Slides 56 to 88 (only the opening words of each slide survive in this copy; "..." marks where the text is cut):
  56-57. Results Obtained: Reachability decision procedures. With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CS...
  58-59. Generalisation: Saturated Deduction Systems. Saturation: decidability result for order saturated sets of clauses for ground ...
  60. Outline: Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration ...
  61-63. Combination of Equational Theories. Principle: reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2. Wel...
  64. Application to Refutation of Protocols. Additional constraints: the attacker has to build the solution; preservation of ...
  65. Outline: Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration ...
  66. Beyond the Security Analysis of Protocols. [Figure: Server, Client, Msg 1 ...]
  67. Beyond the Security Analysis of Protocols. [Figure: Provider 2, Provider 1, Op. 1 ...]
  68. Orchestration. Model: messages of the services are decorated with guards and persistent assertions. Limiting a...
  69-70. Results obtained (with Mekki, Rusinowitch; WSCMA07, FAST09): decision procedure for orchestration by reduction to the insec...
  71-74. Can we connect the dots? Summary: if it exists, we can compute a conversation describing an orchestration with security constra...
  75. Plan: Distributed systems; Logical Model; Security analysis; Current and Future Works ...
  76. Equivalence (M. Baudet, 2004). Definition (Subterm deduction systems): a deduction system is subterm iff its equational theory i...
  77. Own current and future work. Past: another proof of this fact [with Rusinowitch, JAR 2010]. Current: definition of a gene...
  78. Multiple attackers (with Avanesov, Rusinowitch, Turuani). Setting: multiple, non-communicating attackers. Model for...
  79-80. Extensions: Entities with Loops. Combination: automata-based methods are able to synthesize orchestrations with loops. Fut...
  81-83. Contextual Deduction (Reddy, Bronsard): employ resolution with unification replaced by pattern-match...
  84. Future work: Communicating entities. [Figure: Entity 1, Entity 2, Entity 3, State 1, State 2, Network ...]
  85. Future work: Communicating entities. [Figure: Application 1, Application 2 ...]
  86-88. 40+ years ago... Alan Kay's description of object-oriented programming: encapsulate each chunk of code with logic that enab...
Yannick Chevalier - Habilitation (final)

  1. Logical Approach to the Security Analysis of Distributed Systems
     Yannick Chevalier, Université Toulouse 3. Toulouse, 25/02/2011.
  2. Outline
     • Distributed systems
     • Logical Model
     • Security analysis
     • Current and Future Works
     (Every slide carries the footer "Yannick Chevalier, Toulouse, 25/02/2011, Université Toulouse 3, Habilitation n/88"; it is kept here once.)
  3. Plan
     • Distributed systems: Distributed systems; Analysis of distributed systems
     • Logical Model
     • Security analysis
     • Current and Future Works
  4. Outline: Distributed systems
     • Distributed systems
     • Analysis of distributed systems
  5. Distributed Systems: Communicating entities
     [Figure: Entity 1, Entity 2 and Entity 3, each with its own state (State 1, State 2, State 3), exchanging messages over a Network]
     Distributed systems:
     • Several entities
     • Communicating by message passing on a network
  6. Distributed Systems: Communicating entities
     [Figure: Client and Server exchanging Msg 1, Msg 2 and Msg 3 over a Network, with an attacker on the network]
     Example: Cryptographic Protocols
     • Entities are the client, server, ...
     • The state is the point reached by the entity in the protocol
     • An attacker can interfere with the communications
  7. Distributed Systems: Communicating entities
     [Figure: Provider 1 and Provider 2 offering Op. 1, Op. 2 and Op. 3 over a Network, with an Orchestrator]
     Web Services:
     • Entities are service providers, which may be stateful or not
     • An orchestrator can interact with these providers to provide a new functionality
  8. Outline: Distributed systems
     • Distributed systems
     • Analysis of distributed systems
  9-11. Security Analysis of Distributed Systems
     [Figure: Client, Server, Msg 1 to Msg 3 over a Network, attacker; as on slide 6]
     Principle:
     • Specify the participating entities
     • Specify a property
     • Check whether the property is satisfied by the possible executions
     Security Properties: Secrecy; Authentication; Strong secrecy
     Remarks: Not deterministic; Infinitely branching
  12-20. Security Analysis of Distributed Systems
     Same principle, security properties and remarks as slides 9 to 11; in the figure the medium between Client and Server is labelled "OS" rather than "Network", with the attacker still present.
  21. Outline
     • Distributed systems: Distributed systems; Analysis of distributed systems
     • Logical Model: Formal model of entities; Decision problems; Compilation of conversations
     • Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
     • Current and Future Works
  22. Plan
     • Distributed systems
     • Logical Model: Formal model of entities; Decision problems; Compilation of conversations
     • Security analysis
     • Current and Future Works
  23. Outline: Logical Model
     • Formal model of entities
     • Decision problems
     • Compilation of conversations
  24-25. Equational Theories
     Modeling message properties:
     • Encryption: enc(x_msg, pk(x_key)); decryption: dec(x_msg, sk(x_key))
       ∀ x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
     • Associativity of concatenation _ · _
       ∀ x, y, z: x · (y · z) = (x · y) · z
     Generic model:
     • Data and operations are modeled with function symbols in a first-order signature
     • Effects of operations and properties of data constructors are modeled with an equational theory
  26-28. Deduction Systems
     Some function symbols denote relations between terms rather than computable functions:
       ∀ x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
     Deduction systems: a deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions.
     Deduction system as a set of Horn clauses:
     • Let know_e(t) be a predicate denoting that t's value is known by e
     • Equivalent to a set of Horn clauses, each of the form
       know_e(x_1), ..., know_e(x_n) ⇒ know_e(f(x_1, ..., x_n))
  29-32. Entity Specification
     Generic model:
     • Set of multi-set rewriting rules (Cervesato et al.)
     • State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, AVANTSSAR project)
     • Employed to describe distributed systems, but impractical for describing decision procedures
     Domain-specific models:
     • For cryptographic protocols
     • For Web Services
     • ...
     • Employed to describe decision procedures, based on simplifying assumptions
  33-35. Models Employed
     Program without loops:
     • Specification of possible roles in a cryptographic protocol
     • Web Services without Trust Negotiation policy
     • Orchestrator
     • ...
     Deduction systems, logical specification of actions:
     • Attacker
     • Policy Enforcement Point
     • ...
     Combination of both (work with Balbiani, ElHouri): Web services with Trust Negotiation policies
  36. Outline: Logical Model
     • Formal model of entities
     • Decision problems
     • Compilation of conversations
  37-38. Ground Reachability
     Setting:
     • An observer witnesses an execution of the system without interfering with it: t_1, ..., t_n
     • A goal is specified with a ground term t
     • Question: can t be deduced given the messages t_1, ..., t_n?
     Remarks:
     • Model of the possible constructions by the observer
     • Unsatisfactory model of the observer's knowledge
  39-40. Static Equivalence 1/2: Intuition
     Setting:
     • A game in which the observer witnesses the execution of one out of two possible distributed systems: t_1, ..., t_n
     • Question: can the observer deduce to which distributed system this execution belongs?
     Remarks:
     • Possible tests on the execution: constructions using the deduction system and nonce creation; equality tests
     • Model of the observer's knowledge
     • Lots of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...
  41-42. Static Equivalence 2/2: Technical description
     Description of the game:
     • Input: two sequences of messages, each representing the execution of one of the distributed systems
     • Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other
     Asymmetric version: Refinement [with Rusinowitch 10]
     • A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same results on ϕ yields the same result on ψ
     • Notation: ψ ⊨ M = N if the constructions M, N yield equal results when applied to the terms of ψ
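The following Python is added for this page; it is not taken from the slides or from the author's tools. It makes the objects of slides 24, 26, 37 and 39 to 42 concrete in one place: terms over the enc/dec/pk/sk signature of slide 24 with an added pairing operator, normalisation modulo that equational theory, ground reachability (slide 37) as saturation with the Horn clauses of slide 26, and the static-equivalence game of slides 39 to 41 played by enumerating the observer's constructions (recipes) up to a fixed nesting depth. The key and ballot names (`k`, `yes`, `no`), the frame handles `w1`/`w2`, the pairing symbols and the voting frames are assumptions constructed for this illustration.

```python
# Added illustration of slides 24-42 (ground reachability, static equivalence); not the author's code.
from itertools import product

# Terms are nested tuples ('f', arg, ...); atoms (names, keys) are strings.
CONSTRUCTORS = {"enc": 2, "pk": 1, "sk": 1, "pair": 2}
DESTRUCTORS = {"dec": 2, "fst": 1, "snd": 1}
PUBLIC = {**CONSTRUCTORS, **DESTRUCTORS}  # symbols the observer may apply

def normalize(t):
    """Normal form modulo dec(enc(x, pk(k)), sk(k)) = x (slide 24) plus fst/snd of a pair."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    if f == "dec":
        c, k = args
        if (isinstance(c, tuple) and c[0] == "enc" and isinstance(c[2], tuple)
                and c[2][0] == "pk" and k == ("sk", c[2][1])):
            return c[1]
    if f in ("fst", "snd") and isinstance(args[0], tuple) and args[0][0] == "pair":
        return args[0][1 if f == "fst" else 2]
    return (f, *args)

def synthesizable(facts, t):
    """Composition: the Horn clause know(x1..xn) => know(f(x1..xn)) of slide 26,
    applied bottom-up for constructors f only."""
    if t in facts:
        return True
    return (isinstance(t, tuple) and t[0] in CONSTRUCTORS
            and all(synthesizable(facts, a) for a in t[1:]))

def deducible(known, goal):
    """Ground reachability (slide 37). Subterm-convergent theories are local:
    saturate by decomposition, then check the goal by composition only."""
    facts = {normalize(t) for t in known}
    changed = True
    while changed:
        changed = False
        for t in list(facts):
            new = set()
            if isinstance(t, tuple) and t[0] == "pair":
                new = {t[1], t[2]}
            elif (isinstance(t, tuple) and t[0] == "enc" and isinstance(t[2], tuple)
                  and t[2][0] == "pk" and synthesizable(facts, ("sk", t[2][1]))):
                new = {t[1]}  # decrypt only when the private key is derivable
            if not new <= facts:
                facts |= new
                changed = True
    return synthesizable(facts, normalize(goal))

def recipes(handles, constants, depth):
    """Observer constructions over the frame handles, the public constants and
    the public symbols, nested at most `depth` times."""
    allr = set(handles) | set(constants)
    for _ in range(depth):
        new = set()
        for f, n in PUBLIC.items():
            for args in product(allr, repeat=n):
                new.add((f, *args))
        allr |= new
    return allr

def evaluate(recipe, frame):
    """Apply a recipe to a frame {handle: message} and normalize the result."""
    if isinstance(recipe, str):
        return normalize(frame.get(recipe, recipe))
    return normalize((recipe[0], *[evaluate(a, frame) for a in recipe[1:]]))

def distinguishing_test(frame1, frame2, constants=(), depth=2):
    """Bounded static equivalence (slide 41): recipes (M, N) with M = N holding on
    exactly one frame, or None if no test up to `depth` separates the frames."""
    seen1, seen2 = {}, {}  # value on one frame -> (value on the other, recipe)
    for r in recipes(list(frame1), constants, depth):
        v1, v2 = evaluate(r, frame1), evaluate(r, frame2)
        if v1 in seen1 and seen1[v1][0] != v2:
            return (r, seen1[v1][1])  # equal on frame1, distinct on frame2
        if v2 in seen2 and seen2[v2][0] != v1:
            return (r, seen2[v2][1])  # equal on frame2, distinct on frame1
        seen1.setdefault(v1, (v2, r))
        seen2.setdefault(v2, (v1, r))
    return None

# Constructed frames for the slide 39 game: a ballot "yes"/"no" under key k;
# the variants additionally publish pk(k) or leak sk(k).
BALLOT_YES = {"w1": ("enc", "yes", ("pk", "k"))}
BALLOT_NO = {"w1": ("enc", "no", ("pk", "k"))}
BALLOT_YES_PK = dict(BALLOT_YES, w2=("pk", "k"))
BALLOT_NO_PK = dict(BALLOT_NO, w2=("pk", "k"))
BALLOT_YES_SK = dict(BALLOT_YES, w2=("sk", "k"))
BALLOT_NO_SK = dict(BALLOT_NO, w2=("sk", "k"))

if __name__ == "__main__":
    print(deducible([("pair", BALLOT_YES["w1"], ("sk", "k"))], "yes"))  # True
    print(distinguishing_test(BALLOT_YES, BALLOT_NO, ("yes", "no")))  # None
    print(distinguishing_test(BALLOT_YES_SK, BALLOT_NO_SK, ("yes", "no")))
```

Public constants the observer knows are passed in `known` for deduction and in `constants` for the game. Two points connect back to the slides. `deducible` relies on the locality of subterm-convergent theories (decompose first, compose afterwards), the property behind the "subterm" entry on slide 53; with an associative concatenation as on slide 24 this shortcut no longer applies. A `None` from `distinguishing_test` only states that no test up to the chosen depth separates the frames, which is where the finite basis property of slide 50 matters: it is what turns such bounded checks into a decision procedure. The last two frame pairs show the two ways the observer wins: a leaked private key, and deterministic public-key encryption of a low-entropy value once the public key is known, which is why randomised encryption is usually modelled with an explicit random argument.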
  43. 43. Reachability and EquivalenceContext: cryptographic protocols Setting All entities but the attacker are modeled by loop-free programs Attacker modelled by a deduction system Definition: D -Reachability Can the attacker successfully complete the execution of the other entities ? Definition: D -Equivalence Can the attacker devise a completion in which he will be able to find with which system he interacts ? Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 43/88
  44. 44. Reachability and EquivalenceContext: cryptographic protocols Setting All entities but the attacker are modeled by loop-free programs Attacker modelled by a deduction system Definition: D -Reachability Can the attacker successfully complete the execution of the other entities ? Definition: D -Equivalence Can the attacker devise a completion in which he will be able to find with which system he interacts ? Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 44/88
  45. 45. Reachability and EquivalenceContext: cryptographic protocols Setting All entities but the attacker are modeled by loop-free programs Attacker modelled by a deduction system Definition: D -Reachability Can the attacker successfully complete the execution of the other entities ? Definition: D -Equivalence Can the attacker devise a completion in which he will be able to find with which system he interacts ? Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 45/88
  46. 46. OutlineLogical Model Formal model of entities Decision problems Compilation of conversations Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 46/88
  47. 47. Cryptographic Protocol AnalysisRemarks Cryptographic protocols are usually specified with: the intended message sequence interoperability considerations Analysis performed is based on an operational semantics of cryptographic protocols Specifications of cryptographic protocols are not analyzed, their implementation isCompilation problemCan we compute an as secure as possible implementation of a givenspecification? Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 47/88
  48. 48. Cryptographic Protocol AnalysisRemarks Cryptographic protocols are usually specified with: the intended message sequence interoperability considerations Analysis performed is based on an operational semantics of cryptographic protocols Specifications of cryptographic protocols are not analyzed, their implementation isCompilation problemCan we compute an as secure as possible implementation of a givenspecification? Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 48/88
  49. 49. Computation of an InteroperableImplementation(joint work with M. Rusinowitch Main idea An implementation has to solve,each time it sends a message, a reachability problem. Theorem [with Rusi 10] If D -ground reachability problems are effectively decidable then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D . Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature) Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 49/88
  50. 50. Computation of a Secure ImplementationDefinitionA deduction system D has the finite basis property if, for every finite sequenceof messages ϕ , there exists a finite set S of pairs of constructions such thatψ |= M = N for all (M , N ) ∈ S iff ψ is a refinement of ϕ .Remarks Decision procedures for static equivalence usually compute such a finite set Permits to compute an implementation that accepts only the refinements of the intended message sequence.Conclusion: Justifies cryptographic protocol analysis relying on the operational semantics of the protocol Important point: we can automatically compute a secure implementation of any conversation Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 50/88
51. Plan
    Distributed systems
    Logical Model
    Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
    Current and Future Works
52. Outline
    Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
53. Reachability Decision Procedures
    Reminder: D-Reachability: Can the attacker successfully complete the execution of the other entities?
    Many results: Amadio, Lugiez 2000 (atomic keys); Millen, Shmatikov 2001 (any keys); Comon-Lundh, Shmatikov 2003 (xor); Delaune, Jacquemard 2004 (collapsing); Baudet 2004 (subterm); Bernat, Comon-Lundh 2006 (blind signature); ...
    Common pattern:
    - Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants.
    - Prove that the size of this substitution can be bounded by using a "pumping lemma".
    - Guess this substitution to reduce the problem to a ground reachability problem.
    - Prove that the latter is decidable.
56. Results Obtained
    Reachability decision procedures:
    - With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003).
    - With Kourjieh: decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006); decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007).
    Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system.
58. Generalisation: Saturated Deduction Systems
    Saturation:
    - Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger.
    - Our procedure relied on different hypotheses, but was only applicable for specific sets of Horn clauses.
    Generalization: We have extended our proof to arbitrary sets of clauses.
    - Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation.
    - Consequence 2: with further hypotheses, decidability of non-ground problems.
61. Combination of Equational Theories
    Principle: Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2.
    Well-known results: Schmidt-Schauß 86, Baader+Schulz 92: combination of unifiability procedures for disjoint equational theories.
    A trivial problem? Additional constraints needed [Jan Otop, 2010].
    Question: Can we reuse these results to obtain similar ones for reachability analysis?
64. Application to Refutation of Protocols
    Additional constraints:
    - The attacker has to build the solution.
    - Preservation of the natural structure of these constraints.
    Results obtained:
    - Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05).
    - Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06).
66. Beyond the Security Analysis of Protocols
    [Figure: a client and a server exchanging Msg 1, Msg 2, Msg 3 over a network, with an attacker on the network]
    Example: Cryptographic protocols
    - Entities are the client, server, ...
    - The state is the point reached by the entity in the protocol.
    - An attacker can interfere with the communications.
    We obtain for free a decision procedure for orchestration.
67. Beyond the Security Analysis of Protocols
    [Figure: Provider 1 and Provider 2 offering Op. 1, Op. 2, Op. 3, connected over a network to an orchestrator]
    Web Services:
    - Entities are service providers, which may be stateful or not.
    - An orchestrator can interact with these providers to provide a new functionality.
    We obtain for free a decision procedure for orchestration.
68. Orchestration
    Model:
    - Messages of the services are decorated with guards and persistent assertions (limiting assumption, but well-suited for security).
    - The goal service is specified with an ordered sequence of messages and guards that have to be satisfied (finite execution); models both interaction with a client and security constraints.
69. Results obtained (with Mekki, Rusinowitch, WSCMA07, FAST09)
    - Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols.
    - A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe.
    - If it exists, we can compute a conversation...: that considers the cryptographically protected parts of the messages; that satisfies persistent security and functionality constraints; that adapts messages to suit the different service interfaces.
71. Can we connect the dots?
    Summary: If it exists, we can compute a conversation describing an orchestration with security constraints.
    Reminder (compilation): we can automatically compute a secure implementation of any conversation.
    Question: Can we actually compute an orchestration and deploy it as a service?
    Automated deployment of orchestrations:
    - Implementation by M.A. Mekki.
    - Currently as a Tomcat servlet.
    - Further work is planned to obtain compliant Web Services.
75. Plan
    Distributed systems
    Logical Model
    Security analysis
    Current and Future Works
76. Equivalence (M. Baudet, 2004)
    Definition (Subterm deduction systems): A deduction system is subterm iff its equational theory is convergent and contains only equations l = r with r a subterm of l, or r a ground term.
    Theorem (Baudet, CCS 2004): If D is a subterm deduction system, then D-equivalence is decidable.
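As an added worked example (not code from the talk, nor from the author's tools such as CL-AtSe), the following Python script makes two ideas from the slides concrete: the syntactic half of Baudet's subterm condition from slide 76 is checked over a small set of destructor rewrite rules (fst, snd, sdec, adec; constructed here, and convergence of the rules is assumed rather than checked), and the ground D-reachability question behind slides 49 and 53 (can the attacker derive a given message from a finite knowledge set?) is decided by saturating only within the subterms of the knowledge and the goal. That restriction is the usual locality argument for subterm systems and is what makes the saturation terminate. Term encoding, rule set and knowledge sets are all constructed sample data.

```python
"""Ground derivability (intruder deduction) in a subterm deduction system.

Terms are nested tuples such as ('senc', m, k); rule variables are strings
starting with '?' (e.g. '?x'); other strings are constants.  All sample data
below is constructed for illustration.
"""
from itertools import product

# Constructors the attacker may apply to any terms it already knows.
CONSTRUCTORS = {'pair': 2, 'senc': 2, 'aenc': 2, 'pk': 1, 'hash': 1}

# Destructor rewrite rules l -> r.  In Baudet's sense the system is "subterm"
# when every r is a subterm of l or a ground term (constructed rule set).
RULES = [
    (('fst', ('pair', '?x', '?y')), '?x'),
    (('snd', ('pair', '?x', '?y')), '?y'),
    (('sdec', ('senc', '?x', '?k'), '?k'), '?x'),
    (('adec', ('aenc', '?x', ('pk', '?k')), '?k'), '?x'),
]


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def variables(t):
    if is_var(t):
        return {t}
    if isinstance(t, str):
        return set()
    return set().union(*(variables(a) for a in t[1:]))


def subterms(t):
    """All subterms of t, including t itself."""
    acc = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            acc |= subterms(a)
    return acc


def is_subterm_system(rules):
    """Syntactic part of the definition; convergence is assumed, not checked."""
    return all(r in subterms(l) or not variables(r) for l, r in rules)


def match(pattern, term, subst):
    """One-way matching of a rule pattern against a ground term."""
    if is_var(pattern):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if isinstance(pattern, str) or isinstance(term, str):
        return subst if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def instantiate(t, subst):
    if is_var(t):
        return subst[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(instantiate(a, subst) for a in t[1:])


def derivable(knowledge, goal, rules=RULES):
    """Decide whether the attacker can derive `goal` from `knowledge`.

    Constructor applications are kept only when the result lies among the
    subterms of knowledge ∪ {goal}; destructor results are instances of a
    right-hand side and so already lie in that finite set.  Hence the
    saturation terminates (ground reachability is decidable here).
    """
    bound = set().union(*(subterms(t) for t in list(knowledge) + [goal]))
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        fresh = set()
        for lhs, rhs in rules:                      # destructor steps
            arity = len(lhs) - 1
            for args in product(known, repeat=arity):
                s = match(lhs, (lhs[0],) + args, {})
                if s is not None:
                    fresh.add(instantiate(rhs, s))
        for f, n in CONSTRUCTORS.items():           # constructor steps
            for args in product(known, repeat=n):
                t = (f,) + args
                if t in bound:
                    fresh.add(t)
        if not fresh <= known:
            known |= fresh
            changed = True
    return goal in known


if __name__ == '__main__':
    # Constructed scenario: a session key k wrapped under a long-term key ltk.
    knowledge = {('senc', ('pair', 'k', 'n'), 'ltk'), ('senc', 'secret', 'k')}
    print(is_subterm_system(RULES))                   # True
    print(derivable(knowledge, 'secret'))             # False: ltk is unknown
    print(derivable(knowledge | {'ltk'}, 'secret'))   # True: unwrap, project, decrypt
```

The bound on constructor results is the only thing that keeps the loop finite; dropping it would let the attacker build ever larger pairs and ciphertexts, which is exactly the unbounded search the "pumping lemma" step on slide 53 is there to avoid. Rules whose right-hand side is ground but not a subterm would still be handled, since their result is a fixed term and the saturation stays finite.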
77. Own current and future work
    - Past: Another proof of this fact [with Rusinowitch, JAR 2010].
    - Current: Definition of a generalization of subterm deduction systems, encompassing saturated deduction systems à la Kourjieh.
    - Future: Modularity of D-equivalence decision procedures?
78. Multiple attackers (with Avanesov, Rusinowitch, Turuani)
    Setting:
    - Multiple, non-communicating attackers.
    - Model for code injected into applications in different places of the network.
    - Dual problem: distributed orchestration.
    A few decidability (standard cryptography) and undecidability results.
    Generic criterion for lifting reachability decidability results to this problem?
79. Extensions
    Entities with loops / Combination:
    - Automata-based methods are able to synthesize orchestrations with loops.
    - Future work: combination with our synthesis algorithms.
    - More generally: aspect-based analysis.
    ForAll loops:
    - Model XPath queries on messages with function symbols.
    - Difficulty: solving the associated unifiability problems.
81. Contextual Deduction
    Contextual deduction (Reddy, Bronsard):
    - Employ resolution with unification replaced by pattern-matching.
    - Not refutationally complete in general.
    - Contrary to expectations, not complete for order-saturated sets of clauses.
    RTA LOOP 37: Is there a notion of 'complete theory' for which contextual deduction is complete for refutation of ground clauses?
    Own current and future work:
    - Past: a re-definition of ordered saturation that keeps some redundant clauses.
    - Future: prove that contextual deduction is complete for such saturated sets of clauses.
84. Future work
    [Figure: communicating entities Entity 1, Entity 2, Entity 3 with States 1, 2, 3, connected through a network]
    Distributed systems: several entities, communicating by message passing on a network.
85. Future work
    [Figure: Application 1 and Application 2 exchanging Output 1, Input 2, Output 3 through an OS, inside an environment]
    Separation kernels:
    - Entities are the applications hosted by the system.
    - Communications go through an OS that implements an access control policy.
    - Validate the possible executions in a given environment.
86. 40+ years ago...
    Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece" (source: Super Freakonomics).
    Many incarnations: component-based software engineering; multi-agent systems; ...