Protokollsicherheit
Automated Verification – Reachability Secrecy
Logic Programming (Prolog)
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Example
Imperative solution:
int sum(int[] list) =
result = 0;
for(int i = 0; i ¡ list.length; ++i)
result += list[i]
return result
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Example
Imperative solution:
int sum(int[] list) =
result = 0;
for(int i = 0; i ¡ list.length; ++i)
result += list[i]
return result
We define how to compute!
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Example
Functional solution:
fun sum ([]) = 0
| sum(h :: lst) = h + sum(lst)
We define how to compute!
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Example
Prolog solution:
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Logic Programming (Prolog)
The main motto is to described declaratively the solution of a
problem and not how it should be solved.
Example
Prolog solution:
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Programs are logical theories!
We do not specify how to compute it, but just state
what is true about it.
Logic Programming (Prolog)
Queries
Prolog Program
Answers
Logic Programming (Prolog)
Queries
Prolog Program
Answers
Prolog Program
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Logic Programming (Prolog)
Queries
Prolog Program
Answers
Prolog Program
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Query
sum([4, 2, 3, 4], X).
Logic Programming (Prolog)
Queries
Prolog Program
Answers
Prolog Program
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Query
sum([4, 2, 3, 4], X).
Answer
X = 13
Logic Programming (Prolog)
Queries
Prolog Program
Answers
Prolog Program
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Query
sum([4, 2, 3, 4], X).
Answer
X = 13
What the prolog engine is doing
is searching for a proof
demonstrating that the query
logically follows from the logic
program.
Proof Theory Basics – Sequent Calculus
Proof Theory Basics – Sequent Calculus
Proof theory is the field of mathematics that studies the
properties and structure of formal proofs.
Proof Theory Basics – Sequent Calculus
Proof theory is the field of mathematics that studies the
properties and structure of formal proofs.
Sequents
F1 , . . . , Fn −→ G1 , . . . , Gm
F1 ∧ · · · ∧ Fn ⊃ G1 ∨ · · · ∨ Gm
Proof Theory Basics – Inference Rules
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Logical Rules
Γ1 , A −→ ∆1 Γ2 , B −→ ∆2
∨l
Γ1 , Γ2 , A ∨ B −→ ∆1 , ∆2
Γ −→ A1 , A2 , ∆
∨r
Γ −→ A1 ∨ A2 , ∆
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Logical Rules
Γ1 , A −→ ∆1 Γ2 , B −→ ∆2
∨l
Γ1 , Γ2 , A ∨ B −→ ∆1 , ∆2
Γ, A, B −→ ∆
∧l
Γ, A ∧ B −→ ∆
Γ −→ A1 , A2 , ∆
∨r
Γ −→ A1 ∨ A2 , ∆
Γ1 −→ ∆1 , G1 Γ2 −→ ∆2 , G2
∧r
Γ1 , Γ2 −→ ∆1 , ∆2 , G1 ∧ G2
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Logical Rules
Γ1 , A −→ ∆1 Γ2 , B −→ ∆2
∨l
Γ1 , Γ2 , A ∨ B −→ ∆1 , ∆2
Γ, A, B −→ ∆
∧l
Γ, A ∧ B −→ ∆
Γ −→ A1 , A2 , ∆
∨r
Γ −→ A1 ∨ A2 , ∆
Γ1 −→ ∆1 , G1 Γ2 −→ ∆2 , G2
∧r
Γ1 , Γ2 −→ ∆1 , ∆2 , G1 ∧ G2
Γ1 −→ A, ∆1
Γ2 , B −→ ∆2
⊃l
Γ1 , Γ2 , A ⊃ B −→ ∆1 , ∆2
Γ, A −→ B, ∆
⊃r
Γ −→ A ⊃ B, ∆
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Logical Rules
Γ1 , A −→ ∆1 Γ2 , B −→ ∆2
∨l
Γ1 , Γ2 , A ∨ B −→ ∆1 , ∆2
Γ, A, B −→ ∆
∧l
Γ, A ∧ B −→ ∆
Γ −→ A1 , A2 , ∆
∨r
Γ −→ A1 ∨ A2 , ∆
Γ1 −→ ∆1 , G1 Γ2 −→ ∆2 , G2
∧r
Γ1 , Γ2 −→ ∆1 , ∆2 , G1 ∧ G2
Γ1 −→ A, ∆1
Γ2 , B −→ ∆2
⊃l
Γ1 , Γ2 , A ⊃ B −→ ∆1 , ∆2
Γ, A{t/x} −→ ∆
∀l
Γ, ∀A −→ ∆
Γ, A −→ B, ∆
⊃r
Γ −→ A ⊃ B, ∆
Γ −→ A{c/x}, ∆
∀
Γ −→ ∀x A, ∆ r
Proof Theory Basics – Inference Rules
Identity Rules
A −→ A Init
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Logical Rules
Γ1 , A −→ ∆1 Γ2 , B −→ ∆2
∨l
Γ1 , Γ2 , A ∨ B −→ ∆1 , ∆2
Γ, A, B −→ ∆
∧l
Γ, A ∧ B −→ ∆
Γ −→ A1 , A2 , ∆
∨r
Γ −→ A1 ∨ A2 , ∆
Γ1 −→ ∆1 , G1 Γ2 −→ ∆2 , G2
∧r
Γ1 , Γ2 −→ ∆1 , ∆2 , G1 ∧ G2
Γ1 −→ A, ∆1
Γ2 , B −→ ∆2
⊃l
Γ1 , Γ2 , A ⊃ B −→ ∆1 , ∆2
Γ, A{t/x} −→ ∆
∀l
Γ, ∀A −→ ∆
Γ, A −→ B, ∆
⊃r
Γ −→ A ⊃ B, ∆
Γ −→ A{c/x}, ∆
∀
Γ −→ ∀x A, ∆ r
Γ, ⊥ −→ ∆
⊥L
Proof Theory Basics – Inference Rules
Structural Rules
Proof Theory Basics – Inference Rules
Structural Rules
Γ −→ ∆ W
Γ, A −→ ∆ l
Γ −→ ∆ W
Γ −→ A, ∆ r
Proof Theory Basics – Inference Rules
Structural Rules
Γ −→ ∆ W
Γ, A −→ ∆ l
Γ, A, A −→ ∆
Cl
Γ, A −→ ∆
Γ −→ ∆ W
Γ −→ A, ∆ r
Γ −→ A, A, ∆
Cr
Γ −→ A, ∆
Proof Theory Basics – Inference Rules
Structural Rules
Γ −→ ∆ W
Γ, A −→ ∆ l
Γ, A, A −→ ∆
Cl
Γ, A −→ ∆
Γ, B, A, Γ0 −→ ∆
Xl
0
Γ, A, B, Γ −→ ∆
Γ −→ ∆ W
Γ −→ A, ∆ r
Γ −→ A, A, ∆
Cr
Γ −→ A, ∆
Γ −→ ∆, B, A, ∆0
0 Xr
Γ −→ ∆, A, B, ∆
Proof Theory Basics – Inference Rules
Structural Rules
Γ −→ ∆ W
Γ, A −→ ∆ l
Γ, A, A −→ ∆
Cl
Γ, A −→ ∆
Γ, B, A, Γ0 −→ ∆
Xl
0
Γ, A, B, Γ −→ ∆
Γ −→ ∆ W
Γ −→ A, ∆ r
Γ −→ A, A, ∆
Cr
Γ −→ A, ∆
Γ −→ ∆, B, A, ∆0
0 Xr
Γ −→ ∆, A, B, ∆
F1 , . . . , Fn −→ G1 , . . . , Gm
These contexts can be treated as sets of formulas.
We assume that the structural rules are applied implicitly.
Proof Theory Basics – Proofs
Proof Theory Basics – Proofs
Proofs are tree-like structures constructed using inference rules and
whose leaves are instances of the initial rule and/or of the false rule.
Proof Theory Basics – Proofs
Proofs are tree-like structures constructed using inference rules and
whose leaves are instances of the initial rule and/or of the false rule.
P −→ P Init Q −→ Q Init
∧r
P, Q −→ P ∧ Q
∧l
P ∧ Q −→ P ∧ Q
⊃r
· −→ (P ∧ Q) ⊃ (P ∧ Q)
Proof Theory Basics – Proofs
Proofs are tree-like structures constructed using inference rules and
whose leaves are instances of the initial rule and/or of the false rule.
P −→ P Init Q −→ Q Init
∧r
P, Q −→ P ∧ Q
∧l
P ∧ Q −→ P ∧ Q
⊃r
· −→ (P ∧ Q) ⊃ (P ∧ Q)
Theorem: (Soudness and Completeness) A formula F is a tautology
if and only if there is proof of −→ F.
Proof Theory Basics – Cut Elimination
Proof Theory Basics – Cut Elimination
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Proof Theory Basics – Cut Elimination
This a new formula in
the proof. Use of a
Lemma.
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Proof Theory Basics – Cut Elimination
This a new formula in
the proof. Use of a
Lemma.
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Proof with Cuts
Proof without Cuts
Proof Theory Basics – Cut Elimination
This a new formula in
the proof. Use of a
Lemma.
Γ1 −→ A, ∆1 Γ2 , A −→ ∆2
Cut
Γ1 , Γ2 −→ ∆1 , ∆2
Proof with Cuts
Proof without Cuts
Consistency
−→ A
A −→
Sub-formula
No needs for Lemmas.
Logic Programming (Prolog)
Horn Clauses
Logic Programming (Prolog)
Horn Clauses
Goals (or queries)
G ::= true | A | G ∧ G | ∃x.G
Logic Programming (Prolog)
Horn Clauses
Goals (or queries)
G ::= true | A | G ∧ G | ∃x.G
Programs
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Logic Programming (Prolog)
Horn Clauses
Goals (or queries)
G ::= true | A | G ∧ G | ∃x.G
Programs
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Prove the sequent: P −→ G
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
−→
∃X.sum([4, 2, 3, 4], X)
Logic Programming (Prolog)
Computation is Cut-free Proof Search
Logic Programming (Prolog)
Computation is Cut-free Proof Search
P −→ G
Logic Programming (Prolog)
Computation is Cut-free Proof Search
P −→ G
Logic Programming (Prolog)
Computation is Cut-free Proof Search
P −→ G
Logic Programming (Prolog)
Computation is Cut-free Proof Search
Backtracking
P −→ G
Logic Programming (Prolog)
Computation is Cut-free Proof Search
Backtracking
Proof
···
P −→ G
P −→ G
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
No disjunction on the
right of sequents.
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
No disjunction on the
right of sequents.
Single formula to the right-hand-side: F1 , . . . , Fn −→ G
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
No disjunction on the
right of sequents.
Single formula to the right-hand-side: F1 , . . . , Fn −→ G
Proof Theory – Sequent Calculus LJ
Logic Programming (Prolog)
No disjunction on the
right of sequents.
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Single formula to the right-hand-side: F1 , . . . , Fn −→ G
Proof Theory – Sequent Calculus LJ
Γ, P, Q −→ G
∧l
Γ, P ∧ Q −→ G
Γ −→ G1 Γ −→ G2
∧r
Γ −→ G1 ∧ G2
Γ −→ P
Γ, Q −→ G
⊃l
Γ, P ⊃ Q −→ G
Γ, P{t/x} −→ G
∀l
Γ, ∀P −→ G
Γ −→ G{t/x}
∃r
Γ −→ ∃x.G
Init
A −→ A
Logic Programming (Prolog)
No disjunction on the
right of sequents.
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Single formula to the right-hand-side: F1 , . . . , Fn −→ G
Proof Theory – Sequent Calculus LJ
Γ, P, Q −→ G
∧l
Γ, P ∧ Q −→ G
Γ −→ G1 Γ −→ G2
∧r
Γ −→ G1 ∧ G2
Γ −→ P
Γ, Q −→ G
⊃l
Γ, P ⊃ Q −→ G
Γ, P{t/x} −→ G
∀l
Γ, ∀P −→ G
Γ −→ G{t/x}
∃r
Γ −→ ∃x.G
Init
A −→ A
Searching a proof with the rules above is too inefficient! The
search space is huge!
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Backchaining Rule
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Backchaining Rule
Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ G1 θ · · · Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ Gn θ
bc
Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ Ag
where θ is the most general unifier of A and Ag .
Logic Programming (Prolog)
G ::= true | A | G ∧ G | ∃x.G
P ::= A | G ⊃ A | P1 ∧ P2 | ∀x.P
Backchaining Rule
Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ G1 θ · · · Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ Gn θ
bc
Γ, ∀~x.[G1 ∧ · · · ∧ Gn ⊃ A] −→ Ag
where θ is the most general unifier of A and Ag .
The backchaining rule yields a goal directed search.
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], N)]
Γ −→ sum(l, m)
Γ −→ eq(m + 2, m + 2)
bc
Γ −→ sum([2 | l], m + 2)
Logic Programming (Prolog)
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], M)]
Γ −→ sum(l, m)
Γ −→ eq(m + 2, m + 2)
bc
Γ −→ sum([2 | l], m + 2)
Logic Programming (Prolog)
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], M)]
Γ −→ sum(l, m)
Γ −→ eq(m + 2, m + 2)
bc
Γ −→ sum([2 | l], m + 2)
The backchaining rule can be interpreted as a collection of
atomic rules.
Γ −→ sum(l, m) Γ −→ eq(m + 2, m + 2)
Γ, sum([2 | l], m + 2) −→ sum([2 | l], m + 2)
Γ −→ sum(l, m) ∧ eq(m + 2, m + 2)
Γ, [sum(l, m) ∧ eq(m + 2, m + 2) ⊃ sum([2 | l], m + 2)] −→ sum([2 | l], m + 2)
4×∀
Γ −→ sum([2 | l], m + 2)
Logic Programming (Prolog)
Question: Clearly proof search using the backchaining rule is sound,
but is it complete?
Logic Programming (Prolog)
Question: Clearly proof search using the backchaining rule is sound,
but is it complete?
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Logic Programming (Prolog)
Question: Clearly proof search using the backchaining rule is sound,
but is it complete?
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
In fact, the proof of the theorem above tells a bit more. The set of
proofs of the following shape is complete.
bc
∧r and ∃r
∧l
Logic Programming (Prolog)
Question: Clearly proof search using the backchaining rule is sound,
but is it complete?
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
In fact, the proof of the theorem above tells a bit more. The set of
proofs of the following shape is complete.
bc
∧r and ∃r
∧l
In literature, these proofs
are called uniform
proofs.
Logic Programming (Prolog)
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Proof Sketch:
Logic Programming (Prolog)
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Proof Sketch:
The proof relies in permutation lemmas:
Lemma 1: All rules permute
over ∧l .
Logic Programming (Prolog)
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Proof Sketch:
The proof relies in permutation lemmas:
Lemma 1: All rules permute
over ∧l .
Γ, A, B −→ F
Γ, G, A, B −→ R
∧l
∧l
Γ, A ∧ B −→ F
Γ, G, A ∧ B −→ R
⊃l
Γ, F ⊃ G, A ∧ B −→ R
Γ, A, B −→ F
Γ, G, A, B −→ R
⊃l
Γ, F ⊃ G, A, B −→ R
∧l
Γ, F ⊃ G, A ∧ B −→ R
Logic Programming (Prolog)
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Proof Sketch:
The proof relies in permutation lemmas:
Lemma 1: All rules permute
over ∧l .
Lemma 2: All other rules
permute over each other.
Logic Programming (Prolog)
Theorem: Any LJ proof of a sequent of the form P −→ G
can be transformed into a proof that contains only
occurrences of ∧l , bc, and ∃r .
Proof Sketch:
The proof relies in permutation lemmas:
Lemma 1: All rules permute
over ∧l .
Lemma 2: All other rules
permute over each other.
Γ, G −→ A Γ, G −→ B
∧r
Γ −→ F
Γ, G −→ A ∧ B
⊃l
Γ, F ⊃ G −→ A ∧ B
Γ −→ F Γ, G −→ B
Γ −→ F Γ, G −→ A
⊃l
⊃l
Γ, F ⊃ G −→ B
Γ, F ⊃ G −→ A
∧r
Γ, F ⊃ G −→ A ∧ B
Logic Programming (Prolog)
Proof Sketch:
Lemma 1: All rules permute
over ∧l .
Lemma 2: All other rules
permute over each other.
Logic Programming (Prolog)
Proof Sketch:
Lemma 1: All rules permute
over ∧l .
Lemma 2: All other rules
permute over each other.
Using Lemma 1, we can move all instances of ∧l
downwards in the proof.
∧l
∧l
Logic Programming (Prolog)
Proof Sketch:
Lemma 1: All rules permute
over ∧l .
Lemma 2: All other rules
permute over each other.
Using Lemma 2, we can organize the remaining rules to
form a backchaining rule instance.
∧r
⊃l
⊃l
∧r
Logic Programming (Prolog)
How about the witnesses for existentials?
Logic Programming (Prolog)
How about the witnesses for existentials?
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], M)]
−→
∃X.sum([4, 2, 3, 4], X)
Logic Programming (Prolog)
How about the witnesses for existentials?
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], M)]
−→
∃X.sum([4, 2, 3, 4], X)
Unification delays the search for witnesses for the ∃r rule.
sum([], 0)∧
∀H, T, N, M.[sum(T, M) ∧ eq(N, M + H) ⊃ sum([H|T ], M)]
−→
sum([4, 2, 3, 4], X)
where X is a logical variable created by the logic interpreter (Prolog
engine). That is, this is a strictly implementation technique. There is
no correspondence to logic.
Logic Programming (Prolog)
There is still one decision to make: which clause to
backchain?
Logic Programming (Prolog)
There is still one decision to make: which clause to
backchain?
∀X.p( f (X)) ⊃ p(X)
Γ, ∀X.[p( f (X) ⊃ p(X)] −→ p( f (a))
bc
Γ, ∀X.[p( f (X) ⊃ p(X)] −→ p(a)
Logic Programming (Prolog)
There is still one decision to make: which clause to
backchain?
∀X.p( f (X)) ⊃ p(X)
Γ, ∀X.[p( f (X) ⊃ p(X)] −→ p( f (a))
bc
Γ, ∀X.[p( f (X) ⊃ p(X)] −→ p(a)
If the interpreter always backchains on the clause above,
then it will not terminate.
Verifying Protocols with Prolog
We model the intruder as well as the protocol by using Horn
clauses.
As before, we assume that there are constructors and
destructors.
For each constructor f , we add a rule of the form:
att(M1 ) ∧ · · · ∧ att(Mn ) ⊃ att( f (M1 , . . . , Mn ))
Examples
att(m) ∧ att(pk) ⊃ att(aenc(m, pk))
att(sk) ⊃ att(pk(sk))
att(m) ∧ att(sk) ⊃ att(sign(m, sk))
Verifying Protocols with Prolog
For each destructor defined by g(M1 , . . . , Mn ) = M, we add
a rule of the form:
att(M1 ) ∧ · · · ∧ att(Mn ) ⊃ att(M)
att(aenc(m, pk(sk))) ∧ att(sk) ⊃ att(m)
att(sign(m, sk)) ⊃ att(m)
Destructors never appear in the rules. They are modelled
using pattern-matching.
Verifying Protocols with Prolog
Specification of a Protocol (by example)
A → B : {sign(k, skA )} pkB
The intruder starts protocols with anyone he wants, or alternatively it
can intercept A’s message faking to be B.
att(pk(k)) ⊃ att(aenc(sign(k, skA [])), pk(k))
However, keys are fresh!
att(pk(k)) ⊃ att(aenc(sign(k[pk(x)], skA [])), pk(k))
This is the first abstraction that Proverif uses. Fresh values are
considered as functions of the messages previously received by the
protocol.
Verifying Protocols with Prolog
Specification of a Protocol (by example)
Once B receives the message of the form {sign(k0 , sk)} pkB she cheks
whether the signature is correct, that is, sk = skA []:
B → A : {s[]}k0
In our model, the attacker does all this:
att(enc(sign(k0 , skA [])), pk(skB )) ⊃ att(aenc(s[], k0 ))
A symmetric rule is added for when B starts the protocol.
In general, a protocol that contains n messages encoded by n sets of
rules, each set containing the same corresponding rule for each
principal.
Verifying Protocols with Prolog
Reachability Secrecy Problem
Given a logic program P encoding a protocol containing a
secret s, is the fact att(s[]) derivable from P.
Notice that since we are in classical logic, the number of times a
message is used is not evident.
att(enc(s[], k))
In a derivation, this message can be derived as many times needed.
This is because formulas can be contracted. Hence, messages
meant to appear only once in a future protocol may mix up with
messages in the past. This may lead to false attacks.
Verifying Protocols with Prolog
Problem with Prolog Proof Search
Using the backchaining rule with the rule below would lead
to non-termination.
att(enc(m, pk(sk))) ∧ att(sk) ⊃ att(m)
We need another solving algorithm!
Verifying Protocols with Prolog
Main Idea
The solving algorithm works in two phases:
In the first phase, we pre-process the logic program by
constructing rewriting rules so that the body of all rules of
the form att(x).
The second phase is to use the same Prolog search
strategy but using the pre-processed program.
Verifying Protocols with Prolog
Phase One
We want that the body of all clauses are of the form att(x).
Selection function: sel(F1 ∧ · · · ∧ Fn ⊃ F) ⊆ {F1 , . . . , Fn }
sel(F1 ∧ · · · ∧ Fn ⊃ F) = ∅ if Fi = att(x) for all 1 ≤ i ≤ n.
sel(F1 ∧ · · · ∧ Fn ⊃ F) = {Fi } otherwise, where Fi has the greatest size.
Example
sel(att(enc(m, pk(sk))) ∧ att(sk) ⊃ att(m)) = att(enc(m, pk(sk)))
Verifying Protocols with Prolog
Phase One – Resolution
R = F1 ∧ · · · ∧ Fn ⊃ F
sel(R) = ∅
R0 = F10 ∧ · · · ∧ Fn0 0 ⊃ F 0
Fi0 ∈ sel(R0 )
Add to the program the following clause, denoted as R ◦Fi0 R0
0
0
F1 θ ∧ · · · ∧ Fn θ ∧ F10 θ ∧ · · · Fi−1
θ ∧ Fi+1
θ ∧ · · · ∧ Fn0 0 θ ⊃ F 0 θ
This operation can be seen as a forward-chaining step.
Example
att(aenc(sign(z, skA []), pkB [])) ⊃ att(enc(s, z))
att(m) ∧ att(pk) ⊃ att(enc(m, pk))
att(sign(z, skA [])) ∧ att(pkB []) ⊃ att(enc(s, z))
© Copyright 2024 Paperzz