|
|
|
|
|
|
Overview of the lecture |
|
|
|
The Casper interface |
|
Refinement checking and FDR |
|
Model checking |
|
Theorem proving |
|
Safe simplifying transformations |
|
|
|
|
|
|
|
|
|
|
Casper is essentially a compiler |
|
|
|
|
|
|
|
|
|
|
|
|
The notion of refinement |
|
The implementation should be a refinement of the
specification, in the sense of preserving its properties. Hence, less
nondeterministic |
|
Refinement checking: checking that the
implementation is indeed a refinement of the specification |
|
Obviously, the notion of refinement depends on
the intended semantic. In CSP traditionally we consider 3 kinds of
semantics: |
|
Traces |
|
Failures |
|
Failures and Divergences |
|
|
|
|
|
|
|
Traces |
|
The set of the sequences of visible actions in
all possible runs |
|
Example: |
|
A =
a -> b -> c -> Stop [] b -> c -> a -> Stop |
|
Tr(A) = { a.b.c, b.c.a } |
|
|
|
B =
a -> Stop ||| b -> c -> Stop |
|
Tr(A) = { a.b.c, b.a.c, b.c.a } |
|
|
|
Note that A is less nondeterministic than B: |
|
A represents only a subset of the possible runs
of B |
|
|
|
|
|
|
We want to define formally the notion of refinement
wrt trace semantics, in such a way that it captures the concept of “less
nondeterministic”. |
|
Question: what should be the formal definition
of “A is a refinement of B” in terms of their traces? |
|
|
|
|
|
Limits of trace semantics: |
|
It is not compositional. Namely, trace
refinement |
|
is not preserved under contexts. |
|
This means that the analysis based on traces
cannot |
|
be performed modularly: it must be performed on |
|
the whole system at once. |
|
|
|
Example |
|
A = a -> (b -> Stop [] c -> Stop) |
|
B = a -> Stop [] a -> c -> Stop |
|
|
|
|
|
|
|
|
Stronger, compositional semantics |
|
Failures: this semantics encodes the brancing
structure of a process by representing, after each partial trace, the set
of actions that are not allowed |
|
|
|
Example: |
|
|
|
|
|
|
|
|
|
|
|
|
|
The notion of refinement is defined in such a
way that A is a refinement of B, but not vice versa |
|
This notion of refinement is preserved under
closure on possible contexts |
|
|
|
|
|
|
Stronger, compositional semantics |
|
Failures and Divergences: This semantics encodes
all the information of Failure semantics, plus additional information about
divergences (livelocks). As such, it is suitable also for the analysis of liveness
properties (not only safety) |
|
Example: |
|
|
|
|
|
|
|
|
|
It is considered the standard model of CSP |
|
FDR means: Failure and Divergences Refinement |
|
Automatic refinement check for finite state
systems (they can have infinite computations, but the number of states is
finite) |
|
|
|
|
|
|
|
Model checking basics |
|
The security property we want to verify is
expressed as a temporal logic formula F |
|
The protocol is expressed as a system S of
processes (the processes involved with the protocol and, possibly, the
intruder) |
|
S is represented as a labeled transition system
T, which is seen as an interpretation of F |
|
Model checking consists in showing that T is a
model of F, namely that T validates F |
|
Always possible with Finite State systems |
|
Also possible for some restricted cases of
Infinite State systems |
|
|
|
|
|
|
|
|
Example |
|
A = a -> b -> A |
|
B = c -> d -> B |
|
|
|
S = A ||| B |
|
|
|
Temporal operators: |
|
F : forever |
|
E : eventually |
|
|
|
Some formulae |
|
F E (a or c) |
|
F E a |
|
E F (a or c) |
|
|
|
|
|
|
|
|
|
Based on a set of inference rules that model a
satisfiability relation S sat P |
|
|
|
Example: parallel rule |
|
|
|
Forall
i. (Si sat (R
precedes T)) |
|
(|||i Si ) sat (R precedes
T) |
|
|
|
Properties of the inference system: |
|
Semiautomatic (invariant needed for recursive
definitions) |
|
Sound and relatively complete |
|
All the properties of the Yahalom protocol seen
in previous lecture can be easily verified using this system (see proofs in
the book of Ryan and Schneider) |
|
Notes