DOI: 10.1145/1045405.1045413
Article

Formal prototyping in early stages of protocol design

Published: 10 January 2005

ABSTRACT

Network protocol design is usually an informal process where debugging is based on successive iterations of a prototype implementation. The feedback provided by a prototype can be indispensable since the requirements are often incomplete at the start. A drawback of this technique is that errors in protocols can be notoriously difficult to detect by testing alone. Applying formal methods such as theorem proving can greatly increase one's confidence that the protocol is correct. However, formal methods can be tedious to use, rarely support successive design iterations and prototyping, are difficult to scale to entire designs, and typically require a clear understanding of requirements in advance. We investigate how formal simulation based on Maude executable specifications overcomes many of these hurdles. We apply this technique in the early stages of the design of a new security protocol, known as Layer 3 Accounting (L3A), aimed at protecting against known vulnerabilities in the wireless accounting infrastructure. The protocol sets up a collection of IPsec security associations that provide the necessary protection. We demonstrate how formal simulation uncovered problems in several successive iterations of the L3A protocol design.

    • Published in

      WITS '05: Proceedings of the 2005 workshop on Issues in the theory of security
      January 2005
      90 pages
      ISBN:1581139802
      DOI:10.1145/1045405

      Copyright © 2005 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States
