PS-LTL for Constraint-based Security Protocol Analysis
Corin, Ricardo and Saptawijaya, Ari and Etalle, Sandro (2005) PS-LTL for Constraint-based Security Protocol Analysis. In: International Conference [on] Logic Programming, ICLP : 21 (Sitges), October 2-5, 2005, Sitges, Spain.
|Abstract:||Several formal approaches have been proposed to analyse security protocols, e.g. [2,7,11,1,6,12]. Recently, a great interest has been growing on the use of constraint solving approach. Initially proposed by Millen and Shmatikov , this approach allows analysis of a finite number of protocol sessions. Yet, the representation of protocol runs by symbolic traces (as opposed to concrete traces) captures the possibility of having unbounded message space, allowing analysis over an infinite state space. A constraint is defined as a pair consisting of a message M and a set of messages K that represents the intruder¿s knowledge. Millen and Shmatikov present a procedure to solve a set of constraints, i.e. that in each constraint, M can be built from K. When a set of constraints is solved, then a concrete trace representing an attack over the protocol can be extracted.
Corin and Etalle  has improved the work of Millen and Shmatikov by presenting a more efficient procedure. However, none of these constraint-based systems provide enough flexibility and expresiveness in specifying security properties. For example, to check secrecy an artificial protocol role is added to simulate whether a secret can be learned by an intruder. Authentication cannot also be checked directly. Moreover, only a built-in notion of authentication is implemented by Millen and Shmatikov in his Prolog implementation . This problem motivates our current work.
A logical formalism is considered to be an appropriate solution to improve the flexibility and expresiveness in specifying security properties. A preliminary attempt to use logic for specifying local security properties in a constraint-based setting has been carried out . Inspired by this work and the successful NPATRL [11,8], we currently explores a variant of linear temporal logic (LTL) over finite traces, -LTL, standing for pure-past security LTL . In contrast to standard LTL, this logic deals only with past events in a trace. In our current work, a protocol is modelled as in previous works [9,4,3], viz. by protocol roles. A protocol role is a sequence of send and receive events, together with status events to indicate, e.g. that a protocol role has completed her protocol run. A scenario is then used to deal with the number of sessions and protocol roles considered in the analysis.
Integrating -LTL into our constraint solving approach presents a challenge, since we need to develop a sound and complete decision procedure against symbolic traces, instead of concrete traces. Our idea to address this problem is by concretizing symbolic traces incrementally while deciding a formula. Basically, the decision procedure consists of two steps: transform and decide. The former step transforms a -LTL formula with respect to the current trace into a so-called elementary formula that is built from constraints and equalities using logical connectives and quantifiers. The decision is then performed by the latter step through solving the constraints and checking the equalities.
Although we define a decision procedure for a fragment of -LTL, this fragment is expressive enough to specify several security properties, like various notions of secrecy and authentication, and also data freshness. We provide a Prolog implementation and have analysed several security protocols.
There are many directions for improvement. From the implementation point of view, the efficiency of the decision procedure can still be improved. I would also like to investigate the expressiveness of the logic for speficying other security properties. This may result in an extension of the decision procedure for a larger fragment of the logic. Another direction is to characterize the expressivity power of -LTL compared to other security requirement languages.
|Item Type:||Conference or Workshop Item|
|Copyright:||© 2005 Springer-Verlag|
Electrical Engineering, Mathematics and Computer Science (EEMCS)
|Link to this item:||http://purl.utwente.nl/publications/54523|
|Export this item as:||BibTeX|
Daily downloads in the past month
Monthly downloads in the past 12 months
Repository Staff Only: item control page
Metis ID: 228779