Executable specification of cryptofraglets with Maude for security verification

Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented by Daniel Schreckling (Univ. Passau, Germany) and Lidia Yamamoto (Univ. Basel, Switzerland)

Transcript of Executable specification of cryptofraglets with Maude for security verification

Page 1

Executable specification of cryptofraglets with Maude

for security verification

Fabio Martinelli and Marinella Petrocchi

IIT-CNR, Pisa Italy

presented by

Daniel Schreckling (Univ. Passau, Germany) and Lidia Yamamoto (Univ. Basel, Switzerland)

Page 2

Overview

• Introduction: context, motivation, and goal

• The Fraglets language

– Cryptofraglets

– Threat model

• Maude specification language

– Cryptofraglets in Maude

– Case study: attack detection on Needham Schroeder Public Key (NSPK) protocol

• Conclusions, future work

Page 3

Introduction

• Adaptive and autonomic systems need:

– New methodologies to assess security and trustworthiness of network protocols and services in a potentially changing environment

– Techniques for automated security verification

• Chemical computing (e.g. Gamma, Fraglets) as a tool for specifying autonomic behavior

• Goal

– Development of a software tool supporting specification of crypto-protocols in Fraglets and their security analysis

Page 4

The Fraglets Language

• Programming language inspired by chemistry

– Code and data represented as molecules = strings = computation fragments

– Processing by chemical reactions that consume and produce molecules (code and data)

– Goal: automated synthesis and evolution of communication protocols

Page 5

Fraglets Basic Instruction Set

(educts) (products)

Page 6

The Fraglets Language

• Fraglets processing: chemical reactions perform string rewriting operations

– head of string fully determines rewriting operation

– analogous to packet header processing in network protocols

• Distributed computation: Fraglets (computation fragments) flow through a computer network

• Applications: active networks, self-modifying code, autonomic communication protocols

Page 7

Cryptofraglets

• Original Fraglets language lacked security features

• Cryptofraglets [BIONETICS 2006]: our extension of the Fraglets instruction set for

– symmetric/asymmetric cryptography

– hashing techniques

• Encryption: [enc newtag k1 tail] → [newtag tail_k1]

• Decryption: [dec newtag k2 tail_k2] → [newtag tail]

• Hash: [hash newtag tail] → [newtag h(tail)]

Page 8

Fraglets-Based Threat Model

• Protocol specification involving two honest roles

– initiator SS

– responder SR.

• Communication flow through untrusted store SX

• Secret keys initially contained in the legitimate store(s)

Page 9

Definition of Security Properties

• It is now possible to define security properties (secrecy, authentication, integrity…)

• Classical notion of intruder’s knowledge rephrased:

– the set of symbols that the intruder's store contains

– example: secrecy property: “at each point of the computation, a symbol is secret between initiator and responder if it is not possible for the intruder store to know that symbol”

(Formal definitions in the Bionetics 2009 paper)

Page 10

The Maude Rewrite System

• Reflective specification language and system based on Rewriting Logic

• Distributed systems specified as:

– Algebraic data type axiomatizing system state

– Rewrite rules axiomatising system’s local transitions

• Provides executable semantics and toolkit allowing for formal reasoning

• User-defined execution strategies allow for state exploration strategies, e.g., breadth-first search

Page 11

What is a rewrite rule?

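mod climate is
  *** one sort with two constants: the possible states
  sort wheatercondition .
  op sunnyday : -> wheatercondition .
  op rainyday : -> wheatercondition .
  *** labelled rewrite rule: a local transition from one state to the other
  rl [raincloud] : sunnyday => rainyday .
endm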

Page 12

Maude “search” strategies

• Maude commands

– rewrite command explores one possible sequence of rewrites

– search command looks for all the possible traces from an initial configuration to a particular configuration of interest (e.g. set of fraglets in store X)

• Possibility to exploit built-in toolkits:

– model checker

– theorem prover

– user-defined ad hoc search strategies

Page 13

We use Maude for…

• Encoding of fraglets (crypto)instructions into an executable specification

• Perform security analysis on this specification

• Case study

– Formulation of Needham Schroeder Public Key protocol

– Attack on flawed version of NSPK analyzed and detected

Page 14

Encoding

• Fraglets instructions become rewrite rules

• Example

– Dup (duplicate symbol)

– Send (transfer fraglet from one store to another)

Page 15

Encoding

• En/decryption-instructions:

Page 16

Case Study: NSPK Protocol

• Protocol authenticates two agents A and B

• At the end of the protocol

– Agents know their identities

– Agents share a secret (nonces)

• Original protocol was vulnerable to a man-in-the-middle attack

• Implementation of vulnerable version in fraglets

Page 17

Flawed NSPK in Maude

• Translate fraglets version into Maude

• Command rewrite takes initial configuration of fraglets in stores A, B, and X

• Maude executes two interleaved sessions of NSPK

• At the end of computation:

– Store A contains newly received nonce nb

– Store B contains [what expected]

– Store X contains [auxtag5 nb]

• Maude detects secrecy violation
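
The enc/dec/hash instructions from the Cryptofraglets slide and the search-based secrecy check described here, as an added sketch that is not the authors' encoding and is much smaller than the NSPK case study. The store names A and X, the symbols out, got, k, kx and msg, the constructors st, crypt and h, and the match and send rule shapes are assumptions made for this example.

```maude
mod CRYPTOFRAGLETS-SKETCH is
  sorts Symbol Tail Fraglet Soup Store Config .
  subsort Symbol < Tail .
  subsort Fraglet < Soup .
  subsort Store < Config .

  ops enc dec hash send match : -> Symbol [ctor] .  *** instruction tags
  ops A X out got k kx msg : -> Symbol [ctor] .     *** constructed sample symbols
  op __ : Tail Tail -> Tail [ctor assoc] .          *** non-empty string of symbols
  op crypt : Tail Symbol -> Symbol [ctor] .         *** tail encrypted under a key
  op h : Tail -> Symbol [ctor] .                    *** hash of a tail
  op [_] : Tail -> Fraglet [ctor] .
  op none : -> Soup [ctor] .
  op _;_ : Soup Soup -> Soup [ctor assoc comm id: none] .
  op st : Symbol Soup -> Store [ctor] .             *** named store and its content
  op _||_ : Config Config -> Config [ctor assoc comm] .

  vars T K N D : Symbol .
  vars L L1 L2 : Tail .
  vars F G : Soup .

  *** Right-hand sides are parenthesised so that a closing "]" is never
  *** read as a statement attribute list.
  rl [enc]   : [enc T K L]           => ([T crypt(L, K)]) .
  rl [dec]   : [dec T K crypt(L, K)] => ([T L]) .   *** fires only if the keys agree
  rl [hash]  : [hash T L]            => ([T h(L)]) .
  rl [match] : [match T L1] ; [T L2] => ([L1 L2]) .
  rl [send]  : st(N, [send D L] ; F) || st(D, G)
            => st(N, F) || st(D, [L] ; G) .
endm

*** Store X holds only kx. A encrypts under kx: can [got msg] appear in X?
search st(A, [enc out kx msg] ; [match out send X out])
    || st(X, [match out dec got kx])
   =>* st(X, [got msg] ; F:Soup) || C:Config .

*** Same program, but A encrypts under k, which X does not hold.
search st(A, [enc out k msg] ; [match out send X out])
    || st(X, [match out dec got kx])
   =>* st(X, [got msg] ; F:Soup) || C:Config .
```

The first query reaches a state where msg sits in clear in store X, which is the secrecy violation in the sense of the intruder-knowledge definition above. The second cannot reach such a state, because the dec rule only applies when the key in the fraglet equals the key inside crypt.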

Page 18

Conclusions

• Main result:

– assessment of usefulness of executing fraglets specifications for security verification purposes

• Possible follow-ups:

– analyzing complex security protocols and properties;

– definition of the fraglets-based most powerful intruder to verify security properties over universal quantification