The Formal Method CAPSL - Michigan State...

Date post: 26-Jun-2020
The Formal Method CAPSL

Kyle Taylor, Zhenxiao Yang

CAPSL

• Common Authentication Protocol Specification Language

• Message list protocol description
– A -> B: {A, Na}PB
– B -> A: {Na, Nb}PA
– A -> B: {Nb}PB

[Figure: message sequence diagram between A and B carrying {A, Na}PB, {Na, Nb}PA, {Nb}PB]

Overview

CAPSL Notation

• Declarations
– Imports
– Types
– Variables
– Functions
– Constants

• Modules
– Typespec
– Protocol
– Environment

Typespec

• Introduce New Types
• Define Functions for a Type
• Extend Existing Types
• Syntax
– Declarations
– Axioms

TYPESPEC PPK;
IMPORTS SPKE;
TYPES PKUser : Principal;
FUNCTIONS
  pk(PKUser): Pkey;
  sk(PKUser): Pkey, PRIVATE;
VARIABLES
  A: PKUser;
  X: Field;
AXIOMS
  ped(sk(A), ped(pk(A), X)) = X;
  ped(pk(A), ped(sk(A), X)) = X;
  INVERT ped(pk(A), X): X | sk(A);
  INVERT ped(sk(A), X): X | pk(A);

Protocol

• The Message List
• Syntax
– Declaration
– Assumptions
– Messages
– Goals

PROTOCOL Simple;
VARIABLES
  A, B: Principal;
  K: Skey, FRESH, CRYPTO;
  F: Field;
ASSUMPTIONS
  HOLDS A: B;
MESSAGES
  A -> B: {A,K}pk(B);
GOALS
  SECRET K;

Protocol Declaration and Assumptions

• Declaration
– Denotes
  • Allows a variable to be defined as the value of an expression
• Assumptions
– Boolean-valued terms or equalities
– BELIEVES
  • Used to indicate an initial belief
– HOLDS
  • Used to indicate knowledge of another entity
– KNOWS
  • Belief plus truth

Example: BELIEVES A : BELIEVES B : HOLDS A : K

Protocol Messages

• Message Format
– id. sender -> receiver : field, …;
• Concatenation of Fields
– {,} denotes associative concatenation
– [,] denotes non-associative concatenation
• Encryption
– Built in functions ped(), pk(), se(), sd()
– {A, K}pk(B) == ped(pk(B), {A, K})
– {X}K == se(K, X) and {X}’K == sd(K, X)

Protocol Messages Continued

• Arithmetic
– Allows +, -, *, /, and ^ with built in type Skey
• %-operator
– Distinguishes between the sender's and the receiver's view of a message
– {A%B, C%D}
  • Sender constructs {A, C}
  • Receiver constructs {B, D}

Protocol Messages Continued

• Actions
– Assignment or comparison test
– Assume and Prove
  • Assumptions and Goals that are associated with intermediate states rather than initial and final states
• Phrases
– Phrase = message + actions before and after it
– “/” used to separate receiver actions from sender actions
  • A -> B: X;
  • X < Y;/
  • A -> C: Z;

Protocol Messages Continued

• Subprotocols
– A protocol may invoke a different protocol using INCLUDE P;
– No statements may follow an INCLUDE
• Conditional Selection
– IF A=B THEN INCLUDE P2;
– ELSE INCLUDE P3; ENDIF;

Protocol Goals

• States security objectives
• SECRET V : P1, …
– Variable V is a secret shared only by P1, …
• PRECEDES A : B | V1, V2
– If B reaches its final state, it agrees with A on V1, V2
• AGREE A, B : V1, … | W1, …
– If A and B agree on W1 then they must agree on V1

Environment

• Used for setup
• Syntax
– Declaration
– Agent
  • Define Roles
– Exposed
  • Defines initial knowledge of an attacker
– Axioms
  • Defines assumptions about constants
– Order
  • Specifies series-parallel sequencing of agents

ENVIRONMENT Test;
IMPORTS NSPK;
CONSTANTS
  Alice, Bob: PKUser;
  Mallory: PKUser, EXPOSED;
AGENT A1 HOLDS
  A = Alice;
  B = Bob;
AGENT B1 HOLDS
  B = Bob;
EXPOSED
  {Bob}sk(Alice);
END;

Needham-Schroeder Public Key Handshake

ENVIRONMENT Test;
IMPORTS NSPK;
CONSTANTS
  Alice, Bob: PKUser;
  Mallory: PKUser, EXPOSED;
AGENT A1 HOLDS
  A = Alice;
  B = Bob;
AGENT B1 HOLDS
  B = Bob;
EXPOSED
  {Bob}sk(Alice);
END;

PROTOCOL NSPK;
VARIABLES
  A, B: PKUser;
  Na, Nb: Nonce, CRYPTO;
ASSUMPTIONS
  HOLDS A: B;
MESSAGES
  A -> B: {A, Na}pk(B);
  B -> A: {Na, Nb}pk(A);
  A -> B: {Nb}pk(B);
GOALS
  SECRET Na;
  SECRET Nb;
  PRECEDES A: B | Na;
  PRECEDES B: A | Nb;
END;

CIL

• CAPSL Intermediate Language
• Two purposes
– Defines CAPSL Semantics
– Interface to tool support
• Uses Multiset Term Rewriting Rules

CIL Design

• General and Expressive enough to represent a wide range of protocols
• At a low enough level to be useful to verification and model checking tools
• Represents state-transitions in a pattern-matching style, with symbolic terms to represent encryption and other computations

Rewrite Rules

0 + x -> x
s(x) + y -> s(x + y)
0 * x -> 0
s(x) * y -> y + (x * y)
fact(0) -> s(0)
fact(s(x)) -> s(x) * fact(x)
gcd(0, x) -> x
gcd(x, x+y) -> gcd(x, y)

Examples

fact(s(s(0)))
-> s(s(0)) * fact(s(0))
-> s(s(0)) * s(0) * fact(0)
-> s(s(0)) * s(0) * s(0)
-> s(s(0)) * s(0) + (0 * s(0))
-> s(s(0)) * s(0) + 0
-> s(s(0)) * s(0)
-> s(s(0)) + (0 * s(s(0)))
-> s(s(0)) + 0
-> s(s(0)) = 2

s(s(s(0))) = 3

s(0) + (0 * s(0))
-> s(0) + 0
-> s(0) = 1

gcd(s(s(s(s(0)))), s(s(0)))
-> gcd(s(s(0)), s(s(0)))
-> gcd(0, s(s(0)))
-> s(s(0)) = 2

Multi-Set Rewrite

• F1, …, Fk -> (∃ X1, …, Xm) G1, …, Gn
– ∀ i,j Fi and Gj are facts
– Existentially quantified variables are instantiated with fresh (unused) constants
• A rule is eligible to fire when the facts on the left side can be matched with facts in the multiset
• When a rule fires, facts on the left side of the rule are removed from the multiset and facts on the right side of the rule are inserted into the multiset after being instantiated according to the substitution required by the pattern match.

MSR Example

• Rule that defines two new agents
– -> A0(A, B), B0(B)
• The message “A -> B: A, {N}sk(A)” results in at least two rules
– A0(A,B) -> (∃N) A1(A,B,N), M(A, B, {A, {N}sk(A)})
– B0(B), M(X, B, {A, {N}sk(A)}) -> B1(B, A, N)
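The firing semantics from the Multi-Set Rewrite slide, applied to the two rules above, as an added example that is not part of the original slides and is not CIL tool code. The tuple encoding of terms ("cat" for concatenation, "enc" for encryption), the "?"-prefixed variables, the constants alice/bob and all function names are assumptions made for this sketch.

```python
import itertools

_fresh = itertools.count(1)          # source of unused constants for (∃N)

def match(pat, term, env):
    """Match a pattern against a ground term; return extended bindings or None."""
    if isinstance(pat, str) and pat.startswith("?"):        # pattern variable
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(pat, env):
    """Instantiate a pattern with the bindings found by the match."""
    if isinstance(pat, tuple):
        return tuple(subst(p, env) for p in pat)
    return env.get(pat, pat)

def fire(rule, state):
    """Fire `rule` once on the multiset `state`; return the new multiset, or None if not eligible."""
    lhs, fresh, rhs = rule
    def search(i, env, rest):        # match each left-side fact to a distinct fact in the multiset
        if i == len(lhs):
            return env, rest
        for k, fact in enumerate(rest):
            e = match(lhs[i], fact, env)
            found = e is not None and search(i + 1, e, rest[:k] + rest[k + 1:])
            if found:
                return found
        return None
    found = search(0, {}, list(state))
    if found is None:
        return None
    env, rest = found                # `rest` is the multiset with the left-side facts removed
    env = {**env, **{v: f"n{next(_fresh)}" for v in fresh}}
    return rest + [subst(g, env) for g in rhs]

# Constructed encoding of {A, {N}sk(A)}: ("cat", A, ("enc", ("sk", A), N))
MSG = ("cat", "?A", ("enc", ("sk", "?A"), "?N"))
SEND = ([("A0", "?A", "?B")], ["?N"], [("A1", "?A", "?B", "?N"), ("M", "?A", "?B", MSG)])
RECV = ([("B0", "?B"), ("M", "?X", "?B", MSG)], [], [("B1", "?B", "?A", "?N")])

def run_demo():
    s0 = [("A0", "alice", "bob"), ("B0", "bob")]   # facts produced by the agent-creating rule
    s1 = fire(SEND, s0)                            # A0 consumed, fresh nonce, message fact M added
    return s0, s1, fire(RECV, s1)                  # B0 and M consumed, B1 records A and N
```

The receive rule is not eligible on the initial multiset because no M fact exists yet, and B learns A and N only from the message body, since the sender field X in the pattern is left unconstrained exactly as on the slide.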

Translation Output

• Slot Table
– Maps each protocol variable to an argument position in the state predicate of each role
• Symbol Table
– Contains all identifiers declared in all the specification modules
• Axioms
– Single list generated from Typespec and Environment
• Localized Assumptions and Goals
– Axioms localized to a particular state
• Protocol Rewrite Rules
– MSR rules
• Environment Information
– CIL AST representation of an Environment

Translation Stages

• Parsing
– Checks syntax and produces a parse tree
• Type Checking
– Confirms consistency of type and signature declarations
• Syntax Transformations
– Syntactical sugar is removed
• Rule Generation
– Creation of rewrite rules from messages and actions
• Local Assertions
– Transformation of Assertions from interleaved to Associated
• Optimization
– Reduces the number of rules and the number of states per role by 50%

CAPSL Example AP1.0

CAPSL Example AP2.0

CAPSL Example AP3.0

CAPSL Example AP4.0

CAPSL Example AP5.0

[Slides: CAPSL listings for examples AP1.0 through AP5.0; the listing text is not recoverable.]

Tools Support

• Translators
• Connectors
• Maude, PVS, NRL, etc.

Translator

• CAPSL Parser and Type Checker
– Checks syntax and type consistency
• Rule Generator
– Uses Maude to generate CIL rewrite rules
• CIL Optimizer
– Optimizes CIL while preserving behavior

Connectors

• Objective
– A bridge between CIL and various analyzer tools
• Example Connectors
– cil2pvs
– cil2maude

Maude

• Rewriting Logic Interpreter
• Contains an LTL Model Checker
• Reflective Computation Through Meta-Level Modules

Conclusion and Discussions

• Good Idea
– Unambiguous because of CIL
– Simple to describe protocols
– Inflexible in that it only specifies protocols
– The power of this language is in the tool support
– Insightful in the abstraction of the tool support
• More Connectors Needed
• Better documentation of Tool Support
• MuCAPSL
