Yannick Chevalier - Habilitation (final)
TRANSCRIPT
Logical Approach to the Security Analysis of Distributed Systems
Yannick Chevalier, Université Toulouse 3, Toulouse, 25/02/2011
Outline
Distributed systems
Logical Model
Security analysis
Current and Future Works
Yannick Chevalier, Toulouse, 25/02/2011Université Toulouse 3Habilitation 2/88
Part 1: Distributed systems
- Distributed systems
- Analysis of distributed systems
Distributed Systems: Communicating entities
[Figure: Entity 1 (with State 1, State 2, State 3), Entity 2 and Entity 3 connected through a Network]
Distributed systems:
- Several entities
- Communicating by message passing on a network
Distributed Systems: Communicating entities
[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3 over a Network on which an attacker sits]
Example: Cryptographic Protocols
- Entities are the client, server, ...
- The state is the point reached by the entity in the protocol
- An attacker can interfere with the communications
Distributed Systems: Communicating entities
[Figure: Provider 1 (offering Op. 1, Op. 2, Op. 3) and Provider 2 connected through a Network to an Orchestrator]
Web Services:
- Entities are service providers, which may be stateful or not
- An orchestrator can interact with these providers to provide a new functionality
Analysis of distributed systems
Security Analysis of Distributed Systems
Principle
- Specify the participating entities
- Specify a property
- Check whether the property is satisfied by the possible executions
[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3; the attacker sits on the Network (later animation steps of this slide place it in the OS)]
Security Properties
- Secrecy
- Authentication
- Strong secrecy
Remarks
- Not deterministic
- Infinitely branching
Outline (detailed)
Distributed systems: Distributed systems; Analysis of distributed systems
Logical Model: Formal model of entities; Decision problems; Compilation of conversations
Security analysis: Reachability & Refutation; Combination results; Computing an Orchestration
Current and Future Works

Part 2: Logical Model
- Formal model of entities
- Decision problems
- Compilation of conversations

Formal model of entities
Equational Theories: Modeling message properties
- Encryption: enc(xmsg, pk(xkey)); Decryption: dec(xmsg, sk(xkey))
  ∀xmsg, xkey, dec(enc(xmsg, pk(xkey)), sk(xkey)) = xmsg
- Associativity of concatenation _·_
  ∀x, y, z, x · (y · z) = (x · y) · z
Generic model
- Data and operations are modeled with function symbols in a first-order signature
- Effects of operations and properties of data constructors are modeled with an equational theory
Deduction Systems
Some function symbols denote relations between terms rather than computable functions:
∀xmsg, xkey, dec(enc(xmsg, pk(xkey)), sk(xkey)) = xmsg
Deduction systems
A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions.
Deduction system as a set of Horn clauses
- Let know_e(t) be a predicate denoting that t's value is known by e
- Equivalent to a set of Horn clauses, each of the form:
  know_e(x1), ..., know_e(xn) ⇒ know_e(f(x1, ..., xn))
Entity Specification
Generic model
- Set of multi-set rewriting rules (Cervesato et al.)
- State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project)
Employed to describe distributed systems, but impractical for describing decision procedures
Domain-specific models
- For cryptographic protocols
- For Web Services
- ...
Employed to describe decision procedures, based on simplifying assumptions
Models Employed
Program without loops
- Roles in a cryptographic protocol
- Web Services without Trust Negotiation policy
- Policy Enforcement Point
Deduction systems
Logical specification of possible actions:
- Attacker
- Orchestrator
- ...
Combination of both (work with Balbiani, ElHouri): Web services with Trust Negotiation policies
Decision problems
Ground Reachability
Setting
- An observer witnesses an execution of the system without interfering with it: t1, ..., tn
- A goal is specified with a ground term t
- Question: Can t be deduced given the messages t1, ..., tn?
Remarks
- Model of the possible constructions by the observer
- Unsatisfactory model of the observer's knowledge
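As an added worked example (not code from the talk), here is a small Python encoding of the deduction-system-as-Horn-clauses view from the Deduction Systems slide and of the ground reachability question above. The knowledge predicate know_e is represented by a set of ground terms; the composition clauses know(x1), ..., know(xn) ⇒ know(f(x1, ..., xn)) are represented by the set of computable constructors; the decomposition clauses are read off the equations dec(enc(x, pk(k)), sk(k)) = x, sdec(senc(x, k), k) = x and the pair projections. The signature (enc, senc, pair, pk, sk, h), the decompose-then-compose procedure and the observed trace are assumptions of this example; that two-phase procedure is complete for this subterm-convergent theory but would have to be revisited for the theories the later slides add (xor, exponentiation).

```python
# Terms: an atom is a string, a compound term is a tuple (symbol, arg1, ..., argn).
# Constructed vocabulary for this example (not the talk's own):
#   ("enc", m, ("pk", k))  asymmetric encryption      ("sk", k)  private key
#   ("senc", m, k)         symmetric encryption       ("pair", a, b), ("h", m)

# Composition clauses  know(x1), ..., know(xn) => know(f(x1, ..., xn))
# exist for every symbol the observer can compute; sk is deliberately absent.
CONSTRUCTORS = {"pair", "enc", "senc", "pk", "h"}


def can_compose(t, known):
    """know(t) via composition clauses only: t is already known, or t = f(args)
    with f computable and every argument itself composable."""
    if t in known:
        return True
    return (isinstance(t, tuple) and t[0] in CONSTRUCTORS
            and all(can_compose(arg, known) for arg in t[1:]))


def decompose_step(t, known):
    """Decomposition clauses, each justified by one equation of the theory:
    fst(pair(x, y)) = x, snd(pair(x, y)) = y,
    dec(enc(x, pk(k)), sk(k)) = x, sdec(senc(x, k), k) = x."""
    if not isinstance(t, tuple):
        return set()
    f = t[0]
    if f == "pair":
        return {t[1], t[2]}
    if f == "enc" and isinstance(t[2], tuple) and t[2][0] == "pk":
        # sk(k) is not a constructor, so the private key must be known outright
        return {t[1]} if ("sk", t[2][1]) in known else set()
    if f == "senc" and can_compose(t[2], known):
        return {t[1]}
    return set()


def saturate(messages):
    """Close the observed messages under the decomposition clauses (fixpoint)."""
    known = set(messages)
    while True:
        new = set()
        for t in known:
            new |= decompose_step(t, known)
        new -= known
        if not new:
            return known
        known |= new


def deducible(goal, messages):
    """Ground reachability: can `goal` be deduced from the messages t1, ..., tn?"""
    return can_compose(goal, saturate(messages))


# Constructed sample execution witnessed by a passive attacker (eve): a session
# key k and a nonce are sent to bob under his public key, then a secret under k.
OBSERVED = [
    ("enc", ("pair", "n_a", "k"), ("pk", "bob")),
    ("senc", "secret", "k"),
    ("pk", "bob"),      # public keys are public
    ("sk", "eve"),      # the attacker's own private key
    "n_eve",            # a nonce the attacker generated herself
]


def demo():
    """Three ground reachability questions on the sample trace."""
    return {
        # the secret is protected: sk(bob) is never learned, so k stays unknown
        "secret_from_trace": deducible("secret", OBSERVED),
        # composition: eve can encrypt her own nonce for bob
        "forge_ciphertext": deducible(("enc", "n_eve", ("pk", "bob")), OBSERVED),
        # if bob's private key leaks, decryption chains all the way to the secret
        "secret_if_sk_leaks": deducible("secret", OBSERVED + [("sk", "bob")]),
    }


if __name__ == "__main__":
    print(demo())
```

The first question is the one a secrecy property asks of a passive observer; the third shows why the remark on the slide matters: the answer depends on the knowledge set alone, so a leaked sk(bob) silently flips it.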
Static Equivalence 1/2: Intuition
Setting
- A game in which the observer witnesses the execution of one out of two possible distributed systems: t1, ..., tn
- Question: Can the observer deduce to which distributed system this execution belongs?
Remarks
- Possible tests on the execution:
  - constructions using the deduction system and nonce creation
  - equality tests
- Model of observer's knowledge
- Lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...
Static Equivalence 2/2: Technical description
Description of the game
Input: 2 sequences of messages, each representing the execution of one of the distributed systems
Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other
Asymmetric version: Refinement [with Rusinowitch 10]
A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same results on ϕ yields the same result on ψ.
Notation: ψ |= M = N if the constructions M, N yield equal results when applied on the terms of ψ
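The following Python code is an added example (not from the talk) that makes the game on this slide and the previous one concrete, and also shows the set of equality tests that the finite basis property on the later "Computation of a Secure Implementation" slide relies on. A frame is the list of witnessed messages t1, ..., tn; a construction is a term over handles w1, ..., wn, the public constants and the computable symbols; ψ |= M = N is checked by evaluating both constructions on ψ and comparing normal forms. Instead of testing pairs of constructions one by one, the code partitions all constructions up to a depth bound by their value on ϕ (every pair inside one class is an equality ϕ |= M = N) and checks that each class collapses to a single value on ψ, which is exactly the refinement condition; static equivalence is refinement in both directions. The signature (symmetric encryption, pairing, two public constants), the depth bound and the sample frames are assumptions of this example; because constructions are enumerated only up to that depth, a returned distinguishing test is a genuine witness of non-equivalence, while a "refines" verdict holds only relative to the bound.

```python
from functools import lru_cache
from itertools import product

# Terms: atoms are strings, compound terms are tuples (symbol, arg1, ...).
# Constructed signature (assumption of this example): the observer can use the
# public constants, pairing/projection and symmetric encryption/decryption;
# handles w1, w2, ... refer to the i-th message of the witnessed execution.
PUBLIC = ("0", "1")
UNARY = ("fst", "snd")
BINARY = ("pair", "senc", "sdec")


def normalize(t):
    """Normal form modulo the subterm-convergent theory
    fst(pair(x, y)) = x, snd(pair(x, y)) = y, sdec(senc(x, k), k) = x."""
    if not isinstance(t, tuple):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    inner = args[0] if isinstance(args[0], tuple) else None
    if f == "fst" and inner and inner[0] == "pair":
        return inner[1]
    if f == "snd" and inner and inner[0] == "pair":
        return inner[2]
    if f == "sdec" and inner and inner[0] == "senc" and inner[2] == args[1]:
        return inner[1]
    return (f, *args)


def evaluate(recipe, frame):
    """Value yielded by the construction `recipe` on `frame` (w_i -> frame[i-1])."""
    if isinstance(recipe, tuple):
        return normalize((recipe[0], *(evaluate(r, frame) for r in recipe[1:])))
    if recipe[0] == "w" and recipe[1:].isdigit():
        return frame[int(recipe[1:]) - 1]
    return recipe  # public constant


@lru_cache(maxsize=None)
def recipes(n_handles, depth):
    """All constructions of depth <= `depth` over the handles and the public signature."""
    found = [f"w{i}" for i in range(1, n_handles + 1)] + list(PUBLIC)
    for _ in range(depth):
        layer = [(f, r) for f in UNARY for r in found]
        layer += [(f, a, b) for f in BINARY for a, b in product(found, repeat=2)]
        seen = set(found)
        found += [r for r in layer if r not in seen]
    return tuple(found)


def equalities(frame, rs):
    """Partition the constructions by the value they yield on `frame`:
    M = N holds on the frame iff M and N fall in the same class.  The classes
    are the (bounded) set of tests S that a finite basis would summarise."""
    classes = {}
    for r in rs:
        classes.setdefault(evaluate(r, frame), []).append(r)
    return classes


def refines(psi, phi, depth=2):
    """psi refines phi (up to the depth bound): every M = N holding on phi holds on psi."""
    rs = recipes(len(phi), depth)
    return all(len({evaluate(r, psi) for r in group}) == 1
               for group in equalities(phi, rs).values())


def statically_equivalent(phi, psi, depth=2):
    """Static equivalence is refinement in both directions."""
    return refines(psi, phi, depth) and refines(phi, psi, depth)


def distinguishing_test(phi, psi, depth=2):
    """A pair (M, N) with M = N on exactly one of the two frames, or None."""
    rs = recipes(len(phi), depth)
    for a, b in ((phi, psi), (psi, phi)):
        for group in equalities(a, rs).values():
            witnesses = {}
            for r in group:
                witnesses.setdefault(evaluate(r, b), r)
            if len(witnesses) > 1:
                return tuple(witnesses.values())[:2]
    return None


# Constructed sample frames: the two systems differ only in the encrypted bit;
# "k" is a private key name that never occurs in any construction.
PHI = [("senc", "0", "k"), "k"]            # key leaked next to the ciphertext
PSI = [("senc", "1", "k"), "k"]
PHI_HIDDEN = [("senc", "0", "k")]          # key stays secret
PSI_HIDDEN = [("senc", "1", "k")]

if __name__ == "__main__":
    print(distinguishing_test(PHI, PSI))          # e.g. ('0', ('sdec', 'w1', 'w2'))
    print(statically_equivalent(PHI_HIDDEN, PSI_HIDDEN))
```

With the key leaked, the observer wins the game with the test sdec(w1, w2) = 0, which holds on one execution and fails on the other; with the key hidden, no construction up to the bound separates the two frames. The refinement direction is visible on the frames [a, a] and [a, b]: the first refines the second (it satisfies every equality the second does, and one more), but not conversely.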
Reachability and Equivalence
Context: cryptographic protocols
Setting
- All entities but the attacker are modeled by loop-free programs
- Attacker modelled by a deduction system
Definition: D-Reachability
Can the attacker successfully complete the execution of the other entities?
Definition: D-Equivalence
Can the attacker devise a completion in which he will be able to find out with which system he interacts?
Compilation of conversations
Cryptographic Protocol Analysis
Remarks
- Cryptographic protocols are usually specified with:
  - the intended message sequence
  - interoperability considerations
- The analysis performed is based on an operational semantics of cryptographic protocols
Specifications of cryptographic protocols are not analyzed; their implementation is.
Compilation problem
Can we compute an as-secure-as-possible implementation of a given specification?
Computation of an Interoperable Implementation (joint work with M. Rusinowitch)
Main idea
An implementation has to solve, each time it sends a message, a reachability problem.
Theorem [with Rusinowitch 10]
If D-ground reachability problems are effectively decidable then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D.
Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature)
Computation of a Secure Implementation
Definition
A deduction system D has the finite basis property if, for every finite sequence of messages ϕ, there exists a finite set S of pairs of constructions such that ψ |= M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.
Remarks
- Decision procedures for static equivalence usually compute such a finite set
- Permits to compute an implementation that accepts only the refinements of the intended message sequence
Conclusion:
- Justifies cryptographic protocol analysis relying on the operational semantics of the protocol
- Important point: we can automatically compute a secure implementation of any conversation
Part 3: Security analysis
- Reachability & Refutation
- Combination results
- Computing an Orchestration

Reachability & Refutation
Reachability Decision Procedures
Reminder: D-Reachability
Can the attacker successfully complete the execution of the other entities?
Many results: Amadio, Lugiez 2000 (atomic keys); Millen, Shmatikov 2001 (any keys); Comon-Lundh, Shmatikov 2003 (xor); Delaune, Jacquemard 2004 (collapsing); Baudet 2004 (subterm); Bernat, Comon-Lundh 2006 (blind signature); ...
Common pattern
- Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants
- Prove that the size of this substitution can be bounded by using a "pumping lemma"
- Guess this substitution to reduce the problem to a ground reachability problem
- Prove that the latter is decidable
Results Obtained
Reachability decision procedures
- With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003)
- With Kourjieh:
  - Decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006)
  - Decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007)
Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system
Generalisation: Saturated Deduction Systems
Saturation
- Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger
- Our procedure relied on different hypotheses, but was only applicable for specific sets of Horn clauses
Generalization
- We have extended our proof to arbitrary sets of clauses
- Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation
- Consequence 2: with further hypotheses, decidability of non-ground problems
Combination results
Combination of Equational Theories
Principle
Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2
Well-known results
- Schmidt-Schauß 86, Baader+Schulz 92
- Combination of unifiability procedures for disjoint equational theories
A trivial problem? Additional constraints needed [Jan Otop, 2010]
Question: Can we reuse these results to obtain similar ones for reachability analysis?
Application to Refutation of Protocols
Additional constraints
- The attacker has to build the solution
- Preservation of the natural structure of these constraints
Results obtained
- Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05)
- Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06)
Computing an Orchestration
Beyond the Security Analysis of Protocols
[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3 over a Network on which an attacker sits]
Example: Cryptographic Protocols
- Entities are the client, server, ...
- The state is the point reached by the entity in the protocol
- An attacker can interfere with the communications
[Figure: Provider 1 (offering Op. 1, Op. 2, Op. 3) and Provider 2 connected through a Network to an Orchestrator]
Web Services:
- Entities are service providers, which may be stateful or not
- An orchestrator can interact with these providers to provide a new functionality
We obtain for free a decision procedure for orchestration
Orchestration
Model
- Messages of the services are decorated with guards and persistent assertions
  (limiting assumption, but well-suited for security)
- Goal service is specified with an ordered sequence of messages and guards that have to be satisfied
  (finite execution)
- Models both interaction with a client and security constraints
Results obtained (with Mekki, Rusinowitch; WSCMA07, FAST09)
- Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols
- A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe
If it exists, we can compute a conversation...:
- that considers the cryptographically protected parts of the messages
- that satisfies persistent security and functionality constraints
- that adapts messages to suit the different service interfaces
Can we connect the dots?
Summary
If it exists, we can compute a conversation describing an orchestration with security constraints
Reminder (compilation): we can automatically compute a secure implementation of any conversation
Question: Can we actually compute an orchestration and deploy it as a service?
Automated deployment of orchestrations
- Implementation by M.A. Mekki
- Currently as a Tomcat servlet
- Further work is planned to obtain compliant Web Services
Plan
Distributed systems
Logical Model
Security analysis
Current and Future Works
Equivalence (M. Baudet, 2004)
Definition (Subterm deduction systems): A deduction system is subterm iff its equational theory is
- convergent
- contains only equations l = r with
  - r a subterm of l, or
  - r a ground term
Theorem (Baudet, CCS 2004): If D is a subterm deduction system, then D-equivalence is decidable
Own current and future work
- Past: Another proof of this fact [with Rusinowitch, JAR 2010]
- Current: Definition of a generalization of subterm deduction systems, encompassing saturated deduction systems à la Kourjieh
- Future: Modularity of D-equivalence decision procedures?
Multiple attackers (with Avanesov, Rusinowitch, Turuani)
Setting
- Multiple, non-communicating, attackers
- Model for code injected into applications in different places of the network
- Dual problem: distributed orchestration
- A few decidability (standard cryptography) and undecidability results
Generic criterion for lifting reachability decidability results to this problem?
Extensions: Entities with Loops
Combination
- Automata-based methods are able to synthesize orchestration with loops
- Future work: combination with our synthesis algorithms
- More generally: Aspect-based analysis
ForAll loops
- Model XPath queries on messages with function symbols
- Difficulty: solving associated unifiability problems
Contextual Deduction (Reddy, Bronsard)
- Employ resolution with unification replaced by pattern-matching
- Not refutationally complete in general
- Contrary to expectations, not complete for ordered saturated sets of clauses
RTA LOOP #37: Is there a notion of 'complete theory' for which contextual deduction is complete for refutation of ground clauses?
Own current and future work
- Past: a re-definition of ordered saturation that keeps some redundant clauses
- Future: prove that contextual deduction is complete for such saturated sets of clauses
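Added example (not part of the talk, and a deliberate simplification of Reddy and Bronsard's calculus): it shows on two unit clauses why replacing unification by one-way matching costs refutational completeness. Terms are plain Python data (variable = lowercase string, constant = 1-tuple, application = (symbol, args...)); the clause pair is constructed here, and the two clauses are assumed to be already renamed apart.

```python
# Added example: one-way matching versus two-way unification as the
# operation driving a resolution step between a positive and a negative
# unit clause. Term encoding: variable = lowercase string,
# constant = ('a',), application = (symbol, arg1, ..., argn).

def is_var(t):
    return isinstance(t, str)

def occurs(v, t):
    """Occurs check: does variable v appear in term t?"""
    if t == v:
        return True
    return (not is_var(t)) and any(occurs(v, a) for a in t[1:])

def apply(sub, t):
    """Apply substitution `sub` (a dict) to term `t`, following chains."""
    if is_var(t):
        return apply(sub, sub[t]) if t in sub else t
    return (t[0],) + tuple(apply(sub, a) for a in t[1:])

def match(pattern, term, sub=None):
    """One-way matching: only variables of `pattern` may be bound; `term`
    is rigid, its variables behave like constants. Returns sub or None."""
    sub = {} if sub is None else sub
    if is_var(pattern):
        if pattern in sub:
            return sub if sub[pattern] == term else None
        sub[pattern] = term
        return sub
    if is_var(term) or term[0] != pattern[0] or len(term) != len(pattern):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sub) is None:
            return None
    return sub

def unify(s, t, sub=None):
    """Two-way unification with occurs check. Returns the mgu or None."""
    sub = {} if sub is None else sub
    s, t = apply(sub, s), apply(sub, t)
    if s == t:
        return sub
    if is_var(s):
        if occurs(s, t):
            return None
        sub[s] = t
        return sub
    if is_var(t):
        return unify(t, s, sub)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if unify(a, b, sub) is None:
            return None
    return sub

def resolvable_by_matching(pos_atom, neg_atom):
    """Contextual-style step: one atom must be an instance of the other,
    i.e. matching succeeds in at least one direction."""
    return (match(pos_atom, neg_atom) is not None
            or match(neg_atom, pos_atom) is not None)

def resolvable_by_unification(pos_atom, neg_atom):
    """Ordinary binary resolution step between P(...) and not P(...)."""
    return unify(pos_atom, neg_atom) is not None

# Constructed clause pair: P(a, y) and not P(x, b). The empty clause follows
# by unification ({x -> a, y -> b}), but neither atom is an instance of the
# other, so a matching-only prover cannot refute this unsatisfiable set.
POS = ('P', ('a',), 'y')
NEG = ('P', 'x', ('b',))

if __name__ == "__main__":
    print("unification:", resolvable_by_unification(POS, NEG))
    print("matching   :", resolvable_by_matching(POS, NEG))
```

The point of the example is the asymmetry: matching never instantiates the variables of the clause being resolved against, so a derivation that needs both clauses to be instantiated at once is simply unavailable, whatever saturation the clause set has undergone.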
Future work: Communicating entities
[Figure: Entity 1 (State 1, State 2, State 3), Entity 2 and Entity 3 communicating over a Network]
Distributed systems:
- Several entities
- Communicating by message passing on a network
Future work: Communicating entities
[Figure: Application 1 (Output 1, Input 2, Output 3) and Application 2 communicating through the OS, within an Environment]
Separation kernels:
- Entities are the applications hosted by the system
- Communications through an OS that implements an access control policy
- Validate the possible executions in a given environment
40+ years ago. . .
Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece" (source: Super Freakonomics)
Many incarnations:
- Component-based software engineering
- Multi-agent systems
- . . .