure for deciding static equivalence. Note that some of the operations performed by this algorithm must use the DAGrepresentation of terms to ensure polynomial-time complexity. We refer to the technical report [19] for these details. Algorithm 2 (Decision Procedure for ≈sR ) Input: two frames φ = υ˜ n.σ and φ = υ˜ n.σ  such that dom(σ) = dom(σ ) = {x1 , . . . , xn } Output: true if φ ≈sR φ and false otherwise 1: compute Tφ,R , ζ, rw, ζs and φs 2: choose a permutation π: {1, . . . , ms } → {1, . . . , ms } such that 1 ≤ i < j ≤ ms ⇒ |xπ(i) σs | ≤ |xπ(j) σs | 3: for each k ∈ {1, . . . , ms }, let

φs,k = υ˜ n. xπ(1) → xπ(1) σs , . . . , xπ(k) → xπ(k) σs 4: for all k ∈ {1, . . . , ms } 5: if xπ(k) σs ∈ σs [Tφs,k−1 ] then 6: choose t ∈ Tφs,k−1 such that xπ(k) σs = tσs 7: if xπ(k) ζs σ  ≈R tζs σ  then return false 8: for all v ∈ dom(rw) 9: then if (ζ(v))σ ≈R (ζ(rw(v)))σ 10: then return false 11: Repeat once lines 1–10, exchanging φ and φ 12: return true The first loop (lines 4–7) tests whether syntactical equality between terms yielded by two distinct φ-recipes under φ implies that these two recipes yield equationally equal terms under φ . The condition in lines 8–10 tests whether there are two recipes representing instances of the left and right-hand sides of a rule under φ but that do not represent equal terms (modulo R) under φ . If either of the two loops outputs false then the two frames are not statically equivalent. Otherwise, we conclude that all equalities (between recipes, modulo R) satisfied by φ are also satisfied by φ . Repeating the procedure, exchanging the roles of φ and φ , allows one to decide whether φ ≈sR φ . The correctness of this procedure and its complexity analysis are provided by Theorem 2. Theorem 2. Algorithm 2 decides whether φ ≈sR φ in time O((|φ| + |φ |)3 log2 (|φ| + |φ |) + (|φ| + |φ |)nvars (R)+1 log2 (|φ| + |φ |)). O((|φ| + |φ |)3 ) is an upper bound for the complexity of the first loop (lines 4–7) of Algorithm 2; O((|φ| + |φ |)nvars(R)+1 log2 (|φ| + |φ |)) is an upper bound for the complexity of the second (lines 8–10).

Efficient Algorithms for Deciding Deduction and Static Equivalence

4

43

The Prefix Theory

We now investigate how our methods can be extended to deal with theories resulting from other convergent rewriting systems. In particular, we examine the system Rp presented in Example 2, which represents symmetric encryption with the prefix property. Encryption modes designed to encrypt large messages using block ciphers often have the prefix property, namely ECB and CBC. The decidability of deduction for this theory has been studied in [14]. As before, we assume here that φ = υ˜ n.σ is a frame, with σ = {x1 → t1 , . . . , xn → tn }, and fix a set Υ = {τ1 , τ2 , τ3 } of fresh names (note that nvars(Rp ) = 3, s since |vars(π1 ({x, y}z ))| = 3). We begin by defining p-subterms, which extend the usual notion of subterm. Definition 8. Let t ∈ T (Σ DY , Name). We define the set of p-subterms of t inductively as follows: – if t ∈ Name, then sub p (t) = {t}; s – if t = {t1 , t2 }t3 for some t1 , t2 , t3 ∈ T (Σ, Name), then sub p (t) = {t, t3 } ∪ s sub p ({t1 }t3 ) ∪ sub p (t1 , t2 ); – if t = f (t1 , . . . , tn ) for some f and some t1 , . . . , tn and t = {t1 , t2 }st for 3 n all t1 , t2 , t3 ∈ T (Σ, Name), then sub p (t) = {t} ∪ i=1 sub p (ti ). We extend this definition to sets of terms as usual. Our algorithms for the prefix theory are similar to the algorithms for subterm convergent rewriting systems. As before, we start by building a minimal DAGforest Tφ,p and computing functions rwp and ζp . Tφ,p , rwp , and ζp satisfy properties analogous to those given in Lemma 2 for Tφ,R , rw, and ζ, after replacing some critical instances of sub by sub p . A summary of these properties and details of the construction can be found in the technical report [19]. Let Algorithm 1p be Algorithm 1 after replacing R by Rp , Tφ,R by Tφ,p , and sub by sub p in line 15. Algorithm 1p computes a saturated frame under Rp . Our algorithms for deduction and static equivalence also work for the prefix theory. We summarize these results in the following theorems. Note, in our complexity analysis, that nvars(Rp ) = 3. Hence, the complexity of our algorithms is not affected by the fact that Rp is not subterm convergent. Lemma 4. Algorithm 1p terminates in time O(|φ|3 log2 |φ|). φs is a saturation of φ (under Rp ), dom(ζs ) = dom(σs ), and, if x ∈ dom(ζs ), then xζs is a DAG-representation of a φ-recipe for xσs with size |xζs | ∈ O(|φ|). For each v ∈ dom(ζ), there is a φs -recipe t for termTφ,p (v) such that ζ(v) = tζs is a φ-recipe for termTφ,p (v). If termTφ,p (v) ∈ σs [Tφs ], then v ∈ dom(ζ). Theorem 3. Given a frame φ and a term t, the complexity of deciding whether φ Rp t is at most O(|t| log2 |t| + |t||φ|2 + |φ|3 log2 |φ|).

44

B. Conchinha, D. Basin, and C. Caleiro

Theorem 4. Algorithm 2 decides whether φ ≈sRp φ in time O((|φ| + |φ |)4 log2 (|φ| + |φ |)). 4.1

Off-Line Guessing Attacks on a Version of Kerberos

We now present multiple off-line guessing attacks on a version of Kerberos. Kerberos is known to be insecure against off-line guessing attacks [24]. However, our formal analysis of its security when implemented with a symmetric encryption scheme satisfying the prefix property is novel. Kerberos Variant. The version of Kerberos we consider is adapted from [12]. We present a short description of the protocol, in standard notation. 1. A → KAS: A,  KAS, T1  s 2. KAS → A: {A, TGS, KA,TGS , T2 }sKKAS,TGS , KA,TGS , TGS, T2  3. A → TGS: {A, TGS, KA,TGS , T2 }sKKAS,TGS , {A, T3 }sKA,TGS , B s  4. TGS → A: KA,B , B, T4 , {A, B, KA,B , T4 }sKB,TGS  5. A → B: {A, B, KA,B , T4 }sKB,TGS , {A, T5 }sKA,B  6. B → A: {T5 }sKA,B

KA,KAS

KA,TGS

A is a name (e.g., of a client of a single-sign-on service). KAS is the Kerberos authentication server. TGS is the ticket-granting server. B is some service provider. KA,KAS (respectively KKAS,TGS , KB,TGS ) is a long-term key shared between A and KAS (respectively between KAS and TGS and between B and TGS). KA,TGS (respectively KA,B ) is a short-term key shared between A and TGS (respectively between A and B), freshly generated for each session by KAS (respectively by TGS). Finally, T1 , . . . , T5 are timestamps. Note that for our purposes, it suffices to view them as freshly generated nonces, even if this representation is imprecise. The only difference between the protocol presented and the model of Kerberos (version IV) presented in [12] is that, in the term sent in step 2, the encryption s {A, TGS, KA,TGS , T2 }KKAS,TGS is the first (instead of the last) term in the encrypted tuple. Although this may appear to be a small and harmless change, it gives rise to guessing attacks if a symmetric encryption scheme with the prefix property is used. One of our attacks relies on the double encryption used in version IV of the protocol and is thus prevented by Version V. The signature Σ ker we use is obtained by simply adding the set Σ0 = {A, B, KAS, TGS} of agent names to the signature Σ DY . We assume that {Ti | i ∈ N} ⊆ Name. We also represent the long-term keys KA,KAS, KKAS,TGS ∈ Name and the  short-term keys KA,TGS , KA,TGS ∈ Name (corresponding to the keys generated by KAS for use between A and TGS in two distinct sessions) as names. The Attacker’s Knowledge. We consider an attacker who eavesdrops on two different protocol sessions, both executed between an agent A and the server KAS. For simplicity, we assume that the attacker stores only the second

Efficient Algorithms for Deciding Deduction and Static Equivalence

45

message of each session. This is enough to present our off-line guessing attacks. n.σ, where  We represent the attacker’s knowledgeby the frame φ = υ˜  n ˜ = KA,TGS , KA,TGS , KA,KAS , KKAS,TGS , T1 , T2 and  s s σ = { x0 → {A, TGS, KA,TGS , T1 }KKAS,TGS , KA,TGS , TGS, T1  , KA,KAS   s s   x1 →  A, TGS, KA,TGS , T2  , KA,TGS , TGS, T2  }. KKAS,TGS

KA,KAS

We are interested in determining whether this frame allows an off-line guessing attack of KA,KAS . This is a (potentially) weak key, since it is often chosen by human users or derived from such a key. We take g = KA,KAS and w = a0 and, throughout our example, we work with the frames φg = υ˜ n .σg and φw = υ˜ n .σw ,  where n ˜ =n ˜ ∪ {a0 }, σg = σ ∪ {x2 → KA,KAS }, and σw = σ ∪ {x2 → a0 }. Saturation of φw and φg . In [19] we present tables with the results of saturating the frames. Table 1. (Sample) Off-line Guessing Attacks to Kerberos Attack 1 2 3 4



t π2 (π1 ({x0 }s,−1 x2 ))

{π1 (x0 )}s,−1 , π2 ({x0 }s,−1 x2 x2 )

s

{π1 (π1 (x0 ))}s,−1 , TGS x2 π1 (π1 (π1 (π1 (π1 ({x0 }s,−1 x2 )))))

x2

t TGS x0 π1 ({x0 }s,−1 x2 ) π1 (π1 (π1 (π1 (π1 ({x1 }s,−1 x2 )))))

Off-line Guessing Attacks to Kerberos. It is clear that φw ≈sRp φg . Thus, Kerberos allows an off-line-guessing attack of KA,KAS . In fact, an attacker has multiple pairs of recipes t, t ∈ Tφg that he can use to validate his guess; we present a few illustrative examples in Table 1. Note that, of the four attacks presented, all but Attack 1 rely on the prefix property of the encryption scheme. Only Attack 4 relies on the fact that we use version IV instead of version V and exchange the order of the messages of the original Kerberos protocol. How feasible are these attacks in practice? First of all, CBC encryption mode uses a random initialization vector. To prevent Attack 4 it is enough that the initialization vectors used in the two messages are different (they may even be public). We can reason about initialization vectors in this model by representing symmetric encryption as a function encsym with three arguments (an initialization vector, the message, and the key) and adapting the rewriting rules accordingly. Furthermore, consider the recipes t and t given in Attack 4. We have tσg = s  t σg = {A, TGS}KKAS,TGS . However, in practice, the attacker can only obtain an encryption of the first block of the plaintext. Thus, this attack is only feasible if the first encrypted block is equal in both messages. This depends on the length of the encryption blocks and the names, as well as the padding techniques used.

46

B. Conchinha, D. Basin, and C. Caleiro

Note also that Attack 2 (respectively 3) is only feasible if the encryption of the first three (respectively two) elements of the tuple occupy disjoint encryption blocks from the encryption of the remaining elements. Modeling such details would fall outside of the scope of the theories we consider. The relevance of such implementation details in the study of off-line guessing attacks has been pointed out in [13]. We believe that reasoning about these kinds of possible weaknesses is an important challenge for symbolic methods.

5

Related Work and Conclusion

Our algorithms quite compare favorably to previously existing algorithms. [2] presents the first proof that the problems we address can be decided in polynomial-time. However, efficiency is not a main concern and thus it is not surprising that our algorithms have a better asymptotic complexity. For example, for the theory ≈DY , the complexities of our algorithms are O(|t| log |t| + |φ|2 |t| + |φ|2 log2 |φ|) and O((|φ| + |φ |)3 log2 (|φ| + |φ |)) for deduction and static equivalence (respectively), whereas our best estimates for the complexity of the algorithms in [2] are O(|φ|10 + |φ|2 |t| + |t|4 ) and O((|φ| + |φ |)15 ). The complexity of the YAPA tool [8] is not polynomial, as it uses a straightforward representation of terms, as opposed to DAGs. Furthermore, our saturation technique is also more efficient: in YAPA, for each (n, p, q)-decomposition of the left-hand side of a rewrite rule and each assignment of the first n + p parameters to recipes in the frame, it may be necessary to compute the normal form of a term t. We are not aware of any general algorithms for this task that have a complexity better than O(|t|4 ) (see discussion below). If we denote by Y (R) the greatest value of n + p for all (n, p, q)-decompositions of rewriting rules in R, we obtain a complexity of O(|φ|Y (R)+4 ) for YAPA’s saturation procedure; the complexity of our saturation procedure is O(|φ|nvars (R) log2 |φ|) (note that nvars(R) ≤ Y (R) in general). For the rewriting system RDY , this amounts to a complexity of O(|φ|7 ) for YAPA and O(|φ|2 log |φ|) for our algorithm. Note that these estimates assume that DAGs are implemented; the exact implementation of DAGs and the algorithms to compute normal forms may affect the complexity of the procedure. It may also be possible to provide better bounds, e.g., on the number of recipes for which we need to perform this reduction. Our saturation procedure is also more efficient than that implemented by the KISS tool. In this tool, the rule Narrowing generates a number of deduction facts for each rewriting rule in R. If we denote by K(R) the maximum number of side conditions in deduction facts generated by any rewriting rule in R, we again have nvars(R) ≤ K(R) in general: for example, K(RDY ) = 3. The terms in these sideconditions must then be instantiated (via the rule F − Solving) with terms that are heads of some deduction fact. There are at least O(|φ|) such terms, which implies that the saturated frame may have O(|φ|K(R) ) deduction facts. Testing the premise of the rules F − Solving, E-Solving, and Unifying requires selecting two deduction facts from the frame and performing an operation with lineartime complexity. Since there are O(|φ|2K(R) ) such pairs, we obtain a complexity

Efficient Algorithms for Deciding Deduction and Static Equivalence

47

of at least O(|φ|2K(R)+1 ). For the rewriting system RDY , this amounts to a complexity of O(|φ|7 ) for KISS, in contrast to the complexity of O(|φ|2 log2 |φ|) for our algorithms. Here it may also be possible to improve this complexity bound, for example by limiting the number of pairs of rules that must be tested. Finally, we note that all the algorithms discussed here require deciding the equality of two terms t and t under the given equational theory. Our algorithms rely on the subterm convergence of the rewriting system to perform this task with complexity O((|t| + |t |) log(|t| + |t |)). This constitutes a marked advantage over algorithms for more general rewriting systems, for which we are not aware of any algorithm improving the complexity of O((|t| + |t |)4 ) achieved in [2]. As future work, we plan to implement our algorithms. We also plan to study how our approach can be adapted to other equational theories. The simplicity of extending our methods to the prefix theory suggests that it may be possible to generalize our approach for a much larger class of equational theories, possibly improving upon existing complexity results for the two decision problems, when such results exist.

Acknowledgements This work was partly supported by FCT and EU FEDER, namely via the project KLog PTDC/MAT/68723/2006 of SQIG-IT and the project UTAustin/MAT/ 0057/2008 AMDSC of IST. The first author acknowledges the support of FCT via the PhD grant SFRH/BD/44204/2008.

References 1. Abadi, M., Baudet, M., Warinschi, B.: Guessing Attacks and the Computational Soundness of Static Equivalence. In: Aceto, L., Ing´ olfsd´ ottir, A. (eds.) FOSSACS 2006. LNCS, vol. 3921, pp. 398–412. Springer, Heidelberg (2006) 2. Abadi, M., Cortier, V.: Deciding Knowledge in Security Protocols Under Equational Theories. In: D´ıaz, J., Karhum¨ aki, J., Lepist¨ o, A., Sannella, D. (eds.) ICALP 2004. LNCS, vol. 3142, pp. 46–58. Springer, Heidelberg (2004) 3. Abadi, M., Cortier, V.: Deciding Knowledge in Security Protocols Under (Many More) Equational Theories. In: Proc. Workshop on Computer Security Foundations (CSFW 2005), pp. 62–76 (2005) 4. Abadi, M., Fournet, C.: Mobile Values, New Names and Secure Communications. ACM SIGPLAN Notices 36, 104–115 (2001) 5. Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P., He´ am, P., Kouchnarenko, O., Mantovani, J., M¨ odersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Vigan` o, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005) 6. Basin, D., M¨ odersheim, S., Vigan` o, L.: OFMC: A Symbolic Model Checker for Security Protocols. Int. Journal of Information Security 4(3), 181–208 (2005)

48

B. Conchinha, D. Basin, and C. Caleiro

7. Baudet, M.: Deciding Security of Protocols against Off-line Guessing Attacks. In: Proc. 12th ACM Conf. on Computer and Communications Security, pp. 16–25 (2005) 8. Baudet, M., Cortier, V., Delaune, S.: YAPA: A Generic Tool for Computing Intruder Knowledge. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 148–163. Springer, Heidelberg (2009) 9. Baudet, M., Cortier, V., Kremer, S.: Computationally Sound Implementations of Equational Theories Against Passive Adversaries. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 652–663. Springer, Heidelberg (2005) 10. Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th Computer Security Foundations Workshop (CSFW 2001), pp. 82–96. IEEE Computer Society, Los Alamitos (2001) 11. Blanchet, B., Abadi, M., Fournet, C.: Automated Verification of Selected Equivalences for Security Protocols. In: Symposium on Logic in Computer Science (2005); Journal of Logic and Algebraic Programming 75(1), 3–51 12. Bella, G., Paulson, L.C.: Using Isabelle to Prove Properties of the Kerberos Authentication System. In: DIMACS Workshop on Design and Formal Verification of Security Protocols (1997) 13. Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84 (1992) 14. Chevalier, Y., K¨ usters, R., Rusinowitch, M., Turuani, M.: An NP Decision Procedure for Protocol Insecurity with XOR. In: Proc. 18th Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 261–270 (2003) 15. Chevalier, Y., K¨ usters, R., Rusinowitch, M., Turuani, M.: Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 124–135. Springer, Heidelberg (2003) 16. Ciobˆ ac˘ a, S ¸ ., Delaune, S., Kremer, S.: Computing Knowledge in Security Protocols under Convergent Equational Theories. In: Schmidt, R.A. (ed.) CADE-22. LNAI, vol. 5663, pp. 355–370. Springer, Heidelberg (2009) 17. Comon-Lundh, H., Shmatikov, V.: Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive Or. In: 18th Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 271–280 (2003) 18. Comon-Lundh, H., Treinen, R.: Easy Intruder Deductions. In: Dershowitz, N. (ed.) Verification: Theory and Practice. LNCS, vol. 2772, pp. 225–242. Springer, Heidelberg (2004) 19. Conchinha, B., Basin, D., Caleiro, C.: Efficient Algorithms for Deciding Deduction and Static Equivalence, Technical Reports 680 ETH Z¨ urich, Information Security Group D-INFK (2010), ftp://ftp.inf.ethz.ch/pub/publications/tech-reports/6xx/680.pdf 20. Corin, R., Doumen, J., Etalle, S.: Analyzing Password Protocol Security Against Off-line Dictionary Attacks. In: Proc. of the 12th ACM Conf. on Computer and Communications Security (CCS 2005). ENTCS, vol. 121, pp. 47–63 (2005) 21. Cortier, V., Delaune, S., Lafourcade, P.: A Survey of Algebraic Properties Used in Cryptographic Protocols. Journal of Computer Security 14, 1–43 (2006) 22. Cortier, V., Delaune, S.: Deciding Knowledge in Security Protocols for Monoidal Equational Theories. In: Dershowitz, N., Voronkov, A. (eds.) LPAR 2007. LNCS (LNAI), vol. 4790, pp. 196–210. Springer, Heidelberg (2007)

Efficient Algorithms for Deciding Deduction and Static Equivalence

49

23. Delaune, S., Lafourcade, P., Lugiez, D., Treinen, R.: Symbolic Protocol Analysis for Monoidal Equational Theories. Information and Computation 206, 312–351 (2009) 24. Gong, L., Lomas, M.A., Needham, R.M., Saltzer, J.H.: Protecting Poorly Chosen Secrets From Guessing Attacks. IEEE Journal on Selected Areas in Communications 11, 648–656 (1993) 25. Lafourcade, P.: Intruder Deduction for the Equational Theory of Exclusive-or with Commutative and Distributive Encryption. In: Proc. 1st International Workshop on Security and Rewriting Techniques (SecReT 2006). ENTCS, vol. 171, pp. 37–57 (2007) 26. Millen, J., Shmatikov, V.: Symbolic Protocol Analysis With an Abelian Group Operator or Diffie–Hellman Exponentiation. Journal of Computer Security 13, 515–564 (2005)

Understanding Abstractions of Secure Channels Allaa Kamil and Gavin Lowe Oxford University Computing Laboratory Wolfson Building, Parks Road, Oxford, OX1 3QD, United Kingdom [email protected], [email protected] Abstract. Many security architectures make use of layered security protocols, where a special-purpose application protocol is layered on top of a general-purpose secure transport protocol. When analysing such an architecture, it makes sense to abstract away from the implementation details of the secure transport protocol and just model the services it provides. But is this abstraction sound, or might it risk losing attacks? This is the question we consider in this paper. We show that —under certain assumptions— the abstraction is sound, in the sense that it correctly models the application-layer behaviour as seen by honest principals.

1

Introduction

Many security architectures make use of layering of protocols: a special-purpose application layer protocol is layered on top of a general-purpose secure transport layer protocol, such as SSL/TLS [25]. The secure transport protocol provides a secure channel to the application layer, i.e., it provides a communication channel with some extra security services; for example, the secure channel may prevent an attacker from faking messages, hijacking messages (redirecting them to an unintended recipient, or reascribing them so that they seem to have come from a different sender), or learning the content of messages. The application layer protocol builds on this to provide extra functionality and security guarantees. There are two ways in which one could analyse such a layered architecture, within the context of the Dolev-Yao Model: a low-level approach, explicitly modelling both protocols; or a high-level, approach, abstracting away the implementation details of the secure transport protocol, and just modelling the services it provides to the application layer. The latter approach has clear advantages in simplifying the analysis. Further, such an analysis produces more general results: it allows us to deduce the security of the application layer protocol when layered on top of an arbitrary secure transport protocol that provides (at least) the assumed services. However, is this abstract approach sound? Or might the abstraction lose attacks upon the protocol that would be found under the low-level approach but not under the high-level one? This is the question we address in this paper. We show that, under certain assumptions, the approach is sound: every lowlevel behaviour is reflected by a high-level behaviour that describes the same application-layer behaviour of honest principals. We base our work on the Strand Spaces Model [24], and the high-level abstract model from [18]. P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 50–64, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Understanding Abstractions of Secure Channels

51

A number of previous papers have adopted this abstract approach, producing powerful yet understandable techniques for reasoning about layered architectures, and in some cases finding attacks upon them. Bella et al. [5] adapt the inductive approach to model authenticated and confidential channels, and use these ideas to verify a certified e-mail delivery protocol. Dilloway and Lowe [12,11] capture the properties of secure transport protocols using CSP [23], and define a hierarchy of different secure channels. Armando et al. [3] use LTL to specify security properties of channels, and then use SATMC, a model checker for security protocols, to analyse a fair exchange protocol. In [4] they analyse the SAML Single Sign-On Protocol [22] and the Google Apps variant [13] using the same techniques, finding a flaw in the latter. Bugliesi and Focardi [6] model secure channels within a variant of the asynchronous pi-calculus. In earlier work [18], we describe an abstract strand spaces model for layered protocols, and describe how to use it to capture the properties of secure transport protocols. Perhaps the work closest to the current paper is [21]: M¨ odersheim and Vigan` o present a language of idealised secure channels, and consider the composition of protocols that implement secure channels and protocols that use secure channels (in a slightly less general setting to us). They define a notion vertically composable under which abstracting away from the implementation of the secure channel is sound: if there’s no attack against either the transport or application protocol, then there’s no attack against the composed system. Abadi et al. [1] describe an implementation of secure channels in terms of encryption and decryption. Subject to certain assumptions on the implementation, they prove a full abstraction result: that if two high-level processes are equivalent, so are their low-level implementations. They consider just a single type of secure channel, and, unlike us, do not consider interactions between the transport and application layer protocols. There has also been much interesting work on protocol composition, more generally, e.g. [10,14,2,8,9]. The rest of this paper is organised as follows. We describe the low-level approach in Section 2: we describe low-level bundles, and how they can model layered protocols. We describe the high-level approach in Section 3: this abstracts away the implementation of the transport layer protocol, and for each message models just the identity of the (claimed) sender, the identity of the (intended) receiver, the application layer message, and an identifier for the secure transport channel. The abstraction is independent of the precise properties provided by the transport protocol; these properties are captured by restricting the range of activities available to the high-level penetrator. We describe the relationship between the low- and high-level models in Section 4, by presenting an abstraction mapping from low-level bundles to appropriate high-level bundles. Abstracting away from the implementation of the secure transport protocol produces a proof obligation: that the transport protocol does indeed provide the claimed services. The formalisation of the abstraction helps to clarify precisely what needs to be proved.

52

A. Kamil and G. Lowe

In Section 5 we prove our main result: for every low-level bundle, there is a corresponding high-level bundle that describes the same application-layer behaviour by honest principals. Hence reasoning about high-level bundles is sufficient to deduce security properties. The result depends upon some assumptions, which we now describe informally, and capture formally later. We assume that the application layer term is a subterm of the transport layer term that transports it: this is likely to be true of any realistic secure transport protocol. Many pairs of protocols are not independent: it is possible for the penetrator to attack one by interacting with the other, if the protocols have messages of the same form [20,7]. Dealing with such interactions is one of the biggest challenges in this paper. When abstracting low-level bundles, our aim is to hide the implementation details of secure channels in the abstract model; but this is possible only if the protocols are independent in this sense. We therefore make an independence assumption, which will prevent cross-channel attacks where the penetrator utilises a transport layer message of one channel in order to insert a transport layer message in a different channel, and multi-layer attacks where the penetrator utilises a transport layer message in order to produce an application layer message, or vice versa. We present a semantic characterisation of the independence assumption. We conjecture that this property can be enforced by ensuring that the different protocols use disjoint encryption [15]; we leave this as future work. We also assume that different secure channels and application messages use disjoint messages (in each bundle).

2

The Low-Level Model

In this section we describe the low-level model of a layered security architecture. The model captures explicitly the data passed across the network, in the Dolev-Yao Model. We begin by recalling the basics of the Strand Spaces Model from [24]. Messages exchanged between principals are referred to as terms. The set of terms is denoted A, and is freely generated from two disjoint sets, T (representing tags, texts, nonces, and principals) and K (representing keys), by means of concatenation and encryption. The term {t }k denotes term t encrypted with key k , and t1ˆt2 denotes the concatenation of t1 and t2 . The set K of keys is equipped with a unary injective symmetric operator: the inverse of k is denoted k −1 . We let Tname be the set of principals’ names. The subterm relation  is defined inductively, as the least reflexive transitive relation such that: (a) r  r ; (b) r  {t }k if r  t ; and (c) r  t0ˆt1 if r  t0 or r  t1 . A participant in a protocol can send and receive terms. In the strand spaces model a positive term is used to represent a transmission while a negative term is used to denote reception. A strand is a sequence of message transmissions and receptions. A strand space is a set of strands. Definition 1. [24] A directed term is a pair σ, a with σ ∈ {+, −} and a ∈ A. A directed term is written as +t or −t . (±A)∗ is the set of finite sequences

Understanding Abstractions of Secure Channels

53

of directed terms. A strand space over A is a set Σ with a trace mapping tr : Σ → (±A)∗ . Fix a strand space Σ. A node is a pair st , i, with st ∈ Σ and i an integer satisfying 1 ≤ i ≤ length(tr (st )). The set of nodes is denoted by N . We will say the node st , i belongs to the strand st . We define msg(st , i) = tr (st )(i). There is an edge n1 → n2 if and only if msg(n1 ) = +a and msg(n2 ) = −a for some a ∈ A; the edge means that node n1 sends the message a, which is received by n2 . When n1 = st , i, and n2 = st , i + 1 are members of N , there is an edge n1 ⇒ n2 ; the edge expresses that n1 is an immediate causal predecessor of n2 on the strand st . n  ⇒+ n is used to denote that n  precedes n (not necessarily immediately) on the same strand. Let I be a set of undirected terms. The node n ∈ N is an entry point for I iff msg(n) = +t for some t ∈ I, and whenever n  ⇒+ n, msg(n  ) ∈ / I. An undirected term t originates on n ∈ N iff n is an entry point for the set I = {t  | t  t  }. An undirected term t is uniquely originating in a set of nodes S ⊂ N iff there is a unique n ∈ S such that t originates on n. (A term originating uniquely in a set of nodes can play the role of a nonce or a session key in that structure.) An undirected term t is non-originating in a set of nodes S ⊂ N iff there is no n ∈ S such that t originates on n. (Long term keys are normally non-originating.) A strand space will normally contain a mix of regular strands, capturing the behaviour of honest principals, and penetrator strands, capturing the behaviour of the penetrator, which we will define below. The set N of nodes together with both sets of edges forms a directed graph N , (→ ∪ ⇒). A bundle is a finite subgraph for which we can regard the edges as expressing the causal dependencies of the nodes. Definition 2. [24] Suppose →B ⊂ →, ⇒B ⊂ ⇒, and B = NB , (→B ∪ ⇒B ) is a subgraph of N , (→ ∪ ⇒). B is a bundle if (1) NB and (→B ∪ ⇒B ) are finite; (2) If n2 ∈ NB and msg(n2 ) is negative, then there is a unique n1 such that n1 →B n2 ; (3) If n2 ∈ NB and n1 ⇒ n2 then n1 ⇒B n2 ; and (4) B is acyclic. We write B for (→B ∪ ⇒B )∗ . We now define the powers of the penetrator. These powers are parametrised by the sets KP of keys and TP of atomic terms he knows initially. The following strands allow the penetrator to generate new messages from the messages he knows initially and the messages he intercepts. Definition 3. [24] A penetrator trace is one of the following: M K C S E D

Text message: +r  where r ∈ TP ; Key: +k  where k ∈ KP ; Concatenation: −t0 , −t1 , +t0ˆt1 ; Separation into components: −t0ˆt1 , +t0 , +t1 ; Encryption: −k , −t , + {t }k  where k ∈ K; Decryption: −k −1 , − {t }k , +t  where k ∈ K.

54

A. Kamil and G. Lowe

The lower part of Figure 1 shows several penetrator strands combined together to transform the term Sˆ{AˆN }PK (P ) into Sˆ{PˆN }PK (B ) . Many security properties can be formalised in terms of just the regular strands, which justifies the following definition of equivalence. Definition 4. [16] Bundles B, B  on a strand space Σ are equivalent iff they have the same regular nodes. Bundles can contain redundancies, such as an encryption strand immediately followed by a decryption strand. It is useful to be able to eliminate such redundancies, and consider an equivalent bundle without such redundancies. Definition 5. [16] A ⇒+ edge is constructive if it is a part of an E or C strand; it is destructive if it is part of a D or S strand. A path in a bundle B is a sequence of nodes with consecutive elements related by →B ∪ ⇒B . A penetrator path is a path in which all nodes other than possibly the first and last are penetrator nodes. A bundle is normal if for every penetrator path, every destructive edge precedes every constructive edge. Proposition 6. [16] For every bundle B there is an equivalent normal bundle B  . The proof of Proposition 6 shows that all redundancies contain either an E strand immediately followed by a D strand, or a C strand immediately followed by a S strand; each such redundancy can be replaced by a transmission edge. We now specialise the Strand Spaces Model to deal with layered protocols. We illustrate some of the ideas with a running example. Consider a simple transport layer protocol c that encodes the application layer message am from X to Y as Xˆ{am}PK (Y ) . Suppose we layer on top of c an application layer protocol that starts with the message Srv →c Cl : AˆN where A is a principal’s identity, N is a nonce, and “→c ” indicates that the message is sent over c. The lower part of Figure 1 represents a low-level bundle, where the penetrator transforms such a message from S with intended recipient P (the penetrator) into a (faked) message intended for B , with contents PˆN , over c: both the application layer message and the transport layer packaging are modelled explicitly. (Some nodes in this bundle are named for later reference; others are simply denoted by a bullet.) We assume a distinguished set of application layer nodes Σapp ⊆ Σ that correspond to the transmission or reception of application layer data within transport layer messages. In Figure 1, Σapp = {n0 , n1 , n11 , n12 }. We let Aapp be the set of application layer terms, and Atprt be the set of transport layer messages with application layer payloads (which appear on nodes from Σapp ). As noted in the introduction, we assume Aapp and Atprt are disjoint. We assume a set Channel of channel identifiers, including a distinguished value ⊥ representing that no secure channel is used. We assume a function chanOf : Atprt → Channel − {⊥} that returns the channel of a transport layer term. The existence of this function depends upon our assumption that the

Understanding Abstractions of Secure Channels Srv

n0

(S ,P,AˆN ,c)

RV

/ n1

S

 ( n2 o

Srv n0

/



o

S



•

 n4  n5

D

n1 •

/ n3

, ,AˆN ,⊥)

( , ,A,⊥)

S

Sˆ{AˆN }PK (P)

55

o

K

•

/ • 

SK (P)

C

M

( , ,P,⊥) n7 o n6  8 n8 qqq FK ( , ,N ,⊥)  ( , ,PˆN ,⊥) qqq / n10 n9 Cl  (S ,B,PˆN ,c) / n12 n11

•

{AˆN }PK (P)

n2

o

AˆN

A

/

S

C

n3

n7

 n o7 8 o o  oooN 

o

M

P

n6



n4 n5

n9

K •

PˆN PK (B)

/

E n10

C / • • o  {PˆN }PK (B)/  •

M

S

•

•



Cl

Sˆ{PˆN }PK (B) n11 n12

/

Fig. 1. High- and low-level bundles

transport protocols and application protocols use disjoint messages in each bundle. We also assume functions sender , receiver : Atprt → Tname that give the claimed sender and intended receiver of a transport layer term (i.e. we assume the sender and receiver can be deduced from the text of the message). In the running example, sender (Aˆ{am}PK (B ) ) = A and receiver (Aˆ{am}PK (B ) ) = B . We further assume, for each pair of principal names X and Y , a partial function decodeX ,Y : Channel × Atprt → Aapp that extracts the application layer message from a transport layer message apparently from X to Y . We assume (c, m) ∈ dom decodeX ,Y iff c = chanOf (m), X = sender (m) and Y = receiver (m). If n is an application layer node, we write appmsg(n) for decodeX ,Y (c, msg(n)). In the example of Figure 1, appmsg(n0 ) = AˆN . As noted in the introduction, we assume that appmsg(n) is a subterm of msg(n).

3

The High-Level Model

We now describe the high-level model from [18]. Definition 7. [18] A high-level term is a 4-tuple (X , Y , am, c) where: am ∈ Aapp is the application layer message; X ∈ Tname is the claimed sender of the

56

A. Kamil and G. Lowe

message; Y ∈ Tname is the intended recipient of the message; c ∈ Channel is the identifier of the secure channel over which the message is communicated. We write Aˆ for the set of high-level terms. We use an underscore ( ) in the first or second position of the tuple for terms sent over the channel ⊥ to indicate that the term is not associated with a particular sender or receiver respectively. High-level nodes, strands, strand spaces and bundles are defined exactly as in Definitions 1 and 2, except using high-level terms in place of standard terms. ˆ etc.— ˆ B, We use the convention of using identifiers with hats —such as nˆ , st, for high-level nodes, strands, bundles, etc. We now consider the capabilities of the penetrator in the high-level model. Let Tpname be the set of identities used by the penetrator. Definition 8. [18] An application-layer penetrator strand in a high-level bundle is used to construct or pick apart application layer messages; it takes one of the following forms: M K C S E D

Text message: +( , , r, ⊥) for r ∈ TP ; Key: +( , , k , ⊥) for k ∈ KP ; Concatenation: −( , , t0 , ⊥), −( , , t1 , ⊥), +( , , t0ˆt1 , ⊥); Separation: −( , , t0ˆt1 , ⊥), +( , , t0 , ⊥), +( , , t1 , ⊥); Encryption: −( , , k , ⊥), −( , , t, ⊥), +( , , {t}k , ⊥) for k ∈ K; Decryption: −( , , k −1 , ⊥), −( , , {t }k , ⊥), +( , , t, ⊥) for k ∈ K.

A transport-layer penetrator strand in a high-level bundle is used to handle high-level terms, affecting the transport layer “packaging” without modifying the corresponding application layer messages; it takes one of the following forms, for P ∈ Tpname and A, B ∈ / Tpname : SD RV LN FK TX HJ

Sending: −( , , m, ⊥), +(P , B , m, c); Receiving: −(A, P , m, c), +( , , m, ⊥); Learning: −(A, B, m, c), +( , , m, ⊥); Faking: −( , , m, ⊥), +(A, B , m, c); Transmitting: −(X , Y , m, c), +(X , Y , m, c); Hijacking: −(X , Y , m, c), +(X  , Y  , m, c) for X = X  or Y = Y  .

Properties of secure channels can be captured in high-level models by restricting the range of penetrator strands. For example, a channel that keeps its application layer payload confidential —like the running example— can be captured by not allowing any LN strands. We address this question further at the end of Section 4. The upper part of Figure 1 shows several high-level penetrator strands combined together to transform the high-level term (S , P , AˆN , c) into (S , B , PˆN , c); in particular, it uses a RV strand to receive the application layer term, and a FK strand to fake the final high-level term. The nodes nˆ0 , . . . , nˆ12 correspond to the low-level nodes n0 , . . . , n12 , respectively, in a way that we make precise in the next section. Definition 9. [18] High-level bundles Bˆ and Bˆ are equivalent iff they have the same regular strands.

Understanding Abstractions of Secure Channels

4

57

Relating High- and Low- Level Bundles

In this section we formalise the relationship between high- and low-level bundles, in order to define when a high-level bundle abstracts a low-level one. We present an abstraction mapping from the nodes of a low-level bundle to those of an appropriate high-level bundle. For example, in Figure 1, the abstraction mapping maps nodes n0 ,. . . ,n12 to nˆ0 ,. . . ,ˆ n12 , respectively. ˆ Fix a low-level bundle B and a high-level bundle B. Definition 10. The term mapping function α ˆ : A → Aˆ that maps lowlevel terms to the corresponding high-level terms is defined as follows: (1) for m ∈ Atprt , α ˆ (m) = (A, B , am, c) where A = sender (m), B = receiver (m), am = decode A,B (c, m), and c = chanOf (m); (2) for m ∈ A − Atprt , α ˆ (m) = ( , , m, ⊥); (3) if m is a directed term, then α(m) ˆ has the same direction as m. In the running example, α ˆ (Xˆ{am}PK (Y ) ) = (X , Y , am, c). Definition 11. A regular node map is a partial function φˆ that maps the regular ˆ and such that: nodes of a low-level bundle B onto those of a high-level bundle B, (1) the domain of φˆ is the regular nodes of B that lie in Σapp ; (2) α(msg(n)) ˆ = ˆ ˆ ˆ msg(φ(n)); (3) φ is injective and surjective onto the regular nodes of B; (4) for ˆ n ⇒+ n  iff φ(n) ˆ ˆ  ). n, n  ∈ dom φ, ⇒+ φ(n For example, in Figure 1 the function that maps n0 and n12 onto nˆ0 and n ˆ12 , respectively, is a regular node map. Note that the high-level bundle may contain fewer regular nodes than the corresponding low-level bundle: some nodes in the low-level bundle may be responsible for key establishment and initiating secure channels, rather than transferring application-level data, and are therefore abstracted away when defining high-level regular strands. The left-hand part of Figure 2 gives an example: the first two nodes in each strand are used to establish a fresh session key K , which is used to exchange application layer messages M 1 and M 2 in the later nodes (so Σapp = {n4 , . . . , n7 }). The high-level model abstracts away the regular nodes involved in the boot-strapping phase. The function that maps n4 , . . . , n7 to nˆ4 , . . . , nˆ7 , respectively, is a regular node map. High-level application-layer penetrator strands correspond to low-level strands of the same type (for example, an E strand corresponds to an E strand). A n0

A,B ,N

/

B n1

,N ,A}SK (B ) }PK (A)   {{K o n3

n2



n4

 o

n7

{M 1}K

{M 2}K

/ n5 

n6

A

n4  n7 o

(A,B ,M 1,c  )

(B ,A,M 2,c  )

B

/ n5  n6

Fig. 2. A secure transport protocol with a key-establishment phase, and its abstraction

58

A. Kamil and G. Lowe

Definition 12. An application-layer penetrator node map is a partial injective ˆ whose domain is a subset function βˆ1 from penetrator nodes of B to those of B, ˆ of Σ − Σapp , and such that if n ∈ dom β1 then: (1) α ˆ (msg(n)) = msg(βˆ1 (n)) = ˆ ( , , msg(n), ⊥); (2) β1 (n) is on the same type of strand as n; (3) βˆ1 respects the strand structure: for n, n  ∈ dom βˆ1 , n ⇒ n  iff βˆ1 (n) ⇒ βˆ1 (n  ). In Figure 1, one choice of βˆ1 (the only choice that is compatible with Definition 16, below) maps n3 , . . . , n9 onto nˆ3 , . . . , nˆ9 , respectively. Each transport-layer penetrator strand in the high-level bundle will correspond to a penetrator subpath (i.e., a sequence of penetrator nodes, linked by → ∪ ⇒) in the low-level bundle; for example, in Figure 1, the RV strand corresponds to the subpath from n1 to n2 . We define a type of subpath corresponding to each such penetrator strand. Definition 13. A penetrator subpath p in a low-level bundle is: (a) normal if every destructive edge precedes every constructive edge in p; (b) constructive if it only traverses constructive edges; and (c) destructive if it only traverses destructive edges. Definition 14. A penetrator subpath p in a low-level bundle is a Receive subpath1 if it: (1) is destructive; (2) starts at a negative penetrator node n such that msg(n) ∈ Atprt and receiver (msg(n)) ∈ Tpname ; and (3) ends at a positive penetrator node n  such that msg(n  ) = appmsg(n). A penetrator subpath p in a low-level bundle is a Learn subpath if it: (1) is destructive; (2) starts at a negative penetrator node n such that msg(n) ∈ Atprt and receiver (msg(n)) ∈ / Tpname ; and (3) ends at a positive penetrator node n   such that msg(n ) = appmsg(n). A penetrator subpath in a low-level bundle is a Fake subpath2 if it: (1) is constructive; (2) starts at a negative penetrator node n such that msg(n) ∈ Aapp ; (3) ends at a positive penetrator node n  such that msg(n  ) ∈ Atprt , sender (msg(n  )) ∈ / Tpname , and msg(n) = appmsg(n  ). A penetrator subpath in a low-level bundle is a Send subpath if it: (1) is constructive; (2) starts at a negative penetrator node n such that msg(n) ∈ Aapp ; (3) ends at a positive penetrator node n  such that msg(n  ) ∈ Atprt , sender (msg(n  )) ∈ Tpname , and msg(n) = appmsg(n  ). A penetrator subpath p in a low-level bundle is a Hijack subpath if it is normal, starts at a negative penetrator node n and ends at a positive penetrator node n  such that: (1) msg(n), msg(n  ) ∈ Atprt and appmsg(n  ) = appmsg(n); (2) chanOf (msg(n  )) = chanOf (msg(n)); (3) appmsg(n)  pi where 1 ≤ i ≤ length(p); (4) sender (msg(n)) = sender (msg(n  )) ∨ receiver (msg(n)) = receiver (msg(n  )). A penetrator subpath in a low-level bundle is a Transmit subpath if it is normal, starts at a negative penetrator node n and ends at a positive penetrator node n  such that: (1) msg(n), msg(n  ) ∈ Atprt and appmsg(n  ) = 1 2

For example, in Figure 1 the subpath from n1 to n2 is a receive subpath. For example, in Figure 1 the subpath from n10 to n11 is a fake subpath.

Understanding Abstractions of Secure Channels

59

appmsg(n); (2) chanOf (msg(n  )) = chanOf (msg(n)); (3) sender (msg(n)) = sender (msg(n  )) ∧ receiver (msg(n)) = receiver (msg(n  )). For example, suppose the application layer message am from X to Y is packaged as the transport layer message {{am}PK (Y ) }SK (X ) ; then the penetrator can transform this into {{am}PK (Y ) }SK (P ) by decrypting with PK (X ) and encrypting with SK (P ): this path is a Hijack path. We now define a relation that maps the above types of subpaths onto the corresponding high-level strands. Definition 15. A transport-layer penetrator node map is a relation βˆ2 between ˆ that: (1) maps the first and last nodes of Send, the penetrator nodes of B and B, Receive, Learn, Fake, Hijack and Transmit subpaths to the first and last nodes of high-level SD, RV, LN, FK, HJ and TX strands respectively, and relates no other nodes; and (2) α ˆ (msg(n)) = msg(βˆ2 (n)) = ( , , msg(n), ⊥) for n ∈ dom βˆ2 . In Figure 1, the relation that maps n1 , n2 , n10 , n11 onto nˆ1 , nˆ2 , n ˆ10 , n ˆ11 , respectively, satisfies this condition. Note that βˆ2 is defined as a relation, rather than a function, since low-level penetrator nodes and edges can be common between more than one subpath. We now combine the previous mappings to define the abstraction mapping between bundles. ˆ Definition 16. A node map is a partial relation ψˆ between the nodes of B and B, ˆ ˆ ˆ ˆ ˆ ˆ ˆ such that: (1) ψ is of the form φ∪ β1 ∪ β2 , where φ, β1 and β2 are as in Definitions ˆ (3) ψˆ respects the strand 11, 12 and 15; (2) ψˆ is surjective onto the nodes of B;   ˆ structure: (a) if n, n ∈ dom ψ and n → n , then ∃ nˆ , nˆ  • n ψˆ nˆ ∧n  ψˆ nˆ  ∧ n ˆ → nˆ  ;      and (b) if nˆ → nˆ , then ∃ n, n • n ψˆ n ˆ ∧ n ψˆ nˆ ∧ n → n . In Figure 1, the relation that maps n0 ,. . . ,n12 onto nˆ0 ,. . . ,ˆ n12 , respectively, is a node map. When one analyses a particular application layer protocol in a high-level strand space, one captures the assumptions about the underlying transport layer protocol by restricting the range of transport-layer penetrator strands. For example, if the transport protocol keeps application data confidential, then the analysis can consider only high-level bundles with no LN strands. The abstraction mapping in this paper helps to clarify the requirements of the transport-layer protocol: it should admit no Learn paths in low-level bundles. Other properties of the transport layer protocol can be captured in a similar way. Note that this analysis has to be done only once per secure transport protocol. In [19], we show —in effect— that bilateral TLS (in encrypted key transport mode) allows no Learn, Fake or Hijack paths. Therefore, when one analyses an application layer protocol layered on top of TLS, one should consider only high-level bundles that contain no LN, FK or HJ strands.

5

The Adequacy of High-Level Bundles

In this section we show that —subject to the independence assumption— reasoning about high-level bundles can be enough to deduce results about the

60

A. Kamil and G. Lowe

corresponding low-level bundles. We will show that every low-level bundle has the same application-layer behaviour as a bundle that is abstractable: Definition 17. High-level bundle Bˆ abstracts low-level bundle B if there exists ˆ Low-level bundle B is abstractable a node map ψˆ between the nodes of B and B. ˆ if there is a high-level bundle B that abstracts B. Abstract equivalence. Two bundles are abstractly equivalent if, essentially, they have the same application-layer behaviour, and so map onto the same highlevel bundle. We will need the following auxiliary definition. Definition 18. An undirected term t originates in the application layer at positive low-level application layer node n ∈ Σapp iff t  appmsg(n), and for every node n  such that n  ⇒+ n, t  appmsg(n  ). An undirected term t uniquely originates in the application layer iff there exists a unique node n such that t originates in the application layer at n. An undirected term t is non-originating in the application layer iff there is no node n such that t originates in the application layer at n. In Figure 1, N uniquely originates in the application layer at n0 . Note that origination in the application layer means that the term must not have been used earlier in the transport layer packaging. When application layer protocols use some of the values that have originated earlier (e.g. during the key establishment phase) some of the implementation details of the secure channel (which we intend to hide in the abstract model) may escape to the high-level bundle. More importantly, the application protocol cannot be verified since appropriate origination assumptions cannot be derived in the abstract model. Many security properties of application protocols can be formalised in terms of just the regular high-level strands, subject to unique-origination or non-origination assumptions. We define a notion of equivalence between low-level bundles that captures that the regular strands can be mapped onto the same high-level regular strands with the same unique-origination or non-origination properties. Definition 19. Bundles B and B  are abstractly equivalent iff there exist regular node maps φˆ and φˆ over the regular nodes of B and B  such that(1) ran φˆ = ran φˆ ; (2) for all atomic terms a, a uniquely originates in the application layer in B iff a uniquely originates in the application layer in B  ; and (3) for all atomic terms a, a is non-originating in the application layer in B iff a is non-originating in the application layer in B  . Abstract equivalence is more liberal than equivalence in a high-level strand space (Definition 9) since the application layer nodes are not required to have the same terms, but only need map to the same high-level nodes: they may differ in transport-layer details, such as the values of keys or nonces; for example, the bundle in the left part of Figure 2 is abstractly equivalent to a bundle that uses different values for K and/or N . Proposition 20. Let B, B  be equivalent low-level bundles; then B and B  are abstractly equivalent.

Understanding Abstractions of Secure Channels

61

Proof. Pick high-level regular strands that correspond to those in B as in Definition 11, and let φˆ be the corresponding regular node map. Then φˆ also maps the regular strands of B  onto those strands, so item (1)of Definition 19 is satisfied. Items (2) and (3)are clearly satisfied by equivalent bundles. Interference-free bundles. We now present our assumption, that different secure transport protocols and the application protocols are independent. Recall that our aim is to not allow cross-channel or multi-layer penetrator paths. Definition 21. Let B be a low-level bundle. B is interference-free iff for every penetrator path p in B that starts at a regular node n1 and ends at a regular application layer node n2 : 1. appmsg(n1 ) = appmsg(n2 ) ∧ chanOf (msg(n1 )) = chanOf (msg(n2 )); or 2. p traverses two nodes n1 and n2 such that n1  n2 , msg(n1 ) = appmsg(n1 ), and msg(n2 ) = appmsg(n2 ); or 3. p traverses the key edge of either an E strand used in transport-layer construction of msg(n2 ) or a D strand used in the transport-layer unpacking of msg(n1 ). This condition says that the bundle contains no penetrator path that starts at a non-application layer regular node and ends at an application layer node, so no multi-layer attacks exists. Further, every penetrator path that transforms a message from one application layer message into another either (case 1) leaves the application layer message and the channel unmodified (i.e. a Hijack or Transmit path), or (case 2) the penetrator path extracts the application layer message of the first node (a Learn or Receive subpath) in order to construct the application layer message of the last node (a Fake or Send subpath), or (case 3) provides the keys used within other paths; hence no cross-channel attack exists. In order to abstract low-level bundles, we introduce the following assumption to restrict the class of multi-layer protocols considered. Assumption 22. For every low-level bundle in the multi-layer strand space Σ, there exists an abstractly equivalent interference-free low-level bundle. In [15], Guttman and Thayer prove an independence result for traditional protocols under the assumption of disjoint encryption, i.e. that the different protocols use textually disjoint encrypted messages. In [19] we prove that the TLS Protocol satisfies Assumption 22 subject to certain assumptions, principally disjoint encryption between TLS and the application layer protocol. We believe that this result can be generalised, to show that all protocols that satisfy disjoint encryption also satisfy this assumption. We leave proving this for future work. The main result. We now prove that every normal, interference-free bundle is abstractable, and that every interference-free low-level bundle is equivalent to a normal, interference-free bundle, so as to deduce our main result: that every low-level bundle is abstractly equivalent to an abstractable bundle.

62

A. Kamil and G. Lowe

Lemma 23. Every normal, interference-free low-level bundle is abstractable. Proof. Let B be an normal, interference-free bundle. We want to prove that ˆ We can construct the regular B can be abstracted by a high-level bundle B. strands of Bˆ directly from those of B, following Definition 11. We need to ensure that Bˆ contains enough penetrator strands so that it does not contain lonely negative regular nodes; i.e. we should prove that for every negative application layer node n in B, there is some path p that ends at n and ˆ ˆ We perform that maps to a high-level penetrator path that ends at φ(n) in B. a case analysis on the penetrator paths leading to n. Suppose there is no constructive subpath, ending at n and starting at a node n  such that msg(n  ) = appmsg(n). Then necessarily there is a path p ending at n such that appmsg(n) is a subterm of the term of every node on p. This path p must start at a regular node n0 . Using Definition 21, in particular item 1, p meets the requirements of a Hijack or Transmit path, and so can be mapped to a HJ or TX strand. Otherwise, there is a constructive subpath, ending at n and starting at some node n  such that msg(n  ) = appmsg(n). This subpath is a Fake or Send subpath, so maps to a FK or SD strand. We now consider the subpaths leading to n  . B may contain subpaths p  that start at a regular node n0 and end at n  . Using Definition 21 on the concatenation of p  and p, it must be the case that each such p  either: (Case 2) is formed from a Learn or Receive subpath that produces appmsg(n0 ), followed by a (possibly empty) subpath to n  ; or (Case 3) provides keys to such a Learn or Receive subpath. The Learn or Receive subpath maps to a LN or RV strand. The penetrator strands that produce msg(n  ) therefore contain a collection of strands rooted in nodes that either (a) have term appmsg(n0 ) for some earlier regular node n0 , produced by Learn or Receive subpaths as above; or (b) are initial penetrator nodes, (i.e. on M or K strands). These strands can be mapped to the same type of strands, following Definition 12.   Lemma 24. Every interference-free low-level bundle is equivalent to a normal bundle that is also interference-free. Proof. (Sketch.) It suffices to show that the graph operations used to eliminate redundancies in Proposition 6 preserve interference-freedom. This is mostly straight-forward since the operations simply shorten paths. For case 2 of Definition 21, we should ensure that eliminating redundancies does not eliminate the nodes n1 and n2 . We choose n1 to be the first node in p such that msg(n1 ) = appmsg(n1 ), and n2 to be the last node in p such that msg(n2 ) = appmsg(n2 ). Eliminating the redundancies in the subpath between n1 and n1 results in a destructive penetrator subpath; eliminating the redundancies between n1 and n2 results in a normal subpath; eliminating the redundancies between n2 and n2 results in a constructive subpath. The resulting penetrator path between n1 and n2 is normal without eliminating the nodes n1 and n2 . Therefore, the resulting normal bundle is still interference-free.  

Understanding Abstractions of Secure Channels

63

Theorem 25. Every low-level bundle is abstractly equivalent to an abstractable bundle. Proof. Let B be a low-level bundle. By Assumption 22, B is abstractly equivalent to an interference-free bundle B  . By Lemma 24, B  is equivalent to a normal, interference-free bundle B  . By Lemma 23, B  is abstractable. By Proposition 20, B and B  are abstractly equivalent.  

6

Summary

In this paper we have studied the relationship between abstract models of secure transport protocols —that model just the services the transport protocols provide— and more concrete models —that model their implementation, within the Dolev-Yao Model. We have formalised the relationship, and shown that, subject to reasonable assumptions, for every low-level bundle, there is a corresponding high-level bundle with the same application layer behaviour by honest principals. Most security properties for application layer protocols talk only about the existence of certain high-level strands, and the application layer terms transmitted, under high-level unique origination and non-origination assumptions. Such properties are preserved by the abstraction process. For example, in [18,17] we consider several different single sign-on protocols, and (under appropriate assumptions) prove properties such as that for every high-level service provider strand, there is a corresponding high-level user strand, agreeing upon certain data; the abstract model makes these proofs reasonably straightforward. We can then use the results of this paper to deduce that the corresponding properties hold in the concrete model. Acknowledgements. We would like to thank the anonymous reviewers for their useful comments.

References 1. Abadi, M., Fournet, C., Gonthier, G.: Secure implementation of channel abstractions. In: Proceedings of Logic in Computer Science (LICS 1998), pp. 105–116 (1998) 2. Andova, S., Cremers, C., Gjøsteen, K., Mauw, S., Mjølsnes, S., Radomirovi´c, S.: A framework for compositional verification of security protocols. Information and Computation 206, 425–459 (2008) 3. Armando, A., Carbone, R., Compagna, L.: LTL model checking for security protocols. In: 20th IEEE Computer Security Foundations Symposium (2007) 4. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of SAML 2.0 web browser single sign-on: Breaking the SAML-based single sign-on for Google Apps. In: The 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008 (2008) 5. Bella, G., Longo, C., Paulson, L.C.: Verifying second-level security protocols. In: Basin, D., Wolff, B. (eds.) TPHOLs 2003. LNCS, vol. 2758, pp. 352–366. Springer, Heidelberg (2003)

64

A. Kamil and G. Lowe

6. Bugliesi, M., Focardi, R.: Language based secure communication. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (2008) 7. Canetti, R., Meadows, C., Syverson, P.F.: Environmental requirements for authentication protocols. In: Okada, M., Babu, C. S., Scedrov, A., Tokuda, H. (eds.) ISSS 2002. LNCS, vol. 2609, pp. 339–355. Springer, Heidelberg (2003) 8. Cortier, V., Delaitre, J., Delaune, S.: Safely composing security protocols. In: Arvind, V., Prasad, S. (eds.) FSTTCS 2007. LNCS, vol. 4855, pp. 352–363. Springer, Heidelberg (2007) 9. Ciobˆ ac˘ a, S ¸ ., Cortier, V.: Protocol composition for arbitrary primitives. In: Proc. 23rd IEEE Computer Security Foundations Symposium, CSF 2010 (2010) (forthcoming) 10. Datta, A., Derek, A., Mitchell, J.C., Pavlovic, D.: Secure protocol composition. In: Proc. FMSE 2003, pp. 11–23 (2003) 11. Dilloway, C.: On the Specification and Analysis of Secure Transport Layers. DPhil thesis, Oxford University (2008) 12. Dilloway, C., Lowe, G.: Specifying secure transport layers. In: 21st IEEE Computer Security Foundations Symposium, CSF 21 (2008) 13. Google. Web-based reference implementation of SAML-based SSO for Google Apps. (2008), http://code.google.com/apis/apps/sso/saml_reference_implementation_ web.html 14. Guttman, J.D.: Cryptographic protocol composition via the authentication tests. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 303–317. Springer, Heidelberg (2009) 15. Guttman, J.D., Thayer, F.J.: Protocol independence through disjoint encryption. In: Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW), Washington, DC, USA. IEEE Computer Society, Los Alamitos (2000) 16. Guttman, J.D., Thayer, F.J.: Authentication tests and the structure of bundles. Theoretical Computer Science (2001) 17. Kamil, A.: The Modelling and Analysis of Layered Security Architectures in Strand Spaces. DPhil thesis, Oxford University (2010) 18. Kamil, A., Lowe, G.: Specifying and modelling secure channels in strand spaces. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 233–247. Springer, Heidelberg (2010) 19. Kamil, A., Lowe, G.: Analysing TLS in the strand spaces model (2010) (in preparation) 20. Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocol attack. In: International Workshop on Security Protocols (1997) 21. M¨ odersheim, S., Vigan` o, L.: Secure pseudonymous channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 337–354. Springer, Heidelberg (2009) 22. OASIS Security Services Technical Committee. Security assertion markup language (SAML) v2.0 technical overview (2005), http://www.oasis-open.org/committees/security/ 23. Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice Hall, Englewood Cliffs (1998) 24. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security protocol correct? In: IEEE Symposium on Research in Security and Privacy, pp. 160–171. IEEE Computer Society Press, Los Alamitos (1998) 25. Thomas, S.: SSL and TLS: Securing the Web. Wiley, Chichester (2000)

Information Flow Analysis via Path Condition Refinement Mana Taghdiri, Gregor Snelting, and Carsten Sinz Karlsruher Institut f¨ ur Technologie 76128 Karlsruhe, Germany {mana.taghdiri,gregor.snelting,carsten.sinz}@kit.edu Abstract. We present a new approach to information flow control (IFC), which exploits counterexample-guided abstraction refinement (CEGAR) technology. The CEGAR process is built on top of our existing IFC analysis in which illegal flows are characterized using program dependence graphs (PDG) and path conditions (as described in [12]). Although path conditions provide an already precise abstraction that can be used to generate witnesses to the illegal flow, they may still cause false alarms. Our CEGAR process recognizes false witnesses by executing them and monitoring their executions, and eliminates them by automatically refining path conditions in an iterative way as needed. The paper sketches the foundations of CEGAR and PDG-based IFC, and describes the approach in detail. An example shows how the approach finds illegal flow, and demonstrates how CEGAR eliminates false alarms. Keywords: Information flow control, CEGAR, program dependence graph, path condition, abstraction refinement, constraint solving.

1

Introduction

Information flow control (IFC) is an important technique for discovering security leaks in software. IFC analyzes the program source code and either discovers a potential illegal flow of information, or guarantees that an illegal flow is impossible. While IFC can take advantage of several well-established program analysis techniques, due to undecidability problems, all sound IFC methods may produce false alarms. Since false alarms can have a devastating effect on practicability of a security analysis [15], new approaches try to better exploit program analysis and verification technology.1 The goal is to optimize precision while at the same time, maintaining scalability. In particular, theoretical and practical studies in program analysis have shown that flow-sensitivity, context-sensitivity and objectsensitivity greatly improve the precision of an analysis. However, sensitivity and precision are expensive and can easily destroy scalability, thus, limiting the size of the analyzed program. Therefore, the engineer must carefully decide what hurts more: false alarms or limited program size. 1

The new DFG Priority Program “Reliably Secure Software” (SPP 1496) represents such an approach in Germany.

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 65–79, 2011. c Springer-Verlag Berlin Heidelberg 2011 

66

M. Taghdiri, G. Snelting, and C. Sinz

One popular choice is the use of type theory. Many IFC methods are based on security type systems [3, 14, 22], some of which are also available as practical implementations (e.g. [2, 18]). Type systems are sound and reasonably efficient. However, they are not always flow sensitive and context sensitive, and may generate false alarms in the presence of exceptions or recursive methods. A more precise alternative is an IFC method based on program dependence graphs (PDGs) [12, 23, 25]. PDGs are flow-sensitive, context-sensitive, and objectsensitive, resulting in fewer false alarms; they also need less annotations than type-based tools such as JIF [11]. PDG-based IFC is sound (it is guaranteed to discover all potential leaks [27]), but much more expensive than type systems. In order to reduce the cost, IBM Research developed a simplified PDG-based IFC that ignores implicit flows (by arguing that they are rare in practice); thus, by sacrificing “a little bit” of soundness, they gain precision (dramatically reduced number of false alarms) as well as scalability up to 500MLOC Java [25]. In this paper, we follow an alternative approach: we explore how to improve precision while maintaining soundness. Our starting point is the PDG-based IFC as described in [10, 12] and implemented in the JOANA analysis tool. JOANA can handle full Java bytecode, and scales up to 50kLOC [10, 11]. JOANA’s analysis is based on path conditions. PDGs give only a binary answer to the information flow problem: either “there is a potential flow” or “it is guaranteed that no flow exists”. To provide a more precise feedback, we have introduced path conditions [10, 23] as a device to characterize the circumstances under which a flow may occur. Path conditions are built on top of PDG, exploiting the fact that a flow can happen only along PDG paths. They express conditions over program variables that must be satisfied in order to have an (illegal) flow between two program points. The conditions can be solved using a constraint solver; any satisfying solution provides values to program’s input variables which act as a witness to illegal flow. Path conditions considerably improve the precision of PDG, but may still generate false alarms due to certain conservative abstractions. In this paper, we describe a novel approach to eliminating false alarms that may occur in path condition-based IFC. We extend PDGs and path conditions by an instantiation of the counterexample guided abstraction refinement (CEGAR) framework [6]. CEGAR has been successfully used to improve the precision of software model checking [1, 13, 19] and data structure analysis [21, 24]. A number of CEGAR-based program analysis tools (such as [1, 19]) has been successfully used in industry. To our knowledge, however, it has never been exploited in software security and IFC before. We introduce a novel instantiation of CEGAR that can be applied in the context of information flow analysis. Our approach checks for an (illegal) flow between two given program points by iteratively solving and refining path conditions. It starts from the path condition generated by JOANA for a given pair of program points and solves it using an off-the-shelf, complete constraint solver. Since path conditions are sound, lack of a satisfying solution guarantees that the program contains no flows between the given points. However, if a solution is

Information Flow Analysis via Path Condition Refinement

67

found, it must be checked for validity to ensure that it is not a false witness. This is done by executing the program on the input values provided by the solution, and monitoring the program state during the execution. A false alarm will be eliminated by using the constraint solver again, to refine the path condition and reveal more details about the program behavior. This solve-validate-refine process continues until either a valid witness is found, or it is shown that the code contains no flows between the given program points. The refinement process is monotonic, and thus guarantees termination (for terminating programs). Furthermore, the on-demand nature of our refinement guarantees that only as much code will be analyzed as necessary to check flow between two certain program points. However, the path conditions of larger programs may become intractable after several refinements. Therefore, the analysis time is bounded by a user-provided time-out threshold. In a time-out case, the technique outputs the last satisfying solution as a potential witness for flow. Compared to the expressive, but purely static PDGs and path conditions, the CEGAR-based approach can eliminate false alarms by incorporating constraint solving, automated test runs, and automatic path condition refinement. The result is a considerable improvement in precision. In this paper, we focus on describing the approach and the underlying ideas and will elaborate on the details of the technique using an example. The technical details of the implementation, and experimental results will follow in a future paper.

2

Program Dependence Graphs

It is a difficult task to construct precise PDGs for full C++ or Java. In particular, context-sensitivity and object-sensitivity require complex and quite expensive (O(n3 )) algorithms. We will not describe full details of advanced PDG construction here (see [17] for an overview). Instead, we use a simple example in an imperative subset of Java without objects or procedures to demonstrate the essential aspects of PDGs, as needed to describe our CEGAR-based approach. Consider the small program of Figure 1 (left). The PDG of this program is given in Figure 1 (bottom). Nodes represent program statements, and there are two kinds of arcs: control dependencies (given by dashed arcs) and data dependencies (given by solid arcs). A statement s is control dependent on a statement t iff s will be executed only if a certain expression of t has a specific value. For example, the statements in the body of an if or a while statement will be executed only if the condition expression evaluates to true. In Figure 1, there are control dependencies from node 10 to nodes 11 and 13, and from node 11 to node 12. A statement s is data dependent on a statement t iff a variable is assigned in statement t and is used in statement s without being re-assigned in between. That is, data dependencies express nonlocal information transport. In Figure 1, sum in statement 8 is used in statements 11 and 12, and sum in the left-hand side of statement 12 is used in the right-hand side of the same statement. The latter represents both a so-called loop-carried dependency, and a self-loop.

68

M. Taghdiri, G. Snelting, and C. Sinz 0. int main(String[] argv) { 1. int[] a = new int[3]; // a[0] PUBLIC // a[1], a[2] PRIVATE 2. a[0] = System.in.read(); 3. a[1] = System.in.read(); 4. a[2] = System.in.read(); 5. assert(a[0] > 0); 6. assert(a[1] > 0); 7. assert(a[2] > 0); 8. int sum = 0; 9. int i = 0; 10. while (i < 3) { 11. if (sum == 0) 12. sum = sum+a[i]; 13. i = i+1; } 14. System.out.println(sum); }

int main(String[] argv1 ){ a1 [0] = System.in.read(); a2 [1] = System.in.read(); a3 [2] = System.in.read(); int sum1 = 0; int i1 = 0; while [i2 = Φ (i1 , i3 ) ; sum2 = Φ (sum1 , sum4 )] (i2 <3) { if (sum2 ==0) sum3 = sum2 + a3 [i2 ]; [sum4 = Φ (sum2 , sum3 )] i3 = i2 + 1; } System.out.println(sum2);

Fig. 1. An example Java fragment, its SSA form, and its PDG

For simplicity, in this example, asserts are not part of the PDG, and additional control flow due to exceptions is not shown. In general, asserts, exceptions and gotos make the construction of control dependencies much more difficult; the same is true for complex data structures such as arrays, pointers, and objects. Post-dominator trees and a precise points-to analysis are needed to compute dependencies in those cases. The fundamental property of PDG that makes it relevant for IFC is the slicing theorem: If a statement x can influence a statement y in a program P , there must be a path x →∗ y in the PDG of P . If there is no path, it is guaranteed that x cannot influence y. In particular, classical noninterference holds if none of the low security outputs can be reached via any path from a high security variable. Noninterference means that if two initial program states are equivalent on public variables (“low-equivalent”), the final program states after execution must be low-equivalent as well. Noninterference is an effective, if not too strict, security criterion (a discussion of different variants and extensions of noninterference is out of the scope of this paper, see [20] for an overview). The following theorem states that PDGs provide a sound criterion for noninterference:   ∀x, y ∈ Expression : x ∈ HIGH , y ∈ LOW Output =⇒ x →∗ y   =⇒ ∀s, s ∈ State : s ∼ =LOW s ⇒ [[P ]](s) ∼ =LOW [[P ]](s )

Information Flow Analysis via Path Condition Refinement

69

Both the intraprocedural and the interprocedural versions of this theorem have been shown correct using machine-checked proofs [26, 27]. It should be noted that in the presence of procedures, the simple concept of a PDG path must be replaced by a so-called context-sensitive backward slice or chop, which guarantees context-sensitivity [12]. Consider the example of Figure 1 again. Suppose that we need to know whether the secret value in a[1] can flow to the public output sum or not. Since the PDG contains a path (given by thick arcs in Figure 1) from the assignment to a[1] in line 3 to the output of sum in line 14, it indicates the existence of an illegal flow. This flow, however, is a false alarm. PDGs are precise, but yet, cannot distinguish between different iterations of a loop. In this example, after the first loop iteration, we have (sum > 0) and so a[1] is never added to sum. 2.1

Path Conditions

Path conditions are conditions over program variables, which are necessary for flow along a set of PDG paths. They are computed on top of PDGs to increase the IFC precision. If a path condition P C(x, y) is not satisfiable, it is guaranteed that there is no flow from x to y, even if the PDG contains a path x →∗ y. Path conditions are generated from the control conditions in the statements that govern the execution of a PDG path. The full details are described in [23]; here we only give the essential ideas. As an example, consider the code fragment: 1. 2. 3.

a[i+3] = x; if (i>10 && j<5) y = a[2*j-42];

The PDG of this code (not shown) contains an edge 1 → 3 because – depending on the values of i, j – the array element assigned in line 1 may be used in line 3. The path condition is P C(1, 3) ≡ (i > 10) ∧ (j < 5) ∧ (i + 3 = 2j − 42) ≡ false, proving that flow is impossible even though the PDG indicates otherwise. Note that all variables in path conditions are implicitly existentially quantified. In order to compute path conditions, the program must first be transformed into static single assignment form (SSA)[7]. The SSA form of the example program of Figure 1 (left) is given in Figure 1 (right). Note that assert statements are not part of the SSA form, but contribute to path conditions (see below). A path condition P C(x, y) is then computed by considering all PDG paths from x to y, and collecting all the conditions that are necessary for each arc in a particular path to be executed. These conditions can result from data flows, control predicates, or the Φ functions in the SSA form. In Figure 1, the path condition for a flow from the initial value of a[1] in line 3 to sum in line 14 is as follows: PC (3, 14) ≡ (sum1 = 0) ∧ (i1 = 0) ∧ (i2 = 1) ∧ (sum2 = sum3 ) ∧ (i2 < 3) ∧ (sum2 = 0) ∧ (a[0] > 0) ∧ (a[1] > 0) ∧ (a[2] > 0) ∧ (i2 = i1 ∨ i2 = i3 ) ∧ (sum2 = sum1 ∨ sum2 = sum4 ) ∧ (sum4 = sum2 ∨ sum4 = sum3 ) ≡ (i1 = 0) ∧ (i2 = i3 = 1) ∧ (sum1 = sum2 = sum3 = sum4 = 0) ∧ (a[0] > 0) ∧ (a[1] > 0) ∧ (a[2] > 0)

70

M. Taghdiri, G. Snelting, and C. Sinz

The constraints sum1 = 0 and i1 = 0 come from the built-in constant propagation (lines 8, 9), i2 = 1 is attached to the edge 3 → 12 (see [23]), sum2 = sum3 is attached to 12 → 14 (see [23]), the “∨” constraints come from Φ functions, and the other constraints are control conditions of the path or the assert predicates. This path condition is satisfiable, implying that the secret can allegedly flow to the public output. Hence, although incorporating path conditions into PDGbased IFC reduces many false alarms and makes the analysis considerably more precise, it may still cause false alarms due to conservative abstractions. This example was chosen to demonstrate the dynamic effects (multiple loop iterations) that cannot be captured by static analysis alone, and thus path condition alone cannot eliminate this false alarm. We will describe in the following section how CEGAR refines the path condition, and eliminates the false alarms. The actual implementation of path condition generation incorporates various optimizations to make the technique scalable to large PDGs. In fact, this IFC analysis is fully implemented in the tool JOANA, and is based on the precise PDG algorithms for concurrent programs as described in [9, 16]. The JOANA PDG can handle full Java bytecode and scales up to 50kLOC. As of today, path conditions can handle an imperative subset of Java and scale to a few kLOC.

3

Path Condition Analysis

The goal of our analysis is to make path condition-based IFC more precise, i.e. if we report that a flow is possible, we will generate a witness whose execution truly illustrates the information flow. To achieve this goal, we eliminate false witnesses fully automatically. However, because analyzing the full code of a program often becomes intractable, we introduce a novel approach in which the precision of the analysis increases incrementally: the technique keeps looking for better witnesses – those that represent the program behavior more closely – in an iterative fashion, ensuring that only as much information about the code is analyzed as actually necessary to establish or refute a flow between two certain program points. Our analysis is a novel instantiation of the counterexample guided abstraction refinement (CEGAR) framework[6]. It starts with an initial (possibly imprecise) path condition, and follows a fully automatic solve-validate-refine loop until either a definite outcome is reached, or the analysis time exceeds a user-provided threshold. In the former case, an absolutely valid witness is returned, or the program is guaranteed not to contain a flow. In the latter case, the last witness found will be returned as a potential witness. Figure 2 gives an overview of the technique. It consists of the following steps: – Generating path conditions. The technique described in the previous section is used to generate path conditions as an initial approximation of the conditions necessary for an information flow to occur. – Checking path conditions. A constraint solver, namely a SAT Modulo Theory (SMT) solver, is used to check the satisfiability of the path condition. Since the input logic of the SMT solver is decidable, the solver is guaranteed to find a solution when one exists. If the solver cannot find a solution that satisfies

Information Flow Analysis via Path Condition Refinement

generate path condition (PC)

path condition

no

check PC with SMT solver

satisfiable?

71

no information flow

yes refined path condition

refine PC using proof

check solution by executing code no

valid program run?

yes

witness for information flow

Fig. 2. Path Condition Refinement Loop

the path condition, no flow exists between the two program points, and the analysis terminates. This is because path conditions soundly abstract the necessary conditions for flow. – Checking validity of a solution. If the solver finds a solution, it represents a potential information flow. The solution will be checked for validity to ensure that it is real and not just a spurious alarm. This is done by executing the program code, setting input variables according to the solution provided by the SMT solver, and monitoring the program state as the code runs. If the solution conforms to the actual execution, the analysis terminates, and the solution is returned as an absolutely valid witness to the flow. – Refining path conditions. If the execution of the solution fails, i.e. we arrive at a program state that contradicts the solution, the path condition must be refined to exclude the current solution. To do this, the SMT solver is used again, to compute a proof of unsatisfiability [28] out of the failed execution attempt. The proof encodes those parts of the program that make the current solution spurious. It is conjoined with the previous condition to form a refined path condition which will be solved by the next iteration of our analysis loop. Each iteration of the algorithm monotonically extends the path condition. The path condition is an abstraction of the code, so in the limit, it is equivalent to the code, and termination is therefore guaranteed for all terminating programs. In practice, however, the path condition can become intractable, and thus, a user-defined run-time threshold is needed for termination. 3.1

Path Condition Checking

A path condition is an expression in a quantifier-free fragment of first-order logic involving equalities and inequalities, arithmetic (linear and non-linear, integer and floating point), arrays, and uninterpreted functions (to model object attributes). Many quantifier-free fragments of first-order logic are decidable. For example, when arithmetic operations are limited to linear arithmetic, or when the data types are represented by fixed-length bit-vectors (e.g. by modeling Java integers as bit vectors of size 32), the formulas become decidable. Combinations of such decidable first-order logics (theories) can be solved using SMT (satisfiability modulo theory) solvers (see e.g. [4, 5, 8]). Common combinations include

72

M. Taghdiri, G. Snelting, and C. Sinz

QF AUFLIA (quantifier-free linear integer arithmetic, integer arrays, and uninterpreted functions) and QF AUFBV (quantifier-free formulas over the theory of bitvectors, bitvector arrays, and uninterpreted functions). Translation of path conditions to the input language of an SMT solver requires handling scalars, arrays, object attributes, and their operations. For these purposes, a solver for the theory QF AUFBV is sufficient, as it can handle integers (with a fixed bit-width), arrays, and object-oriented attributes (via uninterpreted functions). Using range-restricted integers is an advantage for our application, as it (i) enables a precise handling of Java integers, including range overflows, and (ii) supports non-linear operations such as multiplication, division, or bitoperations. Arrays in SMT solvers for QF AUFBV are modeled as functions mapping bitvectors (the indices of the array) to bit-vectors (the values of the array)2. The array a of Figure 1, for example, is represented as a : B2 → B32 where B2 denotes a bit-vector of size 2 that encodes the indices, and B32 denotes a bit-vector of size 32 that encodes the integer values. Object attributes are translated using uninterpreted functions over fixed-sized bit-vectors, following a relational view [24] of the heap. 3.2

Code Execution and Witness Validation

Having found a solution to the path condition, we know that there is a potential information flow. To check whether the solution represents a real flow or not, we only need to check whether it gives a valid execution of the code; the conditions necessary for the flow were already encoded in the initial path condition, and thus hold in any solution. We execute the program, setting input values as indicated by the solution3 . During the execution, we compare the program state to the variable assignment provided by the solution, looking for discrepancy. We run the program step by step, like a debugger does, and at each step observe the variables that also occur in the path condition. In order to check for a contradiction with the solver’s solution, we have to map program variables to variables present in the path condition. To achieve this, we use a function SSA(x, π), which associates a program variable x at program location π with its SSA counterpart xi = SSA(x, π). This function can be created during the SSA transformation of the program. As the solution from the SMT solver provides concrete values for all variables occurring in the path condition, it can easily be checked against the variables’ values of the current program state. Having found a contradiction at some program state, we store that program state, say πi0 , and stop the witness validation process. (For statements inside loops we have to check further iterations to detect a contradiction because the flow into the loop need not happen in the first iteration.) If no contradiction occurs and the program terminates, the program 2 3

Note that arrays with large index ranges are not a problem, as the computational complexity depends on the number of array accesses, and not the range of the indices. If an input variable is not in the path condition, it can be set to any arbitrary value.

Information Flow Analysis via Path Condition Refinement

73

run is valid, and thus an information flow really occurs. We can thus report the SMT solver’s solution as a witness for this information flow. 3.3

Path Condition Refinement

The refinement phase strengthens the current path condition to guarantee that the current spurious solution (witness) will never be found by the solver again. It conjoins the path condition with additional constraints that encode the reason that this solution does not represent a valid behavior of the program. In order to compute those additional constraints, we perform a symbolic execution of the program. The symbolic execution mimics the actual concrete trace that was executed in the validation phase (see Sec. 3.2), but starts from symbolic inputs rather than concrete ones. During the execution, when a variable (or an object attribute) is updated, its value is computed symbolically. The computed symbolic expressions, however, are valid only for this particular execution trace; the values of variables in other traces are unknown. Therefore, the symbolic execution also keeps track of all branch conditions that are taken during this execution trace. Consider the following code fragment as an example: 1. 2. 3. 4.

x = input(); if (x>0) y = x+5; z = y + 1;

Suppose that the concrete execution trace uses x=5 as the actual input and thus, the branch condition holds in this trace. The symbolic execution starts by using a symbolic, uninterpreted constant for the input, namely X0, and mimics the concrete trace. That is, after line 2, it collects the condition (X0>0), after line 3, it computes X0+5 for the variable y, and after line 4, it computes X0+6 for z. The final symbolic values of x, y and z, denoted by x’, y’ and z’ respectively, are given by: x’ = x = X0

(1)

y’ = if (X0 > 0) then X0 + 5 else ANY

(2)

z’ = if (X0 > 0) then X0 + 6 else ANY

(3)

We define an execution point αt to refer to a point in an execution trace t. Since a trace can execute the same program point several times – for example, those that are included in a loop body – several execution points can correspond to the same point in the program. We use exect (π) to denote the set of all execution points of a trace t that correspond to a program point π. Furthermore, we use sym(v, αt ) to represent the symbolic expression computed for a variable v at an execution point αt , and guard(αt ) to denote the conjunction of all symbolic branch conditions under which the control reaches an execution point αt of a trace t. Assuming that the current solution represents a false witness, the concrete execution trace contains an invalid program point πi0 whose executions do not match the variable assignment of the solution. Consequently, the symbolic state at none of the executions of πi0 will match the SSA variables of πi0 either.

74

M. Taghdiri, G. Snelting, and C. Sinz

More precisely, at any execution point αt that corresponds to πi0 , the symbolic expression sym(vi , αt ) of some variable vi will not be equal to SSA(vi , πi0 ). Thus, the following logical formula will be unsatisfiable with respect to the current solution: 



SSA(vi , πi0 ) = if guard(αt ) then sym(vi , αt ) else ANY



∀αt ∈exect (πi0 ) ∀vi

The use of the guard conditions ensures that the symbolic expressions computed along different execution traces do not contradict each other, and thus the constraints that will be added to refine the path condition are sound. The above formula is then simplified by transforming if expressions to logical implications, and normalized so that the top-level operator is a conjunction. We use the SMT solver again to solve the resulting formula with respect to the current solution sol. The solution sol defines a partial instance for this formula: it defines values for those variables of the formula that occurred in the path condition, i.e. SSA(vi , πi0 ). Since the program point πi0 is invalid, none of the executions of πi0 gives a program state equal to the one defined by sol, and the above formula is unsatisfiable with respect to sol 4 . A solver capable of generating proofs (e.g. [8]) can be asked for a proof of unsatisfiability [28] – a formula weaker than the solved formula that is still unsatisfiable with respect to the given partial instance. Suppose that a formula f is unsatisfiable with respect to a partial instance i, and that, in the normal form, it consists of a conjunction of a set of clauses C, then the unsatisfiability proof will be a subset C  ⊆ C which is still unsatisfiable with respect to i. Consider again the above-mentioned example fragment along with the values x=5 for the initial input, and x’=5, y’=3, z’=18 for the final values. We can solve the formulas (1)-(3) with respect to these values. However, because the values do not represent a valid execution of the code, the solver cannot find a satisfying solution. Instead, it returns an unsatisfiability proof like (x = X0) ∧ (X0 > 0 =⇒ y  = X0 + 5), which is equivalent to (x > 0 =⇒ y  = x + 5). It highlights a small portion of the original formula that contradicts the given values, i.e. it is still unsatisfiable with respect to the values. Intuitively, the unsatisfiability proof encodes the reason that the current solution sol is not consistent with the program. Because the proof is unsatisfiable with respect to sol, when conjoined with the current path condition, it prevents this invalid solution from ever being found again. The conjunction of the path condition and the proof constitutes the refined path condition and will be solved for a solution in the next iteration of our algorithm. An ideal unsatisfiability proof is “minimal”, meaning that any formula strictly weaker than the proof is satisfiable with respect to the partial instance. A minimal proof guarantees that each iteration of our algorithm grows the path condition by only a minimal amount of information about the code. No proofgenerating SMT solver, however, is guaranteed to produce minimal proofs. Nevertheless, experiments show that the generated proofs are small enough to be used in practice[24]. 4

Since the guard conditions evaluate to true given the current solution, leaving the else branches unconstrained does not affect the satisfiability of the formula.

Information Flow Analysis via Path Condition Refinement 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25.

int[] a = new int[3]; a[0] = System.in.read(); [a[0] = 15] a[1] = System.in.read(); [.., a[1] = 5] a[2] = System.in.read(); [.., a[2] = 42] assert(a[0] > 0); assert(a[1] > 0); assert(a[2] > 0); int sum = 0; [.., sum = 0] int i = 0; [.., i = 0] if (i < 3) { if (sum = 0) sum = sum + a[i]; [.., sum = 15] i = i + 1; [.., i = 1] if (i < 3) { if (sum = 0) sum = sum + a[i]; i = i + 1; [.., i = 2] if (i < 3) { if (sum = 0) sum = sum + a[i]; i = i + 1; [.., i = 3] if (i < 3) { if (sum = 0) sum = sum + a[i]; i = i + 1; }}}} 26. System.out.println(sum); (a)

[a[0] → A0] [.., a[1] → A1] [.., a[2] → A2]

[.., sum → 0] [.., i → 0] [.., sum → A0] [.., i → 1]

[.., i → 2]

[.., i → 3]

75

{(A0 > 0)} {.. ∧ (A1 > 0)} {.. ∧ (A2 > 0)} {.. ∧ (0 < 3)} {.. ∧ (0 = 0)} {.. ∧ (1 < 3)} {.. ∧ ¬(A0 = 0)} {.. ∧ (2 < 3)} {.. ∧ ¬(A0 = 0)} {.. ∧ ¬(3 < 3)}

(b)

Fig. 3. (a) Execution trace of the code for the given solution, (b) its symbolic execution

4

Example

Consider again the program of Figure 1, together with its SSA form and its PDG. The question was whether the secret value in a[1] could flow to the public output sum or not. As mentioned before, the path condition P C(3, 14) given in Section 2 is satisfiable, indicating a potential illegal flow. But this is a false alarm, caused by the fact that the PDG cannot distinguish between different iterations of a loop. In fact, because the input values are expected to be positive, after the first iteration, we have sum>0, and thus the secret value a[1] is not added to sum, hence does not influence the public output. Suppose that an SMT solver produces the following solution to the path condition: a[0] = 15, a[1] = 5, a[2] = 42, i1 = 0, i2 = i3 = 1, sum1 = sum2 = sum3 = sum4 = 0, which is in fact a false witness for flow. This solution is checked for validity by executing the original code. The execution trace is given in Figure 3(a): executed statements are given in bold, and updates to the program state after each statement are given in square brackets. During the execution, the program state is monitored and compared against the solution to determine invalid program points. Here the first invalid point is the loop entry. That is because, based on the semantics of the SSA form of Figure 1, the values i2 = 1 and sum2 = 0 must happen at the beginning of some loop iteration. But that is not the case, and thus this program point is invalid. Based on the trace of Figure 3(a), a symbolic execution is performed as shown in Figure 3(b). The symbolic execution maintains (1) a mapping from variables to their symbolic expressions, and (2) a collection of all branch conditions taken.

76

M. Taghdiri, G. Snelting, and C. Sinz

Figure 3(b) uses square brackets to represent the updates to the mapping after each statement is executed, and curly braces to represent branch conditions as added to the collection. The execution starts by introducing the symbolic constants A0, A1, and A2 for the initial values of the input variables, which are then used to compute subsequent expressions. Numerical expressions are simplified on the fly. The branch conditions are computed symbolically and denote which branch of a conditional has been taken. That is, any time an else branch is taken, the negation of the condition is stored. At the end of the symbolic execution, a formula is generated to express the fact that sum2 and i2 must be the same as the symbolic values computed for sum and i at the beginning of some loop iteration. A conjunction of branch conditions is necessary for soundness. Conditions over constant values are evaluated on the fly. The resulting formula is given below: (a[0] = A0) ∧ (a[1] = A1) ∧ (a[2] = A2) ∧

(Initial symbolic values)

let c = (A0 > 0) ∧ (A1 > 0) ∧ (A2 > 0) and c = c ∧ ¬(A0 = 0) in ((sum2 = if c then 0 else ANY) ∧ (i2 = if c then 0 else ANY))

(Line 10)

∨ ((sum2 = if c then A0 else ANY) ∧ (i2 = if c then 1 else ANY))

(Line 14)

∨ ((sum2 = if c then A0 else ANY) ∧ (i2 = if c then 2 else ANY)) (Line 18) ∨ ((sum2 = if c then A0 else ANY) ∧ (i2 = if c then 3 else ANY)) (Line 22)

The intermediate variables c and c are used only to improve readability of the formula. Note that, in this example, c and c are equivalent and thus, all expressions use the same guard condition. The formula is then transformed to use logical implications rather than ternary if expressions. A proof-generating SMT solver is used to solve this formula with respect to the witness, which was a[0] = 15, a[1] = 5, a[2] = 42, i1 = 0, i2 = i3 = 1, sum1 = sum2 = sum3 = sum4 = 0. Since the witness is spurious, the solver cannot find a solution. Instead, it produces the following proof of unsatisfiability: P roof ≡((a[0] > 0) ∧ (a[1] > 0) ∧ (a[2] > 0)) =⇒ ((sum2 = 0 ∧ i2 = 0) ∨ sum2 = a[0])

The proof is a consequence of the solved formula that is still unsatisfiable with respect to the given witness. Intuitively, it expresses the fact that if the program is executed (i.e. the assert conditions hold), the values of sum and i at the loop entry must both be 0 (for the very first loop iteration), or the value of sum must be the same as a[0] (for any subsequent loop iterations). Neither of these cases is true for the given witness, and that is why it is spurious. This proof is then conjoined with the original path condition to form the refined path condition. P C  (3, 14) ≡ P C(3, 14) ∧ P roof ≡ (a[0] > 0) ∧ (a[1] > 0) ∧ (a[2] > 0) ∧ (i1 = 0) ∧ (i2 = i3 = 1) ∧ (sum1 = sum2 = sum3 = sum4 = 0) ∧ ((a[0] > 0) ∧ (a[1] > 0) ∧ (a[2] > 0) =⇒ (sum2 = 0 ∧ i2 = 0) ∨ sum2 = a[0])

This refined path condition is again solved for a satisfying solution. This time the path condition is unsatisfiable, and thus, the analysis terminates with no

Information Flow Analysis via Path Condition Refinement

77

solutions found, proving that there are no flows from a[1] to sum. Although in this example, the path condition became unsatisfiable after the first refinement, that is not always the case. In general, depending on the order in which the solver searches the space and the richness of the unsatisfiability proofs that it generates, several refinements might be needed to reach a conclusive outcome.

5

Related Work

Most IFC tools are based on security type systems [2, 3, 14, 18, 22], which opened the door into the whole field of language-based security. The Mobius project [2] developed a complete security infrastructure based on type systems and proof-carrying code. However, extending security type systems with a CEGAR approach seems difficult, as type systems do not generate logical formulae which can be refined as in our approach. On the PDG side, the TAJ project [25] implemented an IFC for full Java which scales to 500MLOC; but since TAJ is based on thin slicing, it does not discover implicit flow. As classical noninterference is very restrictive, many information flow systems allow declassifications. Declassifications are controlled violations of legal flow. Our PDG-based IFC allows declassification at any PDG node, thus offering fine-grained control “where” declassification should take place. We have shown that PDG-based declassification respects monotonicity of release [12]. If path conditions are computed for declassification paths, they answer “when” a declassification happens. If a witness can be generated from the condition, this gives insight into the “what” of a declassification. CEGAR-based program analysis has had tremendous success over the past few years. The software model checker SLAM [1], for example, analyzes C programs by iteratively refining a predicate abstraction of code, represented as a boolean program. BLAST [13] applies lazy abstraction and local refinements to achieve better performance. ARMC [19] uses a Prolog system with CLP extensions to perform predicate abstraction refinement. Although these tools have been successfully applied to substantial programs, they focus on checking code against temporal safety properties. We have previously used unsatisfiability proofs to refine abstractions of Java code in order to check precise data structure properties [24]. This paper builds on a similar approach of using unsatisfiability proofs, but in the context of information flow analysis. To our knowledge, this is the first time that CEGAR has been applied to IFC and software security.

6

Conclusion and Future Work

We presented the foundations of a new approach to IFC that improves the precision of our previous PDG-based analysis by incorporating a fully automatic refinement technique. The technique is a novel instantiation of CEGAR built on path conditions. It follows a solve-validate-refine loop to find witnesses for flow, check their validity, and eliminate the false ones. While our previous path condition-based IFC was already context-sensitive, flow-sensitive, and objectsensitive, it was purely static and could generate false alarms. The new approach

78

M. Taghdiri, G. Snelting, and C. Sinz

uses constraint solving, concrete and symbolic executions, and unsatisfiability proofs to detect and eliminate false alarms, and thus to increase IFC’s precision. Currently, our PDG-based IFC is fully implemented, and a path condition generator for Java is available as a prototype. As mentioned above, the implementation supports declassification. The implementation of the new CEGARbased approach, however, has just begun. Once a prototype implementation is completed, we can evaluate its precision and scalability on large programs. We expect the approach to be much more expensive than the PDG-based IFC alone, as it includes many solver queries and detailed dynamic and symbolic program runs. The run-time, however, is not really an issue for IFC where the analysis of a critical core may as well run overnight. We expect the approach to scale to a few kLOC – enough to check security-critical software cores. Note also that declassification is not yet integrated into our CEGAR approach. We will explore two options for translating undecidable program expressions to the decideable solver logic. First, for many program constructs, such as 32bit arithmetics, there are precise translations to bitvectors, which can be solved efficiently. Second, undecideable subexpressions can always be abstracted away using uninterpreted variables – but this may reduce precision again. Future work will investigate and evaluate these methods. In case the scalability of the approach is shown to be insufficient, some techniques are possible to decrease the complexity of the generated constraints, and thus to reduce the time spent by the constraint solver. One such technique is to partition the symbolic execution into smaller pieces and introduce intermediate uninterpreted constants to simplify the expressions computed in each piece. Evaluating the effects of such optimizations is left for future work. The fundamental idea of a CEGAR-based IFC, however, opens the door to an IFC precision that cannot be achieved by a static analysis alone, neither type systems nor PDGs.

References 1. Ball, T., Rajamani, S.: Automatically validating temporal safety properties of interfaces. In: SPIN Workshop on Model Checking of Software, pp. 103–122 (2001) 2. Barthe, G., Beringer, L., Cr´egut, P., Gr´egoire, B., Hofmann, M.O., M¨ uller, P., Poll, E., Puebla, G., Stark, I., V´etillard, E.: Mobius: Mobility, ubiquity, security. In: Montanari, U., Sannella, D., Bruni, R. (eds.) TGC 2006. LNCS, vol. 4661, pp. 10–29. Springer, Heidelberg (2007) 3. Barthe, G., Nieto, L.P.: Secure information flow for a concurrent language with scheduling. Journal of Computer Security 15(6), 647–689 (2007) 4. Bofill, M., Nieuwenhuis, R., Oliveras, A., Rodr´ıguez-Carbonell, E., Rubio, A.: The barcelogic SMT solver. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 294–298. Springer, Heidelberg (2008) 5. Bruttomesso, R., Cimatti, A., Franz´en, A., Griggio, A., Sebastiani, R.: The mathSAT 4 SMT solver. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 299–303. Springer, Heidelberg (2008) 6. Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)

Information Flow Analysis via Path Condition Refinement

79

7. Cytron, R., Ferrante, J., Rosen, B., et al.: Efficiently computing static single assignment and control dependence graph. TOPLAS 13(4), 451–490 (1991) 8. Dutertre, B., de Moura, L.: A fast linear-arithmetic solver for DPLL(T). In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 81–94. Springer, Heidelberg (2006) 9. Giffhorn, D., Hammer, C.: Precise slicing of concurrent programs, an evaluation of precise slicing algorithms for concurrent programs. JASE 16(2), 197–234 (2009) 10. Hammer, C.: Information Flow Control for Java, A Comprehensive Approach on Path Conditions in Dependence Graphs. PhD thesis, Universit¨ at Karlsruhe (2009) 11. Hammer, C.: Experiences with PDG-based IFC. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 44–60. Springer, Heidelberg (2010) 12. Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. J. of Information Security 8(6), 399–422 (2009) 13. Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002) 14. Hunt, S., Sands, D.: On flow-sensitive security types. In: POPL 2006, pp. 79–90. ACM, New York (2006) 15. Jackson, D.: Hazards of verification. In: Chockler, H., Hu, A.J. (eds.) HVC 2008. LNCS, vol. 5394, p. 1. Springer, Heidelberg (2009) 16. Krinke, J.: Context-sensitive slicing of concurrent programs. In: ESEC/FSE 2003, pp. 178–187. ACM, New York (2003) 17. Krinke, J.: Program slicing. In: Handbook of Software Engineering and Knowledge Engineering. Recent Advances, vol. 3. World Scientific Publishing, Singapore (2005) 18. Myers, A.C.: JFlow: practical mostly-static information flow control. In: POPL 1999, pp. 228–241. ACM Press, New York (1999) 19. Podelski, A., Rybalchenko, A.: Armc: The logical choice for software model checking with abstraction refinement. In: Hanus, M. (ed.) PADL 2007. LNCS, vol. 4354, pp. 245–259. Springer, Heidelberg (2006) 20. Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1) (January 2003) 21. Seghir, M., Podelski, A., Wies, T.: Abstraction refinement for quantified array assertions. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 3–18. Springer, Heidelberg (2009) 22. Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: POPL 1998, San Diego, CA, pp. 355–364 (January 1998) 23. Snelting, G., Robschink, T., Krinke, J.: Efficient path conditions in dependence graphs for software safety analysis. TOSEM 15(4), 410–457 (2006) 24. Taghdiri, M., Jackson, D.: Inferring specifications to detect errors in code. Journal of Automated Software Engineering 14(1), 87–121 (2007) 25. Tripp, O., Pistoia, M., Fink, S., Sridharan, M., Weismani, O.: TAJ: effective taint analysis of web applications. In: PLDI 2009, pp. 87–97. ACM, New York (2009) 26. Wasserrab, D., Lohner, D.: Proving information flow noninterference by reusing a machine-checked correctness proof for slicing. In: VERIFY 2010 (2010) 27. Wasserrab, D., Lohner, D., Snelting, G.: On PDG-based noninterference and its modular proof. In: PLAS 2009. ACM, New York (2009) 28. Zhang, L., Malik, S.: Validating SAT solvers using an independent resolution-based checker. In: DATE 2003, pp. 10880–10886 (2003)

Foundations of Attack–Defense Trees Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer CSC and SnT, University of Luxembourg, 6, rue Coudenhove–Kalergi, 1359 Luxembourg {barbara.kordy,sjouke.mauw,sasa.radomirovic,patrick.schweitzer}@uni.lu

Abstract. We introduce and give formal definitions of attack–defense trees. We argue that these trees are a simple, yet powerful tool to analyze complex security and privacy problems. Our formalization is generic in the sense that it supports different semantical approaches. We present several semantics for attack–defense trees along with usage scenarios, and we show how to evaluate attributes.

1

Introduction

It is a well-known fact that the security of any sufficiently valuable system is not static. In order to keep a system secure, it has to be defended against a growing number of attacks. As better defensive measures get deployed, more sophisticated attacks are developed, leading to an endless arms race and an increasingly complex system. A mature, large, and complex system poses several challenges. How can it be decided whether a costly defensive measure implemented in the distant past is still necessary today? What are the best defensive measures worth currently investing in? How can newly discovered attacks and implemented defenses be efficiently and systematically documented? These types of challenges are not new. Similar challenges had to be overcome by safety-critical systems. Moreover, the complexity of safety-critical systems in aviation and nuclear power plants easily rivals the most complex security applications. In the 1960s, fault tree analysis [1] was developed to evaluate the safety of systems. Since the 1990s, similar structures have been used to support system security engineering. One such structure are attack trees. The root of an attack tree corresponds to an attacker’s goal. The children of a node in the tree are refinements of the node’s goal into sub-goals. The leaves of the tree are the attacker’s actions. Attack trees were popularized by Schneier [2] as a tool for evaluating the security of systems and subsequently formalized by Mauw and Oostdijk [3]. An obvious limitation of attack trees is that they cannot capture the interaction between attacks carried out on a system and the defenses put in place to fend off the attacks. This consequently limits the precision with which the  

B. Kordy was supported by the grant No. C08/IS/26 from FNR Luxembourg. P. Schweitzer was supported by the grant No. PHD−09−167 from FNR Luxembourg.

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 80–95, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Foundations of Attack–Defense Trees

81

best defensive strategies can be analyzed, since it does not take into account the effects of existing defensive measures which may have been overcome by new attacks. Similarly, a pure attack tree does not allow for the visualization and consideration of the evolution of a system’s security, since the evolution can only be understood in view of both, the attacker’s, as well as the defender’s, actions. These limitations can be overcome by introducing defensive actions as countermeasures to attacks. In order to model the ongoing arms race between attacks and defenses, it is necessary to allow for arbitrary alternation between these two types of actions. We therefore introduce and formalize attack–defense trees (ADTrees) as a graphical representation of possible measures an attacker might take in order to attack a system and the defenses that a defender can employ to protect the system. Our formalization of ADTrees extends attack trees as defined in [3], in two ways. It introduces defenses as described above and it generalizes the interpretations and semantics of attack trees based on [3]. Consequently, our formalism provides a single framework covering the attributes and semantics of attack trees used in [4,5,6], including the notion of defense trees from [7,8]. The main contribution of this paper is the development of a complete attack– defense language. Our design of this language includes an algebra of attack– defense terms (ADTerms), a graphical syntax (ADTrees), semantics derived from first order models, semantics derived from algebraic specifications, and a methodology to analyze properties of attack–defense terms (attributes). Aside from the specific semantics that we present here, several additional semantics are expected to be useful for the analysis of an attack–defense tree. Two such examples would be a temporal and a probabilistic semantics. The variety of semantics is a consequence of different interpretations of what an attack–defense tree represents. In the existing attack trees literature, several distinct interpretations have been made. The present approach accommodates all these interpretations rather than prescribing a single one. Related Work. Fault trees have been introduced in the 1960s, and a formal framework was given by Vesely et al. [1]. They have been used by Moore et al. [9] to model attacks on systems, and by Cervesato and Meadows [10] to graphically represent attacks on security protocols. Amoroso [11] considered so-called threat trees on hospital computer systems and a simplified aircraft computer system. Schneier [2] used the fault tree approach to describe security vulnerabilities of systems coining the term attack trees. In [3], Mauw and Oostdijk have formalized attack trees. Edge et al. [5] have shown how to compute the probability, cost, risk, and impact of an attacker’s goal using attack trees. They have shown how to translate this information into protection trees in order to evaluate probability and cost for protection against the attacker’s goal. Morais et al. [12] applied attack trees to test an implementation of WTLS, a wireless security protocol. Sheyner et al. [13] have automatically generated and analyzed attack graphs from the output of a model checker for an intrusion detection system.

82

B. Kordy et al.

Willemson and Jürgenson [4] have extended the attack trees framework by introducing an order on the set of leaves which helps to solve the optimization problem of selecting the best attack given an attack tree. Bistarelli et al. [14] have generalized attack trees, considering defensive measures against basic actions. They have shown which measures to employ by using answer set programming, a form of declarative programming oriented towards difficult (primarily NP-hard) search problems. In [15] it was shown that attack–defense trees and binary zero-sum two-player extensive form games can be converted into each other. Both formalisms have their advantages: attack–defense trees are more intuitive, because refinements can be explicitly modeled, whereas the game theoretical approach benefits from the well-studied methodology used in games. Structure. The paper is organized as follows. In Section 2 we introduce attack– defense trees, give an example and define attack–defense terms which are a formal representation of attack–defense trees. Section 3 introduces semantics for attack– defense trees. In Section 4 we evaluate attributes on attack–defense trees.

2

Attack–Defense Trees

We start by defining the terminology used throughout this paper. Then we describe an example of an attack–defense scenario. We end this section by defining attack–defense terms. 2.1

Terminology

An ADTree is a node-labeled rooted tree describing the measures an attacker might take in order to attack a system and the defenses that a defender can employ to protect the system. An ADTree has nodes of two opposite types: attack nodes and defense nodes. The two key features of an ADTree are the representation of refinements and countermeasures. Every node may have one or more children of the same type representing a refinement into sub-goals of the node’s goal. If a node does not have any children of the same type, it is called a non-refined node. Non-refined nodes represent basic actions. Every node may also have one child1 of opposite type, representing a countermeasure. Thus, an attack node may have several children which refine the attack and one child which defends against the attack. The defending child in turn may have several children which refine the defense and one child that is an attack node and counters the defense. The refinement of a node of an ADTree is either disjunctive or conjunctive. The goal of a disjunctively refined node is achieved when at least one of its 1

Note that allowing any number of children of opposite type leads to an equally expressive, but more complicated formalism.

Foundations of Attack–Defense Trees

83

children’s goals is achieved. The goal of a conjunctively refined node is achieved when all of its children’s goals are achieved. The purpose of ADTrees is to analyze an attack–defense scenario. An attack– defense scenario is a game between two players, the proponent (denoted by p) and the opponent (denoted by o). The root of an ADTree represents the main goal of the proponent. When the root is an attack node, the proponent is an attacker and the opponent is a defender. Conversely, when the root is a defense node, the proponent is a defender and the opponent is an attacker. In ADTrees, we depict attack nodes by circles and defense nodes by rectangles, as shown in Figure 1. Refinement relations are indicated by solid edges between nodes, and countermeasures are indicated by dotted edges. We depict a conjunctive refinement of a node by connecting the edges going from this node to its children of the same type with an arc. 2.2

Example

To demonstrate the features of ADTrees, we consider the following fictitious scenario covering a collection of attacks on bank accounts.  attack node  defense node disjunctive refinement conjunctive refinement countermeasure

Bank Account

Online

ATM

Card

PIN

Eavesdrop

Find Note

Memorize

Force

Phishing

Password

User Name

Key Logger

2nd Auth Factor

Key Fobs

PIN Pad

Malware

Browser

OS

Fig. 1. Example of an ADTree: an attack on a bank account

A bank wants to protect its customers’ bank accounts from theft. Two forms of attacks on an individual’s bank account are considered. An attacker can steal money from the account either by attacking online or through an ATM. In order to steal money through an ATM, the attacker needs both, a PIN and a bank card.

84

B. Kordy et al.

We ignore how an attacker might obtain a bank card and focus on the PIN. The PIN could be observed by eavesdropping on a customer while the customer types her PIN. Alternatively, the attacker might acquire a note on which the customer’s PIN is written up. A simple defensive measure against exposing a note to an attacker is to memorize one’s PIN. This defense is of little use if an attacker forces the customer to reveal the PIN. For online banking attacks, an attacker needs to acquire a customer’s online banking credentials, consisting of a user name and a password. While the user name can be retrieved easily, retrieving a user’s password requires either a phishing email or a key logger. To defend against lost or stolen passwords, the bank introduces a second authentication factor. Two factor authentication can be implemented using key fobs which have a built-in cryptographic token with a pre-shared key known only to the token and the customer’s bank. An alternative to key fobs are PIN pads. Two factor authentication, however, is useless, if the customer has malware on her computer. To install malware on a victim’s computer, the attacker could attack either the browser or the operating system. The ADTree representing the described state is shown in Figure 1. While this ADTree is obviously incomplete, it is also clear that it would be very simple to extend the ADTree with new attacks and defenses. 2.3

Formal Representation

In order to formally represent attack–defense scenarios, we define attack–defense terms. We make use of the notion of an unranked function. An unranked function f with domain D and range R denotes a family of functions (fk )k∈N , where fk : D k → R for k ∈ N. Given a set S, we denote by S ∗ the set of all strings over S, where ε stands for the empty string. We use ∪˙ to denote a disjoint set union. Definition 1. An AD–signature is a pair Σ = (S, F ), such that – S = {p, o} is a set of types, (we set p = o and o = p), – F = {(∨pk )k∈N , (∧pk )k∈N , (∨ok )k∈N , (∧ok )k∈N , cp , co } ∪˙ Bp ∪˙ Bo is a set of function symbols, equipped with a mapping type : F → S ∗ × S, which expresses the type of each function symbol, as follows. For every k ∈ N, type(∨pk ) = (pk , p),

type(∨ok ) = (ok , o),

type(∧pk ) = (pk , p), type(cp ) = (p o, p),

type(∧ok ) = (ok , o), type(co ) = (o p, o),

type(b) = (ε, p), for b ∈ Bp ,

type(b) = (ε, o), for b ∈ Bo .

The elements of Bp and Bo are typed constants, which we call proponent’s (p) and ˙ o . The opponent’s (o) basic actions, respectively. By B we denote the union Bp ∪B p p o o unranked functions ∨ , ∧ , ∨ , and ∧ represent disjunctive (∨) and conjunctive

Foundations of Attack–Defense Trees

85

(∧) refinement operators for a proponent and an opponent, respectively. The binary function cs , where s ∈ S, connects actions of type s with actions of the opposite type s. Intuitively, cs (a, d) expresses that there exists an action d (of type s) that counteracts the action a (of type s). By TΣ we denote the set of all typed ground terms over the AD–signature Σ. The elements of TΣ are called attack–defense terms (ADTerms). We have TΣ = TΣp ∪TΣo , where TΣp is the set of ADTerms of the proponent’s type, and TΣo is the set of ADTerms of the opponent’s type. The terms from TΣp constitute formal representations of ADTrees. Tables 1 and 2 show how to obtain the ADTerm corresponding to an ADTree, and vice versa. Given an ADTree T , we denote by ι(T ) the ADTerm representing T . Given an ADTerm t, we denote by I(t) the corresponding ADTree. In Tables 1 and 2 we assume that the proponent is an attacker. If the proponent is a defender, circle nodes have to be replaced with square nodes and vice versa. To condense the presentation even further, we leave out the arcs, denoting conjunctions, in the cases where f = ∧s , for s ∈ {p, o}. Since the computations, as well as the internal structure of ADTrees, do not depend on the names of the refined sub-goals, we represent the refined nodes with the associated function symbols, only. Note that it is always possible to also decorate the refined nodes with intuitive labels. Table 1. Transformation from ADTrees to ADTerms T

b

b

f

f

where b ∈ Bp

where b ∈ Bo

... Tk where f ∈ {∨p , ∧p }, k ≥ 1

. . . Tk where f ∈ {∨o , ∧o }, k ≥ 1

ι(T )

b

b

f (ι(T1 ), . . . , ι(Tk ))

f (ι(T1 ), . . . , ι(Tk ))

T

b

b

f

f

T1 where b ∈ Bp

T1 where b ∈ Bo

T1

T1

...

Tk

T

where f ∈ {∨p , ∧p }, k ≥ 1

T1

...

Tk T where f ∈ {∨o , ∧o }, k ≥ 1

T1

ι(T ) cp (b, ι(T1 )) co (b, ι(T1 )) cp (f (ι(T1 ), . . . , ι(Tk )), ι(T  )) co (f (ι(T1 ), . . . , ι(Tk )), ι(T  ))

Example 1. The ADTerm representing the ADTree from Figure 1 is the following       p p p p o ∨ ∧ ∨ Eavesdrop, c FindNote, c (Memorize, Force) , Card ,     o  p p p o p ∧ c ∨ (Phish, KLog), c ∨ (KFob, PPad), ∨ (Br, OS) , UName .

86

B. Kordy et al. Table 2. Transformation from ADTerms to ADTrees t I(t)

b ∈ Bp

b ∈ Bo

f (t1 , . . . , tk ), where f ∈ {∨p , ∧p }, k ≥ 1

f (t1 , . . . , tk ), where f ∈ {∨o , ∧o }, k ≥ 1

b

b

f

f

I(t1 ) t

I(t)

cp (b, t ), co (b, t ), b ∈ Bp b ∈ Bo b

b

I(t )

I(t )

t

I(tk )

I(t1 )

...

I(tk )

cp (t0 , t ), where t0 = f (t1 , . . . , tk ) and f ∈ {∨p , ∧p }, k ≥ 1

co (t0 , t ), where t0 = f (t1 , . . . , tk ) and f ∈ {∨o , ∧o }, k ≥ 1

f

f

I(t1 )

...

I(tk )

I(t )

...

I(t1 )

I(tk )

cp (t0 , t ), where t0 = cp (t1 , t2 )

co (t0 , t ), where t0 = co (t1 , t2 )

∨p1

∨o1

I(t) I(t0 )

3

...

I(t )

I(t0 )

I(t )

I(t )

Semantics for Attack–Defense Terms

The main purpose of an ADTree is to specify and analyze an attack–defense scenario. It is possible that two distinct ADTrees describe the same scenario. In order to deal with such situations, we introduce the notion of equivalent ADTrees. For instance, the ADTrees represented by ∧p (a, b) and ∧p (b, a) are equivalent, if and only if the order of executing the sub-goals is irrelevant for the achievement of the parent goal. Hence, we consider ADTerms modulo an equivalence relation. This makes it possible to, e.g., transform an ADTerm into a simpler or more appealing form. Definition 2. A semantics for ADTerms is an equivalence relation on TΣ that preserves types. 3.1

Models for Attack–Defense Terms

Several different approaches, like propositional logics or multiset interpretations, were proposed in the literature to define semantics for attack trees [4,16,3]. In this section, we extend them to attack–defense trees. This is achieved with the help of first order models, cf. [17]. Definition 3. Consider the AD–signature Σ = (S, F ). A model for ADTerms is a pair M = (M, IM ) consisting of a non-empty set M and a function IM defined on F , called interpretation, such that – IM (b) ∈ M , for b ∈ B,

Foundations of Attack–Defense Trees

87

– IM (fk ) : M k → M , for fk ∈ {∨sk , ∧sk | s ∈ S}, – IM (cs ) : M 2 → M , for s ∈ S. Let M = (M, IM ) be a model for ADTerms, and let t, t be ADTerms. The interpretation of t in M is an element IM (t) ∈ M , defined as follows

IM (b), if t = b ∈ B IM (t) = IM (fk )(IM (t1 ), . . . , IM (tk )), if t = fk (t1 , . . . , tk ). Since the objective of introducing semantics is to decide which ADTerms are indistinguishable, we are interested in formulas of the form t = t . By definition, the formula t = t is satisfied in M if IM (t) = IM (t ). In this case we write M |= t = t . Definition 4. Let M = (M, IM ) be a model for ADTerms. The equivalence relation ≡M on TΣ , defined by t ≡M t iff M |= t = t , is called the semantics induced by the model M. The equivalence class defined by an ADTerm t under this relation is denoted by [t]M . Propositional Model. The most commonly used model for attack trees is based on propositional logic, cf. [4,16]. Here, we propose an extension of this model to attack–defense trees. To every basic action b ∈ B, we associate a propositional variable xb , and we denote by F the set of propositional formulas over these variables. Recall that two propositional formulas ψ and ψ are equivalent (ψ ≈ ψ  ) iff for every valuation ν of propositional variables, we have ν(ψ) = ν(ψ  ). By F/≈ we denote the quotient space defined by the relation ≈, and [ψ]≈ ∈ F/≈ stands for the equivalence class defined by a formula ψ. Definition 5. The propositional model for ADTerms is the pair P = (F/≈ , IP ), such that, for b ∈ B and s ∈ {p, o} IP (b) = [xb ]≈ ,

IP (∨s ) = ∨,

IP (∧s ) = ∧,

IP (cs ) = ,

where [ψ]≈ ∨ [ψ  ]≈ = [ψ ∨ ψ  ]≈ , [ψ]≈ ∧ [ψ ]≈ = [ψ ∧ ψ  ]≈ and [ψ]≈  [ψ  ]≈ = [ψ ∧ ¬ψ  ]≈ , for all ψ, ψ ∈ F. The semantics ≡P induced by the propositional model P is called the propositional semantics. The interpretation of an ADTerm in P is a set of equivalent propositional formulas expressing the satisfiability of the proponent’s goal. Example 2. Consider t = cp (b, ∧o (d, e)) and t = cp (∧p (b, b), ∧o (d, e)), where b ∈ Bp and d, e ∈ Bo . The interpretation of t in the propositional model is the equivalence class IP (t) = [xb ∧ ¬(xd ∧ xe )]≈ . The propositional formulas defining this equivalence class are all satisfied iff variable xb is set to true and at least one of the variables xd or xe is set to false. It models the fact that in order to achieve his goal, the proponent has to execute the action depicted by b and at least one counteraction, depicted by d or e, must not be executed by the opponent. Since, xb ∧ ¬(xd ∧ xe ) ≈ (xb ∧ xb ) ∧ ¬(xd ∧ xe ), we have IP (t) = IP (t ), i.e., t ≡P t . Thus, t and t are indistinguishable with respect to the propositional semantics.

88

B. Kordy et al.

As shown in Example 2, the propositional model assumes that the multiplicity of a sub-goal is irrelevant (by idempotency of ∨ and ∧). This assumption, however, might not be intended in all applications of ADTrees. It might, for instance, depend on whether parallel or sequential execution of sub-goals is modeled. In the multiset semantics, which we introduce next, we distinguish multiple occurrences of the same actions. Multiset Model. The model introduced in this paragraph extends the attack trees model defined in [3]. It is suitable for analyzing scenarios in which multiple occurrences of the same sub-goal are significant. Given a set X, we use 2X to denote the power set of X, and M(X) to denote the set of all multisets of elements in X. We use {|a1 , . . . , an}| to denote a multiset composed of elements a1 , . . . , an . The symbol stands for the multiset union. A pair (P, O) ∈ M(Bp ) × M(Bo ) is called a bundle, and it encodes how the proponent can achieve his goal. A bundle (P, O) represents the following situation: in order to reach his goal, the proponent must perform all actions in P while the opponent must not perform any of the actions in O. In the multiset model p o we interpret terms with sets of bundles, i.e., with elements from 2M(B )×M(B ) . Sets of bundles represent alternative possibilities for the proponent to achieve his goal. A term representing a basic action b of the proponent’s type is thus interpreted as a singleton {({|b|}, ∅)}, because in order to achieve his goal it is sufficient for the proponent to execute the action b. A term representing a basic action b of the opponent’s type is interpreted as {(∅, {|b|})}, because in order for the proponent to be successful, the counteraction b must not be executed by the opponent. To define the set of bundles that interprets a disjunctive proponent’s goal, it is sufficient to take the union of the sets of bundles corresponding to its sub-goals. To define the set of bundles that interprets a conjunctive proponent’s goal we introduce the distributive product. The distributive product of two sets of bundles S and Z is the following set of bundles S ⊗ Z = {(PS PZ , OS OZ ) | (PS , OS ) ∈ S and (PZ , OZ ) ∈ Z}. The distributive product can be extended to any finite number of sets of bundles. The construction given in the preceding paragraph leads to the multiset model for ADTerms. Definition 6. The multiset model for ADTerms is the following pair MS = p o (2M(B )×M(B ) , IMS ), where IMS (b) = {({|b|}, ∅)}, for b ∈ Bp , IMS (∨p ) = ∪,

IMS (b) = {(∅, {|b|})}, for b ∈ Bo , IMS (∨o ) = ⊗,

IMS (∧p ) = ⊗, IMS (cp ) = ⊗,

IMS (∧o ) = ∪, IMS (co ) = ∪.

The equivalence relation on ADTerms induced by the multiset model is called the multiset semantics, and is denoted by ≡MS . Note that IMS (∨s ) = IMS (∧s ), for s ∈ {p, o}. This can be explained as follows: in order to achieve his disjunctive

Foundations of Attack–Defense Trees

89

goal, the proponent has to achieve only one among the corresponding sub-goals, whereas in order to successfully prevent a disjunctive countermeasure of the opponent, the proponent has to prevent all the corresponding sub-countermeasures. A similar reasoning holds for conjunctive goals. Example 3. Consider the ADTerms t and t introduced in Example 2, that have been shown equivalent with respect to the propositional semantics. We have, IMS (t) = {({|b|}, {|d|}), ({|b|}, {|e|})} and IMS (t ) = {({|b, b|}, {|d|}), ({|b, b|}, {|e|})}. Since, IMS (t) = IMS (t ), we have MS |= t = t . Thus, the ADTerms t and t are not equivalent with respect to the multiset semantics. 3.2

Comparing Semantics

In order to compare two semantics, we define what it means that one semantics is finer than a second one. Such a relation allows us to import results about a semantics into any semantics which is coarser. Definition 7. Let ≡1 and ≡2 be two semantics for ADTerms. The semantics ≡1 is finer than the semantics ≡2 iff ≡1 ⊆≡2 , i.e., for t, t ∈ TΣ , t ≡1 t ⇒ t ≡2 t . The propositional semantics, as opposed to the multiset semantics, does not distinguish multiple occurrences of a basic action. Thus, for instance, absorption laws hold in the propositional but not in the multiset semantics. The relationship between these two semantics is captured by the following proposition. Proposition 1. The multiset semantics for ADTerms is finer than the propositional semantics for ADTerms. In order to prove the proposition, we use the following lemma. p

Lemma 1. Consider a function f : 2M(B

)×M(Bo )

→ F defined as follows

1 n f ({({|p11 , . . . , pk11 }| , {|o11 , . . . , om | ), . . . , ({|p1n , . . . , pknn }| , {|o1n , . . . , om | )}) = n } 1 }

(xp11 ∧ · · ·∧ xpk1 ∧ ¬xo11 ∧ · · ·∧ ¬xom 1 ) ∨ · · ·∨ (xp1 ∧ · · ·∧ x kn ∧ ¬xo1 ∧ · · ·∧ ¬xomn ), n pn n n 1 1

and let t be an ADTerm. Then



f (IMS (t)) ∈

IP (t), ¬IP (t),

if t ∈ TΣp , if t ∈ TΣo ,

(1)

where ¬[ψ]≈ = [¬ψ]≈ , for all ψ ∈ F. Proof. The proof is by induction on the structure of t. Suppose t = b ∈ B, then – if b ∈ Bp , we get: f (IMS (b)) = f ({({|b|}, ∅)}) = xb ∈ [xb ]≈ = IP (b), – if b ∈ Bo , we get: f (IMS (b)) = f ({(∅, {|b|})}) = ¬xb ∈ ¬[xb ]≈ = ¬IP (b). Let us now assume that t ∈ B, and suppose that (1) holds for all the sub-terms of t. The following observations, resulting from the definition of f , are crucial for the remaining part of the proof. For all ADTerms t1 , . . . , tk , we have

90

f

B. Kordy et al.

k 

k k k         IMS (tj ) = f IMS (tj ) , f IMS (tj ) = DNF f IMS (tj ) ,

j=1

j=1

j=1

j=1

where DNF (ψ) denotes a disjunctive normal form of the formula ψ. We give a complete proof for an ADTerm of the form t = co (∨o (t1 , . . . , tk ), t ). The proofs for the remaining cases are similar. Since t is of the opponent’s type, we show that f (IMS (t)) ∈ ¬IP (t). From the type of the function symbol co , we deduce that t1 , . . . , tk ∈ TΣo and t ∈ TΣp . We have f (IMS (t)) = =f

k 

k       IMS (tj ) ∪ IMS (t ) = f IMS (tj ) ∨ f IMS (t )

j=1

= DNF



j=1

k 

    f IMS (tj ) ∨ f IMS (t )

j=1

∈



k 

k    ¬IP (tj ) ∨ IP (t ) = ¬ IP (tj ) ∨ IP (t )

j=1

 =¬

j=1 k

k       IP (tj ) ∧ ¬IP (t ) = ¬ IP (tj )  IP (t ) = ¬IP (t).

j=1

 

j=1

Proof of Proposition 1. Suppose t ≡MS t . Thus, by definition we have IMS (t) = IMS (t ). Using the function f from Lemma 1, we have IP (t)  f (IMS (t)) = f (IMS (t )) ∈ IP (t ), for t, t ∈ TΣp , IP (t)  ¬f (IMS (t)) = ¬f (IMS (t )) ∈ IP (t ), for t, t ∈ TΣo , Thus, IP (t) = IP (t ), i.e., t ≡P t , which concludes the proof.

 

Examples 2 and 3 show that the reciprocal of Proposition 1 does not hold. Thus, the propositional semantics and the multiset semantics are not equal. 3.3

Equational Semantics

The propositional and multiset semantics were obtained by mapping ADTerms to specific mathematical domains. An alternative way to define a semantics is to directly specify an equivalence relation on ADTerms through a set of equations. This approach covers a concept from [3], which uses a specific set of rewrite rules to encode allowed tree transformations. Our framework is more general in that we allow any set of equations to define an equivalence relation on ADTerms. With the help of equations it is possible to implement tools that support iterative transformations and modifications of ADTrees. Let VAR denote a set of typed variables ranged over by X, Xi , Y, Z. We extend the set TΣ to the set TΣVAR of typed ADTerms over the variables from VAR. An equation is a pair (t, t ) ∈ TΣVAR × TΣVAR , where t and t have the same type. We use t = t to denote the equation (t, t ). An algebraic specification for ADTerms

Foundations of Attack–Defense Trees

91

is a pair (Σ, E), where Σ is the AD–signature and E is a set of equations. Given  the set of equations derivable an algebraic specification (Σ, E), we denote by E from E, which is the smallest set satisfying the following  – if t = t ∈ E, then t = t ∈ E, VAR  then σ(t) = σ(t ) ∈ E,  is a substitution, and t = t ∈ E, – if σ : VAR → TΣ   – if t = t ∈ E, and C[ ] is a context (i.e., a term with a hole of the same type  as t), then C[t] = C[t ] ∈ E,  for every t ∈ T VAR , – t = t ∈ E, Σ  then t = t ∈ E,  – if t = t ∈ E,  and t = t ∈ E,  then t = t ∈ E.  – if t = t ∈ E We now define a semantics for ADTerms induced by an algebraic specification. Definition 8. The equational semantics for ADTerms induced by an algebraic specification (Σ, E) is the equivalence relation ≡E on TΣ , defined by  t ≡E t iff t = t ∈ E. Example 4. Consider the equational semantics induced by an algebraic specification (Σ, E), where E = {∨p (X1 , . . . , Xk ) = ∨p (Xσ(1) , . . . , Xσ(k) ) | ∀ permutation σ of {1, . . . , k} }. The equations in E encode the commutativity of the disjunctive operator for the proponent. Thus, for t1 = ∨p (a, b) and t2 = ∨p (b, a), a, b ∈ Bp , we have t1 ≡E t2 . In contrast, t1 = ∧p (a, b) ≡E t2 = ∧p (b, a), because the commutativity of the conjunctive operator for the proponent is not modeled by E. Consider two algebraic specifications (Σ, E) and (Σ, E  ), such that E ⊆ E  . ⊆E  , the semantics ≡E is finer then ≡E  . Since we have E

4

Attributes

In order to analyze an attack–defense scenario represented by an ADTerm we use attributes. An attribute is a value assigned to an ADTerm, expressing a useful property, such as the minimal cost of an attack, expected impact, whether special equipment is required, or whether a considered scenario is feasible. In [2], Schneier introduces an intuitive, bottom-up algorithm for calculating the value of an attribute on an attack tree. This idea is formalized in [3]. In this section we extend it to attack–defense trees. 4.1

Bottom-Up Evaluation

Let Σ = (S, F ) be the AD–signature. An attribute domain is a pair Aα = (Dα , Iα ), where Dα is a set of values, and Iα is a function,which to every fk ∈ F with k > 0, associates a k-ary operation Iα (fk ) on Dα . An attribute for ADTerms is a pair α = (Aα , βα ) formed by an attribute domain Aα and a function βα : B → Dα called a basic assignment for α. The next definition formalizes the bottom-up procedure of calculating attribute values.

92

B. Kordy et al.

Definition 9. Let α = ((Dα , Iα ), βα ) be an attribute. The function α : TΣ → Dα which calculates the value of the attribute α for every ground ADTerm t, is defined recursively as follows

if t ∈ B, βα (t), α(t) = Iα (fk )(α(t1 ), . . . , α(tk )), if t = fk (t1 , . . . , tk ). The following example illustrates the bottom-up evaluation of attribute values. Example 5. Consider the ADTerm t = cp (∧p (a, b), co (d, e)), where a, b, e ∈ Bp , d ∈ Bo are independent basic actions. We define the following operations on the interval [0, 1]: ⊕(x, y) = x + y − xy, (x, y) = xy and (x, y) = x(1 − y). Using the attribute domain APr = ([0, 1], IPr ), where IPr (∨s ) = ⊕, IPr (∧s ) =  and IPr (cs ) = , for s ∈ {p, o}, we calculate the success probability of the attack–defense scenario represented by t. The success probabilities of basic actions are set as follows βPr(a) = 0.2, βPr (b) = 0.7, βPr (e) = 0.1, and βPr (d) = 0.9. According to Definition 9, we obtain Pr(t) = Pr(cp (∧p (a, b), co (d, e))) = ((0.2, 0.7), (0.9, 0.1)) = 0.0266. 4.2

Semantics Preserving Attribute Values

In our framework, we consider equivalent ADTrees as indistinguishable. Thus, the evaluation of attributes for equivalent ADTerms should be consistent, i.e., should yield the same values. This issue has already been discussed in case of attack trees, cf. [18,3]. In [18], the evaluation of the attacker’s expected outcome (based on cost, probabilities, expected penalties and gains) is considered. Using the propositional semantics, Jürgenson and Willemson propose a nonbottom-up procedure ensuring that the expected outcome attribute is calculated consistently. In their approach, optimization becomes necessary, because the corresponding computations are exponential with respect to the size of a tree. In [3], Mauw and Oostdijk consider a bottom-up way of calculating attributes, as defined in Definition 9. They show that when using the multiset semantics on attack trees, the attribute evaluation is consistent if the considered attribute domain is distributive, i.e., if it constitutes a semi-ring. In the current paper, we extend this result to any semantics for ADTrees. We introduce a notion of compatibility between a semantics and an attribute domain, which guarantees that the intuitive properties modeled by the semantics are preserved by the attribute domain. The compatibility is a necessary condition for consistent bottom-up evaluation of attributes on ADTrees. Definition 10. Let (Σ, E) be an algebraic specification, and let ≡ be a semantics for ADTerms. The set E is called a complete set of axioms for ≡, iff the relations  ∩ (TΣ × TΣ ) are equal. ≡ and E Example 6. Consider the equational semantics ≡E induced by an algebraic specification (Σ, E). It follows directly from Definition 8 that the set E is a complete set of axioms for ≡E .

Foundations of Attack–Defense Trees

93

Let Aα = (Dα , Iα ) be an attribute domain. Given t ∈ TΣVAR , we denote by tα an expression, composed of the elements from B ∪ VAR (here considered as variables) and operators Iα (fk ), where fk ∈ F , k ≥ 1, defined as follows

t, if t ∈ B ∪ VAR, 1    tα = k Iα (fk ) tα , . . . , tα , if t = fk t1 , . . . , tk . Definition 11. An equivalence relation ≡ on TΣ is compatible with an attribute domain Aα = (Dα , Iα ) iff for all ADTerms t, t such that t ≡ t , the equality tα = tα holds in Dα . Consider a complete set of axioms E for a semantics ≡. It follows from Definitions 11 and 10, that the semantics ≡ is compatible with an attribute domain Aα iff for every equation t = t from E, the equality tα = tα holds in Dα . In the following, we show that when considering a semantics that is compatible with a given attribute domain, the evaluation of attributes on equivalent ADTerms yields the same values. Theorem 1. Let α = ((Dα , Iα ), βα ) be an attribute, and t, t be ADTerms. If tα = tα holds in Dα , then α(t) = α(t ). Proof. Since tα = tα holds in Dα , we have σ(tα ) = σ(tα ), for every substitution σ : B ∪ VAR → Dα . Thus, it suffices to show that for every ADTerm t, we have βα (tα ) = α(t).

(2)

The proof of (2) is by induction on the structure of t. If t ∈ B, then tα = t, thus βα (tα ) = βα (t) = α(t). Suppose now, that for all ADTerms composing t, we have (2), and let t = fk (t1 , . . . , tk ). We have βα (tα ) = βα (Iα (fk )(t1α , . . . , tkα )) = Iα (fk )(βα (t1α ), . . . , βα (tkα )) = Iα (fk )(α(t1 ), . . . , α(tk )) = α(t).

 

Corollary 1. Let α = (Aα , βα ) be an attribute and let ≡ be a semantics for ADTerms compatible with Aα . If t ≡ t , then α(t) = α(t ). Corollary 1 guarantees that, given an attribute domain and a compatible semantics, the attributes can be calculated in a consistent way, In Example 7 we show how the compatibility notion defined in Definition 11 covers the result obtained by Mauw and Oostdijk in [3]. Example 7. The multiset semantics for attack trees used in [3] can be axiomatized with the following set of rules, for fi ∈ {∨pi , ∧pi }, i ≥ 1, fk (X1 , . . . , Xk ) = fk (Xσ(1) , . . . , Xσ(k) ), for every permutation σ of {1, . . . , k}, fk+1 (X1 , . . . , Xk , fn (Y1 , . . . , Yn )) = fk+n (X1 , . . . , Xk , Y1 , . . . , Yn ), ∧p (X, ∨p (X1 , . . . , Xk )) = ∨p (∧p (X, X1 ), . . . , ∧p (X, Xk )), ∨p (X, X, X1 , . . . , Xk ) = ∨p (X, X1 , . . . , Xk ).

94

B. Kordy et al.

Note that the corresponding equalities always hold in every attribute domain Aα = (Dα , Iα ), such that (Dα , Iα (∨p ), Iα (∧p )) constitutes a semi-ring. Thus, the multiset semantics for attack trees is compatible with any attribute domain being a semi-ring.

5

Conclusion and Future Work

We introduce attack–defense trees as a new formal approach for security assessment. These ADTrees provide an intuitive and visual representation of interactions between an attacker and a defender of a system, as well as the evolution of the security mechanisms and vulnerabilities of a system. The attack–defense language is based on ADTerms, i.e., the term algebra for ADTrees. We define semantics for ADTrees as equivalence relations on ADTerms. This general framework unifies different approaches [3,4,5] to attack trees that have been proposed in the literature, because they all rely upon an underlying equivalence relation. Furthermore, analysis of ADTrees is supported through attributes and their bottom-up evaluation. This extends the approach proposed for attack trees in [3]. Finally, we formulate a necessary condition guaranteeing that equivalent ADTerms yield the same attribute value. The purpose of this paper is to lay a formal foundation for attack–defense trees. To demonstrate the applicability of attack–defense trees on a real-world example is impossible without a tool, due to the large size of the resulting attack– defense trees. Examples for the applicability of a similar approach can, at present, be found in works on attack trees, e.g., [5,12,19,20]. In order to allow for meaningful case-studies with attack–defense trees, a computer tool will be developed next. It will facilitate the construction of large ADTrees, support their graphical representation, and assist in the analysis of ADTrees by combining information assigned to the basic actions in an ADTree into a single value for the analyzed scenario. Furthermore, automated generation and analysis of ADTrees is planned for particular domains, such as network security. The feasibility of such a work has been demonstrated by Sheyner et al. [13], who have shown how to automatically generate and analyze attack graphs from the output of a model checker for an intrusion detection system. We also plan to extend the attack–defense framework to attack–defense DAGs. Using DAGs one can model dependencies between the sub-goals. This issue is crucial when taking the execution order of sub-goals into account or when analyzing an attack–defense scenario from a probabilistic point of view.

References 1. Vesely, W.E., Goldberg, F.F., Roberts, N., Haasl, D.: Fault Tree Handbook. Technical Report NUREG-0492, U.S. Regulatory Commission (1981) 2. Schneier, B.: Attack Trees. Dr. Dobb’s Journal of Software Tools 24(12), 21–29 (1999) 3. Mauw, S., Oostdijk, M.: Foundations of Attack Trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006)

Foundations of Attack–Defense Trees

95

4. Jürgenson, A., Willemson, J.: Serial Model for Attack Tree Computations. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 118–128. Springer, Heidelberg (2010) 5. Edge, K.S., Dalton II, G.C., Raines, R.A., Mills, R.F.: Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security. In: Military Communications Conference, MILCOM 2006, pp. 1–7. IEEE, Los Alamitos (2006) 6. Saini, V., Duan, Q., Paruchuri, V.: Threat Modeling Using Attack Trees. Journal of Computing in Small Colleges 23(4), 124–131 (2008) 7. Bistarelli, S., Fioravanti, F., Peretti, P.: Defense Trees for Economic Evaluation of Security Investments. In: ARES, pp. 416–423. IEEE Computer Society, Los Alamitos (2006) 8. Bistarelli, S., Dall’Aglio, M., Peretti, P.: Strategic Games on Defense Trees. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2006. LNCS, vol. 4691, pp. 1–15. Springer, Heidelberg (2007) 9. Moore, A.P., Ellison, R.J., Linger, R.C.: Attack Modeling for Information Security and Survivability. Technical Report CMU/ SEI-2001-TN-001, CMU Software Eng (2001) 10. Cervesato, I., Meadows, C.: One Picture Is Worth a Dozen Connectives: A FaultTree Representation of NPATRL Security Requirements. IEEE Transactions on Dependable and Secure Computing 4, 216–227 (2007) 11. Amoroso, E.G.: Fundamentals of Computer Security Technology. Prentice-Hall, Inc., Upper Saddle River (1994) 12. Morais, A.N.P., Martins, E., Cavalli, A.R., Jimenez, W.: Security Protocol Testing Using Attack Trees. In: CSE (2), pp. 690–697. IEEE Computer Society, Los Alamitos (2009) 13. Sheyner, O., Haines, J.W., Jha, S., Lippmann, R., Wing, J.M.: Automated Generation and Analysis of Attack Graphs. In: IEEE Symposium on Security and Privacy, pp. 273–284. IEEE Computer Society, Los Alamitos (2002) 14. Bistarelli, S., Peretti, P., Trubitsyna, I.: Analyzing Security Scenarios Using Defence Trees and Answer Set Programming. Electronic Notes in Theoretical Computer Science 197(2), 121–129 (2008) 15. Kordy, B., Mauw, S., Melissen, M., Schweitzer, P.: Attack–defense trees and twoplayer binary zero-sum extensive form games are equivalent. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds.) GameSec 2010. LNCS, vol. 6442, pp. 245–256. Springer, Heidelberg (2010) 16. Rehák, M., Staab, E., Fusenig, V., Pěchouček, M., Grill, M., Stiborek, J., Bartoš, K., Engel, T.: Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 61–80. Springer, Heidelberg (2009) 17. Doets, K.: Basic Model Theory. CSLI Publications, Stanford (1996) 18. Jürgenson, A., Willemson, J.: Computing Exact Outcomes of Multi-parameter Attack Trees. In: Chung, S. (ed.) OTM 2008, Part II. LNCS, vol. 5332, pp. 1036–1051. Springer, Heidelberg (2008) 19. Amenaza: SecurITree, http://www.amenaza.com/ 20. Isograph: AttackTree+, http://www.isograph-software.com/atpover.htm

Reasoning with Past to Prove PKCS#11 Keys Secure Sibylle Fr¨ oschle1 and Nils Sommer2 1

Department of Informatics, University of Oldenburg 2 MWR InfoSecurity, Basingstoke, UK

Abstract. PKCS#11 is a widely adopted standard that defines a security API for accessing devices such as smartcards and hardware security modules. Motivated by experiments on several devices we develop an approach that allows us to formally establish security properties of keys stored on such devices. We use first-order linear time logic extended by past operators. The expressiveness of a first-order language allows us to model the security API and its features close to how it is specified while the past operators enable proof by backwards analysis. We apply this approach to prove that keys that initially have the attribute extractable set to false are secure.

1

Introduction

RSA Laboratories Public Key Standard (PKCS) #11 [10] defines a generic API to access devices that hold cryptographic keys and can perform cryptographic functions. The name of the API itself is Cryptoki, which is short for cryptographic token interface. PKCS#11 is designed to be platform and hardware independent. By now the standard is widely-accepted, and employed on a wide range of devices, from simple smartcards to complex hardware security modules. Several security vulnerabilities have been identified against the standard [4, 6], many of which could, in theory, compromise sensitive keys stored on a PKCS#11 device. On the positive side, the existence of these attacks does not necessarily mean that a real device is vulnerable against them. Since Cryptoki is a generic API for a wide range of devices and use cases it leaves it up to the device, which functionality it indeed provides. In the end, security is always up to the particular configuration of PKCS#11 implemented by a security module. We have run experiments on several real devices such as smartcards and USB keys to find out how these devices are configured and whether they are vulnerable against any attack. We find that some tokens do have configurations that allow an attacker to obtain a sensitive key in plaintext (by the wrap/decrypt attack of [4, 6]). However, in each case the pre-configured key objects (assumed to be loaded onto the device during a secure setup phase) are not vulnerable against any of the known attacks. The reason is that these key objects have 

This work is partially supported by DFG SFB/TR14 AVACS and the BMBF/DAAD project 50725248.

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 96–110, 2011. © Springer-Verlag Berlin Heidelberg 2011

Reasoning with Past to Prove PKCS#11 Keys Secure

97

their attribute extractable set to false, which ensures that the corresponding key values cannot be exported from the device. One could say that the tokens adopt a key-focused configuration, which concentrates on protecting certain key objects rather than tries to protect any key object to be generated on the device. Based on these findings we wished to develop an approach that allows us to formally establish properties such as “If a key object has been generated on the device with the attribute extractable set to false then the value of the key object will never be known to the attacker, independent of the configuration”. One may think such properties are trivial to prove, however, reasoning about secrecy of keys in PKCS#11 is complicated by the fact that the same key can occur as the value of several different key objects, which may have their attributes set in a conflicting way. So one has always to distinguish between the key value and a particular key object. The recent works on formal analysis of PKCS#11 are not suited to our goal: the model-checking approach [6] scales only to a small number of keys, and thus is more suited to finding attacks than to verifying a security property. The approach of [7] shows that for static attribute policies a bounded number of keys covers all attacks, however, we wish to make statements without restricting the configuration (which includes the attribute policy). Crystallizing our informal proofs of security properties such as the one above into a logically sound approach, we were led to a new verification method. One novelty of this approach is that we not only draw from security protocol analysis but also from program verification. The idea behind it is threefold: (1) Model the data types used by the security API by a first-order language. This allows us to model the security API and its features close to how it is specified. (2) Draw from the methodology used in program verification, and use FOLTL (first-order linear time logic) to specify and verify security properties. (We are inspired by Kr¨ oger and Merz’s “Temporal Logic and State Systems” [9].) (3) Draw from the success of backwards analysis in security protocol analysis (such as the strand space method of [11]) and use FOLTL extended by past operators. (4) Recover monotonicity of state by a slight sound overapproximation of the model. In Section 2 we give an informal introduction to Cryptoki and some of its known security vulnerabilities. In Section 3 we give our abstract view of the API as a first-order state transition system. In Section 4 we introduce FOLTL with past operators together with the proof method we will use. In Section 5 we present a theory that axiomatizes Cryptoki behaviour. In Section 6 we apply our approach to prove that keys that are generated with the attribute extractable set to false are secure. We conclude the paper with a discussion and summary of future work. A full version of the paper will be made available at [1].

2

Introduction to Cryptoki

Cryptoki provides a logical view of a security module, or token, as a store of objects such as key, certificate, and data objects. A key object is defined by the value of the key and a set of attributes. The attribute object class specifies

98

S. Fröschle and N. Sommer

whether the key is a symmetric key (secretKey), private key (privateKey), or public key (publicKey). A set of boolean attributes defines how the key object can be used: e.g., if a key object can be used to export another key from the token its attribute wrap must be set to true, while the key object to be exported must have its attribute extractable set to true. Key objects are accessed via object handles. Cryptoki provides the usual functionality of security APIs such as export and import of keys, generation of session keys, encryption and decryption of data. To export a key k encrypted under a key kw the API programmer issues the following command from the host system to the token, where hw and h are handles referencing key objects with key value kw , and k respectively. The command will only be successful if the corresponding attributes are set as indicated below. H -> T: wrapKey hw h T -> H: {k}kw

hw

kw wrap=true ...

h

k extract.=true ...

To encrypt data d under a key ke the API programmer issues the following command: H -> T: encrypt he d T -> H: {d}ke

he

ke encrypt=true ...

There are inverse commands: unwrapKey to import a key into the token, and decrypt to decrypt encrypted data. It is well-known that, in general, Cryptoki is vulnerable to attacks. One of the simplest logical attacks is the key separation attack by Clulow [4]. Assume the token contains the key objects depicted on the left. Then an attacker can use the fact that kc is available in two roles that should be separated to reveal the sensitive key k: hc

kc wrap=true decrypt=true ...

h

k extract.=true ...

H T H T

-> -> -> ->

T H T H

: wrapKey hc h : {k}kc : decrypt hc {k}kc :k

One can avoid this attack by ensuring that no key object has ever the conflicting attributes wrap and decrypt both set. However, the situation is complicated by the fact that there are commands that allow the attacker to manipulate the role in which a key is available: the function SetAttributeValue to modify the attributes of a key object, and the function CopyObject to copy a key object while possibly modifying its attributes. Both of these functions take an attribute template as argument, which specifies the attributes of the modified or new key object. The success of these commands depends on whether the object is modifyable, and copyable respectively, and whether the configuration of the device supports the modification. As we will see Cryptoki also imposes some constraints, e.g., for key objects that have their extractable attribute set to false. A third, very subtle, way of manipulating the roles of a key is provided by first exporting a key and then importing it with new attributes, also specified by an

Reasoning with Past to Prove PKCS#11 Keys Secure

99

attribute template. The three methods are illustrated in Fig. 1. Note that in each case it is still possible to use key kc to mount the wrap/decrypt attack even though there is never a key object with conflicting attributes set. (The function CreateObject provides a fourth way of modifying the roles of a key but only concerns keys the attacker already knows.)

hc

kc wrap=true decrypt=false ...

H -> T : setAttributeValue hc t in t: wrap=false, decrypt=true T -> H : okay

hc

kc wrap=true decrypt=false ...

H -> T : copyObject hc t in t: wrap=false, decrypt=true T -> H : hn where hn is a new handle

hc

kc wrap=true decrypt=false extract.=true ...

hw

kw wrap=true unwrap=true ...

H -> T : wrapKey hw hc T -> H : {kc }kw H -> T : unwrapKey hw {kc }kw t in t: wrap=false, decrypt=true T -> H : hn where hn is a new handle

hc

kc wrap=false decrypt=true ...

hc

kc wrap=true decrypt=false ...

hc

kc wrap=true decrypt=false extract.=true ...

hw

kw wrap=true unwrap=true ...

hn

kc wrap=false decrypt=true ...

hn

kc wrap=false decrypt=true ...

Fig. 1. Manipulating the roles of a key

Many variations of the wrap/decrypt attack and other attacks using subtle changes of attributes can be found in [6]. There seem principally to be two ways to avoid such attacks: (1) to use a robust attribute policy and a more secure version of wrap/unwrap that exports and imports a key together with its attributes; the latter is not provided by PKCS#11 itself, but by proprietary extensions such as the Eracom protectServer; (2) to protect sensitive key objects from being wrapped and unwrapped ‘arbitrarily’. To this end PKCS#11 offers two mechanisms: key objects can be protected with the attribute extractable set to false from being wrapped at all; key objects with the attribute wrapWithTrusted can only be wrapped with trusted keys. The first approach has been studied in [7]. Here we present a theorem-proving approach that is suited to analyse configurations that take the second policy. In particular, we will investigate the extractable mechanism.

3

Modelling Security API Systems

We use the term security API system to refer to the network of security modules under investigation, where the communication channels are assumed to be controlled by an intruder. (As pointed out by [2] it is not sufficient to analyse one

100

S. Fröschle and N. Sommer

module in isolation.) We abstractly view a security API system as a first-order labelled state transition system (FOSTS) over a temporal signature. Our definitions of temporal signature and FOSTS are similar to those of [9]; however, we additionally work with action predicate symbols, which induce transitions labelled by action predications. As usual a signature SIG = (S, F, P) is given by a set S of (possibly ordered) sorts, a set F of function symbols, and a set P of predicate symbols, where symbols of F and P are typed over S. A temporal signature TSIG = (SIG, R, A) is given by a signature SIG = (S, F, P), a set R of flexible predicate symbols, and a set A of action predicate symbols, where symbols of R and A are again typed over S. We write f (s1 ...sn s) and p(s1 ...sn ) to denote the type of a function symbol f ∈ F, and a predicate symbol p of P, R or A respectively. SIG models the data types of the security API system. The flexible predicate symbols are used to describe the states of the security API system, which typically involves the current contents of the security module and the current knowledge of the intruder. The action predicates describe the possible actions of the system: all commands of the security API as well as the intruder’s own set of actions, such as his power to decrypt an encryption when he has the key. SIG CK = extend SIG MESG , SIG ASET SIG MESG = S KEY, CIPHER, MESG where KEY < MESG and CIPHER < MESG F

k, k1 , k2 , . . . : KEY enc : KEY × KEY → CIPHER

P

inv : KEY × KEY - - to specify that one key is the inverse of another

SIG ASET = S BOOL+ , ATTR TYPE, OBJ CLASS, ASET F

true, false, undefined : BOOL+ encrypt, decrypt, wrap, unwrap, trusted, copyable, modifyable, extractable, sensitive : ATTR TYPE secretKey, publicKey, privateKey : OBJ CLASS · .class : ASET → OBJ CLASS - - Example: t.class = secretKey · . · : ASET × ATTR TYPE → BOOL+ - - Example: t.extractable = true Fig. 2. The signature SIG CK

Example 1. The syntax of a Cryptoki system is given by the following temporal signature: TSIG Ck = (SIG Ck , RCK , ACK ), where – SIG CK is shown in Fig. 2. It involves a data type ASET to model the attribute set of a key object, and a data type MESG to model messages. To model messages we follow the typed approach of [6, 7].

Reasoning with Past to Prove PKCS#11 Keys Secure

101

– RCK = {iknows(MESG) , tcontains(KEY ASET) }, where iknows(m) expresses that the intruder knows m, and tcontains(k, t) expresses that the token contains a key object with value k and attribute set or template t. – ACK contains action predicates for all commands for object management, encryption and decryption, and key management (apart from DeriveKey) as well as the intruder actions IntrEncrypt and IntrDecrypt. (The complete list can be taken from the exec axioms in Fig. 6.) A structure S for a signature SIG = (S, F, P) is defined  as usual. We write |S|s for the domain that interpretes sort s ∈ S, and |S| for s∈S |S|s . A first-order (labelled) state transition system (FOSTS) Γ = (S, W, w0 , T, L) over temporal signature TSIG = (SIG, R, A) is given by a structure S for SIG, a set W of system states, an initial state w0 ∈ W , a total binary relation T ⊆ W × atomsA × W , called (labelled) transition relation, where atomsA is the set of ground action predications, and a function L that associates with each state wi ∈ W and every flexible predicate q (s1 ...sn ) ∈ R a mapping q L(wi ) : |S|s1 × . . . × |S|sn → {ff, tt}. A (labelled) execution sequence of Γ is an infinite sequence of states and action predications, K = (w0 , a1 , w1 , a2 , w2 , . . .) such that (wi , ai , wi+1 ) ∈ T for every i ∈ Nat. Example 2. A concrete FOSTS ΓCK over TSIG CK is provided in the full version of the paper (c.f. [1]). It is induced by a conditional rewriting system, which models all the commands of Cryptoki for object management, encryption and decryption and key management (apart from DeriveKey).

4

First-Order Linear Temporal Logic with Past Operators

Syntax and Informal Semantics. We now introduce FOLTL+p (first-order temporal logic with past operators). Let TSIG = (SIG, R, A) be a temporal signature. Let LFOL(SIG) denote the standard first-order language over SIG. TSIG gives rise to a language LFOLTL+p (TSIG) in the following way. Terms (with their sorts) are the terms of LFOL(SIG) . Atomic formulas are one of the following: – an atomic formula of LFOL(SIG) , – q(t1 , . . . , tn ), where q (s1 ···sn ) ∈ R is a flexible predicate symbol, and each ti is a term of sort si for 1 ≤ i ≤ n, or – exec a(t1 , . . . , tn ), where a(s1 ···sn ) ∈ A is an action predicate symbol, and each ti is a term of sort si for 1 ≤ i ≤ n. Formulas are inductively defined from the atomic formulas by first-order quantifiers, the usual propositional connectives, and the standard LTL temporal operators extended by past operators. Thus, apart from the standard LTL operators (‘next’) and (‘always’) we also use their past versions: (‘previous’) and (‘has-always-been’). We also use the derived operators (‘eventually’) and its past version (‘once’).







102

S. Fröschle and N. Sommer

Conceptually, formulas of FOLTL+p(TSIG) describe properties of labelled execution sequences of FOSTSs over TSIG. We now fix TSIG CK as described in the previous section, and give some examples. State formulas (i.e., formulas without temporal operators) express properties about the current state of an execution sequence: about the current intruder knowledge, the current state of the token or the action to be executed next on the sequence, for example: – “The intruder knows message m”: iknows(m) – “The token contains a key object with value k and attribute extractable set to true”: hasRole(k, extractable) ≡ ∃t. tcontains(k, t) ∧ t.extractable = true – “As next action the key k will be exported under kw ”: exec WrapKey(kw , k) The exec predications and past operators allow us to formulate axioms that describe consequences of constraints specified in the PKCS#11 standard as well as implicit constraints such as that keys will be generated ‘freshly’. – “If as next action the key k will be exported under key kw then the token must contain a key object with value k and attribute extractable set to true and a key object with value kw and attribute wrap set to true”: exec WrapKey(kw , k) → hasRole(k, extractable) ∧ hasRole(kw , wrap) – “If as next action a key k will be generated on the token then this key will be ‘fresh’, i.e., at all past states of the execution sequence including the current state, key k does not occur in the intruder knowledge and neither on the token”: exec GenerateKey(k, t) → fresh(k), where fresh(k) ≡

(¬iknows(k) ∧ ∀k¬iknows(enc(k, k)) ∧ ∀k¬iknows(enc(k, k)) ∧ ∀t¬tcontains(k, t))

Furthermore, we can axiomatize how an intruder can obtain a new situation that may be beneficial for his attack, e.g., by which actions he can obtain a key k in a role in which k is not available on the token yet. – “If key k is on the token and not available in role a but at the next state it will be available in role a then as next action either CreateObject, CopyObject, SetAttributeValue, or UnwrapKey will occur with arguments k and t where t is some attribute template specifying a true:”



tcontains(k) ∧ ¬hasRole(k, a) ∧ hasRole(k, a) → ∃t. t.a = true ∧ (exec CreateObject(k, t) ∨ exec CopyObject(k, t) ∨ exec SetAttributeValue(k, t) ∨ ∃ku exec UnwrapKey(ku , k, t)) Finally, we can formulate security properties such as: – “If a key is generated on the token with extractable set to false then it has always been and will always remain secret:” exec GenerateKey(k, t) ∧ t.extractable = false →

¬iknows(k) ∧ ¬iknows(k)

Reasoning with Past to Prove PKCS#11 Keys Secure

103

Such properties can be proved very naturally by backwards analysis. We begin by assuming the opposite, which gives us two time points along our execution sequence: a time point τ0 where the key is about to be generated and a time point τl where the intruder knows k. We then analyse how we could have got to the ‘bad’ time point τl . For this we apply reasoning such as: if the intruder knows key k at τl but the key was secret at τ0+1 , the time point just after generation, then there must be a time point τ  between τ0 and τl where the intruder is about to obtain k, i.e., where ¬iknows(k) ∧ iknows(k) holds. We can then analyse by which action he could have obtained k, and further analyse what could have happened under the induction hypothesis that the intruder does not know k. We proceed in this fashion until we reach a contradiction on all ‘branches’.



Labelled Formulas and Constraints. To be able to reason in this fashion we need to have explicit names for time points, and refer to them and the way they are related. The standard way to do this is to use the LDS (labelled deductive system) approach of Gabbay [8], where, in general, one can use labels to name worlds and a labelling language to describe patterns of worlds. For our lineartime framework the syntax and semantics is similar to that in [3]. We assume a sort of time, which will be interpreted by the natural numbers; the linear structure of time will be reflected by a successor function +1, a predecessor function −1 (since we work with past), and a binary relation ≤. This gives rise to the following syntax of labels and constraints, where V  is a set of time variables. lab ::= 0 | t | lab + 1 | lab − 1 . cst ::= lab ≤ lab | lab = lab

where t ∈ V 

In the following, we let τ range over labels, possibly annotated with subscripts. We call formulas as defined above logical formula. If F is a logical formula then τ : F is a labelled formula. Informally, τ : F means “F is true at time τ ”. Logical formula, labelled formula, and constraints collectively form the set of formulas of FOLTL+p(TSIG). Semantics. We define the semantics of FOLTL+p(TSIG) with respect to a FOSTS Γ = (S, W, w0 , T, L) over TSIG. A variable valuation ξ with respect to S (which is a mapping ξ : X → |S|) defines a mapping Sξ , which associates a value Sξ (t) ∈ |S| for every term t and a truth value Sξ (A) ∈ {ff, tt} for every non-flexible atomic formula A. It is inductively defined as usual. An execution sequence K of Γ together with a variable valuation ξ with respect to S defines, for every state wi in K a mapping S(ξ,wi ) , which associates a truth value S(ξ,wi ) (A) ∈ {ff, tt} for every flexible atomic formula A as follows: 1. S(ξ,wi ) (q(t1 , . . . , tn )) = q L(wi ) (Sξ (t1 ), . . . , Sξ (tn )) for q ∈ R, 2. S(ξ,wi ) (exec a(t1 , . . . , tn )) = tt iff (wi , a(Sξ (t1 ), . . . , Sξ (tn )), wi+1 ) ∈ T .

104

S. Fröschle and N. Sommer

A time variable valuation ξ  (which is a mapping ξ  : V  → Nat) defines a   mapping Tξ from labels to Nat in the obvious way. Tξ (τ −1) is only defined if   . Tξ (τ ) is defined and Tξ (τ ) > 0. = is mapped to the standard equality relation over Nat and ≤ denotes the standard less-than-or-equal binary relation. Now we are ready to define for every formula F the truth value of F in K under ξ. A formula F is true in K under the variable valuation ξ and time variable valuation ξ  , written K, ξ |= F , if and only if: . K, ξ |= τ = τ  K, ξ |= τ ≤ τ  K, ξ |= τ : A K, ξ K, ξ K, ξ K, ξ K, ξ K, ξ K, ξ K, ξ K, ξ





iff Tξ (τ ) = Tξ (τ  )   iff Tξ (τ ) ≤ Tξ (τ  ) iff Sξ (A) = tt for every non-flexible atomic formula A  |= τ : A iff S(ξ,wi ) (A) = tt where i = Tξ (τ ) for every flexible atomic formula A |= τ : ¬F iff K, ξ |= τ : F |= τ : F → G iff if K, ξ |= τ : F then K, ξ |= τ : G |= τ : F iff K, ξ |= τ +1 : F |= τ : F iff for all τ  , K, ξ |= τ ≤ τ  implies K, ξ |= τ  : F  |= τ : F iff if Tξ (τ ) > 0 then K, ξ |= τ −1 : F |= τ : F iff for all τ  , K, ξ |= τ  ≤ τ implies K, ξ |= τ  : F |= τ : ∃xF iff there is a ξe with ξ ∼x ξe and K, ξe |= F (ξ ∼x ξe iff ξ(y) = ξe (y) for all y ∈ X other than x) |= F iff for all τ , K, ξ |= τ : F for every logical formula F







For the other logical operators (in particular , , and ∀) the definitions carry over as usual. A logical formula F is valid in K (or K satisfies F ), written K |= F , if K, ξ |= F for every variable valuation ξ. A logical formula F is valid in Γ (or Γ satisfies F ), denoted by Γ |= F , if K |= F for every K of Γ . Theories. We will formulate in Section 5 a set of axioms that describe assertions about the runs of any Cryptoki token. Formally, this gives rise to a theory such that any FOSTS that models a Cryptoki token is a model of the theory. A theory T is a satisfiable set of logical sentences. A T -model is a FOSTS that satisfies all formulas in T . A logical formula F is T -valid, denoted by T |= F , iff every FOSTS Γ that satisfies the axioms of T , i.e., Γ |= A for every A ∈ T , also satisfies F , i.e., Γ |= F . As usual, the following connection holds: Proposition 1. Given a theory T and a logical sentence F , T |= F iff T ∪ ¬F is unsatisfiable. Proof Method. To prove T -validity of a logical sentence F we use a tableau method: we construct a proof tree that shows that the set of sentences T ∪ ¬F is unsatisfiable. We begin by assuming ¬F and proceed by applying proof rules that implement the semantic definitions of the connectives. For some rules the tableau branches into several columns. Thus, a proof evolves as a tree rather

Reasoning with Past to Prove PKCS#11 Keys Secure

105

than linearly. At any time we can extend a branch by a node with a formula of T . If we manage to derive a contradiction on each branch then we have proved that the assumption T ∪ ¬F is unsatisfiable, and hence that F is T -valid.

τ : ∀xF γ∀ τ : F {x/t} for any ground term t

τ : ¬¬F α¬ τ :F τ : F1 ∧ · · · ∧ Fn α∧ τ : Fi

τ : ¬(F1 ∧ · · · ∧ Fn ) β∧ τ : ¬F1 | · · · | τ : ¬Fn

τ : ¬∃xF γ∃ τ : ¬F {x/t} for any ground term t

τ : ¬(F1 ∨ · · · ∨ Fn ) α∨ τ : ¬Fi

τ : F1 ∨ · · · ∨ Fn β∨ τ : F1 | · · · | τ : Fn

τ : ¬∀xF δ∀ τ : ¬F {x/c} for any new constant c

τ : ¬(F → G) α→ τ :F τ : ¬G

τ :F →G β→ τ : ¬F | τ : G

τ : ∃xF δ∃ τ : F {x/c} for any new constant c

Fig. 3. Semantic rules for first-order logic connectives

Fig. 3 shows the proof rules for the first-order logic connectives. Apart from the labels they are like the rules of standard first-order tableaux methods (e.g. [5]). Note that justified by the associativity of the connectives ∧ and ∨ we permit more than two formulas in a conjunction or disjunction. Fig. 4 shows all the remaining rules. First, there are proof rules for introducing labels. Secondly, there are the proof rules for the temporal connectives. For example, if at time point τ , F holds and τ  is a time point equal or later than τ then we can deduce that F holds at τ  . The frame rules reflect characteristics of linear time such as transitivity and reflexivity of ≤, and rules which model the behaviour of ≤ and . the successor function. As usual, we use τ < τ  short for τ ≤ τ  ∧ ¬(τ = τ  ). We also use derived proof rules to make proofs more concise. The rule (MP) is a special form of modus ponens, which will be useful when applying axioms. The remaining rules give reasoning principles in the context of monotonic formulas. For example, Rule (Mon1) expresses that when F does not hold at a time point τ but F does hold at a time point τ  and F is monotonic then there must be a time point τ  between τ and τ  at which F is about to become true. A branch B of a tableau is called closed if a formula F and its negation both appear on B. The soundness of the proof rules is straightforward from the semantics. As usual, soundness of the tableau method follows from the soundness of the proof rules, and we obtain:



106

S. Fröschle and N. Sommer

Rules for introducing labels ¬F Lab1 τ : ¬F for a new label τ

F Lab2 τ :F for any label τ

Semantic rules for temporal connectives: τ : F τ +1:F

τ ≤ τ τ : F τ : F





τ: F τ ≤ τ τ : F for a new label τ 

0<τ τ : F τ −1:F

τ ≤ τ τ : F τ : F



τ: F τ ≤ τ τ : F for a new label τ 















Frame rules:

τ ≤τ

F1

τ ≤ τ τ  ≤ τ  F2 τ ≤ τ 

τ +1 ≤ τ  F3 τ < τ

τ < τ F4 τ +1 ≤ τ 

F5 . ¬(τ +1 = 0)

Derived rules: τ : F1 ··· τ : Fn F1 ∧ · · · ∧ Fn → G1 ∧ · · · ∧ Gm MP τ : Gi

τ : ¬F τ : F F → F Mon1 τ ≤ τ    τ <τ τ  : ¬F τ  : F for a new label τ 





τ ≤ τ τ :F F → F τ : F



τ ≤ τ τ : ¬F F → F τ  : ¬F



Mon2

Mon3

Fig. 4. Other proof rules tcontains(k) hasRole(k, a) avUndef (k, a) rolesCons(k) fresh(k)

≡ ≡ ≡ ≡ ≡

∃t. tcontains(k, t) ∃t. tcontains(k, t) ∧ t.a = true ∃t. tcontains(k, t) ∧ t.a = undefined ∀t, t , a, x. tcontains(k, t) ∧ tcontains(k, t ) ∧ t.a = x → t .a = x (¬iknows(k) ∧ ∀k ¬iknows(enc(k  , k)) ∧ ∀k ¬iknows(enc(k, k )) ∧ ∀t¬tcontains(k, t))



Fig. 5. Abbreviations

Reasoning with Past to Prove PKCS#11 Keys Secure

107

Theorem 1 (Soundness). If every branch of a tableau proof of the set of sentences T ∪ ¬F is closed then T ∪ ¬F is unsatisfiable, and hence F is T -valid.

5

Cryptoki Theory and Monotonicity

We now formulate our theory of Cryptoki systems. Note that our goal is not a complete axiomatization of Cryptoki but to have a set of sound axioms that support proofs about the security of keys with certain characteristics. Cryptoki theory, denoted by TCK , is presented in Fig. 6. (Refer to Fig. 5 for the abbreviations we make use of.) The theory falls into three groups of axioms. Exec Rules express enabling conditions for the commands and consequences for the next state. Obtain Rules axiomatize how the intruder can obtain a new situation that may be beneficial for his attack: the knowledge of a key or an encryption, or the availability of a key on the token in a certain role or with a certain attribute undefined. Finally, there is an axiom that expresses monotonicity of the intruder knowledge. The theory is sound with respect to our FOSTS ΓCK : Theorem 2. ΓCK is a TCK -model: ΓCK |= A for every A ∈ TCK . To ease our proving tasks we would like to work under the assumption that not only the intruder knowledge but also the token state is monotonic. In other words, we would like to employ a second monotonicity axiom: 2. M-tcontains:

tcontains(k, t) →

tcontains(k, t)

This axiom does, in general, not hold but we can achieve it by a sound approximation. By inspection of the standard it is easy to see that the only commands that violate monotonicity of state are SetAttributeValue and DestroyObject. The latter does not give any power to the intruder while SetAttributeValue can be simulated by CopyObject: whenever the intruder would use SetAttributeValue he can use CopyObject with the same attribute template. Let ΓCKmon be the FOSTS we obtain from ΓCK by removing the rules for DestroyObject and SetAttributeValue. Similarly, let TCKmon be the theory we obtain from TCK by removing the option SetAttributeValue from the axioms ObtainRole and ObtainUndef, and adding the second monotonicity axiom. Theorem 3. ΓCKmon is a TCKmon -model: ΓCKmon |= A for all A ∈ TCKmon .

6

Security of Unextractable Keys

We now wish to apply our approach to prove the following security property: “If a key is generated on the token with the extractable attribute set to false then it has always been and will always remain secret.” Cryptoki imposes two crucial restrictions on how a key object with extractable set to false can be used:

108

S. Fröschle and N. Sommer

Exec Rules: Object management 1. exec CreateObject(k, t) → iknows(k) 2. exec CopyObject(k, t) → hasRole(k, copyable) 3. exec CopyObject(k, t) ∧ t.a = undefined → avUndef (k, a) 4. exec CopyObject(k, t) ∧ t.extractable = true → hasRole(k, extractable) ∨ avUndef (k, extractable) 5. exec SetAttributeValue(k, t) → hasRole(k, modifyable) 6. exec SetAttributeValue(k, t) ∧ t.a = undefined → avUndef (k, a) 7. exec SetAttributeValue(k, t) ∧ t.extractable = true → hasRole(k, extractable) ∨ avUndef (k, extractable) Encryption and decryption 8. exec Encrypt(ke , k) → hasRole(ke , encrypt) ∧ iknows(k) 9. exec Decrypt(kd , k) → hasRole(kd , decrypt) ∧ ∃ke . inv(ke , kd ) ∧ iknows(enc(ke , k)) Key management 10. exec GenerateKey(k, t) → fresh(k) ∧ inv(k, k) ∧ tcontains(k, t) ∧ rolesCons(k) ∧ ¬iknows(k) 11. exec GenerateKeyPair(kpub , kpriv , tpub , tpriv ) → fresh(kpub ) ∧ fresh(kpriv ) ∧ inv(kpub , kpriv ) ∧ tcontains(kpub , tpub ) ∧ rolesCons(kpub ) ∧ iknows(kpub ) ∧ tcontains(kpriv , tpriv ) ∧ rolesCons(kpriv ) ∧ ¬iknows(kpriv ) 12. exec WrapKey(kw , k) → hasRole(kw , wrap) ∧ hasRole(k, extractable) 13. exec UnwrapKey(ku , k, t) → hasRole(ku , unwrap) ∧ ∃kw . inv(kw , ku ) ∧ iknows(enc(kw , k))





















Intruder 14. exec IntrEncrypt(ke , k) → iknows(ke ) ∧ iknows(k) 15. exec IntrDecrypt(kd , k) → iknows(kd ) ∧ ∃ke . inv(ke , kd ) ∧ iknows(enc(ke , k)) Obtain Rules: 1. ObtainKey ¬iknows(k) ∧ iknows(k) → ∃kd . exec Decrypt(kd , k) ∨ ∃kd . exec IntrDecrypt(kd , k) 2. ObtainEnc I ¬iknows(enc(ke , k)) ∧ iknows(enc(ke , k)) → exec Encrypt(ke , k) ∨ exec IntrEncrypt(ke , k) ∨ exec WrapKey(ke , k) 3. ObtainEnc II ¬iknows(k) ∧ ¬iknows(enc(ke , k)) ∧ iknows(enc(ke , k)) → exec WrapKey(ke , k) 4. ObtainRole tcontains(k) ∧ ¬hasRole(k, a) ∧ hasRole(k, a) → ∃t. t.a = true ∧ (exec CreateObject(k, t) ∨ exec CopyObject(k, t) ∨ exec SetAttributeValue(k, t)∨∃ku exec UnwrapKey(ku , k, t)) 5. ObtainUndef tcontains(k) ∧ ¬avUndef (k, a) ∧ avUndef (k, a) → ∃t. t.a = undefined ∧ (exec CreateObject(k, t) ∨ exec CopyObject(k, t) ∨ exec SetAttributeValue(k, t)∨∃ku exec UnwrapKey(ku , k, t))









Monotonicity: 1. M-iknows:

iknows(m) →

iknows(m)

Fig. 6. Cryptoki theory TCK

Reasoning with Past to Prove PKCS#11 Keys Secure

109

1. “The CKA WRAP attribute of the wrapping key, which indicates whether the key supports wrapping must be CK TRUE. The CKA EXTRACTABLE attribute of the key to be wrapped must also be CK TRUE.” ([10], p. 176) 2. “e.g. in the course of copying [or modifying] a secret key, a key’s CKA EXTRACTABLE attribute may be changed from CK TRUE to CK FALSE, but not the other way around.”3 ([10], p. 128) The first requirement is translated into Exec Axiom (12), and the second into Exec Axioms (4), and (7) respectively. One subtlety of Cryptoki is that not all attributes of a key (consistent with its object class) need to be defined. Our security proof highlights that it is crucial that an attribute which is already set to true or false cannot be ‘downgraded’ to undefined. This seems to be implied by the following general requirement concerning modifying attributes: 3. “The template supplied to C SetAttributeValue [or C CopyObject] can contain new values for attributes which the object already possesses; values for attributes which the object does not yet possess; or both.” ([10], p. 61) We interpret this requirement with the addition “and it is never possible to unset an attribute that has already a value to be undefined”. This is translated into Exec Axioms (3) and (6). We noticed the necessity for this requirement only during our security proof, which led us to the following attacks. First, assume a key object freshly generated with value k and extractable = undefined, and observe that k can easily be attacked as follows: 1. Use CopyObject to make a copy of k while setting extractable = true. This is not prevented by requirement (2) above. 2. Attack the copy with the wrap/decrypt attack. Now assume a key object freshly generated with value k and extractable = false. If requirement (3) (under our interpretation) is violated by an implementation then k can be attacked in the following way: 0. Use CopyObject to make a copy of the key while setting extractable = undefined. Now k can be attacked by continuing with step (1) and (2) above. With all three requirements implemented we indeed achieve: Theorem 4. ΓCKmon |= exec GenerateKey(k, t) ∧ t.extractable = false →

¬iknows(k) ∧ ¬iknows(k). 7

Conclusions

We have proved that keys that are generated with extractable = false are secure. There are some restrictions on the model, but they all seem straightforward to 3

We naturally assume that this is also so for private keys even though the standard does not spell this out.

110

S. Fröschle and N. Sommer

overcome: (1) One can use a notion of simulation to formally carry over the proof from the monotonic model to the general model. (2) We have worked with typed messages and an intruder model similar to that in [6]. The latter work uses a result which carries over results for the typed language to an untyped language. We will investigate whether this also applies here. (3) We have not modelled the commands for signing and MAC’ing since they seem not to interact with the security proof. But we will investigate this more carefully. With these extensions in place, we will have a full security proof for the absence of any logical attacks, i.e., any attacks that do not break cryptography or make use of algebraic properties. This is highly relevant for practice considering that our experiments show that protecting keys by setting extractable to false is common in real devices. We have chosen a tableau proof method because it best formalizes informal reasoning. However, it is interesting to note that the reasoning in our tableau proofs either decreases the size of formulas (as usual for tableau proofs) or steps back to earlier time points (once a ‘bad’ time point is fixed at the start). This indicates that this type of reasoning may well be amenable to automation. We have provided a more precise model of Cryptoki that can model attribute templates, and constraints on commands. This has exposed new subtleties and attacks that come from the fact that attributes can be undefined. For a robust configuration we recommend that attributes should always be given default values. In ongoing work we verify our approach by analysing configurations based on the wrapWithTrusted mechanism.

References 1. http://csd.informatik.uni-oldenburg.de/~ sib 2. Borgstr¨ om, J.: Monotonicity for multiple key managment tokens (2009); presentation at ASA 2009 3. Castellini, C.: Automated Reasoning in Quantified Modal and Temporal Logic. Ph.D. thesis, University of Edinburgh (2004) 4. Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003) 5. D’Agostino, M., Gabbay, D.M., H¨ ahnle, R., Posegga, J.: Handbook of Tableau Methods. Kluwer Academic Publishers, Dordrecht (1999) 6. Delaune, S., Kremer, S., Steel, G.: Formal analysis of PKCS#11. In: CSF 2008, pp. 331–344. IEEE Computer Society Press, Los Alamitos (2008) 7. Fr¨ oschle, S., Steel, G.: Analysing PKCS#11 key management aPIs with unbounded fresh data. In: Degano, P., Vigan` o, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009) 8. Gabbay, D.M.: Labelled Deductive Systems, vol. 1. Oxford Science Publications (1996) 9. Kr¨ oger, F., Merz, S.: Temporal Logic and State Systems. Springer, Heidelberg (2008) 10. RSA Laboratories: PKCS#11: Cryptographic Token Interface Standard, vol. v2.30, Draft 4. RSA Security Inc. (July 2009) 11. Thayer, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security protocol correct? In: IEEE Symposium on Security and Privacy, pp. 160–171 (1998)

A Formal Analysis of Authentication in the TPM St´ephanie Delaune1 , Steve Kremer1 , Mark D. Ryan2 , and Graham Steel1 1

LSV, ENS Cachan & CNRS & INRIA Saclay ˆIle-de-France, France 2 School of Computer Science, University of Birmingham, UK

Abstract. The Trusted Platform Module (TPM) is a hardware chip designed to enable computers to achieve a greater level of security than is possible in software alone. To this end, the TPM provides a way to store cryptographic keys and other sensitive data in its shielded memory. Through its API, one can use those keys to achieve some security goals. The TPM is a complex security component, whose specification consists of more than 700 pages. We model a collection of four TPM commands, and we identify and formalise their security properties. Using the tool ProVerif, we rediscover some known attacks and some new variations on them. We propose modifications to the API and verify our properties for the modified API.

1 Introduction The Trusted Platform Module (TPM) is a hardware chip designed to enable commodity computers to achieve greater levels of security than is possible in software alone. There are 300 million TPMs currently in existence, mostly in high-end laptops, but now increasingly in desktops and servers. Application software such as Microsoft’s BitLocker and HP’s HP ProtectTools use the TPM in order to guarantee security properties. The TPM specification is an industry standard [16] and an ISO/IEC standard [13] coordinated by the Trusted Computing Group. In the last few years, several vulnerabilities in the TPM API have been discovered, particularly in relation to secrecy and authentication properties (we detail a few of them in Section 5). These attacks highlight the necessity of formal analysis of the API specification. We perform such an analysis in this paper, focussing on the mechanisms for authentication and authorisation. Formal analysis of security APIs involves many of the tools and techniques used in the analysis of security protocols, but the long-term state information held by the TPM presents an additional challenge. Tools such as ProVerif are not optimised to reason with stateful protocols. There is no easy solution to this problem, although we show how to alleviate it in this case with suitable abstractions. In this paper, we model a collection of four TPM commands, concentrating on the authentication mechanisms. We identify security properties which we will argue are central to correct and coherent design of the API. We formalise these properties for our fragment, and using ProVerif, we rediscover some known attacks on the API and some new variations on them. We discuss some fixes to the API, and prove our security properties for the modified API. P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 111–125, 2011. c Springer-Verlag Berlin Heidelberg 2011 

112

S. Delaune et al.

2 An overview of the TPM The TPM stores cryptographic keys and other sensitive data in its shielded memory, and provides ways for platform software to use those keys to achieve security goals. The TPM offers three kinds of functionality: – Secure storage. User processes can store content that is encrypted by keys only available to the TPM. – Platform authentication. A platform can obtain keys by which it can authenticate itself reliably. – Platform measurement and reporting. A platform can create reports of its integrity and configuration state that can be relied on by a remote verifier. To store data using a TPM, one creates TPM keys and uses them to encrypt the data. TPM keys are arranged in a tree structure, with the storage root key (SRK) at its root. To each TPM key is associated a 160-bit string called authdata, which is analogous to a password that authorises use of the key. A user can use a key loaded in the TPM through the interface provided by the device. This interface is actually a collection of commands that (for example) allow one to load a new key inside the device, or to certify a key by another one. All the commands have as an argument an authorisation HMAC that requires the user to provide a proof of knowledge of the relevant authdata. Each command has to be called inside an authorisation session. We first describe this mechanism before we explain some commands in more detail. 2.1 Sessions The TPM provides two kinds of authorisation sessions: – Object Independent Authorisation Protocol (OIAP), which creates a session that can manipulate any object, but works only for certain commands. – Object Specific Authorisation Protocol (OSAP), which creates a session that manipulates a specific object specified when the session is set up. An authorisation session begins when the command TPM OIAP or TPM OSAP is successfully executed. OIAP authorisation session. To set up an OIAP session, the user process sends the command TPM OIAP to the TPM. Then, the user receives back a session handle, together with a nonce. Each command within the session sends the session handle as part of its arguments, and also a new nonce. Nonces from the user process are called odd nonces, and nonces from the TPM are called even nonces. This system of rotating nonces guarantees freshness of the commands and responses. All authorisation HMACs include the most recent odd and even nonce. In an OIAP session, the authorisation HMACs required to execute a command are keyed on the authdata for the resource (e.g. key) requiring authorisation.

A Formal Analysis of Authentication in the TPM

113

OSAP authorisation session. For an OSAP session, the user process sends the command TPM OSAP to the TPM, together with the name of the object (e.g. key handle), and an OSAP odd nonce No OSAP . The response includes a session handle, an even nonce for the rolling nonces, and an OSAP even nonce Ne OSAP . Then, the user process and the TPM both compute the OSAP shared secret hmac(auth, Ne OSAP , No OSAP ), i.e. an HMAC of the odd OSAP nonce and the even OSAP nonce, keyed on the object’s authdata. Now commands within such a session may be executed. In an OSAP session, the authorisation HMACs are keyed on the OSAP shared secret. The purpose of this arrangement is to permit the user process to cache the session key for a possibly extended session duration, without compromising the security of the authdata on which it is based. 2.2 Commands The TPM provides a collection of commands that allow one to create some new keys and to manipulate them. These commands are described in [16]. Here, we explain only a few of them in order to illustrate how the TPM works. To store data using a TPM, one creates a TPM key and uses it to encrypt the data. TPM keys are arranged in a tree structure. The Storage Root Key (SRK) is created by a command called TPM TakeOwnership. At any time afterwards, a user process can call TPM CreateWrapKey to create a child key of an existing key. Once a key has been created, it may be loaded using TPM LoadKey2, and then can be used in an operation requiring a key (e.g. TPM CertifyKey, TPM UnBind). TPM CreateWrapKey. The command creates the key but does not store it; it simply returns it to the user process (protected by an encryption). Assume that the parent key pair (sk , pk(sk )) under which we want to create a new key is already loaded inside the device with the authdata auth. Assume also that an OSAP session has been established on this key, with ss = hmac(auth, neOSAP , noOSAP ) as the OSAP shared secret and assume the current even rolling nonce associated to this session is ne. The command can be informally described as follows: handle(auth, sk ), no, cipher, new SK , new Ne · Ne, pk(SK ), wrp, → hmac(ss, cwk, cipher, ne, no) hmac(ss, cwk, wrp, pk(SK ), N e, no) where: – cipher = senc(NewAuth, hash(ss, ne)), and – wrp = wrap(pk(sk ), SK , NewAuth, tpmproof). The intuitive meaning of such a rule is: if an agent (possibly the attacker) has the data items on the left, then, by means of the command, he can obtain the data items on the right. The new keyword indicates that data, e.g. nonces or keys, is freshly generated. The TPM CreateWrapKey command takes arguments that include the handle for the parent key of the key to be created, an odd rolling nonce that is a priori freshly generated by the user, the new encrypted authdata of the key to be created, and the authorisation HMAC based on the authdata of the parent key. It returns the public part

114

S. Delaune et al.

pk(SK ) of the new key and an encrypted package; the package contains the private part and the authdata of the new key, as well as the constant tpmproof (a private constant only known by the TPM). This package is encrypted with the parent key pk(sk ). An authentication HMAC is also constructed by the TPM to accompany the response. The newly created key is not yet available to the TPM for use. Note that this command introduced a new authdata that is encrypted with the OSAP secret. Because this arrangement could expose the OSAP shared secret to cryptanalytic attacks if used multiple times, an OSAP session that is used to introduce new authdata is subsequently terminated by the TPM. Commands that want to continue to manipulate the object have to create a new session. TPM LoadKey2. To use a TPM key, it must be loaded. TPM LoadKey2 takes as argument a wrap created by the command TPM CreateWrapKey, and returns a handle, that is, a pointer to the key stored in the TPM memory. Commands that use the loaded key refer to it by this handle. Since TPM LoadKey2 involves a decryption by the parent key, it requires the parent key to be loaded and it requires an authorisation HMAC based on the parent key authdata. The root key SRK is permanently loaded and has a well-known handle value, and therefore never needs to be loaded. Once loaded, a key can be used, for example to encrypt or decrypt data, or to sign data. As an illustrative example, we describe the command TPM CertifyKey in more detail. TPM CertifyKey. This command requires two key handle arguments, representing the certifying key and the key to be certified, and two corresponding authorisation HMACs. It returns the certificate. Assume that two OIAP sessions are already established with their current even rolling nonce ne1 and ne2 respectively, and that two keys handle(auth1 , sk1 ) and handle(auth2 , sk2 ) are already loaded inside the TPM. The TPM CertifyKey command can be informally described as follows: n, no1 , no2 , new Ne 1 , new Ne 2 · hmac(auth1 , cfk, n, ne1 , no1 ) Ne 1 , Ne 2 , certif → hmac(auth2 , cfk, n, ne2 , no2 ) hmac(auth1 , cfk, n, Ne 1 , no1 , certif) handle(auth1 , sk1 ), handle(auth2 , sk2 ) hmac(auth2 , cfk, n, Ne 2 , no2 , certif)

where certif = cert(sk1 , pk(sk2 )). The user requests to certify the key pk(sk2 ) with the key sk1 . For this, he generates a nonce n and two odd rolling nonces no1 and no2 that he gives to the TPM together with the two authorisation HMACs. The TPM returns the certificate certif. Two authentication HMACs are also constructed by the TPM to accompany the response. The TPM also generates two new even rolling nonces to continue the session.

3 Modelling the TPM In this section, we first give a short introduction to the tool ProVerif that we used to perform our analysis. We chose ProVerif after first experimenting with the AVISPA

A Formal Analysis of Authentication in the TPM

115

toolsuite [3], which provides support for mutable global state. However, of the AVISPA backends that support state, OFMC and CL-AtSe require concrete bounds on the number of command invocations and fresh nonces to be given. It is possible to avoid this restriction using SATMC [10], but SATMC performed poorly in our experiments due to the relatively large message length, a known weakness of SATMC. We therefore opted for ProVerif using abstractions to model state, as we explain below. We will explain how the TPM commands as well as its security properties can be formalized in our framework. 3.1 The Tool ProVerif ProVerif takes as input a process written in a syntax close to the one used in the applied pi calculus [1], a modelling language for security protocols. In particular, it allows processes to send first-order terms built over a signature, names and variables. These terms model the messages that are exchanged during a protocol. Example 1. Consider for example the signature Σ = {senc, sdec, hmac} which contains three binary function symbols. The signature is equipped with an equational theory and we interpret equality up to this theory. For instance the theory sdec(senc(x, y), y) = x models that decryption and encryption cancel out whenever the same key is used. We do not need to consider any equations for modelling an HMAC function. Processes P, Q, R, . . . are constructed as follows. The process 0 is the empty process which does nothing. new a.P restricts the name a in P and can for instance be used to model that a is a fresh random number. in(c, x).P models the input of a term on a channel c, which is then substituted for x in process P . out(c, t) outputs a term t on a channel c. P | Q models the parallel composition of processes P and Q. In particular, an input and an output on the same channel in parallel can synchronize and perform a communication. The conditional if M = N then P else Q behaves as P when M and N are equal modulo the equational theory and behaves as Q otherwise. !P is the replication of P , modelling an unbounded number of copies of the process P . Moreover we annotate processes with events ev(t1 , . . . , tn ) which are useful for modelling correspondence properties, discussed below. ProVerif can automatically check security properties assuming that an arbitrary adversary process is run in parallel. Example 2. Consider the process new k.(!P |!Q) where Q= ˆ in(c, y); P = ˆ new nP .begin1(nP ). out(c, senc(nP , k)).in(c, x). if y = senc(sdec(y, k), k) then let (xP , xQ ) = sdec(x, k) in let yP = sdec(y, k) in end1(yP ).new nQ . if xP = nP then end2(nP , xQ ) begin2(yP , nQ ); out(c, senc((yP , nQ ), k)) The processes P and Q share a long term symmetric key k which they use to perform a handshake protocol. Note that we use some syntactic sugar of the ProVerif syntax for readability: final 0 and else 0 are omitted, we use a let construct to introduce local variables and use a variadic tuple operator (t1 , . . . , tn ) for concatenating terms. For the moment we ignore the begin and end events. The process P first generates a nonce nP

116

S. Delaune et al.

which is encrypted with the key k. This ciphertext is sent to Q over a channel c. In Q, the test y = senc(sdec(y, k), k) is used to check whether decryption succeeds. If it does, then the process Q generates a fresh nonce nQ and sends the encryption of both nonces back to P . Lastly, the process P checks that the received nonce matches the previously generated nonce nP . We now discuss correspondence properties, which can be automatically verified by ProVerif [4]. A correspondence property ev2(x1 , . . . , xn ) ⇒ ev1(y1 , . . . , yn ) holds if on every execution trace each occurrence of ev2(x1 , . . . , xn )σ is preceded by an occurrence of ev1(y1 , . . . , yn )σ where σ is a substitution mapping the xi s and yi s to terms. An injective correspondence property holds if each occurrence of ev2(x1 , . . . , xn )σ is preceded by a different occurrence of ev1(y1 , . . . , yn )σ. Intuitively, injective correspondence avoids replay attacks. Example 3. Coming back to Example 2, the property end1(x) ⇒ begin1(x) models that whenever the process Q receives a correctly encrypted message with key k (end1(x) occurs) it must have originated from P (begin1(x) occurs). Moreover, the processes P and Q agree on the value of x. This correspondence property indeed holds. However, the stronger injective version does not hold, as the first message of P can be replayed to Q. The second correspondence property end2(x1 , x2 ) ⇒ begin1(x1 , x2 ) models that whenever the process P finishes a session successfully, it must have interacted with the process Q. This property holds injectively. 3.2 Modelling Commands of the TPM One of the difficulties in reasoning about security APIs such as that of the TPM is nonmonotonic state. If the TPM is in a certain state s, and then a command is successfully executed, then typically the TPM ends up in a state s = s. Commands that require it to be in the previous state s will no longer work. Some of the over-approximations made by tools such as ProVerif do not work well with non-monotonic state. For example, although private channels could be used to represent the state changes, the abstraction of private channels that ProVerif makes prevents it from being able to verify correctness of the resulting specification. Moreover, ProVerif does not model a state transition system, but rather a set of derivable facts representing attacker knowledge, together with the assumption that the attacker never forgets any fact. We address these restrictions by introducing the assumption that only one command is executed in each OIAP or OSAP session. This assumption appears to be quite reasonable. Indeed, the TPM imposes the assumption itself whenever a command introduces new authdata. Moreover, tools like TPM/J [15] that provide software-level APIs also implement this assumption. Again to avoid non-monotonicity, we do not allow keys to be deleted from the memory of the TPM; instead, we allow an unbounded number of keys to be loaded. An important aspect of the TPM is its key table that allows one to store cryptographic keys and other sensitive data in its shielded memory. Our aim is to allow the key table to contain dishonest keys, i.e. keys for which the attacker knows the authdata, as well as honest keys. Some of these keys may also share the same authdata. Indeed,

A Formal Analysis of Authentication in the TPM

117

User CertifyKey = ˆ in(c, h1 ).in(c, h2 ).in(c, ne1 ).in(c, ne2 ). new N.new No 1 .new No 2 . let (auth1 , pk1 ) = (getAuth(h1 ), getPK(h1 )) in let (auth2 , pk2 ) = (getAuth(h2 ), getPK(h2 )) in let hmac1 = hmac(auth1 , (cfk, N, ne1 , No 1 )) in let hmac2 = hmac(auth2 , (cfk, N, ne2 , No 2 )) in UserRequestsC(auth1 , pk1 , auth2 , pk2 ). out(c, (N, No 1 , hmac1 , No 2 , hmac2 )). in(c, (xcert, ne1 , ne2 , hm1 , hm2 )). if hm1 = hmac(auth1 , (cfk, N, ne1 , No 1 , xcert)) then if hm2 = hmac(auth2 , (cfk, N, ne2 , No 2 , xcert)) then UserConsidersC(auth1 , pk1 , auth2 , pk2 , xcert). Fig. 1. Process User CertifyKey

it would be incorrect to suppose that all keys have distinct authdata, as the authdata may be derived from user chosen passwords. Our first idea was to use a binary function symbol handle(auth, sk ) to model a handle to the secret key sk with authdata auth. We use private functions, i.e. functions which may not be applied by the attacker, to allow the TPM process to extract the authdata and the secret key from a handle. This models a lookup in the key table where each handle can indeed be associated to its authdata and private key. Unfortunately, with this encoding ProVerif does not succeed in proving some expected properties. The tool outputs a false attack based on the hypothesis that the attacker knows two handles handle(auth 1 , sk) and handle(auth 2 , sk ) which are built over two distinct authdata but the same secret key (which is impossible). We therefore use a slightly more involved encoding where the handle depends on the authdata and a seed; the secret key is now obtained by applying a binary private function symbol (denoted hsk hereafter) to both the authdata and the seed. Hence, handle(auth 1 , s) and handle(auth 2 , s) will now point to two different private keys, namely hsk(auth 1 , s) and hsk(auth 2 , s). This modelling avoids false attacks. In our modelling we have two processes for each command: a user process and a TPM process. The user process (e.g. User CertifyKey) models an honest user who makes a call to the TPM while the TPM process (e.g. TPM CertifyKey) models the TPM itself. The user process first takes parameters, such as the key handles used for the given command, and can be invoked by the adversary. This allows the adversary to schedule honest user actions in an arbitrary way without knowing himself the authdata corresponding to the keys used in these commands. Our model assumes that the attacker can intercept, inject and modify commands sent by applications to the TPM, and the responses sent by the TPM. While this might not be the case in all situations, it seems to be what the TPM designers had in mind; otherwise, neither the authentication HMACs keyed on existing authdata, nor the encryption of new authdata described in section 2.2 would be necessary. We now illustrate our modelling on the TPM CertifyKey command in an OIAP session. The process User CertifyKey is detailed in Figure 1. This process starts by inputing two handles h1 , h2 which are provided by the attacker. In this way the attacker

118

S. Delaune et al. TPM CertifyKey = ˆ new Ne 1 .new Ne 2 .out(c, Ne 1 ).out(c, Ne 2 ). in(c, n).in(c, (h1 , no1 , hm1 )).in(c, (h2 , no2 , hm2 )). let (auth1 , sk1 , pk1 ) = (getAuth(h1 ), getSK(h1 ), getPK(h1 )) in let (auth2 , sk2 , pk2 ) = (getAuth(h2 ), getSK(h2 ), getPK(h2 )) in if hm1 = hmac(auth1 , (cfk, n, Ne 1 , no1 )) then if hm2 = hmac(auth2 , (cfk, n, Ne 2 , no2 )) then let certif = cert(sk1 , pk2 )in out(c, certif ). TpmC(auth1 , pk1 , auth2 , pk2 , certif ). new Ne 1 .new Ne 2 . let hmac1 = hmac(auth1 , (cfk, n, Ne 1 , no1 , certif )) in let hmac2 = hmac(auth2 , (cfk, n, Ne 2 , no2 , certif )) in out(c, (Ne 1 , Ne 2 , hmac1 , hmac2 )). Fig. 2. Process TPM CertifyKey

can schedule with which keys this command is executed. The user also inputs two even nonces which are supposed to come from the TPM. Then the user constructs the two authorisation HMACs for the corresponding nonces using the authdata and public keys extracted out of the handles and outputs these HMACs together with the nonces. The event UserRequestsC is used to declare that the user requested the command with the given parameters. When receiving the reply the user checks the received HMACs. If all checks go through the user triggers the event UserConsidersC. The process TPM CertifyKey is detailed in Figure 2 and does the complementary actions to the user process. We may note that when the attacker knows the authdata corresponding to a handle he can directly interact with this process without the user process. 3.3 Security Properties of the TPM The TPM specification does not detail explicitly which security properties are intended to be guaranteed, although it provides some hints. The specification [16, Part I, p.60] states that: “The design criterion of the protocols is to allow for ownership authentication, command and parameter authentication and prevent replay and man in the middle attacks.” We will formalise these security properties as correspondence properties: 1. If the TPM has executed a certain command, then a user in possession of the relevant authdata has previously requested the command. 2. If a user considers that the TPM has executed a certain command, then either the TPM really has executed the command, or an attacker is in possession of the relevant authdata. The first property expresses authentication of user commands, and is achieved by the authorisation HMACs that accompany the commands. The second one expresses authentication of the TPM, and is achieved by the HMACs provided by the TPM with its answer. We argue that the TPM certainly aims at achieving these properties, as otherwise there would be no need for the HMAC mechanism. Going back to the example of

A Formal Analysis of Authentication in the TPM

119

the TPM CertifyKey command (Figures 1 and 2) the above mentioned properties can be expressed by the injective correspondence properties: 1. TpmC(x1 , x2 , x3 , x4 , x5 ) ⇒ UserRequestsC(x1 , x2 , x3 , x4 ), and 2. UserConsidersC(x1 , x2 , x3 , x4 , x5 ) ⇒ TpmC(x1 , x2 , x3 , x4 , x5 ). These properties, however, cannot hold if we provide the attacker with a dishonest key, i.e. a handle for which he knows the corresponding authdata. Indeed, the attacker can simply execute the command without the user process. Hence, if we provide the attacker with a handle handle(auth i , seed i ) and the authdata auth i , we weaken the property to avoid the trivial failure of the property. We cannot expect the property to hold when x1 and x3 are both instantiated with auth i . However, as soon as we give the attacker the possibility to create new keys (using the TPM CreateWrapKey command), the attacker can create new keys and again make the property trivially fail. Hence, when we consider a scenario in which new keys can be loaded, we consider the following formalization: 1. TpmC(x1 , x2 , x3 , x4 , x5 ) ⇒ UserRequestsC(x1 , x2 , x3 , x4 , x5 ) ∨ (I(x1 ) ∧ I(x3 )) 2. UserConsidersC(x1 , x2 , x3 , x4 , x5 ) ⇒ TpmC(x1 , x2 , x3 , x4 , x5 ) ∨ (I(x1 ) ∧ I(x3 )). where I is the attacker knowledge predicate. Hence, we allow the property to fail if the commands are executed with keys for which the attacker knows the authdata.

4 Analysing the TPM with ProVerif All the files for our experiments described below are available on line at: http://www.lsv.ens-cachan.fr/˜delaune/TPM/ In the figures describing attacks, for the sake of clarity, we sometimes omit some parts of the messages, especially session handles that we do not consider in our model and key handles when they are clear from the other messages. Our methodology was to first study some core key management commands in isolation to analyse the weakness of each command. This leads us to propose some fixes for these commands. Then, we carried out an experiment where we consider the commands TPM CertifyKey, TPM CreateWrapKey, TPM LoadKey2, and TPM UnBind together. We consider the fixed version of each of these commands and we show in Experiment 10 that the security properties are satisfied for a scenario that allows: – an attacker to load his own keys inside the TPM, and – an honest user to use the same authdata for different keys. In our first six experiments, we model the command TPM CertifyKey in isolation. Then, in Experiments 7-9, we model the command TPM CreateWrapKey only. Lastly, in Experiment 10, we consider a model where the commands TPM CertifyKey, TPM CreateWrapKey, TPM LoadKey2, and TPM UnBind are taken into account. In all experiments, the security properties under test are the correspondence properties explained above.

120

S. Delaune et al.

Experiment 1. In our first two experiments, we consider a configuration with two keys loaded inside the TPM. The attacker knows the two handles handle(auth 1 , sk 1 ) and handle(auth 2 , sk 2 ). From the handle handle(auth 1 , sk 1 ), the attacker can obtain the corresponding public key pk(sk 1 ). However, he can obtain neither the private key sk 1 , nor the authdata auth 1 required to manipulate the key through the device. For the moment, we assume that the attacker does not have his own key loaded onto the device. ProVerif immediately discovers an attack, described in Figure 3, that comes from the fact that the command involved two keys. The attacker can easily swap the role of these two keys: he swaps the two HMACs, the two key handles, and the rolling nonces provided in input of the command. Hence, the TPM will output the certificate cert(sk 2 , pk(sk 1 )) whereas the user asked for obtaining the certificate cert(sk 1 , pk(sk 2 )). By performing also the swap on the answer provided by the TPM, the attacker can provide two valid HMACs to the user who will accept the wrong certificate. Hence, the second correspondence property is not satisfied. Note that if the user chooses to verify the certificate he received with the checkcert algorithm, then this attack is not valid anymore and ProVerif is able to verify that this second correspondence property holds. Initial knowledge of Charlie: handle(auth 1 , sk 1 ), handle(auth 2 , sk 2 ). Trace: Charlie swaps the two authorisation HMACs, and swaps the two response HMACs. USER → TPM : request to open two OIAP sessions TPM → USER : ne1 , ne2 USER requests key certification to obtain cert(sk 1 , pk(sk 2 )) USER → Charlie : n, no1 , no2 , hmac(auth 1 , cfk, n, ne1 , no1 ),hmac(auth 2 , cfk, n, ne2 , no2 ) Charlie → TPM : n, no2 , no1 , hmac(auth 2 , cfk, n, ne2 , no2 ),hmac(auth 1 , cfk, n, ne1 , no1 ) → Charlie : ne1 , ne2 , cert(sk 2 , pk(sk 1 )), hmac(auth 2 , cfk, n, ne1 , no2 ), hmac(auth 1 , cfk, n, ne2 , no1 ) Charlie → USER : ne2 , ne1 , cert(sk 2 , pk(sk 1 )), hmac(auth 1 , cfk, n, ne2 , no1 ), hmac(auth 2 , cfk, n, ne1 , no2 ) TPM

USER checks the HMACs and accepts the certificate cert(sk 2 , pk(sk 1 )). Fig. 3. Attack trace for Experiment 1

Experiment 2. We patch the command TPM CertifyKey by considering two different tags for the two different HMACs. More precisely, we replace the constant cfk with cfk1 (resp. cfk2 ) in the first (resp. second) HMAC provided by the user and also the one provided by the TPM. The attacks reported in our first experiment are prevented. ProVerif is now able to verify the two correspondence properties. Experiment 3. We add in the initial configuration another key for Alice and we assume that this new key sk 2 has the same authdata as a previous key of Alice

A Formal Analysis of Authentication in the TPM

121

already loaded onto the TPM. Hence, in our model, we have that handle(auth 1 , sk 1 ), handle(auth 2 , sk 2 ), and handle(auth 2 , sk 2 ) are terms known by the attacker Charlie. ProVerif immediately discovers another attack, described in Figure 4. The attacker can exchange the key handle handle(auth 2 , sk 2 ) provided by the honest user in entry of the command with another handle having the same authdata, i.e. handle(auth 2 , sk 2 ). The TPM will answer by sending the certificate cert(sk 1 , pk(sk 2 )) together with the two HMACs. After verifying the HMACs, the user will accept this certificate which is not the right one. Indeed, the user was expecting to receive cert(sk 1 , pk(sk 2 )). The trace described in Figure 4 shows that none of the two correspondence properties holds. Initial knowledge of Charlie: handle(auth 1 , sk 1 ), handle(auth 2 , sk 2 ), handle(auth 2 , sk 2 ). Trace: Charlie swaps a key handle for another one that has the same authdata. USER → TPM : request to open two OIAP sessions TPM → USER : ne1 , ne2 USER requests key certification to obtain cert(sk 1 , pk(sk 2 )) USER → Charlie : n, no1 , handle(auth 1 , sk 1 ), hmac(auth 1 , cfk, n, ne1 , no1 ), no2 , handle(auth 2 , sk 2 ), hmac(auth 2 , cfk, n, ne2 , no2 ) Charlie → TPM : n, no1 , handle(auth 1 , sk 1 ), hmac(auth 1 , cfk, n, ne1 , no1 ), no2 , handle(auth 2 , sk 2 ), hmac(auth 2 , cfk, n, ne2 , no2 ) TPM

→ USER : ne1 , ne2 , cert(sk 1 , pk(sk 2 )), hmac(auth 1 , cfk, n, ne1 , no1 ), hmac(auth 2 , cfk, n, ne2 , no2 )

USER checks the HMACs and accepts the certificate cert(sk 1 , pk(sk 2 )). Fig. 4. Attack trace for Experiment 3

Experiment 4. The attack described in the previous experiment comes from the fact that the HMAC is only linked to the key via the authdata. Thus, as soon as two keys share the same authdata, this leads to some confusion. A way to fix this would be to add the key handle inside the HMAC, but the TPM designers chose not to do this because they wanted to allow middleware to unload and reload keys (and therefore possibly change key handles) without the knowledge of application software that produces the HMACs. A more satisfactory solution that has been proposed for future versions of the TPM is to add (the digest of) the public key inside the HMAC. Hence, for instance, the HMAC built by the user is now of the form hmac(auth, cfk1, pk(sk ), n, ne1 , no1 ). The same transformation is done on all the HMACs. The previous attacks do not exist anymore. ProVerif is able to verify that the two correspondence properties hold. Experiment 5. We now assume that the attacker has his own key loaded onto the device. This means that he knows a key handle handle(auth i , sk i ) and the authdata auth i that allows him to manipulate sk i through the device. He has also access to the public key pk(sk i ). However, he does not know sk i that is stored inside the TPM.

122

S. Delaune et al.

We immediately rediscover the attack of [12], showing that the attacker can manipulate the messages exchanged between the USER and the TPM in such a way that the TPM will provide the certificate cert(sk 1 , pk(sk i )) to a user that has requested the certificate cert(sk 1 , pk(sk 2 )). Initial knowledge of Charlie: handle(auth 1 , sk 1 ), handle(auth 2 , sk 2 ), handle(auth i , sk i ), auth i . Trace: Charlie replaces they key to be certified his own key. USER → TPM : request to open two OIAP sessions TPM → USER : ne1 , ne2 USER requests key certification to obtain cert(sk 1 , pk(sk 2 )) USER → Charlie : n, no1 , hmac(auth 1 , cfk, pk(sk 1 ), n, ne1 , no1 ), no2 , hmac(auth 2 , cfk, pk(sk 2 ), n, ne2 , no2 ) Charlie → TPM : n, no1 , hmac(auth 1 , cfk, pk(sk 1 ), n, ne1 , no1 ), no2 , hmac(auth i , cfk, pk(sk i ), n, ne2 , no2 ) TPM

→ Charlie : ne1 , ne2 , cert(sk 1 , pk(sk i )), . . . Fig. 5. Attack trace for Experiment 5

ProVerif succeeds in proving the other correspondence property. Note that in the trace described in Figure 5, Charlie is not able to build the HMACs expected by the user in order to accept the wrong certificate. Experiment 6. The attack of [12] comes from the fact that the attacker can replace the user’s HMAC with one of his own (pertaining to his own key). The TPM will not detect this change since the only link between the two HMACs is the nonce n known by the attacker. To fix this, it seems important that each HMAC contains something that depends on the two keys involved in the certificate. So, we add a digest of each public key inside each HMAC. For instance, the first HMAC built by the user will be now of the form: hmac(auth 1 , cfk1, pk(sk 1 ), pk(sk 2 ), n, ne1 , no1 ). The attack described in Experiment 5 is not possible anymore. The TPM will only accept two HMACs that refer to the same pair of public keys. ProVerif is now able to verify that the two correspondence properties hold. However, it does not succeed in proving injectivity for the property expressing authentication of the user. This is due to a limitation of the tool and does not correspond to a real attack. Experiment 7. We now study the command TPM CreateWrapKey in isolation. For this command, we need an OSAP session. We consider a configuration with 2 keys pairs (sk 1 , pk(sk 1 )) and (sk 2 , pk(sk 2 )) loaded inside the TPM. The attacker knows the handles handle(auth 1 , sk 1 ) and handle(auth 2 , sk 2 ). He has access to the public part of these two keys but he does not know the private part of the keys and the authdata

A Formal Analysis of Authentication in the TPM

123

associated to these keys that allows one to manipulate the keys through the device. For the moment, the intruder does not have his own key loaded onto the device. For this simple configuration, ProVerif is able to verify that the two correspondence properties hold. Note that this command involves only one key, thus the kind of confusion that exists for the TPM CertifyKey command is not possible on the command TPM CreateWrapKey. Experiment 8. We add another key for Alice in the initial configuration and assume that this new key sk 2 has the same authdata as a previous key of Alice already loaded in the TPM. We discover an attack of the same type as the one presented in Experiment 3. When the user opens the OSAP session on handle(auth 2 , sk 2 ), the attacker can replace this handle by handle(auth 2 , sk 2 ). Similarly, when the user requests to create a wrap with handle(auth 2 , sk 2 ) the attacker replaces this handle by handle(auth 2 , sk 2 ). Hence, at the end, the user will obtain a wrap that is not the expected one. Note that the user cannot detect that the wrap he received has been performed with pk(sk 2 ) instead of pk(sk 2 ) since he does not have access to the private part of the key. Hence, a trace similar to the one presented in Figure 4 allows one to falsify both correspondence security properties. Experiment 9. As in the case of the TPM CertifyKey command, a way to fix this, is to add pk(sk ) inside the HMAC. Then ProVerif is able to verify the two correspondence properties even if we load a ‘dishonest’ key inside the TPM, i.e. a key for which the attacker knows the authdata. Experiment 10. We now consider a much richer scenario. We consider the commands: – TPM CertifyKey (the version described in Experiment 6 in order to avoid the previous attacks), – TPM CreateWrapKey, TPM LoadKey2, and TPM UnBind for which we add the public key inside the HMAC (again to avoid the kind of attacks that we described in Experiment 3 and Experiment 8). We consider a scenario where an honest key and a dishonest key are already loaded inside the TPM. Note that by using TPM CreateWrapKey and TPM LoadKey2, the honest user and the attacker will be able to create and load new keys into the device. Hence, having only two keys loaded in the TPM in the initial configuration is not a restriction. An honest user is allowed to use the same authdata for different keys. ProVerif is able to establish the 8 correspondence security properties. However, in one case, as in Experiment 6, it is not able to verify the injective version of the property.

5 Related Work Several papers have appeared describing systems that leverage the TPM to create secure applications, but most of these assume that the TPM API correctly functions and provides the high-level security properties required [9,11]. Lower level analyses of the

124

S. Delaune et al.

TPM API are more rare. Coker et al. discuss such work, but the details of the model remain classified [8]. Lin described an analysis of various fragments of the TPM API using Otter and Alloy. He modelled several subsets of the API commands in a model which omits details such as sessions, HMACs and authdata, but does include (monotonic) state. His results included a possible attack on the delegation model of the TPM [14]. However, experiments with a real TPM have shown that the attack is not possible [2]. G¨urgens et al. [12] describe an analysis of the TPM API using finite state automata. Details of their model are difficult to infer from the paper, but is seems to include a finite number of fresh nonces and handles, and HMACs. They also formalise security as secrecy of certain terms in the model, giving examples of concrete scenarios where these secrets must be protected. They show how an attacker can in some circumstances illegitimately obtain a certificate on a TPM key of his choice (see Experiment 5). In our work, we have proposed correspondence properties as a more general security goal for the API, and shown how attacks such as the attack in Experiment 5 are in fact an instance of a violation of these goals. We have also verified these properties on a patched API for unbounded numbers of command invocations, fresh nonces, keys and handles. We have only treated one small subset of commands so far, but runtimes with ProVerif are just a few seconds, and we are optimistic about extending our approach to cover more of the API. Other attacks on the TPM found without the aid of formal methods include offline dictionary attacks on the passwords or authdata used to secure access to keys [7], and attacks exploiting the fact that the same authdata can be shared between users [6]. Both of these can be detected in our formal model by small adjustments. However, for the moment we deliberately omit these, since fixes have already been proposed, and we are interested in analysis of the underlying API. There is a further known attack whereby an attacker intercepts a message, aiming to cause the legitimate user to issue another one, and then causes both to be received, resulting in the message being processed twice [5]. This is not a violation of our correspondence property, hence our formal model does not consider it as an attack.

6 Conclusion and Future Work We presented a detailed modelling of a fragment of the TPM in the applied pi calculus. We model core security properties as correspondence properties and use the ProVerif tool to automate our security analysis. We were able to rediscover several known attacks and some new variants of these attacks. As future work, we foresee extending our model with more commands such as those involved in key migration. We also plan to model the TPM’s platform configuration registers (PCRs) which allow one to condition some commands on the current value of a register. PCRs are crucial when using the TPM for checking the integrity of a system. Modelling the PCRs and the commands for manipulating these registers for automated verification seems to be a challenging task, because of non-monotonicity of state. Acknowledgments. Mark Ryan gratefully thanks Microsoft and Hewlett-Packard for interesting discussions and financial support that contributed to this research.

A Formal Analysis of Authentication in the TPM

125

References 1. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proc. 28th Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115. ACM Press, New York (2001) 2. Ables, K.: An attack on key delegation in the Trusted Platform Module (first semester miniproject in computer security). Master’s thesis, School of Computer Science, University of Birmingham (2009) 3. Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., He´am, P.C., Kouchnarenko, O., Mantovani, J., M¨odersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Vigan`o, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005) 4. Blanchet, B.: Automatic verification of correspondences for security protocols. Journal of Computer Security 17(4), 363–434 (2009) 5. Bruschi, D., Cavallaro, L., Lanzi, A., Monga, M.: Replay attack in TCG specification and solution. In: Proc. 21st Annual Computer Security Applications Conference (ACSAC 2005), pp. 127–137. IEEE Computer Society, Los Alamitos (2005) 6. Chen, L., Ryan, M.: Attack, solution and verification for shared authorisation data in TCG TPM. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 201–216. Springer, Heidelberg (2010) 7. Chen, L., Ryan, M.D.: Offline dictionary attack on TCG TPM weak authorisation data, and solution. In: Future of Trust in Computing, Vieweg & Teubner (2008) 8. Coker, G., Guttman, J., Loscocco, P., Herzog, A., Millen, J., O’Hanlon, B., Ramsdell, J., Segall, A., Sheehy, J., Sniffen, B.: Principles of remote attestation. International Journal of Information Security (2010) (to appear) 9. Datta, A., Franklin, J., Garg, D., Kaynar, D.: A logic of secure systems and its application to trusted computing. In: Proc. 30th IEEE Symposium on Security and Privacy (S&P 2009), pp. 221–236 (2009) 10. Fr¨oschle, S., Steel, G.: Analysing PKCS#11 key management aPIs with unbounded fresh data. In: Degano, P., Vigan`o, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009) 11. Gasmi, Y., Sadeghi, A.-R., Stewin, P., Unger, M., Asokan, N.: Beyond secure channels. In: Scalable Trusted Computing (STC 2007), pp. 30–40 (November 2007) 12. G¨urgens, S., Rudolph, C., Scheuermann, D., Atts, M., Plaga, R.: Security evaluation of scenarios based on the TCG’s TPM specification. In: Biskup, J., L´opez, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 438–453. Springer, Heidelberg (2007) 13. ISO/IEC PAS DIS 11889: Information technology – Security techniques – Trusted Platform Module 14. Lin, A.H.: Automated Analysis of Security APIs. Master’s thesis, MIT (2005), http://sdg.csail.mit.edu/pubs/theses/amerson-masters.pdf 15. Sarmenta, L.: TPM/J developer’s guide. Massachussetts Institute of Technology 16. Trusted Computing Group. TPM Specification version 1.2. Parts 1–3, revision 103 (2007), http://www.trustedcomputinggroup.org/resources/tpm_main_ specification

Modeling Identity-Related Properties and Their Privacy Strength Meilof Veeningen, Benne de Weger, and Nicola Zannone Eindhoven University of Technology {m.veeningen,b.m.m.d.weger,n.zannone}@tue.nl

Abstract. In the last years several attempts to define identity-related properties such as identifiability, pseudonymity and anonymity have been made to analyze the privacy offered by information systems and protocols. However, these definitions are generally incomparable, making it difficult to generalize the results of their analysis. In this paper, we propose a novel framework for formalizing and comparing identity-related properties. The framework employs the notions of detectability, associability and provability to assess the knowledge of an adversary. We show how these notions can be used to specify well-known identity-related properties and classify them with respect to their logical relations and privacy strength. We also demonstrate that the proposed framework is able to capture and compare several existing definitions of identity-related properties.

1 Introduction With the growth of Internet usage, companies and institutions are gathering more and more personally identifiable information about the individuals in their target groups, such as customers or citizens. Also, more and more people voluntarily publish this information, e.g. on social network websites. Individuals will be associated with an identifier such as a customer number, Social Security Number or nickname, that uniquely identifies them within the service domain. Privacy-sensitive data (name, address, age, sex, all kinds of personal preferences, etc.) will be associated with this identifier. People are often asked to provide personally identifiable information with the alleged reason of enabling personalization of services, while there may be other, hidden, reasons for this personal data collection, as it often also enables profiling of individual persons or target groups, e.g. for marketing reasons, or for (credit) risk management. Although this trend promises advantages, it also threatens the privacy of the persons involved, because of the easiness of overuse of personally identifiable information in ways that may not be in line with the reason why the person handed over this information in the first place, or may even be against his will. Before subscribing to a service, people may want to know the privacy policies and practices of the service provider, in particular they may want to know which information is personally identifiable, i.e. can be linked to the originating individual, and who is able to establish those links. Privacy, defined as the right to control one’s own personally identifiable information, is studied extensively in the literature. Several identity-related properties such 

This work is partially funded by the Dutch Sentinel Mobile IDM project (#10522).

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 126–140, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Modeling Identity-Related Properties and Their Privacy Strength

127

as pseudonymity, anonymity and identifiability are used in the literature to assess the privacy offered by information systems together with techniques for their verification. Unfortunately, there is no universal, widely accepted definition for these properties. Sometimes, the properties are defined informally and lack a precise semantics [1], making it difficult to reason about them. Elsewhere, they are formally characterized using different foundation frameworks (e.g., process algebra [2,3], modal logic [4], information theory [5], etc.) and are specific to a certain application domain. These differences make it difficult to compare the existing definitions and generalize the results of such studies. In this paper, we propose a formal framework that allows the specification and comparison of identity-related properties. In particular, we make these contributions: – Using the ideas of [1] as a starting point, we formally model the personally identifiable information in an information system, and the (partial) knowledge actors can have about this information. In this way, we are able to precisely and unambiguously define many identity-related properties. We also include non-repudiation and deniability properties that are not found in other similar works; – By analyzing our model, we obtain the logical relations between our properties. As a result, one can easily and formally see which combinations of properties are possible and which are not; – By introducing the concept of “privacy strength” we order the defined identityrelated properties so that one can compare them in terms of the privacy they offer; – We formalize the identity-related properties presented in [1,6,7] to demonstrate the expressiveness of our model. In particular, we show that our framework provides a means for comparing existing definitions of identity-related properties and consequently for generalizing the results of such studies. This paper is structured as follows. First, we introduce the concepts of personal information model (§2) and actor view (§3). Then, we show how these concepts are used to formalize identity-related properties (§4). Next, we analyze the properties in terms of logical relations and privacy offered (§5), and compare the results with existing taxonomies (§6). Finally, we present final remarks and directions for future work (§7).

2 Personal Information Models This section introduces the concept of personal information (PI) model, which is used to represent the context of a computer system containing personally identifiable information. A PI model consists of items of interest within the system (i.e., data items, identifiers, and entities) and the relations between them. A data item is a piece of information that we are interested in from a privacy perspective: information belonging to an entity (i.e., a natural person [8]) that might be regarded as sensitive. A precise characterization of data items depends on the application domain. For example, in a communication setting, data items (“hello”, sent) and (“hello”, recv) represent the actions of sending and receiving message “hello” over a network; in a database setting, entries in the database such as a person’s age, address, etc. are data items. Data items, however, are not directly coupled with entities; rather, they are coupled with identifiers, which represent an attribute of an entity (e.g., social security number)

128

M. Veeningen, B. de Weger, and N. Zannone d1

d2

 θ  
θ i1 = i2 ==    ψ ψ

e (a) Functions θ, ψ

dO 1 Z6ohQQ /; dO 2 \: 66 vQvQvQQ ::

QQQ   {vv6 (/ i2 III66 @ I$   

6 i1 odII 66

e (b) ↔ relation

Fig. 1. D = {d1 , d2 }; I = {i1 , i2 }; E = {e}. The θ and ψ functions indicate to which (single) identifier a data item belongs, and to which (single) entity an identifier belongs; the “related” relation ↔ is the minimal equivalence relation containing ψ and θ.

that can be used to uniquely identify an entity within the system. An identifier, in turn, is coupled with the corresponding entity. Distinguishing identifiers from entities makes it possible to model situations in which the coupling of a data item to an identifier is known, but the coupling to the entity is not; and to model situations in which an entity makes use of multiple identifiers (i.e., pseudonyms) within the same system. A data item in our model is assumed to belong to one unique identifier, which in turn belongs to one unique entity. This way, when one speaks e.g. about the “anonymity” of a data item, it is immediately clear whose privacy is protected. Given the sets of data items D, identifiers I and entities E, we can see these links as functions θ : D → I and ψ : I → E (Figure 1(a)). We introduce the relation related, denoted by ↔, to indicate that two items of interest are related to each other. Essentially, ↔ is the minimal equivalence relation on data items, identifiers and entities such that a data item d is related to an identifier i (represented as d ↔ i) if θ(d) = i and an identifier i is related to an entity e (represented as i ↔ e) if ψ(i) = e (Figure 1(b)). Note that according to the definition of ↔, a data item is related to any identifier of an entity, and not just to the one given by θ. In fact, the relation ↔ defines equivalence classes which consist of exactly one entity and all identifiers and data items related to it. This representation makes it possible to infer all the information related to an entity and better evaluate the level of entity’s privacy. Definition 1. A personal information model or PI model is a tuple (E, I, D, ↔) where: 1. E, I and D are disjoint finite sets of entities, identifiers and data items, respectively; 2. ↔ is an equivalence relation on E ∪ I ∪ D, called the related relation, such that every data item is related to at least one identifier, and every identifier is related to exactly one entity. Note that this definition implies that any data item or identifier is related to one unique entity, as indicated above. Note, also, the disjointness of E, I and D: this is to avoid ambiguity in the definitions of our properties later on. For the sake of simplicity, we use O to denote the set of all items of interest in the system (i.e., O = E ∪I ∪D) when there is no need to distinguish between the different types. Moreover, we use the symbol ↔ to indicate that two items of interest are not related to each other. An obvious domain where identity-related properties are relevant is communication networks where various parties send messages to each other. The following example shows how our model applies to this domain.

Modeling Identity-Related Properties and Their Privacy Strength dO 1.W NNN

1

d2 .. NNNNNNN G O 2 N N  .1 2   i? _ ?...  ? d1 ??.      2 1 e (a)

dO 1W. NNN

1,a

d2

. NNNNNN  .. 1,aNNNN d1 i? _ ?... ??. ?    2,a 1,a e

(b)

Fig. 2. The two consistent PI models from Example 2 (a), and a’s views from Example 5 (b)

o d1 = Italian Z66Hc H

129

/ d2 = postdoc : C uu 66 H b,{a,b} a,{a,b} 66 H# zuu  6 iO  {a,b} {a,b} 6 66  {a,b} 6   {a,b}

e Fig. 3. Combined actor view (Example 3)

Example 1. Consider a communication network such as the Internet. The IP address used in communication can be modeled as the identifier of the person accessing the network. A person may use several IP addresses to access the network (e.g., the IP addresses corresponding to his home Internet connection, to his mobile phone, etc.). In our model, these IP addresses corresponds to different identifiers of the same entity. A message m transmitted over the network is then represented as two data items: (m, sent) and (m, recv). This representation makes it possible to identify the sender and the receiver of a specific message. Different systems may share common entities, identifiers, or data items. In particular, a data item in one system can be used as an identifier in another system. In case of overlap, if different models (Ei , Ii , Di , ↔i ) are to give a consistent view of reality, they must correspond on the overlapping   part. Formally, let ↔ be the minimal equivalence relation on Oi such that ↔⊃ ↔i ; then the restriction of ↔ to Oi is equal to ↔i . Example 2. Let M1 = (E1 , I1 , D1 , ↔1 ) and M2 = (E2 , I2 , D2 , ↔2 ) be two PI models where M1 represents a social network site and M2 an e-mail system. Let e be an entity that occurs in both systems and i be its identifier on the social network. Now, the e-mail address d1 of e is mentioned in his profile on the social networking site, so it occurs as a data item in M1 . However, d1 is also e’s identifier in M2 , linked to an e-mail message d2 . The ↔ relation as defined above now relates all items {e, i, d1 , d2 }. The relation ↔1 defines the equivalence class {e, i, d1 } and ↔2 the equivalence class {e, d1 , d2 }. Clearly, M1 and M2 are consistent (see Figure 2(a)).

3 Actor View The PI model describes the “full reality”, that is, all the items of interest within the system and the relations between them. Different actors may see different parts of the system; their views model the partial knowledge they have about the reality at a given moment in time. In this paper, A is used to denote the set of actors. There is no inherent relation between this set and the set of entities defined in the system. Actors may be normal users of a system, or they may be attackers that want to collect as much information as possible – it is in terms of these latter kinds of attackers that identity-related properties are usually defined [1,6,7]. Note that we only consider knowledge of a given actor at a static moment in time. Thus, the concept of view is not bound to a certain kind of attacker model in which an attacker is static/active or inside/outside the system.

130

M. Veeningen, B. de Weger, and N. Zannone

An actor may or may not know about the existence of certain data items, identifiers or entities. Also, even if the actor knows about the existence of two items, he may not be aware of whether they are related. Let us indicate how these aspects are formalized in the actor’s view. First, the view includes the set of items of interest detectable by the actor. In other words, the actor “can sufficiently distinguish whether [these items] exist or not” [1]. This means that the actor not only “sees” that the item exists, but also that it is real (for instance, in cases where dummy traffic is added to a communication network [9], this dummy traffic is not part of the view). Next, an actor a can observe relations between items of interest within the system. This is captured by the associability relation (denoted by ↔a ): if x, y are related in the system, then x ↔a y means that a can “sufficiently distinguish whether these items of interest are related” [1]. Finally, if x ↔a y, then it is possible that a is even able to convince other actors that the items are indeed related: for this we introduce a stronger version of ↔a called the provability relation, denoted by a . Note that providing a formal definition of detectability, associability, and provability is out of the scope of this paper. We refer to Section 7 for a discussion on existing works that can be used to formalize these notions. Actors can combine their knowledge about the PI model. One application is federated identity management [10], in which service providers share information with partners and deliver services across multiple domains. To capture this case, we define the view of sets of actors, indicating the knowledge they would collectively have if they would (hypothetically) come together and share their information about the PI model. Definition 2. Let M = (E, I, D, ↔) be a PI model and A ⊂ A be a set of actors. The view of A on M is a tuple (EA , IA , DA , ↔A , A ) such that: 1. EA ⊂ E, IA ⊂ I, DA ⊂ D are the items of interest detectable by A; their union is denoted OA = EA ∪ IA ∪ DA 2. ↔A ⊂ (↔ ∩(OA × OA )) is an equivalence relation: the associability relation of A 3. A ⊂↔A is an equivalence relation: the provability relation of A 4. If A = A1 ∪A2 for non-empty A1 , A2 ⊂ A, then EA ⊃ EA1 ∪EA2 ; IA ⊃ IA1 ∪IA2 ; DA ⊃ DA1 ∪ DA2 ; ↔A ⊃ (↔A1 ∪ ↔A2 ); A ⊃ (A1 ∪ A2 ).  A for the complement of A . The We write ↔ A for the complement of ↔A and  above definition states that (1) only “real” items can be detected; (2) the associability relation is an equivalence relation and a set of actors A can only associate items that are related in the system and detectable by A; (3) the provability relation is an equivalence relation and an actor can prove that two items of interest are associated only if he can associate them; (4) two sets of actors combined have at least as much knowledge as the separate sets. Note that ↔A contains at least the transitive closure of ↔A1 and ↔A2 , but possibly even more (and similarly for A ). So, a group may be able to deduce more than what follows directly from the models of the single actors (or subsets of actors) forming the group (see Example 3). Example 3. Consider a research group with only one Italian postdoc e, with i as employee number. Suppose actor a knows the nationality d1 = Italian of i, and actor b knows the position d2 = postdoc of i. Data items d1 and d2 alone are not sufficient to uniquely identify e, as several postdocs and several Italians may work in the research group. However, the set {a, b} can link i to e (Figure 3).

Modeling Identity-Related Properties and Their Privacy Strength

131

Example 4. Consider the scenario of Example 1. Detecting an IP address means being able to say whether the IP address is in use in the network. Detectability of messages means knowing that a given message is a real message sent over the network regardless of its sender or recipient. We assume that if a message m is detectable, then data items d1 = (m, sent), d2 = (m, recv) are detectable. However, the associability of the message to the sender and to recipient are independent from each other. The views of a set of actors on two overlapping PI models must be consistent. Similarly to what we described earlier, given views (Ei,A , Ii,A , Di,A , ↔i,A , i,A ) of actors A ⊂ A on system models (Ei , Ii , Di , ↔i ), we say that the ↔i,A should be restrictions to Oi,A × Oi,A of ↔A . The same holds for the provability relations i,A . Example 5. Let us revisit Example 2. Now suppose that an actor a ∈ A is able to see the e-mail address of e on e’s profile, so i ↔1,a d1 . Also, in his e-mail application he sees that the e-mail address belongs to e, so in the view of the e-mail system, d1 ↔2,a e. Then the consistency requirement states that also in a’s view on M1 , the e-mail address (as data item) is associable to e: d1 ↔1,a e, and thus also i ↔1,a e (Figure 2(b)).

4 Identity-Related Properties This section presents a formalization of well known identity-related properties (e.g. [1]) in terms of actor view. These properties (Table 1) are defined from the perspective of data items by describing their detectability and the amount of associability that data items have to other items of interest. – The detectability properties (D, UD) indicate the occurrence of the data item in the detectability set of the actor view; – The identifiability properties (I, PI, CI) indicate that the actor can associate the data item to an entity, identifier, or both — note that the identifier that a data item d is associated with does not necessarily need to be θ(d): it can also be any other identifier of ψ(θ(d)) observable by the actor; – The anonymity properties (A, PA, CA) indicate that such a link can not be made; – The linkability properties (L, UL) indicate the ability to associate the data item with other data items; – The non-repudiability properties (EN, IN, CN) indicate that a link to an identifier, entity, or both, can be proved; – The deniability properties (ED, ID, CD) indicate that such a link can not be proved. The following observations follow directly from our model: Proposition 1. Let M = (E, I, D, ↔) be a PI model, A ⊂ A a set of actors, and d1 , d2 ∈ D s.t. d1 ↔ d2 . If d1 and d2 are identifiable, then they are linkable. If d1 and d2 are pseudo-identifiable to the same i, then they are linkable. (Un)detectability, identifiability, anonymity, (un)linkability, entity-non-repudiability and entity-deniability can be similarly defined as properties of identifiers; we do not present them in the paper due to lack of space.

132

M. Veeningen, B. de Weger, and N. Zannone

Table 1. Let (E , I, D, ↔), A ⊂ A, MA = (EA , IA , DA , ↔A ,  A ) be a PI model, a set of actors and the view of that set of actors, respectively. Let d ∈ D. The table shows the conditions under which identity-related properties hold for d w.r.t. A. Property of d ∈ D detectability (D) undetectability (UD) identifiability (I) pseudo-identifiability (PI) complete identifiability (CI) anonymity (A) pseudonymity (PA) complete anonymity (CA) linkability (L) unlinkability (UL) entity-non-repudiability (EN) identifier-non-repudiability (IN) complete non-repudiability (CN) entity-deniability (ED) identifier-deniability (ID) complete deniability (CD)

Condition d ∈ DA d∈ / DA ∃e ∈ EA s.t. d ↔A e; i.e. d ↔A ψ(θ(d)) ∃i ∈ IA s.t. d ↔A i ∃e ∈ EA s.t. d ↔A e and ∃i ∈ IA s.t. d ↔A i; d∈ / DA , or ∀e ∈ EA d ↔ A e; i.e. d ∈ / DA ∨d ↔ A ψ(θ(d)) ∀e ∈ EA d ↔ A e and ∃i ∈ IA s.t. d ↔A i d∈ / DA , or ∀e ∈ EA d ↔ A e and ∀i ∈ IA d ↔ A i ∃d ∈ DA s.t. d ↔A d ∀d ∈ DA d ↔ A d ∃e ∈ EA s.t. d  A e; i.e. d  A ψ(θ(d)) ∃i ∈ IA s.t. d  A i ∃e ∈ EA s.t. d  A e and ∃i ∈ IA s.t. d  A i d∈ / DA , or ∀e ∈ EA d  A e; i.e. d ∈ / DA ∨ d  A ψ(θ(d)) d∈ / DA , or ∀i ∈ IA d  Ai d∈ / DA , or ∀e ∈ EA d  A e and ∀i ∈ IA d  Ai

5 Taxonomies of Identity-Related Properties This section presents an analysis of the relationships between the properties defined in Section 4. We introduce the concept of “privacy strength” of a data item, which represents the information that an actor has about the data item. This concept is then used to compare the properties in terms of their logical relations and of privacy offered. 5.1 Strength of Privacy The properties introduced in Section 4 are defined in terms of several aspects of a data item: its detectability, its associability to an entity, and its associability to an identifier. We use these three aspects of privacy to define the “privacy strength” of a data item: Definition 3. Let (E, I, D, ↔) be a PI model and A ⊂ A be a set of actors. Let d ∈ D. The privacy strength σ of d w.r.t. A is the tuple (δ, , ι), where: – δ = 1 if d ∈ DA ; δ = 0 otherwise; –  = 2 if there is e ∈ EA such that d A e;  = 1 if not, but there is e ∈ EA such that d ↔A e;  = 0 otherwise; – ι = 2 if there is i ∈ IA such that d A i; ι = 1 if not, but there is i ∈ IA such that d ↔A i; ι = 0 otherwise. Note that the ↔A and A relations only have meaning if d ∈ DA , so the admissible privacy strengths are those in S = {(0, 0, 0)} ∪ ({1} × {0, 1, 2} × {0, 1, 2}).

Modeling Identity-Related Properties and Their Privacy Strength

133

Table 2. Let (E , I, D, ↔) be a PI model and A ⊂ A a set of actors. The table shows the conditions on the privacy strength σ = (δ, , ι) of a data item c ∈ D corresponding to the given identity-related properties. privacy property undetectability (UD) anonymity (A) pseudonymity (PA) complete anonymity (CA) entity-deniability (ED) identifier-deniability (ID) complete deniability (CD)

condition δ=0 =0  = 0, ι ≥ 1 =ι=0 <2 ι<2  < 2, ι < 2

privacy property detectability (D) identifiability (I) pseudo-identifiability (PI) complete identifiability (CI) entity-non-repudiability (EN) identifier-non-repudiability (IN) complete non-repudiability (CN)

condition δ=1 ≥1 ι≥1  ≥ 1, ι ≥ 1 =2 ι=2  = 2, ι = 2

We can now rephrase our properties as conditions of the privacy strength of a data item. Each identity-related property then corresponds to a subset S  ⊂ S of admissible privacy strengths. The correspondence is shown in Table 2. Note that we do not consider (un)linkability as it is not about associating the data item with identifiers and entities. 5.2 Logical Relations between Properties The formulation of identity-related properties in terms of their privacy strength enables us to analyze the logical relations between them (i.e., whether they overlap, are mutually exclusive, or one implies the other). The following result follows directly from Table 2: Proposition 2. Let (E, I, D, ↔) be a PI model, and A ⊂ A a set of actors. Then Table 3 shows the logical relations between the identity-related properties for a data item d ∈ D with respect to A. Table 3 makes it possible to identify, for example, which properties it is impossible to achieve at the same time. For instance, having both identifiability and pseudonymity is not possible, but one can have identifiability with pseudo-identifiability. It also shows that anonymity automatically guarantees entity-deniability. Although the taxonomy in Table 3 exactly indicates the logical relations between properties, it does not say which ones are more desirable from a privacy standpoint. In the next section, we propose an ordering of properties with respect to privacy. 5.3 A Partial Order on Privacy Strengths The notion of “privacy strength” makes it possible to compare the privacy of different data items: we say that a data item has (strictly) stronger privacy than another data item if on each of the three aspects above, its privacy is stronger than that of the other item. This gives a partial order on the admissible privacy strengths (Figure 4). Definition 4. Let b and c be two data items, and σb = (δb , b , ιb ) ∈ S and σc = (δc , c , ιc ) ∈ S be their privacy strengths. We say that σb is stronger than σc , denoted by σb σc , if δb ≤ δc , b ≤ c , ιb ≤ ιc . Accordingly, we say that b has stronger privacy than c (denoted by b c) if σb σc .

134

M. Veeningen, B. de Weger, and N. Zannone

Table 3. Logical relations between the various identity-related properties. ⇑: left properties implies top property; ⇐: left property implied by top property; ∅: mutually exclusive; ¬: each others negation; : properties partially overlap. detect. identif. anonymity non-repud. deniability D UD I PI CI A PA CA EN IN CN ED ID CD Detectability (D) = ¬ Undetectability (UD) ¬ =

⇐⇐⇐  ⇐  ∅ ∅ ∅ ⇑ ∅ ⇑

⇐ ⇐ ⇐ ∅ ∅ ∅

   ⇑ ⇑ ⇑

Identifiability (I) ⇑ ∅ Pseudo-identifiability (PI) ⇑ ∅ Complete identifiability (CI) ⇑ ∅

=  ⇐ ¬ ∅ ∅  = ⇐  ⇐ ∅ ⇑ ⇑ = ∅ ∅ ∅

⇐  ⇐  ⇐ ⇐   ⇐

     

Anonymity (A)  ⇐ Pseudonymity (PA) ⇑ ∅ Complete anonymity (CA)  ⇐

¬  ∅ ∅ ⇑ ∅ ∅ ∅ ∅

= ⇐ ⇐ ⇑ = ∅ ⇑ ∅ =

∅  ∅  ∅ ∅

∅ ∅ ∅

⇑   ⇑   ⇑ ⇑ ⇑

Entity-non-repudiability (EN) ⇑ ∅ Identifier-non-repudiability (IN) ⇑ ∅ Complete non-repudiability (CN) ⇑ ∅

⇑    ⇑  ⇑ ⇑ ⇑

∅ ∅   ∅ ∅

∅ ∅ ∅

=  ⇐  = ⇐ ⇑ ⇑ =

¬  ∅  ¬ ∅ ∅ ∅ ∅

   ⇐⇐ ⇐      ⇐      ⇐

¬  ∅  ¬ ∅ ∅ ∅ ∅

=  ⇐  = ⇐ ⇑ ⇑ =

Entity-deniability (ED)  ⇐ Identifier-deniability (ID)  ⇐ Complete deniability (CD)  ⇐

        

  

            

 

  


  
       

   


 
     
   

 

       
            


       

        

        




          

 


 

Fig. 4. Partial order on the set S of admissible privacy strengths. In the left figure, for the detectability, identifiability and anonymity properties their subsets S  ⊂ S are drawn (for the colored areas, the line style of the area corresponds to that of the property name); in the right figure the non-repudiability and deniability properties are indicated.

The definition above together with the formalization of identity-related properties in Table 2 allows us to order properties with respect to their privacy strength. We consider two natural ways to define when S1 ⊂ S offers stronger privacy than S2 ⊂ S. First, we consider a strict condition under which S1 should be pairwise stronger than S2 . In this case, we say that S1 has absolutely stronger privacy than S2 . We also consider a weaker condition under which S1 just has stronger privacy than S2 .

Modeling Identity-Related Properties and Their Privacy Strength

D O aCfMCMM jmrjmrz865 < CN z

CCMM jmjmrjmrjmr j z j

m z j jmjmmmrrrzz

INO aDD CCCMMMM j j j M m rr zz

jjj mkXmXPI CI PA A ID ED YYYYXYXYXjVXVIXVVhRVREN O lYYD YYYXYXYXVRYXVRXVRcGVRGG O F {{= qqq8 Y X Y q { q CD lYYYYYY CA O {{qq YYYYYY YYYY {q{qq UD (a) “absolutely stronger”-relation 

135

; CN O cGGG ww IN O w; CI Gc G EN O G w PI I ; O cGGG www w PA DO cG O GG ED ; cGGG IDO www A cG GG www; CD CA O UD

(b) “stronger” relation Fig. 5. Partial orders on identity-related properties: arrow means weakening of privacy

Definition 5. Let P1 and P2 be properties, and S1 ⊂ S and S2 ⊂ S their respective sets of privacy strengths. – P1 has absolutely stronger privacy than P2 , or P1  P2 , if for all σ1 ∈ S1 , σ2 ∈ S2 one has σ1 σ2 – P1 has stronger privacy than P2 , or P1 P2 , if for all σ ∈ S1 , there exists a τ ∈ S2 such that σ τ and for all τ ∈ S2 , there exists a σ ∈ S1 such that σ τ . It is clear that and  defined above are relations; however, it may not be immediately clear that they are partial orders (i.e., they are reflexive, anti-symmetric and transitive relations). This does turn out to be true.1 Proposition 3. The partial orders ,  on identity-related properties are as in Fig. 5. As seen in the figure, the absolutely stronger relation already gives us several logical conclusions: for instance, we can see that undetectability (UD) is the strongest privacy guarantee, whereas complete non-repudiation (CN) offers the weakest — in fact, no — privacy. However, there are also many things it does not allow us to conclude. For instance, anonymity (A) does not offer absolutely stronger privacy than identifiability (I). The reason is that if anonymity (A) holds for a data item d, then it may still be associable to an identifier; if identifiability (I) holds for d then it may be unassociable to an identifier. Using the less strict “stronger” relation (Figure 5(b)), we can make this claim and several similar ones. 5.4 Relating the Taxonomies Each identity-related property corresponds to an area in Figure 4. Given two identityrelated properties, we can compare them on their privacy strength. Loosely speaking, if property A has stronger privacy than property B, then it will lie lower than B in the 1

Technically, ,  give a partial ordering on all subsets S  ⊂ S that have no gaps, i.e., if x, z ∈ S  and x  y  z, then also y ∈ S  . This property holds for all of our properties.

136

M. Veeningen, B. de Weger, and N. Zannone

Table 4. Possible situations when comparing two identity-related properties A, B and their interpretations as areas in Figure 4. Between brackets an example of the situation is given. Note that A = S \ B is a special case of A ∪ B = ∅. A B A,B incomp.

A∪B =∅ B completely above A (CA CN) A,B next to each other (PA, ID)

A⊂B A is bottom part of B (UD CA) A in middle of B (PA⊂ED)

B⊂A B is top part of A (IN CN) B in middle of A (ED⊂PA)

A ∪ B = ∅ B partly above A (A IN) A, B overlap, not one above (A,Cd)

figure. Also, we can see the logical relation between A and B in the figure: for example, if A and B overlap as properties, then the areas in the figure will overlap. The comparison of two properties both on strength and on logical relation determines how the areas of the properties relate to each other. For instance, if A B and A ⊂ B, then the area of A in the figure must be the lower part of the area of B. A summary of the many different combinations that can occur is shown in Table 4.

6 Comparing Identity-Related Property Taxonomies In this section, we discuss several frameworks [1,6,7] that define identity-related properties, and we compare them with our framework. Note that these frameworks mainly focus on a communication setting. We refer to Examples 1 and 4 on how this domain can be represented in our model. To smooth our terminology in this particular context, given a message m we refer to “anonymity of (m, sent)” simply as “anonymity of the sender of m”, and similarly for other properties. The frameworks presented in [1,6,7] do not differentiate between entities and identifiers (although [6] does mention this as a possible extension). Consequently, they cannot capture pseudonymity as a property. Pfitzmann and Hansen [1] do define pseudonymity, but by this they mean the mechanism of using pseudonyms. They then specify different degrees of linkability between the pseudonym and entity that correspond to our notions of identifiability/anonymity of identifiers. Also non-repudiability and deniability properties are not considered in these frameworks. 6.1 Privacy by Data Minimization In their evolving work [1], Pfitzmann and Hansen present a terminology for properties related to what they call privacy by data minimization. From the basic concepts of detectability and linkability of items of interest, they define informally more advanced properties. These (informal) definitions are the basis of our framework, albeit that we use the term associability instead of linkability. This is because we want to distinguish the property of linking two data items (or two identifiers) to one another from the general relation used to associate items of interest with each other. Table 5 provides a formalization of the identity-related properties of [1] in our model. For instance, sender anonymity can be translated into our model as follows: given a message m, (m, sent) is anonymous from the perspective of adversary a (i.e., anonymity of sender). Similarly, recipient anonymity – the dual of sender anonymity – corresponds to anonymity of recipient.

Modeling Identity-Related Properties and Their Privacy Strength

137

Table 5. Interpretation in our model (for a given message m sent by s and received by r w.r.t. actor a) for identity-related notions from [1], and our name for the given property Property from [1] Detectability Undetectability Linkability Sender Anonymity Recipient Anonymity Unobservability (w.r.t. all actors)

Interpretation (m, sent) ∈ Da ∧ (m, recv) ∈ Da (m, sent) ∈ / Da ∧ (m, recv) ∈ / Da o1 ↔A o2 (with o1 , o2 ∈ Oa ) (m, sent) ↔ a s (m, recv) ↔ a r ∀b ∈ A : b = s, b = r : (m, sent) ∈ / Db ∧ (m, recv) ∈ / Db ∧ (m, sent) ↔ r s ∧ (m, recv) ↔ s r

Property detectability undetectability associability anonymity of sender anonymity of recipient undetectability w.r.t. b; anonymity of sender w.r.t. r; anonymity of recv w.r.t. s

The authors also define the notion of unobservability: for a message m sent by s and received by r, it means undetectability of m w.r.t. A \ {s, r}, sender anonymity w.r.t. r, and recipient anonymity w.r.t. s. Differently from other properties, unobservability is a global property in the sense that it is defined w.r.t. the set of all actors A. 6.2 An Indistinguishability-Based Characterization of Anonymous Channels In [7], several identity-related notions are defined and classified in terms of indistinguishability of message matrices. A message matrix indicates which messages have to be sent by what sender to what recipient in a run of some communication protocol. An adversary gets to choose two message matrices M1 and M2 . The communication protocol will then be run in an experiment using either M1 or M2 , and the adversary tries to decide which message matrix was used. Identity-related notions are then defined in terms of restrictions placed on the message matrices (in other words, what information can be freely chosen by the adversary). The strongest anonymity notion, unobservability, holds when there are no restrictions at all on M1 and M2 , but still after observing the communication protocol the adversary cannot say which was used. For the weaker notion of unlinkability, the number of messages sent by each sender and the number of messages received by each recipient must be the same for the two message matrices. Differently from our approach, the properties of [7] are also defined on the basis of the confidentiality of the message content.2 Therefore, many of them (i.e., SUL, RUL, UL, SA*, RA*, and SRA) cannot be captured in our model. To enable us to compare these notions, we extend the view Ma with a set Ca ⊂ Da consisting of the messages whose content is known to the attacker. Table 6 shows a formalization of their identityrelated properties in this extended model. From the table, one can clearly reproduce the trivial relations between properties given in Proposition 1 from [7]. In their formalization, the authors also show that using PKI and key-private secure encryption [11], some weak notions can be transformed to stronger notions. The use of encryption aims to guarantee the confidentiality of messages. Under this assumption, the authors prove that SUL, RUL, and UL are all equivalent as well as SA and SA*, and RA and RA*. Table 6 shows that the same conclusions can be drawn in our framework. 2

Although confidentiality of the message is an important aspect, we believe that it is independent of the issue of associating a message with its sender and recipient.

138

M. Veeningen, B. de Weger, and N. Zannone

Table 6. Interpretation in our model (for a given message m sent by s and received by r w.r.t actor a) for identity-related notions from [7], and our name for the given property Property from [7] Sender Unlinkability (SUL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Unlinkability (RUL) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) (Sender-Receiver) Unlinkability (UL) Sender-Receiver Anonymity (SRA) Unobservability (UO)

Interpretation Property (m, sent) ↔ a s ∨ ((m, recv) ↔ a r ∧ m ∈ / Ca ) — (m, sent) ↔ a s anonymity of sender (m, sent) ↔ a s ∧ m ∈ / Ca — (m, recv) ↔ a r ∨ ((m, sent) ↔ a s ∧ m ∈ / Ca ) — (m, recv) ↔ a r anonymity of recipient (m, recv) ↔ a r ∧ m ∈ / Ca — ((m, recv) ↔ a r ∨ (m, sent) ↔ a s) ∧ m ∈ / Ca — (m, recv) ↔ a r ∧ (m, sent) ↔ a s ∧ m ∈ / Ca — (m, sent) ∈ / Da ∧ (m, recv) ∈ / Da undetectability

Pfitzmann and Hansen [1] have also compared their terminology to [7], with different results. However, we believe our comparison matches more closely with the formal model of [7]. For example, they claim that SUL corresponds to sender anonymity. This latter property means that no message can be associated with its sender. However, suppose an actor can associate a message with its sender, but not see the contents of the message or the recipient. Then, in the formalization of [7], SUL still holds. So clearly, although sender anonymity is a sufficient condition for SUL, it is not a necessary one.3 6.3 Information Hiding, Anonymity and Privacy: A Modular Approach In [6], identity-related properties are formalized in terms of the amount of knowledge about sender and recipient functions (i.e., functions that link messages to their sender or recipient respectively). These functions can have the following properties: – Value opaqueness: for a given message, the sender/recipient is not known. This corresponds to anonymity of sender and anonymity of recipient, respectively. – Image opaqueness: for a given entity, it is not known if it has sent/received a message. Image opaqueness is a necessary, but not sufficient, condition for detectability. – Kernel opaqueness: given two distinct messages, it is not known that they have been sent/received by the same entity. This corresponds to our notion of unlinkability. The authors then define several anonymity properties based on these concepts. The formalization of the notions in [6] is shown in Table 7. Sender anonymity and recipient anonymity are defined as value opaqueness of the sender and recipient functions, which is in line with our definitions. For sender untraceability, in addition one should have kernel opaqueness, so this corresponds to anonymity and unlinkability of the data item (m, sent); similarly for recipient untraceability. Blender anonymity is defined as a combination of value opaqueness of the sender and recipient functions. Accordingly, it can be seen as anonymity of both sender and recipient. “Conversation-agent-2-unlinkability”, on the other hand, is value opaqueness 3

This assumes that seeing a message does not mean seeing the message contents. It is not entirely clear if [1] makes this assumption. If not, then [1] in addition to sender anonymity should also demand relationship anonymity to capture the meaning of SUL.

Modeling Identity-Related Properties and Their Privacy Strength

139

Table 7. Interpretation in our model (for a given message m sent by s and received by r w.r.t. actor a) of identity-related notions from [6], and our name for the given property Property from [6] Sender Anonymity Sender Untraceability

Interpretation (m, sent) ↔ a s (m, sent) ↔ a s ∧ m : (m , sent) ↔a (m, sent) Recipient Anonymity (m, recv) ↔ a r Recipient Untraceability (m, recv) ↔ a r ∧ m : (m , recv) ↔a (m, recv) Blender Anonymity (m, sent) ↔ a s ∧ (m, recv) ↔ a r Conversation-Agent-2-Unlink. (m, sent) ↔ a s ∨ (m, recv) ↔ a r

Property anonymity of sender anonymity of sender + unlinkability of sender anonymity of recipient anonymity of recipient + unlinkability of recipient anon. of sender and recv anon. of sender or recv

of the function giving the sender and recipient at the same time, so it corresponds to either anonymity of sender or anonymity of recipient. Note that [6] defines several variants of anonymity based on the number of possible senders or recipients for a message. Our model abstracts away from this level of detail so that anonymity means that there is “sufficient” unclarity about the sender or recipient.

7 Conclusions and Future Work In this work, we presented a formal model to represent privacy-sensitive information in information systems and the knowledge that actors have about it. This model can be used to formalize many identity-related notions such as identifiability, pseudonymity and anonymity. This formalization allows one to compare the properties in terms of their logical relations and their privacy strengths. In particular, the obtained taxonomies show which properties cannot be achieved at the same time and which properties are implied by other properties as well as which properties are more desirable from a privacy standpoint. We also demonstrated that our model is able to capture the identity-related properties and reproduce several results presented in [1,6,7]. However, the mapping is not always straightforward because of the different notions these frameworks employ. For instance, [7] considers confidentiality issues in defining identity-related properties. We showed how such issues can be modeled in our framework. Interestingly, the formalization in [7] enables one to formally express transformations of communication protocols to achieve certain privacy properties. Our model is static and therefore is not able to specify the behavior of communcation parties or adversaries. In forthcoming work we intend to extend our model to capture dynamic situations. Our approach to defining identity-related properties assumes a formal meaning of the notions of detectability, associability, and provability. Several proposed frameworks can be used to formalize these notions. One relevant research stream proposes to model the knowledge of an actor in a probabilistic way [5,12,13,14]. For instance, [5,13,14] consider the knowledge about who has executed some action as a probability distribution over all possible entities; the entropy of this distribution then is a measure of the “degree of anonymity” of that action. Another research stream models communication systems using process algebra [2,3] or modal logic [4] and, based on such formal specifications, checks the privacy provided by a system. Concerning the formalization of

140

M. Veeningen, B. de Weger, and N. Zannone

non-repudiation [15], we mention that it is often seen as a consequence of using cryptography, e.g. the unforgeability property of digital signatures. However, as [16, Ch.4] remarks, the meaning of “proving” depends strongly on the specific context of the application. As future work, we plan to investigate how to use these different frameworks for detectability, associability and provability as a foundation for our model. Of particular interest here is how we can capture low-level details of properties (e.g., 10-anonymity is “stronger” than 3-anonymity) without loosing the abstract nature of the model.

References 1. Pfitzmann, A., Hansen, M.: A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management. v0.32 (December 2009), http://dud.inf.tu-dresden.de/Anon_Terminology.shtml 2. Schneider, S., Sidiropoulos, A.: CSP and anonymity. In: Proc. of ESORICS 1996. LNCS, vol. 2482, pp. 198–218. Springer, Heidelberg (1996) 3. Chatzikokolakis, K.: Probabilistic and Information-Theoretic Approaches to Anonymity. ´ PhD thesis, Laboratoire d’Informatique (LIX), Ecole Polytechnique, Paris (2007) 4. Syverson, P.F., Stubblebine, S.G.: Group principals and the formalization of anonymity. In: Woodcock, J.C.P., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 814–833. Springer, Heidelberg (1999) 5. Steinbrecher, S., K¨opsell, S.: Modelling unlinkability. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 32–47. Springer, Heidelberg (2003) 6. Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: a modular approach. Journal of Computer Security 12(1), 3–36 (2004) 7. Hevia, A., Micciancio, D.: An indistinguishability-based characterization of anonymous channels. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 24–43. Springer, Heidelberg (2008) 8. European Parliament: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities L 281, 31–50 (November 23, 1995) 9. Diaz, C., Preneel, B.: Taxonomy of mixes and dummy traffic. In: Proc. of I-NetSec 2004, pp. 215–230. Kluwer Academic Publishers, Dordrecht (2004) 10. Camenisch, J., Pfitzmann, B.: Federated Identity Management. In: Security, Privacy, and Trust in Modern Data Management, pp. 213–238. Springer, Heidelberg (2007) 11. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001) 12. Clauß, S.: A Framework for Quantification of Linkability Within a Privacy-Enhancing Identity Management System. In: M¨uller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 191–205. Springer, Heidelberg (2006) 13. D´ıaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 54–68. Springer, Heidelberg (2003) 14. Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 41–53. Springer, Heidelberg (2003) 15. Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Sec. Comput. 1, 11–33 (2004) 16. Roe, M.: Cryptography and Evidence. PhD thesis, University of Cambridge (1997)

Semantics of Trust Tim Muller University of Luxembourg [email protected] Abstract. The meaning assigned to the word ‘trust’ is diverse. We present a formalism that allows various interpretations of trust. To this end, we introduce terms that specify the observations of agents, called connections. Then we apply epistemic semantics to reason about the knowledge of agents. We allow specifications of interpretations of trust in terms of facts, and analyze whether agents know the relevant facts. If agents know that a target is trustworthy under an interpretation, that agent trusts the target. We illustrate the formalism on three specific existing interpretations.

1

Introduction

When one asks an ethicist for a definition of trust, one might expect a response such as: “Trust (. . . ) is letting other persons (natural or artificial, such as firms, nations, etc.) take care of something the trustor cares about, (. . . )” [1]. An economist might say: “Trust is the willingness to permit the decisions of others to influence your welfare” [2]. An interesting sociological definition is: “(Trust is the) undertaking of a risky course of action on the confident expectation that all persons involved in the action will act competently and dutifully.” [3]. A game theoretical view on the issue is formulated as: “(Trust) is the mutual confidence that one’s vulnerability will not be exploited in an exchange.” [4].1 In this paper, we argue that trust is something more abstract, and we refer to more specific notions, such as the aforementioned, as specific meanings of trust. First we define the general notions regarding trust: Definition 1. An observation is any contingent fact, that is witnessed to be true. A trust assessment is a boolean expectation based on own observations and possibly observations of others. Trust is a positive trust assessment, and distrust a negative. An interpretation of trust defines under which condition to trust or distrust an agent. Interpretations are formulated as predicates on agents. Given an interpretation, if an agent with perfect information trusts another agent, then the latter is trustworthy. The meaning of trust assessments differs according to the context. The meaning depends on what an expectation denotes, as illustrated by the aforementioned examples. An interpretation of trust determines which condition yields a positive expectation. A trust system contains zero or more interpretations and meanings of trust at the same time. To illustrate this with an example: 1

Thanks to Harvey S. James, Jr. for collecting trust related quotes on his webpage.

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 141–156, 2011. c Springer-Verlag Berlin Heidelberg 2011 

142

T. Muller

Example 1. A user visits the Microsoft website, to get a software update. The software has a certificate, showing that the update is from Microsoft. After seeing the certificate, the user trusts the software and installs it. One meaning of trust here, is that the user has the expectation that the software is not malware. An interpretation of trust is whether the software is certified. As the software is certified, the user has a positive trust assessment, hence the user trusts that the software. The usage of the word “trust” in the previous sentence implicitly uses the aforementioned interpretation and meaning. As common practice dictates, the meaning and interpretation of trust are implicit in situations where they are obvious. In the example, a secondhand observation is the reason that the user gives a positive assessment. Namely, the user observed that a particular certifying authority has issued a certificate to Microsoft. Apparently there is some type of trust in the issuer of the certificate. Let’s look at the situation with a finer grain. We introduce a new meaning of trust in the system, which is used alongside the aforementioned meaning of trust. The end-user trusts that the certifying authority is honest, and he trusts the ability of the certifying authority to assess the intentions of particular software developers. The new interpretation of trust is being a particular certifying authority. In this example, different types of trust are dependant. The first interpretation could be formulated as: “A truthful certifying authority signed a software certificate”. Which depends on a meaning of trust, such as: “We expect certifying authorities are truthful”. We observe that trust systems generally solve two particular problems, possibly at the same time: How to collect observations, and which interpretation(s) of trust to use. An example of a system designed to optimize the collection of data is [5], where agents not only delegate jobs to other agents that they need done, but also send out challenges to other agents. An agent will know the solution of a challenge, and if the challenged agent fails to return the right result, he will be trusted less. This only works in specialized settings, as the relevance of this solution depends on the indistinguishability between regular jobs and challenges. Whereas a paper such as [6] investigates ways to interpret trust. It focusses on different properties of interpretations, and formal denotations of these properties. How these interpretations relate to actual models is not defined. One of the goals of this paper is to enable us to easily recombine the good aspects of existing, specialized solutions. A solution for both problems is needed for recommender systems. Recommender systems have several aspects that are studied, as shown in [7]. Those aspects represent different subproblems. Filtering, for example, is the process of turning a real item into a subject in the recommender system. Filtering is purely about data collection. Matching is the way a recommender system calculates which opinions agents should follow. What type of matching to use is an interpretation of trust. There are aspects, such as how feedback is given and how sensitive it is to changes over time, that depend on both data collection and interpretation.

Semantics of Trust

143

Interpretations of trust are usually defined in terms of facts. When the software has a certificate from a particular certifying authority, the software is trustworthy on that basis. If an agent knows the right facts, the agent knows that another agent is trustworthy, and hence trust the agent. Given an interpretation, the problem of trusting can be reduced to a problem of having the right knowledge. In most concrete contexts, the relation between observations and knowledge is obvious. As a consequence, the transformation of observations into knowledge is an underexposed issue. We, however, are interested in a more general context. Hence, we need to be explicit in our dealings with observations. To represent observations in this generalized setting, we introduce a formalism. The formalism is, although fundamentally different, derived from subjective logic [8], in the sense that it uses dilution and fusion. The fundamental differences lie in the fact that terms in subjective logic represent opinions in the form of probabilities and estimates, while terms in our formalism represent observations in the form of facts and statements. There is an axiomatization presented in [9], which abstracts from subjective logic. Due to this abstraction, some properties that are axiomatized will still hold in our context. Having set a formalism to express observations, we need to be able to transform these observations into knowledge in a general way. We should not, generally, treat secondhand observations as knowledge, nor should we disregard them totally. Hence, we should evaluate the trust in the source that claimed to have made the observation. “Are sources of information capable and honest” is a possible meaning of trust. This type of trust will be used to evaluate third-party observations, and is therefore assigned a special status, namely reliability. In other words, reliability is an instance of trustworthiness, where trust has the meaning “being capable and honest”.

2

Connections and Networks

There are two well-studied aspects of trust systems. We recall data collection and interpretation, mentioned in the introduction. One of our goals is to glue these together in a generic way. As mentioned before, we need to transform observations into knowledge in an abstract way. To achieve this, we need a formal way to state the observations of agents. The formal representation of the observations of an agent is called the connection of that agent. Every user in a trust system has a (possibly empty) set of observations regarding other users. If a has an observation about b, then b does not necessarily have an observation about a. If a has a secondhand observation regarding b, it means that another user, say c, claims to have a particular observation regarding b. This is considered as a’s observation regarding b, albeit secondhand. However, to determine the value of c’s claim, a can use its observations about c to assess the reliability of c. Recall that reliability is an instance of trustworthiness, for a meaning of trust such as “c speaks the truth”. Since we want to keep our formalism general, we do not assume any interpretation of trust. As we need an interpretation to assess trust, it is generally not possible to assess whether c speaks the truth. In Section 3, we address this problem.

144

T. Muller

In the preceding paragraph we hinted at the shape of connections. A connection that represents lack of observations is denoted as ε. We are able to denote a connection representing precisely one observation, by just giving the predicate representing the observation. Since an agent can have more than one observation, we should be able to combine connections, we call this a fusion of connections, denoted + . Furthermore, we should be able to express that another agent, say a, makes a claim. This is called dilution, and is written a. . The syntax is defined over agents, who may state claims, and observations regarding agents, which we will denote as a predicate on said agents. The syntax of connections is defined over finite sets of agents A and possible observations P regarding agents: ϕ ::= ε | P (a) | a.ϕ | ϕ + ϕ for agent a ∈ A and observation P ∈ P regarding an agent. We treat observations as logical predicates, in other words P ∈ P : A → {, ⊥}. Logical relationships may exist between predicates. For example, let O(d) denote that door d is open, and C(d) denote that d is closed. Obviously, in situations where a door d is open, d cannot be closed, denoted O(d) S ¬C(d). A set of those semantic rules S is called a signature. A signature defines the logical relationships between predicates. For this paper, it suffices to realize that, given a signature, not all combinations of predicates can be satisfied. The door cannot be both open and closed. We will refer to this property as consistency: Definition 2. A set of predicates Γ is consistent when there is no predicate ϕ ∈ Γ such that Γ S ¬ϕ. Using the example, Γ = {O(d), C(d)} is, as we expect, not consistent, since {O(d), C(d)} S ¬C(d). In [9], it was shown that fusion of opinions is associative and commutative, and that total uncertainty is the identity element. On that basis, we expect the fusion of connections also to be associative and commutative. Section 3 trivially shows the expectation is correct. And since an empty connection yields no information, we expect the empty connection to be the identity element. This allows us to treat every connection as a summation. If one of the summands is a particular observation, we can say that the connection contains that observation. Let C be the set of all connections allowed by our syntax. We note that, as a consequence of the definition, C is countable. Using the notion of connections, we define a network. A network defines which agent has what connection. A network is represented as a function on agents N : A → C. Rather than using the function type notation, we define a countable set of networks as N . Note that the range of a network is a subset of C. If a connection is in the range of a network, we simply say that the connection exists in the network. Example 2. Figure 1 depicts an example of a network. To formally describe this network, we need to define a set of agents. We pick A = {a, b, c}. We furthermore take a set of predicates: Let Dα (β) denote “β danced with α”. Let

Semantics of Trust

145

“danced together” a

c “arrested”

“stole money”

“a claimed b is a criminal” b

Fig. 1. An example of a network N of three agents

C(α) denote “α is a criminal”. Then N (a) = C(b) + C(b) + Da (c), N (b) = ε and N (c) = Dc (a) + a.C(b). Let P (a) and Q(b) be inconsistent predicates. Agents only have observations that correspond to the real world. If an agent has observation P (a), no other agent can have observation Q(b). Since P (a) has been observed, it must hold, and since it contradicts Q(b), Q(b) cannot hold, and hence not be observed. E.g. if a car is red, no agent can make the observation that the car is blue. Mind that it is, of course, possible that an agent claims that he observed that the red car is blue.

3

Generic Semantics

In order to successfully transform observations into knowledge, we have introduced a formalism to unambiguously represent observations in Section 2. We will now present a method that takes a connection and assigns a semantics to it, in the form of knowledge. The association of knowledge of agents with a particular model is a well-studied subject in logics, called epistemic logic. There is an introduction to semantics of logics and modal logic in [10]. An in-depth discussion of modal logics and their semantics can be found in [11]. Since this section will deal with epistemic modal logic and knowledge in general, we present [12] as a source of information about epistemic logic in particular. Given a network, there should be a unique method to evaluate specific interpretations of trust. Formulated negatively; if, given a network, two methods of evaluating trust yield different trust assessments, then the two methods do not use the same interpretations. A network is seen as a model that has epistemic semantics. Paragraph 3.1 shows how this is done. In Paragraph 3.2, we formulate interpretations in epistemic logic. Together, this automatically yields a general method to evaluate interpretations in a model. 3.1

Epistemic Semantics

We assert that there is a real world, and in this world all facts are true or false. No agent, in general, will be able to distinguish the real world from other possible worlds, as he has not observed all facts. Within our model we distinguish three types of facts:

146

T. Muller

Whether a property holds. Whether a claim has been made. Whether a particular agent would lie about something. The real world can now be defined using valuations, assignments of truth values, over these facts. In the real world, a property either holds or it does not, a claim has been made or it has not, and an agent is willing to lie or he is not. We call the mapping from predicates P × A, to truth values, a predicate valuation θP . We call a mapping from pairs of agents and connections A × A × C, to whether a claim has been made, a statement valuation θS . We call a mapping from pairs of agents and connections A × A × C, to truthfulness of claims, a reliability valuation θR . This mapping reasons about hypothetical situations. Namely, how reliable an agent would be, when he would state a particular claim to another agent. For example, for a perfectly honest agent a, θR (a, b, x) will be true for all b and x. Whereas, for a compulsive liar it will be always be false. For a rational agent a, it will be true in those situations when it serves a’s best interest to speak the truth. The particular reliability valuation defines the reliability of agents. Let Let Let Let

WP be the set of all valuations θP . WS be the set of all valuations θS . WN be the set of possible networks. WR be the set of all valuations θR .

We can see that x ∈ WP × WS denotes all objective facts in a world. The set of possible worlds W is a subset of WP × WS × WN × WR . Note, again, that if it is observed that P (a) holds, then P (a) must hold. Hence some combinations of valuations and networks cannot exist. The possibility relation defines which worlds can exist, and which are contradictory. The possibility relation, Π, enforces three conditions: The consistency of the valuation over predicates, as defined in definition 2. The connections of all agents in the network must adhere to reality; which is defined by the conformance function. Furthermore, when a claims is reliable and has been made, then it must also conform to reality. The conformance function, π, enforces that the observations x of an agent a are in line with reality: If If If If

an an an an

agent agent agent agent

has no observations, they cannot contradict reality. observed a fact, then it must be true. received a claim, then the claim must have been made. has several connections, all must be in line with reality.

Let the set of possible worlds W be defined as {(wP , wS , wN , wR ) | wP ∈ WP ∧ wS ∈ WS ∧ wN ∈ WN ∧ wR ∈ WR ∧ Π(wP , wS , wN , wR )}, where Π(p, c, n, r) is

Semantics of Trust

147

the possibility relation on valuations, defining whether a world w = (p, c, n, r) is possible: Π(wP , wS , wN , wR ) = consistent({wP (P, a)|P ∈ P, a ∈ A})∧ ∀a∈A (π(wP , wS , a, wN (a)))∧ ∀a,b∈A,x∈C (wR (a, b, x) ⇒ wS (a, b, x) ⇒ π(wP , wS , b, x)) and π(p, c, a, x) is the conformance function defining if a specific connection x of an agent a is possible when the objective facts are defined by (p, c). ⎧ x = ε∨ ⎪ ⎪ ⎪ ⎨x = P (b) ∧ w (P, b)∨ P π(wP , wS , a, x) = ⎪ (a, c, x)∨ x = c.x ∧ w S ⎪ ⎪ ⎩ x = x + y ∧ π(wP , wS , a, x) ∧ π(wP , wS , a, y) In Kripke semantics, worlds may be related to each other.In epistemic semantics, two worlds are related to each other, if there is a particular agent cannot tell the difference between the two worlds. Such a relation is called an accessability relation. In our context, two worlds are related if an agent has the same connection in both worlds. For each agent a ∈ A, let Ra be the relation over     worlds, such that (wP , wS , wN , wR )Ra (wP , wS , wN , wR ) iff wN (a) = wN (a). Furthermore, we have functions ΘP : W → P × A → {, ⊥} defined as ΘP (wP , wS , wN , wR ) = wP , ΘS : W → A × A × C → {, ⊥} defined as ΘS (wP , wS , wN , wR ) = wS and ΘR : W → A × A × C → {, ⊥} defined as ΘR (wP , wS , wN , wR ) = wR . These are functions are projections of worlds onto their respective valuations. In particular, ΘP determines if in a particular world, a particular observable predicate holds, i.e. a predicate from P. Whereas ΘS determines if in a particular world, a particular claim x has been made by an agent a towards another agent b. We introduce the following notation for such a predicate: C ab (x). Finally, ΘR determines if in a particular world, a particular agent a is reliable when claiming x towards b. We introduce the following notation for such a predicate: Rab (x). We find the following relation between observational models and epistemic logic in a straightforward manner: Definition 3. The observational model is a Kripke model, defined by K =

W, Ra , Rb , . . . , ΘP , ΘS , ΘR . K, w |= K, w |=ϕ ∧ ψ K, w |=¬ϕ K, w |=P (b)

iff K, w |= ϕ and K, w |= ψ iff K, w |= ϕ iff ΘP (w)(P, b)

K, w |=Cab (x)

iff ΘS (w)(a, b, x)

K, w K, w |=Ka (ϕ)

iff ΘR (w)(a, b, x) iff for all w such that wRa w : K, w |= ϕ

|=Rab (x)

148

T. Muller P (c) ∧ Rab (P (c)) ∧ Cab (P (c))

¬P (c) ∧ Rab (P (c)) ∧ Cab (P (c))

P (c) ∧ Rab (P (c)) ∧ ¬Cab (P (c))

¬P (c) ∧ Rab (P (c)) ∧ ¬Cab (P (c))

P (c) ∧ ¬Rab (P (c)) ∧ Cab (P (c))

¬P (c) ∧ ¬Rab (P (c)) ∧ Cab (P (c))

P (c) ∧ ¬Rab (P (c)) ∧ ¬Cab (P (c))

¬P (c) ∧ ¬Rab (P (c)) ∧ ¬Cab (P (c))

Fig. 2. A set of 7 possible worlds

Example 3. Figure 2 depicts some possible worlds as dots annotated with the truth values of some predicates. The world depicted as a cross is not a possible world using the possibility relation. If Rab (P (c)) and C ab (P (c)) then π(wP , wR , b, P (c)). However, wP (¬P (c)), thus ¬π(wP , wR , b, P (c)). The points in the area marked by the dashed line represent states where the following statement holds: “If b is reliable to a when claiming that P (c), then P (c) holds.” This type of collection of worlds will turn out to be relevant when dealing with claims. 3.2

Interpretations of Trustworthiness

Suppose we introduce an interpretation of trust into the model. An interpretation of trust tells us what predicate needs to be true in order for an agent to be trustworthy. Hence, we may view an interpretation as a predicate on agents. Let I be such an interpretation. Let the set of predicates in the system be {P }, and I(a) = P (a). We interpret trust, such that an agent a is trustworthy when P (a) holds. We formally define interpretations of trustworthiness: Definition 4. Let I be an interpretation and a an agent. We introduce a generic symbol for trustworthiness, T I (a). The semantics associated with this type of trust is: K, w |= T I (a) iff K, w |= I(a) We define trust using the following notion; knowing an agent is trustworthy means being able to trust that agent. We can apply the definition of knowledge in Definition 3. We see that, only defining when an agent is trustworthy, is sufficient to define when it is trusted. Proposition 1. K, w |= Ka (T I (b)) iff K, w |= Ka (I(b)) Before we proceed, notice that it might be possible that in some world, an agent might be trustworthy to one agent, but not to another. A solution to the aforementioned problem, would be to index interpretations, in order to represent to whom trustworthiness applies. If there are N agents, then there are N different interpretations of trust, one for each agent. We write that agent b is trustworthy

Semantics of Trust

149

to agent a under interpretation I as T Ia (b). An agent a trusts b under I, is then written Ka (T Ia (b)). In social systems, it is common to have a situation where a knows that c is trustworthy towards b. In general, however, this has no consequence for agent a. Our formalism is flexible enough to allow a model where it does affect a. Earlier, we discussed that some interpretations of trust are, in a sense, selfreferential. Namely, when we trust that certain statements from agents to agents are reliable. We define a finite set ζ of claims that are asserted to be reliable. When an agent is trying to figure out whether another agent is trustworthy, it will assume that the claims they have heard are true, when the are in ζ. In other words, reliability of all the claims in ζ is a condition under which to determine interpretations of trustworthiness. Trustworthiness under ζ is more formally defined in Definition 5. A world where a claim from ζ is falsely stated, is considered to be a possible world. However, agents assess their trust in a model under the assumption that such a world is not relevant. For example, a friend tells you that his car broke down. This does, generally, not imply that you know his car broke down. He might be lying, exaggerating or mistaken. It does, however, mean that you will assess trust in his car dealer using the assumption that your friends car broke down. As a sidetrack, it is interesting to think about the approach that does interpret trust in truthfulness as a source of knowledge. In other words, a world where a claim from ζ is falsely stated is not considered possible. This approach is worked out into fine detail in [13]. What we call claims are called announcements there. An announcement updates the knowledge. However, such an approach is inherently dynamic. Hence, in [13] the emphasis must be on mixing epistemic logic with dynamic logics. This is a difficult task, since determining a false announcement to be reliable will lead to logical contradiction. For this reason, we prefer a static model. Our approach allows us to have a static model in a natural way. Using the notion of reliable claims, we extend the definition of trustworthiness to: Definition 5. Let TζI (a) denote that, given that the claims in ζ are reliable, a is trustworthy under interpretation I.  (Rbc (x)) ⇒ T I (a) K, w |= TζI (a) iff K, w |= (b,c,x)∈ζ

Only defining when an agent is trustworthy is sufficient to define when it is trusted. Proposition 2. K, w |= Ka (TζI (b)) iff K, w |= Ka ((



Rcd (x)) ⇒ I(b))

(c,d,x)∈ζ

We remark that T I (b) is, by definition, equivalent to T∅I (b).

150

T. Muller

We will see that the set builder for the set ζ can depend on conditional trust itself. When chaining trust, for example, it is possible that a delegates trust to b who further delegates that trust to c. Hence, we trust c, if the claim of delegation D of b is reliable, in other words, if D ∈ ζ. However, D is in ζ, only when we somehow trust b, which is the case only when a was reliable. The next section will provide examples of interpretations of trust, and in particular chained interpretations of trust.

4

Existing Interpretations

The main idea of the generalized semantics that we present, is that they are easy to translate to. We will naively fill in the relevant observations and the interpretation of trust. If our approach works, then we are able to prove the given naive translations correct. Correctness of a translate means that, if we can derive trust in the original model, then we can derive trust in the translation, and vice versa. 4.1

Flat Public Key Infrastructure

A flat public key infrastructure is the most basic type of public key infrastructure. There are users and certifying authorities. A certifying authority signs certificates of users. A user u trusts another user u when the certificate of u has been signed by some trusted certifying authority. There is a special type of certifying authority, called a root certifier. Every user trusts precisely those certifying authorities that are root certifiers. Note that in Paragraph 4.2, root certifiers can delegate their trust to other certifying authorities. In order to do an analysis, we present a more formal way to describe what a flat public key infrastructure is: Let U be a set of users. Let C be a disjoint set of certifying authorities, and Croot be the subset representing root certifiers. Let S(c, u) denote that certifying authority c has signed a certificate of user u. We define that observesu (ϕ) means that u observes ϕ. Then user u trusts correctness of the public key of u iff ∃c∈C (observesu (cisarootcertifier)∧observesu (S(c, u ))). The set of agents A is equivalent to the union of the users and the certifiers. The set of predicates P is {P } ∪ {Sa | a ∈ C}. The predicate P (a) is true when a is a root certifier, a ∈ Croot . The predicate Sa (b) is true when S(a, b), thus when a signed certificate of b. Then we need to define the network. The connection of a user a contains precisely the observations of a. In other words, a has a connection   b∈A,observesa (P (b)) P (b) + b,c∈A,observesa (S(b,c)) b.Sb (c). Lastly, we formally interpret trust. An agent a trusts an agent b, if there is a root certifying authority that claims to have signed b’s certificate. We call this the basic interpretation of trust. We define such a basic interpretation of trust as follows: b TζI (a)

Semantics of Trust

where

I b (a) =



151

(P (b) ∧ Sb (a))

b∈A

and ζ = {(a, b, Sb (c)) | a, b, c ∈ A ∧ P (b)} Note that ζ represents the claims regarding signed certificates made by the root certifiers. In other words, for the basic trust interpretation, we assert that root certifiers are reliable in claims about certificates. We prove correctness of the interpretation: b

Lemma 1. User u trusts correctness of the public key of u , iff K, w |= Ku TζI (u ). Proof. We prove the implication in both ways. ⇒ Agent u observes there is a root certifier c ∈ Croot , such that u observes that c claims S(c, u ). As a consequence, the connection of u contains a summand P (c) and a summand c.Sc (u ). Since u has a connection P (c) + y, wN (u) = P (c) + y, Π(wP , wS , wN , wR ) ⇒ π(wP , wS , u, P (c) + y) ⇒ wP (P, c). Similarly, for c.Sc (u ) we see that C uc (Sc (u )). In all accessible worlds for u, wN (u). Hence, wP (P, c) holds in every world w , such that wRu w , and thus Ku P (c) and Ku C uc (Sc (u )). As a consequence of P (c), (u, c, Sc (u )) ∈ ζ. We see, using the possibility re lation and C uc (Sc (u )), that in all worlds where Ruc (Sc (u )), π(wP , wS , c, Sc u )     also holds, and thus wP (Sc , u ). Since wP (Sc , u ) holds in every possible world for u, K, w |= Ka(Sc (u)). Hence, we can apply Proposition 2, to see that b K, w |= Ku TζI (u ). b ⇐ By definition, if K, w |= Ku TζI (u ) then K, w |= Ku (( (c,d,x)∈ζ Rcd (x)) ⇒ I b (u )). We get K, w |= Ku (( c,d∈A∧x∈C∧P (d) R cd (x)) ⇒ ∃b∈A (P (b)∧Sb (u ))) b  u  by applying the definition ofc ζ and I . Hence, for all w such that wR w ,  K, w |= ( c,d∈A∧x∈C∧P (d) Rd (x)) ⇒ ∃b∈A (P (b) ∧ Sb (u )). We need to push    , wS , wN , wR )Ru w, we push the the knowledge into the model. Let w = (wP  knowledge into the model by analyzing the shape of wN (u). We recall that every connection can be seen as a summation. We need only analyze what  summands must exist in wN (u). If there is no agent a such that there is a summand P (a), then there is a world w , such that for no agent a, P (a). In such a world ζ = ∅, and clearly b T∅I (u ) does not hold, since there is no a with P (a). Hence, we can assume that there is an agent a, such that there is a summand P (a). By applying the possibility relation, we see that for all  worlds w , wP (P, a). Therefore ζ = {(b, a, Sa (c)) | a, b, c ∈ A ∧ P (a)}. We furthermore know that agent a exist where P (a) and a.Sa (u ) are summands of u’s connection. Assume that all agents a for which there is a summand P (a), there is no summand a.Sa (u ) in u’s connection, then there is a world w , such that for no agent a, P (a) ∧ Sa (u ). In such a world b ζ = {b, a, Sa (c)) | a, b, c ∈ A ∧ c = u ∧ P (a)}. Therefore, K, w |= Ku TζI (u ).

152

T. Muller

Therefore, there is an agent a, such that there is a summand P (a) and a summand a.Sa (u ). Hence, observesu (P (a)) and observesu (C ua (Sa (u )), and u trusts correctness of the public key of u . 4.2

Hierarchical Public Key Infrastructure

An N hierarchical public key key infrastructure is a generalization of the flat public key infrastructure. There are users and certifying authorities. A certifying authority can sign certificates of users and extend trusts. A user u trusts another user u when the certificate of u has been signed by some trusted certifying authority. There is a special type of certifying authority, called a root certifier. All root certifiers are trusted by all agents. If there is a chain, with length at most N , of trust extensions from a root certifier to another certifying authority c, then every user trusts c. We note that a 0 hierarchical public key infrastructure is, in fact, equivalent to the flat public key infrastructure. When we want to describe a hierarchical public key infrastructure, where we do not care about the length of a chain, we simply pick N greater than the number of certifying authorities. Let U be a set of users. Let C be a disjunct set of certifying authorities, and Croot be the subset representing root certifiers. Root certifiers are trusted by every user in the system in their role as certifying authority. Let H(c, c ) denote that certifying authority c transfers part of its authority to certifier c . For notational simplicity, we assume that H(c, c). Let S(c, u) denote that certifying authority c has signed a certificate of user u. Again, observesu (ϕ) means that u observes ϕ. We define that for n > 0, Dn (u, c) holds for user u and certifying authority c, if there is a certifying authority c , such that Dn−1 (u, c ) and observesu (H(c, c )). And for n = 0, we define that D0 (u, c) holds when observesu (c ∈ Croot ). As a consequence of reflexivity of H, if Dn−1 (u, c) then Dn (u, c). Again, u trusts correctness of the public key of u iff ∃c∈C (DN (c, u )). The set of agents A is equivalent to the union of the users and the certifiers. The set of predicates P is {P } ∪ {Sa | a ∈ C} ∪ {Ha | a ∈ C}. The predicate P (a) is true when a is a root certifier, a ∈ Croot . The predicate Ha (b) is true when H(a, b), thus when a extends his trust to b. The predicate Sa (b) is true when S(a, b), thus when a signed certificate of b. Then we need to define the network. The connection of a user  a contains precisely the observations of a. In other words, a has a connection b∈A,observesa (P (b)) P (b) +   b,c∈A,observesa (S(b,c)) b.Sb (c) + b,c∈A,observesa (H(b,c)) b.Hb (c). An agent a trusts an agent b, if there is a trusted certifying authority that claims to have signed b’s certificate. The first instance of “trust”, namely trusting a certifying authority, differs from the second, namely trusting a user. We refer, in this context, to the first instance as intermediate trust, and the second instance as final trust. There are multiple types of intermediate trust, depending on their chain length. We define intermediate trust with a chain length only pertaining direct connections. Ii T∅ 0 (a) where:

I0i (a) = P (a)

Semantics of Trust

153

and: ζ0 = ∅ We define intermediate trust with longer chain lengths 1 ≤ n ≤ N : Ii

Tζnn (a) where: Ini (a) =

 b∈A

Ii

n−1 (Hb (a) ∧ Tζn−1 (b))

and:

Ii

n−1 ζn = {(a, b, Hb (c)) | a, b, c ∈ A ∧ Tζn−1 (b)}

Using intermediate trust, final trust can easily be defined. f

TζI (a) where:



I f (a) =

b∈A

and:

Ii

(Sb (a) ∧ TζNN (b)) Ii

ζ  = {(a, b, Sb (c)) | a, b, c ∈ A ∧ TζNN (b)} f

Lemma 2. User u trusts correctness of the public key of u , iff K, w |= Ku TζI (u ). Proof. This proof is highly similar to that of Lemma 1. The forward side, soundness, is a simple extension of the flat case. Hence we only mention the completeness case, where we apply modus tollens as in Lemma 1. If there is no agent a such that there is a summand P (a), then there is a world Ii

w , such that for no agent a, P (a). In such a world ζ0 = ∅, and clearly T∅ 0 (u ) Ii

does not hold, since there is no a with P (a). As a consequence TζNN (u ) also does f

not hold, and neither does TζI (u ). Hence, we can assume that there is an agent a, such that there is a summand P (a). By applying the possibility relation, we see  that for all worlds w , wP (P, a). Therefore ζ1 = {(b, a, Sa (c)) | a, b, c ∈ A∧P (a)}. Ii

i−1 (a). If there is For all 1 ≤ i ≤ N . We know that agents a exist such that Tζi−1

Ii

i−1 (a) and there is no summand a.Ha (b), then there is no agent a such that Tζi−1

Ii

i−1 a world w , such that for no agent a, Ha (b) ∧ Tζi−1 (a). Such a world, however,

Ii

i−1 cannot exist. Therefore, there must be an agent a with Tζi−1 (a), such that there is a summand a.Ha (b).

Ii

Lastly, we know that agents a exist such that TζNN (a). If there is no agent a Ii

such that TζNN (a) and there is no summand a.Sa (b), then there is a world w , such Ii

that for no agent a, Sa (b) ∧ TζNN (a). Again, such a world must exist. Therefore, Ii

there must be an agent a with TζNN (a), such that there is a summand a.Sa (b).

154

T. Muller

We have derived in the last three paragraphs that there must exist a set of agents L, such that (per paragraph): There is an element L0 ∈ L, where wN (u) has a summand P (L0 ). There are intermediate agents Li in L, such that wN (u) has Li .HLi (Li+1 ). There is an element LN ∈ L, where wN (u) has a summand SLN (u ). We can apply the definition of D to see that u trusts correctness of the public key of u . 4.3

Web of Trust

An N Web of Trust is a variation of the hierarchical public key infrastructure. There are only users. Users can sign certificates, and by doing that, extend trust. A user u trusts another user u when there is a chain of certificates from u to u , with length at most N . We note that a 0 web of trust simply means that users only trust certificates that they signed themselves. When we want to describe a web of trust with unlimited chaining, we simply pick N greater than the number of users. We define the following model of a web of trust more formally: Let U be a set of users. Let N be an integer, representing the chain length threshold. Let E(a, b) denote that agent a extends his trust to b. Let Dn (a, b) denote that there is a chain with length at most n of trust-extensions from a to b. More formally: D0 (a, b) = E(a, b), and Dn (a, b) = (E(a, b) ∨ ∃c∈A (E(a, c) ∧ Dn−1 (c, b))). Agent a trusts agent b if and only if it observes Dn (a, b). The set of agents A is equivalent to the set of users U . The set of predicates P is {Ea | a ∈ A}. The predicate Ea (b) is true when E(a, b), thus when a extends his trust to b. We assume that Ea (a), so that we can lengthen a chain without breaking it. Then we need to define the network. The connection of a user a will of a. In other words, a has a connection  contain precisely the observations  E (b) + a b∈A,observesa (E(a,b) b,c∈A,observesa (E(b,c)) b.Eb (c). An agent a trusts another agent b, if there is a list L of users of size n ≤ N , such that a = L0 , b = Ln and for all 0 ≤ i < n, E(Li , Li+1 ). For all 0 ≤ n ≤ N : It

Tζnn (a) where: Int (a) =



It

n−1 (Eb (a) ∧ Tζn−1 (b))

b∈A

and:

It

n−1 ζn = {(a, b, Eb (c)) | a, b, c ∈ A ∧ Tζn−1 (b)}

Lemma 3. Let u and u be users. Let there be a transitive interpretation, as defined above. User u trusts correctness of the public key of u , iff K, w |= It

Ku TζNN (u ). Proof. Since I t is essentially the same as I i , this is a straightforward adaptation from Lemma 2.

Semantics of Trust

5

155

Conclusion

A generalized semantics is given, requiring observations, in the form of connections, and interpretations, in the form of objective predicates. We formalized connections, by providing a clear syntax and semantics. We showed how interpretations of trust can act transitively, using examples. We asserted that if an agent knows that a target is trustworthy, he will trust the target. We studied three particular examples, namely flat and hierarchical public key infrastructures, and PGP’s web of trust. In all of them, we have instantiated the network in a way that we found natural. We gave the interpretations of trust as a straightforward translation, from natural language, to predicate logic. Then we proceeded to prove equivalence between our model and the existing model. We have hence successfully applied our approach to these three examples. There is an important aspect that has not been discussed in this paper. The question whether the generalized semantics can be completely axiomatized. Due to the work on algebraization of predicate logic in [14], we expect that this is possible. Therefore, we will proceed to research such axiomatizations. They should axiomatize the core of all trust systems. Furthermore, it should be researched whether there is a way to generate axiomatizations given interpretations. If a standard way exists to axiomatize interpretations, then the axiomatizing existing systems is reduced to formalizing existing models in our formalism. Another interesting exercise would be to formalize more complex models, that do not have a simple and concise logical description. If there is a translation into our formalism, proving equivalence to the original might not be feasible for such systems. We are interested in formalizing simple recommender systems. Given that the number of possible ratings is finite, we should be able to describe the real world of recommender systems in our language. Our intuition is therefore that formalizing recommender systems should be possible in our formalism. An interesting existing formalism is subjective logic, as defined by Jøsang in [8]. In subjective logic, reasoning is done over opinions. It is assumed that these opinions are independent. This leads to the lack of idempotency of fusion in subjective logic. In subjective logic, fusing two identical opinions means fusing two different, independent opinions that happen to have the same value. Hence, we suspect that our methodology can be combined with subjective logic in a sequential way. Assume there is a way to transform arbitrary connection expressions to a form with independent fusion. Then we can input any network, reformulate it in an equivalent network, with only independent fusion, and apply subjective logic. Finally, it is worth studying probability instead of possibility. Every world will have a certain probability, depending on its valuation. Interpretations will no longer be black and white issues, but assign opinions to situations. We expect that this approach will lead to subjective logic, when all information is independent. If it is equivalent to subjective logic, that would strongly support both the probability approach and subjective logic. Furthermore, the probability approach should also be able to fuse opinions with overlapping information properly, hence extending subjective logic.

156

T. Muller

Acknowledgements Thanks to Sjouke Mauw and Baptiste Alcalde, for their input and steering. Thanks to Wojtek Jamroga for his advice regarding semantics of our model.

References 1. Baier, A.: Trust and antitrust. Ethics 96(2), 231 (1986) 2. Sobel, J.: Can we trust social capital? Journal of Economic Literature 40(1), 139– 154 (2002) 3. Lewis, J.D., Weigert, A.: Trust as a Social Reality. Social Forces 63(4), 967–985 (1985) 4. Barney, J., Hanson, M.: Trustworthiness as a source of competitive advantage. Long Range Planning 28, 127–127(1) (1995) 5. Staab, E., Fusenig, V., Engel, T.: Towards trust-based acquisition of unverifiable information. In: Klusch, M., Pˇechouˇcek, M., Polleres, A. (eds.) CIA 2008. LNCS (LNAI), vol. 5180, pp. 41–54. Springer, Heidelberg (2008) 6. Demolombe, R.: Reasoning about trust: A formal logical framework. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds.) iTrust 2004. LNCS, vol. 2995, pp. 291–303. Springer, Heidelberg (2004) 7. Montaner, M., L´ opez, B., de la Rosa, J.L.: A taxonomy of recommender agents on the internet. Artificial Intelligence Review 19, 285–330 (2003) 8. Jøsang, A.: A logic for uncertain probabilities. Int. J. Uncertain. Fuzziness Knowl.Based Syst. 9(3), 279–311 (2001) 9. Alcalde, B., Mauw, S.: An algebra for trust dilution and trust fusion. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 4–20. Springer, Heidelberg (2010) 10. Huth, M.R.A., Ryan, M.: Logic in computer science: modelling and reasoning about systems. Cambridge University Press, New York (2000) 11. Blackburn, P., Van Benthem, J., Wolter, F.: Handbook of Modal Logic. Springer, Heidelberg (2000) 12. Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press, Cambridge (2003) 13. Baltag, A., Moss, L.S., Solecki, S.: The logic of public announcements, common knowledge, and private suspicions. Technical report, Amsterdam, The Netherlands (1999) 14. Langel, J., Kohlas, J.: Algebraic structure of semantic information and questions. predicate logic: an information algebra. Technical Report 08-02, Department of Informatics, University of Fribourg (2008)

Semi-automatic Synthesis of Security Policies by Invariant-Guided Abduction Cl´ement Hurlin1,2 and H´el`ene Kirchner1 1

INRIA Bordeaux – Sud-Ouest, 351 avenue de la lib´eration, 33405 Talence, France 2 Microsoft R&D France, 39 quai du Pr´esident Roosevelt, 92130 Issy-les-Moulineaux, France [email protected]

Abstract. We present a specification approach of secured systems as transition systems and security policies as constraints that guard the transitions. In this context, security properties are expressed as invariants. Then we propose an abduction algorithm to generate possible security policies for a given transition-based system. Because abduction is guided by invariants, the generated security policies enforce security properties specified by these invariants. In this framework we are able to tune abduction in two ways in order to: (i) filter out bad security policies and (ii) generate additional possible security policies. Invariant-guided abduction helps designing policies and thus allows using formal methods much earlier in the process of building secured systems. This approach is illustrated on role-based access control systems.

1

Introduction

Security administration in large, open, distributed and heterogeneous environments has strongly motivated research on security policy specification and analysis, but is yet nowadays a challenge. There is a great amount of proposals for security languages and frameworks for access control and more generally security policies, but even with an expressive policy language, a user may have difficulty understanding the overall effects of a policy and may not foresee the consequences of composing several policies. To improve confidence, both logicbased languages and verification techniques have been set up, as well as security analysis concepts. Our approach is in the line of logic-based languages providing a well-understood formalism, amenable to verification, proof and analysis. We specify secured systems as transition systems whose states record the relevant security information in the current environment, and whose transitions model their changes. Security policy authorisations guard the transitions. Guards are constraints that are solved in the current state. The transition occur only when the constraint is satisfied and the changes may take into account the solutions of the constraint. In this context, the system and the policy that restrict it are given separately, but share a common language. Contrary to close related work (such as TLA [16]), this modular design allows to plug-in different security P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 157–175, 2011. c Springer-Verlag Berlin Heidelberg 2011 

158

C. Hurlin and H. Kirchner

policies and to compare them. Transition rules and constraints are expressed in first-order logic. Many security properties can then be expressed as invariants of the transition system and verified: invariants are first-order formulae that should hold in any state of the system restricted by the policy. Our main contribution is to show how to synthesise security policies that enforce given invariants. Using abduction, the method consists in trying to prove the desired properties - invariants - and inspecting failed proof attempts to guess security policies. While current approaches on security analysis use formal methods to validate already existing security policies, invariant-guided abduction helps designing policies and thus allows using formal methods much earlier in the process of building secured systems. The modular design of system and policy described above is essential for the abduction algorithm, that requires that the system’s states and transitions are defined before generating policies. Our approach uses first-order deduction: it can be implemented in frameworks using transition systems and whose proof obligations can be discharged with sequent calculus (such as TLA [16] or B [3]). In Sec. 2, we define secured systems and security policies using standard firstorder logic. In Sec. 3, we show how to prove invariants of secured systems inductively. In Sec. 4, we present our abduction algorithm that proposes possible security policies satisfying by construction such invariants. We also provide some heuristics for choosing between different possibilities, when any. In Sec. 5, the synthesis method is illustrated on a role-based access control (RBAC) system. Finally, we discuss related work and give further perspectives in Sec. 6.

2

Secured Systems and Security Policies

In order to model security policies applied to a system, we choose to model the part of information in the system relevant to security as a state, the evolution of this information as a transition relation, and the policy as a constraint that restricts the transition relation. For instance in a role-based access control (RBAC) [24,12,18] policy, the state is built from current information on users, sessions, roles, inheritance relation; the transition relation is defined from events like create a session or assign a role whose parameters are abstractly defined but should instantiate on actual users, sessions, roles... in the current state where the event occurs; the effect of a transition triggered by an event create a session is to modify the current state of information for instance by opening a session for a current user and giving him a list of actual roles. The security policy should constrain this transition to cases where the session is not yet opened and the actual roles are allowed for the current user in the current state where the event occurs. In this approach the transition rules and the policy constraints are specified abstractly with first-order formulae but their evaluation is performed in a changing environment which is the current state of information in the system. A specification SP consists of a signature Σ = (S, F , P) with a set of sorts S, a set of functions F , a set of predicates P, together with a set of Σ-formulae T.

Semi-automatic Synthesis of Security Policies

159

Because in this paper, the functions purpose is only to build events, we require: (1) S contains a sort Event, (2) functions and predicates do not have Event in their domains, and (3) functions all have Event as co-domain. Lists of variables (x1 , . . . , xn ) are denoted simply x, f (x) (resp. p(y)) denotes f (x1 , . . . , xn ) (resp. p(y1 , . . . , ym )) when f is a function of Σ of arity n, (resp. p is a predicate of arity m), and x = x denotes component-wise equality of lists of variables. For example, the specification of a RBAC system [24,12,18] can be given as follows: ⎧ ⎫ UR : User × Role ⎪ ⎪ ⎪ ⎪   ⎨ ⎬ User , Role, Roles user : Session × User Δ Δ sorts S = predicates P = Session, Event role : Session × Role ⎪ ⎪ ⎪ ⎪ ⎩ ⎭ ≤ : Role × Role ⎧ ⎫ createSession : User × Session × Roles → Event ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ addActiveRole : User × Session × Role → Event ⎪ ⎪ ⎪ ⎪ ⎪ ⎨ ⎬ dropActiveRole : User × Session × Role → Event Δ functions F = deleteSession : User × Session → Event ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ assignRole : User × Role → Event ⎪ ⎪ ⎪ ⎪ ⎩ ⎭ addInheritance : Role × Role → Event ⎧ ⎫ ⎪ ⎪ ⎪ ∀x.x ≤ x ⎪ ⎨ ⎬ ∀x y z.x ≤ y ∧ y ≤ z ⇒ x ≤ z Δ theory T = ∀x y.x ≤ y ∧ y ≤ x ⇒ x = y ⎪ ⎪ ⎪ ⎪ ⎩ ⎭ ∀u r r .UR(u, r) ∧ r ≤ r ⇒ UR(u, r ) Δ SPRBAC = ((S, F, P), T)

To keep the specification small, we omit objects and operations, as well as administrative commands and review functions [18]. Predicate UR(u, r) indicates that role r is assigned to user u; user(s, u) (SU in [18]) indicates that user u opened session s; role(s, r) (SR in [18]) indicates the set of roles activated by session s’ user; and ≤ (IN H in [18]) specifies the hierarchy between roles. Functions specify events. The theory states that ≤ is an order and axiomatizes the hierarchy of roles. The states of the system are first-order SP-interpretations I that map sorts and predicates into sets. We refer to [8] for the precise definitions. Because in this paper, functions only represent events, they do not appear in formulae and we can leave them uninterpreted. Fig. 1 shows an SPRBAC -interpretation: IRBAC . It represents the state of a system where the set of users includes Bob, role Secretary is assigned to Bob, Bob opened session 0 and Bob associated roles Secretary and Worker with session 0. 2.1

Transitions

The transition rules of the system describe the evolution of the states when specific events occur.

160

C. Hurlin and H. Kirchner

IRBAC

⎧ User ⎪ ⎪ ⎪ ⎪ Role ⎪ ⎪ ⎪ ⎪ ⎨ Session Δ = UR ⎪ ⎪ ≤ ⎪ ⎪ ⎪ ⎪ ⎪ user ⎪ ⎩ role

→  →  →  →  →  →  →

⎫ {Alice, Bob} ⎪ ⎪ ⎪ ⎪ {Secretary , Worker } ⎪ ⎪ ⎪ ⎪ N ⎬ {(Alice, Worker ), (Bob, Secretary )} ⎪ ⎪ {(Worker , Secretary )} ⎪ ⎪ ⎪ ⎪ {(0, Bob)} ⎪ ⎪ ⎭ {(0, Secretary ), (0, Worker )}

Fig. 1. Definition of a SPRBAC -interpretation: IRBAC

Definition 1 (Transition rule). A transition rule (or simply rule) over a specification SP is a pair “f (x) : action” where: 1. f (x) is called the pattern and variables in x are called parameters; 2. action is a •-separated list of atomic actions of the form p(y) | φ or ¬p(y) | φ. In an action p(y) | φ, some variables in y may be parameters, and φ’s free variables must occur in x ∪ y (similarly for negated atomic actions). Given a transition rule r, we denote by pattern(r) (resp. action(r)) the pattern (resp. the action) of r. The separator between actions (•) can be understood as a conjunction: the effect of act 1 • act 2 is the effect of performing act 1 and act 2 . Intuitively, the atomic action p(y) | φ (resp. ¬p(y) | φ) means that the interpretation of predicate p is made true (resp. false) for instances of free variables in y that satisfy φ. When φ is the true formula , we simply write p(y) instead of p(y) | . A transition rule f (x) : action is triggered when a specific event f (t) occurs: this event is an instance of the rule’s pattern by a substitution that must instantiate all parameters by constants. In order to express easily the relation between two consecutive interpretations (given later in Def. 3), we assume that for any transition rule, for any predicate p, p appears at most once in the event’s action (similarly for ¬p). This is not a real restriction, because an action of the form p(y0 ) | φ • p(y1 ) | ψ can be written as p(y) | (y = y0 ∧ φ) ∨ (y = y1 ∧ ψ). As an example, Fig. 2 lists the transitions for the role-based access control system (RBAC). createSession(u, s, rs) : user (s, u) • role(s, r0 ) | r0 ∈ rs addActiveRole(u, s, r) : role(s, r) dropActiveRole(u, s, r) : ¬role(s, r) deleteSession(u, s) : ¬user (s, u) • ¬role(s, r0 ) assignRole(u, r) : UR(u, r) addInheritance (r0 , r1 ) : r0 ≤ r1 Fig. 2. Transition rules: pairs of a pattern and a list of (action | condition)

For later developments, we need to formalise that actions reflect the effect of a transition on a state. We do this by specifying the relation between a given

Semi-automatic Synthesis of Security Policies

161

state and its successor with a first-order formula built from the transition rule’s actions. This relation consists of three parts: facts set to true, facts set to false, and facts unchanged. Before giving the relation between consecutive states in details, we define the semantics of these relations. This semantics is adapted from TLA [16]. Given two consecutive states I and I  , we follow TLA’s convention of using non-primed (resp. primed) formulae to indicate formulae interpreted w.r.t. I (resp. I  ). Definition 2 (Two-states relations and their interpretation). Let I and I  be two SP-interpretations. A two-states relation on I and I  is a formula that can contain both non-primed and primed predicates. Non-primed predicates are interpreted by I while primed predicates are interpreted by I  . Formally: I; I  I; I  I; I  I; I 

|= p(t1 , . . . , tn ) |= p (t1 , . . . , tn ) |= ¬p(t1 , . . . , tn ) |= ¬p (t1 , . . . , tn )

iff iff iff iff

I(p)(t1 , . . . , tn ) =  I  (p)(t1 , . . . , tn ) =  I(p)(t1 , . . . , tn ) = ⊥ I  (p)(t1 , . . . , tn ) = ⊥

where the ti ’s are variables or constants. Connectors and quantifiers interpretations are similar to the single-state case. As before we leave functions uninterpreted, because our formulae do not include function symbols (even though we use functions to represent events). We write φ to denote formula φ where all predicates have been primed. The formula φ can also be seen as a formula in temporal logic where, instead of priming predicates, they would be enclosed by a next operator X. To simplify the generation of the relation between two consecutive states (see Def. 3), we suppose that actions are put in some normal form. Given a transition rule f (x) : action, action is normalised iff for any p(y) | φ appearing in action, we have y ∩ x = ∅ (similarly for negated actions). Actions are normalised using the following rewrite system: p(y0 , x, y1 ) | φ → p(y0 , y, y1 ) | y = x ∧ φ ¬p(y0 , x, y1 ) | φ → ¬p(y0 , y, y1 ) | y = x ∧ φ

where y is a fresh variable where y is a fresh variable

Definition 3 (Relation between consecutive states). The relation between a SP-interpretation I and its successor I  after a transition r is a first-order formula denoted by relation(r) built by inspecting the effect of action(r) on predicates declared in SP. Let r be “f (x) : act ”. For each predicate p : S1 × · · · × Sm declared in SP, we define:  Δ

relationp (r) = relation¬ p (r)

 Δ

=

∀y.φ ⇒ p (y) if p(y) | φ ∈ act  if p(y) | φ ∈ act

∀y.φ ⇒ ¬p (y) if ¬p(y) | φ ∈ act  if ¬p(y) | φ ∈ act

162

C. Hurlin and H. Kirchner

⎧  ∀y.¬φ ∧ ¬ψ ⇒ p (y) ⇔ p(y) ⎪ ⎪ ⎪ ⎪ if p(y) | φ ∈ act and ¬p(y) | ψ ⎪ ⎪  ⎪ ⎪ ⎪ ∀y.¬φ ⇒ p (y) ⇔ p(y) ⎪ ⎪ ⎨ if p(y) | φ ∈ act and ¬p(y) | ψ Δ  relationequiv (r) = p ⎪ ∀y.¬ψ ⇒ p (y) ⇔ p(y) ⎪ ⎪ ⎪ ⎪ if p(y) | φ ∈ act and ¬p(y) | ψ ⎪ ⎪ ⎪  ⎪ ∀y.p (y) ⇔ p(y) ⎪ ⎪ ⎩ if p(y) | φ ∈ act and ¬p(y) | ψ

∈ act ∈ act ∈ act ∈ act



Above, as explained in Def. 2, predicate p is interpreted as predicate p in interpretation I  . Finally, the relation between two consecutive states is:

Δ equiv relation(r) = ∃x. p ∈ SP relationp (r) ∧ relation¬ (r) p (r) ∧ relationp For later convenience, we define: Δ quantifiers(r) = ∃x

updt Δ ¬ relation∃ (r) = p ∈ SP relationp (r) ∧ relationp (r)

Δ ¬ equiv relation∃ (r) = (r) p ∈ SP relationp (r) ∧ relationp (r) ∧ relationp

2.2

Secured Systems

In our framework, transition systems over structures are simply called systems. Security policies restrict possible transitions to obtain secured systems. This section defines these components. Definition 4 (System). Given a specification SP, a formula init representing initial conditions, and a set τ of transition rules; the system S = SP, init, τ  is the transition system such that: – the set of initial states is: {I0 | I0 is an SP-structure and I0 |= init}. evt – the transition relation −−→S is such that, for any event evt = σ(pattern(r)) evt with r ∈ τ , I −−→ I  whenever I; I  |= σ(relation(r)). Definition 5 (Security policy). Given a specification SP, a security policy ℘ is a function that maps all patterns to SP-formulae. Given a SP-interpretation I, a policy ℘, a transition rule r, and an event evt = σ(f (x)) = σ(pattern(r)), evt is authorised by ℘ in I iff I |= σ(℘(f (x))) holds. Fig. 3 shows how to define policy ℘RBAC for the RBAC system given before. Let us suppose that the event createSession(Alice, 0, {Secretary, Worker }) occurs in an RBAC system whose state is interpretation IRBAC given in Fig. 1. The policy checks if the following holds:   ∀u0 .¬user (0, u0 ) ∧ ∀r0 .¬role(0, r0 ) IRBAC |= ∧ ∀r0 .r0 ∈ {Secretary, Worker } ⇒ UR(Alice, r0 ) But this does not hold, because user (0, Bob) in IRBAC contradicts the first conjunct. Having 1 as createSession’s second parameter in the event would make it hold.

Semi-automatic Synthesis of Security Policies

℘RBAC

⎧ ⎪ ⎪ createSession(u, s, rs) ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎨ addActiveRole(u, s, r) Δ = dropActiveRole(u, s, r) ⎪ ⎪ deleteSession(u, s) ⎪ ⎪ ⎪ ⎪ assignRole(u, r) ⎪ ⎪ ⎩ addInheritance(r0, r1 )



→ → → → → →

∀u0 .¬user (s, u0 ) ∧ ∀r0 .¬role(s, r0 ) ∧ ∀r0 .r0 ∈ rs ⇒ UR(u, r0 ) user (s, u) ∧ UR(u, r) user (s, u) ∧ role(s, r) user (s, u) ¬(r1 ≤ r0 )

163 ⎫ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎬ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎭

Fig. 3. Policy for RBAC

Definition 6 (Secured system). Given a system S = SP, init, τ  and a policy ℘, we denote by S|℘ = SP, init, τ ℘ the ℘-secured system built from S. S|℘ is the transition system such that: – the set of initial states is: {I0 | I0 is an SP-structure and I0 |= init} evt – the transition relation −−→S ℘ is such that, for any event evt = σ(pattern(r)) with r ∈ τ :  iff I −−→S I  ∧ I |= σ(℘(pattern(r))) I −−→S ℘ I evt

evt

∗

Let −→S ℘ denote the reflexive transitive closure of this transition relation.

3

Invariants of Secured Systems

Because secured systems are transition systems, they support reasoning about temporal formulae, in particular invariants. Formally, given a secured system S|℘ = S, init , τ ℘ , formula φ is an invariant of S|℘ (written S|℘ |=  φ) if ∗ for any initial state I0 , I0 |= φ and ∀ I.I0 −→S ℘ I ⇒ I |= φ. Like in TLA, an invariant can be checked inductively i.e. by checking that it is true in the initial state and it is preserved by every step of the transition system. In Definition 3, σ(pattern(r))

we wrote the relation that exists between I and I  when I −−−−−−−−→ I  : it is relation ∃ (r). Furthermore, the security policy forces I |= σ(℘(pattern(r))) to hold. By generalizing over all possible events (i.e. over σ), we have to prove: init ⇒ φ and for any r ∈ τ :   (INV) φ ∧ quantifiers(r).relation ∃ (r) ∧ ℘(pattern(r)) ⇒ φ Using this method, we can prove that the RBAC system shown before, secured by policy ℘RBAC , enforces the invariant that sessions are either unassigned or assigned to a unique user: ∀s.(∀u.¬user (s, u)) ∨ (∃! u.user(s, u))

164

C. Hurlin and H. Kirchner

For example, to prove that Fig. 2’s transition rule createSession preserves this invariant,we have to prove:  ∀s0 .(∀u0 .¬user (s0 , u0 )) ∨ (∃! u0 .user(s0 , u0 )) φ ∧ ∃u s rs. ⎫quantifiers(r) user  (s, u) ∧ ∀r0 .r0 ∈ rs ⇒ role  (s, r0 ) ⎪ ⎪ ⎬ ∧ ∀s0 u0 .s0 = s ∨ u0 = u ⇒ (user  (s0 , u0 ) ⇔ user (s0 , u0 )) relation ∃ (r)  ∧ ∀s0 r0 .s0 = s ∨ r0 ∈ rs ⇒ (role (s0 , r0 ) ⇔ role(s0 , r0 )) ⎪ ⎪ ⎭  ∧ ∀u  0 r0 .UR (u0 , r0 ) ⇔ UR(u0 , r0 )   ∀u0 .¬user (s, u0 ) ∧ ∀r0 .¬role(s, r0 ) ∧ ℘(pattern(r)) ∧ ∀r0 .r0 ∈ rs ⇒ UR(u, r0 ) ⇓   ∀s0 .(∀u0 .¬user  (s0 , u0 )) ∨ (∃! u0 .user  (s0 , u0 )) φ This implication can be proven with any theorem prover that accepts firstorder logic with equality and set theory. Alternatively, the RBAC system and its security policy can be encoded in TLA [16] or B [3], and this invariant can be proven using these tools.

4

Abduction Algorithm

In this section, we present our abduction algorithm. In Sec. 4.1, we show a standard abduction algorithm for first-order logic and sequent calculus based on Mayer and Pirri [19]. In Sec. 4.2, we show how our application domain helps in selecting good candidate security policies1 for abduction, then in Sec. 4.3, we show how it helps generating additional candidates. We assume here that we have a proof search procedure in first-order logic. Given SP = (Σ, T), we write φ SP ψ to denote that φ and the theory T entail ψ. We omit the SP subscript when it is clear from the context. We require the proof search procedure to be correct w.r.t. |=, i.e.: if φ (Σ,T) ψ 4.1

then T |= φ ⇒ ψ

Abduction Problem

An abduction problem in our application domain is a triple SP; τ ; φ where φ is an invariant that should be respected by any system S = SP, init, τ . A solution to this abduction problem is a policy ℘ that associates to each transition rule r ∈ τ a SP-formula such that transitions of any secured system S|℘ preserves φ. This means that for any r ∈ τ , ℘ must satisfy:   φ ∧ quantifiers(r).relation ∃ (r) ∧ ℘(pattern(r)) ⇒ φ 1

Abduction is mainly used in the AI community, where the term explanation denotes abducted formulae. In this paper, however, we prefer the term “candidate policy” or “candidate”.

Semi-automatic Synthesis of Security Policies

165

Following Mayer and Pirri [19], we use unfinished proofs in classical natural deduction (specifically NK [13]) to find an appropriate ℘(pattern(r)) above. A sequent ς in natural deduction is a construct of the form ψ1 , . . . , ψn  ξ where ψ1 , . . . , ψn are hypotheses and ξ is the goal. In other terms, such a sequent can be interpreted as the implication ψ1 ∧ · · · ∧ ψn ⇒ ξ. With Γ ranging over sets of formulae, we sometimes write sequents Γ  ξ. Given a sequent, proof trees are built using inference rules [13]. In a proof tree, a leaf is closed if it is an axiom. Otherwise it is open. We say that a formula ψ is the candidate policy of an open leaf ς, if adding ψ to ς’s hypotheses closes ς. Usually [19], a candidate policy of an open leaf ς is ς’s goal or the negation of an hypothesis of ς. This definition of candidate policy, however, is too coarse for our application domain. That is why we add contexts in order to complete candidate policies with the part of the hypotheses involving non-parameter variables: Definition 7 (Context of a formula). Given a transition rule r, a sequent ψ1 , . . . , ψn  ξ, and a formula ϕ; the context of ϕ in ψ1 , . . . , ψn  ξ (written ctx(r, {ψ1 , . . . , ψn }, ϕ)) is a formula of the form Q1 x1 . . . Qn xn . ζ ⇒ ϕ such that (1) ζ is a conjunction of the formulae ψi (1 ≤ i ≤ n) that contain ϕ’s variables that are not parameters of rule r and (2) Q1 x1 , . . . , Qn xn quantify over those variables. For example, given r = createSession(u, s, rs), we have: Δ ctx (r, {u0 = u, u0 = Bob}, user(s, u)) = user (s, u) Δ ∀u0 .u0 = u ⇒ user(s, u0 ) ctx (r, {u0 = u, u = Bob}, user(s, u0 )) = Δ ∀s0 u0 .u0 = u ∧ s0 = s ⇒ user(s0 , u0 ) ctx (r, {u0 = u, s0 = s}, user(s0 , u0 )) =

Computing contexts consists in (1) gathering hypotheses about nonparameter variables in candidate policies (variables that are not quantified and that are not parameters of the event) and (2) quantifying appropriately these variables. Point (2) is similar to reverse skolemization [9,19]. Because later use of contexts is no more complex than the above examples and because computing contexts is orthogonal to this paper’s topic, we do not detail it. Computing contexts is useful to return weaker security policies in the following sense: for any r, Γ and ϕ, if ctx (r, Γ, ϕ) = Q1 x1 , . . . , Qn xn .ζ ⇒ ϕ, we have ϕ ⇒ (ζ ⇒ ϕ). Candidate policies are built in two ways: Definition 8 (Positive candidate policy). Given an abduction problem SP; r; φ, the positive candidate policy of the open leaf Γ  ξ is ctx(r, Γ, ξ) ⇒ ξ. Definition 9 (Negative candidate policies). Given an abduction problem SP; r; φ, the set of negative candidate policies of the leaf Γ  ξ is: {ϕ | ϕ = (ctx(r, Γ, ψ) ⇒ ¬ψ) and ψ ∈ Γ } Candidate policies are used to build solutions to abduction problems: Definition 10 (Solution to an abduction problem). Given an abduction problem SP; r; φ, and a proof tree of φ ∧ (quantifiers(r).relation∃ (r) ∧ ℘(r))  φ whose open leafs are ς1 , . . . , ςn , a solution to the abduction problem consists of:

166

C. Hurlin and H. Kirchner

1. n non-empty sets of formulae Γ1 , . . . , Γn such that for any 1 ≤ i ≤ n, Γi is the set of (positive and negative) candidate policies of leaf ςi . 2. A choice function such that (Γi ) ∈ Γi . Given those two elements, a policy preserving invariant φ when transition r fires in a system SP, init, r is ℘ = {pattern(r) → ε(Γ1 ) ∧ . . . ∧ ε(Γn )}. This definition generalises straightforwardly to systems with multiple transition rules. When abducting policies for systems with multiple transitions, we can obtain contradictory policies (such as policy ψ for an event and policy ¬ψ for another event). While we provide no way - in this paper - to detect such inconsistent policies (because our approach is per transition), this could be detected by additional semantical checks involving candidate policies abducted for different events. This problem does not harm, however, the soundness of our approach. Theorem 1 (Correctness of abduction). Given a system S = SP, init, τ , a solution ℘ to the abduction problem SP; τ ; φ and a proof that S’s initial states satisfy invariant φ (i.e. SP |= init ⇒ φ); then S|℘ |=  φ. While Def. 10 shows how to build a policy preserving an invariant, it can be improved in two ways. First, some candidate policies are not acceptable in our framework and must be filtered out. Second, for abduction to succeed all sets of candidate policies Γ1 , . . . , Γn must be non-empty. If the brute force method does not allow to close all branches, more candidates have to be found. Sec. 4.2 and Sec. 4.3 tackle these two problems. 4.2

Domain-Specific Filtering of Candidate Policies

Because abduction is all about finding good candidate policies, we now define various filtering criteria that exclude “bad” candidates. The first level of filtering eliminates candidate policies syntactically. Syntactical filtering rules out policies that are unrelated to the transition considered or that constrain the next state. E.g, filtering forbids invariants to be candidate policies, because invariants do not have free variables. Definition 11 (Acceptable candidate policy). Formula ψ is an acceptable candidate policy for the abduction problem SP; r; φ iff all the following conditions hold: 1. At least one parameter of rule r occurs in ψ as a free variable. 2. ψ contains a user-defined predicate. 3. ψ contains no primed predicate. The second level of filtering eliminates candidate policies semantically, because it requires proof search. Intuitively, we should check that a candidate policy ψ is not a consequence of the transition’s action. Otherwise, having this candidate as a policy would mean “require ψ to be true before setting ψ to true“.

Semi-automatic Synthesis of Security Policies

167

Definition 12 (Good candidate policy). Formula ψ is a good candidate policy for the abduction problem SP; r; φ iff the following formula holds: (r) ⇒ ψ  ) ¬(quantifiers(r).relation updt ∃ The two levels of filtering eliminate some candidate policies in Def. 10. Instead of considering all candidates of open leafs, we consider only good candidates. Yet, it is possible to get several good candidates so that some choice must be made. In this case, we order candidate policies to help make this choice. Definition 13 (Order on candidate policies). A choice strategy is a function f whose domain is the set of formulae and whose range is some set R such that there is a relation ≤R such that (R, ≤R ) is a partial order. We say that ψ is a better candidate policy than φ if f (φ) ≤ f (ψ). A standard order (called minimality [19, Sec. 1.1]) is the function f such that f (φ) ≤ f (ψ) iff φ  ψ. While this order is powerful, it is only partial (there are φ and ψ such that φ  ψ and ψ  φ). Due to our application domain, however, we can provide other orders. For example, cheap total orders include the functions that count the number of free or quantified variables in candidate policies. Intuitively, such orders are useful because - in our application domain - (1) Free variables in candidate policies are parameters of transition rules (e.g. u, s, and rs in createSession’s policy in Fig. 3). Because policies typically constrain parameters of transition rules, best candidate policies maximise the number of free variables. (2) Universally quantified variables occur as arguments of predicates (e.g. u0 and r0 in createSession’s policy in Fig. 3). Because this often indicates too strong candidate policies, best candidates minimise the number of universally quantified variables. As usual, such orders can be combined. For example, let f (resp. g) be the function of type Formula → N that counts free (resp. universally quantified) variables in formulae. A cheap and useful order is the syntactical lexicographical order ≤vars built from f and g:  φ ≤vars ψ iff f (φ) < f (ψ) or f (φ) = f (ψ) and g(φ) > g(ψ) Orders on candidate policies may already arise in Def. 10, because the choice function ε can be defined in terms of orders. Typically, ε must satisfy: ∀Γ.∀ψ ∈ Γ.ε(Γ ) ≤ ψ. 4.3

Domain-Specific Generation of Candidate Policies

As Def. 10 shows, abduction fails if one open leaf does not have any candidate policy. In this section, we show how to avoid some failures of abduction by generating more candidates than the standard techniques given in Def. 8 (positive candidates) and Def. 9 (negative candidates). First, we show how our application domain allows the generation of additional negative candidate policies.

168

C. Hurlin and H. Kirchner

Definition 14 (Additional negative candidate policies). Given an abduction problem SP; r; φ and an open leaf Γ  ξ, the set of negative candidate policies of this leaf is:     ϕ = (ctx(r, Γ, ψ) ⇒ ¬ψ), ζ ∈ Γ, Γ ⇒ ψ holds,  ϕ  and ψ is ζ where primes have been removed Def. 14 tries to “guess” negative candidate policies by removing primes from hypotheses of open leafs. This guessing is motivated by three reasons specific to our application domain. First, hypotheses of sequents often contain primed predicates. This stems from the fact that invariants often have the form Q1 x1 . . . Qn xn .ψ  ⇒ ξ  where Q1 , . . . , Qn are quantifiers and ψ  and ξ  are quantifier free. Because proofs of such formulae typically follow the pattern: ψ  ξ ⇒-R  ψ ⇒ ξ (Quantifier elimination)  Q1 x1 . . . Qn xn .ψ  ⇒ ξ  primed formulae (e.g. ψ  ) end up in hypotheses. The second reason that motivates Def. 14 is that candidate policies should contain no primes. The third reason is that formulae obtained after removing primes can often be proved, because - by construction - proof obligations contain equivalences between nonprimed and primed predicates (see Def. 3) as hypotheses. Second, we show how to generate additional positive candidate policies. To do this, we impose the proof search algorithm to follow a general pattern, which is guided by our application domain. First, let us recall that proof obligations in our framework have exactly this form: φ ∧ (quantifiers(r).relation ∃ (r) ∧ ψ) ⇒ φ Now, suppose that the invariant φ is in prenex form i.e. it has the form Q1 x1 , . . . , Qn xn .ξ where ξ is quantifier free and Q1 , . . . , Qn ∈ {∀, ∃}. This is not a restriction, because any first-order formula can be transformed into an equivalent prenex formula.Furthermore, we know that quantifiers(r) is a sequence of existential quantifiers (see Def. 3). Therefore, we impose the proof search to start as follows: (1) remove the top-level implication, (2) remove all quantifiers in front of φ , (3) split the conjunction in the hypotheses, (4) remove all quantifiers in front of quantifiers(r).relation ∃ (r) ∧ ψ, and (5) perform case splits on equality and membership between variables introduced in steps 2 and 4. To help the reader understand this proof strategy, we illustrate it for a transition rule with a single parameter y and the invariant ∀x, x.φ. We abbreviate relation ∃ (r) ∧ ψ by ξ: y = x, y ∈ x, φ, ξ  φ

y = x, y ∈ x, φ, ξ  φ

y = x, y ∈ x, φ, ξ  φ

φ, ξ  φ φ, ∃y. ξ  φ φ ∧ ∃y. ξ  φ

Step (4) Step (3)

φ ∧ ∃y. ξ  ∀x, x.φ  φ ∧ ∃y. ξ ⇒ ∀x, x. φ

Step (2) Step (1)

y = x, y ∈ x, φ, ξ  φ Step (5)

Semi-automatic Synthesis of Security Policies

169

Why is this proof search pattern relevant for our application domain ? To answer this question, suppose we want to enforce invariant ∀x.p(x). In events that modify the truth value of p(y) for some y, the proof of the invariant will perform a case split: (1) show that p(x) holds for any x = y and (2) show that p(y) holds. Typically, goal (1) follows from the hypotheses that the invariant holds before the event (because the truth value of p(x) is unchanged in the transition); while goal (2) follows from the policy (because the truth value of p(y) is changed by the transition). Doing case split in low positions in proof trees impacts abduction in two ways: first, it helps generating good candidate policies, because the generated proof trees distinguish between parameters of the transition rule from other variables; this mirrors the fact that policies constrain differently parameters of transition rules and other variables (as all rules of Fig. 3’s RBAC policy exemplify). Second, having case splits in proof trees permits to gather positive candidate policies in lower positions than open leaves, as we detail in the next paragraphs. To justify how to find additional positive candidate policies, let us consider rule ⇒-E of the sequent calculus: ψ1 , . . . , ψn  ξ ⇒ ϕ ψ1 , . . . , ψn  ξ ⇒-E ψ1 , . . . , ψ n  ϕ Rule ⇒-E means: to prove ϕ when ξ ⇒ ϕ holds, it suffices to prove ξ. In this inference rule, ϕ can be seen as the reason why ξ appears as a goal. Definition 15 (Additional positive candidate policy). Given an abduction problem SP; r; φ and an open leaf Γ  ξ, the corresponding positive candidate policy is obtained as follows: – If ctx(r, Γ, ξ) ⇒ ξ is a good candidate, it is the positive candidate policy. – Otherwise, the positive candidate policy is the goal of the first sequent (below the open leaf and above case splits involving parameters from the transition rule) whose inference rule is ⇒-E and whose goal is a good candidate policy. Def. 15 means that if the goal of the open leaf is inappropriate, the algorithm looks for the reason why this branch of the proof tree has been started during proof search and returns this reason as the positive candidate policy. Collecting positive candidate policies by traversing proof trees from top to bottom can be inadequate if it goes all way down to the root of the proof tree (i.e. the root’s goal is taken as the leaf’s positive candidate policy). Because we impose a proof strategy, however, we can stop traversing the proof tree from top to bottom when a case split involving parameters of the transition rule is encountered. This avoids returning the desired invariant as candidate policy. Furthermore, because proof trees occurring above case splits represent radically different cases, candidate policies for a given open leaf should not be chosen below a case split: such a candidate would not be specific to the open leaf’s case.

170

5

C. Hurlin and H. Kirchner

Case Study: Role-Based Access Control Systems

We show how to synthesise a policy for event createSession(u, s, r) that enforces the invariant that activated roles are assigned to users: ∀s u r.user (s, u) ∧ role(s, r) ⇒ UR(u, r) Given the effect of event createSession(u, s, r) (it is user(s, u)• role(s0 , r0 ) | s0 = s ∧ r0 ∈ r as shown in Fig. 2), abduction consists in finding ψ such that:  ∀s0 u0 r0 .user (s0 , u0 ) ∧ role(s0 , r0 ) ⇒ UR(u0 , r0 ) φ ∧ ∃u s r. ⎫ user  (s, u) ∧ ∀r0 .r0 ∈ r ⇒ role  (s, r0 ) ⎪ ⎪ ⎪ ∧ ∀s0 u0 .s0 = s ∨ u0 = u ⇒ user  (s0 , u0 ) ⇔ user (s0 , u 0 ) ⎪ ⎬ ∧ ∀s0 r0 .s0 = s ∨ r0 ∈ r ⇒ role  (s0 , r0 ) ⇔ role(s0 , r0 ) hyps[1, . . . , 5] ⎪ ⎪ ∧ ∀u0 r0 .UR  (u0 , r0 ) ⇔ UR(u0 , r0 ) ⎪ ⎪ ⎭ ∧ψ ⇓   ∀s0 u0 r0 .user  (s0 , u0 ) ∧ role  (s0 , r0 ) ⇒ UR  (u0 , r0 ) φ We detail a classical proof trial of the formula above (see this trial in Coq [1]) that follows all steps of the proof search strategy defined in 4.3. In this example, this strategy transforms the goal into 8 subgoals: (1) hyps ∧ s0 = s ∧ u0 = u ∧ r0 ∈ r  user  (s, u) ∧ role  (s, r0 ) ⇒ UR  (u, r0 ) (2) hyps ∧ s0 = s ∧ u0 = u ∧ r0 ∈ r  user  (s, u) ∧ role  (s, r0 ) ⇒ UR  (u, r0 ) .. . (8) hyps ∧ s0 = s ∧ u0 = u ∧ r0 ∈ r  user  (s0 , u0 ) ∧ role  (s0 , r0 ) ⇒ UR  (u0 , r0 ) We now show how a typical proof trial for subgoal (1) proceeds. In our application domain, a standard proof search strategy is to prove goals containing primed predicates by transforming them into non-primed predicates. This is reasonable, because we have equivalences between primed and non-primed predicates in hypotheses. This works, because our hypotheses (the invariant and policies) are not-primed. This proof search strategy proceeds as follows on subgoal (1) (where we omit some trivial leafs and where ξ abbreviates s0 = s ∧ u0 = u ∧ r0 ∈ r): stuck! φ, hyps, ξ, user  (s, u), role  (s, r0 ) user (s, u)

stuck! · · · role(s, r0 )

φ, hyps, ξ, user  (s, u), role  (s, r0 ) user (s, u) ∧ role(s, r0 ) φ, hyps, ξ, user  (s, u), role  (s, r0 ) UR(u, r0 ) φ, hyps, ξ, user  (s, u), role  (s, r0 ) UR  (u, r0 ) φ, hyps, ξ user  (s, u) ∧ role  (s, r0 ) ⇒ UR  (u, r0 )

∧-I ⇒-E and φ

⇒-E and hyps[5] ⇒-I

Proof search is stuck in two leafs, because each respective goal is a non-primed predicate, and no hypothesis matches it. We detail how the candidate policies for the left open leaf are obtained (the case of the other leaf is similar). This leaf’s

Semi-automatic Synthesis of Security Policies

171

goal (user (s, u)) is an acceptable positive candidate: it contains only non-primed user-defined predicates and two variables of the event (s and u). It is not, however, a good candidate, because it is incompatible with createSession’s actions: createSession sets user (s, u) to true. Incompatibility is detected by proving the following formula (where moustaches refers to Def. 12 to show how the sequent is built systematically): quantifiers(createSession(u,s,r))

   ∃u s r.

¬

relation updt (createSession(u,s,r)) ∃

ψ

      user  (s, u) ∧ ∀r0 .r0 ∈ r ⇒ role  (s, r0 ) ⇒ user  (s, u)

Because the candidate policy user (s, u) is not a good one, we use Def. 15 to look for other candidates in lower positions in the proof tree (as indicated by grey background). Because the positive candidate policy ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) (built from the goal UR(u, r0 ) and the goal’s context) (1) is under an application of rule ⇒-E and (2) is a good candidate, it is returned by the algorithm. This closes subgoal (1). However, the proof is stuck in subgoal (2) in the same position as subgoal (1): the resulting proof tree is the same except that ξ abbreviates s0 = s∧u0 = u∧r0 ∈ r. In this subgoal, the positive candidate policy ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) is produced. In addition, negative candidates are found. Because user  (s, u) and role  (s, r0 ) occur in the leaf’s hypotheses; the provability of user (s, u) and role(s, r0 ) are checked (as in Def. 14). Because role(s, r0 ) is provable and is good, the negative candidate policy ∀r0 .r0 ∈ r ⇒ ¬role(s, r0 ) is produced. To recap, after abducting the constraint ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) for goal (1), one of the two candidate policies below should be chosen for goal (2): ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) or ∀r0 .r0 ∈ r ⇒ ¬role(s, r0 ) Because choosing the first candidate policy would make the constraint equivalent to ∀r0 .UR(u, r0 ) (which is very restrictive), it indicates that the second candidate should be chosen. Sec. 4’s syntactical order ≤vars selects the good candidate if we use the already abducted constraint, because the following holds:     ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) ≤vars ∧ ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) ∧ ∀r0 .r0 ∈ r ⇒ role(s, r0 ) Choosing the second candidate policy and completing the proof leads to abduct two candidates: ∀u0 r0 .u0 = u ∧ r0 ∈ r ⇒ UR(u0 , r0 ) and ∀u0 .u0 = u ⇒ ¬user (s, u0 ). The second candidate (which is the “good” one) is automatically selected by the order ≤vars . This third abduction step suffices to finish the proof. Finally, the abducted constraint for createSession is the formula ψ below while the formula ξ is the constraint given in Fig. 3: ∀r0 .r0 ∈ r ⇒ UR(u, r0 ) ∧ ∀r ψ= 0 .r0 ∈ r ⇒ ¬role(s, r0 ) ∧ ∀u0 .u0 = u ⇒ ¬user (s, u0 ) Δ

∀r0 .r0 ∈ r ⇒ UR(u, r0 ) ∧ ∀r ξ= 0 .¬role(s, r0 ) ∧ ∀u0 .¬user (s, u0 ) Δ

While the two constraints are close, they are not equivalent. The ξ constraint entails the abducted constraint ψ (hence the abducted constraint is less restrictive). The difference is that the abducted constraint allows a user u to open

172

C. Hurlin and H. Kirchner

twice session s: ψ does not imply ¬user (s, u) ∧ ∀r0 .¬role(s, r0 ). On the contrary ξ implies ¬user (s, u) ∧ ∀r0 .¬role(s, r0 ) (i.e. ξ requires u not to have opened s before). The difference between the abducted constraint and the human-written constraint, however, is not a defect of our abduction algorithm. The difference stems from the invariant used to guide abduction: this invariant does not forbid a user to open a session multiple times. We cannot, however, express the invariant that users are forbidden to open a session multiple times, because it is a two states properties. To support such invariants, we need temporal reasoning (at least the X operator). This Section’s examples as well as middle-size additional examples are available online [1]. These experiments validate our choice of heuristics.

6

Related Work and Conclusion

Related work. Among a rich literature on security policies (see for instance [10] for policy specification languages), our specification framework is in the line of logic-based languages providing a well-understood formalism, amenable to verification, proof and analysis. Close frameworks based on Datalog are [11] and [5]. In [11] security properties are analysed using model checking formulae in first-order temporal logic and in [5], sequences of user actions are analysed with a proof system. Concerning invariant verification, the closest related work is Lamport’s TLA [16,20]. First, like in TLA, the effects of transitions (i.e. actions) are expressed with first-order formulae. Second, our rules for proving invariants (in Sec. 3) are similar to TLA’s rules. But contrary to TLA, we do not allow users to write arbitrary first-order formula as actions: users have to write actions using p(y) | φ and ¬q(z) | ψ predicates. This permits to have well-structured relations between two consecutive states. Such well-structured relations simplify the presentation of our abduction algorithm (see e.g. the use of relation updt in Def. 12). Furthermore, ∃ our language of actions induce relations in first-order logic with equality and set theory, while TLA’s relations contain non-standard operators (e.g. [17, p. 3]) to express changes to the interpretation of predicates. Another difference is that, in TLA, security policies would be specified as part of actions. Consequently, in TLA, plug-in different security policies and comparing them (for a single system) is not as easy as in our approach. Concerning abduction, the closest related work is [19]’s abduction algorithm for first-order logic. Like Mayer and Pirri, our abduction algorithm uses proof trees in sequent calculi. However, while Mayer and Pirri’s algorithm gathers positive justifications by inspecting solely opened leafs, our algorithm has a top to bottom strategy: it first gathers positive justifications in opened leafs; but it can also recursively inspect goals in lower positions in the proof tree. Another crucial difference is that our application domain allows us to define criteria (Defs. 11 and 12) to filter out undesirable explanations and to classify possible explanations.

Semi-automatic Synthesis of Security Policies

173

The literature on abduction for logic programs is consequent (see [14,23,4,6,25] and [15] for a survey). These works use techniques that do not fit our setting of first-order logic and sequent calculi. Abduction for logic programs has good termination and completeness result which cannot be achieved in first-order logic. Russo et al. [23] use abductive logic programming to detect violation of invariants in event-based systems. Contrary to us, they use abduction in “refutation mode”, where abducted formulae represent possible violations of invariants which can be used to modify either the system or the faulty invariant. To our knowledge, the only other work on abduction for security policies is by Becker et al. [6] who use abduction for various applications: to write and debug policies, to explain to users when access is denied, and to compute missing credentials automatically. While the first application is close to ours; Becker et al. do not use invariants to guide abduction and they do not tune abduction with domain-specific hypotheses like we do. Further work and Conclusion. First, we presented a framework to specify transition systems restricted by security policies, based on first-order logic. The framework is modular in the sense that the system and the policy that restricts its transitions are given separately, but using a common language. This gives the possibility to plug-in different security policies and to compare them. Second, we proposed an abduction algorithm that infers security policies by using invariants as guides. These invariants are expressing security properties. We showed how the specification formalism of transition systems restricted by policies is appropriate to policy synthesis. From the logical point of view, the specificities of this application domain naturally induces both syntactic heuristics and a proof search methodology that allowed us to tune abduction. We have shown how to filter out explanations not suitable as security policies and how to generate additional candidates for possible security policies. Contrary to most previous work on abduction, our approach is based on firstorder logic instead of logic programming. Indeed decidability and complexity results are harder to obtain, but first-order logic is standard to specify systems, used for instance in TLA [16] or B [3]. While we do not want to stick to a specific framework, our algorithm could be adapted without significant effort to infer part-of TLA’s actions and to infer part-of B’s preconditions. Future work includes evaluating the quality of our heuristics. This is complex, because these heuristics depend on the proof search strategy, on the way proof trees are inspected, and on the choice criteria between candidate explanations. For that, we plan to implement the abduction algorithm in existing theorem provers. This is handy in interactive theorem provers such as Coq [2] or Isabelle [21] that provide rich interfaces to inspect the proof’s state. The algorithm can also be implemented in automatic theorem provers for first-order logic based on tableau or sequent calculi [22,7]. Another advantage of the synthesis approach is its incremental feature. In this paper, for clarity, we used only one invariant to guide abduction. In practice, however, systems often have to ensure multiple, often unrelated invariants. Our abduction algorithm can be easily made incremental to allow multiple invariants.

174

C. Hurlin and H. Kirchner

´ Acknowledgements. We are very grateful to Emilie Balland and Paul Brauner, both for their careful reading of this paper and their numerous suggestions that helped improving our work. We also thank Katsumi Inoue for his detailed answers to our technical questions.

References 1. Examples of abduction with Coq [2], http://www-sop.inria.fr/everest/Clement.Hurlin/abduction.tgz 2. The Coq proof assistant, http://coq.inria.fr 3. Abrial, J.R.: The B-Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996) 4. Alrajeh, D., Ray, O., Russo, A., Uchitel, S.: Using abduction and induction for operational requirements elaboration. Journal of Applied Logic 7(3), 275–288 (2009); Special Issue: Abduction and Induction in Artificial Intelligence 5. Becker, M.Y., Nanz, S.: A logic for state-modifying authorization policies. In: Biskup, J., L´ opez, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 203–218. Springer, Heidelberg (2007) 6. Becker, M.Y., Nanz, S.: The role of abduction in declarative authorization policies. In: Hudak, P., Warren, D.S. (eds.) PADL 2008. LNCS, vol. 4902, pp. 84–99. Springer, Heidelberg (2008) 7. Bonichon, R., Delahaye, D., Doligez, D.: zenon: An extensible automated theorem prover producing checkable proofs. In: Dershowitz, N., Voronkov, A. (eds.) LPAR 2007. LNCS (LNAI), vol. 4790, pp. 151–165. Springer, Heidelberg (2007) 8. Bourdier, T., Cirstea, H., Jaume, M., Kirchner, H.: Formal specification and validation of security policies. Tech. Rep. 00507300, INRIA (2010), http://hal.inria.fr/inria-00507300/ 9. Cox, P.T., Pietrzykowski, T.: A complete, nonredundant algorithm for reversed skolemization. In: Bibel, W., Kowalski, R.A. (eds.) CADE 1980. LNCS, vol. 87, pp. 374–385. Springer, Heidelberg (1980) 10. Damianou, N.C., Bandara, A.K., Sloman, M.S., Lupu, E.C.: A survey of policy specification approaches. Tech. rep., Imperial College of Science Technology and Medicine (2002) 11. Dougherty, D.J., Fisler, K., Krishnamurthi, S.: Specifying and reasoning about dynamic access-control policies. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 632–646. Springer, Heidelberg (2006) 12. Ferraiolo, D., Kuhn, D.R., Chandramouli, R.: Role-based access control. Computer security series. Artech House, Boston (2003) 13. Gentzen, G.: Untersuchungen u ¨ber das logische Schließen. Mathematical Zeitschrift 39, 176–210 (1934) 14. Kakas, A.C., Kowalski, R.A., Toni, F.: Abductive logic programming. Journal of Logic and Computation 2(6), 719–770 (1992) 15. Kakas, A.C., Kowalski, R.A., Toni, F.: The role of abduction in logic programming. Handbook of Logic in Artificial Intelligence and Logic Programming 5, 235–324 (1998) 16. Lamport, L.: The temporal logic of actions. ACM Transactions on Programming Languages and Systems 16(3), 872–923 (1994) 17. Lamport, L.: A summary of TLA+ (2000)

Semi-automatic Synthesis of Security Policies

175

18. Liu, Y.A., Stoller, S.D.: Role-based access control: A corrected and simplified specification. In: Wang, C., King, S., Wachter, R., Herklotz, R., Arney, C., Toth, G., Hislop, D., Heise, S., Combs, T. (eds.) Department of Defense Sponsored Information Security Research: New Methods for Protecting Against Cyber Threats., Wiley, Chichester (2007) 19. Mayer, M.C., Pirri, F.: First order abduction via tableau and sequent calculi. Logic Journal of the Interest Group in Pure and Applied Logics 1(1), 99–117 (1993) 20. Merz, S.: The specification language TLA+. Logics of Specificat. Languages, 401– 451 (2008) 21. Nipkow, T., Paulson, L.C., Wenzel, M.T.: Isabelle/HOL — A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002) 22. Paulson, L.C.: A generic tableau prover and its integration with Isabelle. Journal of Universal Computer Science 5(3), 73–87 (1999) 23. Russo, A., Miller, R., Nusheibeh, B., Kramer, J.: An abductive approach for analysing event-based requirements specification. In: Stuckey, P. (ed.) ICLP 2002. LNCS, vol. 2401, pp. 22–37. Springer, Heidelberg (2002) 24. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996) 25. Soler-Toscano, F., Nepomuceno-Fern´ andez, A., Aliseda-Llera, A.: Abduction via C-tableaux and δ-resolution. Journal of Applied Non-Classical Logics 19(2), 211– 225 (2009)

Corrective Enforcement of Security Policies Raphael Khoury and Nadia Tawbi Laval University, Department of Computer Science and Software Engineering [email protected], [email protected]

Abstract. Monitoring is a powerful security policy enforcement paradigm that allows the execution of a potentially malicious software by observing and transforming it, thus ensuring its compliance with a user-defined security policy. Yet some restrictions must be imposed on the monitor’s ability to transform sequences for the enforcement to be meaningful. The intuition behind our model is that the monitor should be bounded to output a sequence that both respects the desired security property and preserves key elements of the execution’s semantics. An approximation of the sequence is executed rather than an equivalent one. This approximation must preserve the essential behavior of the sequence as intended by the user. In this paper, we propose a framework to express and study such a restriction based on partial orders. We give several examples of real-life security policies and propose monitors capable of enforcing these properties. We then turn to the question of comparing several monitors enforcing the same security property. Keywords: Monitors, Security Policies Enforcement, Program Transformation.

1 Introduction Monitors have become a widely used security policy enforcement tool. They allow an untrusted program to run safely by observing its execution and reacting as needed to prevent a violation of the security property. Part of their flexibility resides in their ability to transform the input sequence. If a potential violation of the security policy is observed, the monitor may react by aborting the execution, or by adding or removing some program action. In fact, the monitor replaces the execution it observes by an alternate execution that respects the desired security policy. Previous research has shown that monitors which transform the execution they control are much more powerful than monitors that merely abort invalid executions. For this kind of enforcement to be meaningful, constraints must be imposed on the monitor’s ability to transform sequences. Otherwise, the monitor can enforce the property by replacing any execution with an arbitrarily chosen valid sequence. Previously, researchers have attempted to solve this problem by sorting out sequences into equivalence classes and imposing that the monitor’s output be equivalent to the original sequence in either some or all cases. In this context, the equivalence relation represents a semantic property of the original sequence that must be preserved throughout any transformation performed by the monitor. Although this approach solves the problem described above, it also limits the monitor ability to take certain corrective actions, since the equivalence between the monitor’s inputs and outputs must be always maintained. Furthermore, it is often difficult to define a suitable equivalence relation. P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 176–190, 2011. c Springer-Verlag Berlin Heidelberg 2011 

Corrective Enforcement of Security Policies

177

We propose a new framework to model the corrective capabilities of monitors. Our key insight is to organize executions into partial orders, rather than equivalence classes, and impose that an execution be replaced only by a sequence that is at least as high on the partial order than itself. As we argue in section 4, partial orders are a more natural way to model the restrictions we wish to impose on the monitor than equivalence relations. We also illustrate our framework with four examples of real properties. The remainder of this paper is organized as follows. Section 2 presents a review of related work. In Section 3, we define some concepts and notations that are used throughout the paper. In Section 4, we show how partial orders form the basis of a corrective monitoring framework, and motivate its use by comparing it to other enforcement paradigms. In Section 5, we give four examples of security properties that we are able to enforce. Concluding remarks and future work are sketched in Section 6.

2 Related Work This paper extends the body of research that seeks to study the notion of security policy enforcement by monitors and to identify the set of properties enforceable by monitors under various constraints. These issues were first investigated by Schneider in [12], who formalized the notions of monitoring and enforcement. He focused on specific classes of monitors that observe the execution of a target program with no knowledge of its possible future behavior and with no ability to affect it, except by aborting the execution. To enforce a property, this particular monitor must accept each action of any valid sequence, as soon as it is produced by the target program, a enforcement paradigm termed precise enforcement. Under these conditions, a monitor can enforce the class of security policies that are identified in the literature as safety properties, and are informally characterized by prohibiting a certain bad thing from occurring in a given execution. In [1], Ligatti, Bauer and Walker show that if this definition of enforcement is used, the added power of some monitors to transform the executions they monitor (by inserting or suppressing program actions) does not result in an increase in the set of enforceable properties. The authors suggest the alternative notion of effective∼ = enforcement instead. A monitor effectively∼ enforces a property if any execution respecting = the property is replaced by an equivalent execution, w.r.t. some equivalence relation ∼ =. Subsequently, in [10], the authors delineate the set of properties that are effectively∼ = enforceable for a specific equivalence relation, syntactic equality. Khoury et al. [9] tighten this definition by imposing that all sequences, rather than only the valid ones, be transformed into equivalent ones. They show how this enforcement paradigm models reasonable restrictions on monitors ensuring that their enforcement is meaningful. Alternative definitions of enforcement are given in [3] and [11]. The computability constraints that can further restrict a monitor’s enforcement power are discussed in [8]. The enforcement power of monitors operating with memory constrains is discussed in [7,14] and [2]; that of monitors relying upon an a priori model of the program’s possible behavior is discussed in [1,6] and [11].

178

R. Khoury and N. Tawbi

3 Preliminaries Executions are modeled as sequences of atomic actions taken from a finite or countably infinite set of actions Σ. The empty sequence is noted , the set of all finite length sequences is noted Σ ∗ , that of all infinite length sequences is noted Σ ω , and the set of all possible sequences is noted Σ ∞ = Σ ω ∪ Σ ∗ . Likewise, for a set of sequences S, S ∗ denote the finite iterations of sequences of S and S ω that of infinite iterations, and S ∞ = S ω ∪ S ∗ . Let τ ∈ Σ ∗ and σ ∈ Σ ∞ be two sequences of actions. We write τ ; σ for the concatenation of τ and σ. We say that τ is a prefix of σ noted τ  σ,or equivalently σ  τ iff there exists a sequence σ  such that τ ; σ  = σ. We write τ ≺ σ (resp. σ  τ ) for τ  σ ∧ τ = σ (resp. σ  τ ∧ τ = σ). Finally, let τ, σ ∈ Σ ∞ , τ is said to be a suffix of σ iff there exists a σ  ∈ Σ ∗ s.t. σ = σ  ; τ . We denote by pref (σ) (resp. suf (σ)) the set of all prefixes (resp. suffixes) of σ. Let A ⊆ Σ ∞be a set of sequences.Abusing the notation, we let pref (A) (resp. suf (A)) stand for σ∈A pref (σ) (resp. σ∈A suf (σ)). The ith action in a sequence σ is given as σi , σ1 denotes the first action σ, σ[i, j] denotes the sequence occurring between the ith and j th actions of σ, and σ[i, ..] denotes the remainder of the sequence, starting from action σi . The length of a sequence τ ∈ Σ ∗ is given as |τ |. Let τ, τ  be sequences, we write τ \τ  for the left cancelation of τ  from τ , which is defined by the truncation from τ of the first occurrence of each occurrence of each action present in τ  . For example, a; b; c; a; d; a\d; a; a = b; c; a. A multiset, or bag is a generalization of a set in which each element may occur multiple times. A multiset A can be formally defined as a pair A, f where A is a set and f : A → N is a function indicating the number of occurrences of each element of A in A. Note that a ∈ A ⇔ f (a) = 0. Thus, by using this insight, to define basic operations on multisets one can consider a universal set A and different functions of type A → N associated with it to form different multisets. We let acts(τ ) represent the multiset of actions occurring in sequence τ . Finally, a security policy P ⊆ Σ ∞ is a set of allowed executions. A policy P is a property iff there exists a decidable predicate Pˆ over the executions of Σ ∞ s.t. σ ∈ ˆ P ⇔ P(σ). Thus, a property is a policy for which the membership of a sequence can be determined solely by examining it. Such a sequence is said to be valid. Since all policies enforceable by monitors are properties, we use Pˆ to refer to policies and their characteristic predicate interchangeably.

4 Monitoring with Partial Orders In this section, we introduce the automata-based model of monitors and the notions of effective∼ = and corrective∼ = enforcement used in the literature. We show why these definitions are sometimes inadequate before presenting an alternative enforcement paradigm. The edit automaton [1,10], is the most widely used model of a monitor. It captures the behavior of a monitor capable of inserting or suppressing any action in the execution in progress, as well as halting it. The ideas presented in this paper are easily transferable to the model proposed by Ligatti et al. in [11].

Corrective Enforcement of Security Policies

179

Definition 1. An edit automaton is a tuple Σ, Q, q0 , δ where1 : – – – –

Σ is a finite or countably infinite set of actions; Q is a finite or countably infinite set of states; q0 ∈ Q is the initial state; δ : (Q × Σ) → (Q × Σ ∞ ) is the transition function, which, given the current state and input action, specifies the automaton output and successor state. At any step, the automaton may accept the action and output it as it is, suppress it and move on to the next action, (with no output), or output some other sequence in Σ ∞ . If an undefined transition is attempted, the automaton aborts.

Let A be an edit automaton, we let A(σ) be the output of A when its input is σ. Most related studies have focused on effective enforcement. A mechanism effectively enforces a security property iff it respects the two following principles, from [1]: 1. Soundness : All output must respect the desired property. 2. T ransparency : The semantics of executions which already respect the property must be preserved. This naturally requires the use of an equivalence relation, stating when one sequence can be substituted for another. Definition 2. (From [1]) Let A be an edit automaton. A effectively∼ = enforces the property Pˆ iff ∀σ ∈ Σ ∞ ˆ 1. P(A(σ)) (i.e. A(σ) is valid) ˆ 2. P(σ) ⇒ A(σ) ∼ =σ In the literature, the only equivalence relation ∼ = for which the set of effectively∼ = enforceable properties has been formally studied is syntactic equality[1]. Yet, effective enforcement is only one paradigm of enforcement which has been suggested. Other enforcement paradigms include precise enforcement[1], all-or-nothing delayed enforcement[3], conservative enforcement[1] and corrective∼ = enforcement [9]. Most previous work has focused on effective∼ enforcement. This definition allows = the monitor to replace an invalid execution with any valid sequence, even . A more intuitive model of the desired behavior of a monitor would rather require that only minimal alterations be made to an invalid sequence, for instance by releasing a resource or adding an entry in a log. Those parts of the input sequence which are valid should be preserved in the output, while invalid behaviors should be corrected or removed. A possible solution is proposed by Khoury et al. in [9], and was termed corrective∼ = enforcement. An enforcement mechanism correctively∼ enforces the desired property if every = output sequence is both valid and equivalent to the input sequence. The equivalence relation is formulated such that the valid behavior of the input sequence is preserved. Definition 3. (From[9]) Let A be an edit automaton. A correctively∼ = enforces the property Pˆ iff ∀σ ∈ Σ ∞ ˆ 1. P(A(σ)) 2. A(σ) ∼ =σ 1

This definition, taken from [14], is equivalent to the one given in [1].

180

R. Khoury and N. Tawbi

However, this definition also raises some difficulties. In particular, it implies that several distinct valid sequences, which are possible transformations of an invalid sequences, must be equivalent. Likewise, it requires that several invalid sequences be considered equivalent if a single valid sequence is a valid alternative to both. In this paper, we examine an alternative notion of enforcement, termed corrective enforcement. Following previous work in monitoring by Fong [7], we use an abstraction function F : Σ ∗ → I, to capture the property of the input sequence that the monitor must preserve throughout its manipulation. While Fong made use of abstractions to reduce the overhead of the monitor, we use them as the basis for determining which transformations the monitor is or is not allowed to perform on both valid and invalid sequences. The main idea is to use this abstraction to capture the semantic property of the execution corresponding to the valid, or desired behavior of the target program. This may be, for example, the number of occurrences of certain subwords or factors or any other semantic property of interest. We wish to constrain the behavior of the monitor so that an invalid sequence is corrected in such a way that the monitor preserves all valid behaviors present in it. An intuitive solution to this problem would be to impose that the output sequences always have the same value of F . The abstraction function would thus form the basis of a partition of the sequences of Σ ∞ into equivalence classes. But, as discussed above, this limits the monitor’s ability to use the same valid sequences as a potential solution to several unrelated invalid sequences. Instead, we let  be a partial order over sequences of Σ ∗ , s.t. ∀σ, σ : σ  σ ⇔ F(σ) ≤ F(σ  ). The monitor is allowed to transform an input σ into another sequence σ  iff σ  σ . By defining  appropriately, we can ensure that sequences which are greater on the partial order are always adequate replacements for any inferior sequences, in the sense that they preserve the valid behaviors present in those sequences. The use of partial order also allows us to connect monitoring to refinement specifications, which are stated using partial orders. We also find that partial orders are a more natural way to state most security policies than equivalence relations. Let τ, τ  be two sequences s.t. τ  τ  , we write that τ is lower than τ  or conversely, that τ  is higher than τ . Definition 4. Let A be an edit automaton and let  be a partial order over the sequences of Σ ∞ . A correctively enforces the property Pˆ iff ∀σ ∈ Σ ∞ ˆ 1. P(A(σ)) 2. σ  A(σ) A monitor often operates in a context in which it knows that certain executions cannot occur. This is because the monitor can benefit from a static analysis of its target, that provides it with a model of the target’s possible behavior. Prior research [1,6] has shown that a monitor operating in such a context (called a nonuniform context) can enforce a significantly larger range of properties than one that considers every sequence in Σ ∞ to be a possible input (called the uniform context). To take into account the possibility that the monitor might operate in a nonuniform context, we adapt the preceding definition as follows:

Corrective Enforcement of Security Policies

181

Definition 5. Let S ⊆ Σ ∞ be a subset of sequences, let  be a partial order over the sequences of Σ ∞ and let A be an edit automaton. A correctivelyS enforces the property Pˆ iff ∀σ ∈ S ˆ 1. P(A(σ)) 2. σ  A(σ) We write corrective enforcement when S = Σ ∞ or S is obvious from context. The partial order is defined over the sequences of Σ ∗ . Let σ, σ  be infinite sequences, we have that σ  σ  iff σ and σ  have infinitely many common prefixes τ, τ  s.t. τ  τ  with τ ≺ σ and τ  ≺ σ . ∀σ, σ  ∈ Σ ω : σ  σ ⇔ ∀τ ≺ σ : ∃υ  τ : ∃τ  ≺ σ  : υ  τ 

(4.1)

Finally, since the monitor operates by transforming sequences, we must impose that every partial order respects the following closure restriction. τ  τ  ⇒ τ ; σ  τ ; σ

(4.2)

To understand the need for this restriction consider the possible behavior of a monitor which is presented with an invalid prefix τ of a longer input sequence. It may opt to transform τ into a valid higher sequence τ  . However, if the closure restriction given in equation 4.2 is not respected by the partial order, then it’s possible that the full input sequence σ  τ is actually valid, but that there is no valid extension of τ  that is greater than σ. The monitor would have inadvertently ruined a valid sequence.

5 Examples In this section, we illustrate the use of corrective enforcement using four real-life security properties : transactional properties, the assured pipeline property, the Chinese wall property and general availability. 5.1 Transactional Properties The first class of properties we wish to correctively enforce is that of transactional properties, suggested in [10]. Let Σ be an action set and let T ⊆ Σ ∗ be a set of finite transactions, PˆT is a transactional property over set Σ ∞ iff ∀σ ∈ Σ ∞ : PˆT (σ) ⇔ σ ∈ T ∞

(transactional)

This definition is subtly different, and indeed forms a subset of that of iterative properties defined in [3]. Transactional properties also form a subset of the set of renewal properties, and include some but not all safety properties, liveness properties as well as properties which are neither. Transactional properties can be effectively= enforced [10], in a manner that allows the longest valid prefix to be output [2]. In [3], Bielova et al. propose an alternative enforcement paradigm, that allows all valid transactions to be output. Corrective enforcement is a generalization of their work.

182

R. Khoury and N. Tawbi

The partial order which we will consider is based on the notion of factors. A word τ ∈ Σ ∗ is a factor of a word ω ∈ Σ ∞ if ω = υ; τ ; υ  , with υ ∈ Σ ∗ and υ  ∈ Σ ∞ . Factors allow us to reason about transactions in a formalized manner. We will only consider transactional properties built from a set of sequences T which meets the unambiguity criterion suggested in [9]. /T ∀σ, σ  ∈ T : ∀τ ∈ pref (σ) : ∀τ  ∈ suf (σ  ) : τ =  ∧ τ  =  ⇒ τ ; τ  ∈ (unambiguity) Informally, this restriction forbids the occurrence of transactions with overlapping prefixes and suffixes. If this restriction is not met, there exists sequences which cannot be parsed as the concatenation of valid transactions, and thus not in the property, but for which every action is a part of at least one valid transaction (with some atomic actions belonging to more than one transaction). To enforce this property, we use an abstraction function which returns the multiset of factors occurring in a given sequence. We use a multiset rather than simply comparing the set of factors from T occurring in each sequence so as to be able to distinguish between sequences containing a different number of occurrences of the same subset of factors. For any two sequences σ and σ  , we write σ  σ  iff σ has more valid factors (w.r.t. T ) than σ, and σ  is thus an acceptable replacement sequence for σ, provided that the σ  is valid and σ is not. This captures the intuition that if certain valid transactions are present in the input sequence, they must still be present in the output sequence, regardless of any other transformation made to ensure compliance with the security property. The monitor may add valid transactions and remove invalid ones, but may not remove any valid transactions present in the original execution. Let validT (σ), which stand for the multiset of factors from the sequence σ which are present in T , be the abstraction function F . The partial order  used to correctively enforce this property is thus given as ∀σ, σ ∈ Σ ∞ : σ  σ ⇔ validT (σ) ⊆ validT (σ ). This partial order captures the intuition that any valid transaction present in the original sequence must also be present in the monitor’s output. The following automaton correctively enforces transactional properties. Let At = Σ, Q, q0 , δ where – Σ is a finite or countably infinite action set. – Q = Σ ∗ × Σ ∗ , is the set of automaton states. Each state consists of a pair σo , σs where σo is the sequence which has been output so far, and σs is a sequence which the monitor has suppressed, and may either eventually output or delete. – q0 = ,  , is the initial state. – The transition function δ : Q × Σ → Q × Σ ∞ is given as: ⎧ σo ; τ,  if ∃τ ∈ suf (σs ; a) : τ ∈ T ∧ τ =  ∧ |τ | ≤ |σs ; a| ⎪ ⎪ ⎨ σo ; σs ; a,  if ∃τ ∈ T : ∃τ  ∈ T ∗ : σo ; σs ; a = τ  ; τ ∧ δ( σo , σs , a)= |τ | ≥ |σs ; a| ⎪ ⎪ ⎩ σo , σs ; a otherwise Proposition 1. Let T ⊆ Σ ∞ be a subset of sequences, let PˆT be the corresponding transactional property and let  be a partial order over the sequences of Σ ∞ defined such that ∀σ, σ ∈ Σ ∞ : σ  σ  ⇔ validT (σ) ⊆ validT (σ ). The automaton At correctively enforces PˆT .

Corrective Enforcement of Security Policies

Proof. We omit the proofs of theorems and propositions due to space constraints.

183

 

The method above thus shows how a transactional property could be enforced in such a manner that the output is always valid, and always contains as many or more valid transactions than the input. In this particular example, we may be able to prove an even stronger enforcement paradigm, namely that the output will always contain exactly the same valid transactions as the input. This is unsurprising, since equivalence relations are a special case of partial orders, and imposing such a constraint would be tantamount to using the equivalent∼ = enforcement proposed in section 4. The method presented here can thus be seen as a generalization of this framework. But this example also highlights why equivalent∼ = enforcement is too rigid to be useful in many practical cases. Consider what would happen, for example, if the restriction that the set T be unambiguous is lifted 2 . Even though the only transformation performed by the monitor is to remove invalid factors, we cannot guarantee that exactly those valid sequences which are present in the original sequence will be present in the output. As a counterexample, consider the case of valid sequences T = {σ1 , σ2 , σ3 } and invalid sequences τ, τ  ∈ / T s.t. τ ; σ3 ; τ  = σ1 ; σ2 . Let the infinite sequences σ1 ; υ; σ2 ; υ; σ1 ; υ... be the input sequence, where υ is an invalid transaction (possibly τ or τ  ). The multiset of valid transactions present in σ1 ; σ2 , σ1 ; σ2 , σ1 ; σ2 ... contains an infinite number of factors σ3 , not present in the original sequence. While it may be difficult to imagine a real-life, transactional property exhibiting this behavior, this example does illustrate why using equivalence relations rather than a partial order would unduly restrict the transformations available to a monitor. Furthermore, one may wish to consider other means by which a monitor may enforce a transactional property, for instance, by inserting actions to correct an incomplete or transactions, or simply to log the occurrence of certain possibly malicious factors. 5.2 Assured Pipelines In the previous section, we show how transactional properties can be enforced by an edit automaton that simply suppresses some actions from the input. Yet, part of the power of the edit automaton resides in its ability to insert actions not present in the input to correct an invalid sequence. Naturally, this ability must be constrained for the enforcement to remain meaningful, otherwise the monitor may simply replace any invalid sequence by some unrelated valid sequence. In this section, we propose two possible enforcement paradigms for the assured Pipeline policy based on suppression and insertion. The assured pipeline property was suggested in [4] to ensure that data transformations are performed in a specific order. Let O be a set of data objects, and S be a set of transformations. We assume that S contains a distinguished member create. Finally, let E ∈ S × O be a set of access events. s, o ∈ E denotes the application of transformation s to the data object o. An assured pipeline policy restricts the application of transformations from S to data objects using an enabling relation e : S × S, with the following two restrictions: the relation e must define an acyclic graph, and the create process can only occur at the root of this graph. The presence of a pair s, s in e, is represented in the graph by the occurrence of an edge between the vertex s and the 2

This may involve altering the definition of iterative properties.

184

R. Khoury and N. Tawbi

vertice s , and indicates that any action of the form s , o is only permissible if s is the last process that accessed o. Because of the restriction that e must be a acyclic graph, each action s , o can occur at most once during an execution. We add another restriction namely that the enabling relation be linear. Formally : ∀s, s ∈ S : s, s ∈ e ⇒ ¬∃ s, s ∈ e : s = s . This condition will make it easier for insertion monitors to add actions to the output, without compromising transparency. A truncation-based monitor was suggested by Fong [7] and Talhi [14] to enforce this property. Their monitors effectively= enforce the assured pipeline property by aborting the execution if an unauthorized data transaction is encountered. Our corrective enforcement framework allows the monitor to continue the execution after an illicit transformation has been attempted. As was the case with transactional properties, the partial order defining the desired behavior of the program is stated in terms of the presence of valid actions, i.e. those occurring in a manner allowed by the enabling relation. Since each action can only occur once, a function returning the set of valid atomic actions is an adequate abstraction function. We write valide (σ) for the set of valid transformations (w.r.t. enabling relation e) occurring in σ. We write σ  σ  ⇔ valide (σ) ⊆ valide (σ ). Instead of simply aborting the execution, a corrective monitor may suppress an invalid action, and allow the execution to proceed. The automaton Asap = E, Q, q0 , δs bellow which enforces the assured pipelines in this manner. – – – –

E is a set of access events over objects from O and transformations from S. Q : ℘(E) is the state space. Each state is an unordered set of access events from E. q0 = ∅ is the initial state. The transition function δs : Q × Σ → Q × Σ ∞ is given as: ⎧ /q ⎪ (q ∪ { s, o }, s, o ) if s = create ∧ create, o ∈ ⎪ ⎨ (q ∪ { s, o }, s, o ) if ∃s ∈ S : s , o ∈ q ∧ s , s ∈ e∧ δs (q, s, o ) = s, o ∈ /q ⎪ ⎪ ⎩ (q, ) otherwise

Proposition 2. Let e be an enabling relation, defining an assure pipeline policy Pˆ over a set of actions E, and let  be a partial order over the sequences of E ∞ defined such that ∀σ, σ ∈ E ∞ : σ  σ ⇔ valide (σ) ⊆ valide (σ ). The automaton Asap ˆ correctively enforces P. The execution thus either outputs an action if it is valid, or it suppresses it before allowing the execution to continue. Yet, the edit automaton is capable of not only suppressing or outputting the actions present in the input, but also of adding actions not present in the execution to the input. It may be reasonable, for instance, for a monitor to suppress only those transformations which have already occurred, or those manipulating an object which has not yet been created. Otherwise, if an action occurs in the input sequence before the actions preceding it in e have occurred, the monitor can enforce the property by adding the required actions. The following automaton Aeap enforces the property as described above. To simplify the notation, we use the predicate pathe (τ ) to indicate that τ is a factor of a valid sequence according to e and that every action in τ manipulates the same object. Formally , pathe (τ ) ⇔

Corrective Enforcement of Security Policies

185

– ∃o ∈ O : ∀ s, o ∈ acts(τ ) : o = o – ∀i : 2 ≤ i ≤ |τ | : τi−1 = s, o ∧ τi = s , o ⇒ s, s ∈ e Let Aeap = E, Q, q0 , δe where Σ, Q and q0 are defined as in Asap and δe is given as follows. ⎧ (q ∪ { s, o }, s, o ) if s = create ∧ create, o ∈ /q ⎪ ⎪ ⎪    ⎪ (q ∪ { s, o }, s, o ) if ∃s ∈ S : s , o ∈ q ∧ s , s ∈ e∧ ⎪ ⎪ ⎪ ⎪ s, o ∈ /q ⎨ / q ∧ create, o ∈ q δe (q, s, o ) = (q ∪ acts(τ ; s, o ), τ ; s, o ) if s, o ∈ ⎪ ⎪ and τ is the longest sequence s.t. ⎪ ⎪ ⎪ ⎪ τ ∈ / q ∧ path(τ ; s, o ) ⎪ 0 ⎪ ⎩ (q, ) otherwise Proposition 3. Let e be an enabling relation, defining an assured pipeline policy Pˆ over a set of actions E, and let  be a partial order over the sequences of E ∞ defined such that ∀σ, σ ∈ E ∞ : σ  σ ⇔ valide (σ) ⊆ valide (σ ). The automaton Aeap ˆ correctively enforces P. Note that had we used an equivalence relation rather than a partial order, it would not have been possible to correct the sequence in this manner as this requires the input sequence be equivalent a corrected sequence to which valid actions have been added. This in turn implies that whenever such actions occur in an input sequence, the monitor is allowed to delete them, which is obviously not desirable. Partial orders allow the monitor to alter the original sequence so as to correct violations of the security policies, while preserving key elements of the input sequence’s semantics. 5.3 Chinese Wall The third example we consider is the Chinese Wall policy, suggested in [5] to avoid conflicts of interest. In this model, a user which accesses a data object o is forbidden from accessing other data objects that are in conflict with o. Several implementations of this model have been suggested in the literature. In this paper, we consider the framework of Sobel et al. [13], which includes the notion of data relinquishing. Let S be a set of subjects, and O a set of objects. The set of conflicts of interests is given as a set of pairs C : O × O. The presence of (oi , oj ) ∈ C indicates that objects oi and oj conflict. Naturally, C is a symmetric set ((oi , oj ) ∈ C ⇔ (oj , oi ) ∈ C). For all objects oi ∈ O, we write Coi for the set of objects which are in conflict with  oi . Let O ⊆ O be a subset of objects, overloading the notation we write CO for o∈O Co . An action of the form (acq , s, o) indicates that subject s holds the right to acquires the right to access object o. After this action is performed the subject can freely access the resource but can no longer access an object which conflicts with o. It can often be too restrictive to impose on subjects that they never again access any data that conflict with any data objects they have previously accessed. In practice, the involvement of a subject with a given entity will eventually come to an end. Once this occurs, the subject should no longer be prevented from collaborating with the competitors of his former client. In [13], the model is enriched along this line by giving

186

R. Khoury and N. Tawbi

subjects the capacity to relinquish previously acquired data. This can be modeled by the action (rel, s, o), indicating that subject s relinquishes a previously accessed object o. After this action occurs in a sequence, s is once again allowed to access objects that conflict with o, as long as they do not conflict with any other objects previously accessed by s and not yet relinquished. To simplify the notation, we define function live : S × Σ ∗ → ℘(O) as follows : let s be a subject and τ be a finite sequence, live(s, τ ) return the set of objects which s has accessed in τ and has not yet released. ˆ The security property predicate is stated as follows: ∀σ ∈ Σ ∞ : P(σ) ⇔ ∀s ∈ S :  ∀o ∈ O : ∀i ∈ N : σi = (access , s, o) : ¬∃o ∈ live(s, σ[..i − 1]) : o ∈ Co where Σ = {access,rel} × S × O is the set of atomic actions. Both Fong [7] and Talhi [14] enforce this property by truncation, aborting the execution as soon as a conflicting data access is attempted. Any authorized data access present in the input sequence after a conflicting data access has occurred is absent from the output sequence. Corrective enforcement can provide a more flexible enforcement. First, we define the partial order . Analogously to section 5.1, we impose that authorized data accesses are preserved while conflicting ones are deleted. Let σ be a sequence and let C be the corresponding conflict of interest class, we write validC (σ) for the multiset of actions from σ occurring in that sequence in a manner consistent with C. The partial order is defined as ∀σ, σ  ∈ Σ ∞ : σ  σ ⇔ validC (σ)  validC (σ  ). The most intuitive manner to correctively enforce this property is to suppress conflicting data access, but allow the execution to proceed afterward. The following automaton enforces the property the Chinese wall property is this manner. Ascw = E, Q, q0 , δs where – Σ : {access,rel} × S × O is the set of all possible access and release events over objects from O and subjects from S, – Q : Σ ∗ is the state space. Each state is the finite sequence which has been output so far. – q0 =  is the initial state. – δs : Q × Σ⎧→ Q × Σ ∪ {} × Σ ∞ is given as : / live(s, q) ⎨ (q; a, a) if a = (access , s, o)) ∧ o ∈ – δs (q, a) = (q; a, a) if a = (rel , s, o) ⎩ (q, ) otherwise Proposition 4. Let C be a set of conflicts of interests, and let PˆC be the corresponding Chinese Wall property. The automaton Asap correctively enforces PˆC . As discussed above, the involvement of any subject with a given entity eventually ends. When this occurs, objects in conflict with that entity become available to this subject for access, provided that they do not conflict with any other object currently held by this subject. Thus, it is natural to suggest an enforcement paradigm in which the monitor keeps track of denied data accesses, and inserts them after release actions make them available. In fact, access to conflicting objects is delayed rather than suppressed. Since the monitor must return an output which is superior or equal to the input on a partial order, rather than in the same equivalence class, the monitor is allowed to transform the input sequence such that it contains strictly more valid accesses.

Corrective Enforcement of Security Policies

187

The automaton Aecw enforces the property in this manner. Aecw = E, Q, q0 , δe where – Σ : {access, rel} × S × O is the set of all possible access and release events over objects from O and subjects from S, – Q : Σ ∗ × Σ ∗ is the state space. Each state is a pair σo , σs of finite sequences, where σo is the sequence which has been output so far, and σs is the sequence which has been seen and suppressed. – q0 = ,  is the initial state. ∞ – δe : Q × Σ → Q × ⎧ Σ ∪ {} × Σ is given as : if a = (access , s, o)) ∧ o ∈ / live(s, σo ) ⎨ ( σo ; a, σs τ ) δe ( σo , σs , a) = ( σo ; a; τ, σs \τ ) if a = (rel , s, o) and f (s, σo , σs ) = τ ⎩ ( σo , σs ; a ) otherwise where the function f examines the sequences have been suppressed and output up to that point and returns a sequence composed of all actions which have previously been suppressed, but can now be output with causing a conflict. Proposition 5. Let C be a set of conflicts of interests, and let PˆC be the corresponding Chinese Wall property. The automaton Aeap correctively enforces PˆC . 5.4 General Availability The final security property that we examine is general availability; a policy requiring that any acquired resource is eventually released. Despite its apparent simplicity, the property is remarkably difficult to monitor in a system with more than one resource, and is given by Ligatti et al. as an example of a property that is not effectively= enforceable. Modifying Ligatti’s formulation slightly, we define the property as follows. Let (ac, i), (use, i) and (rel, i) stand for accessing, using and releasing a resource i from a set of resources I. The set of possible actions is given as Σ : {ac, use, rel} × I. The property states that only acquired resources are used, and that any acquired resource is eventually released. This seemingly straightforward property combines a liveness component, that cannot be monitored [10], with a safety component. In related work, there has been an interest in examining how restricting the set of possible executions can increase that of enforceable properties. The intuition is that if the monitor knows, from a static analysis, that certain executions cannot occur, it should be able to enforce properties that would be otherwise unenforceable. This question was first raised in [12], and was later addressed in [1,6,11]. It this section, we show that an a priori knowledge of the program’s possible executions not only increases the set of properties enforceable by the monitor, but also provides a different, and possibly preferable, enforcement of a given property. A monitor trying to enforce the general availability property when S = Σ ∞ cannot simply abort an invalid execution since it could be corrected. Nor can it suppress a potentially invalid sequence only to output it when a valid prefix is reached. As observed in [10], an infinite sequence of the form (ac, 1); (ac, 2); (rel, 1); (ac, 3); (rel, 2); (ac, 4); (rel, 3)... is valid but has no valid prefix. The property can only be enforced by a monitor transforming the input more aggressively.

188

R. Khoury and N. Tawbi

Since the desired behavior of the program is given in terms of the presence of (use, i) actions bracket by aci and (rel, i) actions, a partial order based on the number of occurrences of such actions is a natural way to compare sequences. We can designate such use actions as valid. Let the function valid(σ), which returns the multiset of actions (use, i) which occur in sequence σ and are both preceded by a (ac, i) action and followed by a (rel, i) action be the abstraction function F . We thus have that ∀σ, σ  ∈ Σ ∗ : σ  σ  ⇔ valid(σ) ≤ valid(σ  ). A trivial way to enforce this property is for the monitor to insert an (ac, i) action prior to each (use, i) action, and follow it with a (rel, i) action. The (ac, i) and reli actions present in the original sequence can than simply be suppressed, as every (use, i) action is made available by a pair of actions (ac, i) and (rel, i) inserted by the monitor. While theoretically feasible, it is obvious that a monitor which opens and closes a resource after every program step would be of limited use in practice. Furthermore, for many applications, a sequence of the form (ac, i); (use, i); (use, i); (rel, i) cannot be considered equivalent to the sequence (ac, i); (use, i); (rel, i); (ac, i); (use, i); (rel, i). We thus limit this study to monitors which insert (ac, i) actions a finite number of times. We first propose a monitor capable of enforcing the general availability property in a uniform context, where every sequence in Σ ∞ can occur in the target program. A monitor can enforce the property in this context by suppressing every acquire action, as well as subsequent use actions for the same resource, and output them only when a release action is reached. Any use action not preceded by a corresponding acquire action is simply suppressed and never inserted again. A monitor enforcing the property in this manner needs to keep track only of the actions that have been suppressed and not ∞ output so far. The automaton AΣ ga enforces the property as described above. ∞ Let AΣ ga = Σ, Q, q0 , δe where – Σ : {aq, rel, use} × I is the set of all possible acquire, release and use actions for all objects; – Q : Σ ∗ is the sequence which has been suppressed so far; – q0 =  is the initial state; – δΣ ∞ : Q ×⎧ Σ → Q × Σ ∪ {} is given as: (τ, ) if a = (use, i) ∧ (ac, i) ∈ / acts(τ ) ⎪ ⎪ ⎨ (τ ; a, ) if a = (ac, i) ∨ (a = (use, i)∧ δe (τ, a) = (ac, i) ∈ acts(τ )) ⎪ ⎪ ⎩ (τ \(fi (τ )), fi (τ ); (rel, i)) if a = (rel, i) The purpose of the function fi is simply to examine the suppressed sequence and retrieve the actions over resource i. ∞

Proposition 6. The automaton AΣ ga correctively enforces the general availability property. A static analysis can often determine that all computations of a program are fair meaning certain actions must occur infinitely often in infinite paths. For the purposes of the general availability property, a static analysis could determine that any action (ac, i) is eventually followed by a (rel, i) action, or by the end of the execution. The property can thus be violated only by the presence of use actions that are not preceded by a

Corrective Enforcement of Security Policies

189

corresponding ac action. If the monitor is operating in a fair context, a new, more conservative enforcement method becomes possible, as is illustrated by automaton Afgaair . Let Afgaair = Σ, Q, q0 , δe where Σ is defined as above and – Q : ℘(I) is the set of resources which have been acquired but not yet released; – q0 = ∅ is the initial state; – δΣ ∞ : Q ×⎧ Σ → Q × {Σ ∪ } is given as : (q, ) if a = (use, i) ∧ (ac, i) ∈ / acts(τ ) ⎪ ⎪ ⎪ ⎪ ⎨ (q ∪ {i}, a) if a = (ac, i) if a = (rel, i) δe (q, a) = (q\i, a) ⎪ ⎪ (q, a) if a = (use, i) ∧ i ∈ q ⎪ ⎪ ⎩ (, f (q)) if a = aend Where f : ℘(I) → Σ ∗ is a function returning a sequence of the form reli , relj , relk ... for all resources present in its input. Proposition 7. Let S ⊆ Σ ∞ be a subset of sequences s.t. ∀σ ∈ S ∩ Σ ω : ∀i ∈ I : ∀j ∈ N : σj = (ac, i) ⇒ ∃k > j : σk = (rel, i). The automaton Afgaair correctivelyS enforces the general availability property. Finally, a static analysis may determine that every possible execution of the target program eventually terminates. If this is the case, an even more corrective enforcement paradigm is available to the monitor, which can acquire resources as needed, and close them at the end of the execution. Since every execution if finite, the number ac actions inserted into the sequence will also necessarily be finite. ∗ Let AΣ ga = Σ, Q, q0 , δe where Σ is defined as above and – Q : ℘(N ) is the set of resources which have been acquired but not yet released; – q0 = ∅ is the initial state; – δΣ ∞ : Q × Σ → Q × {Σ ∪ } is given as: ⎧ (q ∪ {i}, (ac, i); a) if a = (use, i) ∧ (ac, i) ∈ / acts(τ ) ⎪ ⎪ ⎪ ⎪ if a = (ac, i) ⎨ (q ∪ {i}, a) if a = (rel, i) δe (q, a) = (q\i, a) ⎪ ⎪ (q, a) if a = (use, i) ∧ i ∈ q ⎪ ⎪ ⎩ (, f (q)) if a = aend Where f : ℘(I) → Σ ∗ is a function returning a sequence of the form reli , relj , relk ... for all resources present in its input. ∗

∗

Σ Proposition 8. The automaton AΣ ga correctively enforces the general availability property.

6 Conclusion and Future Work In this paper, we propose a framework to analyze the security properties enforceable by monitors capable of transforming their input. By imposing constraints on the enforcement mechanism to the effect that some behaviors existing in the input sequence

190

R. Khoury and N. Tawbi

must still be present in the output, we are able to model the desired behavior of real-life monitors in a more realistic and effective way. We also show that real life properties are enforceable in this paradigm, and give four examples of relevant real-life properties. The framework presented in this paper allows us to transform a program execution to ensure its compliance with a security policy, while reasonably approximating the semantics of the execution. We believe this framework to be sufficiently flexible to be useful in other program rewriting contexts, and even in situations where security is not the main concern, such as controller synthesis or specification refinement. In future work, we hope to adapt our corrective framework to such contexts.

References 1. Bauer, L., Ligatti, J., Walker, D.: More enforceable security policies. In: Proceedings of the Foundations of Computer Security Workshop (July 2002) 2. Beauquier, D., Cohen, J., Lanotte, R.: Security policies enforcement using finite edit automata. Electronic Notes in Theoretical Computer Science 229(3), 19–35 (2009) 3. Bielova, N., Massacci, F., Micheletti, A.: Towards practical enforcement theories. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 239–254. Springer, Heidelberg (2009) 4. Boebert, W.E., Kain, R.Y.: A practical alternative to hierarchical integrity policies. In: Proceedings of the 8th National Computer Security Conference (September 1985) 5. Brewer, D.F.C., Nash, M.J.: The chinese wall security policy. In: IEEE Symposium on Security and Privacy, pp. 206–214 (1989) 6. Chabot, H., Khoury, R., Tawbi, N.: Generating in-line monitors for rabin automata. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 287– 301. Springer, Heidelberg (2009) 7. Fong, P.: Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy (May 2004) 8. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Transactions on Programming Languages and Systems 28(1), 175–205 (2006) 9. Khoury, R., Tawbi, N.: Using equivalence relations for corrective enforcement of security policies. In: The Fifth International Conference Mathematical Methods, Models, and Architectures for Computer Networks Security (2010) 10. Ligatti, J., Bauer, L., Walker, D.: Enforcing non-safety security policies with program monitors. In: Proceedings of the 10th European Symposium on Research in Computer Security (September 2005) 11. Ligatti, J., Reddy, S.: A theory of runtime enforcement, with results. Technical Report USFCSE-SS-102809, University of South Florida (April 2010) 12. Schneider, F.B.: Enforceable security policies. Information and System Security 3(1), 30–50 (2000) 13. Sobel, A.E.K., Alves-Foss, J.: A trace-based model of the chinese wall security policy. In: Proceedings of the 22nd National Information Systems Security Conference (1999) 14. Talhi, C., Tawbi, N., Debbabi, M.: Execution monitoring enforcement under memorylimitations constraints. Information and Computation 206(1), 158–184 (2008)

Cryptographic Enforcement of Role-Based Access Control Jason Crampton Information Security Group, Royal Holloway, University of London [email protected]

Abstract. Many cryptographic schemes have been designed to enforce information flow policies. However, enterprise security requirements are often better encoded, or can only be encoded, using role-based access control policies rather than information flow policies. In this paper, we provide an alternative formulation of role-based access control that enables us to apply existing cryptographic schemes to core and hierarchical role-based access control policies. We then show that special cases of our cryptographic enforcement schemes for role-based access control are equivalent to cryptographic enforcement schemes for temporal access control and to ciphertext-policy and key-policy attribute-based encryption schemes. Finally, we describe how these special cases can be extended to support richer forms of temporal access control and attributebased encryption.

1

Introduction

In some situations, we may wish to use cryptographic techniques to enforce some form of access control. Such techniques are useful when data objects have the following characteristics: read often, by many users; written once, or rarely, by the owner of the data; and transmitted over unprotected networks. Fu et al. [15] cite content distribution networks, such as Akami and BitTorrent, as examples where some kind of cryptographic access control is particularly suitable. In such circumstances, protected data (objects) are encrypted and authorized users are given the appropriate cryptographic keys. When cryptographic enforcement is used, the problem we must address is the efficient and accurate distribution of encryption keys to authorized users. In recent years, there has been a considerable amount of interest in key encrypting or key assignment schemes. In such schemes, a user is given a secret value – typically a single key – which enables the user to derive some collection of encryption keys which decrypt the objects for which she is authorized. In most schemes, key derivation is performed using the secret value and some information made publicly available by the scheme administrator. Key assignment schemes are typically used to enforce information flow policies. Unfortunately, information flow policies represent a relatively small proportion of the access control policies that we may wish to enforce. In contrast, role-based access control policies can be used to encode a wide variety of access P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 191–205, 2011. c Springer-Verlag Berlin Heidelberg 2011 

192

J. Crampton

control requirements, but no cryptographic enforcement mechanism exists for such policies. In this paper, we consider the cryptographic enforcement of role-based access control policies. Our main contributions are – to provide a new characterization of role-based access control policies; – to demonstrate how this characterization leads to an interpretation of rolebased access control policies as an “authorization poset” (which is not the same as a role hierarchy); – to illustrate how cryptographic enforcement of role-based access control can be used both to enforce and extend the scope of temporal access control policies [4,5,21] and attribute-based encryption [9,16]. Collectively, we may regard our contributions as providing some kind of unification of several different “flavors” of policies for controlling read access to protected resources, in the sense that information flow policies, temporal access control policies and attribute-based encryption policies are all special cases of our characterization of role-based access control. In the next section, we introduce some relevant background material. In Sections 3 and 5, we describe, respectively, how core and hierarchical role-based access control can be enforced using cryptographic techniques. In Sections 4 and 6, we consider the application of our techniques to temporal access control and attribute-based encryption, respectively. There is no separate section on related work; instead, we discuss relevant prior research, where appropriate, in Sections 2, 4 and 6.

2

Background

In this section, we provide a brief introduction to information flow policies and their enforcement using cryptographic techniques. We will apply these methods to role-based access control in Sections 3 and 5. We conclude the section with a summary of role-based access control. 2.1

Information Flow Policies

Reading an object can be interpreted as causing information to flow from the object (to the reader). An information flow policy specifies which flows of information are authorized [14]. To specify such a policy, we define: – a partially ordered set (poset) of security labels (L, );1 – a set of users U and a set of objects O; – a security function λ : U ∪ O → L, where λ(x) denotes the security label of entity x. Then a user u is authorized to read o if and only if λ(u)  λ(o). Informally, information can only flow “upwards” with respect to L; in particular, information cannot flow from an object to a less privileged user. 1

In other words,  is a reflexive, anti-symmetric, transitive, binary relation defined on L.

Cryptographic Enforcement of Role-Based Access Control

2.2

193

Cryptographic Enforcement of Information Flow Policies

The study of cryptographic enforcement of information flow policies began with the work of Akl and Taylor [1]. The basic idea is very simple. Given a set of security labels L and a function λ: 1. associate a cryptographic key κ(x) with each x ∈ L, 2. encrypt every object o such that λ(o) = x with κ(x), and 3. for every user u such that λ(u) = x, ensure that u possesses, or can derive, key κ(y) for all y  x. Then user u can decrypt any object o with security label y  x, but cannot decrypt any other object. There are several generic techniques that can be used to realize such cryptographic enforcement schemes for information flow [11], which are often called key assignment schemes. In this paper, we focus on key assignment schemes that use iterative key derivation (which is defined by the traversal of some path in an appropriate directed, acyclic graph). In such schemes, each user is given a single key and the scheme administrator publishes additional information that enables the derivation of other keys. Specifically, given a directed graph G = (V, E) and a function λ : U ∪ O → V , we define a key κ(x) for each x ∈ V , and for each edge (x, y) ∈ E we include Encκ(x) (κ(y)) in the public information (where Enck (m) denotes the symmetric encryption of message m with key k). Then a user u such that λ(u) = x can derive the key for any y ∈ V if there exists a directed path from x to y in G. Clearly, such a scheme can be used to enforce an information flow policy, where G is the Hasse diagram [12] of (L, ). There are two notions of security for key assignment schemes: key recovery and key indistinguishability [3,5]. Informally, security against key recovery means that an adversary has a negligible probability of deriving a key κ(x) if the adversary does not know κ(y) for some y > x. And a scheme with key indistinguishability means that a computationally-bounded adversary A has no significantly better strategy than to guess in deciding whether a given string equals κ(x) (where x is known to A) or is some random string. Key indistinguishability is analogous to ciphertext indistinguishability (under chosen plaintext attack) [19]. The method of encrypting the keys of child nodes using the keys of parent nodes (described above) results in a key assignment scheme secure against key recovery (assuming the encryption method is chosen appropriately). However, the use of κ(x) to encrypt both objects and subordinate keys means that it is trivial to distinguish κ(x) from a random string. To obtain a scheme with the key indistinguishability property we need to introduce an additional “key-encrypting key” K(x) for each node x. Then we publish EncK(x) (κ(x)) for all x ∈ L and EncK(x) (K(y)) for all edges (x, y) ∈ E: for y < x, K(x) is used to derive K(y) and K(y) is used to derive the (“object-encrypting”) key κ(y); crucially, κ(x) cannot be used to derive κ(y). Space does not permit a detailed account of these concepts; the interested reader is referred to the literature [3,6,13] for further details. For our purposes, it is sufficient to note that key assignment schemes that are secure against key

194

J. Crampton

recovery and have the property of key indistinguishability can be constructed for any directed, acyclic graph G = (V, E). 2.3

Role-Based Access Control

The basic principles of role-based access control (RBAC) are very simple [22]. We assume that there is a set of roles that are authorized to perform certain actions and that users are authorized to “play” certain roles. The indirection between users and authorized actions provided by the set of roles means that the management of access control policies is greatly simplified. More formally, we assume the existence of set of users U , a set of roles R and a set of permissions P (where a permission is an object-action pair). Then in core RBAC [2] (equivalently, the RBAC0 model [22]) an access control policy is specified by a user-role assignment relation UA ⊆ U × R and a permission-role assignment relation PA ⊆ P × R. A user u is authorized for permission p if there exists a role r ∈ R such that (u, r) ∈ UA and (p, r) ∈ PA. An additional level of indirection may be introduced (with further reduction in management overheads) by defining a role hierarchy as a partial order relation on R (hierarchical RBAC [2] or RBAC1 [22]). In this case, a user u is authorized for permission p if there exist roles r and r such that (u, r) ∈ UA, r  r and (p, r ) ∈ PA.

3

Cryptographic Role-Based Access Control

We first consider an alternative, but equivalent, formalism for core RBAC. (We extend our formalism to hierarchical RBAC in Sect. 5.) First let us assume that we only wish to control read access to objects (as is usual when considering cryptographic access control). With this assumption, there is a one-to-one correspondence between permission and objects and we may replace the set of permissions P with the set of objects O. Given a set of roles X, then, we may represent a core RBAC policy as a function φ : U ∪ O → 2X . We interpret φ(u), where u ∈ U , as the set of roles for which u is authorized, and φ(o), where o ∈ O, as the set of roles that are authorized for o. Then (by definition) u ∈ U is authorized for o ∈ O if and only if φ(u) ∩ φ(o) = ∅. Note that this formulation of RBAC is rather similar to that for information flow policies, with 2X comprising the set of security labels. However, the authorization semantics for information flow and RBAC are rather different, which means that we cannot apply the cryptographic enforcement techniques (discussed in Sect. 2) directly to the poset (2X , ⊆). Nor can we use the binary relation ∼, defined on 2X , where A ∼ B if and only if A ∩ B = ∅, since it is neither anti-symmetric nor transitive. We now consider what it means for an object o to be assigned to two roles r1 and r2 . Then any user assigned to any set of roles containing r1 or r2 is authorized for o. Hence, from the perspective of authorization, we may interpret

Cryptographic Enforcement of Role-Based Access Control

195

φ(o) = {r1 , r2 } as a “disjunction” of the roles r1 ∨r2 . A similar argument suggests that φ(u) = {r1 , r2 } should be interpreted as a “conjunction” r1 ∧ r2 . With this insight, we use the set X as a set of “atoms” to construct an “authorization poset” Auth(X, φ), where x ∧ y represents the authorization label for any user u such that φ(u) = {x, y} and x∨y represents the authorization label  of any object o such that  φ(o) = {x, y}.2 Henceforth, we write {a1 , . . . , ak } to denote a1 ∨ · · · ∨ ak and {a1 , . . . , ak } to denote a1 ∧ · · · ∧ ak . We now define the authorization poset induced by a core RBAC policy. Definition 1. Let φ : U × O → 2X define a core RBAC policy, where X is a set of roles. Then we define (Auth(X, φ), ), the authorization poset induced by φ and X, in the following way: – – – – – – –

for all x ∈ X, x ∈ Auth(X, φ);  if A = φ(u) for some A ∈ 2X and some u ∈ U , then  A ∈ Auth(X, φ); if φ(o) for some B ∈ 2X and some o ∈ O, then B ∈ Auth(X, φ); B =  A   B if and only if A ⊇ B; A   B if and only if A ⊆ B; A   B if and only if A ∩ B = ∅; A  B.

Henceforth, we will omit φ from Auth(X, φ) as it willalways  be obvious from context. Note that x ∈ X can be represented either as {x} or {x}, and these representations are vacuously equivalent from the perspective of authorization. Hence, we omit these duplication representations and, for all x ∈ X, we simply include x in Auth(X). Figure 1 illustrates Auth(X) for X = {a, b, c} (under the assumption that for all A ⊆ X, there exists u ∈ U such that φ(u) = A and there exists o ∈ O such that φ(o) = A). a∧b∧c

a∧b

a

a∨b

s @ @ @ s a ∧ c s b ∧@ c s @ @ @ @ @ @ s @ @ c s b s @ @ @ @ @ @ s a ∨@ c s b ∨@ c s @ @ @ @s a∨b∨c

Fig. 1. (Auth(X), ) for X = {a, b, c} 2

It is important to stress that x ∧ y is simply notation that is intended to convey some intuition about how the assignment of roles x and y to a user should be interpreted; it does not represent the logical conjunction of x and y. The same is true for x ∨ y.

196

J. Crampton

Proposition 2. Let φ : U ∪ O → X be a core role-based access control policy and let |X| = n. Then (Auth(X), ) is a poset and |Auth(X)|  2n+1 − n − 2. Proof. We have to establish that is reflexive, anti-symmetric and transitive. Recall that ⊆ and ⊇ (subset and superset inclusion, respectively) define partial orders on 2X for any set X.   – Then is reflexive, since any element in Auth(X) has the form A or A for some A ⊆ X, and reflexivity of therefore follows from the reflexivity of ⊆ and ⊇, respectively. – Suppose that C D and  D C. Then,without loss of generality, it cannot be the case that C = A and D = B for some A, B ⊆ X, since,by   definition, A  B for all A, B ⊆ X. Hence, either C = A and D = B   or C = A and D = B for some A, B ⊆ X. The anti-symmetry of then follows immediately from the anti-symmetry of ⊆ and ⊇.  – Suppose  that D E and E F . First, consider the case where D = A, E = B and F = C for A, B, by the transitivity  C ⊆ X.Then D F  of ⊆. The same is true if D = A, E = B and F = C. Now consider    the case where D = A, E = B and F = C. Then, by definition, there exists x ∈ A ∩ B, and x ∈ C, since B ⊆C. Hence,D F . Clearly,  a similar line of argument can be used if D = A, E = B and F = C. (Note   that we can discount cases like D = A, E = B and F = C, as we did in the proof of the anti-symmetric property, because, by definition, E  F .) By definition Auth(X) may contain up to two copies of each subset of X of cardinality greater than 1 and one copy of each singleton subset of X. There are 2n − (n + 1) subsets of X of cardinality greater than 1 and there are n singleton subsets of X. Hence, Auth(X)  2(2n − (n + 1)) + n. The result follows.   Note that (Auth(X), ) is not a lattice, even though its “building blocks” – (2X , ⊆) and (2X , ⊇) – are lattices, because some pairs of elements (a and b ∨ c in Fig. 1, for example) do not have a unique least upper bound. Proposition 3. Let X, UA and PA define a core RBAC policy, and let (Auth(X), ) be the authorization poset induced by X and φ. Then user u ∈ U is authorized  for object  o ∈ O with respect to the usual core RBAC semantics if and only φ(o) φ(u). Proof. u is authorized for object o if and only if there exists r ∈ X such that (u, r) ∈UA and (p,  r) ∈ PA; that is, r ∈ φ(u) ∩ φ(o) And r ∈ φ(u) ∩ φ(o) if and only if φ(o) φ(u).   In other words, if we have a collection of objects to which read access should be restricted according to some RBAC policy φ with role set X, then we can define a collection of cryptographic keys, one for each element of Auth(X). Given that Auth(X) is a poset, we can now use existing key assignment schemes to generate a set of public information for (Auth(X), ): that is, if x  y in Auth(X), then the key associated with x ∈ Auth(X), denoted κ(x), can be used to derive κ(y). We refer to this as a cryptographic role-based access control (CRBAC) scheme.

Cryptographic Enforcement of Role-Based Access Control

197

 Note that, given κ( A), it is only necessary to be able toderive κ(a), a ∈ A, because no object is encrypted with any key of the form κ( B), where B ⊆ A. From this observation, we deduce the following result. Proposition 4. Let φ : U ∪ O → X define a core RBAC policy, and let |X| = n. Then there exists a set of edges E ⊆ Auth(X) × Auth(X) such that |E|  n(2n − 2) and the diameter3 of the graph (Auth(X), E) (and hence the number of key derivation steps) is no greater than 2. Proof. We construct E in the following way:  – for a  node A, where A = φ(u) for some u ∈ U , we add an edge between node Aand node a for all a ∈ A, and – for node B, where B = φ(o) for some o ∈ O, we add an edge between b  and B for all b ∈ B. Now each subset A ∈ 2X such  that |A| >  1 contributes at most 2 |A| edges (|A| edges for each of the elements A and A). Hence,  n     n   n     n  n − 1 n |E|  2 i =2 i − n = 2n − 1 = 2n(2n−1 −1) i i i − 1 i=2 i=1 i=1   Finally, A should be able to derive the key for  B only if there existsx ∈ A ∩ B. Now, by construction, there exists an edge ( A, x) and an edge (x, B) and key derivation takes precisely two hops.  

In Sec. 5, we consider how we can incorporate role hierarchies into our work. Before that, we consider a class of access control policies that can be interpreted as instances of core RBAC policies in which we are interested in particular subsets of 2X and can ignore certain “conjunctions” and “disjunctions”.

4

Application: Temporal Access Control

In recent years, we have seen the development of access control models in which time plays an important role in deciding whether access requests are authorized or not [7]. One particular application of such “temporal access control” systems is the protection of data that is made available periodically as (part of) a subscription-based service [8]. In this section, we consider an application of CRBAC in which we extend the scope of temporal access control policies and their enforcement using cryptographic techniques. We do this by restricting attention to particular families of subsets of some set of roles. In particular, each time interval (a consecutive sequence of time points) represents a security label that may be assigned to a user, and each time point represents a security label that may be assigned to an object. Then objects are encrypted using the key associated with a particular time point t and a user associated with time interval [x, y] is authorized to access the object if t ∈ [x, y]. 3

The length of the longest path contained in the graph.

198

J. Crampton

Figure 2(a) illustrates the poset when the number of time points is 4. Atallah et al. [4] and Ateniese et al. [5] have constructed key assignment schemes for temporal access control using this model. Alternatively, we may wish to define policies in which objects are associated with a time interval and users are associated with a particular time point. We may, for example, wish to release an encrypted object at time t in such a way that it can be decrypted by keys κ(t), κ(t + 1), . . . , κ(t + d) (where κ(t) denotes the key associated with time point t). Paterson and Quaglia recently introduced the notion of time-specific encryption [21], which uses this model of temporal access control, and also discussed potential applications of time-specific encryption. In this case, it is users that are assigned to single time points and objects that are assigned to intervals. It is easy to see from the above observations that CRBAC can be used to enforce these two different interpretations of temporal  access control. In the first case, we are only interested in labels of the form [ti , tj ] (since objects are only associated with  single time points); in the second case, we only consider labels of the form [ti , tj ] (since users are only associated with single time points). The posets representing these two situations for X = {t1 , t2 , t3 , t4 } are shown in Fig. 2. t1 ∧ t2 ∧ t3 ∧ t4

r @ @ t1 ∧ t2 ∧ t3 r @rt2 ∧ t3 ∧ t4 @ @ @ r @ rt ∧ t r t1 ∧ t2 t2 ∧ t3@ @3 4 @ @ @ @ r @r @r @r

t1

t2

t3

(a) Temporal access control

t4

t1

t2 t3 t4 r r r r @ @ @ @ @ @ r r @rt3 ∨ t4 t1 ∨ t2@ t2 ∨ t3@ @ @ @ @rt2 ∨ t3 ∨ t4 t1 ∨ t2 ∨ t3 r @ @ @r t1 ∨ t2 ∨ t3 ∨ t4

(b) Time-specific encryption

Fig. 2. Authorization posets for temporal access control and time-specific encryption

More generally, we may wish to assign both users and objects to intervals. Then an object associated with interval [x, y] can be accessed by any user associated with interval [x , y  ], where x  y (in other words, whenever the intervals overlap). In this context, we define two types of intervals. – We write [x ∧ y] to denote an interval that can only be assigned to users. A user with key κ([x ∧ y]) indicates that the user is authorized for all time points t ∈ [x, y]; – An interval of the form [x ∨ y] can only be assigned to objects and indicates the object is associated with each of the time points t ∈ [x, y]. In particular, κ(t) can decrypt an object encrypted with κ([x ∨ y]) for all t ∈ [x, y]. In this context, the set of security labels forms a diamond-shaped grid, where [x ∧ y]  [z, z] and [z, z]  [x ∨ y] for all z ∈ [x, y].

Cryptographic Enforcement of Role-Based Access Control

5

199

Role Hierarchies

In hierarchical RBAC, the set of roles is partially ordered. In the hierarchical setting, we must therefore provide an appropriate interpretation of r1 ∧ r2 and r1 ∨ r2 . There are two situations to consider: – r1  r2 (and, equivalently, r1  r2 ); – r1 and r2 are incomparable (that is, r1  r2 and r1  r2 ), which we abbreviate henceforth to r1  r2 . If r1  r2 , then any user assigned to r2 is also (implicitly) assigned to r1 , and any permission assigned to r1 is also assigned to r2 . Therefore, r1 ∧ r2 is equivalent, in terms of authorization, to r2 , and r1 ∨r2 is equivalent to r1 . In contrast, r1 ∧r2 and r1 ∨ r2 cannot be simplified if r1  r2 . Generalizing, we have:  – for  every non-empty chain C ⊆ X, C is the minimum element in C and C is the maximum element in C;   – for every non-empty antichain A ⊆ X, A and A cannot be simplified.4 Note that the above discussion means we may assume that the set of roles for which a user is authorized is an antichain and the set of roles that are authorized for a permission also forms an antichain. We write AX to denote the set of antichains in a poset (X, ). The following result (stated without proof) establishes the existence of two partial orders on AX ; these orderings are analogous to subset and superset inclusion for a powerset. Lemma 5 (Crampton [10]). Let (X, ) be a poset, and let AX be the set of antichains in X. For A, B ∈ AX , we define: – A 1 B if and only if for all b ∈ B there exists a ∈ A such that a  b, and – A 2 B if and only if for all a ∈ A there exists b ∈ B such that a  b. Then 1 and 2 define partial orders on AX . Definition 6. Given a poset of roles (X, ) and a hierarchical RBAC policy φ : U ∪ O → AX , we define (Auth(X), ), the authorization poset induced by (X, ) and φ, in the following way: – for all x ∈ X, x ∈ Auth(X);  – if A = φ(u) for some A ∈ AX , then  A ∈ Auth(X); – if φ(o) for some B ∈ AX , then B ∈ Auth(X); B =  –  A  B if and only if A 1 B; –  A B if and only if A 2 B; – A B if and only if there exists x ∈ X such that A 1 {x} and {x}  B; 2   – A  B. Note that an information flow policy for confidentiality is a trivial special case in which (X, ) represents the security lattice and for all u ∈ U and o ∈ O, φ(u) and φ(o) are singleton sets. The construction of Auth(X) for a simple poset of 4

Note that in core RBAC, we may take the partial order on R to be the empty set, and every subset of R is an antichain.

200

J. Crampton d

s

b∧c

a∧b d

b

s S  S  S s  Ssc s

a

(a) (X, )

b

b∨c

s @ @ @ @sc

s @ @ s @ @ @ @ s @sa @ @ @ @s a∨b

(b) (Auth(X), )

a∧b

b

d b∧c s s s   @ @  @ @ @ s @  @sc @ A @

A @ A
@s A
 a  A 
 A
 s  A
s

a∨b

b∨c

(c) (Auth(X), E)

Fig. 3. Auth(X) for a simple poset X

roles X is shown in Fig. 3. (The figure assumes that every antichain appears exactly twice.) We have two results analogous to those for core RBAC. The proof of each result is very similar to the respective proofs in Sect. 3 and rely on Lemma 5. The  orderings 1 (which is used to define the  ordering on elements of the form A) and 2 (used for elements of the form A) replace ⊇ and ⊆, respectively. The proofs of the following results are omitted due to space constraints. Proposition 7. Let (X, ) be a poset. Then (Auth(X), ) is a poset. Proposition 8. Let (X, ), UA and PA define a hierarchical RBAC policy, and let Auth(X) be the authorization lattice induced by X and φ. Then user u ∈ U is authorized forobject o ∈ O with respect to the usual hierarchical RBAC semantics if and only φ(o) φ(u). We cannot prove a general result analogous to Proposition 4 because the cardinality of Auth(X) depends on the antichains in X (which depend on the partial order). However, we can provide an upper bound on the number of nodes as a function of the number of antichains in X, which we denote by a. Then there are a − n antichains of cardinality greater than 1. Therefore, by construction, |Auth(X)|  2(a − n) + n = 2a − n. (Note that when X is unordered, every non-empty subset is an antichain, and we recover the result in Proposition 4.) We can also construct a set of edges such that the diameter of (Auth(X), E) is 2. We construct a set of edges E in the following way:  – if A = φ(u) for some u ∈ U , then (  A, a) ∈ E for all a ∈ A, – if B = φ(o) for some o ∈ O, then (b, B) ∈ E for all b ∈ B, and – if (x, y) is an edge in the (graph of the) transitive reduction of (X, ), then (x, y) ∈ E.

Cryptographic Enforcement of Role-Based Access Control

201

Clearly the diameter of the graph (Auth(X), E) is 2, as in the proof of Proposition 4. Like |Auth(X)|, the cardinality of E depends on a. In general,  |E|  m + 2 |A| , A∈AX

where m is the cardinality of the covering relation of (X, ). An example of the graph (Auth(X), E) is shown in Fig. 3(c).

6

Application: Attribute-Based Encryption

In this section, we examine the connections between CRBAC and attribute-based encryption (ABE). In ciphertext policy ABE (CP ABE) a message is associated with multiple attribute sets, whereas a user (who is given a private decryption key) is associated with a single attribute set [9]. More specifically, in CP ABE we assume the existence of a set of attributes Att. Each encryption key is associated with a monotone access structure S defined over Att. That is, S is a collection of subsets of Att such that if A ∈ S and A ⊆ B, where A, B ⊆ Att, then B ∈ S.5 In contrast, each decryption key is associated with some subset of Att. The keys are constructed in such a way that a message encrypted with k, where k is associated with monotone access structure S, can only be decrypted by k  , where k  is associated with A ⊆ Att, if A ∈ S. We assume that users are synonymous with decryption keys and objects are synonymous with encryption keys. Then an instance of CP ABE is completely Att defined by a function ψ : U ∪ O → 22 , where – ψ(u), u ∈ U , is equal to {A} for some A ⊆ Att; – ψ(o), o ∈ O, is equal to some monotone access structure S defined over Att. A user u is, by definition, authorized for object o if ψ(u) ∈ ψ(o). Clearly, we may encode an instance of CP ABE as an  instance of a core RBAC policy, in which X = 2Att , φ(u) = ψ(u) and φ(o) = ψ(o). By definition, u is authorized for o if φ(u) ∩ φ(o) = ∅ and, since φ(u) is a singleton set in 2Att , this condition holds if and only if φ(u) ∈ φ(o). However, we can encode ψ more economically as a hierarchical role-based access control policy. In particular, we define the set of roles to be (2Att , ⊆) and we define – φ(u) = ψ(u);  – φ(o) = ψ(o), where S denotes the set of minimal elements in the monotone access structure S.6 Figure 4 illustrates the authorization lattice induced by the hierarchical RBAC interpretation of CP ABE when |Att| = 3. To prove that this hierarchical RBAC policy does indeed encode ψ, we establish the following result. 5 6

Equivalently, S is an order filter [12] in the poset (2Att , ⊆). A set Ai is minimal in the collection of sets {A1 , . . . , Ak } if there does not exist Aj such that Aj ⊂ Ai . It is easy to show that a monotone access structure is uniquely defined by its minimal elements (see [10], for example).

202

J. Crampton

h

h

e

b

s @ @ @ s @ g s f s @ @ @ @ @ @ s @ @ c s d s @ @ @ @s

s @ @ @ @ g s e s f s @ @ @ @ @ @ e ∨@ g s f ∨@ e∨f s g s PP H PP HH @ PP H @ PP HH @ P P H @ c s b s d s se ∨ f ∨ g           s c∨f  s d∨e s b∨g  @ @ @ @ @ @ b ∨ c s b ∨@ d s c ∨@ d s @ @ @ b ∨ c ∨@ d s s

a

a

(a) X = 2Att

(b) Auth(X)

Fig. 4. The authorization poset for CP ABE when |Att| = 3

Proposition 9. Let ψ define an instance of  ciphertext policy attribute-based encryption. Then ψ(u) ∈ ψ(o) if and only if ψ(o) ψ(u). Proof. “⇒”: Since ψ(o) is a monotone access structure, ψ(u) ∈ ψ(o) implies that there exists a minimal element M ∈ ψ(o) such that M ⊆ ψ(u).   And, by definition, M ∈ ψ(o). Hence, ψ(o) 1 {M } 2 ψ(u). That is, ψ(o) ψ(u).  X “⇐”:  If ψ(o) ψ(u), then, by definition, there exists M ∈ 2 such that ψ(o) 1 {M } and {M } 2 ψ(u). Since ψ(u)  is a singleton set, the definition of 2 implies that M ⊆ ψ(u). Moreover, ψ(o) {M } implies that there exists M  ∈ ψ(o) such that M  ⊆ M . Hence, we may conclude that M  ⊆ ψ(u), which implies that ψ(u) ∈ ψ(o) since ψ(o) is a monotone access structure and M  ∈ ψ(o).   We conclude that CRBAC can be used to implement CP ABE. The crucial difference is that CRBAC uses only symmetric primitives, whereas CP ABE relies on pairing-based cryptographic primitives. Space constraints preclude a comparison of the characteristics of CP ABE and CRBAC (such as security notions, key size, ciphertext size, encryption and decryption times); this will be the subject of future work.

Cryptographic Enforcement of Role-Based Access Control

203

h

s

s @ @ @ e ∧ f s e ∧ g s f ∧@ g s @ @ @ @ @ @ f s b ∧@ g s d ∧ e s c ∧@            s  g s e s f s b∧c∧d  aa  a Qaa  Q
Q A Q A A Q a  Q  
 A Q  Qaa A a aa A Q 
 A  Q  Q A aaAaaQ sa b ∧ dA
s c ∧Q s QAse ∨ f aAse ∨a asf ∨ g gQ b∧c  d  Qaa a Q A  aa Q A A
Q aa Q  Q   a A aQ  Q  A
Q Aa a  A a Q A a  Q  QA
Q s aa s aQ a s Q A
se ∨ f ∨ g cA bA d             s c∨f  s d∨e s b∨g  @ @ @ @ @ @ b ∨ c s b ∨@ d s c ∨@ d s @ @ @ b ∨ c ∨@ d s e∧f ∧g

h

e

b

s @ @ @ s @ g s f s @ @ @ @ @ @ s @ @ c s d s @ @ @ @s

s

a

a

(a) X

(b) Auth(X)

Fig. 5. Auth(X) when the set of roles X is order isomorphic to a powerset

In contrast to CP ABE, key policy ABE (KP ABE) associates decryption keys with monotone access structures and encryption keys with single attribute sets [16]. The decryption key k, where ψ(k) = S for some monotone access structure S, can decrypt any message encrypted with k  , where ψ(k  ) = B ⊆ Att for any B ∈ S. As for KP ABE, we can show that CRBAC can be used to enforce KP ABE; we omit these details. Note, however, that there is no particular reason why we should associate a single element of X = 2Att with either encryption (as in KP ABE) or decryption (as in CP ABE). In other words, we can do for attribute-based encryption exactly what we did for temporal access control in Sect. 4, and associate arbitrary antichains in 2Att with both encryption and decryption keys. To our knowledge, no scheme in the literature has considered the simultaneous enforcement of CP

204

J. Crampton

and KP ABE. Again, space constraints do not allow us to explore this matter in appropriate detail and is something we will be pursuing in future work. Figure 5 illustrates the full authorization poset required to support CP and KP ABE when |Att| = 3. Notice the embedding of the poset depicted in Fig. 4 within the poset shown in Fig. 5.

7

Concluding Remarks

The main contribution of this paper is to introduce a way of re-writing an RBAC policy in such a way that it can be interpreted as an information flow policy.7 Having re-written an RBAC policy as an information flow policy, we can apply techniques from the literature on key assignment schemes to provide a cryptographic enforcement mechanism for the original RBAC policy. Perhaps the most interesting aspect of our work is that several different strands of work on cryptographic enforcement of access control policies – such as temporal access control and attribute-based encryption – are special cases of our cryptographic enforcement mechanism for RBAC. This is unsurprising as RBAC is claimed to be very expressive [22], but it does illustrate the importance of our contribution in providing a cryptographic enforcement mechanism for RBAC, thereby providing a uniform cryptographic enforcement mechanism for several classes of authorization policies. In future work, we will continue to explore the connections between our work and attribute-based encryption, with a particular emphasis on the simultaneous enforcement of ciphertext policy and key policy attribute-based encryption. Previous work on cryptographic file systems suggests that asymmetric cryptosystems are required to support read-write access control policies; consequently key management becomes more complex [17,18]. Therefore, we also intend to investigate whether it is possible to support both read and write access modes for RBAC using the (symmetric encryption) techniques described in this paper, perhaps using message authentication codes, rather than digital signatures, to confirm the validity of attempts to modify an object.

References 1. Akl, S., Taylor, P.: Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems 1(3), 239–248 (1983) 2. American National Standards Institute: ANSI INCITS 359-2004 for Role Based Access Control (2004) 3. Atallah, M., Blanton, M., Fazio, N., Frikken, K.: Dynamic and efficient key management for access hierarchies. ACM Transactions on Information and System Security 12(3), 1–43 (2009) 4. Atallah, M., Blanton, M., Frikken, K.: Incorporating temporal capabilities in existing key management schemes. In: Proceedings of the 12th European Symposium on Research in Computer Security, pp. 515–530 (2007) 7

It should be noted that our technique is quite different from attempts in the literature to use RBAC to enforce information flow policies (as in [20], for example).

Cryptographic Enforcement of Role-Based Access Control

205

5. Ateniese, G., De Santis, A., Ferrara, A., Masucci, B.: Provably-secure time-bound hierarchical key assignment schemes. Cryptology ePrint Archive, Report 2006/225 (2006) 6. Ateniese, G., De Santis, A., Ferrara, A., Masucci, B.: Provably-secure time-bound hierarchical key assignment schemes. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 288–297 (2006) 7. Bertino, E., Bonatti, P., Ferrari, E.: TRBAC: A temporal role-based access control model. ACM Transactions on Information and System Security 4(3), 191–223 (2001) 8. Bertino, E., Carminati, B., Ferrari, E.: A temporal key management scheme for secure broadcasting of XML documents. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 31–40 (2002) 9. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: Proceedings of 2007 IEEE Symposium on Security and Privacy, pp. 321– 334 (2007) 10. Crampton, J.: Authorization and antichains. Ph.D. thesis, Birkbeck, University of London, London, England (2002) 11. Crampton, J., Martin, K., Wild, P.: On key assignment for hierarchical access control. In: Proceedings of 19th Computer Security Foundations Workshop, pp. 98–111 (2006) 12. Davey, B., Priestley, H.: Introduction to Lattices and Order, 2nd edn. Cambridge University Press, Cambridge (2002) 13. De Santis, A., Ferrara, A., Masucci, B.: Efficient provably-secure hierarchical key assignment schemes. Cryptology ePrint Archive, Report 2006/225 (2006) 14. Denning, D.: A lattice model of secure information flow. Communications of the ACM 19(5), 236–243 (1976) 15. Fu, K., Kamara, S., Kohno, T.: Key regression: Enabling efficient key distribution for secure distributed storage. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2006 (2006) 16. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: Proceedings of 13th ACM Conference on Computer and Communications Security, pp. 89–98 (2006) 17. Harrington, A., Jensen, C.: Cryptographic access control in a distributed file system. In: Proceedings of Eighth ACM Symposium on Access Control Models and Technologies, pp. 158–165 (2003) 18. Kallahalla, M., Riedel, E., Swaminathan, R., Wang, Q., Fu, K.: Plutus: Scalable secure file sharing on untrusted storage. In: Proceedings of the FAST 2003 Conference on File and Storage Technologies, pp. 29–42 (2003) 19. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman & Hall/CRC (2007) 20. Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Transactions on Information and System Security 3(2), 85–106 (2000) 21. Paterson, K., Quaglia, E.: Time-specific encryption. In: Garay, J. (ed.) Proceedings of Seventh Conference on Security and Cryptography for Networks (2010) (to appear) 22. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)

A Calculus for the Analysis of Wireless Network Security Protocols Francesco Ballardin and Massimo Merro Dipartimento di Informatica, Universit` a degli Studi di Verona, Italy

Abstract We propose a timed broadcasting calculus for wireless systems. The operational semantics of our calculus is given both in terms of a Reduction Semantics and in terms of a Labelled Transition Semantics. We prove that the two semantics coincide. The labelled transition system is used to derive a standard notion of (weak) bi-similarity which is proved to be a congruence. We use our simulation theory to adapt Gorrieri and Martinelli’s tGNDC scheme to investigate, in our setting, the safety of non-trivial wireless network security protocols.

1

Introduction

Communication technologies such as WiFi, Bluetooth, and Homeplug are widely diffused and rely on short-range networking for disparate wireless devices in home and office environments. Larger wireless networks such as cellular, sensor and vehicular ad hoc networks are also becoming more and more popular. In order to design secure wireless networks, several aspects have to be considered [1]: key establishment, secrecy, authentication, and privacy. Key establishment is at the core of any security framework. Traditional solutions for data secrecy and authentication rely on cryptographic protocols, which typically use either public key or symmetric key algorithms. However, in many wireless systems (such as sensor networks and vehicular ad hoc networks) resource limitations and/or real-time constrains impose to use symmetric key algorithms. In the last four years, a number of distributed process calculi have been proposed for modelling different aspects of wireless systems [2,3,4,5,6,7,8,9]. However, none of this calculi deal with security protocols. On the other hand, process algebras, such as CryptoCCS and tCryptoSPA [10] have already been used in [10,11] to study network security protocols, also in a wireless scenario. These calculi are extensions of Milner’s CCS [12], where node distribution, local broadcast communication, and message loss are not primitives but they are codified in terms of point-to-point transmission and a (discrete) notion of time. We propose a simple timed broadcasting process calculus, called tcryptoCWS, for modelling wireless network security protocols. As usual in wireless systems, our broadcast communications span over a limited area, called transmission range. The time model we use is known as the fictitious clock approach (see e.g. [13]). A global clock is supposed to be updated whenever all nodes agree on 

This work was partially supported by the PRIN 2007 project “SOFT”.

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 206–222, 2011. c Springer-Verlag Berlin Heidelberg 2011 

A Calculus for the Analysis of Wireless Network Security Protocols

207

this, by globally synchronising on a special action σ. All the other actions are assumed to take no time. This is reasonable if we choose a time unit such that the actual time of an action is negligible with respect to the time unit. The operational semantics of the calculus is given both in terms of a reduction semantics and in terms of a labelled transition semantics. The two operational semantics are proved to coincide. The calculus enjoys standard time properties, such as: time determinism, maximal progress and patience [13]. The labelled transition semantics is used to derive a standard notion of (weak) bi-similarity which is proved to be a congruence. As a main application, we provide a clear and formal specification of two wireless network security protocols: (i) μTESLA [14], a well-known protocol to achieve authenticated broadcast in wireless sensor networks; (ii) Localized Encryption and Authentication Protocol (LEAP+) [15], a key management protocol intended for large-scale wireless sensor networks. We use our simulation theory, to adapt Gorrieri and Martinelli’s Timed Generalized Non-Deducibility on Compositions (tGNDC) scheme [10,11], a well-known general framework for the definition of timed security properties. In particular, we concentrate on two properties: timed integrity, which guarantees on the freshness of authenticated packets; and timed agreement, for which agreement between initiator and responder must be reached within a certain deadline. We formally prove that the μTESLA protocol enjoys both timed integrity and timed agreement. We then prove that the single-hop pairwise shared key mechanism of the LEAP+ protocol enjoys timed integrity, while it does not respect timed agreement. When showing that timed agreement fails, we provide an execution trace in which the attacker performs a replay attack , despite the security assessment of [15]. To our knowledge this is the first formalisation of a replay attack to LEAP+, in a timed scenario.

2

The Calculus

In Table 1, we define the syntax of tcryptoCWS in a two-level structure, a lower one for processes and an upper one for networks. We use letters a, b, c, . . . for logical names, x, y, z for variables, u for messages, and v and w for closed values, i.e. values that do not contain free variables. We write Fi to denote constructors for messages. The syntax and the semantics of tcryptoCWS are parametric with respect to a given decidable inference system. Inference systems consist of a set of rules to model the operations on messages by using constructors. For instance, the rules (pair)

v1 v2 pair(v1 , v2 )

(fst)

pair(v1 , v2 ) v1

(snd)

pair(v1 , v2 ) v2

allow us to deal with pairs of values. An instance of the application of rule r to closed messages vi is denoted as v1 . . . vk r v0 . Given an inference system, a deduction function D is defined such that, if Φ is a finite set of closed messages,

208

F. Ballardin and M. Merro

Table 1. The Syntax Networks: M, N ::= 0   M1 | M2   n[P ]ν

empty network parallel composition node

Processes: P, Q ::=              

termination broadcast receiver with timeout internal with timeout delay matching deduction recursion

nil !u.P ?(x).P Q τ.P Q σ.P [u1 = u2 ]P ; Q [u1 . . . un r x]P ; Q H˜ u

then D(Φ) is the set of closed messages that can be deduced from Φ by applying instances of the rules of the inference system. Networks in tcryptoCWS are collections of nodes (which represent devices) running in parallel and using a unique common channel to communicate with each other. The symbol 0 denotes the empty network, while M1 | M2represents the parallel composition of two sub-networks M1 and M2 . We write i∈I Mi to mean the parallel composition of all Mi , for i ∈ I. We assume that all nodes have the same transmission range (this is a quite common assumption in ad hoc networks [16]). The communication paradigm is local broadcast ; only nodes ν located in the range of the transmitter may receive data. We write n[P ] for a node named n (the device network address) executing the sequential process P . The tag ν contains (the names of) the neighbours of n. Processes are sequential and live within the nodes. The symbol nil denotes the skip process. The sender process !v.P allows to broadcast the value v. The process ?(x).P Q denotes a receiver with timeout. Intuitively, this process either receives a value, in the current time interval, and then continues as P , or it idles for one time unit, and then continues as Q. Upon successful reception the variable x of P is instantiated with the received message. Similarly, the process τ.P Q denotes a process that either perform an internal action, in the current time interval, and then continues as P , or it idles for one time unit, and then continues as Q. The process σ.P models sleeping for one time unit. Process [v1 = v2 ]P ; Q behaves as P if v1 = v2 , and as Q otherwise. Sometime, we will write [v1 = v2 ]P to mean [v1 = v2 ]P ; nil. Process [v1 . . . vk r x]P ; Q is the inference construct. It tries to infer a message w from the set of premises {v1 . . . , vk } through an application of rule r ; if it succeeds, then it behaves as P (where w replaces x), otherwise it behaves as Q. As in the matching construct, we will write [v1 . . . vn r x]P to mean [v1 . . . vn r x]P ; nil. In processes σ.P, ?(x).P1 P2 , τ.P1 P2 and !v.P the occurrences of P , P1 and P2 are said to be guarded.

A Calculus for the Analysis of Wireless Network Security Protocols

209

Table 2. Reduction Semantics

(R-Bcast)

(R-Internal)

m[!v.P ]ν |

i∈I

∀i ∈ I ni ∈ ν m ∈ νi  ni [?(xi ).Pi Qi ]νi  m[P ]ν | i∈I ni [{v/xi }Pi ]νi

− m[τ.P Q]ν  m[P ]ν

(R-Sigma)

(R-Struct1)





(R-Par)

M  M M | N  M | N

−  σ [σ.Pi ] | j∈J nj [. . .Qj ]νj | k∈K nk [nil]νk −−  i∈I n i   νi | j∈J nj [Qj ]νj | k∈K nk [nil]νk i∈I ni [Pi ] νi



M ≡ N N  N N ≡ M M  M

σ

(R-Struct2)

M ≡ N N −−  N N ≡ M σ M −−  M

We write H˜ v  to denote a process defined via an equation H(˜ x) = P , with |x ˜ |=| v˜ |, where x ˜ contains all variables that appear free in P . Defining equations provide guarded recursion, since P may contain only guarded occurrences of process identifiers, such as H itself. We assume there are no free variables in our networks. The absence of free variables in networks is trivially maintained as the network evolves. We write {v/x }P for the substitution of the variable x with the value v in P . Given a network M , nds(M ) returns the names of M . If m ∈ nds(M ), the function ngh(m, M ) returns the set of the neighbours of m in M . Thus, for ν M = m[P ] | N it holds that ngh(m, M ) = ν. We write Env(M ) to mean all the nodes of the environment reachable by the network M . The formal definition is: Env(M ) = ∪m∈nds(M ) ngh(m, M )\nds(M ). The dynamics of the calculus is given in terms of a timed reduction relation described in Table 2. As usual in process calculi, the reduction semantics relies on an auxiliary relation, ≡, called structural congruence, defined in Table 3. Basically, ≡ brings the participants of a potential interaction into contiguous positions. In our case, for convenience, structural congruence also takes into account matching and deduction; we recall that our inference systems are always decidable. The computation proceeds in lock-step: between global synchronisation, deσ noted with −− , all nodes proceeds asynchronously by performing actions with no duration, denoted with . Rule (R-Bcast) models the broadcast of a message v. Communication proceeds even if there are no listeners: transmission is a non-blocking action. Moreover, communication is lossy as some receivers within the range of the transmitter might not receive the message. This may be due to several reasons such as signal interferences or the presence of obstacles. Rule (R-Internal) models local computations. Rules (R-Par), (R-Struct1) and (R-Struct2) are standard in process calculi. Rule (R-Sigma) models the passage of time. We write  to denote the reflexive and transitive closure of .

210

F. Ballardin and M. Merro

Table 3. Structural Congruence n[[v1 . . . vn r v]P ; Q]ν ≡ n[P ]ν if v1 . . . vn r v n[[v1 . . . vn r v]P ; Q]ν ≡ n[Q]ν if ∃ v. v1 . . . vn r v n[[v = v]P ; Q]ν ≡ n[P ]ν n[[v1 = v2 ]P ; Q]ν ≡ n[Q]ν if v1 = v2 def

n[A˜ v ]ν ≡ n[{v/x }P ]ν if A˜ v = P ∧ | x ˜ |=| v˜ | M |N ≡N |M (M | N) | M  ≡ M | (N | M  ) M |0≡M M ≡M M ≡ N implies N ≡ M M ≡ M  ∧ M  ≡ M  implies M ≡ M  M ≡ N implies M | M  ≡ N | M  , for all M 

(Struct (Struct (Struct (Struct

DedT) DedF) Then) Else)

(Struct (Struct (Struct (Struct (Struct (Struct (Struct (Struct

Rec) Par Comm) Par Assoc) Zero Par) Refl) Symm) Trans) Ctx Par)

The syntax presented in Table 1 allows to derive inconsistent networks. We rule out networks containing two nodes with the same name. As all nodes have the same transmission range the neighbouring relation is symmetric. Furthermore, in order to guarantee clock synchronisation, we impose network connectivity. Definition 1 (Well-formedness). M is said to be well-formed if ν

ν

– whenever M ≡ M1 | m1 [P1 ] 1 | m2 [P2 ] 2 it holds that m1 = m2 ; ν ν – whenever M ≡ N | m1 [P1 ] 1 | m2 [P2 ] 2 with m1 ∈ ν2 it holds that m2 ∈ ν1 ; – for all m, n ∈ nds(M ) there are m1 , . . . , mk ∈ nds(M ), such that m=m1 , n=mk , νj = ngh(mj , M ), for 1≤j≤k, and mi ∈ νi+1 , for 1≤i≤k−1. Network well-formedness is preserved at run time. σ

Proposition 1. Let M be a well-formed network. If M  M  or M −−  M  then M is a well-formed network.

3

Time Properties

Proposition 2 formalises the deterministic nature of time passing: a network can reach at most one new state by executing the action σ. Proposition 2 (Time Determinism). Let M be a well-formed network. If σ σ M −−  M  and M −−  M  then M  ≡ M  The maximal progress property [13] says that processes communicate as soon as a possibility of communication arises. Proposition 3 (Maximal Progress). Let M be a well-formed network. If σ ν M ≡ m[!v.P ] | N then M −−  M  for no network M  .

A Calculus for the Analysis of Wireless Network Security Protocols

211

Table 4. LTS - Transmission, internal actions, and time passing

(Snd)

− m!vν

ν

ν

m[!v.P ] −−−−−− → m[P ]

(RcvEnb)

M −−−− →M

−

M −−−−−− → M

m?v

M | N −−−− → M | N

N −−−− → N m!vν 

m?v

N −−−− → N

ν  := ν\nds(N ) τ

τ

− σ n[nil]ν −− → n[nil]ν

(σ-Rcv)

− σ n[?(x).P Q]ν −− → n[Q]ν

(σ-Par)

M −− → M  N −− → N σ  M | N −− → M | N

σ

m?v

M −−−− → M

M | N −−−−−−− → M | N

m[τ.P Q]ν −− → m[P ]ν

(σ-nil)

m?v

n[?(x).P Q] −−−− → n[{v/x }P ]ν

(RcvPar)

m?v

m!vν

(Tau)

m∈ν ν

m?v

m∈ / nds(M )

(Bcast)

(Rcv)

(TauPar)

M −− → M τ M | N −− → M | N

(Delay)

− σ n[σ.P ]ν −− → n[P ]ν

(σ-Tau)

− σ m[τ.P Q]ν −− → m[Q]ν

σ

(σ-0)

− σ 0 −− →0

Patience guarantees that a process will wait indefinitely until it can communicate [13]. In our setting, this means that if no transmissions can start then it must be possible to execute a σ-action to let time pass.  ν Proposition 4 (Patience). Let M ≡ i∈I mi [Pi ] i be a well-formed network, νi such that for all i ∈ I it holds that mi [Pi ] ≡ mi [!v.Qi ]νi , then there is a σ network N such that M −−  N.

4

Labelled Transition Semantics

In Table 4, we provide a Labelled Transition System (LTS) for our calculus. In rule (Snd) a sender dispatches its message to its neighbours ν, and then continues as P . In the label m!vν the set ν contains the neighbours of m which may receive the message v. In rule (Rcv) a receiver gets a message coming from a neighbour node m, and then evolves into process P , where all the occurrences of the variable x are replaced with the value v. If no message is received in the current time interval, the node n will continue with process Q, according to the rule (σ-Rcv). In rule (RcvPar) we model the composition of two networks receiving the same message from the same transmitter. Rule (RcvEnb) says that every node can synchronise with an external transmitter m. This rule, together with rule (RcvPar), serves to model message loss. Rule (Bcast) models the propagation of messages on the broadcast channel. Note that in rule (Bcast) we loose track

212

F. Ballardin and M. Merro

Table 5. LTS - Matching, recursion and deduction λ

(Then)

λ

n[P ]ν −− → n[P  ]ν λ

n[[v = v]P ; Q]ν −− → n[P  ]ν (Rec)

n[H˜ v ]

ν

n[{v/x }P ]ν −− → n[P  ]ν v1 . . . vn r v λ

n[[v1 . . . vn r x]P ; Q]ν −− → n[P  ]ν

v1 = v2 λ

n[[v1 = v2 ]P ; Q]ν −− → n[Q ]ν def

λ n[{v˜/˜ x}P ]ν −− → n[P  ]ν

H(˜ x) = P

λ

 ν

−− → n[P ]

λ

(Dtt)

n[Q]ν −− → n[Q ]ν

(Else)

λ

(Dff)

n[Q]ν −− → n[Q ]ν  ∃ v. v1 . . . vn r v λ

n[[v1 . . . vn r x]P ; Q]ν −− → n[Q ]ν

of those neighbours of m that are in N . Rule (Tau) models local computations. Rule (TauPar) serves to propagate internal computations on parallel components. The remaining rules model the passage of time. Rule (Delay) model the delay of a time unit. Rules (σ-nil) and (σ-0) are straightforward. Rules (σ-Rcv) models timeout on receivers. Similarly, (σ-Tau) models timeout on internal activities. Rule (σ-Par) models time synchronisation between parallel components. Rules (Bcast) and (TauPar) have their symmetric counterpart. In Table 5 we report the obvious rules for nodes containing matching, recursion and deduction processes (we recall that only guarded recursion is allowed). In the sequel, we use the metavariable λ to range over the labels: m!vν, m?v, τ , and σ. The LTS-based semantics is consistent with the reduction semantics. Theorem 1 (Harmony Theorem). – – – – 4.1

If If If If

M M M M

τ

m!vν

 M  then either M −− →≡ M  or M −−−−−− →≡ M  , for some m, v, ν. σ σ   −−  M then M −− →≡ M . m!vν τ  −−−−−− → M or M −− → M  then M  M  . σ σ  −− → M then M −−  M .

Behavioural Semantics

We use our LTS to define a standard notion of timed labelled bisimilarity. In general, a bisimulation describes how two terms (in our case networks) can mimic each other actions. Since we are focusing on weak equivalences we have to distinguish between transmissions which may be observed and transmissions which may not be observed by the environment. Thus, we extend the set of rules of Table 4 with the following two rules: m!vν

m!v∅

(Shh)

M −−−−− → M τ M −− → M

(Obs)

M −−−−−→ − M

ν = ∅

!vν

M −−−− → M

Rule (Shh) models transmissions that cannot be observed because none of the potential receivers is in the environment. Rule (Obs) models a transmission of

A Calculus for the Analysis of Wireless Network Security Protocols

213

a message v that can be received (and hence observed) by those nodes of the environment contained in ν. The name of the transmitter is removed as in real networks the identity of the transmitter can only be ensured by using appropriate authentication protocols. Notice that in a derivation tree the rule (Obs) can only be applied at top-level. In the rest of the paper, the metavariable α ranges over the following actions: !vν, m?v, τ , and σ. We adopt the standard notation for weak transitions: = ⇒ τ α α α ˆ denotes the reflexive and transitive closure of −− →; == ⇒ denotes = ⇒ −− →= ⇒; == ⇒ α denotes = ⇒ if α = τ and == ⇒ otherwise. Definition 2 (Bi-similarity). A relation R over well-formed networks is a α simulation if M R N implies that whenever M −− → M  there is N  such that α ˆ    N == ⇒ N and M R N . A relation R is called bisimulation if both R and its converse are simulations. We say that M and N are similar, written M  N if there is a simulation R such that M R N . We say that M and N are bisimilar, written M ≈ N , if there is a bisimulation R such that M R N . Our notions of similarity and bisimilarity between networks are congruence, as they are preserved by parallel composition. We only report the result for bisimilarity. Theorem 2 (≈ is a congruence). Let M and N be two well-formed networks such that M ≈ N . Then M | O ≈ N | O for all networks O such that M | O and N | O are well-formed.

5

A Framework for the Analysis of Wireless Network Security Protocols

In order to perform a security analysis of wireless network security protocols, we adapt a general schema for the definition of timed security properties, called Timed Generalized Non-Deducibility on Compositions (tGNDC ) [10], a real-time generalisation of Generalised Non-Deducibility on Compositions (GNDC ) [17]. The main idea is the following: a system M is tGN DCα if and only if for every attacker ATT the composition of the system M with ATT satisfies the timed specification α(M ), with respect the timed behavioural relation . The preorder that we will be using in the following analysis is the similarity relation . An attacker is a network, with some constrains on the data known initially, which tries to attack a protocol by stealing and faking information transmitted on the communication channel. Given a network M , we call ID(M ) the set of messages (closed values) that appears in M .1 In our setting, a generic attacker of a network M is a collection of nodes in the environment of M , with current knowledge Φ: def

AT T (Φ, M ) = 1

 n∈Env(M )

n[Pn ]

nds(M)

s.t. ID(Pn ) ⊆ D(Φ) for all n.

This function can be easily defined along the lines of [10].

214

F. Ballardin and M. Merro

Definition 3 (tGNDC). Let M be a network, Φ0 the initial knowledge of the attacker, and α a function between networks defining the property specification for M as the network α(M ). We say that M is tGN DC α  if and only if it holds that M | AT T (Φ0 , M )  α(M ). In order to prove that a network is tGN DC α  , we need a timed notion of term stability [10]. Intuitively, a network M is said to be time-dependent stable if the attacker cannot increase its knowledge when M runs in the space of a time interval. This requires the notion of execution trace. A trace is a sequence of labelled transitions, that we will denote in the standard way. If A is sequence of α1 αn A labels α1 α2 . . . αn , we write M == ⇒ M  to mean M = ⇒ −−− →= ⇒ ··· = ⇒ −−− →= ⇒ M  . Let #σ (A) be the number of occurrences of σ actions in the sequence A. Definition 4. We say that a network M is time-dependent stable wrt a sequence A ⇒ M  | AT T (Φ , M  ) of knowledges {Φj }j≥0 , if whenever M | AT T (Φ0 , M ) == σ  and # (A) = i, then D(Φ ) ⊆ D(Φi ). When two or more networks are time-dependent stable with respect a certain sequence of knowledges {Φj }j≥0 , and they enjoy a certain tGNDC property, then the following compositionality property holds. Proposition 5. Let {Φj }j≥0 be a sequence of knowledges, and {Mr }1≤r≤n a set of time-dependent stable subnetworks, with respect to {Φi }i≥0 , such that Mr ∈ α (M ) tGN DCr r , for 1≤r≤n. It follows that: 1. M1 | . . . | Mn is time-dependent stable; α (M )|...|αn (Mn ) 2. M1 | . . . | Mn ∈ tGN DC1 1 . As in [10], we formalise two useful timed properties for security protocols in terms of use tGN DCα : timed integrity, which guarantees that only fresh packets are authenticated, and timed agreement, for which agreement must be reached within a certain deadline, otherwise authentications does not hold. More precisely, a protocol is said to enjoy the timed integrity property if, whenever a packet p is authenticated during the time interval i, then this packet was sent at most i − δ time intervals before. A protocol is said to enjoy the timed agreement property if, whenever a responder n has completed a run of the protocol, apparently with an initiator m, then the latter has initiated the protocol, apparently with the former, at most δ time intervals before, and the two agents agreed on a set of data d.

6

The μTESLA Protocol

The μTESLA protocol was designed by Perrig et al. [14] to provide authenticated broadcast for sensor networks. μTESLA calculates the Message Authentication Code (MAC) for every packet pi that it is transmitted by using a different key ki . These keys are generated with a public one-way function F such that,

A Calculus for the Analysis of Wireless Network Security Protocols

215

Table 6. μTESLA specification Sender:

def

Si = [xi ki mac mi ] [mi xi pair pi ] !pi .σ. !ki .σ. Si+1 Receiver:

Calculate MAC using payload and key, build a packet with mac and payload, broadcast packet pi , synchronise, broadcast key ki , synchronise, and go to next sending state.

def

Rikl = ?(p).σ.Pikl Qki l k def

k

Receive a packet, synchronise, and go to Pikl ; if timeout go to Qki l .

k

l l Qi l = ?(k).σ.Ri+1 Ri+1

k def

k

Receive a key, synchronise, and go to next receiving state.

k

k

l Pi l = ?(k).Ti l Ri+1

k def

Receive a key k and move to state Ti l ; if timeout go to next receiving state. k

l Ti l = [F i−l (k) = kl ]Uiki ; σ.Ri+1

def Uiki =

def

[p fst m] [p snd x] [x k mac m ] ki [m = m ]Ziki ; σ.Ri+1

ki Ziki = !authi .σ.Ri+1

Check key k using F and the stored key kl , extract MAC from packet p, extract payload from packet p, calculate mac for packet p, verify if it matches with the received one, if so, authenticate packet i, synchronise, go to next receiving state, and store ki .

if k0 , k1 , . . . , kn are the keys used in the transmission, F (ki ) = ki−1 , for 1 ≤ i ≤ n. The transmission time is split into time intervals and each key is tied to one of them. In each time interval one or more packets are deployed by the sender, each one containing the payload and the MAC calculated with the key bound to that interval. When a new interval starts, the key tied to the previous interval is disclosed to all receivers, so that they can authenticate all the packets previously received. Sender and receivers are loosely time synchronised on the key disclosure time to prevent malicious nodes to forge packets with modified payloads. Nodes discard packets containing MACs calculated with already disclosed keys, as those packets could come from an attacker. This key-chain mechanism together with the one-way function F , provides two major advantages: (i) it allows to calculate lost keys by simply applying F to the last received key, as many times as necessary; (ii) every node can authenticate the most recent key ki by means of the last received key kl (stored in the node memory) and the function F ; once authenticated, ki replaces kl in the node memory. The protocol works under the assumption that all nodes share an initial key k0 , before the protocol starts. In Table 6 we provide a specification of the μTESLA protocol in tcryptoCWS. Besides the deduction rules for dealing with pairs, we require a deduction rule to build MACs: v1 v2 mac mac(v1 , v2 ). Our encoding contains a few simplifications with respect to the original protocol. First of all, there is only one packet sent

216

F. Ballardin and M. Merro

per time interval, and the sender dispatches one packet and one key alternately. This yields a simpler and easier to read model. Second, our specification does not account for bootstrapping new receivers on the fly. Let us proceed with the description of our encoding. We essentially define two kinds of processes: senders, Si , and receivers, Rikl , where i is the index number of the current key, and kl is the last authenticated key. Since, we bind one packet with one key, i also refers to the index number of packets. So, a network starting the protocol can be represented as: μTESLA = m[S1 ]νm | n1 [R1k0 ]νn1 | . . . | nk [R1k0 ]νnk def

where m is the transmitter and ni are the receivers. Formally, {n1 , . . . , nk } ⊆ νm , and m ∈ νnj , for 1≤j≤k. For verification reasons we assume that the environment contains a fresh node test, unknown to the attacker, to test successful packet authentication. For simplicity, we assume that this node cannot transmit but it can only receive messages. Thus, test ∈ νm and test ∈ νnj , for 1≤j≤k. 6.1

Security Analysis

Let us prove that μTESLA enjoys timed integrity. In particular, we prove that receivers authenticate only packets that have been sent in the previous time interval (δ = 1), in the correct order, even in the presence of the intruder. The key point is that even if the intruder acquires shared keys then it is “too late” to break integrity, i.e. to authenticate packets older than δ. Let us define the timed integrity property via an abstraction of the protocol with no possible intruders: def

ˆ 1 ]test | . . . | nk [R ˆ 1 ]test α(μTESLA) = m[S1 ]test | n1 [R ˆ i def ˆi+1 R ˆ i+1 . Here, S1 is the process defined in Table 6, while R = σ.τ.!authi .σ.R Obviously, here we abstract on receivers. Let us demonstrate that α(μTESLA) enjoys timed integrity with δ = 1. Lemma 1. A

m!pi test

– If m[S1 ]test == ⇒ −−−−−−−→ − then #σ (A) = 2(i − 1). n !auth test j i A test == ⇒ −−−−−−−−−→ − , for some 1≤j≤k, then #σ (A) = 2(i − 1)+ 1. – If nj [Rˆ1 ] Proposition 6.

A

m!pi test

B

nr !authi test

If α(μTESLA) == ⇒ −−−−−−−− → == ⇒ −−−−−−−−−→ − then #σ (B)=1. It should be noticed than any formulation of timed agreement for μTESLA would actually coincide with timed integrity. Thus, Proposition 6 also demonstrates that α(μTESLA) enjoys timed agreement, with δ = 1. Now, we prove that μTESLA satisfies our timed properties. By Proposition 5, it is enough to prove the result for each component. In particular, we notice that the nodes m[S1 ]νm and nj [R1 ]νnj , for 1≤j≤k, are time-dependent stable with respect to the following sequence of knowledges:

A Calculus for the Analysis of Wireless Network Security Protocols

Φ0 = {p1 } Φ1 = Φ0 ∪ {k1 } ... Φi = Φi−1 ∪ {pj+1 } if i = 2j, Φi = Φi−1 ∪ {kj+1 } if i = 2j + 1,

217

j>0 j > 0.

Intuitively, Φi consists in Φi−1 together with the set of messages an intruder can get by eavesdropping on a run of the protocol during the time interval i. νm

Lemma 2. 1. m[S1 ] νn j

2. nj [R1 ]

m[S1 ]test

∈ tGN DC ˆ 1 ]test n [R

∈ tGN DCj

, for 1 ≤ j ≤ k.

By applying Lemma 2 and Proposition 5 we derive the following result. α(μTESLA )

Theorem 3 (μTESLA Correctness). μTESLA ∈ tGN DC

7

.

The LEAP+ Protocol

The LEAP+ protocol [15] provides a keying framework to establish authenticated communications. In [15], the authors describe four possible keying mechanisms, each of them providing a different level of security. In our paper, we focus on the single-hop pairwise shared key mechanism as it is underlying to all other keying methods. Here, a network controller loads each node with an initial key kIN and a computational efficient pseudo-random function prf(), before deployment. Then, each node n derives its master key: kn = prf(kIN , n). Let us briefly describe the protocol between an initiator node m and a responder node n. Node m tries to discover its neighbours by broadcasting a hello packet that contains its identity, m, and a freshly created nonce, ai , where i counts the number of attempts of the initiator. When n receives the hello packet from m, it computes its MAC, h = mac(kn , (ai , n)), and sends to m a packet containing h and its identity n. If node m does not get the authenticated packet from the responder in due time, it will send a new hello packet with a fresh nonce. When m receives the packet from n, it tries to authenticate it by using n’s master key and the last created nonce. If the authentication succeeds, then both nodes proceed in calculating the pairwise key kmn by using the the function prf() as follows: kmn = prf(kn , m). In Table 7 we provide a specification of LEAP+ in tcryptoCWS. Besides the standard rules for dealing with pairs, we require the following deduction rules: (mac)

v1 v2 mac(v1 , v2 )

(prf)

v1 v2 prf(v1 , v2 )

for calculating MACs and the pseudo random function prf(), respectively. Our specification considers only two nodes, to yield an easier to read model: def

LEAP+ = m[S1 ]

νm

νn

| n[R]

218

F. Ballardin and M. Merro

Table 7. LEAP+ specification Sender at node m: def

Si = [ai−1 m prf ai ] [m ai pair t] [hello t pair p] !p.σ.P def

P = ?(q).P1 Si+1 def

P1 = [q fst n]P2 ; σ.Si+1 def

Build a random nonce ai , build a pair t with m and the nonce ai , build hello packet using the pair t, broadcast the hello, synchronise and move to P. Wait for response from neighbours, extract node name n from packet q,

P2 = [q snd h]P3 ; σ.Si+1 def

extract MAC h from packet q,

P3 = [n ai pair t ] [kIN n prf kn ] [kn t mac h ] [h = h]P4 ; σ.Si+1

build a pair t with n and current nonce ai , calculate n’s master key kn , calculate MAC h with kn and t , if it matches with the received one go to P4 , otherwise steps to next time interval and restart;

P4 = [kn m prf kmn ]P5

def

calculate the pairwise key kmn ,

P5 = σ.OK SND

synchronise, and continue.

def

Receiver at node n: def

R = ?(p).R1 σ.R def

Wait for incoming hello packets,

R1 = [p fst p1 ]R2 ; σ.σ.R

extract the first component,

R2 = [p snd p2 ]R3 ; σ.σ.R

extract the second component,

R3 = [p1 = hello]R4 ; σ.σ.R

check if p is a hello packet,

R4 = [p2 fst m]R5 ; σ.σ.R

extract the sender name m,

R5 = [p2 snd a]R6 ; σ.σ.R

extract the nonce a,

R6 = [n a pair t] [kn t mac h] [n h pair q] σ.!q.R7

build a pair t with a and n, calculate MAC h on t with n’s master key kn , build packet q with node name n and MAC h, synchronise, broadcast q, and go to R7 ,

R7 = [kn m prf kmn ]R8

calculate pairwise key kmn ,

R8 = σ.OK RCV

synchronise and continue.

def def def def def

def def

where m is the initiator and n is the responder, with m ∈ νn and n ∈ νm . This does not lose any generality with respect to the multiple nodes case. Again, for verification reasons, we assume that the environment contains a fresh node test, unknown to the attacker, such that test ∈ νm . We recall that the test node cannot transmits but it can only receive messages. 7.1

Security Analysis

In LEAP+, the timed integrity property imposes that the initiator must authenticate only packets sent by the responder in the previous time interval (δ = 1). Let us slightly modify the specification of LEAP+ to represent this property. Let us define LEAP+ by replacing the process P5 with

A Calculus for the Analysis of Wireless Network Security Protocols

219

def

P5 = σ.[auth t pair q]!q.OK SND. Now, the sender process transmit a packet to signal successful authentication. Notice that authenticated messages are always sent by the responder between an hello and authentication message with the same nonce. As a consequence, time integrity imposes that hello messages and authentication messages with the same nonce must differ for at most two time intervals. In order to show timed integrity, we specify αint (LEAP+) as:  def ˆ∅ αint (LEAP+) = m[Sˆ1 ]test  n[R] def ˆ def ˆ where Sˆi = !pi .σ.τ.σ.!qi .OK SNDS i+1 , for all i, and R = σ.R, with pi = pair(hello, pair(m, ai )) and qi = pair(auth, pair(m, ai )). By construction, αint (LEAP+) satisfies timed integrity. As we did for μTESLA, we use Proposition 5 to break down the proof into ν ν smaller chunks. In particular, we notice that the nodes m[S1 ] m and n[R] n are time-dependent stable with respect to the sequence {Φi }i≥0 , defined as follows:

Φ0 = {a1 } Φ1 = Φ0 ∪ {mac(kn , pair(n, a1 ))} ... Φi = Φi−1 ∪ {aj+1 } Φi = Φi−1 ∪ {mac(kn , pair(n, aj+1 ))} νm

Lemma 3. 1. m[S1 ] 2. n[R]

νn

j>0 j > 0.

m[Sˆ1 ]test

∈ tGN DC

ˆ ∅ n[R]

∈ tGN DC

if i = 2j, if i = 2j + 1,

.

By applying Lemma 3 and Proposition 5 we derive the following result. α

Theorem 4 (LEAP+ Timed integrity). LEAP+ ∈ tGN DCint



(LEAP +)

.

Let us focus now on timed agreement. Again, let us slightly modify the specification of LEAP+ to represent timed agreement. We define LEAP+ by replacing def in LEAP+ the process R8 with R8 = σ.[end a pair r]!r.OK RCV . Now, the responder signals the end of the protocol. For simplicity, we use the following abbreviation: ri = pair(end, ai ). We also require that the node test is among the neighbours of n, i.e. test ∈ νn , so that end messages can be observed. Now, the time agreement property for LEAP+ requires that hello packets pi , sent by the initiator, and end packets ri , sent by the responder, (with the same nonce) must differ for at most two time intervals (δ = 2). Unfortunately, LEAP+ does not satisfy the timed agreement property: Theorem 5 (LEAP+’s Replay Attack). LEAP+ does not satisfy time agreement with δ = 2. Proof. LEAP+ has the following trace: !p1 test.σ.τ.σ.τ.!p2 test.σ.!q1 test.σ.!r1 test.

220

F. Ballardin and M. Merro

In this trace, the transmission of packets p1 and r1 are divided by four σ-actions. This denotes a replay attack. More precisely, if we write AT T (Φi) as an abbreviation for AT T (LEAP +, Φi ), we have the following: ν

ν

m[S1 ] m | n[R] n | AT T (Φ0 ) m[σ.P ]νm | n[R]νn | AT T (Φ0 ) ν ν m[P ] m | n[σ.R] n | AT T (Φ1 ) ν ν m[{p1/q }P1 ] m | n[σ.R] n | AT T (Φ1 ) νm νn m[S2 ] | n[R] | AT T (Φ2 ) ν

ν

!p1 test

−−−−−−→ − σ −− → τ −− → σ −− → τ −− → !p2 test

m[S2 ] m | n[σ.!q1 .R8 ] n | AT T (Φ2 ) m[σ.P ]νm | n[σ.!q1 .R8 ]νn | AT T (Φ2 )

−−−−−−→ − σ −− →

m[P ]νm | n[!q1 .R8 ]νn | AT T (Φ3 ) ν ν m[{q1/q }P1 ] m | n[R8 ] n | AT T (Φ3 )

−−−−−−→ − σ −− →

m[S3 ]

νm

νn

| n[!r1 .OK RCV ]

!q1 test

!r1 test

| AT T (Φ4 ) −−−−−−→ −

In the first time interval the initiator broadcasts the hello packet p1 which is lost by the responder and grasped by the attacker. Both nodes move to the second time interval (σ-action). In this time interval, the attacker replay the packet p1 (τ -action), which is received by the initiator m. This packet however was not what m was expecting. Thus, the network moves to the next time interval (σaction) where m goes to the next starting process S2 and n to initial receiving process R. In the third time interval, the attacker broadcasts again the packet p1 which is successfully received by node n (τ -action), while node m starts again the protocol with a new packet p2 and a fresh nonce a2 (!p2 test-action). However, packet p2 is not received by n which is busy in processing p1 . Then, the network moves to the next time interval (σ-action). In the fourth time interval n sends its reply to the packet p1 (!q1 test-action). Node m does not accept the packet q1 because it contains an old nonce. The network moves to the next time interval, in which n broadcasts its end packet r1 (!r1 test-action) and calculate the pairwise key kmn , while m keeps broadcasting new hello packets. So, agreement can not be reached.

8

Conclusions, Related and Future Work

We have proposed a time broadcasting calculus for wireless network security protocols. Our calculus comes with a well-defined operational semantics and a bisimulation-based behavioural semantics. We have adapted Gorrieri and Martinelli’s tGNDC framework to formally study the wireless network security protocols μTESLA and LEAP+. The design of our calculus has been inspired by tCryptoSPA [10], a timed cryptographic variant of Milner’s CCS. The tGNDC schema for tCryptoSPA, has already been used by Gorrieri, Martinelli and Petrocchi [10,11] to study the WMF and the μTESLA protocol. In particular, since they used tCryptoSPA, the specification of μTESLA was much more involved and the abstraction for timed integrity was less intuitive.

A Calculus for the Analysis of Wireless Network Security Protocols

221

Several process calculi for wireless systems have been proposed [2,3,4,5,6,7,8,9]. Among these, Nanz and Hankin [3] have designed a calculus for mobile ad hoc networks for specification and security analysis of communication protocols. The authors provide a decision procedure to check security against fixed intruders known in advance. It is our intention to apply our framework to study the correctness of a wide range of wireless network security protocols, as for instance, MiniSec [18], and evolutions of LEAP+, such as R-LEAP+ [19] and LEAP++ [20].

References 1. Perrig, A., Stankovic, J.A., Wagner, D.: Security in wireless sensor networks. Commununication ACM 47(6), 53–57 (2004) 2. Lanese, I., Sangiorgi, D.: An Operational Semantics for a Calculus for Wireless Systems. Theoretical Computer Science 411, 1928–1948 (2010) 3. Nanz, S., Hankin, C.: A Framework for Security Analysis of Mobile Wireless Networks. Theoretical Computer Science 367(1-2), 203–227 (2006) 4. Singh, A., Ramakrishnan, C.R., Smolka, S.A.: A process calculus for mobile ad hoc networks. In: Wang, A.H., Tennenholtz, M. (eds.) COORDINATION 2008. LNCS, vol. 5052, pp. 296–314. Springer, Heidelberg (2008) 5. Merro, M.: An Observational Theory for Mobile Ad Hoc Networks (full paper). Information and Computation 207(2), 194–208 (2009) 6. Godskesen, J.C.: A calculus for mobile ad hoc networks. In: Murphy, A.L., Ryan, M. (eds.) COORDINATION 2007. LNCS, vol. 4467, pp. 132–150. Springer, Heidelberg (2007) 7. Ghassemi, F., Fokkink, W., Movaghar, A.: Equational reasoning on ad hoc networks. In: Arbab, F., Sirjani, M. (eds.) FSEN 2009. LNCS, vol. 5961, pp. 113–128. Springer, Heidelberg (2010) 8. Merro, M., Sibilio, E.: A Timed Calculus for Wireless Systems. In: Arbab, F., Sirjani, M. (eds.) FSEN 2009. LNCS, vol. 5961, pp. 228–243. Springer, Heidelberg (2010) 9. Godskesen, J.C., Nanz, S.: Mobility models and behavioural equivalence for wireless networks. In: Field, J., Vasconcelos, V.T. (eds.) COORDINATION 2009. LNCS, vol. 5521, pp. 106–122. Springer, Heidelberg (2009) 10. Gorrieri, R., Martinelli, F.: A simple framework for real-time cryptographic protocol analysis with compositional proof rules. Sci. Comput. Program. 50(1-3), 23–49 (2004) 11. Gorrieri, R., Martinelli, F., Petrocchi, M.: Formal models and analysis of secure multicast in wired and wireless networks. J. Autom. Reasoning 41(3-4), 325–364 (2008) 12. Milner, R.: Communication and Concurrency. Prentice Hall, Englewood Cliffs (1989) 13. Hennessy, M., Regan, T.: A Process Algebra for Timed Systems. Information and Computation 117(2), 221–239 (1995) 14. Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V., Culler, D.: Spins: Security Protocols for Sensor Networks. Wireless Networks 8(5), 521–534 (2002) 15. Zhu, S., Setia, S., Jajodia, S.: Leap+: Efficient security mechanisms for large-scale distributed sensor networks. ACM Transactions on Sensor Networks 2(4), 500–528 (2006)

222

F. Ballardin and M. Merro

16. Misra, S., Woungag, I.: Guide to Wireless Ad Hoc Networks. In: Computer Communications and Networks. Springer, London (2009) 17. Focardi, R., Martinelli, F.: A uniform approach for the definition of security properties. In: Woodcock, J.C.P., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 794–813. Springer, Heidelberg (1999) 18. Luk, M., Mezzour, G., Perrig, A., Gligor, V.: Minisec: a secure sensor network communication architecture. In: IPSN, pp. 479–488 (2007) 19. Blackshear, S., Verma, R.: R-Leap+: randomizing Leap+ key distribution to resist replay and jamming attacks. In: SAC, pp. 1985–1992. ACM Press, New York (2010) 20. Lim, C.H.: Leap++: A robust key establishment scheme for wireless sensor networks. In: ICDCS, pp. 376–381. IEEE Computer Society, Los Alamitos (2008)

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus Naipeng Dong , Hugo Jonker, and Jun Pang Faculty of Sciences, Technology and Communication, University of Luxembourg, Luxembourg

Abstract. We formally study two privacy-type properties for online auction protocols: bidding-price-secrecy and receipt-freeness. These properties are formalised as observational equivalences in the applied π calculus. We analyse the receipt-free auction protocol by Abe and Suzuki. Biddingprice-secrecy of the protocol is verified using ProVerif, whereas receiptfreeness of the protocol is proved manually.

1

Introduction

Auctions are ways to negotiate the exchange of goods and commodities. In an auction, a seller offers an item for sale, buyers submit bids, and the seller sells the item to the buyer with the highest bid. Nowadays, with the widespread use of the Internet, online auctions are more and more used as a convenient way to trade. Not only is there a number of websites offering auction services (e.g. eBay, eBid, Yahoo!auctions and so on), but online auction protocols are also the subject of an active field of research [1,2,3,4,5,6]. Privacy is a fundamental property in online auction systems. For example, personal information of a bidder should not be revealed to others. In order to protect the privacy of bidders, the following basic privacy-type properties are required. Bidding-price-secrecy: A protocol preserves bidding-price-secrecy if an adversary cannot determine the bidding price of any bidder. Receipt-freeness: A protocol satisfies receipt-freeness if a bidder cannot prove how he bids to an adversary. We study the protocol AS02 proposed by Abe and Suzuki [4]. Abe and Suzuki claim that their protocol satisfies the above two requirements for non-winning bidders and provide an informal analysis. However, security protocols are notoriously difficult to design and analyse, and proofs of security protocols are known to be error-prone, thus we do not want to rely on an informal analysis. In several cases, formal verification found security flaws in protocols which were thought to be secure [7,8]. Formal verification has shown its strength in finding attacks and proving correctness of security protocols. In this paper, we 

Supported by a grant from the Fonds National de la Recherche (Luxembourg).

P. Degano, S. Etalle, and J.D. Guttman (Eds.): FAST 2010, LNCS 6561, pp. 223–238, 2011. c Springer-Verlag Berlin Heidelberg 2011 

224

N. Dong, H. Jonker, and J. Pang

formally verify whether bidding-price-secrecy and receipt-freeness hold in their protocol. We model the AS02 protocol using the applied π calculus [9]. The applied π calculus provides an intuitive way to model concurrent systems, especially security protocols. Moreover, it is supported by ProVerif [10], a verification tool which can be used to verify a number of security properties automatically. As suggested in [11], we use observational equivalence to express bidding-price-secrecy and receipt-freeness in the applied π calculus. Previously, formalisation of privacy-type properties has already been successfully executed in the domain of voting [12,11] (similar ideas were developed in a different formal framework [13]). Bidding-price-secrecy for the AS02 protocol is verified automatically using ProVerif, whereas receipt-freeness is proven manually. We show that both of the two properties hold for non-winning bidders.

2

The Applied π Calculus

To better understand the rest of the paper, we briefly introduce the applied π calculus. This includes its syntax, its semantics and the definition of observational equivalence (for more details, see [9]). The applied π calculus is a language for modelling concurrent systems, in particular security protocols. We use the applied π calculus for its two main advantages: it provides an intuitive way to describe a protocol and cryptographic primitives can be defined by users. Syntax. The calculus assumes an infinite set of names (which are used to represent communication channels or other atomic data), an infinite set of variables and a signature Σ consisting of a finite set of function symbols, which are used to model cryptographic primitives. Terms are defined as names, variables, and function symbols applied to terms. An equational theory E is defined as a set of equations on terms. The equivalence relation induced by E is denoted as =E . Systems are described as processes: plain processes and extended processes. Plain processes are defined as: P, Q, R ::= plain processes 0 null process P|Q parallel composition !P replication νn.P name restriction if M =E N then P else Q conditional in(u, x).P message input out(u, M ).P message output. Null process 0 does nothing. Parallel composition P | Q represents process P running in parallel with process Q. Replication !P behaves as an infinite number of process P running in parallel. The process νn.P binds name n in process P , which means name n is secret to adversaries. Term M =E N represents equality of M and N according to the equational theory rather than strict syntactic identity. The process in(u, x).P (input) reads a message from channel u, and

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

225

binds the message to variable x in process P . Process out(u, M ).P (output) sends message M on channel u, and then runs process P . We can also write “let x = M in P ” to represent P {M/x} (syntactic substitution). Extended processes add variable restrictions and active substitutions. By restricting names and variables, we can bind a name or a variable to certain processes. An active substitution {M/x} means a variable x can be replaced by term M in every process it comes into contact with. We say an extended process is closed if all its variables are either bounded or defined by an active substitution. The process νx.({M/x} | P ) corresponds exactly to “let x = M in P ”. Active substitutions allow us to map an extended process A to its frame ϕ(A) by replacing every plain process in A with the null process 0, which does nothing. A frame is defined as an extended process built up from 0 and active substitutions by parallel composition and restrictions. The frame ϕ(A) can be considered as an approximation of A that accounts for the static knowledge A exposes to its context, but not A’s dynamic behaviour. The domain of a frame ϕ, denoted as dom(ϕ), is the set of variables for which the frame ϕ defines a substitution. A context C[ ] is defined as an extended process with a hole. An evaluation context is a context whose hole is not in the scope of a replication, a condition, an input, or an output. A context C[ ] closes A when C[A] is closed. Semantics. Two operational semantics are used in this paper: internal reducα tions, denoted as →, and labelled reductions, denoted as − →. Internal reductions allow a process to execute without contacting its context, for example, internal sub-processes communicate with each other, or the process evaluates and executes conditional operations (if-then-else). Labelled reductions are used to reason α about processes that interact with their contexts. The transition A − → B means process A performs α action and continues as process B. Action α is either reading a term M from the process’s context, or sending a name or a variable of base type to the context. Specifically, when the output is a term M , out(u, M ).P is rewritten into νx.({M/x} | P ). Adversary model. To model security protocols, adversaries need to be taken into consideration. Following the Dolev-Yao model [14], an adversary has full control of the network. An adversary can eavesdrop, replay, block and inject messages. The adversary can be modelled as an arbitrary process running in parallel with the protocol, which can interact with the protocol in order to gain information. Observational equivalence. Observational equivalence of two processes is satisfied when an adversary cannot distinguish the two processes. Intuitively, two processes are equivalent if they output on the same channels, irrespective of the context they are placed in. Definition 1 (Observational equivalence [9]). Observational equivalence is the largest symmetric relation R between closed extended processes with the same domain such that A R B implies:

226

N. Dong, H. Jonker, and J. Pang

1. if A can send a message on channel c, then B can also send a message on channel c; 2. if A →∗ A then, for some B  , there exists B →∗ B  , and A R B  ; 3. C[A] R C[B] for all closing evaluation contexts C. In practice, observational equivalence is hard to use, because of the quantification over contexts. Therefore, labelled bisimilarity is introduced. Labelled bisimilarity is easier to reason with manually and automatically. Two notations are used in labelled bisimilarity: static equivalence (≈s ) and labelled bisimilarity (≈ ). Static equivalence compares the static states of processes (represented by their frames), while labelled bisimilarity examines their dynamic behaviour. Definition 2 (Labelled bisimilarity [9]). Labelled bisimilarity (≈ ) is defined as the largest symmetric relation R on closed extended processes, such that process A R B implies: 1. A ≈s B; 2. if A → A then B →∗ B  and A R B  for some B  ; α α 3. if A −→ A and fv(α) ⊆ dom(A) and bn(α)∩fn(B) = ∅; then B →∗ −→→∗ B     and A R B for some B . Note that labelled bisimilarity and observational equivalence coincide [9].

3

AS02 Sealed-Bid Online Auction Protocol

Sealed-bid auctions are a type of auction in which bidders submit their bids without knowing what other bidders bid. The bidder with the highest bid wins the auction and pays the price he submitted. Abe and Suzuki propose a sealed-bid auction protocol [4]. This protocol involves n bidders b1 , . . . , bn and k auctioneers a1 , . . . , ak . A price list is published before the protocol. During the protocol, each bidder sends one commit for every price in the price list: a ‘yes’-commit if he wants to bid that price, a ‘no’-commit otherwise. Auctioneers work together to open the commitments of all bidders from the highest price down until the winning bid(s) is/are found.1 In order to ensure privacy of bidders, the protocol has two physical assumptions: a bidding booth for the bidders, and one-way untappable channels from every bidder to every auctioneer. The bidding booth enables a bidder to privately submit a bid free from control or observation of an adversary. The untappable channels ensure no adversary can see messages sent. Before starting the protocol, one auctioneer publishes an increasing price list p1 , . . . , pm , a message Myes for “I bid”, a message Mno for “I do not bid”, a generator g of subgroup of Z∗p with order q, where q, p are large primes with p = 2q + 1. The protocol consists of two phases: bidding and opening. 1

The protocol does not specify how to resolve the case where there are less items than winners.

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

227

Bidding phase. A bidder in the bidding booth chooses a secret key x, and publishes his public key h = g x with a predetermined signature. Then the bidder chooses a series of random numbers r1 , . . . , rm as secret seeds, one random number for each price, and decides a price p to bid. Next, he generates a bitcommitment for each price p (1 ≤  ≤ m) as follows:  M g yes hr if p = p (a bid for price p) Commit  = g Mno hr if p = p (not a bid for price p ) Next, the bidder publishes the sequence of the bit-commitments with his signature. Then he proves to each auctioneer that he knows the secret key logg h = x and the discrete logs (logg Commit 1 , . . . , logg Commit m ) using interactive zeroknowledge proofs. Finally, he computes t-out-of-k secret shares2 ri for each secret seed r and each auctioneer ai , and then sends the signed secret share ri over the one-way untappable channel to the auctioneer ai . Opening phase. Auctioneers together iterate the following steps for each price p = pm , pm−1 , . . . , p1 until the winning bid is determined. Each auctioneer ai publishes the secret share ri (the th secret share of a bidder sent to auctioneer ai ) of each bidder. Then, the auctioneers work together to reconstruct for each bidder the bidder’s secret seed r , and check whether Commit  = g Myes hr . ?

If the above equation is not satisfied for any bidder, the auctioneers continue checking the next lower price p−1 . Conversely, if there exists at least one bidder for whom the equation is satisfied, price p is the winning bid and every bidder for whom this holds, is a winning bidder. Informal reasoning of receipt-freeness. Using M to represent either Myes or Mno , the formula for computing Commit  is as follows: Commit  = g M · hr = g M · (g x )r = g M +xr , since h = g x . Thus, log Commit  = M +xr . By using interactive zero-knowledge proofs, a bidder proves he knows his secret key x and discrete logs of Commit  . An interesting property of chameleon bit commitments is that if the bidder bids price p , log Commit  = Myes + xr he can calculate a fake r such that: log Commit  = Mno + xr

and

r = (Myes + xr − Mno )/x.

Using the fake r , the bidder can show that bit-commitment Commit  is opened as message Mno , which means the bidder did not bid price . Using the same method, a bidder can open a ‘no’ bit-commitment as a ‘yes’ bit-commitment. Thus, the commit leaks no information concerning the bid, thus the bidder cannot prove how he bid, and therefore receipt-freeness is satisfied. 2

Threshold secret sharing: t < k auctioneers suffice to reconstruct the secret.

228

4

N. Dong, H. Jonker, and J. Pang

Modelling

We model3 the AS02 protocol in the applied π calculus, with the following two simplifications. In the protocol, auctioneers cooperate to determine the winning bid. It takes at least t auctioneers to decide the winner, thus guaranteeing t-outof-k secrecy. As we focus on bidder privacy, we need to consider only one honest auctioneer. Thus, we simplified the model to have only one auctioneer, who is honest. The AS02 protocol uses interactive zero knowledge proofs to guarantee that each bidder knows his secret key and the discrete logs of bit-commitments. However, the details of these proofs are left unspecified, and thus we did not include them in the model. We simply assume that each bidder knows his secret key and discrete logs of bit-commitments. Signature and equational theory. We fix a list of bidders (b1 , . . . , bn ) and an ordered list of prices (p1 , . . . , pm ), which are modelled as functions with arity 0. We define function nextbidder to find the next bidder in the bidder list, and function nextprice to find the next lower price in the price list. Function checksign is used to check whether a message is correctly signed, and function getmsg returns the original message from a signed message. Particularly, chameleon bit commitments are modeled as a function commit with arity 3: a random number, the public key of the bidder and a message M . The relevant properties of chameleon bit commitments are captured in the following equational theory. commit(r, pk(sk b ), Myes ) = commit(f(r), pk(sk b ), Mno ) commit(r, pk(sk b ), Mno ) = commit(f(r), pk(sk b ), Myes ) open(commit(r, pk, m), r, pk) = m Constants Mno and Myes represent messages “I do not bid” and “I bid”, respectively. The parameter pk(sk b ) is the public key of bidder b, and r is the secret seed the bidder chooses. Function f(r) returns the fake secret seed of a secret seed r. We can model the function f by just giving one parameter - the real secret seed. Because we assume that each bidder knows his secret key and discrete logs of bit-commitments, he can compute the fake secret seed for each real secret seed, as explained in the previous section. The first equivalence means that if a bidder chooses a secret seed r, bids a price, and calculates the bit commitment commit(r, pk(sk b ), Myes ), he can compute a fake secret seed f(r), and by using this fake secret seed, the bit-commitment can be opened as message Mno , which means “I do not bid”. The second equivalence shows that the converse situation also holds, which enables a bidder to open a ‘no’-commitment as if he did bid that price. Main process. The main process is represented in Fig. 1. This process first generates private channels: privch bj for each bidder bj to receive secret keys, untapch bj shared between each bidder bj and the auctioneer, synch used by the auctioneer 3

The complete model in ProVerif is available from http://satoss.uni.lu/members/naipeng/publications.php.

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus P  ν privchb1 · ν privchb2 · . . . · ν privchbn · ν untapchb1 · ν untapchb2 · . . . · ν untapchbn · ν synch· (PK | (let pb = pb1 in let untapch = untapchb1 in let privch = privchb1 in let ch = ch1 in PB ) | . . . | (let pb = pbn in let untapch = untapchbn in let privch = privchbn in let ch = chn in PB ) | PA )

Fig. 1. The main process PK  ν ssk b1 · ν ssk b2 · . . . · ν ssk bn · let spkb1 = pk(ssk b1 ) in ... let spkbn = pk(ssk bn ) in (out(privchb1 , ssk b1 ) | . . . | out(privchbn , ssk bn ) | out(ch, spkb1 ) | . . . | out(ch, spkbn ))

Fig. 2. The key distribution process PB  in(privch, ssk b )· ν sk b · out(ch, sign(pk(sk b ), ssk b ))· ν r1 · . . . · ν rm · if p1 = pb then let cmt p1 = commit(r1 , pk(sk b ), Myes ) in else let cmt p1 = commit(r1 , pk(sk b ), Mno ) in ... if pm = pb then let cmt pm = commit(rm , pk(sk b ), Myes ) in else let cmt pm = commit(rm , pk(sk b ), Mno ) in out(ch, sign((cmt p1 , . . . , cmt pm ), ssk b ))· out(untapch, (r1 , . . . , rm ))

Fig. 3. The bidder process PA  let b = b1 in readinfo | . . . | let b = bn in readinfo | in(synch, vb1 ) · . . . · in(synch, vbn ) ·    n

if cmtpbm = commit(sspbm , pkb1 , Myes ) 1 1 then out(winnerch, (pm , b1 ))· if nextbidder(b1 ) = ⊥ then stop else let b = nextbidder(b1 ) in let p = pm in checknextb else if nextbidder(b1 ) = ⊥ then if nextprice(pm ) =  then stop else let b = b1 in let p = nextprice(pm ) in checknextbnp else let b = nextbidder(b1 ) in let p = pm in checknextbnp

Fig. 4. The auctioneer process

229

230

N. Dong, H. Jonker, and J. Pang

to collect all necessary information before moving to the opening phase. Note that ch is a public channel, and pb1 , . . . , pbn are price-parameters, to be instantiated with a constant from the published price list p1 , . . . , pm . Then the main process launches the key distribution sub-process, n (number of bidders) copies of bidder sub-processes and one auctioneer sub-process. Key distribution process. The key distribution process PK , presented in Fig. 2, generates a signature key ssk bj for each bidder bj , sends it to that bidder over the private channel privchbj , and publishes the corresponding public signature key. Therefore, each secret key is only known to its owner (the bidder), and everyone including the adversary knows each bidder’s public signature key. Bidder process. First, a bidder receives his secret signature key from his private channel. Next, the bidder generates his secret key sk b , and chooses a series of random numbers r1 . . . rm as secret seeds. The bidder then computes each bitcommitment cmt p as described in Sect. 3. Finally, the bidder signs and publishes his bit-commitments cmt p1 , . . . , cmt pm , and sends r1 . . . rm to the auctioneer over his untappable channel. As we assume there is only one honest auctioneer in the model, we do not need to model secret shares. The applied π calculus process for a bidder PB is shown in Fig. 3. Auctioneer process. During the bidding phase, the auctioneer launches n copies of sub-process readinfo to gather information from each bidder bj . This information consists of public signature key spkbj , signed public key sign(pk(sk bj ), ssk bj ), bit-commitments cmtpb1j , . . . , cmtpbm , and secret seeds sspb1j , . . . , sspbm . Then the j j auctioneer synchronises with all bidders, to ensure all bids have been received. During the opening phase, the auctioneer evaluates, for each bidder, whether ? cmtpbm = commit(sspbm , pkbj , Myes ). If this is so, then bidder bj has bid price pm . j j Otherwise, bidder bj did not bid that price. If there is at least one bid for this price, the auctioneer determines the set of winning bids, and stops after publishing the set of winning bidders together with the winning price over the public channel winnerch. If there is no bid for this price, the auctioneer repeats the evaluation steps for each bidder at the next lower price. In a similar way, the sub-process checknextb is used to evaluate the bid of a bidder b at price p, if there are already some winners. Similarly, the sub-process checknextbnp is used to check the next bidder at price p, if there is no winner before that bidder. We use ⊥ and to represent the end of the bidder list and price list, respectively.

5

Analysis

After modelling the protocol in the previous section, we formalise and analyse the two privacy-type properties: bidding-price-secrecy and receipt-freeness. 5.1

ProVerif

ProVerif is a tool for verifying security properties in cryptographic protocols. Given a security property as a query, ProVerif can take a protocol modelled as

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

231

a process in the applied π calculus as input, and returns whether the protocol satisfies the security property. In ProVerif, standard secrecy of a term M is defined as “an adversary cannot derive M ”. To check standard secrecy, we use the query “not attacker : M ”. A positive result means that no matter how an adversary interacts with the protocol, M will never be part of the adversary’s knowledge. Otherwise, ProVerif gives a counterexample to show how an adversary derives the term M . In ProVerif, strong secrecy is defined as: for all closed substitutions σ and σ  of free variables in a process P , the process satisfies Pσ ≈ Pσ (where ≈ denotes observational equivalence). To check strong secrecy of a variable x, we can use the query “noninterf x”. Intuitively, by instantiating x with different values, we obtain different versions of the given process. A protocol satisfies strong secrecy iff these different versions of the given process are observationally equivalent. The fundamental idea of observational equivalence checking in ProVerif is to focus on pairs of processes sharing the same structure and differing only in terms or destructors. ProVerif’s reasoning about strong secrecy is sound but incomplete. If ProVerif reports that a process does not satisfy strong secrecy, there are two possibilities: either the process indeed does not satisfy strong secrecy, or the process satisfies strong secrecy, but ProVerif cannot prove it. 5.2

Bidding-Price-Secrecy

Bidding-price-secrecy guarantees the anonymity of the link between a bidder and the price he bids. In the AS02 protocol, the winning bid is published, and thus bidding-price-secrecy for the winning bidder is not satisfied. In particular, if all bidders bid the same price, then all bidders are winners, and biddingprice-secrecy is not satisfied for any bidder in this case. From here on, when we refer to bidding-price-secrecy, we mean only w.r.t. non-winning bids. There are two notions of secrecy: standard bidding-price-secrecy and strong bidding-pricesecrecy. Standard bidding-price-secrecy. Standard bidding-price-secrecy is defined as no matter how an adversary interacts with the protocol, he cannot determine which price in the price list a non-winning bidder has bid. In order to show that an adversary cannot determine the bidding price of a non-winning bidder, we can use the standard secrecy query in ProVerif. We model one winning bidder process in which a bidder submits the highest bid, and several other bidder processes. Each of these processes has a variable pb representing the price the bidder bids. The variable pb can be instantiated by any price in the price list, except the highest price. By inquiring “not attacker : pb ”, we check whether an adversary can derive the bidding price of a non-winning bidder. ProVerif replies positively, which means that our model of the protocol satisfies the property of standard bidding-price-secrecy. Strong bidding-price-secrecy. Strong bidding-price-secrecy means an adversary cannot distinguish between the case where a bidder bids price a and the case

232

N. Dong, H. Jonker, and J. Pang

where he bids price c. We use observational equivalence in the applied π calculus to formalise strong bidding-price-secrecy. Similar formalisations have been put forth in the domain of voting. In [11], a property called vote-privacy is formalised as a process in which VA votes for a and VB votes for c is observationally equivalent to a process where VA votes for c and VB votes for a. The idea is that even if all other voters reveal how they voted, an adversary cannot deduce how VA and VB voted, given that their votes counterbalance each other. Auction protocols differ from voting protocols in that in voting protocols, the result is published, whereas normally in auction protocols, a non-winning bidder’s bidding price is not published. Therefore, we do not need a counterbalancing process to achieve privacy for non-winning bidders. Instead, we need a higher-bidding process, which will ensure the auctioneer stops opening (and thus revealing) lower bids. With that in mind, strong bid-pricesecrecy is formalised as follows: Definition 3 (Strong bidding-price-secrecy). An auction protocol P , with a bidder sub-process represented as PB , is strong bidding-price-secret if for all possible bidders b1 and b2 we have: S[PB1 {a/pb } | PB2 {d/pb }] ≈ S[PB1 {c/pb } | PB2 {d/pb }] with a < d and c < d. The context S is used to capture the assumption made on the checked protocol, usually it includes the other honest participants in the protocol. The process PB1 is a non-winning bidder process executed by bidder b1 . The process PB2 is a bidder process in which the bidder b2 bids price d. The intuition is that an adversary cannot determine whether a non-winning bidder bids price a or c, provided there exists another bidder who bids a higher price. We define the context S as ν r˜ · (PK | PB σ1 | . . . | PB σn−2 | PA | ) for the AS02 protocol, where r˜ are channel names, PK is the key distribution process, PB σi are the other honest bidder processes (1 ≤ i ≤ n − 2), and PA is the auctioneer process. The context is as the auction process with a hole instead of two bidder processes. We assume all the participants in the context are honest. In order to make it possible to check strong bidding-price-secrecy in ProVerif, we need to modify the presented auctioneer process. Note that ProVerif is sensitive to evaluations of if-then-else constructs, reporting false attacks when using these constructions [15]. We simplify the process by halting it after checking price d, i.e. if-then-else constructs beyond the checking of price d are cut off. Since we assume there is a process bidding a high price d in the equivalence in the definition of strong bidding-price-secrecy, the auctioneer process will stop after checking price d (or even sooner), and the remaining part of the process will not be executed. Therefore, we may cut the remaining part of the auctioneer process without affecting the verification result. To be able to check noninterf in ProVerif, we modify the bidder process by replacing if-then-else

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

233

constructions with choice[ ] constructions (see [15] for more explanation). By querying “noninterf pb among p1 , . . . , pd−1 ”, the variable pb is replaced with p1 up to pd−1 , resulting into d − 1 different versions of the process. ProVerif gives a positive result, which means that these process versions are all observationally equivalent. In this way, we prove that the protocol satisfies strong bidding-pricesecrecy. 5.3

Receipt-Freeness

Receipt-freeness means a bidder cannot prove to an adversary that he has bid in a certain way. It is useful to protect bidders from being coerced to show how they bid. Intuitively, bidding-price-secrecy protects a bidder’s privacy when the bidder does not want to reveal his private information, while receipt-freeness protects a bidder’s privacy when the bidder is willing (or coerced) to reveal this. In voting, receipt-freeness can be formalised as an observational equivalence [11]. A voting protocol satisfies receipt-freeness if the adversary cannot distinguish (observational equivalence) whether a voter genuinely did his bidding or that voter claimed to do so, but voted for another candidate. In order to model observational equivalence, the situation that a voter provides his secret information to the adversary is modelled first: Definition 4 (Process P ch [11]). Let P be a plain process and ch a channel name. P ch , the process that shares all of P ’s secrets, is defined as: – – – – – – – – –

0ch =0, ˆ (P |Q)ch =P ˆ ch |Qch , ch ˆ n).P ch when n is a name of base type, (νn.P ) =νn.out(ch, ch ch (νn.P ) =νn.P ˆ otherwise, (in(u, x).P )ch =in(u, ˆ x).out(ch, x).P ch when x is a variable of base type, ch (in(u, x).P ) =in(u, ˆ x).P ch otherwise, ch (out(u, M ).P ) =out(u, ˆ M ).P ch , ch ch (!P ) =!P ˆ , (if M =E N then P else Q)ch =if ˆ M =E N then P ch else Qch .

Delaune et al. also define process transformation A\out(ch,·) , which can be considered as a version of process A that hides all outputs on public channel ch. Definition 5 (Process A\out(ch,·) [11]). Let A be an extended process. We define the process A\out(ch,·) as νch.(A|!in(ch, x)). When modelling online auction protocols, we also need to model the situation in which a bidder shares his secret information with the adversary. We use the above definition directly in our model. Intuitively, a bidder who shares information with the adversary sends all input of base type and all freshly generated names of base type to the adversary over a public channel chc. It is assumed that public channels are under the adversary’s control.

234

N. Dong, H. Jonker, and J. Pang

Now we define receipt-freeness for online auction protocols. Again, we need a bidder process PB2 in which bidder b2 bids a higher price d, so that non-winning bids are not revealed. Intuitively, if a non-winning bid has a strategy to cheat the adversary, and the adversary cannot tell whether the bidder cheats or not, then the protocol is receipt-free. Definition 6 (Receipt-freeness). An auction protocol P , with a bidder subprocess PB , is receipt-free if there exists a closed plain process PB  such that: 1. PB \out(chc,·) ≈ PB1 {c/pb }, 2. S[PB1 {a/pb }chc | PB2 {d/pb }] ≈ S[PB  | PB2 {d/pb }] with a < d and c < d. Process PB  is a bidder process in which bidder b1 bids price c but communicates with the adversary to claim he bids price a. Process PB1 {c/pb } is a bidder process in which bidder b1 bids price c. Process PB1 {a/pb }chc is a bidder process in which bidder b1 bids price a and shares his secret with the adversary. Process PB2 is a bidder process in which bidder b2 bids a higher price d. The first equivalence says that ignoring the outputs bidder b1 makes on the adversary channel chc, PB  looks like a normal process in which b1 bids price c. The second equivalence says that the adversary cannot tell the difference between the situation in which b1 obeys the adversary’s commands and bids price a, and the situation in which b1 pretends to cooperate but actually bids price c, provided there is a bidding process PB2 that bids higher, ensuring that bidding processes PB1 and PB  are not winners. Receipt-freeness is a stronger property than bidding-price-secrecy, as shown in [11]. PB   in(privch, ssk b ) · out(chc, ssk b )· ν sk b · out(chc, sk b )· out(ch, sign(pk(sk b ), ssk b ))· ν r1 · . . . · ν ra · . . . · ν rc · . . . · ν rm · out(chc, (r1 , . . . , f(ra ), . . . , f(rc ), . . . , rm ))· let cmt p1 = commit(r1 , pk(sk b ), Mno ) in ... let cmt pa = commit(ra , pk(sk b ), Mno ) in ... let cmt pc = commit(rc , pk(sk b ), Myes ) in ... let cmt pm = commit(rm , pk(sk b ), Mno ) in out(ch, sign((cmt p1 , . . . , cmt pm ), ssk b ))· out(untapch, (r1 , . . . , ra , . . . , rc , . . . , rm ))

Fig. 5. The process PB 

For the AS02 protocol, the context S is defined the same as in the analysis of the bidding-price-secrecy property. To prove receipt-freeness, we need to find a process PB  which satisfies both equivalences in the definition of receipt-freeness.

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

235

According to the properties of chameleon bit commitment, the bidder can send a sequence of fake secret seeds to the adversary, and sends the series of real secret seeds to the auctioneer over an untappable channel. The adversary opens the bitcommitments as the bidder bids price a, using the fake secret seeds he received, while the auctioneer opens the same bit-commitments as the bidder bids price c, using the secret seeds the auctioneer received over an untappable channel. The process PB  is shown in Fig. 5. The bidder in this process communicates with the adversary over channel chc, sending the adversary his secret signature key ssk b and his secret key sk b . Later the bidder sends the auctioneer r1 , . . . , rm over an untappable channel, and sends the adversary the same list except changing ra and rc to f(ra ) and f(rc ), respectively. The untappable channel ensures the adversary cannot learn anything about the differences. To prove the first equivalence, we can simply consider PB \out(chc,·) as process PB  without communication on the channel chc. Since the process PB \out(chc,·) is exactly the same as the process PB1 {c/pb }, the first equivalence of Def. 6 is satisfied. To show the second equivalence of Def. 6, we need to consider all the executions of each side. On both sides, the process PK only distributes keys, and all the bidder processes in the context follow the same process. For the sake of simplicity, we ignore the outputs of the process PK and those bidder processes. During the bidding phase the auctioneer process only reads information and synchronises on the private channel synch. There is no output on public channels in the auctioneer process. We denote the sequence of names sk b , r1 , . . . , rm , bsk b , br1 , . . . , brm by n ˜ . After the key distribution, we want to see whether the behaviour of the process PB1 {a/pb }chc | PB2 {d/pb } is observationally equivalent to PB  | PB2 {d/pb }. For this purpose, we need to consider all possible executions of these two processes. Here, we consider a particular execution and only show the interesting part of the two frames after each step of execution by the two processes. Let P = PB1 {a/pb }chc | PB2 {d/pb } and Q = PB  | PB2 {d/pb }. in(privch,ssk b )

in(privchb,bsskb ) ν x1 · out(chc,x1 )

P −−−−−−−−−−→ −−−−−−−−−−−→−−−−−−−−−−−→ P1 | {ssk b/x1 } ν x2 · out(chc,x2 )

−−−−−−−−−−−→ ν n ˜ · (P2 | {ssk b/x1 } | {sk b/x2 }) ν x3 · out(ch,x3 )

−−−−−−−−−−→ ν x4 · out(chc,x4 )

−−−−−−−−−−−→ ν n ˜ · (P3 | {ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } | {sign(pk(bsk b ),bsskb )/x4 }) ν x5 · out(chc,x5 )

−−−−−−−−−−−→ ν n ˜ · (P4 | {ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } | {sign(pk(bsk b ),bsskb )/x4 } | {r1 ,...,rm/x5 }) ν x6 · out(ch,x6 )

−−−−−−−−−−→ ν x7 · out(chc,x7 )

−−−−−−−−−−−→ ν n ˜ · (P5 | | | |

{ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } {sign(pk(bsk b ),bsskb )/x4 } p p {r1 ,...,rm/x5 } | {sign((cmt 1 ,...,cmt m ),ssk b )/x6 } p1 pm {sign((bcmt ,...,bcmt ),bsskb )/x7 })

236

N. Dong, H. Jonker, and J. Pang

in(privch,ssk b )

in(privchb,bsskb ) ν x1 · out(chc,x1 )

Q −−−−−−−−−−→ −−−−−−−−−−−→−−−−−−−−−−−→ Q1 | {ssk b/x1 } ν x2 · out(chc,x2 )

−−−−−−−−−−−→ ν n ˜ · (Q2 | {ssk b/x1 } | {sk b/x2 }) ν x3 · out(ch,x3 )

−−−−−−−−−−→ ν x4 · out(ch,x4 )

−−−−−−−−−−→ ν n ˜ · (Q3 | {ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } | {sign(pk(bsk b ),bsskb )/x4 }) ν x5 · out(chc,x5 )

−−−−−−−−−−−→ ν n ˜ · (Q4 | {ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } | {sign(pk(bsk b ),bsskb )/x4 } | {r1 ,...,f(ra ),...,f(rc ),...,rm/x5 }) ν x6 · out(ch,x6 )

−−−−−−−−−−→ ν x7 · out(ch,x7 )

−−−−−−−−−−→ ν n ˜ · (Q5 | | | | |

{ssk b/x1 } | {sk b/x2 } | {sign(pk(sk b ),ssk b )/x3 } {sign(pk(bsk b ),bsskb )/x4 } {r1 ,...,f(ra ),...,f(rc ),...,rm/x5 } p p {sign((cmt 1 ,...,cmt m ),ssk b )/x6 } p1 p {sign((bcmt ,...,bcmt m ),bsskb )/x7 })

The frames we obtained at the end of P and Q are statically equivalent. In particular, as the adversary knows the bit-commitments the bidder submits, the public key of the bidder, and the secret seeds, the adversary can open all the commitments. The only functions an adversary can use are getmsg and open. By applying these two functions, the adversary can get other terms, the public key of the bidder represented as xmsg = getmsg(x3 , x1 ) and a series of opened messages. Since x3 and x1 are the same for both P and Q, xmsg is the same for both processes as well. Particularly, PB1 {a/pb } bids price a. The adversary opens the commitments cmt pa = commit(ra , pk(sk b ), Myes ) and cmt pc = commit(rc , pk(sk b ), Mno ): open(cmt pa , ra , pk(sk b )) = Myes

open(cmt pc , rc , pk(sk b )) = Mno

For the process Q, the process PB  bids price c. The adversary has a sequence of secret seeds, in which two of them are fake: f(ra ) and f(rc ). According to the equational theory of chameleon bit-commitments (see Sect. 4), the adversary opens cmt pa = commit(ra , pk(sk b ), Mno ) = commit(f(ra ), pk(sk b ), Myes ) and cmt pc = commit(rc , pk(sk b ), Myes ) = commit(f(rc ), pk(sk b ), Mno ) as follows: open(cmt pa , f(ra ), pk(sk b )) = Myes

open(cmt pc , f(rc ), pk(sk b )) = Mno

All other secret seeds and bit-commitments are the same in both P and Q, hence the adversary gets the same series of opened messages for both P and Q as well. Next, we consider the opening phase, in which the auctioneer process is the only active process. According to the protocol, the auctioneer stops after finding the winning bid. Therefore, non-winning bids are not revealed. Since we have assumed the auctioneer is honest, the information the auctioneer process reveals is the opened bit-commitments of all bidders at prices higher than the winning price, and the winning bid. Only the winning bid is opened as Myes , others are opened as Mno . Due to the existence of a higher bid (d in the process PB2 {d/pb })

Analysis of a Receipt-Free Auction Protocol in the Applied Pi Calculus

237

on both sides of the equivalence, the bid made by the bidder b1 will never be published, hence the information the auctioneer process reveals is the same. Thus, we conclude that the protocol satisfies receipt-freeness.

6

Conclusion

The main contribution of this paper is that we propose a formalisation of two privacy-type properties in auction protocols: bidding-price-secrecy and receiptfreeness, following definitions of vote privacy and receipt-freeness in voting [11]. There are two notions of bidding-price-secrecy: standard bidding-price-secrecy and strong bidding-price-secrecy. Standard bidding-price-secrecy is defined as that an adversary does not know a non-winning bidder’s bidding price. Strong bidding-price-secrecy and receipt-freeness are modelled using observational equivalence. We have modelled the AS02 protocol in the applied π calculus, verified bidding-price-secrecy of the protocol automatically using ProVerif and receiptfreeness of the protocol manually. Coercion-resistance in voting is a stronger privacy property than receiptfreeness [11], saying that a voter cannot cooperate with a coercer to prove to him that he voted in a certain way. It is modelled by giving the coercer the ability to communicate with the coercee and the ability to prepare information for the coercee to use [11]. In more details, coercion-resistance is formalised in the applied π calculus by requiring the existence of a process in which a voter can do as he wants, despite the presence of the coercer, and the coercer cannot tell whether the voter is cheating. According to this definition, it seems to us that the AS02 protocol is also coercion-resistant. The information a coercer can generate in the bidder process is: the bidder’s secret key sk b , the random number r1 , . . . , ra , . . . , rc , . . . rm , the bit-commitments cmt p1 , . . . , cmt pm . Since the zero-knowledge proof ensures the bidder knows his own secret key, as well as the discrete logs of bit-commitments, a bidder can figure out which price the coercer wants him to bid, and then calculate the fake secret seeds f(ra ) and f(rc ) to change the price the coercer calculated, and sends secret seeds r1 , . . . , ra−1 , f(ra ), ra+1 , . . . , rc−1 , f(rc ), rc+1 , . . . , rm to the auctioneer. Coercion-resistance is a complicated property to formalise. Several different formalisations have been given [16,17,18], in addition to Delaune, Kremer and Ryan’s work. In the future, we intend to study coercion-resistance in online auction protocols. The AS02 protocol reveals the winning bid. Bidding-price-secrecy and receiptfreeness only hold for non-winners. In [6], Chen et al. propose another auction protocol which can ensure the winner’s privacy as well. We are also interested in formally verifying this protocol. Acknowledgements. We thank Zhengqin Luo and Ben Smyth for helpful discussions and the anonymous referees for their valuable comments on a preliminary version of the paper.

238

N. Dong, H. Jonker, and J. Pang

References 1. Harkavy, M., Tygar, J.D., Kikuchi, H.: Electronic auctions with private bids. In: Proc. 3rd USENIX Workshop on Electronic Commerce, pp. 61–74 (1998) 2. Cachin, C.: Efficient private bidding and auctions with an oblivious third party. In: Proc. CCS 1999, pp. 120–127. ACM Press, New York (1999) 3. Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: Proc. ACM-EC 1999, pp. 129–139. ACM Press, New York (1999) 4. Abe, M., Suzuki, K.: Receipt-free sealed-bid auction. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 191–199. Springer, Heidelberg (2002) 5. Lipmaa, H., Asokan, N., Niemi, V.: Secure vickrey auctions without threshold trust. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 87–101. Springer, Heidelberg (2003) 6. Chen, X., Lee, B., Kim, K.: Receipt-free electronic auction schemes using homomorphic encryption. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 259–273. Springer, Heidelberg (2004) 7. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147– 166. Springer, Heidelberg (1996) 8. Chadha, R., Kremer, S., Scedrov, A.: Formal analysis of multi-party contract signing. In: Proc. CSFW 2004, pp. 266–279. IEEE CS, Los Alamitos (2004) 9. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Proc. POPL 2001, pp. 104–115. ACM, New York (2001) 10. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proc. CSFW 2001, pp. 82–96. IEEE CS, Los Alamitos (2001) 11. Delaune, S., Kremer, S., Ryan, M.D.: Verifying privacy-type properties of electronic voting protocols. J. Computer Security 17(4), 435–487 (2009) 12. Kremer, S., Ryan, M.D.: Analysis of an electronic voting protocol in the applied pi calculus. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 186–200. Springer, Heidelberg (2005) 13. Jonker, H.L., Mauw, S., Pang, J.: A formal framework for quantifying votercontrolled privacy. J. Algorithms 64(2-3), 89–105 (2009) 14. Dolev, D., Yao, A.C.C.: On the security of public key protocols. IEEE Trans. Information Theory 29(2), 198–207 (1983) 15. Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. J. Log. Algebr. Program. 75(1), 3–51 (2008) 16. Backes, M., Hrit¸cu, C., Maffei, M.: Automated verification of remote electronic voting protocols in the applied pi-calculus. In: Proc. CSF 2008, pp. 195–209. IEEE CS, Los Alamitos (2008) 17. K¨ usters, R., Truderung, T.: An epistemic approach to coercion-resistance for electronic voting protocols. In: Proc. S&P 2009, pp. 251–266. IEEE CS, Los Alamitos (2009) 18. K¨ usters, R., Truderung, T., Vogt, A.: A game-based definition of coercionresistance and its applications. In: Proc. CSF 2010, pp. 122–136. IEEE CS, Los Alamitos (2010)

Author Index

Ballardin, Francesco Ban Kirigin, Tajana Basin, David 34

206 18

Caleiro, Carlos 34 Conchinha, Bruno 34 Crampton, Jason 191 Delaune, St´ephanie 111 de Weger, Benne 126 Dong, Naipeng 223 Fr¨ oschle, Sibylle

96

Hurlin, Cl´ement

157

Jonker, Hugo

223

Kamil, Allaa 50 Kanovich, Max 18 Khoury, Raphael 176 Kirchner, H´el`ene 157 Kordy, Barbara 80 Kremer, Steve 111 Lowe, Gavin

50

Mauw, Sjouke 80 Merro, Massimo 206 Muller, Tim 141 Nigam, Vivek

18

Pang, Jun 223 Pavlovic, Dusko

1

Radomirovi´c, Saˇsa 80 Ryan, Mark D. 111 Scedrov, Andre 18 Schweitzer, Patrick 80 Sinz, Carsten 65 Snelting, Gregor 65 Sommer, Nils 96 Steel, Graham 111 Taghdiri, Mana 65 Tawbi, Nadia 176 Veeningen, Meilof Zannone, Nicola

126 126