Yannick Chevalier - Habilitation (final)

Logical Approach to the Security Analysis of Distributed Systems
Yannick Chevalier, Université Toulouse 3
Toulouse, 25/02/2011 (88 slides)

Transcript of Yannick Chevalier - Habilitation (final)

Page 1: Yannick Chevalier - Habilitation (final)

Logical Approach to the Security Analysis of Distributed Systems

Yannick Chevalier, Université Toulouse 3, Toulouse, 25/02/2011

Page 2: Yannick Chevalier - Habilitation (final)

Outline

- Distributed systems
- Logical Model
- Security analysis
- Current and Future Works

Yannick Chevalier, Toulouse, 25/02/2011 - Université Toulouse 3 - Habilitation 2/88

Page 3: Yannick Chevalier - Habilitation (final)

Plan

- Distributed systems
  - Distributed systems
  - Analysis of distributed systems
- Logical Model
- Security analysis
- Current and Future Works

Page 4: Yannick Chevalier - Habilitation (final)

Outline

- Distributed systems
  - Distributed systems
  - Analysis of distributed systems

Page 5: Yannick Chevalier - Habilitation (final)

Distributed Systems: Communicating entities

[Figure: Entity 1 (State 1, State 2, State 3), Entity 2 and Entity 3 connected through a Network]

Distributed systems:

- Several entities
- Communicating by message passing on a network

Page 6: Yannick Chevalier - Habilitation (final)

Distributed Systems: Communicating entities

[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3 over a Network on which an attacker sits]

Example: Cryptographic Protocols

- Entities are the client, server, ...
- The state is the point reached by the entity in the protocol
- An attacker can interfere with the communications

Page 7: Yannick Chevalier - Habilitation (final)

Distributed Systems: Communicating entities

[Figure: Provider 1 (Op. 1, Op. 2, Op. 3) and Provider 2 reached by an Orchestrator over a Network]

Web Services:

- Entities are service providers, which may be stateful or not
- An orchestrator can interact with these providers to provide a new functionality

Page 9: Yannick Chevalier - Habilitation (final)

Security Analysis of Distributed Systems

Principle

- Specify the participating entities
- Specify a property
- Check whether the property is satisfied by the possible executions

[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3 over a Network with an attacker]

Security Properties

- Secrecy
- Authentication
- Strong secrecy

Remarks

- Not deterministic
- Infinitely branching

Page 12: Yannick Chevalier - Habilitation (final)

Security Analysis of Distributed Systems

Principle

- Specify the participating entities
- Specify a property
- Check whether the property is satisfied by the possible executions

[Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3, with an attacker; the middle box is labelled OS on this slide]

Security Properties

- Secrecy
- Authentication
- Strong secrecy

Remarks

- Not deterministic
- Infinitely branching

Page 21: Yannick Chevalier - Habilitation (final)

Outline

- Distributed systems
  - Distributed systems
  - Analysis of distributed systems
- Logical Model
  - Formal model of entities
  - Decision problems
  - Compilation of conversations
- Security analysis
  - Reachability & Refutation
  - Combination results
  - Computing an Orchestration
- Current and Future Works

Page 22: Yannick Chevalier - Habilitation (final)

Plan

- Distributed systems
- Logical Model
  - Formal model of entities
  - Decision problems
  - Compilation of conversations
- Security analysis
- Current and Future Works

Page 23: Yannick Chevalier - Habilitation (final)

Outline

- Logical Model
  - Formal model of entities
  - Decision problems
  - Compilation of conversations

Page 24: Yannick Chevalier - Habilitation (final)

Equational Theories: Modeling message properties

- Encryption: enc(x_msg, pk(x_key)); decryption: dec(x_msg, sk(x_key))

  ∀ x_msg, x_key.  dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg

- Associativity of concatenation _ · _

  ∀ x, y, z.  x · (y · z) = (x · y) · z

Generic model

- Data and operations are modeled with function symbols in a first-order signature
- Effects of operations and properties of data constructors are modeled with an equational theory

Page 26: Yannick Chevalier - Habilitation (final)

Deduction Systems

Some function symbols denote relations between terms rather than computable functions:

  ∀ x_msg, x_key.  dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg

Deduction systems

A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions.

Deduction system as a set of Horn clauses

- Let know_e(t) be a predicate denoting that t's value is known by e
- Equivalent to a set of Horn clauses, each of the form:

  know_e(x_1), ..., know_e(x_n) ⇒ know_e(f(x_1, ..., x_n))

Pages 29-32: Yannick Chevalier - Habilitation (final)

Entity Specification

Generic model

- Set of multi-set rewriting rules (Cervesato et al.)
- State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project)

Employed to describe distributed systems, but impractical for describing decision procedures

Domain-specific models

- For cryptographic protocols
- For Web Services
- ...

Employed to describe decision procedures, based on simplifying assumptions

Page 33: Yannick Chevalier - Habilitation (final)

Models Employed

Program without loops

- roles in a cryptographic protocol
- Web Services without Trust Negotiation policy
- Policy Enforcement Point

Deduction systems

Logical specification of possible actions:

- Attacker
- Orchestrator
- ...

Combination of both (work with Balbiani, ElHouri): Web services with Trust Negotiation policies

Page 37: Yannick Chevalier - Habilitation (final)

Ground Reachability

Setting

- An observer witnesses an execution of the system without interfering with it: t_1, ..., t_n
- A goal is specified with a ground term t
- Question: can t be deduced given the messages t_1, ..., t_n?

Remarks

- Model of the possible constructions by the observer
- Unsatisfactory model of the observer's knowledge

Page 39: Yannick Chevalier - Habilitation (final)

Static Equivalence 1/2: Intuition

Setting

- A game in which the observer witnesses the execution of one out of two possible distributed systems: t_1, ..., t_n
- Question: can the observer deduce which of the two distributed systems this execution belongs to?

Remarks

- Possible tests on the execution:
  - constructions using the deduction system and nonce creation
  - equality tests
- Model of the observer's knowledge
- Lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...

Page 41: Yannick Chevalier - Habilitation (final)

Static Equivalence 2/2: Technical description

Description of the game

Input: two sequences of messages, each representing the execution of one of the distributed systems

Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other

Asymmetric version: Refinement [with Rusinowitch 10]

A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same result on ϕ yields the same result on ψ.

Notation: ψ |= M = N if the constructions M, N yield equal results when applied to the terms of ψ
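The two-execution game and the refinement relation defined on this slide, worked through as an added example; this is my illustration, not code from the talk or from any of the tools or papers it cites. A sequence of messages is a frame mapping handles w1, w2, ... to ground terms, a construction is a recipe over those handles and public constants, and ψ |= M = N is checked by evaluating both recipes on ψ modulo the equations. Everything concrete is an assumption of the example: the equational theory (public-key enc/dec with pk/sk over a seed, plus pair/fst/snd), the vote and SAME/DIFF frames, the public constants "yes"/"no", and above all the depth bound on recipes, which is a brute-force approximation of the decision procedures the slide refers to (those handle the unbounded set of tests).

```python
from itertools import product

# Term and recipe representation, constructed for this example: atoms are
# strings, compound terms are tuples (symbol, arg1, ..., argn).  Keys are
# pk(k) / sk(k) over a seed k.  Symbols the observer may apply in a recipe:
UNARY = ("fst", "snd")
BINARY = ("enc", "dec", "pair")


def normalise(t):
    """Bottom-up rewriting with the equations assumed here:
       dec(enc(x, pk(k)), sk(k)) = x,  fst(pair(a, b)) = a,  snd(pair(a, b)) = b.
       A dec/fst/snd that matches nothing stays as a stuck (garbage) term."""
    if not isinstance(t, tuple):
        return t
    sym, *args = t
    args = [normalise(a) for a in args]
    if sym == "dec" and isinstance(args[0], tuple) and args[0][0] == "enc":
        msg, key = args[0][1], args[0][2]
        if isinstance(key, tuple) and key[0] == "pk" and args[1] == ("sk", key[1]):
            return msg
    if sym in UNARY and isinstance(args[0], tuple) and args[0][0] == "pair":
        return args[0][1] if sym == "fst" else args[0][2]
    return (sym, *args)


def evaluate(recipe, frame):
    """Value of a construction on a frame: handles (w1, w2, ...) are replaced
       by the frame's terms, other atoms are public constants, then normalised."""
    if isinstance(recipe, str):
        return frame.get(recipe, recipe)
    return normalise((recipe[0], *(evaluate(r, frame) for r in recipe[1:])))


def recipes_upto(leaves, depth):
    """Every construction over `leaves` with at most `depth` nested symbol
       applications (the bound is this example's approximation)."""
    known = set(leaves)
    for _ in range(depth):
        layer = {(u, r) for u in UNARY for r in known}
        layer |= {(b, x, y) for b in BINARY for x, y in product(known, repeat=2)}
        known |= layer
    return known


def partition(frame, recipes):
    """Group recipes by their value on the frame: two recipes in one group
       form an equality test M = N that holds on this frame (frame |= M = N)."""
    groups = {}
    for r in recipes:
        groups.setdefault(evaluate(r, frame), []).append(r)
    return list(groups.values())


def distinguishing_test(phi, psi, recipes):
    """A pair (M, N) with phi |= M = N but not psi |= M = N, or None."""
    for group in partition(phi, recipes):
        by_value = {}
        for r in group:
            by_value.setdefault(evaluate(r, psi), r)
        if len(by_value) > 1:
            return tuple(list(by_value.values())[:2])
    return None


def refines(psi, phi, recipes):
    """psi refines phi: every test that holds on phi also holds on psi."""
    return distinguishing_test(phi, psi, recipes) is None


def statically_equivalent(phi, psi, recipes):
    """The two-execution game: answer NO (False) iff some test separates the
       frames, i.e. refinement fails in at least one direction."""
    return refines(psi, phi, recipes) and refines(phi, psi, recipes)


# Constructed frames: a one-bit vote encrypted under pk(k); "yes" and "no" are
# public constants.  LEAK_* additionally reveal the private key as w2.
PUBLIC = ("yes", "no")
VOTE_YES = {"w1": ("enc", "yes", ("pk", "k"))}
VOTE_NO = {"w1": ("enc", "no", ("pk", "k"))}
LEAK_YES = {**VOTE_YES, "w2": ("sk", "k")}
LEAK_NO = {**VOTE_NO, "w2": ("sk", "k")}
# Refinement: two copies of one ciphertext versus two different ciphertexts.
SAME = {"w1": ("enc", "yes", ("pk", "k")), "w2": ("enc", "yes", ("pk", "k"))}
DIFF = {"w1": ("enc", "yes", ("pk", "k")), "w2": ("enc", "no", ("pk", "k"))}


def demo():
    one = recipes_upto(("w1",) + PUBLIC, 2)
    two = recipes_upto(("w1", "w2") + PUBLIC, 1)
    return {
        "vote_hidden": statically_equivalent(VOTE_YES, VOTE_NO, one),
        "vote_leaked": statically_equivalent(LEAK_YES, LEAK_NO, two),
        "witness": distinguishing_test(LEAK_YES, LEAK_NO, two),  # dec(w1, w2) against "yes"
        "same_refines_diff": refines(SAME, DIFF, two),
        "diff_refines_same": refines(DIFF, SAME, two),
    }
```

Over the bounded recipe set the two vote frames are statically equivalent, while the key-leaking ones are separated by the test dec(w1, w2) = yes. For refinement, SAME refines DIFF (every test true on DIFF is true on SAME) but DIFF does not refine SAME, because the test w1 = w2 holds only on SAME; that one-sidedness is exactly what the asymmetric definition captures.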

Page 43: Yannick Chevalier - Habilitation (final)

Reachability and Equivalence: Context: cryptographic protocols

Setting

- All entities but the attacker are modeled by loop-free programs
- Attacker modelled by a deduction system

Definition: D-Reachability

Can the attacker successfully complete the execution of the other entities?

Definition: D-Equivalence

Can the attacker devise a completion in which he will be able to find with which system he interacts?

Page 47: Yannick Chevalier - Habilitation (final)

Cryptographic Protocol Analysis

Remarks

- Cryptographic protocols are usually specified with:
  - the intended message sequence
  - interoperability considerations
- The analysis performed is based on an operational semantics of cryptographic protocols

Specifications of cryptographic protocols are not analyzed; their implementation is.

Compilation problem

Can we compute an as-secure-as-possible implementation of a given specification?

Page 49: Yannick Chevalier - Habilitation (final)

Computation of an Interoperable Implementation (joint work with M. Rusinowitch)

Main idea

An implementation has to solve, each time it sends a message, a reachability problem.

Theorem [with Rusinowitch 10]

If D-ground reachability problems are effectively decidable then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D.

Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature)
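An added example of the main idea on this slide, and of the ground reachability problem and Horn-clause view of a deduction system from the earlier slides; it is my code, not the talk's and not that of the tools it mentions. analyse saturates a knowledge set under the decomposition clauses (the Horn clauses that take terms apart), synthesise looks for a construction top-down with the computable symbols, and compile_role solves one ground reachability problem per message a role has to send, which is what an interoperable implementation must do. The deduction system (binary pairing in place of the slides' associative concatenation, public-key encryption, and a signature whose message is readable), the two-message challenge/response conversation, the names A, B, Na, Nb, kA, kB and the handle names are all constructed for the illustration.

```python
# Term representation (constructed for this example): atoms are strings,
# compound terms are tuples (symbol, arg1, ..., argn).  CONSTRUCTORS are the
# computable symbols an entity may apply; dec / fst / snd / getmsg appear in
# recipes only through the analysis clauses below.  Associative concatenation
# from the slides is simplified to a binary pair; sign/getmsg is an extra
# assumption of this example.
CONSTRUCTORS = ("pair", "enc", "sign", "pk", "sk")


def analyse(frame, public=()):
    """Saturate the knowledge under the decomposition clauses (Horn clauses
       know(..) => know(..) of the deduction system that take terms apart):
         know(pair(a, b))                 => know(a), know(b)
         know(enc(m, pk(k))), know(sk(k)) => know(m)
         know(sign(m, sk(k)))             => know(m)
       `frame` maps handles (names of held messages) to ground terms.
       Returns a dict term -> recipe, a recipe being a term over handles."""
    known = {}
    for handle, term in frame.items():
        known.setdefault(term, handle)
    for const in public:
        known.setdefault(const, const)
    changed = True
    while changed:
        changed = False
        for term, recipe in list(known.items()):
            if not isinstance(term, tuple):
                continue
            derived = []
            if term[0] == "pair":
                derived = [(term[1], ("fst", recipe)), (term[2], ("snd", recipe))]
            elif term[0] == "enc" and isinstance(term[2], tuple) and term[2][0] == "pk":
                secret = ("sk", term[2][1])
                if secret in known:
                    derived = [(term[1], ("dec", recipe, known[secret]))]
            elif term[0] == "sign":
                derived = [(term[1], ("getmsg", recipe))]
            for sub, sub_recipe in derived:
                if sub not in known:
                    known[sub] = sub_recipe
                    changed = True
    return known


def synthesise(goal, known):
    """Composition clauses: build `goal` top-down with constructors whose
       arguments are deducible.  Returns a recipe, or None if not deducible."""
    if goal in known:
        return known[goal]
    if isinstance(goal, tuple) and goal[0] in CONSTRUCTORS:
        parts = [synthesise(arg, known) for arg in goal[1:]]
        if all(p is not None for p in parts):
            return (goal[0], *parts)
    return None


def deducible(goal, frame, public=()):
    """Ground reachability: can `goal` be deduced from the messages in `frame`
       (plus public constants) by an observer?"""
    return synthesise(goal, analyse(frame, public)) is not None


def compile_role(initial, public, steps):
    """Compile one role of a conversation.  `steps` lists ("recv", t) and
       ("send", t) with ground terms; every send is solved as a ground
       reachability problem on the knowledge held at that point, and the
       recipes found are the role's implementation.  As the slide's pitfall
       says, a received message is only taken apart here, never validated."""
    frame = dict(initial)
    program = []
    for i, (kind, term) in enumerate(steps, 1):
        if kind == "recv":
            frame[f"m{i}"] = term            # bind the received message to a handle
            program.append(("recv", f"m{i}"))
        else:
            recipe = synthesise(term, analyse(frame, public))
            if recipe is None:
                raise ValueError(f"step {i}: {term!r} is not deducible; "
                                 "the specification is not interoperable")
            program.append(("send", recipe))
    return program


# Constructed two-message conversation (not a protocol from the talk):
#   A -> B : enc(pair(Na, A), pk(kB))      B -> A : enc(pair(Na, Nb), pk(kA))
PUBLIC = ("A", "B")
MSG1 = ("enc", ("pair", "Na", "A"), ("pk", "kB"))
MSG2 = ("enc", ("pair", "Na", "Nb"), ("pk", "kA"))
ROLE_B = {"skB": ("sk", "kB"), "pkA": ("pk", "kA"), "Nb": "Nb"}


def demo():
    return {
        # role B's implementation: one recipe per message it sends
        "role_b": compile_role(ROLE_B, PUBLIC, [("recv", MSG1), ("send", MSG2)]),
        # a passive observer holding both messages: is the nonce Na reachable?
        "na_observable": deducible("Na", {"m1": MSG1, "m2": MSG2}, PUBLIC),
        # ... and once B's private key is among the observed terms?
        "na_with_key": deducible("Na", {"m1": MSG1, "m2": MSG2, "k": ("sk", "kB")}, PUBLIC),
    }
```

The compiled role B decrypts its first message with skB, projects the nonce out of the pair and re-encrypts it with Nb under pkA; nothing in that recipe checks who produced the message, which is the pitfall stated on the slide and what the refinement-based construction on the following slide addresses by accepting only refinements of the intended sequence.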

Page 50: Yannick Chevalier - Habilitation (final)

Computation of a Secure Implementation

Definition

A deduction system D has the finite basis property if, for every finite sequence of messages ϕ, there exists a finite set S of pairs of constructions such that ψ |= M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.

Remarks

- Decision procedures for static equivalence usually compute such a finite set
- Permits to compute an implementation that accepts only the refinements of the intended message sequence

Conclusion:

- Justifies cryptographic protocol analysis relying on the operational semantics of the protocol
- Important point: we can automatically compute a secure implementation of any conversation

Page 51: Yannick Chevalier - Habilitation (final)

Plan

- Distributed systems
- Logical Model
- Security analysis
  - Reachability & Refutation
  - Combination results
  - Computing an Orchestration
- Current and Future Works

Page 52: Yannick Chevalier - Habilitation (final)

Outline

- Security analysis
  - Reachability & Refutation
  - Combination results
  - Computing an Orchestration

Page 53: Yannick Chevalier - Habilitation (final)

Reachability Decision Procedures

Reminder: D-Reachability

Can the attacker successfully complete the execution of the other entities?

Many results: Amadio, Lugiez 2000 (atomic keys); Millen, Shmatikov 2001 (any keys); Comon-Lundh, Shmatikov 2003 (xor); Delaune-Jacquemard 2004 (collapsing); Baudet 2004 (subterm); Bernat, Comon-Lundh 2006 (blind signature); ...

Common pattern

- Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants
- Prove that the size of this substitution can be bounded by using a "pumping lemma"
- Guess this substitution to reduce the problem to a ground reachability problem
- Prove that the latter is decidable

Page 56: Yannick Chevalier - Habilitation (final)

Results Obtained

Reachability decision procedures

- With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003)
- With Kourjieh:
  - Decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006)
  - Decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007)

Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system

Page 58: Yannick Chevalier - Habilitation (final)

Generalisation: Saturated Deduction Systems

Saturation

- Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger
- Our procedure relied on different hypotheses, but was only applicable to specific sets of Horn clauses

Generalization

- We have extended our proof to arbitrary sets of clauses
- Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation
- Consequence 2: with further hypotheses, decidability of non-ground problems

Page 61: Yannick Chevalier - Habilitation (final)

Combination of Equational Theories

Principle

Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2

Well-known results

- Schmidt-Schauß 86, Baader+Schulz 92
- Combination of unifiability procedures for disjoint equational theories

A trivial problem? Additional constraints needed [Jan Otop, 2010]

Question: can we reuse these results to obtain similar ones for reachability analysis?

Page 64: Yannick Chevalier - Habilitation (final)

Application to Refutation of Protocols

Additional constraints

- The attacker has to build the solution
- Preservation of the natural structure of these constraints

Results obtained

- Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05)
- Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06)

Page 66: Yannick Chevalier - Habilitation (final)

Beyond the Security Analysis of Protocols

[Figure: a client and a server exchange Msg 1, Msg 2 and Msg 3 over a network on which an attacker sits]

Example: Cryptographic Protocols

- Entities are the client, server, ...

- The state is the point reached by the entity in the protocol

- An attacker can interfere with the communications

We obtain for free a decision procedure for orchestration

Page 67: Yannick Chevalier - Habilitation (final)

Beyond the Security Analysis of Protocols

[Figure: an orchestrator on a network interacts with Provider 1 (Op. 1, Op. 2, Op. 3) and Provider 2]

Web Services:

- Entities are service providers, which may be stateful or not

- An orchestrator can interact with these providers to provide a new functionality

We obtain for free a decision procedure for orchestration

Page 68: Yannick Chevalier - Habilitation (final)

Orchestration

Model

- Messages of the services are decorated with guards and persistent assertions
  (limiting assumption, but well-suited for security)

- Goal service is specified with an ordered sequence of messages and guards that have to be satisfied
  (finite execution)

- Models both interaction with a client and security constraints

Page 69: Yannick Chevalier - Habilitation (final)

Results obtained (with Mekki, Rusinowitch, WSCMA07, FAST09)

- Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols

- A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe

If it exists, we can compute a conversation...

- that considers the cryptographically protected parts of the messages

- that satisfies persistent security and functionality constraints

- that adapts messages to suit the different service interfaces

Page 71: Yannick Chevalier - Habilitation (final)

Can we connect the dots?

Summary: If it exists, we can compute a conversation describing an orchestration with security constraints

Reminder (compilation): we can automatically compute a secure implementation of any conversation

Question: Can we actually compute an orchestration and deploy it as a service?

Automated deployment of orchestrations

- Implementation by M.A. Mekki

- Currently as a Tomcat servlet

- Further work is planned to obtain compliant Web Services

Page 75: Yannick Chevalier - Habilitation (final)

Plan

Distributed systems

Logical Model

Security analysis

Current and Future Works


Page 76: Yannick Chevalier - Habilitation (final)

Equivalence (M. Baudet, 2004)

Definition (Subterm deduction systems): A deduction system is subterm iff its equational theory is

- convergent

- contains only equations l = r with
  - r a subterm of l, or
  - r a ground term

Theorem (Baudet, CCS 2004): If D is a subterm deduction system, then D-equivalence is decidable
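As an added worked example (not code from the habilitation, from CL-AtSe or from any of the cited papers), the following Python block implements the two checks that the definition above and slide 64 rely on: Baudet's syntactic condition on the equations of a subterm deduction system, and the ground reachability question of whether an attacker, who has to build the solution, can derive a term from its knowledge by applying the rules as destructors and the constructors to what it knows. Terms are represented as nested tuples, the symmetric-encryption and pairing theory at the end is a constructed sample, and convergence of the rewrite system is assumed rather than checked.

```python
from itertools import product
# Terms: a variable is a string ("x"); a function application is a tuple
# ("f", arg1, ...); a constant is a nullary application such as ("k1",).
def is_var(t):
    return isinstance(t, str)
def subterms(t):
    out = {t}
    if not is_var(t):
        for a in t[1:]:
            out |= subterms(a)
    return out
def is_subterm_theory(rules):
    # Baudet's syntactic condition on every l = r: r is a subterm of l, or r is
    # ground. Convergence of the rewrite system is assumed, not checked here.
    return all(r in subterms(l) or not any(map(is_var, subterms(r)))
               for l, r in rules)
def match(pat, term, s):
    # Extend substitution s so that pat instantiated by s equals term, else None.
    if is_var(pat):
        return {**s, pat: term} if s.get(pat, term) == term else None
    if is_var(term) or term[0] != pat[0] or len(term) != len(pat):
        return None
    for p, a in zip(pat[1:], term[1:]):
        s = None if s is None else match(p, a, s)
    return s
def subst(t, s):
    return s[t] if is_var(t) else (t[0],) + tuple(subst(a, s) for a in t[1:])
def deducible(knowledge, goal, rules, constructors):
    # Ground reachability: saturate the attacker's knowledge with the rules used
    # as destructors and with constructor applications; composition is restricted
    # to subterms of the problem, which is what makes the saturation terminate.
    known = set(knowledge)
    bound = set().union(*(subterms(t) for t in known | {goal}))
    changed = True
    while changed:
        changed = False
        for l, r in rules:
            for args in product(list(known), repeat=len(l) - 1):
                s = match(l, (l[0],) + args, {})
                if s is not None and subst(r, s) not in known:
                    known.add(subst(r, s)); changed = True
        for t in bound:
            if (not is_var(t) and t[0] in constructors and t not in known
                    and all(a in known for a in t[1:])):
                known.add(t); changed = True
    return goal in known
# Constructed sample theory: symmetric encryption and pairing (Dolev-Yao style).
DY_RULES = [(("dec", ("enc", "x", "y"), "y"), "x"),
            (("fst", ("pair", "x", "y")), "x"), (("snd", ("pair", "x", "y")), "y")]
DY_CONSTRUCTORS = {"enc", "pair"}
```

This block decides only the ground problem; the reachability problems of the slides additionally carry variables and the associated unifiability constraints, which it does not handle.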


Page 77: Yannick Chevalier - Habilitation (final)

Own current and future work

- Past: Another proof of this fact [with Rusinowitch, JAR 2010]

- Current: Definition of a generalization of subterm deduction systems, encompassing saturated deduction systems à la Kourjieh

- Future: Modularity of D-equivalence decision procedures?

Page 78: Yannick Chevalier - Habilitation (final)

Multiple attackers (with Avanesov, Rusinowitch, Turuani)

Setting

- Multiple, non-communicating, attackers

- Model for code injected into applications in different places of the network

- Dual problem: distributed orchestration

- A few decidability (standard cryptography) and undecidability results

Generic criterion for lifting reachability decidability results to this problem?

Page 79: Yannick Chevalier - Habilitation (final)

Extensions: Entities with Loops

Combination

- Automata-based methods are able to synthesize orchestration with loops

- Future work: combination with our synthesis algorithms

- More generally: Aspect-based analysis

ForAll loops

- Model XPath queries on messages with function symbols

- Difficulty: solving associated unifiability problems

Page 81: Yannick Chevalier - Habilitation (final)

Contextual Deduction

Contextual deduction (Reddy, Bronsard)

- Employ resolution with unification replaced by pattern-matching

- Not refutationally complete in general

- Contrary to expectations, not complete for ordered saturated sets of clauses

RTA LOOP #37: Is there a notion of 'complete theory' for which contextual deduction is complete for refutation of ground clauses?

Own current and future work

- Past: a re-definition of ordered saturation that keeps some redundant clauses

- Future: prove that contextual deduction is complete for such saturated sets of clauses

Page 84: Yannick Chevalier - Habilitation (final)

Future work: Communicating entities

[Figure: Entity 1 (State 1, State 2, State 3), Entity 2 and Entity 3 communicating over a network]

Distributed systems:

- Several entities

- Communicating by message passing on a network

Page 85: Yannick Chevalier - Habilitation (final)

Future work: Communicating entities

[Figure: Application 1 (Output 1, Input 2, Output 3) and Application 2 communicating through the OS, within an environment]

Separation kernels:

- Entities are the applications hosted by the system

- Communications through an OS that implements an access control policy

- Validate the possible executions in a given environment

Page 86: Yannick Chevalier - Habilitation (final)

40+ years ago...

Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece"

(source: Super Freakonomics)

Many incarnations:

- Component-based software engineering

- Multi-agent systems

- ...
