CSP tools for verification of Sec Prot

Overview of the lecture

The Casper interface

Refinement checking and FDR

Model checking

Theorem proving

Safe simplifying transformations

The Casper interface

Casper is essentially a compiler

Refinement checking and FDR

The notion of refinement

The implementation should be a refinement of the specification, in the sense of preserving its properties. Hence, less nondeterministic

Refinement checking: checking that the implementation is indeed a refinement of the specification

Obviously, the notion of refinement depends on the intended semantic. In CSP traditionally we consider 3 kinds of semantics:

Traces

Failures

Failures and Divergences

Refinement checking and FDR

Traces

The set of the sequences of visible actions in all possible runs

Example:

   A =   a -> b -> c -> Stop [] b -> c -> a -> Stop

   Tr(A) = { a.b.c, b.c.a }

   B =   a -> Stop ||| b -> c -> Stop

   Tr(A) = { a.b.c, b.a.c, b.c.a }

Note that A is less nondeterministic than B:

A represents only a subset of the possible runs of B

Refinement checking and FDR

We want to define formally the notion of refinement wrt trace semantics, in such a way that it captures the concept of “less nondeterministic”.

Question: what should be the formal definition of “A is a refinement of B” in terms of their traces?

Refinement checking and FDR

Limits of trace semantics:

It is not compositional. Namely, trace refinement

is not preserved under contexts.

This means that the analysis based on traces cannot

be performed modularly: it must be performed on

the whole system at once.

Example

A = a -> (b -> Stop [] c -> Stop)

B = a -> Stop [] a -> c -> Stop

Refinement checking and FDR

Stronger, compositional semantics

Failures: this semantics encodes the brancing structure of a process by representing, after each partial trace, the set of actions that are not allowed

Example:

The notion of refinement is defined in such a way that A is a refinement of B, but not vice versa

This notion of refinement is preserved under closure on possible contexts

Refinement checking and FDR

Stronger, compositional semantics

Failures and Divergences: This semantics encodes all the information of Failure semantics, plus additional information about divergences (livelocks). As such, it is suitable also for the analysis of liveness properties (not only safety)

Example:

It is considered the standard model of CSP

FDR means: Failure and Divergences Refinement

Automatic refinement check for finite state systems (they can have infinite computations, but the number of states is finite)

Model checking

Model checking basics

The security property we want to verify is expressed as a temporal logic formula F

The protocol is expressed as a system S of processes (the processes involved with the protocol and, possibly, the intruder)

S is represented as a labeled transition system T, which is seen as an interpretation of F

Model checking consists in showing that T is a model of F, namely that T validates F

Always possible with Finite State systems

Also possible for some restricted cases of Infinite State systems

Model checking

Example

A = a -> b -> A

B = c -> d -> B

S = A ||| B

Temporal operators:

F : forever

E : eventually

Some formulae

F E (a or c)

F E a

E F (a or c)

Theorem proving

Based on a set of inference rules that model a satisfiability relation S sat P

Example: parallel rule

Forall i. (S_i sat (R precedes T))

(|||_i S_i ) sat (R precedes T)

Properties of the inference system:

Semiautomatic (invariant needed for recursive definitions)

Sound and relatively complete

All the properties of the Yahalom protocol seen in previous lecture can be easily verified using this system (see proofs in the book of Ryan and Schneider)



	Overview of the lecture

		The Casper interface
		Refinement checking and FDR
		Model checking
		Theorem proving
		Safe simplifying transformations


The notion of refinement
	The implementation should be a refinement of the specification, in the sense of preserving its properties. Hence, less nondeterministic
	Refinement checking: checking that the implementation is indeed a refinement of the specification
	Obviously, the notion of refinement depends on the intended semantic. In CSP traditionally we consider 3 kinds of semantics:
		Traces
		Failures
		Failures and Divergences


	Traces
		The set of the sequences of visible actions in all possible runs
		Example:
		A = a -> b -> c -> Stop [] b -> c -> a -> Stop
		Tr(A) = { a.b.c, b.c.a }

		B = a -> Stop \|\|\| b -> c -> Stop
		Tr(A) = { a.b.c, b.a.c, b.c.a }

		Note that A is less nondeterministic than B:
		A represents only a subset of the possible runs of B


	We want to define formally the notion of refinement wrt trace semantics, in such a way that it captures the concept of “less nondeterministic”.
	Question: what should be the formal definition of “A is a refinement of B” in terms of their traces?


	Limits of trace semantics:
		It is not compositional. Namely, trace refinement
		is not preserved under contexts.
		This means that the analysis based on traces cannot
		be performed modularly: it must be performed on
		the whole system at once.

	Example
		A = a -> (b -> Stop [] c -> Stop)
		B = a -> Stop [] a -> c -> Stop


Stronger, compositional semantics
	Failures: this semantics encodes the brancing structure of a process by representing, after each partial trace, the set of actions that are not allowed

		Example:






	The notion of refinement is defined in such a way that A is a refinement of B, but not vice versa
	This notion of refinement is preserved under closure on possible contexts


Stronger, compositional semantics
	Failures and Divergences: This semantics encodes all the information of Failure semantics, plus additional information about divergences (livelocks). As such, it is suitable also for the analysis of liveness properties (not only safety)
	Example:




	It is considered the standard model of CSP
	FDR means: Failure and Divergences Refinement
		Automatic refinement check for finite state systems (they can have infinite computations, but the number of states is finite)


	Model checking basics
	The security property we want to verify is expressed as a temporal logic formula F
	The protocol is expressed as a system S of processes (the processes involved with the protocol and, possibly, the intruder)
	S is represented as a labeled transition system T, which is seen as an interpretation of F
	Model checking consists in showing that T is a model of F, namely that T validates F
		Always possible with Finite State systems
		Also possible for some restricted cases of Infinite State systems


Example
		A = a -> b -> A
		B = c -> d -> B

		S = A \|\|\| B

Temporal operators:
	F : forever
	E : eventually

Some formulae
	F E (a or c)
	F E a
	E F (a or c)


	Based on a set of inference rules that model a satisfiability relation S sat P

		Example: parallel rule

	Forall i. (S_i sat (R precedes T))
	(\|\|\|_i S_i ) sat (R precedes T)

	Properties of the inference system:
		Semiautomatic (invariant needed for recursive definitions)
		Sound and relatively complete
		All the properties of the Yahalom protocol seen in previous lecture can be easily verified using this system (see proofs in the book of Ryan and Schneider)