1.
Logical Approach to the Security Analysis of Distributed Systems
Yannick Chevalier, Université Toulouse 3
Toulouse, 25/02/2011
2.
Outline
- Distributed systems
- Logical Model
- Security analysis
- Current and Future Works
Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 2/88
3.
Plan
- Distributed systems: Distributed systems; Analysis of distributed systems
- Logical Model
- Security analysis
- Current and Future Works
4.
Outline: Distributed systems
- Distributed systems
- Analysis of distributed systems
5.
Distributed Systems: Communicating entities
[Figure: Entity 1, Entity 2 and Entity 3, each with its own state (State 1, State 2, State 3), connected through a Network]
Distributed systems:
- Several entities
- Communicating by message passing on a network
6.
Distributed Systems: Communicating entities
[Figure: a Client and a Server exchanging Msg 1, Msg 2, Msg 3 over a Network, with an attacker on the network]
Example: Cryptographic Protocols
- Entities are the client, the server, ...
- The state is the point reached by the entity in the protocol
- An attacker can interfere with the communications
7.
Distributed Systems: Communicating entities
[Figure: Provider 1 and Provider 2 offering Op. 1, Op. 2, Op. 3 over a Network, with an Orchestrator]
Web Services:
- Entities are service providers, which may be stateful or not
- An orchestrator can interact with these providers to provide a new functionality
9.
Security Analysis of Distributed Systems
[Figure: a Client and a Server exchanging Msg 1, Msg 2, Msg 3 over a Network, with an attacker]
Principle:
- Specify the participating entities
- Specify a property
- Check whether the property is satisfied by the possible executions
Security Properties: Secrecy; Authentication; Strong secrecy
Remarks: Not deterministic; Infinitely branching
12.
Security Analysis of Distributed Systems
[Figure: the same Client/Server exchange (Msg 1, Msg 2, Msg 3) with an attacker, but with the OS in place of the Network between the entities]
Principle:
- Specify the participating entities
- Specify a property
- Check whether the property is satisfied by the possible executions
Security Properties: Secrecy; Authentication; Strong secrecy
Remarks: Not deterministic; Infinitely branching
21.
Outline
- Distributed systems: Distributed systems; Analysis of distributed systems
- Logical Model: Formal model of entities; Decision problems; Compilation of conversations
- Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
- Current and Future Works
22.
Plan
- Distributed systems
- Logical Model: Formal model of entities; Decision problems; Compilation of conversations
- Security analysis
- Current and Future Works
23.
Outline: Logical Model
- Formal model of entities
- Decision problems
- Compilation of conversations
24.
Equational Theories: Modeling message properties
Encryption: enc(x_msg, pk(x_key)); decryption: dec(x_msg, sk(x_key))
  ∀x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
Associativity of concatenation _ · _:
  ∀x, y, z: x · (y · z) = (x · y) · z
Generic model:
- Data and operations are modeled with function symbols in a first-order signature
- Effects of operations and properties of data constructors are modeled with an equational theory
26.
Deduction Systems
Some function symbols denote relations between terms rather than computable functions:
  ∀x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
Deduction systems: a deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions.
Deduction system as a set of Horn clauses:
- Let know_e(t) be a predicate denoting that the value of t is known by e
- Equivalent to a set of Horn clauses, each of the form: know_e(x1), ..., know_e(xn) ⇒ know_e(f(x1, ..., xn))
29.
Entity Specification
Generic model:
- Set of multi-set rewriting rules (Cervesato et al.)
- State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project)
- Employed to describe distributed systems, but impractical for describing decision procedures
Domain-specific models:
- For cryptographic protocols
- For Web Services
- ...
- Employed to describe decision procedures, based on simplifying assumptions
33.
Models Employed
Program without loops: logical specification of possible actions: roles in a cryptographic protocol; Web Services without Trust Negotiation policy; Orchestrator; ...
Deduction systems: Attacker; Policy Enforcement Point; ...
Combination of both (work with Balbiani, El Houri): Web services with Trust Negotiation policies
37.
Ground Reachability
Setting:
- An observer witnesses an execution of the system without interfering with it: t1, ..., tn
- A goal is specified with a ground term t
- Question: can t be deduced given the messages t1, ..., tn?
Remarks:
- Model of the possible constructions by the observer
- Unsatisfactory model of the observer's knowledge
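Added example (Python; not code from the slides nor from any tool the speaker mentions): the deduction system of slides 24 and 26 written as Horn clauses, and the ground reachability question of this slide decided in the usual two phases, decomposition of the observed messages to a fixpoint (analysis) followed by composition towards the goal (synthesis). Assumptions of this illustration: terms are nested tuples; the theory is dec(enc(x, pk(k)), sk(k)) = x plus pairing with fst/snd; sk stays in the signature but outside the computable subset, so a private key is never built from a name; the messages T1, T2 and the handles w1..wn are constructed. The value returned is a construction (recipe) over the handles, which is also what an implementation has to produce each time it sends a message (compilation slides further on).

```python
"""Ground reachability (deducibility) for a small deduction system, written as
an added illustration of the Horn-clause view of a deduction system.
Constructed example, not code from the slides.
Terms: atoms are strings, compound terms are tuples (symbol, args...).
Equational theory: dec(enc(x, pk(k)), sk(k)) = x, fst(pair(x, y)) = x,
snd(pair(x, y)) = y.  Computable symbols: pair, enc, pk, dec, fst, snd;
sk is in the signature but NOT computable (no private key from a name)."""

COMPOSABLE = {"pair", "enc", "pk"}   # constructors the observer may apply


def synthesize(goal, known):
    """Composition clauses know(x1),..,know(xn) => know(f(x1,..,xn)).
    Returns a recipe (construction over the handles w1..wn) for `goal`,
    or None.  `known` maps a deduced term to the recipe that yields it."""
    if goal in known:
        return known[goal]
    if isinstance(goal, tuple) and goal[0] in COMPOSABLE:
        parts = [synthesize(arg, known) for arg in goal[1:]]
        if all(p is not None for p in parts):
            return (goal[0], *parts)
    return None


def analyze(known):
    """Decomposition clauses, applied up to a fixpoint:
       know(pair(x, y))                 => know(x), know(y)
       know(enc(x, pk(k))), know(sk(k)) => know(x)
    sk(k) is not composable, so it must already have been deduced."""
    changed = True
    while changed:
        changed = False
        for term, recipe in list(known.items()):
            if not isinstance(term, tuple):
                continue
            new = []
            if term[0] == "pair":
                new = [(term[1], ("fst", recipe)), (term[2], ("snd", recipe))]
            elif term[0] == "enc" and isinstance(term[2], tuple) and term[2][0] == "pk":
                key = synthesize(("sk", term[2][1]), known)
                if key is not None:
                    new = [(term[1], ("dec", recipe, key))]
            for t, r in new:
                if t not in known:
                    known[t] = r
                    changed = True
    return known


def deduce(messages, goal):
    """Ground reachability: can `goal` be deduced from the observed messages
    t1..tn?  Returns a construction over w1..wn (the witness an implementation
    would send, or the attack step a tool would report), or None."""
    known = {t: f"w{i}" for i, t in enumerate(messages, start=1)}
    return synthesize(goal, analyze(known))


# Constructed observation: a sealed pair for bob, and a message leaking sk(bob).
T1 = ("enc", ("pair", "nonce", "secret"), ("pk", "bob"))
T2 = ("pair", "hello", ("sk", "bob"))

if __name__ == "__main__":
    print(deduce([T1], "secret"))         # None: secrecy of "secret" holds
    print(deduce([T1, T2], "secret"))     # ('snd', ('dec', 'w1', ('snd', 'w2')))
    print(deduce(["nonce", "bob"], ("enc", "nonce", ("pk", "bob"))))  # ('enc', 'w1', ('pk', 'w2'))
```

Usage: `deduce` answers None when the goal is not deducible, which is how secrecy of `secret` is established when only T1 has been observed; once the pair leaking sk(bob) is observed as well, the returned recipe snd(dec(w1, snd(w2))) is the concrete witness of the secrecy violation. Asking for sk(bob) from the name bob alone also yields None, because sk is outside the computable subset of the signature.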
39.
Static Equivalence 1/2: Intuition
Setting:
- A game in which the observer witnesses the execution of one out of two possible distributed systems: t1, ..., tn
- Question: can the observer deduce which distributed system this execution belongs to?
Remarks:
- Possible tests on the execution: constructions using the deduction system and nonce creation; equality tests
- Model of the observer's knowledge
- Lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...
41.
Static Equivalence 2/2: Technical description
Description of the game:
- Input: 2 sequences of messages, each representing the execution of one of the distributed systems
- Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other
Asymmetric version: Refinement [with Rusinowitch 10]
- A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same results on ϕ yields the same result on ψ.
- Notation: ψ ⊨ M = N if the constructions M, N yield equal results when applied on the terms of ψ
43.
Reachability and Equivalence (context: cryptographic protocols)
Setting:
- All entities but the attacker are modeled by loop-free programs
- The attacker is modeled by a deduction system
Definition: D-Reachability. Can the attacker successfully complete the execution of the other entities?
Definition: D-Equivalence. Can the attacker devise a completion in which he will be able to find with which system he interacts?
47.
Cryptographic Protocol Analysis
Remarks:
- Cryptographic protocols are usually specified with: the intended message sequence; interoperability considerations
- The analysis performed is based on an operational semantics of cryptographic protocols
- Specifications of cryptographic protocols are not analyzed; their implementations are
Compilation problem: can we compute an as secure as possible implementation of a given specification?
49.
Computation of an Interoperable Implementation (joint work with M. Rusinowitch)
Main idea: an implementation has to solve, each time it sends a message, a reachability problem.
Theorem [with Rusinowitch 10]: if D-ground reachability problems are effectively decidable, then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D.
Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature).
50.
Computation of a Secure Implementation
Definition: a deduction system D has the finite basis property if, for every finite sequence of messages ϕ, there exists a finite set S of pairs of constructions such that ψ ⊨ M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.
Remarks:
- Decision procedures for static equivalence usually compute such a finite set
- Permits to compute an implementation that accepts only the refinements of the intended message sequence
Conclusion:
- Justifies cryptographic protocol analysis relying on the operational semantics of the protocol
- Important point: we can automatically compute a secure implementation of any conversation
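Added example (Python; not from the slides nor from any of the tools mentioned) for the refinement relation of slide 41 and the finite-basis idea of this slide: ψ refines ϕ when every pair of constructions (M, N) with ϕ ⊨ M = N also satisfies ψ ⊨ M = N, and static equivalence is refinement in both directions. Instead of computing the finite basis S that a decision procedure would produce, the check enumerates all constructions up to a nesting depth; that bound is an assumption of this illustration, so a returned pair (M, N) is a genuine witness that ψ does not refine ϕ, while None only means no witness up to that depth. The theory is the subterm convergent system dec(enc(x, pk(k)), sk(k)) → x plus fst/snd of pairs; the frames, the public constants "0" and "1" and the handle names are constructed. It also shows why the slides list strong secrecy separately from secrecy: once pk(k) is public, the observer does not need to decrypt enc(0, pk(k)) to learn the plaintext, since re-encrypting the guess "0" under w2 and comparing with w1 already separates the two frames (deterministic encryption).

```python
"""Refinement and static equivalence of frames, checked by enumerating the
observer's constructions (recipes) up to a nesting-depth bound.
Constructed illustration, not code from the slides.  Theory (oriented as a
convergent, subterm rewrite system):
    fst(pair(x, y)) -> x      snd(pair(x, y)) -> y
    dec(enc(x, pk(k)), sk(k)) -> x
Terms: atoms are strings, compound terms are tuples (symbol, args...).
Recipes use handles w1..wn for the frame entries plus public constants."""

UNARY = ("pk", "fst", "snd")       # computable symbols of arity 1 (sk is not)
BINARY = ("enc", "pair", "dec")    # computable symbols of arity 2


def normalize(t):
    """Innermost normal form under the three rewrite rules above."""
    if not isinstance(t, tuple):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    a0 = args[0]
    if f in ("fst", "snd") and isinstance(a0, tuple) and a0[0] == "pair":
        return a0[1] if f == "fst" else a0[2]
    if (f == "dec" and isinstance(a0, tuple) and a0[0] == "enc"
            and isinstance(a0[2], tuple) and a0[2][0] == "pk"
            and args[1] == ("sk", a0[2][1])):
        return a0[1]
    return (f, *args)


def evaluate(recipe, frame):
    """Value of a construction on a frame: substitute wi := frame[i-1], normalize."""
    def subst(r):
        if isinstance(r, tuple):
            return (r[0], *[subst(a) for a in r[1:]])
        if r.startswith("w") and r[1:].isdigit():
            return frame[int(r[1:]) - 1]
        return r  # public constant
    return normalize(subst(recipe))


def recipes(n_handles, public, depth):
    """All constructions over w1..wn and the public constants, nested at most
    `depth` deep.  The depth bound is an assumption of this illustration."""
    level = [f"w{i}" for i in range(1, n_handles + 1)] + list(public)
    for _ in range(depth):
        new = [(f, r) for f in UNARY for r in level]
        new += [(f, a, b) for f in BINARY for a in level for b in level]
        level = list(dict.fromkeys(level + new))
    return level


def refines(psi, phi, public=("0", "1"), depth=2):
    """None if, up to the bound, psi refines phi (every pair of constructions
    equal on phi is equal on psi); otherwise a witness (M, N) with
    phi |= M = N but not psi |= M = N."""
    assert len(phi) == len(psi)
    groups = {}
    for r in recipes(len(phi), public, depth):
        groups.setdefault(evaluate(r, phi), []).append(r)
    for same_on_phi in groups.values():
        m = same_on_phi[0]
        vm = evaluate(m, psi)
        for n in same_on_phi[1:]:
            if evaluate(n, psi) != vm:
                return (m, n)
    return None


def statically_equivalent(phi, psi, public=("0", "1"), depth=2):
    """Static equivalence = refinement in both directions (up to the bound)."""
    return (refines(psi, phi, public, depth) is None
            and refines(phi, psi, public, depth) is None)


# Constructed frames: the observer saw one ciphertext; "0" and "1" are public.
CT0 = ("enc", "0", ("pk", "k"))
CT1 = ("enc", "1", ("pk", "k"))

if __name__ == "__main__":
    print(statically_equivalent([CT0], [CT1]))              # True: nothing to test with
    print(refines([CT1, ("pk", "k")], [CT0, ("pk", "k")]))  # witness: re-encrypt "0", compare
    print(refines([CT1, ("sk", "k")], [CT0, ("sk", "k")]))  # witness: decrypt, compare with "0"
    print(refines([CT0, ("sk", "k")], [CT0, "n"]))          # None: sk(k) instance refines fresh n
```

Design note: within one group of constructions that agree on ϕ, comparing every member with the first one suffices, since equality on ψ is transitive. The last call illustrates the asymmetry of refinement: the frame where w2 is the private key sk(k) refines the frame where w2 is a fresh name n (every equality true of the generic frame stays true of its instance), but not the other way round, because dec(w1, w2) = "0" holds only when w2 really is sk(k).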
51.
Plan
- Distributed systems
- Logical Model
- Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
- Current and Future Works
53.
Reachability Decision Procedures
Reminder: D-Reachability. Can the attacker successfully complete the execution of the other entities?
Many results: Amadio, Lugiez 2000 (atomic keys); Millen, Shmatikov 2001 (any keys); Comon-Lundh, Shmatikov 2003 (xor); Delaune-Jacquemard 2004 (collapsing); Baudet 2004 (subterm); Bernat, Comon-Lundh 2006 (blind signature); ...
Common pattern:
- Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants
- Prove that the size of this substitution can be bounded by using a "pumping lemma"
- Guess this substitution to reduce the problem to a ground reachability problem
- Prove that the latter is decidable
56.
Results Obtained: Reachability decision procedures
- With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003)
- With Kourjieh: decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006); decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007)
- Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system
58.
Generalisation: Saturated Deduction Systems
Saturation:
- Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger
- Our procedure relied on different hypotheses, but was only applicable for specific sets of Horn clauses
Generalization:
- We have extended our proof to arbitrary sets of clauses
- Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation
- Consequence 2: with further hypotheses, decidability of non-ground problems
61.
Combination of Equational Theories
Principle: reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2
Well-known results: Schmidt-Schauß 86, Baader+Schulz 92: combination of unifiability procedures for disjoint equational theories
A trivial problem? Additional constraints needed [Jan Otop, 2010]
Question: can we reuse these results to obtain similar ones for reachability analysis?
64.
Application to Refutation of Protocols
Additional constraints:
- The attacker has to build the solution
- Preservation of the natural structure of these constraints
Results obtained:
- Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05)
- Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06)
66.
Beyond the Security Analysis of Protocols
[Figure: a Client and a Server exchanging Msg 1, Msg 2, Msg 3 over a Network, with an attacker]
Example: Cryptographic Protocols
- Entities are the client, the server, ...
- The state is the point reached by the entity in the protocol
- An attacker can interfere with the communications
We obtain for free a decision procedure for orchestration
67.
Beyond the Security Analysis of Protocols
[Figure: Provider 1 and Provider 2 offering Op. 1, Op. 2, Op. 3 over a Network, with an Orchestrator]
Web Services:
- Entities are service providers, which may be stateful or not
- An orchestrator can interact with these providers to provide a new functionality
We obtain for free a decision procedure for orchestration
68.
Orchestration
Model:
- Messages of the services are decorated with guards and persistent assertions
- Limiting assumption, but well-suited for security
- The goal service is specified with an ordered sequence of messages and guards that have to be satisfied: finite execution
- Models both the interaction with a client and security constraints
69.
Results obtained (with Mekki, Rusinowitch; WSCMA 07, FAST 09)
- Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols
- A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe
- If it exists, we can compute a conversation: that considers the cryptographically protected parts of the messages; that satisfies persistent security and functionality constraints; that adapts messages to suit the different service interfaces
71.
Can we connect the dots?
Summary: if it exists, we can compute a conversation describing an orchestration with security constraints
Reminder (compilation): we can automatically compute a secure implementation of any conversation
Question: can we actually compute an orchestration and deploy it as a service?
Automated deployment of orchestrations:
- Implementation by M.A. Mekki
- Currently as a Tomcat servlet
- Further work is planned to obtain compliant Web Services
75.
Plan
Distributed systems
Logical Model
Security analysis
Current and Future Works
Equivalence (M. Baudet, 2004)
Definition (subterm deduction systems): a deduction system is subterm iff its equational theory is convergent and contains only equations l = r with r a subterm of l, or r a ground term.
Theorem (Baudet, CCS 2004): if D is a subterm deduction system, then D-equivalence is decidable.
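As an added worked example (not part of the talk, and not Baudet's procedure), the following Python shows why the subterm restriction matters on the simpler deducibility problem (can the attacker derive a given message?) rather than on D-equivalence itself. It takes the classic Dolev-Yao instance of a subterm deduction system: decryption and projection rules whose right-hand side is a variable, hence a subterm, of the left-hand side. Because analysis with such rules can only produce subterms of intercepted messages, saturating the attacker's knowledge under the destructors terminates, and deducibility reduces to a finite saturation followed by a synthesis check. The function symbols, the rules, and the intercepted messages are constructed for illustration.

```python
"""Deducibility under a subterm-convergent deduction system (added example).

Terms are nested tuples headed by a function symbol, e.g. ('enc', 'm', 'k')
for m encrypted under k; atoms are plain strings; pattern variables in the
rewrite rules start with '?'. The rules, the symbols and the intercepted
messages below are constructed for illustration and are not from the talk.
"""

# Public constructors the attacker may apply to anything it knows.
CONSTRUCTORS = {"enc", "aenc", "pair", "pk", "h"}

# Subterm-convergent rules l -> r: each r is a subterm (here a variable) of l.
# Element 1 of each l is the term being analysed; the remaining elements are
# keys the attacker must be able to build.
RULES = [
    (("dec", ("enc", "?x", "?k"), "?k"), "?x"),             # symmetric decryption
    (("adec", ("aenc", "?x", ("pk", "?y")), "?y"), "?x"),   # asymmetric decryption
    (("fst", ("pair", "?x", "?y")), "?x"),                   # first projection
    (("snd", ("pair", "?x", "?y")), "?y"),                   # second projection
]


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pat, term, sub):
    """Syntactic matching: extend `sub` so that pat[sub] == term, or fail."""
    if is_var(pat):
        if pat in sub:
            return sub[pat] == term
        sub[pat] = term
        return True
    if isinstance(pat, tuple):
        if not (isinstance(term, tuple) and len(term) == len(pat) and term[0] == pat[0]):
            return False
        return all(match(p, t, sub) for p, t in zip(pat[1:], term[1:]))
    return pat == term


def subst(t, sub):
    """Apply a substitution; every variable in t must be bound."""
    if is_var(t):
        return sub[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, sub) for a in t[1:])
    return t


def subterms(t):
    """All subterms of t (used to check the locality property)."""
    out = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            out |= subterms(a)
    return out


def synthesizable(t, known):
    """Can t be built from `known` with public constructors only?"""
    if t in known:
        return True
    return (isinstance(t, tuple) and t[0] in CONSTRUCTORS
            and all(synthesizable(a, known) for a in t[1:]))


def analyse(knowledge):
    """Saturate `knowledge` under the destructor rules.

    Because every rule is subterm, each new term is a subterm of an
    intercepted message, so the loop terminates on a finite knowledge set.
    Keys needed by a rule may themselves be synthesized (e.g. a pair of
    two known atoms), which is why synthesizable() is consulted here.
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in RULES:
            for u in list(known):
                sub = {}
                if not match(lhs[1], u, sub):
                    continue
                if all(synthesizable(subst(k, sub), known) for k in lhs[2:]):
                    r = subst(rhs, sub)
                    if r not in known:
                        known.add(r)
                        changed = True
    return known


def deducible(t, knowledge):
    """Decision procedure: analyse first, then synthesize (locality)."""
    return synthesizable(t, analyse(knowledge))


# Constructed scenario: s is sent under a session key that is the pair
# (k1, k2); k1 leaked in clear and k2 was sent to b under b's public key.
INTERCEPTED = {
    ("enc", "s", ("pair", "k1", "k2")),
    "k1",
    ("aenc", "k2", ("pk", "b")),
}

if __name__ == "__main__":
    print("s deducible from traffic alone:", deducible("s", INTERCEPTED))
    print("s deducible once b's private key leaks:", deducible("s", INTERCEPTED | {"b"}))
```

The two-phase shape (analyse, then synthesize) is exactly what breaks for non-subterm theories: a rule whose right-hand side is not a subterm of its left-hand side can keep producing fresh terms, so the saturation has no obvious bound. Checking D-equivalence, as in the theorem above, additionally has to compare which tests the attacker can distinguish on two frames, which this example does not attempt.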
Own current and future work
Past: another proof of this fact [with Rusinowitch, JAR 2010].
Current: definition of a generalization of subterm deduction systems, encompassing saturated deduction systems à la Kourjieh.
Future: modularity of D-equivalence decision procedures?
Multiple attackers (with Avanesov, Rusinowitch, Turuani)
Setting: multiple, non-communicating attackers; a model for code injected into applications in different places of the network.
Dual problem: distributed orchestration.
A few decidability (standard cryptography) and undecidability results.
Open question: a generic criterion for lifting reachability decidability results to this problem?
Extensions
Entities with loops (combination): automata-based methods are able to synthesize orchestrations with loops; future work: combination with our synthesis algorithms. More generally: aspect-based analysis.
ForAll loops: model XPath queries on messages with function symbols; difficulty: solving the associated unifiability problems.
Contextual Deduction
Contextual deduction (Reddy, Bronsard): employ resolution with unification replaced by pattern-matching. Not refutationally complete in general; contrary to expectations, not complete for order-saturated sets of clauses.
RTA LOOP 37: is there a notion of 'complete theory' for which contextual deduction is complete for the refutation of ground clauses?
Own current and future work
Past: a re-definition of ordered saturation that keeps some redundant clauses.
Future: prove that contextual deduction is complete for such saturated sets of clauses.
Future work: communicating entities
[Figure: Entity 1, Entity 2, Entity 3, each with its own state, connected through a network.]
Distributed systems: several entities communicating by message passing on a network.
Future work: separation kernels
[Figure: Application 1 and Application 2 exchanging inputs and outputs through an OS, within an environment.]
Entities are the applications hosted by the system; communications go through an OS that implements an access control policy.
Goal: validate the possible executions in a given environment.
40+ years ago...
Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece" (source: Super Freakonomics).
Many incarnations: component-based software engineering, multi-agent systems, ...