3. Plan
Distributed systems
Distributed systems
Analysis of distributed systems
Logical Model
Security analysis
Current and Future Works
Yannick Chevalier, Toulouse, 25/02/2011
Université Toulouse 3
Habilitation 3/88
4. Outline
Distributed systems
Distributed systems
Analysis of distributed systems
5. Distributed Systems
Communicating entities
[Figure: Entity 1, Entity 2 and Entity 3, each in its own state (State 1, State 2, State 3), exchanging messages over a network]
Distributed systems:
Several entities
Communicating by message passing on a network
6. Distributed Systems
Communicating entities
[Figure: a client and a server exchanging Msg 1, Msg 2, Msg 3 over a network, with an attacker on the network]
Example: Cryptographic Protocols
Entities are the client, server, ...
The state is the point reached by the entity in the protocol
An attacker can interfere with the communications
7. Distributed Systems
Communicating entities
[Figure: Provider 1 and Provider 2 offering operations Op. 1, Op. 2, Op. 3 over a network, with an orchestrator invoking them]
Web Services:
Entities are service providers, which may be stateful or not
An orchestrator can interact with these providers to provide a new functionality
9. Security Analysis of Distributed Systems
[Figure: a client and a server exchanging Msg 1, Msg 2, Msg 3 over a network, with an attacker on the network]
Principle
Specify the participating entities
Specify a property
Check whether the property is satisfied by the possible executions
Security Properties
Secrecy
Authentication
Strong secrecy
Remarks
Not deterministic
Infinitely branching
12. Security Analysis of Distributed Systems
[Figure: the same client/server diagram, with the OS in place of the network and an attacker on it]
Principle
Specify the participating entities
Specify a property
Check whether the property is satisfied by the possible executions
Security Properties
Secrecy
Authentication
Strong secrecy
Remarks
Not deterministic
Infinitely branching
21. Outline
Distributed systems
Distributed systems
Analysis of distributed systems
Logical Model
Formal model of entities
Decision problems
Compilation of conversations
Security analysis
Reachability & Refutation
Combination results
Computing an Orchestration
Current and Future Works
22. Plan
Distributed systems
Logical Model
Formal model of entities
Decision problems
Compilation of conversations
Security analysis
Current and Future Works
23. Outline
Logical Model
Formal model of entities
Decision problems
Compilation of conversations
24. Equational Theories
Modeling message properties
Encryption: enc(x_msg, pk(x_key)), Decryption: dec(x_msg, sk(x_key))
∀x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
Associativity of concatenation _ · _
∀x, y, z: x · (y · z) = (x · y) · z
Generic model
Data and operations are modeled with function symbols in a first-order signature
Effects of operations and properties of data constructors are modeled with an equational theory
26. Deduction Systems
Some function symbols denote relations between terms rather than computable functions
∀x_msg, x_key: dec(enc(x_msg, pk(x_key)), sk(x_key)) = x_msg
Deduction systems
A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions
Deduction system as a set of Horn clauses
Let know_e(t) be a predicate denoting that t's value is known by e
Equivalent to a set of Horn clauses, each of the form:
know_e(x_1), ..., know_e(x_n) ⇒ know_e(f(x_1, ..., x_n))
29. Entity Specification
Generic model
Set of multi-set rewriting rules (Cervesato et al.)
State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project)
Employed to describe distributed systems, but impractical for describing decision procedures
Domain-specific models
For cryptographic protocols
For Web Services
...
Employed to describe decision procedures, based on simplifying assumptions
33. Models Employed
Program without loops:
roles in a cryptographic protocol
Web Services without Trust Negotiation policy
Orchestrator
Policy Enforcement Point
...
Deduction systems:
Logical specification of possible actions: Attacker
Combination of both (work with Balbiani, El Houri):
Web services with Trust Negotiation policies
36. Outline
Logical Model
Formal model of entities
Decision problems
Compilation of conversations
37. Ground Reachability
Setting
An observer witnesses an execution of the system without interfering with it: t_1, ..., t_n
A goal is specified with a ground term t
Question: Can t be deduced given the messages t_1, ..., t_n?
Remarks
Model of the possible constructions by the observer
Unsatisfactory model of the observer's knowledge
39. Static Equivalence 1/2
Intuition
Setting
A game in which the observer witnesses the execution of one out of two possible distributed systems: t_1, ..., t_n
Question: Can the observer deduce to which distributed system this execution belongs?
Remarks
Possible tests on the execution:
constructions using the deduction system and nonce creation
equality tests
Model of the observer's knowledge
A lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...
41. Static Equivalence 2/2
Technical description
Description of the game
Input: 2 sequences of messages, each representing the execution of one of the distributed systems
Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other
Asymmetric version: Refinement [with Rusinowitch 10]
A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same result on ϕ yields the same result on ψ.
Notation: ψ |= M = N if the constructions M, N yield equal results when applied on the terms of ψ
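The deduction systems of slide 26, the ground-reachability question of slide 37 and the static-equivalence game with its asymmetric refinement relation of slides 39 to 41, worked through in Python. This is an added example, not code from the slides or from the author's tools: the signature (enc, dec, pk, sk, pair, fst, snd), the decompose-then-compose procedure used for ground reachability, the bounded enumeration of constructions, all function names and the sample messages are this example's own choices, modelled on the enc/dec/pk/sk theory of slide 24 plus pairing.

```python
"""Dolev-Yao-style deduction and bounded static-equivalence tests.
Added example, not from the slides: the signature, rewrite rules, function
names and the constructed sample messages are this example's own choices,
modelled on the slides' enc/dec/pk/sk theory plus pairing."""
from itertools import product

# Atoms are strings; compound terms are tuples (symbol, *args).
# Computable symbols, i.e. the Horn clauses know(x1..xn) => know(f(x1..xn)).
# 'sk' is deliberately absent: a private key is not computable from an agent
# name, so sk(b) is known only if it was explicitly received.
ARITY = {'pair': 2, 'fst': 1, 'snd': 1, 'enc': 2, 'dec': 2, 'pk': 1}

def head(t):
    return t[0] if isinstance(t, tuple) else None

def normalize(t):
    """Normal form under the convergent theory dec(enc(x, pk(k)), sk(k)) = x,
    fst(pair(x, y)) = x, snd(pair(x, y)) = y (every right-hand side is a
    subterm of its left-hand side: a subterm deduction system)."""
    if isinstance(t, str):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    if f == 'fst' and head(args[0]) == 'pair':
        return args[0][1]
    if f == 'snd' and head(args[0]) == 'pair':
        return args[0][2]
    if (f == 'dec' and head(args[0]) == 'enc' and head(args[0][2]) == 'pk'
            and head(args[1]) == 'sk' and args[0][2][1] == args[1][1]):
        return args[0][1]
    return (f, *args)

def analyze(known):
    """Close the knowledge under the clauses whose conclusion is a subterm of
    a premise (projections, decryption under a known private key). Terminates:
    every added term is a strict subterm of a term already present."""
    known = {normalize(t) for t in known}
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if head(t) == 'pair':
                new = {t[1], t[2]}
            elif head(t) == 'enc' and head(t[2]) == 'pk' and ('sk', t[2][1]) in known:
                new = {t[1]}
            if not new <= known:
                known |= new
                changed = True
    return known

def deducible(known, goal):
    """Ground reachability: can `goal` be deduced from the messages `known`?
    Decompose first, then compose with computable symbols; composing alone
    never terminates, since the set of deducible terms is infinite."""
    known = analyze(known)
    def synth(t):
        if t in known:
            return True
        if isinstance(t, str) or head(t) not in ARITY:
            return False  # a fresh atom, or a private key never received
        return all(synth(a) for a in t[1:])
    return synth(normalize(goal))

def recipes(n_handles, public, depth):
    """Constructions of nesting depth <= `depth` over the handles ('w', i)
    for the i-th message of a frame, the public atoms and ARITY."""
    seen = [('w', i) for i in range(1, n_handles + 1)] + list(public)
    for _ in range(depth):
        seen += [(f, *args) for f, k in ARITY.items() for args in product(seen, repeat=k)]
    return list(dict.fromkeys(seen))  # drop duplicates, keep order

def evaluate(recipe, frame):
    """Normalized value of a construction applied to the terms of a frame."""
    if head(recipe) == 'w':
        return normalize(frame[recipe[1] - 1])
    if isinstance(recipe, str):
        return recipe
    return normalize((recipe[0], *(evaluate(a, frame) for a in recipe[1:])))

def refines(psi, phi, public=(), depth=2):
    """Bounded test of 'psi refines phi': a witness (M, N) with phi |= M = N
    but not psi |= M = N, or None when no such pair of constructions exists
    up to `depth` (evidence of refinement, not a proof)."""
    classes = {}  # value on phi -> constructions yielding that value
    for r in recipes(len(phi), public, depth):
        classes.setdefault(evaluate(r, phi), []).append(r)
    for same_on_phi in classes.values():
        m, v = same_on_phi[0], evaluate(same_on_phi[0], psi)
        for n in same_on_phi[1:]:
            if evaluate(n, psi) != v:
                return (m, n)
    return None

def distinguishing_test(phi, psi, public=(), depth=2):
    """Static-equivalence game: a witness test if two constructions yield
    equal values on one frame and distinct values on the other, else None."""
    return refines(psi, phi, public, depth) or refines(phi, psi, public, depth)

if __name__ == '__main__':
    # Constructed scenario: a sends nonce n and key k to b under b's public key.
    msg1 = ('enc', ('pair', 'n', 'k'), ('pk', 'b'))
    print(deducible({'a', 'b', msg1}, 'n'))               # False: n stays secret
    print(deducible({'a', 'b', msg1, ('sk', 'b')}, 'n'))  # True once sk(b) leaks
    c = ('enc', 'n', ('pk', 'b'))
    print(refines([c, 'm'], [c, 'n'], public=('b',)))     # a witness test
    print(refines([c, 'n'], [c, 'm'], public=('b',)))     # None
```

With c = enc(n, pk(b)), the frame ϕ = [c, n] satisfies the equality enc(w2, pk(b)) = w1 while ψ = [c, m] does not, so `refines([c, 'm'], [c, 'n'], public=('b',))` returns a witness such as (w1, enc(w2, pk(b))) and the observer can tell the two executions apart; in the other direction `refines` returns None, because [c, n] is an instance of [c, m] (rename m to n) and therefore satisfies every equality that [c, m] does. Note the depth bound: None only means that no distinguishing test exists up to that nesting depth. Slide 50's finite basis property is what lets an actual decision procedure replace this bound with a finite set S of tests.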
43. Reachability and Equivalence
Context: cryptographic protocols
Setting
All entities but the attacker are modeled by loop-free programs
Attacker modeled by a deduction system
Definition: D-Reachability
Can the attacker successfully complete the execution of the other entities?
Definition: D-Equivalence
Can the attacker devise a completion in which he will be able to find out with which system he interacts?
46. Outline
Logical Model
Formal model of entities
Decision problems
Compilation of conversations
47. Cryptographic Protocol Analysis
Remarks
Cryptographic protocols are usually specified with:
the intended message sequence
interoperability considerations
Analysis performed is based on an operational semantics of cryptographic protocols
Specifications of cryptographic protocols are not analyzed, their implementation is
Compilation problem
Can we compute an as secure as possible implementation of a given specification?
49. Computation of an Interoperable Implementation
(joint work with M. Rusinowitch)
Main idea
An implementation has to solve, each time it sends a message, a reachability problem.
Theorem
[with Rusinowitch 10] If D-ground reachability problems are effectively decidable then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D.
Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature)
50. Computation of a Secure Implementation
Definition
A deduction system D has the finite basis property if, for every finite sequence of messages ϕ, there exists a finite set S of pairs of constructions such that ψ |= M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.
Remarks
Decision procedures for static equivalence usually compute such a finite set
This makes it possible to compute an implementation that accepts only the refinements of the intended message sequence.
Conclusion:
Justifies cryptographic protocol analysis relying on the operational semantics of the protocol
Important point: we can automatically compute a secure implementation of any conversation
51. Plan
Distributed systems
Logical Model
Security analysis
Reachability & Refutation
Combination results
Computing an Orchestration
Current and Future Works
53. Reachability Decision Procedures
Reminder: D-Reachability
Can the attacker successfully complete the execution of the other entities?
Many results:
Delaune-Jacquemard 2004 (collapsing)
Amadio, Lugiez 2000 (atomic keys)
Baudet 2004 (subterm)
Millen, Shmatikov 2001 (any keys)
Bernat, Comon-Lundh 2006 (blind signature)
Comon-Lundh, Shmatikov 2003 (xor)
...
Common pattern
Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants
Prove that the size of this substitution can be bounded by using a "pumping lemma"
Guess this substitution to reduce the problem to a ground reachability problem
Prove that the latter is decidable
56. Results Obtained
Reachability decision procedures
With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003)
With Kourjieh:
Decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006)
Decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007)
Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system
58. Generalisation: Saturated Deduction Systems
Saturation
Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger
Our procedure relied on different hypotheses, but was only applicable to specific sets of Horn clauses
Generalization
We have extended our proof to arbitrary sets of clauses
Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation
Consequence 2: with further hypotheses, decidability of non-ground problems
61. Combination of Equational Theories
Principle
Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2
Well-known results
Schmidt-Schauß 86, Baader+Schulz 92
Combination of unifiability procedures for disjoint equational theories
A trivial problem?
Additional constraints needed [Jan Otop, 2010]
Question:
Can we reuse these results to obtain similar ones for reachability analysis?
64. Application to Refutation of Protocols
Additional constraints
The attacker has to build the solution
Preservation of the natural structure of these constraints
Results obtained
Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05)
Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06)
66. Beyond the Security Analysis of Protocols
[Figure: a client and a server exchanging Msg 1, Msg 2, Msg 3 over a network, with an attacker on the network]
Example: Cryptographic Protocols
Entities are the client, server, ...
The state is the point reached by the entity in the protocol
An attacker can interfere with the communications
We obtain for free a decision procedure for orchestration
67. Beyond the Security Analysis of Protocols
[Figure: Provider 1 and Provider 2 offering operations Op. 1, Op. 2, Op. 3 over a network, with an orchestrator invoking them]
Web Services:
Entities are service providers, which may be stateful or not
An orchestrator can interact with these providers to provide a new functionality
We obtain for free a decision procedure for orchestration
68. Orchestration
Model
Messages of the services are decorated with guards and persistent assertions
Limiting assumption, but well-suited for security
Goal service is specified with an ordered sequence of messages and guards that have to be satisfied
finite execution
Models both interaction with a client and security constraints
69. Results obtained (with Mekki, Rusinowitch, WSCMA07, FAST09)
Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols
A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe
If it exists, we can compute a conversation...:
that considers the cryptographically protected parts of the messages
that satisfies persistent security and functionality constraints
that adapts messages to suit the different service interfaces
71. Can we connect the dots?
Summary
If it exists, we can compute a conversation describing an orchestration with security constraints
Reminder (compilation):
we can automatically compute a secure implementation of any conversation
Question: Can we actually compute an orchestration and deploy it as a service?
Automated deployment of orchestrations
Implementation by M.A. Mekki
Currently as a Tomcat servlet
Further work is planned to obtain compliant Web Services
76. Equivalence
M. Baudet, 2004
Definition (subterm deduction systems)
A deduction system is subterm iff its equational theory
is convergent, and
contains only equations l = r with r a subterm of l, or r a ground term.
Theorem (Baudet, CCS 2004)
If D is a subterm deduction system, then D-equivalence is decidable.
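The syntactic half of the definition above (every right-hand side is a subterm of its left-hand side, or ground) can be checked mechanically. The following is an added example, not part of the slides: terms are encoded as tuples, the sample theories are constructed for illustration, and convergence is assumed to be established separately since it is not decided here.

```python
# Added example (not from the slides): a syntactic check of the "subterm"
# condition on an equational theory, following the definition on the slide.
# Encoding (assumption): a term is a tuple (symbol, arg1, ...); a variable is a
# plain string; a constant is a 1-tuple such as ("ok",).
# Convergence is NOT checked here; it must be shown separately by orienting
# each equation as l -> r and proving termination and confluence.

def is_variable(t):
    return isinstance(t, str)

def is_ground(t):
    """A term is ground iff it contains no variable."""
    if is_variable(t):
        return False
    return all(is_ground(a) for a in t[1:])

def is_subterm(r, l):
    """True iff r occurs as a (not necessarily proper) subterm of l."""
    if r == l:
        return True
    if is_variable(l):
        return False
    return any(is_subterm(r, a) for a in l[1:])

def violating_equations(theory):
    """Equations l = r whose right-hand side is neither a subterm of l nor ground."""
    return [(l, r) for (l, r) in theory if not (is_subterm(r, l) or is_ground(r))]

def is_subterm_theory(theory):
    """Syntactic part of Baudet's condition (convergence assumed)."""
    return not violating_equations(theory)

# Constructed sample: a Dolev-Yao style theory with symmetric encryption,
# pairing and signature verification; "ok" is a constant, hence ground.
DY = [
    (("dec", ("enc", "x", "k"), "k"), "x"),                 # rhs is a subterm of lhs
    (("fst", ("pair", "x", "y")), "x"),                     # projections
    (("snd", ("pair", "x", "y")), "y"),
    (("check", ("sign", "m", "sk"), ("pk", "sk")), ("ok",)),  # rhs is ground
]

# Diffie-Hellman exponentiation, exp(exp(g,x),y) = exp(g, mul(x,y)): the
# right-hand side is neither a subterm of the left nor ground, so a theory
# containing it is not subterm and the theorem on the slide does not apply.
DH = DY + [(("exp", ("exp", "g", "x"), "y"), ("exp", "g", ("mul", "x", "y")))]
```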
77. Own current and future work
Past: another proof of this fact [with Rusinowitch, JAR 2010]
Current: definition of a generalization of subterm deduction systems encompassing saturated deduction systems à la Kourjieh
Future: modularity of D-equivalence decision procedures?
78. Multiple attackers
with Avanesov, Rusinowitch, Turuani
Setting
Multiple, non-communicating, attackers
Model for code injected into applications in different places of the network
Dual problem: distributed orchestration
A few decidability (standard cryptography) and undecidability results
Generic criterion for lifting reachability decidability results to this problem?
79. Extensions: Entities with Loops
Combination
Automata-based methods are able to synthesize orchestrations with loops
Future work: combination with our synthesis algorithms
More generally: aspect-based analysis
ForAll loops
Model XPath queries on messages with function symbols
Difficulty: solving the associated unifiability problems
81. Contextual Deduction
Contextual deduction (Reddy, Bronsard)
Employs resolution with unification replaced by pattern matching
Not refutationally complete in general
Contrary to expectations, not complete for ordered saturated sets of clauses
RTA LOOP 37
Is there a notion of 'complete theory' for which contextual deduction is complete for the refutation of ground clauses?
Own current and future work
Past: a re-definition of ordered saturation that keeps some redundant clauses
Future: prove that contextual deduction is complete for such saturated sets of clauses
84. Future work
[Figure: communicating entities (Entity 1, Entity 2, Entity 3, each with its own state) exchanging messages over a network]
Distributed systems: several entities communicating by message passing on a network
85. Future work
[Figure: communicating entities (Application 1, Application 2) exchanging inputs and outputs through the OS, within a given environment]
Separation kernels:
Entities are the applications hosted by the system
Communications go through an OS that implements an access control policy
Validate the possible executions in a given environment
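To make the separation-kernel setting concrete, the following is an added example that is not part of the slides: a constructed inter-partition communication policy, a constructed execution trace checked against it, and the transitive closure of the policy, which shows which flows an environment permits indirectly even when no single message violates it. Partition names, the policy and the trace are all assumptions.

```python
# Added example (not from the slides): validating executions of applications
# hosted by a separation kernel against the OS access-control policy.
from itertools import product

# Constructed policy: (sender, receiver) pairs the OS allows to communicate.
POLICY = {
    ("ui", "crypto"),      # plaintext enters the crypto partition from the UI
    ("crypto", "net"),     # ciphertext leaves through the network stack
    ("net", "crypto"),     # incoming ciphertext is handed to crypto
}

def direct_violations(trace, policy=POLICY):
    """Messages of an execution that the policy does not allow (OS would block)."""
    return [(s, d, payload) for (s, d, payload) in trace if (s, d) not in policy]

def reachable_flows(policy):
    """Transitive closure of the policy: every (src, dst) pair along which
    information can flow through a chain of permitted communications."""
    flows = set(policy)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(flows), repeat=2):
            if b == c and (a, d) not in flows:
                flows.add((a, d))
                changed = True
    return flows

def indirect_leaks(policy, forbidden):
    """Forbidden pairs that are not allowed directly but are reachable
    transitively; these need a check on the intermediate partitions
    (here: that crypto really encrypts before forwarding)."""
    flows = reachable_flows(policy)
    return sorted(p for p in forbidden if p not in policy and p in flows)

# Constructed execution trace: (sender, receiver, payload).
TRACE = [
    ("ui", "crypto", "plaintext"),
    ("crypto", "net", "ciphertext"),
    ("ui", "net", "plaintext"),   # violation: bypasses the crypto partition
]

# Constructed security requirement: the UI must never talk to the network directly.
FORBIDDEN = {("ui", "net")}
```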
86. 40+ years ago...
Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece" (source: Super Freakonomics)
Many incarnations:
Component-based software engineering
Multi-agent systems
...