1

STATUS REPORT ON MAUDE-NPATOOL

Catherine Meadows Santiago Escobar Jose Meseguer

September 28, 2006

2

GOAL

• Extend standard free algebra model of cryptoprotocol analysis to deal with algebraicproperties– Encryption-decryption– Exclusive-or– Diffie Hellman– Etc.

• Provide tool that can be used to reason aboutthese in unbounded session model

3

Approach• Use rewriting logic as general theoretical framework

– Specify crypto protocols formally as rewrite rules andalgebraic identities as equational properties

• Use narrowing modulo equational theories assymbolic reachability analysis method

• Combine with state reduction techniques of NRLProtocol Analyzer

• Implement in Maude programming environment– Rewriting logic gives theoretical framework and

understanding– Maude implementation gives us tool support

4

PLANS• Formalize techniques in rewriting logic DONE

– Initial version of Maude-NPA tool• Grammar generation• Backwards narrowing reachability analysis• Soundness and completeness theorems

– Paper to appear in TCS special issue on ARSPA• Include state reduction techniques (NPA and new)

– Grammar generation DONE– Other techniques to improve efficiency (partially done)

• Extend model to different types of equational theories– Ongoing– Have implemented an initial AC version of tool in Maude– Need to extend grammars and other state reduction

techniques to these equational theories• Termination results for grammar generation (future)

5

Covered Today

• Overview of how NPA works• Description of optimizations• Where we are in AC Unification• Summing up

6

REWRITING LOGIC IN ANUTSHELL

7

NARROWING ANDBACKWARDS NARROWING

8

BASIC STRUCTURE OFMAUDE-NPA

• Uses strand space model• Searches backwards through strands from final state• Set of rewrite rules governs how search is conducted• Sensitive to past and future

– Used to prevent infinite loops– Learn-once rule says intruder can learn term only once– When an intruder learns term in a backwards search, tool

keeps track of this and doesn’t allow intruder to learn aboutit again

9

Specify Protocols as Strands

10

NOTION OF STATE IN NPASTRANDS

11

Protocol Rules and Their Execution

12

Introducing New Strands

13

Covered Today

• Overview of how NPA works• Description of optimizations• AC Unification• Summing up

14

Execute Rule 1 First (50%)

15

Partial Order Reduction (70%)

16

Using the Power of Strands (20% for each)

17

Lazy Intruder (30%)

18

A Refinement

• Kill the ghost if its variable subterms onlyappear in the future– In that case, there is no way they can be

instantiated• Another example of the power of strands: you

can see the past at a glance!

19

Conflict Between Ghosts and P.O.Reduction

• A state that dominates another could stopdoing once a ghost is revived

• Our solution: include the ghost whencomputing the partial order

• Potentially more powerful solution, in whichdominated states are part of the ghost, may beimplemented later

20

Major Slowdowns Remaining• In order to make experimentation with different

techniques easier, we use a “generate and test”strategy– Results in many more states generated than used– Once we have better understanding of optimizations, can

implement them in a more integral way• Lack of unification in Maude

– Unification implemented in tool– Once unification implemented in Maude, this should speed

things up

21

Covered Today

• Overview of how NPA works• Description of optimizations• AC Unification• Summing up

22

Status of AC Unification

• Have implemented AC unification viainterface to the CIME tool

• Two sources of inefficiency– Calls to CIME tool– CIME unification untyped, our unification typed

• However, is adequate for experimentation withAC

23

Recall How Languages Generated

• Search backwards from seed term• Look at terms intruder needs to know to learn

seed term• Use heuristics to create language rules saying

one of these terms is in the language• Iterate until you can prove that if the intruder

knows a term in the language, must havepreviously known term in language

24

An Observation onLanguage Generation Heuristics

25

But, keep on searching ….

26

Covered Today

• Overview of how NPA works• Description of optimizations• AC unification• Summing up

27

Summing Up

• We have the theoretical infrastructure in place• We have the basic implementation• We are starting to turn it into a working tool• We are starting to experiment with AC unification• To do

– More optimizations– Termination results– Verification on benchmarks: Clarke-Jacob, SPORE, Avispa– Tool integration