Logical Approach to the Security Analysis of Distributed Systems

Yannick Chevalier
Université Toulouse 3
Toulouse, 25/02/2011
Outline

Distributed systems
Logical Model
Security analysis
Current and Future Works

Yannick Chevalier, Toulouse, 25/02/2011. Université Toulouse 3. Habilitation, slide 2/88.
Plan

Distributed systems
   Distributed systems
   Analysis of distributed systems
Logical Model
Security analysis
Current and Future Works
Outline

Distributed systems
   Distributed systems
   Analysis of distributed systems
Distributed Systems
Communicating entities

[Figure: Entity 1 (State 1, State 2, State 3), Entity 2 and Entity 3 exchanging messages over a Network]

Distributed systems:
   Several entities
   Communicating by message passing on a network
Distributed Systems
Communicating entities

[Figure: Client (Msg 1, Msg 2, Msg 3) and Server communicating over a Network, with an attacker on the network]

Example: Cryptographic Protocols
   Entities are the client, server, ...
   The state is the point reached by the entity in the protocol
   An attacker can interfere with the communications
Distributed Systems
Communicating entities

[Figure: Provider 1 (Op. 1, Op. 2, Op. 3), Provider 2 and an Orchestrator communicating over a Network]

Web Services:
   Entities are service providers, which may be stateful or not
   An orchestrator can interact with these providers to provide a new functionality
Security Analysis of Distributed Systems

[Figure: Client (Msg 1, Msg 2, Msg 3) and Server communicating over a Network, with an attacker on the network]

Principle
   Specify the participating entities
   Specify a property
   Check whether the property is satisfied by the possible executions

Security Properties
   Secrecy
   Authentication
   Strong secrecy

Remarks
   Not deterministic
   Infinitely branching
Security Analysis of Distributed Systems

[Figure: same setting, with the Client (Msg 1, Msg 2, Msg 3) and Server now communicating through the OS, where the attacker sits]

Principle
   Specify the participating entities
   Specify a property
   Check whether the property is satisfied by the possible executions

Security Properties
   Secrecy
   Authentication
   Strong secrecy

Remarks
   Not deterministic
   Infinitely branching
Outline

Distributed systems
   Distributed systems
   Analysis of distributed systems

Logical Model
   Formal model of entities
   Decision problems
   Compilation of conversations

Security analysis
   Reachability & Refutation
   Combination results
   Computing an Orchestration

Current and Future Works
Plan

Distributed systems
Logical Model
   Formal model of entities
   Decision problems
   Compilation of conversations
Security analysis
Current and Future Works
Outline

Logical Model
   Formal model of entities
   Decision problems
   Compilation of conversations
Equational Theories
Modeling message properties

   Encryption: $\mathrm{enc}(x_{msg}, \mathrm{pk}(x_{key}))$, Decryption: $\mathrm{dec}(x_{msg}, \mathrm{sk}(x_{key}))$

      $\forall x_{msg}, x_{key},\ \mathrm{dec}(\mathrm{enc}(x_{msg}, \mathrm{pk}(x_{key})), \mathrm{sk}(x_{key})) = x_{msg}$

   Associativity of concatenation $\_ \cdot \_$

      $\forall x, y, z,\ x \cdot (y \cdot z) = (x \cdot y) \cdot z$

Generic model
   Data and operations are modeled with function symbols in a first-order signature
   Effects of operations and properties of data constructors are modeled with an equational theory
Deduction Systems

   Some function symbols denote relations between terms rather than computable functions

      $\forall x_{msg}, x_{key},\ \mathrm{dec}(\mathrm{enc}(x_{msg}, \mathrm{pk}(x_{key})), \mathrm{sk}(x_{key})) = x_{msg}$

Deduction systems
A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions

Deduction system as a set of Horn clauses
   Let $\mathrm{know}_e(t)$ be a predicate denoting that the value of $t$ is known by $e$
   Equivalent to a set of Horn clauses, each of the form:

      $\mathrm{know}_e(x_1), \ldots, \mathrm{know}_e(x_n) \Rightarrow \mathrm{know}_e(f(x_1, \ldots, x_n))$
Entity Specification

Generic model
   Set of multi-set rewriting rules (Cervesato et al.)
   State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project)

   Employed to describe distributed systems, but impractical for describing decision procedures

Domain-specific models
   For cryptographic protocols
   For Web Services
   ...

   Employed to describe decision procedures, based on simplifying assumptions
Models Employed

Program without loops
   roles in a cryptographic protocol
   Web Services without Trust Negotiation policy
   Policy Enforcement Point

Deduction systems
   Logical specification of possible actions:
      Attacker
      Orchestrator
      ...

Combination of both (work with Balbiani, El Houri):
   Web services with Trust Negotiation policies
Ground Reachability

Setting
   An observer witnesses an execution of the system without interfering with it: $t_1, \ldots, t_n$
   A goal is specified with a ground term $t$
   Question: Can $t$ be deduced given the messages $t_1, \ldots, t_n$?

Remarks
   Model of the possible constructions by the observer
   Unsatisfactory model of observer's knowledge
Static Equivalence 1/2
Intuition

Setting
   A game in which the observer witnesses the execution of one out of two possible distributed systems: $t_1, \ldots, t_n$
   Question: Can the observer deduce to which distributed system this execution belongs?

Remarks
   Possible tests on the execution:
      constructions using the deduction system and nonce creation
      equality tests
   Model of observer's knowledge
   A lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer, ...
Static Equivalence 2/2
Technical description

Description of the game
   Input: 2 sequences of messages, each representing the execution of one of the two distributed systems
   Output: NO if there exist two constructions that yield identical results on one execution and distinct values on the other

Asymmetric version: Refinement [with Rusinowitch 10]
A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same result on ϕ yields the same result on ψ.

   Notation: ψ ⊨ M = N if the constructions M, N yield equal results when applied on the terms of ψ
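The three notions above (a deduction system as composition and decomposition clauses, ground reachability, and static equivalence with its asymmetric refinement variant) as a small executable model. This is an added example, not code from the talk: the term algebra (pair/fst/snd, enc/dec with pk/sk), the assumption that whoever knows the seed k can derive both pk(k) and sk(k), and the depth bound on enumerated constructions are modelling choices made here, and the frames used in the tests are constructed.

```python
from itertools import product

# Terms are nested tuples: ('name', 'k') for atoms, ('f', arg, ...) otherwise.
def name(n): return ('name', n)
def pair(a, b): return ('pair', a, b)
def enc(m, k): return ('enc', m, k)
def pk(k): return ('pk', k)
def sk(k): return ('sk', k)

# Computable functions the observer may apply freely (composition clauses).
# Assumption: knowing the seed k lets one derive both pk(k) and sk(k).
CONSTRUCTORS = {'pair': 2, 'enc': 2, 'pk': 1, 'sk': 1}
# Symbols that only make sense modulo the equational theory; applying them
# outside the equations (dec with the wrong key, fst of a non-pair) fails.
DESTRUCTORS = {'fst': 1, 'snd': 1, 'dec': 2}

def normalize(t):
    """Rewrite t with dec(enc(x, pk(y)), sk(y)) = x and the fst/snd projections.
    Returns the normal form, or None when a destructor cannot be reduced."""
    if t[0] == 'name':
        return t
    args = [normalize(a) for a in t[1:]]
    if any(a is None for a in args):
        return None
    f = t[0]
    if f in ('fst', 'snd') and args[0][0] == 'pair':
        return args[0][1 if f == 'fst' else 2]
    if f == 'dec':
        c, key = args
        if c[0] == 'enc' and c[2][0] == 'pk' and key == sk(c[2][1]):
            return c[1]
    return None if f in DESTRUCTORS else (f, *args)

# Ground reachability: saturate under decomposition, then try to compose.
def synthesize(known, t):
    """know(x1), ..., know(xn) => know(f(x1, ..., xn)) for constructors f."""
    if t in known:
        return True
    return t[0] in CONSTRUCTORS and all(synthesize(known, a) for a in t[1:])

def analyze(messages):
    """Decomposition clauses: a pair gives its components, and
    enc(m, pk(k)) gives m once sk(k) is derivable from what is known."""
    known, changed = set(messages), True
    while changed:
        changed = False
        for t in list(known):
            parts = []
            if t[0] == 'pair':
                parts = [t[1], t[2]]
            elif t[0] == 'enc' and t[2][0] == 'pk' and synthesize(known, sk(t[2][1])):
                parts = [t[1]]
            for u in parts:
                if u not in known:
                    known.add(u)
                    changed = True
    return known

def deducible(messages, goal):
    """Can the ground term `goal` be deduced from the observed messages t1..tn?"""
    return synthesize(analyze(messages), goal)

# Static equivalence: compare the equalities two frames induce on constructions.
def recipes(n_handles, public, depth):
    """Constructions over handles x_0..x_{n-1} and public constants, up to `depth`."""
    found = {('handle', i) for i in range(n_handles)} | {name(c) for c in public}
    for _ in range(depth):
        prev = list(found)
        for f, arity in {**CONSTRUCTORS, **DESTRUCTORS}.items():
            found.update((f, *args) for args in product(prev, repeat=arity))
    return found

def evaluate(recipe, frame):
    """Apply a construction to a frame (sequence of messages): handle i -> frame[i]."""
    if recipe[0] == 'handle':
        return frame[recipe[1]]
    if recipe[0] == 'name':
        return recipe
    return (recipe[0], *(evaluate(a, frame) for a in recipe[1:]))

def refines(psi, phi, public, depth=2):
    """psi refines phi when every pair M, N with phi |= M = N also satisfies
    psi |= M = N (recipes up to `depth`). Returns (True, None) or (False, (M, N))."""
    groups = {}
    for r in recipes(len(phi), public, depth):
        v = normalize(evaluate(r, phi))
        if v is not None:
            groups.setdefault(v, []).append(r)
    for group in groups.values():
        ref = normalize(evaluate(group[0], psi))
        for r in group[1:]:
            if normalize(evaluate(r, psi)) != ref:
                return False, (group[0], r)
    return True, None

def statically_equivalent(phi, psi, public, depth=2):
    """The two-sided game: the observer cannot tell which system produced the frame."""
    return refines(psi, phi, public, depth)[0] and refines(phi, psi, public, depth)[0]
```

Run on the constructed frames [enc(yes, pk(k)), pk(k)] and [enc(no, pk(k)), pk(k)] with yes and no public, ground reachability yields nothing the observer did not already know, while the refinement check returns the distinguishing pair x_0 = enc(yes, x_1), because encryption in this equational theory is deterministic; this is the gap the Ground Reachability slide calls an unsatisfactory model of the observer's knowledge.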
Reachability and Equivalence
Context: cryptographic protocols

Setting
   All entities but the attacker are modeled by loop-free programs
   The attacker is modeled by a deduction system

Definition: D-Reachability
Can the attacker successfully complete the execution of the other entities?

Definition: D-Equivalence
Can the attacker devise a completion in which he will be able to find out with which system he interacts?
Outline

Logical Model
   Formal model of entities
   Decision problems
   Compilation of conversations

Cryptographic Protocol Analysis
Remarks
    Cryptographic protocols are usually specified with:
          the intended message sequence
          interoperability considerations
    The analysis performed is based on an operational semantics of cryptographic
    protocols

    It is thus not the specification of a cryptographic protocol that is analyzed,
    but an implementation of it

Compilation problem
Can we compute an implementation of a given specification that is as secure as
possible?

Computation of an Interoperable
Implementation
(joint work with M. Rusinowitch)

 Main idea
 An implementation has to solve, each time it sends a message, a reachability
 problem.

 Theorem
 [with Rusinowitch 10] If D-ground reachability problems are effectively decidable,
 then it is possible to compute an interoperable implementation of a protocol
 described using the function symbols in D.
          Pitfall: the computed implementation may not perform any
       security checks (e.g. validation of a digital signature)

Computation of a Secure Implementation
Definition
A deduction system D has the finite basis property if, for every finite sequence
of messages ϕ, there exists a finite set S of pairs of constructions such that
ψ |= M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.

Remarks
     Decision procedures for static equivalence usually compute such a finite
     set
     It permits to compute an implementation that accepts only the refinements
     of the intended message sequence.

Conclusion:
     This justifies cryptographic protocol analysis relying on the operational
     semantics of the protocol
     Important point: we can automatically compute a secure implementation
     of any conversation

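The relation ψ |= M = N from the static-equivalence slide and the finite-basis check used by the secure implementation on this slide, as an added Python example that is not part of the talk. A frame is a list of ground terms; a construction refers to frame positions m0, m1, ... and applies pairing, projection, symmetric encryption and decryption. `holds` implements ψ |= M = N, `refines` applies a set of test pairs the way an implementation that accepts only refinements of the intended run would, and `distinguishing_test` does a bounded search for a pair of constructions separating two frames (a bounded check, not the decision procedure the talk refers to). The term encoding, the function names, the two hand-written test pairs and the sample runs are constructed for this example.

```python
"""Refinement (psi |= M = N) and finite-basis checks on message frames.

Added example, not taken from the talk.  A frame is the talk's sequence of
messages (phi or psi), encoded as a list of ground terms; a construction
(recipe) refers to frame positions m0, m1, ... and applies the Dolev-Yao
operators pair/fst/snd/enc/dec.  Term encoding and sample runs are constructed."""

from itertools import product


def atom(name):
    return ('atom', name)


def pair(a, b):
    return ('pair', a, b)


def enc(m, k):
    return ('enc', m, k)  # symmetric encryption of m under key k


def evaluate(recipe, frame):
    """Apply a construction to a frame; None when a projection or a decryption fails."""
    op = recipe[0]
    if op == 'm':                         # reference to a frame position
        return frame[recipe[1]]
    args = [evaluate(r, frame) for r in recipe[1:]]
    if any(a is None for a in args):
        return None
    if op in ('pair', 'enc'):
        return (op, args[0], args[1])
    if op in ('fst', 'snd'):
        t = args[0]
        return t[1 if op == 'fst' else 2] if t[0] == 'pair' else None
    if op == 'dec':                       # decryption succeeds only with the right key
        c, k = args
        return c[1] if c[0] == 'enc' and c[2] == k else None
    raise ValueError(f"unknown operator {op}")


def holds(frame, m, n):
    """frame |= m = n: both constructions are defined on the frame and agree."""
    vm = evaluate(m, frame)
    return vm is not None and vm == evaluate(n, frame)


def refines(psi, basis):
    """psi refines phi when every test pair of a finite basis S of phi holds on psi."""
    return all(holds(psi, m, n) for m, n in basis)


def recipes_up_to(size, depth):
    """All constructions over positions m0..m(size-1) of nesting depth <= depth."""
    level = [('m', i) for i in range(size)]
    for _ in range(depth):
        new = [(u, r) for u in ('fst', 'snd') for r in level]
        new += [(b, r, s) for b in ('pair', 'enc', 'dec')
                for r, s in product(level, repeat=2)]
        level = list(dict.fromkeys(level + new))   # dedupe, keep order
    return level


def distinguishing_test(phi, psi, depth=2):
    """Bounded search for (M, N) holding on one frame but not on the other.

    Constructions are grouped by their value on one frame; any two members of a
    group are equal there, so the group only has to be checked for agreement on
    the other frame.  Both directions are tried.  Returns None when no pair up
    to the depth bound separates the frames (a bounded check, not a decision)."""
    assert len(phi) == len(psi)
    candidates = recipes_up_to(len(phi), depth)
    for a, b in ((phi, psi), (psi, phi)):
        classes = {}
        for r in candidates:
            v = evaluate(r, a)
            if v is not None:
                classes.setdefault(v, []).append(r)
        for members in classes.values():
            first = members[0]
            for other in members:          # includes first: a definedness test
                if not holds(b, first, other):
                    return first, other
    return None


# Constructed sample runs (assumed names): intended run PHI = {a, n1}_k, k, a
K, A, B, N1, N2 = atom('k'), atom('a'), atom('b'), atom('n1'), atom('n2')
PHI = [enc(pair(A, N1), K), K, A]
# Two hand-written test pairs of the kind a finite basis of PHI contains:
# m0 decrypts under m1, and the first component of the plaintext is m2.
DEC0 = ('dec', ('m', 0), ('m', 1))
BASIS = [(DEC0, DEC0), (('fst', DEC0), ('m', 2))]
PSI_OK = [enc(pair(A, N2), K), K, A]              # fresh nonce: still a refinement
PSI_BAD = [enc(pair(B, N1), K), K, A]             # other identity inside the ciphertext
PSI_UNDEC = [enc(pair(A, N1), atom('k2')), K, A]  # ciphertext under another key

if __name__ == '__main__':
    for name, psi in (('PSI_OK', PSI_OK), ('PSI_BAD', PSI_BAD), ('PSI_UNDEC', PSI_UNDEC)):
        print(name, 'refines PHI:', refines(psi, BASIS),
              '| distinguishing pair:', distinguishing_test(PHI, psi))
```

The two test pairs in `BASIS` are exactly the checks the pitfall on the previous slide says a merely interoperable implementation may skip: the received ciphertext must decrypt under the expected key, and the identity inside it must match the one already known. A run with a fresh nonce passes both, while a run with another identity or another key is rejected even though an interoperable implementation could still have computed its next message from it.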
Plan

Distributed systems

Logical Model

Security analysis
   Reachability & Refutation
   Combination results
   Computing an Orchestration

Current and Future Works

Outline

Security analysis
   Reachability & Refutation
   Combination results
   Computing an Orchestration

Reachability Decision Procedures
Reminder: D-Reachability
Can the attacker successfully complete the execution of the other entities?

Many results:
    Amadio, Lugiez 2000 (atomic keys)
    Millen, Shmatikov 2001 (any keys)
    Comon-Lundh, Shmatikov 2003 (xor)
    Delaune, Jacquemard 2004 (collapsing)
    Baudet 2004 (subterm)
    Bernat, Comon-Lundh 2006 (blind signature)
    . . .

Common pattern
     Assume there exists a completion that induces a substitution σ on the
     variables occurring in the messages exchanged by the honest participants
     Prove that the size of this substitution can be bounded by using a
     “pumping lemma”
     Guess this substitution to reduce the problem to a ground reachability
     problem
     Prove that the latter is decidable

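The last step of the common pattern, deciding a ground reachability problem, is also the problem an interoperable implementation has to solve before each message it sends (compilation slides above). As an added Python example that is not part of the talk: a small Dolev-Yao deduction system with pairing and symmetric encryption, a constructed attacker knowledge, and a saturation that decides whether a ground goal is derivable and reads back the construction (recipe) over the knowledge positions m0, m1, .... The term encoding, the function names and the sample messages are assumptions of this example; the restriction of compositions to subterms of the knowledge and of the goal is what makes the closure finite for this deduction system.

```python
"""Ground D-reachability for a small Dolev-Yao deduction system.

Added example, not taken from the talk.  Terms are nested tuples; the attacker
knowledge is a finite sequence of ground terms m0, m1, ...; the deduction rules
are pairing, projection, symmetric encryption and decryption with a known key.
Reachability is decided by saturating the knowledge under these rules, with
compositions restricted to subterms of the knowledge and of the goal, which
keeps the closure finite.  Term encoding and sample messages are constructed."""


def atom(name):
    return ('atom', name)


def pair(a, b):
    return ('pair', a, b)


def enc(m, k):
    return ('enc', m, k)  # symmetric encryption of m under key k


def subterms(t):
    """All subterms of t (atoms carry a string, which is not a term)."""
    yield t
    for child in t[1:]:
        if isinstance(child, tuple):
            yield from subterms(child)


def recipe(known, t):
    """Read back the construction deriving t over the positions m0, m1, ..."""
    rule, args = known[t]
    if rule == 'given':
        return f"m{args}"
    if rule in ('fst', 'snd'):
        return f"{rule}({recipe(known, args)})"
    left, right = args                    # dec(cipher, key), pair(x, y), enc(x, key)
    return f"{rule}({recipe(known, left)}, {recipe(known, right)})"


def ground_reachable(knowledge, goal):
    """Return a construction of goal from knowledge, or None if none exists.

    known maps each derived term to the rule and premises that produced it;
    a term is recorded once, so the read-back in recipe() is well founded."""
    known = {t: ('given', i) for i, t in enumerate(knowledge)}
    candidates = set()
    for t in list(knowledge) + [goal]:
        candidates.update(subterms(t))
    changed = True
    while changed:
        changed = False
        for t in list(known):                        # decomposition rules
            if t[0] == 'pair':
                for proj, comp in (('fst', t[1]), ('snd', t[2])):
                    if comp not in known:
                        known[comp] = (proj, t)
                        changed = True
            elif t[0] == 'enc' and t[2] in known and t[1] not in known:
                known[t[1]] = ('dec', (t, t[2]))      # key is known: decrypt
                changed = True
        for c in candidates:                         # composition rules
            if (c not in known and c[0] in ('pair', 'enc')
                    and c[1] in known and c[2] in known):
                known[c] = (c[0], (c[1], c[2]))
                changed = True
    return recipe(known, goal) if goal in known else None


# Constructed attacker knowledge: m0 = {n, k2}_k1, m1 = k1, m2 = {secret}_k2
N, K1, K2, SECRET = atom('n'), atom('k1'), atom('k2'), atom('secret')
KNOWLEDGE = [enc(pair(N, K2), K1), K1, enc(SECRET, K2)]

if __name__ == '__main__':
    print(ground_reachable(KNOWLEDGE, SECRET))         # dec(m2, snd(dec(m0, m1)))
    print(ground_reachable(KNOWLEDGE, atom('k3')))     # None
```

The returned string is the attacker's construction in the sense of the static-equivalence slides: the same saturation, run by an honest participant over its own knowledge, yields the recipe with which an interoperable implementation builds its next outgoing message.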
Results Obtained

Reachability decision procedures
    With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL
    2003), exponentiation (FSTTCS 2003)
    With Kourjieh:
    Decidability of reachability for protocols in which weak hash functions are
    employed (collisions computable) (ASIAN 2006)
    Decidability of reachability for protocols in which key selection attacks on
    the digital signature are possible (FSTTCS 2007)

    Last result: ad hoc application of ordered saturation to the Horn
    clauses of the deduction system

Generalisation: Saturated Deduction
Systems
Saturation
    Decidability result for order-saturated sets of clauses on ground problems
    by Basin, Ganzinger
    Our procedure relied on different hypotheses, but was only applicable to
    specific sets of Horn clauses

Generalization
    We have extended our proof to arbitrary sets of clauses
    Consequence 1: replacement of a finiteness condition with a
    well-foundedness condition on the ordering employed during the
    saturation
    Consequence 2: with further hypotheses, decidability of non-ground
    problems

Combination of Equational Theories

Principle
Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and on E2

Well-known results
     Schmidt-Schauß 86, Baader, Schulz 92
     Combination of unifiability procedures for disjoint equational theories

A trivial problem?
Additional constraints are needed [Jan Otop, 2010]

Question:
Can we reuse these results to obtain similar ones for reachability analysis?

Application to Refutation of Protocols

Additional constraints
    The attacker has to build the solution
    Preservation of the natural structure of these constraints

Results obtained
    Combination of procedures deciding reachability for disjoint deduction
    systems (with Rusinowitch, ICALP 05)
    Non-disjoint case: conditions on the equations employing the shared
    symbols that permit the reduction to a sub-signature (with Rusinowitch,
    RTA 06)

Beyond the Security Analysis of Protocols

 [Figure: a client and a server exchanging Msg 1, Msg 2, Msg 3 over a network,
 with an attacker on the network]

 Example: Cryptographic Protocols
        Entities are the client, server, . . .
        The state is the point reached by the entity in the protocol
        An attacker can interfere with the communications

     We obtain for free a decision procedure for orchestration

Beyond the Security Analysis of Protocols

 [Figure: two service providers exposing operations Op. 1, Op. 2, Op. 3 over a
 network, with an orchestrator on the network]

 Web Services:
        Entities are service providers, which may be stateful or not
        An orchestrator can interact with these providers to provide a new
        functionality

     We obtain for free a decision procedure for orchestration

Orchestration

Model
   Messages of the services are decorated with guards and persistent
   assertions
             Limiting assumption, but well-suited for security

   The goal service is specified with an ordered sequence of messages and
   guards that have to be satisfied
             hence a finite execution

   Models both the interaction with a client and security constraints

Results obtained (with Mekki, Rusinowitch,
WSCMA07, FAST09)

   Decision procedure for orchestration by reduction to the insecurity
   problem of cryptographic protocols
   A wrapper (Mekki, Avanesov) implements the reduction before invoking
   CL-AtSe

   If one exists, we can compute a conversation:
        that takes into account the cryptographically protected parts of the
        messages
        that satisfies persistent security and functionality constraints
        that adapts messages to suit the different service interfaces

Can we connect the dots?
Summary
If one exists, we can compute a conversation describing an orchestration with
security constraints

Reminder (compilation):
we can automatically compute a secure implementation of any conversation
     Question: Can we actually compute an orchestration and deploy it as
     a service?

Automated deployment of orchestrations
     Implementation by M.A. Mekki
     Currently as a Tomcat servlet
     Further work is planned to obtain compliant Web Services

Plan

Distributed systems

Logical Model

Security analysis

Current and Future Works

Equivalence
M. Baudet, 2004

 Definition
 (Subterm deduction systems) A deduction system is subterm iff its equational
 theory is
      convergent
      contains only equations l = r with
            r a subterm of l, or
            r a ground term

 Theorem
 (Baudet, CCS 2004) If D is a subterm deduction system, then D-equivalence
 is decidable

Own current and future work

   Past: Another proof of this fact [with Rusinowitch, JAR 2010]
   Current: Definition of a generalization of subterm deduction systems,
   encompassing saturated deduction systems à la Kourjieh
   Future: Modularity of D-equivalence decision procedures?

Multiple attackers
with Avanesov, Rusinowitch, Turuani

 Setting

       Multiple, non-communicating attackers
       Model for code injected into applications at different places of the network
       Dual problem: distributed orchestration
       A few decidability (standard cryptography) and undecidability results

       Generic criterion for lifting reachability decidability results to this
       problem?

Extensions: Entities with Loops

Combination
    Automata-based methods are able to synthesize orchestrations with loops
    Future work: combination with our synthesis algorithms
    More generally: aspect-based analysis

ForAll loops
    Model XPath queries on messages with function symbols
    Difficulty: solving the associated unifiability problems

Contextual Deduction
Contextual deduction (Reddy, Bronsard)
     Employ resolution with unification replaced by pattern-matching
     Not refutationally complete in general
     Contrary to expectations, not complete for order-saturated sets of clauses

RTA LOOP 37
Is there a notion of 'complete theory' for which contextual deduction is
complete for the refutation of ground clauses?

Own current and future work
     Past: a re-definition of ordered saturation that keeps some redundant
     clauses
     Future: prove that contextual deduction is complete for such saturated
     sets of clauses

Future work
Communicating entities

 [Figure: Entity 1 (with State 1, State 2, State 3), Entity 2 and Entity 3
 connected through a network]

 Distributed systems:
        Several entities
        Communicating by message passing on a network

Future work
Communicating entities

 [Figure: Application 1 (Output 1, Input 2, Output 3) and Application 2
 communicating through an OS, within an environment]

 Separation kernels:
        Entities are the applications hosted by the system
        Communications go through an OS that implements an access control
        policy
        Validate the possible executions in a given environment

40+ years ago. . .

Alan Kay's description of object-oriented programming:
encapsulate each chunk of code with logic that enabled it to interact with any
other piece

                                                           (source: Super Freakonomics)

Many incarnations:
     Component-based software engineering
     Multi-agent systems
     ...


Yannick Chevalier - Habilitation (final)

  • 1. Logical Approach to the Security Analysis of Distributed Systems Yannick Chevalier Université Toulouse 3 Toulouse, 25/02/2011
  • 2. Outline Distributed systems Logical Model Security analysis Current and Future Works Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 2/88
  • 3. Plan Distributed systems Distributed systems Analysis of distributed systems Logical Model Security analysis Current and Future Works Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 3/88
  • 4. Outline Distributed systems Distributed systems Analysis of distributed systems Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 4/88
  • 5. Distributed Systems Communicating entities Entity 3 Entity 1 State 1 State 2 Network Distributed systems: State 3 Several entities Communicating by message passing on a network Entity 2 Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 5/88
  • 6. Distributed Systems Communicating entities Server Client Msg 1 Example: Cryptographic Protocols Msg 2 Network Entities are the client, server,. . . Msg 3 The state is the point reached by the entity in the protocol attacker An attacker can interfere with the communications Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 6/88
  • 7. Distributed Systems Communicating entities Provider 2 Provider 1 Op. 1 Web Services: Op. 2 Network Entities are service providers, Op. 3 which may be stateful or not An orchestrator can interact with these providers to provide a new Orchestrator functionality Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 7/88
  • 8. Outline Distributed systems Distributed systems Analysis of distributed systems Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 8/88
  • 9. Security Analysis of Distributed Systems Server Principle Client Specify the participating Msg 1 entities Msg 2 Network Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 9/88
  • 10. Security Analysis of Distributed Systems Server Principle Client Specify the participating Msg 1 entities Msg 2 Network Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 10/88
  • 11. Security Analysis of Distributed Systems Server Principle Client Specify the participating Msg 1 entities Msg 2 Network Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 11/88
  • 12. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 12/88
  • 13. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 13/88
  • 14. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 14/88
  • 15. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 15/88
  • 16. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 16/88
  • 17. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 17/88
  • 18. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 18/88
  • 19. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 19/88
  • 20. Security Analysis of Distributed Systems Principle Server Client Specify the participating Msg 1 entities Msg 2 OS Specify a property Msg 3 Check whether the property is satisfied by the possible executions attacker Security Properties Remarks Secrecy Not deterministic Authentication Infinitely branching Strong secrecy Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 20/88
  • 21. Outline Distributed systems Distributed systems Analysis of distributed systems Logical Model Formal model of entities Decision problems Compilation of conversations Security analysis Reachability & Refutation Combination results Computing an Orchestration Current and Future Works Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 21/88
  • 22. Plan Distributed systems Logical Model Formal model of entities Decision problems Compilation of conversations Security analysis Current and Future Works Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 22/88
  • 23. Outline Logical Model Formal model of entities Decision problems Compilation of conversations Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 23/88
  • 24. Equational Theories Modeling message properties Encryption: enc(xmsg , pk(xkey )), Decryption dec(xmsg , sk(xkey )) ∀xmsg , xkey , dec(enc(xmsg , pk(xkey )), sk(xkey )) = xmsg Associativity of concatenation _ · _ ∀x , y , z , x · (y · z ) = (x · y ) · z Generic model Data and operations are modeled with function symbols in a first-order signature Effects of operations and properties of data constructors are modeled with an equational theory Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 24/88
  • 25. Equational Theories Modeling message properties Encryption: enc(xmsg , pk(xkey )), Decryption dec(xmsg , sk(xkey )) ∀xmsg , xkey , dec(enc(xmsg , pk(xkey )), sk(xkey )) = xmsg Associativity of concatenation _ · _ ∀x , y , z , x · (y · z ) = (x · y ) · z Generic model Data and operations are modeled with function symbols in a first-order signature Effects of operations and properties of data constructors are modeled with an equational theory Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 25/88
  • 26. Deduction Systems Some function symbols denote relations between terms rather than computable function ∀xmsg , xkey , dec(enc(xmsg , pk(xkey )), sk(xkey )) = xmsg Deduction systems A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions Deduction system as a set of Horn clauses Let knowe (t ) be a predicate denoting that t’s value is known by e Equivalent to a set of Horn clauses each of the form: knowe (x1 ), . . . , knowe (xn ) ⇒ knowe (f (x1 , . . . , xn )) Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 26/88
  • 27. Deduction Systems Some function symbols denote relations between terms rather than computable function ∀xmsg , xkey , dec(enc(xmsg , pk(xkey )), sk(xkey )) = xmsg Deduction systems A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions Deduction system as a set of Horn clauses Let knowe (t ) be a predicate denoting that t’s value is known by e Equivalent to a set of Horn clauses each of the form: knowe (x1 ), . . . , knowe (xn ) ⇒ knowe (f (x1 , . . . , xn )) Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 27/88
  • 28. Deduction Systems Some function symbols denote relations between terms rather than computable function ∀xmsg , xkey , dec(enc(xmsg , pk(xkey )), sk(xkey )) = xmsg Deduction systems A deduction system is defined by an equational theory and the subset of symbols corresponding to computable functions Deduction system as a set of Horn clauses Let knowe (t ) be a predicate denoting that t’s value is known by e Equivalent to a set of Horn clauses each of the form: knowe (x1 ), . . . , knowe (xn ) ⇒ knowe (f (x1 , . . . , xn )) Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 28/88
  • 29. Entity Specification Generic model Set of multi-set rewriting rules (Cervesato et al.) State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project) Domain-specific models For cryptographic protocols For Web Services ... Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 29/88
  • 30. Entity Specification Generic model Set of multi-set rewriting rules (Cervesato et al.) State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project) Employed to describe distributed systems, but impractical for describing decision procedures Domain-specific models For cryptographic protocols For Web Services ... Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 30/88
  • 31. Entity Specification Generic model Set of multi-set rewriting rules (Cervesato et al.) State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project) Domain-specific models For cryptographic protocols For Web Services ... Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 31/88
  • 32. Entity Specification Generic model Set of multi-set rewriting rules (Cervesato et al.) State transitions expressed by a set of set-rewriting rules modulo a Horn theory (ASLan, Avantssar project) Domain-specific models For cryptographic protocols For Web Services ... Employed to describe decision procedures, based on simplifying assumptions Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 32/88
  • 33. Models Employed Program without loops Deduction systems Logical specification of possible roles in a cryptographic protocol actions: Web Services without Trust Attacker Negotiation policy Orchestrator Policy Enforcement Point ... Combination of both (work with Balbiani,ElHouri): Web services with Trust Negotiation policies Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 33/88
  • 34. Models Employed Program without loops Deduction systems Logical specification of possible roles in a cryptographic protocol actions: Web Services without Trust Attacker Negotiation policy Orchestrator Policy Enforcement Point ... Combination of both (work with Balbiani,ElHouri): Web services with Trust Negotiation policies Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 34/88
  • 35. Models Employed Program without loops Deduction systems Logical specification of possible roles in a cryptographic protocol actions: Web Services without Trust Attacker Negotiation policy Orchestrator Policy Enforcement Point ... Combination of both (work with Balbiani,ElHouri): Web services with Trust Negotiation policies Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 35/88
  • 36. Outline Logical Model Formal model of entities Decision problems Compilation of conversations Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 36/88
  • 37. Ground Reachability Setting An observer witnesses an execution of the system without interfering with it: t1 , . . . , tn A goal is specified with a ground term t Question: Can t be deduced given the messages t1 , . . . , tn ? Remarks Model of the possible constructions by the observer Unsatisfactory model of observer’s knowledge Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 37/88
  • 38. Ground Reachability Setting An observer witnesses an execution of the system without interfering with it: t1 , . . . , tn A goal is specified with a ground term t Question: Can t be deduced given the messages t1 , . . . , tn ? Remarks Model of the possible constructions by the observer Unsatisfactory model of observer’s knowledge Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 38/88
  • 39. Static Equivalence 1/2 Intuition Setting A game in which the observer witnesses execution of one out of two possible distributed systems: t1 , . . . , tn Question: Can the observer deduce to which distributed system this execution belongs to? Remarks Possible tests on the execution: constructions using the deduction system and nonce creation equality tests Model of observer’s knowledge Lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer,. . . Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 39/88
  • 40. Static Equivalence 1/2 Intuition Setting A game in which the observer witnesses execution of one out of two possible distributed systems: t1 , . . . , tn Question: Can the observer deduce to which distributed system this execution belongs to? Remarks Possible tests on the execution: constructions using the deduction system and nonce creation equality tests Model of observer’s knowledge Lot of research on this topic: Abadi-Fournet, Abadi-Cortier, Kremer,. . . Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 40/88
  • 41. Static Equivalence 2/2 Technical description Description of the game Input: 2 sequences of messages representing each the execution of one of the distributed system Output: N O if there exists two constructions that yields identical results on one execution and distinct values on the other Asymmetric version: Refinement [with Rusinowitch 10] A sequence of terms ψ refines a sequence ϕ if every pair of constructions that yields the same results on ϕ yields the same result on ψ . Notation: ψ |= M = N if the constructions M , N yield equal results when applied on the terms of ψ Yannick Chevalier, Toulouse, 25/02/2011 Université Toulouse 3 Habilitation 41/88
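The deduction game of slides 38 to 41, as an added runnable Python example that is not code from the talk or from its author's tools: a small Dolev-Yao style signature (pairing, symmetric and asymmetric encryption, hashing), a ground-reachability check that saturates the observed messages by decomposition and then tries to synthesize the goal, and a bounded search for equality tests M = N that hold on one execution but not on the other, which also gives the asymmetric refinement check. The signature, the rewrite rules and the sample frames are assumptions chosen for illustration; the search only enumerates constructions up to a fixed nesting depth, so a "no test found" answer is not a proof of static equivalence, unlike the finite-basis procedures the slides refer to.

```python
"""Dolev-Yao style deduction: ground deducibility (slide 38) and a bounded
search for equality tests telling two executions apart (slides 39-41)."""
from itertools import product

# Terms: atoms are strings, applications are tuples ("f", arg1, ...); arity >= 1.
CONSTRUCTORS = {"pair": 2, "senc": 2, "aenc": 2, "pk": 1, "h": 1}
DESTRUCTORS = {"fst": 1, "snd": 1, "sdec": 2, "adec": 2}

def normalize(t):
    """Normal form under fst(pair(x,y))->x, snd(pair(x,y))->y, sdec(senc(x,y),y)->x,
    adec(aenc(x,pk(y)),y)->x.  A destructor whose argument does not match stays stuck."""
    if not isinstance(t, tuple):
        return t
    f, *args = t
    args = [normalize(a) for a in args]
    a0 = args[0] if isinstance(args[0], tuple) else (None,)  # head of first argument
    if f == "fst" and a0[0] == "pair":
        return a0[1]
    if f == "snd" and a0[0] == "pair":
        return a0[2]
    if f == "sdec" and a0[0] == "senc" and a0[2] == args[1]:
        return a0[1]
    if f == "adec" and a0[0] == "aenc" and a0[2] == ("pk", args[1]):
        return a0[1]
    return (f, *args)

def synth(known, t):
    """Can t be built from `known` by applying constructors only?"""
    return t in known or (isinstance(t, tuple) and t[0] in CONSTRUCTORS
                          and all(synth(known, a) for a in t[1:]))

def analyze(knowledge):
    """Saturate the observed messages under decomposition (split pairs, decrypt when
    the key is synthesizable); terminates since every added term is a strict subterm."""
    known = {normalize(t) for t in knowledge}
    changed = True
    while changed:
        changed = False
        for t in [t for t in known if isinstance(t, tuple)]:
            new = []
            if t[0] == "pair":
                new = [t[1], t[2]]
            elif t[0] == "senc" and synth(known, t[2]):
                new = [t[1]]
            elif t[0] == "aenc" and isinstance(t[2], tuple) and t[2][0] == "pk" \
                    and synth(known, t[2][1]):
                new = [t[1]]
            changed |= any(u not in known for u in new)
            known.update(new)
    return known

def deducible(knowledge, goal):
    """Ground reachability: can the observer deduce `goal` from t1, ..., tn?"""
    return synth(analyze(knowledge), normalize(goal))

def recipes(n_handles, public, depth):
    """Constructions over handles w1..wn (observed messages) and public names, nested <= depth."""
    terms = [f"w{i}" for i in range(1, n_handles + 1)] + list(public)
    for _ in range(depth - 1):
        new = [(f, *args) for f, ar in {**CONSTRUCTORS, **DESTRUCTORS}.items()
               for args in product(terms, repeat=ar)]
        terms = list(dict.fromkeys(terms + new))
    return terms

def evaluate(recipe, frame):
    """Apply a construction to a frame: wi stands for the i-th observed message."""
    def subst(r):
        if isinstance(r, tuple):
            return (r[0], *[subst(a) for a in r[1:]])
        if isinstance(r, str) and r[:1] == "w" and r[1:].isdigit():
            return frame[int(r[1:]) - 1]
        return r
    return normalize(subst(recipe))

def equality_tests(phi, psi, public=("pub",), depth=2):
    """Yield (M, N, M=N holds on phi, M=N holds on psi) for all construction pairs."""
    rs = recipes(len(phi), public, depth)
    vals = [(evaluate(r, phi), evaluate(r, psi)) for r in rs]
    for i in range(len(rs)):
        for j in range(i + 1, len(rs)):
            yield rs[i], rs[j], vals[i][0] == vals[j][0], vals[i][1] == vals[j][1]

def distinguishing_test(phi, psi, public=("pub",), depth=2):
    """Bounded static equivalence: a test holding on exactly one frame, else None (no proof)."""
    tests = equality_tests(phi, psi, public, depth)
    return next(((m, n) for m, n, a, b in tests if a != b), None)

def refinement_violation(psi, phi, public=("pub",), depth=2):
    """psi refines phi iff every M = N valid on phi is valid on psi: return a counterexample."""
    tests = equality_tests(phi, psi, public, depth)
    return next(((m, n) for m, n, a, b in tests if a and not b), None)

if __name__ == "__main__":
    # Constructed frames: k, n, n2 are private names, "pub" is public.  Deterministic
    # public-key encryption leaks plaintext equality: once n is revealed (3rd message),
    # re-encrypting it under w2 and comparing with w1 succeeds on phi but not on psi.
    phi = [("aenc", "n", ("pk", "k")), ("pk", "k"), "n"]
    psi = [("aenc", "n", ("pk", "k")), ("pk", "k"), "n2"]
    print(deducible([("senc", ("pair", "n", "sk"), "k"), "k"], "sk"))
    print(distinguishing_test(phi, psi), refinement_violation(phi, psi))
```

The `aenc` frames make the point of slides 38 versus 39: neither execution lets the observer deduce anything new, so ground reachability sees no difference, yet the equality test tells them apart. It is also why real public-key encryption is randomized. The first frame, in which the revealed nonce really is the encrypted one, refines the second (every equality valid on the second is valid on the first), which is the direction a compiled implementation must check before accepting a received message.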
• 43. Reachability and Equivalence. Context: cryptographic protocols
  Setting: All entities but the attacker are modeled by loop-free programs. The attacker is modelled by a deduction system.
  Definition (D-Reachability): Can the attacker successfully complete the execution of the other entities?
  Definition (D-Equivalence): Can the attacker devise a completion in which he will be able to find out with which system he interacts?
• 46. Outline: Logical Model. Formal model of entities. Decision problems. Compilation of conversations.
• 47. Cryptographic Protocol Analysis
  Remarks: Cryptographic protocols are usually specified with the intended message sequence and interoperability considerations. The analysis performed is based on an operational semantics of cryptographic protocols: specifications of cryptographic protocols are not analyzed, their implementation is.
  Compilation problem: Can we compute an as-secure-as-possible implementation of a given specification?
• 49. Computation of an Interoperable Implementation (joint work with M. Rusinowitch)
  Main idea: An implementation has to solve, each time it sends a message, a reachability problem.
  Theorem [with Rusinowitch 10]: If D-ground reachability problems are effectively decidable, then it is possible to compute an interoperable implementation of a protocol described using the function symbols in D.
  Pitfall: the computed implementation may not perform any security checks (e.g. validation of a digital signature).
• 50. Computation of a Secure Implementation
  Definition: A deduction system D has the finite basis property if, for every finite sequence of messages ϕ, there exists a finite set S of pairs of constructions such that ψ |= M = N for all (M, N) ∈ S iff ψ is a refinement of ϕ.
  Remarks: Decision procedures for static equivalence usually compute such a finite set. This permits computing an implementation that accepts only the refinements of the intended message sequence.
  Conclusion: Justifies cryptographic protocol analysis relying on the operational semantics of the protocol. Important point: we can automatically compute a secure implementation of any conversation.
• 51. Plan: Distributed systems. Logical Model. Security analysis (Reachability & Refutation; Combination results; Computing an Orchestration). Current and Future Works.
• 52. Outline: Security analysis. Reachability & Refutation. Combination results. Computing an Orchestration.
• 53. Reachability Decision Procedures
  Reminder (D-Reachability): Can the attacker successfully complete the execution of the other entities?
  Many results: Amadio, Lugiez 2000 (atomic keys); Millen, Shmatikov 2001 (any keys); Comon-Lundh, Shmatikov 2003 (xor); Delaune, Jacquemard 2004 (collapsing); Baudet 2004 (subterm); Bernat, Comon-Lundh 2006 (blind signature); ...
  Common pattern: Assume there exists a completion that induces a substitution σ on the variables occurring in the messages exchanged by the honest participants. Prove that the size of this substitution can be bounded by using a "pumping lemma". Guess this substitution to reduce the problem to a ground reachability problem. Prove that the latter is decidable.
• 56. Results Obtained: Reachability decision procedures
  With Küsters, Rusinowitch, and Turuani: xor (LICS 2003), validation (CSL 2003), exponentiation (FSTTCS 2003).
  With Kourjieh: Decidability of reachability for protocols in which weak hash functions are employed (collisions computable) (ASIAN 2006). Decidability of reachability for protocols in which key selection attacks on the digital signature are possible (FSTTCS 2007).
  Last result: ad hoc application of ordered saturation on the Horn clauses in the deduction system.
• 58. Generalisation: Saturated Deduction Systems
  Saturation: Decidability result for order-saturated sets of clauses for ground problems by Basin, Ganzinger. Our procedure relied on different hypotheses, but was only applicable to specific sets of Horn clauses.
  Generalization: We have extended our proof to arbitrary sets of clauses. Consequence 1: replacement of a finiteness condition with a well-foundedness condition on the ordering employed during the saturation. Consequence 2: with further hypotheses, decidability of non-ground problems.
• 60. Outline: Security analysis. Reachability & Refutation. Combination results. Computing an Orchestration.
• 61. Combination of Equational Theories
  Principle: Reduce a unifiability problem on E1 ∪ E2 to unifiability problems on E1 and E2.
  Well-known results: Schmidt-Schauß 86, Baader+Schulz 92: combination of unifiability procedures for disjoint equational theories.
  A trivial problem? Additional constraints needed [Jan Otop, 2010].
  Question: Can we reuse these results to obtain similar ones for reachability analysis?
• 64. Application to Refutation of Protocols
  Additional constraints: The attacker has to build the solution. Preservation of the natural structure of these constraints.
  Results obtained: Combination of procedures deciding reachability for disjoint deduction systems (with Rusinowitch, ICALP 05). Non-disjoint case: conditions on the equations employing the shared symbols that permit the reduction to a sub-signature (with Rusinowitch, RTA 06).
• 65. Outline: Security analysis. Reachability & Refutation. Combination results. Computing an Orchestration.
• 66. Beyond the Security Analysis of Protocols
  [Figure: Client and Server exchanging Msg 1, Msg 2, Msg 3 over a Network, with an attacker on the network]
  Example: Cryptographic Protocols. Entities are the client, server, ... The state is the point reached by the entity in the protocol. An attacker can interfere with the communications.
  We obtain for free a decision procedure for orchestration.
• 67. Beyond the Security Analysis of Protocols
  [Figure: Provider 1 and Provider 2 offering Op. 1, Op. 2, Op. 3 over a Network, with an Orchestrator on the network]
  Web Services: Entities are service providers, which may be stateful or not. An orchestrator can interact with these providers to provide a new functionality.
  We obtain for free a decision procedure for orchestration.
• 68. Orchestration Model
  Messages of the services are decorated with guards and persistent assertions: a limiting assumption, but well-suited for security.
  The goal service is specified with an ordered sequence of messages and guards that have to be satisfied (finite execution). This models both the interaction with a client and the security constraints.
• 69. Results obtained (with Mekki, Rusinowitch, WSCMA07, FAST09)
  Decision procedure for orchestration by reduction to the insecurity problem of cryptographic protocols. A wrapper (Mekki, Avanesov) implements the reduction before invoking CL-AtSe.
  If it exists, we can compute a conversation: that considers the cryptographically protected parts of the messages; that satisfies persistent security and functionality constraints; that adapts messages to suit the different service interfaces.
• 71. Can we connect the dots?
  Summary: If it exists, we can compute a conversation describing an orchestration with security constraints. Reminder (compilation): we can automatically compute a secure implementation of any conversation. Question: Can we actually compute an orchestration and deploy it as a service?
  Automated deployment of orchestrations: Implementation by M.A. Mekki, currently as a Tomcat servlet. Further work is planned to obtain compliant Web Services.
• 75. Plan: Distributed systems. Logical Model. Security analysis. Current and Future Works.
• 76. Equivalence (M. Baudet, 2004)
  Definition (Subterm deduction systems): A deduction system is subterm iff its equational theory is convergent and contains only equations l = r with r a subterm of l, or r a ground term.
  Theorem (Baudet, CCS 2004): If D is a subterm deduction system, then D-equivalence is decidable.
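An added Python example, not from the talk, that applies the syntactic half of the definition above to a rule set: every rule l -> r must have r a proper subterm of l or a ground term. Convergence is not checked, and theories with associative-commutative symbols (xor, the exponentiation theory of slide 56) are not plain rewrite systems at all, so a pass here only says that the syntactic condition holds and that the subterm decision procedures may apply. The two rule sets are assumptions written for illustration.

```python
"""Syntactic check of the subterm condition on a rewrite system: each rule
l -> r must have r a proper subterm of l, or r ground.  Convergence and
AC symbols are outside the scope of this check."""

# Terms: atoms are strings, variables are strings starting with "?",
# applications are tuples ("f", arg1, ...).

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subterms(t):
    """Yield t and all of its subterms."""
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)

def is_ground(t):
    return not any(is_var(s) for s in subterms(t))

def is_subterm_rule(l, r):
    """r is a proper subterm of l (r != l, otherwise l -> l would loop) or ground."""
    return (r != l and r in set(subterms(l))) or is_ground(r)

def subterm_violations(rules):
    """Rules breaking the condition; an empty list means the system is subterm."""
    return [(l, r) for l, r in rules if not is_subterm_rule(l, r)]

# Constructed rule sets (assumed for illustration).
DY_RULES = [
    (("fst", ("pair", "?x", "?y")), "?x"),
    (("snd", ("pair", "?x", "?y")), "?y"),
    (("sdec", ("senc", "?x", "?y"), "?y"), "?x"),
    (("adec", ("aenc", "?x", ("pk", "?y")), "?y"), "?x"),
    # signature verification with a ground result: allowed by the definition
    (("check", ("sign", "?x", "?y"), ("pk", "?y")), "ok"),
]
# Diffie-Hellman style exponentiation: the right-hand side is neither a
# subterm of the left nor ground, so the subterm procedures do not apply.
DH_RULES = [
    (("exp", ("exp", "g", "?x"), "?y"), ("exp", "g", ("mult", "?x", "?y"))),
]

if __name__ == "__main__":
    print(subterm_violations(DY_RULES))   # no violation
    print(subterm_violations(DH_RULES))   # the exponentiation rule
```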
• 77. Own current and future work
  Past: Another proof of this fact [with Rusinowitch, JAR 2010].
  Current: Definition of a generalization of subterm deduction systems, encompassing saturated deduction systems à la Kourjieh.
  Future: Modularity of D-equivalence decision procedures?
• 78. Multiple attackers (with Avanesov, Rusinowitch, Turuani)
  Setting: Multiple, non-communicating attackers. Model for code injected into applications in different places of the network. Dual problem: distributed orchestration.
  A few decidability (standard cryptography) and undecidability results. Generic criterion for lifting reachability decidability results to this problem?
• 79. Extensions
  Entities with loops (combination): Automata-based methods are able to synthesize orchestrations with loops. Future work: combination with our synthesis algorithms. More generally: aspect-based analysis.
  ForAll loops: Model XPath queries on messages with function symbols. Difficulty: solving the associated unifiability problems.
• 81. Contextual Deduction
  Contextual deduction (Reddy, Bronsard): Employ resolution with unification replaced by pattern-matching. Not refutationally complete in general. Contrary to expectations, not complete for order-saturated sets of clauses.
  RTA LOOP 37 (RTA list of open problems): Is there a notion of 'complete theory' for which contextual deduction is complete for the refutation of ground clauses?
  Own current and future work. Past: a re-definition of ordered saturation that keeps some redundant clauses. Future: prove that contextual deduction is complete for such saturated sets of clauses.
• 84. Future work: Communicating entities
  [Figure: Entity 1 (State 1, State 2, State 3), Entity 2 and Entity 3 connected through a Network]
  Distributed systems: Several entities communicating by message passing on a network.
• 85. Future work: Communicating entities
  [Figure: Application 1 and Application 2 exchanging Output 1, Input 2, Output 3 through the OS, within an Environment]
  Separation kernels: Entities are the applications hosted by the system. Communications go through an OS that implements an access control policy. Validate the possible executions in a given environment.
• 86. 40+ years ago...
  Alan Kay's description of object-oriented programming: "encapsulate each chunk of code with logic that enabled it to interact with any other piece" (source: Super Freakonomics).
  Many incarnations: Component-based software engineering. Multi-agent systems. ...