Secure Concurrent Constraint

Programming

H. Lopez , J. Perez, C. Rueda,Universidad Javeriana

C. PalamidessiINRIA and LIX Ecole Polytechnique

F. ValenciaCNRS and LIX Ecole Polytechnique.

ICLP, 2006

ICLP06

Motivation

The study of security uses tools and tech-

niques from constraint and logic programming.

• CP and LP Programming Languages.. Millen's Interrogator Prolog constraint solver [Mil95].

• Logic Programming.

. Compton et al [CD99] used LP for protocols.

. Blanchet uses Horn-Clauses for analyzing protocols.

• Constraint Programming : Soft Constraints byBistarelli et al [BB01].

ICLP06 1

Motivations

Want to explore Concurrent Constraint Pro-

gramming (CCP), a well-stablished concurrency frame-work, for reasoning about Security Protocols.

Reasons:

• Strinking resemblance with modern calculi for security.

• Matured Model with several reasoning techniques(specially reachability analysis, traces) and implementa-tions

. Final-store denotational semantics,

. Complete proof systems for veri�cation P |= F

. Declarative methods: Processes-as-FOL formulae.

. Decidability Results for Reachability

. Programming Languages.

ICLP06 2

Agenda

In this talk we report on our observations and prelimi-nary work on CCP as a framework for security protocols.

1. Security Protocols

2. Process Calculi for Security Protocols

3. CCP

4. Similarities between CCP and Modern Process Calculifor Security

5. CCP Extension to model Security Protocols

6. Conclusion

ICLP06 3

Background: Security protocols

• Message exchange via untrusted network

• Achieve authentication, secrecy, anonymity, etc.

• Needham-Schröder protocol

A −→ B : {m,A}Pub(B)

B −→ A : {m,n}Pub(A)

A −→ B : {n}Pub(B)

Two roles: initiator (A), responder (B)

Concurrent sessions among distributed agents

Uses cryptography to achieve security properties

• Secrecy property:n never appears on a run of the protocols.

ICLP06 4

The Dolev-Yao model Active intruder:

• Eavesdrop

• Disassemble and compose

• Encrypt and decrypt with available keys

BUT

• random numbers unguessable

• cryptography unbreakable

Properties can be di�cult to proveUndecidability of secrecy (even for class of simple prot.)

ICLP06 5

Security protocol veri�cation

Do it formally:

• 1) protocol formalisation,

• 2) property formalisation,

• 3) the proof (automatic or by hand)

An important approach within Concurrency Theory:

• Process Calculi (enriched with crypto primitives):Treat (concurrent) processes much like the lambda cal-culi treat computable functions.

ICLP06 6

Example: SPL

Syntax:

ICLP06 7

SPL Modelling

Alice and Bob and Dole-Yao Spy:

The System Modelling All Attacks:

ICLP06 8

SPL Monotonic Semantics

Semantics: < Process, Names, Store >

Remember: Monotonic Store Assumption andName Generation

ICLP06 9

Example: Boreale and Buscemi's

Syntax:

Message Inference System:

ICLP06 10

Boreale and Buscemi's Semantics

Semantics (Con�gurations Store . Process).

Remember: Monotonic Store, Parametric in InferenceSystem, and Name Generation.

ICLP06 11

CCP Scenario & Concurrency

• Concurrent Executions of Agents.

• Synchronization: Via Blocking-Ask.

ICLP06 12

CCP Syntax

Let x, y, ..., be variables and γ, σ, ... be constraints(i.e., FOL formulae)

Agents A,B, ... := true

| tell(σ)| ask(σ).A| (νx)A| A ‖ B| p(X)

De�nitions D := ε| p(X) :: A| D.D

Programs P,Q := D.A

ICLP06 13

Operational Semantics

A(s,s′)−→ B means: A in store s reduces to B in s′.

TELL: tell(σ)(s,s∧σ)−→ true

ASK: ask(σ).A(s,s)−→ A , if s ` σ

PAR: A(s,s′)−→A′

A‖B(s,s′)−→A′‖B

HIDE: A(s,s′)−→A′

(localX)A(s,s′)−→A′

If X is fresh

ICLP06 14

A program example

D = max(X, Y, Z) :: (ask(X ≥ Y ).tell(Z = X))‖ (ask(Y > X).tell(Z = Y ))

A1 = tell(X > 20) ‖ tell(Y > 10) ‖ max(X, Y, Z)

A2 = tell(X > 20) ‖ tell(Y < 10) ‖ max(X, Y, Z)

• In A1 (initiated in the empty store) both ask agents arestuck.

• In A2 (initiated in any store) tell(Z = X) is output.

ICLP06 15

Constraint Systems

CCP is parametric in a constraint system

De�nition. A constraint system consists of a sig-

nature Σ and �rst-order theory ∆ over Σ.

• Constraints: formulae over Σ.

• Relation `: decidable entailment relation betweenconstraints.

Example: Boreale-Buscemi's constraint system: Σ speci�esthe crypto primitives and ` is given by

ICLP06 16

Observations

Observation 1: Boreale's Inference System ` gives riseto a particular constraint system.

Observation 2: CCP has a Monotonic Store (like SPL,Boreale's calculus, and others)

ICLP06 17

Some Reasoning Techniques

Closure-Operator and Logic Interpretations

Denotation [[ · ]] Formula F (·)[[ tell(σ) ]]= {γ | γ ` σ} σ

[[ ask(σ).A ]]= {γ | γ ` σ ⇒ γ ∈ [[ A ]]} σ ⇒ F (A)

[[ (νx)A ]] = {γ | ∃σ ∈ [[ A ]] : ∃xσ ⇔ ∃xγ} ∃xF (A)

[[ A ‖ B ]] = [[ A ]] ∩ [[ B ]] F (A) ∧ F (B)

Remark 1. (Behavioral Charecterization)[[ A ]] = [[B ]] i� not context can operationallydistinguishA from B.

Remark 2. (Rechability Charecterization)A output σ i� and only if F (A) ⇒ σ

Notice the correspondence between (νx)A and ∃xF (A).

Other tools: Proof systems for Model Checking, PetriNet Semantics, True Concurrent Semantics.

ICLP06 18

Modelling Security Protocols with

CCP

A CCP Strategy for reasoning about protocols:

• Use CCP with Boreales's constraint system.

• Use Tells to output messages on the network and Asksto input them.

• Then use reasoning techniques of CCP.

Almost done. Do we have name (or nonce) generation andname passing as most of the calculi for security ?

• Can the CCP �(νx)�, i.e., existential quanti�cation

�(∃x)�, simulate the Pi-calculus (νx) ?

Not quite. But we will see to it.

ICLP06 19

Modelling the Pi (νx) in CCP

• Assume a constraint system with only predicates of theform out(.). The process

tell(out(42)) ‖ ask(out(y)).A.

does not execute A.

• Let us then extend the Ask to Persistent Universal Ask:

B = ∀~y ask(σ[~y]).A

Operationally:

B(s,s)−→ A[~x/~y] ‖ B, if s ` σ[~x/~y] .

• The logic counter-part is ∀~y σ[~y] ⇒ F (A).

• Now we have name passing. E.g., the process

tell(out(42)) ‖ ∀y ask(out(y)).A.

executes A[42/y].

ICLP06 20

Modelling the Pi (νx) in CCP

Do we have name generation? Can we now capture thepi-calculus ν with ∃ ?

Consider the the interpretation of a replicated versionof the π calculus in the logical counter-part of our extendedCCP:

Remark 1: π reduction as logic entailment.

if P → Q then [[ P ]] |= [[Q ]]

Remark 2: FOL Charecterization of π Barb Observability.

P ⇓ x if and only if [[ P ]] |= ∃z out(x, z)

ICLP06 21

Modelling the Pi (νx) in CCP

• Hence if we are interested in certain kind of reachabilityanalysis ∃ can capture the ν operator of the π-calculus.

• Application: Identi�cation of meaninful π-classes forwhich barbed reachability is decidable by using Classicresults from FOL. E.g.,

Example: Berney-Schon�nkel's process !x(y).(νz)!yzis a provider of fresh names. The Goedel's process(νz)(!xz | !z(u).u) waits on its secret channel.

ICLP06 22

Modelling the Pi (νx) in CCP

Example: Take P = (νz)(!xz | !z(u).u) and Q =x(y).yt and R = Q ‖ P. We have R ⇓t.

From the translation we get:

ICLP06 23

Modelling the Pi (νx) in CCP

But how robust is the interpretation of ν as ∃ ?

The correspondance holds in the absence of mistmatch.E.g., It would not hold for mistmatch [x 6= y].P with thenatural interpretation x 6= y ⇒ [[ P ]].

Let R = (νx)(νy)[x 6= y].!t.

• We have R ⇓t

• But [[ R ]] = ∃x∃y(x 6= y ⇒ out(t)) 6` out(t).

So if want a more faithfull correpondance we may have toconsider operators to reason about freshness, uniqueness,etc. E.g., Miller's ∇operator.

ICLP06 24

Conclusions

We believe that CCP + Universal Persistent Asks mayprovide a framework for reasoning about security protocols:

• Constraint System speci�es crypt primitives and spyknowledge.

• Monotonic store models the power of the spy (see andremember everything)

• Existential and Universal model nonce generation andname passing.

• The non-linear (i.e., persistent) nature of the frameworkmakes it suitable for protocols analysys with unboundedruns.

ICLP06 25

References

References

[BB01] G. Bella and S. Bistarelli. Soft constraints forsecurity protocol analysis: Con�dentiality. Lecture

Notes in Computer Science, 1990, 2001.

[CD99] K. Compton and S. Dexter. Proof techniques forcryptographic protocols. Lecture Notes in Com-

puter Science, 1644, 1999.

[Mil95] J. Millen. The Interrogator model. In IEEE Sym-

posium on Security and Privacy, pages 251�260.IEEE Computer Society, 1995.

ICLP06 26