Using Interval Logics for Temporal Analysis of Security Protocols
Michael R. Hansen and Robin Sharp
{mrh,robin}@imm.dtu.dk.
Safe & Secure Systems Group
Informatics and Mathematical Modelling
Technical University of Denmark
DK-2800 Kgs. Lyngby, Denmark.
FMSE’03, Washington, D.C., October 2003. – p.1/17
The Problem
How do we formalise temporal properties of systems, with
particular focus on Availability?
Basic assumptions:
Clients C1, C2, . . . exchange messages with Server S
[Diagram: clients C1, C2, . . . , Cn each exchanging messages with server S: Ci → S : M and S → Ci : M′]
Good clients i ∈ γ request δi of the server’s time.
Bad clients j ∈ β (“intruders”) waste the server’s time.
Approach
Interval logics with durations are well-suited for reasoning
about temporal properties of systems with:
Concurrent activities
Shared resources
Arbitrary scheduling disciplines
Extend such analysis to deal with systems which:
Construct and send messages via a network
Check received messages in accordance with a given protocol
in the presence of hostile intruders.
Overview
Duration Calculus
Modelling availability
Estimating availability
Obtaining a more operational model
Concluding remarks
Duration Calculus
[Zhou,Hoare,Ravn 91]
Time: $\mathit{Time} \;\widehat{=}\; \mathbb{R}$
State variables: $P : \mathit{Time} \to \{0, 1\}$, with finite variability.
System in state P at time t if P(t) = 1.
State expressions: $S ::= 0 \mid 1 \mid P \mid \neg S \mid S_1 \vee S_2 \mid \ldots$
Intervals: $\mathit{Intv} : \{[b, e] \mid b, e \in \mathit{Time} \wedge b \le e\}$
Durations: $\int S : \mathit{Intv} \to \mathbb{R}$, defined on $[b, e]$ by $\int_b^e S(t)\,dt$
Length: $\ell \;\widehat{=}\; \int 1$
Terms: $\Theta ::= \int S \mid \ell \mid \mathit{Const} \mid \mathit{Var} \mid f(\Theta^*)$
Formulas: $\Phi ::= \Theta \mid \neg\Theta \mid \Theta_1 \wedge \Theta_2 \mid \Theta_1 \vee \Theta_2 \mid \ldots$
Modalities in DC
Originally based on ITL (with single chop modality).
Now relies on Neighbourhood Logic with two modalities:
Left neighbourhood: $\Diamond_l$, such that:
$\Diamond_l \varphi$ holds on $[b, e] \Leftrightarrow (\exists \xi \ge 0 \cdot \varphi \text{ holds on } [b - \xi, b])$
[Diagram: timeline with points a, b, e; φ holds on [a, b] and ♦l φ holds on [b, e]]
Right neighbourhood: $\Diamond_r$, such that:
$\Diamond_r \varphi$ holds on $[b, e] \Leftrightarrow (\exists \xi \ge 0 \cdot \varphi \text{ holds on } [e, e + \xi])$
Gives an adequate interval logic in which all other interval
modalities can be expressed (♦, , l , r ,. . . ).
DC Examples
(Useful shorthand: $\lceil S \rceil \;\widehat{=}\; \int S = \ell \wedge \ell > 0$)
Kerberos state variables:
p has ticket: $T_p : \mathit{Time} \to \{0, 1\}$
p using resource: $R_p : \mathit{Time} \to \{0, 1\}$
Ticket validity: $\lceil T_p \rceil \Rightarrow \ell \le$ (the bound is not legible in the extracted slide)
Process may make repeated requests:
$r\Diamond_r(\mathit{true} \frown \lceil \neg R_p \rceil \frown \lceil R_p \rceil)$
Process has resource but does not use it:
$\lceil T_p \wedge \neg R_p \rceil \wedge \Diamond_l \lceil \neg T_p \rceil \wedge \Diamond_r \lceil \neg T_p \rceil$
A succinct notation for expressing real-time properties.
Availability
Clients C1, C2, . . . exchange messages with Server S
[Diagram: clients C1, C2, . . . , Cn each exchanging messages with server S: Ci → S : M and S → Ci : M′]
Good clients i ∈ γ request δi of the server’s time.
Bad clients j ∈ β (“intruders”) waste the server’s time.
How to formalize requirements about the availability?
E.g., Available for good clients a fraction x of the time.
Under which assumptions are these requirements to be met?
Require some model of strengths of bad clients.
Strengths of Intruders
Assume bad processes partitioned into disjoint subsets:
$\beta = \beta_1 \cup \beta_2 \cup \ldots \cup \beta_n$
Server needs time $C_{\beta_q}$ to reject requests from processes in $\beta_q$.
For simplicity, assume $C_{\beta_1} < C_{\beta_2} < \cdots < C_{\beta_n} < C_\gamma$, i.e. subsets are
ranked according to strength.
Assume Gong & Syverson’s fail-stop model, so intruders have no
further bad effects once they have been rejected.
Assume processes in $\beta_q$ can waste fraction $\le x_q$ of server’s time:
$\ell \ge T \Rightarrow (\sum_{i \in \beta_q} \int \mathit{Run}_i) \le x_q \cdot \ell$
But bad processes do not take all server’s time:
$\sum_{q=1}^{n} x_q < 1$
Multi-threaded Server
Analysed previously by: Hansen,Zhou,Ravn,Rischel 92; Yuhua,Zhou 94; Chan,Dang 95
State variables:
$\mathit{Rdy}_i : \mathit{Time} \to \{0, 1\}$
$\mathit{Run}_i : \mathit{Time} \to \{0, 1\}$
Only ready processes are running: $\lceil \mathit{Run}_i \rceil \Rightarrow \lceil \mathit{Rdy}_i \rceil$
At most one process is running: $\lceil \mathit{Run}_i \rceil \Rightarrow \bigwedge_{i \ne j} \lceil \neg \mathit{Run}_j \rceil$
Round-Robin Scheduling with time slice $\tau_s$:
$(\Diamond_l \lceil \neg \mathit{Run}_i \rceil \wedge \lceil \mathit{Run}_i \rceil \wedge \Diamond_r \lceil \neg \mathit{Run}_i \wedge \mathit{Rdy}_i \rceil) \Rightarrow \ell = \tau_s$
Modelling Availability
Normal service for trusted clients a fraction x of the time:
$(\ell > T \Rightarrow (\sum_{i \notin \gamma} \int \mathit{Run}_i) \le (1 - x) \cdot \ell)$
Request for $c_i$ CPU time completed within $p \cdot c_i$:
$\forall i \in \gamma \cdot \Diamond_r(\ell \le p \cdot c_i \Rightarrow \int \mathit{Run}_i = c_i)$
Assumptions as before about strengths of bad clients:
$(\ell \ge T \Rightarrow (\sum_{i \in \beta_q} \int \mathit{Run}_i) \le x_q \cdot \ell)$
Is availability then guaranteed under the assumptions?
$(\mathit{Scheduler} \wedge \mathit{Ass}_\gamma \wedge \mathit{Ass}_\beta \wedge R(\bar{x})) \Rightarrow \mathit{Availability}$
Estimating Availability
Suppose f out of k good processes finish their tasks during a
certain interval, T. How big is f?
For scheduler with zero overhead, assuming processes in $\beta_q$ do not
use more than $x_q$ of server’s time:
$$T = \ell = \sum_{q=1}^{n} \sum_{i \in \beta_q} \int \mathit{Run}_i + \sum_{i \in \gamma} \int \mathit{Run}_i \le \sum_{q=1}^{n} x_q \cdot T + \sum_{i \in \gamma} \int \mathit{Run}_i$$
Lower bound for running time of good processes is given by:
$$\sum_{i \in \gamma} \int \mathit{Run}_i \ge T \cdot \Bigl(1 - \sum_{q=1}^{n} x_q\Bigr)$$
Estimating Availability (2)
Assume for example RR scheduling with time slice $\tau_s$.
Upper bound for running time of good processes is given by:
$$\sum_{i \in \gamma} \int \mathit{Run}_i \le (f + 1) \cdot C_\gamma + (k - f - 1)(C_\gamma - \tau_s)$$
Thus estimate of f is:
$$f \ge \frac{T}{\tau_s}\Bigl(1 - \sum_{q=1}^{n} x_q\Bigr) - 1 - k \cdot \frac{C_\gamma - \tau_s}{\tau_s}$$
Note that the approach gives a symbolic estimate of f.
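To see how the symbolic estimate behaves on concrete parameters, here is an added example (not from the slides) that evaluates the bound for f and checks it against a simulated zero-overhead round-robin schedule with fail-stop intruders. All parameter values are constructed, and x1 is taken to be the fraction of T the simulated intruders actually consumed.

```python
# Added example, not from the slides: the slide's estimate of f beside a
# simulated zero-overhead round-robin schedule. Parameter values are constructed.
from fractions import Fraction


def f_lower_bound(T, tau_s, k, C_gamma, xs):
    """Slide estimate: f >= (T/tau_s)(1 - sum xq) - 1 - k(C_gamma - tau_s)/tau_s."""
    return (Fraction(T, tau_s) * (1 - sum(xs))
            - 1 - Fraction(k * (C_gamma - tau_s), tau_s))


def simulate_rr(T, tau_s, good_demands, bad_demands):
    """Round-robin with time slice tau_s over [0, T], zero scheduling overhead.

    Each bad process is fail-stop: it costs the server its rejection time and
    is then gone. Returns (finished good processes, time used by bad ones).
    """
    queue = [(True, d) for d in good_demands] + [(False, d) for d in bad_demands]
    t, finished, bad_time = 0, 0, 0
    while queue and t < T:
        is_good, remaining = queue.pop(0)
        run = min(tau_s, remaining, T - t)
        t += run
        remaining -= run
        if not is_good:
            bad_time += run
        if remaining > 0:
            queue.append((is_good, remaining))
        elif is_good:
            finished += 1
    return finished, bad_time


def check_estimate(T, tau_s, k, C_gamma, bad_demands):
    """Compare the estimate with the schedule; x1 is the bad fraction actually used.

    The estimate assumes the server is never idle during [0, T], so the caller
    must supply enough demand (k * C_gamma + sum(bad_demands) >= T) and a
    C_gamma that is a multiple of tau_s, as the slide's upper bound presumes.
    """
    f, bad_time = simulate_rr(T, tau_s, [C_gamma] * k, bad_demands)
    bound = f_lower_bound(T, tau_s, k, C_gamma, [Fraction(bad_time, T)])
    return f, bound, f >= bound


if __name__ == "__main__":
    # 10 good clients each needing C_gamma = 4, two intruders rejected after 2 units
    print(check_estimate(T=30, tau_s=2, k=10, C_gamma=4, bad_demands=[2, 2]))
```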
A more Operational Model
We can incorporate a more detailed, operational model of the
server’s way of handling requests.
Example: Meadows’ verification actions with costs.
Client/server protocol consists of a sequence of steps following
extended Alice/Bob schemata:
$A \to B : T_{1i}, \ldots, T_{mi} \;\|\; M_i \;\|\; O_{1i}, \ldots, O_{ki}$
Preparation actions $T_{1i}, \ldots, T_{mi}$ in step i cost $\Delta_i$ in total.
Verification action $O_{ji}$ in step i has rank $r_{ji}$ and costs $\delta_{ji}$ to execute.
A bad client of strength s will oblige server to execute actions
until the first verification action with rank $r_{ji} > s$.
Good (or very bad) clients cause server to execute all
verification actions in all steps.
Adding more Details (2)
Easy to find formulas for computation times required on server
when ranks and computation times of individual verification actions
are known. With a client of strength s and an l-step protocol:
$$C = \sum_{i \in F(s)} \bigl(\text{if } \mathit{odd}(i) \text{ then } R_i \text{ else } \Delta_i\bigr)$$
where $R_i = \sum_{j \in W(i, s)} \delta_{ji}$
and
$W(i, s) = \{ j \in [1 \ldots k_i] \mid j \le w(i, s) \}$
$w(i, s) = \text{if } S(i, s) = \emptyset \text{ then } 0 \text{ else } \max(S(i, s))$
$S(i, s) = \{ j \in [1 \ldots k_i] \mid \forall m \le j \cdot s \ge r_{mi} \}$
And where
$F(s) = \{ i \in [1 \ldots l] \mid i \le a(s) + 1 \}$
$a(s) = \text{if } U(s) = \emptyset \text{ then } 0 \text{ else } \max(U(s))$
$U(s) = \{ i \in [1 \ldots l] \mid \forall m \le i \cdot w(m, s) = k_m \}$
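An added example (not part of the slides) that implements the definitions of W, w, S, F, a and U above for a constructed 3-step protocol, with server-side verification actions only on the odd (client-to-server) steps. Read literally, W(i, s) stops at w(i, s), so the cost of the verification action that actually rejects the client is not counted; the code follows the slide in that respect.

```python
# Added example, not from the slides: server cost C for a client of strength
# s, following the slide's definitions of W, w, S, F, a and U literally.
# PROTOCOL is a constructed 3-step exchange; each step is
# (Delta_i, [(rank, cost), ...]) with the server-side verification actions in
# order. Even steps are server-to-client, so they carry no server-side checks.
PROTOCOL = [
    (0, [(1, 1), (2, 3), (3, 20)]),   # step 1: C -> S; format, cookie, signature
    (5, []),                          # step 2: S -> C; server prepares reply
    (0, [(3, 20)]),                   # step 3: C -> S; signature on the response
]


def w(ranks, s):
    """w(i, s): length of the longest prefix whose ranks are all <= s (0 if none)."""
    n = 0
    for r in ranks:
        if r > s:
            break
        n += 1
    return n


def server_cost(steps, s):
    """C for strength s: sum over F(s) of R_i on odd steps and Delta_i on even."""
    l = len(steps)
    ws = [w([r for r, _ in acts], s) for _, acts in steps]
    ks = [len(acts) for _, acts in steps]
    # U(s): steps i such that every step m <= i was passed completely
    U = [i for i in range(1, l + 1)
         if all(ws[m - 1] == ks[m - 1] for m in range(1, i + 1))]
    a = max(U) if U else 0
    F = [i for i in range(1, l + 1) if i <= a + 1]   # passed steps plus the rejecting one
    C = 0
    for i in F:
        delta, acts = steps[i - 1]
        if i % 2 == 1:
            C += sum(cost for _, cost in acts[:ws[i - 1]])   # R_i over W(i, s)
        else:
            C += delta
    return C


def costs_by_strength(steps, strengths):
    """Server cost per strength; a strength above every rank behaves as a good client."""
    return {s: server_cost(steps, s) for s in strengths}


if __name__ == "__main__":
    print(costs_by_strength(PROTOCOL, [0, 1, 2, 3]))   # {0: 0, 1: 1, 2: 4, 3: 49}
```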
Remarks
Interval Logic offers a simple framework for expressing
availability requirements in a succinct manner.
General framework offers ways to express assumptions about:
Good processes
Bad processes
Scheduling
Results can be expressed symbolically – not just for particular
values of system parameters.
Mechanical assistance available for proofs: NL and DC
encoded within Isabelle/HOL.
General approach can be used to analyse other time-related
phenomena, such as time-limited validity.
Can be generalised to other resources with time-varying
usage.
Status
Interval Logic provides a link between formal requirements
and design parameters for an operational model:
[Diagram: Availability Requirements and Assumptions → IL Analysis → Design parameters for Operational Model → Executable Code]
Appears to be a useful basis for a design tool.
Thank you for your attention!