Monte Carlo Analysis of Security Protocols Needham-Schroeder

Monte Carlo Analysis of Security Protocols: Needham-Schroeder Revisited Radu Grosu SUNY at Stony Brook Joint work with Xiaowan Huang, Scott Smolka, & Ping Yang June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols Talk Outline 1. LTL Model Checking 2. Monte Carlo Model Checking  3. Needham-Schroeder 4. Implementation & Results 5. Conclusions & Future Work Model Checking S |  Is system S a model of formula φ? ? Model Checking • S is a nondeterministic/concurrent system. •  is (in our case) an LTL (Linear Temporal Logic) formula.  • Basic idea: intelligently explore S’s state space in attempt to establish S ⊨ . • Fly in the ointment: State Explosion! LTL Model Checking • An LTL formula is made up of atomic propositions p, boolean connectives , ,  and temporal modalities X (neXt) and U (Until). • Every LTL formula  can be translated to a Büchi automaton whose language is set of infinite words satisfying . • Automata-theoretic approach: S ⊨  iff L(BS)  L(B ) iff L(BS  B )   Emptiness Checking • Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). • Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! sn sk+3 sk+2 sk+1 DFS2 s1 s2 s3 sk-2 sk-1 sk DFS1 Monte Carlo Model Checking (MC2) • Sample Space: lassos in BS  B • Random variable Z : – Outcome = 0 if randomly chosen lasso accepting – Outcome = 1 otherwise • μZ = ∑ pi Zi (weighted mean) ~ • Compute (ε,δ)-approx.  Z of μZ Monte Carlo Model Checking (MC2) a b c d e L1 = abcb, L2 = abcdb, L3 = abcdea Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼ μZ = ½ Monte Carlo Approximation • Problem: Compute the mean value μZ of a random variable Z distributed in [0,1] when an exact computation of μZ proves intractable.  • Solution: Compute an (,)-approximation  Z of Z:  P r[  Z (1   )   Z   Z (1   )]  1   with error margin  and confidence ratio . • Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, expectation that S ⊨  ! Original Solution [Karp, Luby & Madras: Journal of Algorithms 1989]  • Compute  Z as the mean value of N independent random variables (samples) identically distributed according to Z:   Z  ( Z 1  ...  Z N ) / N • Determine N using the Zero-One estimator theorem: N  4 ln( 2 /  ) /  Z  2 • Problems: 1/  Z is unknown and 1/  2 can be large. Stopping Rule Algorithm (SRA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Innovation: computes correct N without using 1/  Z  = 4 ln(2/) / 2; for (N=0, S=0; S≤; N++) S=S+ZN;   Z = S/N; return  ;  Z  • Theorem: P r[  Z (1   )   Z   Z (1   )]  1   E[N] ≤ 4 ln(2/) / μZ2; • Problem: 1/  2 is in most interesting cases too large. Optimal Approx Algorithm (OOA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] • Compute N using generalized Zero-One estimator: N   4 ln ( 2 /     4 ln ( 2 /   ) /  Z ) /  Z 2 2 if σ Z   Z   oth erw ise    • Apply sequential analysis (prediction/correction): ˆ 1. Assume 2 is small and compute  Z with SRA(  ,  ) ˆ 2. Compute ˆ 2 using  Z and N  4 ln( 2 /  ) /  Z  ˆ  3. Use ˆ 2 to correct N and  Z . • Expected number of samples is optimal to within a constant factor! Monte Carlo Model Checking Theorem: MC2 computes an (ε,δ)-approximation of μZ in expected time O(N∙D) and uses expected space O(D), where D is the recurrence diameter of B = BS  B . Cf. DDFS which runs in O(2|S|+|φ|) time and space. Needham-Schroeder 1. A  B : { Na, A } KB 2. B  A : { Na, Nb } KA 3. A  B : { Nb } KB Breaking & Fixing Needham-Shroeder • In 1997, Lowe discovered a replay attack that involves an intruder I masquerading as A in its communication with B. As shown by Lowe, protocol is easily fixed by including identity of responder (B) in 2nd msg: 2´. B  A : { B, Na, Nb } KA • Implementation • Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules. • Specified NS as a reactive module; all communications go through intruder. • Intruder obeys Dolev-Yao model: besides normal communications, can intercept, overhear, and fake messages. Experimental Results nonce (0..1) (0..4) (0..8) (0..20) (0..32) (0..36) (0..60) DDFS time entries 1 31 1 607 2 2527 11 24031 32 85279 46 18111 oom time 20 33 34 34 70 141 4200 MC2 exp 1 2 9 12 24 37 467 avg 12 29 30 30 30 30 30 Time and space requirements for DDFS and MC2 Experimental Results nonce sat cntr (0..1) 2915 171 (0..4) 2955 18 (0..8) 2969 4 (0..20) 2970 3 (0..32) 6288 3 (0..36) 12975 3 (0..60) 194937 9 μZ mu_Z 0.9445 0.9939 0.9986 0.9989 0.9995 0.9997 0.9999 ~ Variation of µZ for MC2 Related Approaches • NRL Protocol Analyzer [Meadows 96] • Spi-Calculus [Abadi Gordon 97] • FDR [Lowe 97] • The Strand Space Method [Guttman et al. 98] • Isabelle Theorem Prover [Paulson 98] • Backward Induction [Kurkowski Mackow 03] Conclusions • Applied Monte Carlo model checking to Needham-Schroeder. • Results indicate may be more effective than traditional approaches in discovering attacks. • Further experimentation required to draw definitive conclusions. • Other Future Work: Use BDDs to improve run time. Also, take samples in parallel! Monte Carlo Model Checking • Randomized algorithm for LTL model checking utilizing automata-theoretic approach.  • Basic idea: Take N samples: sample = lasso = random walk through BS  B ending in a cycle. • If accepting lasso (counter-example) found, return false. • Else return true with certain confidence.