
3.5 $crypt^{prob}_{time}$: Extending crypt with timed and probabilistic syntax and semantics

3.5.2 Operational Semantics

Rule rk says that the set of clocks to be reset in $\kappa(\|CR\|\,A_{pt})$ is $CR$ and the clock resets occur in $A_{pt}$; and rule ri says that the invariant of process $\varphi \triangleright A_{pt}$ is the intersection of $\varphi$ and the invariant predicate in $A_{pt}$.

PROTOCOLS

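u1. $U_d(A, v)$;

u2. $U_d(\alpha\pi\,A_{pt}, v)$;

u3. $U_d(\varphi \hookrightarrow A_{pt}, v)$ if $U_d(A_{pt}, v)$;

u4. $U_d(\|CR\|\,A_{pt}, v)$ if $U_d(A_{pt}, v[rst: CR])$;

u5. $U_d(\varphi \triangleright A_{pt}, v)$ if $U_d(A_{pt}, v) \wedge \models (v+d)(\varphi)$;

u6. $U_d(A^1_{pt}\,[\,]\,A^2_{pt}, v)$ if $U_d(A^1_{pt}, v) \vee U_d(A^2_{pt}, v)$;

u7. $U_d(A^1_{pt} \mid A^2_{pt}, v)$ if $U_d(A^1_{pt}, v) \vee U_d(A^2_{pt}, v)$;

u8. $U_d(A^1_{pt} \oplus_p A^2_{pt}, v)$ if $U_d(A^1_{pt}, v) \vee U_d(A^2_{pt}, v)$;

u9. $U_d(X_{pt}, v)$ if $U_d(P[P/X_{pt}], v)$;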

Rules (u1-u2) are the Until axioms for the states $(A, v)$ and $(\alpha\pi\,A_{pt}, v)$. In u3 the system stays in the state $(\varphi \hookrightarrow A_{pt}, v)$ until $d$ time units, if this is valid for the state $(A_{pt}, v)$ as well.

Rules (u4-u5) come from the definition of the clock reset and invariant. In rule (u4), $v[rst: CR]$ represents the clock valuation $v$ where the clocks in $CR$ are reset. Rules (u6-u8) say that the system stays until $d$ time units at the state with $A^1_{pt}\,[\,]\,A^2_{pt}$, $A^1_{pt} \mid A^2_{pt}$, and $A^1_{pt} \oplus_p A^2_{pt}$, if it stays $d$ time units in the state with one of the two processes $A^1_{pt}$ and $A^2_{pt}$. Rule u9 is concerned with the until predicate for the (recursive) process variable $X_{pt}$, which comes directly from the definition of recursive process invocation. Note that $P$ is a plain process defined in crypt.

I define the satisfaction predicate $\models$, $\models \subseteq \Phi(C)$, on clock constraints. For each $\varphi \in \Phi(C)$ I use the shorthand $\models v(\varphi)$ iff $v$ satisfies $\varphi$, for all clock valuations $v$. The set of past closed constraints, Φ(C)⊆Φ(C), is used for defining the semantics of location invariants: $\forall v \in V, d \in \mathbb{R}_{\geq 0}: \models (v+d)(\varphi) \Longrightarrow \models (v)(\varphi)$. Intuitively, this says that if the valuation $v+d$, which is defined as $v(x_c) + d$ for all clocks $x_c$, satisfies the constraint $\varphi$, then so does $v$. I adopt the variant of timed automata used in [24], where location invariants and clock resets are defined as functions $\partial$ and $\kappa$ assigning a set of clock constraints $\Phi(C)$ and a set of clocks to be reset $R(C)$, respectively, to a $crypt^{prob}_{time}$ process.

The probabilistic timed transition (action) rules for $crypt^{prob}_{time}$ are given as follows. I provide the connection of each PTTS transition with the edge syntax in probabilistic timed automata.

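a1. $(\alpha\pi\,A_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (A_{pt}, v+d)$ if $\alpha\pi\,A_{pt} \xrightarrow{\alpha,\,true}_{\pi} A_{pt}$;

a2. $(\|CR\|\,A_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (A'_{pt}, v')$ if $(A_{pt}, v[rst: CR]) \xrightarrow{\alpha(d),\,true}_{\pi} (A'_{pt}, v')$;

a3. $(\varphi \hookrightarrow A_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (A'_{pt}, v')$ if $(A_{pt}, v) \xrightarrow{\alpha(d),\,\varphi}_{\pi} (A'_{pt}, v') \wedge (v+d)(\varphi)$;

a4. $(\varphi \triangleright A_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (A'_{pt}, v')$ if $(A_{pt}, v) \xrightarrow{\alpha(d),\,true}_{\pi} (A'_{pt}, v') \wedge (v+d)(\varphi)$;

a5. $(A_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (\varphi \triangleright A'_{pt}, v')$ if $(A_{pt}, v) \xrightarrow{\alpha(d),\,true}_{\pi} (A'_{pt}, v') \wedge (v+d)(\varphi)$;

a6. $(A^1_{pt}\,[\,]\,A^2_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} ({A^1_{pt}}', v')$ if $(A^1_{pt}, v) \xrightarrow{\alpha(d),\,true}_{\pi} ({A^1_{pt}}', v')$;

a7/a. $(A^1_{pt} \oplus_p A^2_{pt}, v) \xrightarrow{\alpha(d),\,\pi(p)}_{PTTS} ({A^1_{pt}}', v')$ if $A^1_{pt} \oplus_p A^2_{pt} \xrightarrow{\alpha,\,true}_{\pi(p)} {A^1_{pt}}'$

a7/b. $(A^1_{pt} \oplus_p A^2_{pt}, v) \xrightarrow{\alpha(d),\,\pi(1-p)}_{PTTS} ({A^2_{pt}}', v')$ if $A^1_{pt} \oplus_p A^2_{pt} \xrightarrow{\alpha,\,true}_{\pi(1-p)} {A^2_{pt}}'$

a8. $(A^1_{pt} \mid A^2_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} ({A^1_{pt}}' \mid norst(A^2_{pt}), v')$ if $(A^1_{pt}, v) \xrightarrow{\alpha(d),\,true}_{\pi} ({A^1_{pt}}', v')$;

a9. $(X_{pt}, v) \xrightarrow{\alpha(d),\,\pi}_{PTTS} (P', v')$ if $(P[P/X_{pt}], v) \xrightarrow{\alpha(d),\,true}_{\pi} (P', v')$.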

In rule a2, $v' = v[rst: CR] + d$, and in the remaining rules $v' = v + d$. $v[rst: CR]$ represents the valuation $v$ where the clocks in $CR$ are reset. Each rule should be interpreted as follows: the PTTS transition on the left side can be performed if there is an edge in a corresponding automaton.

For instance, rule a1 applies if there is an edge $\alpha\pi\,A_{pt} \xrightarrow{\alpha,\,true}_{\pi} A_{pt}$ in the corresponding automaton. Rule a1 says that after performing action $\alpha$ with $d$ time units the system gets to the process $A_{pt}$ with the clock valuation after $d$ time units elapsed. Rule a2 says that by the time $\|CR\|\,A_{pt}$ proceeds to $A_{pt}$, the clocks in $CR$ will have been reset. In the rules a3 and a4 the timed transition can be performed if $(v+d)(\varphi)$ holds, which means that the valuation $v+d$ must satisfy the clock guard $\varphi$. Rules a5-a6 describe the case when process $A^1_{pt}$ is activated (the rules for activating $A^2_{pt}$ are similar). $\pi(p)$ and $\pi(1-p)$ in rules a7/a-b mean that in distribution $\pi$ the first and second transitions (edges) are chosen with probability $p$ and $(1-p)$. In a8, to avoid conflict of clock variables, it is required that after performing the transition, process $A^2_{pt}$ cannot perform resetting at the beginning. The last rule is the action rule for the recursive process variable $X_{pt}$. It can be proven, based on the rules u1-u9 and a1-a9, that the probabilistic timed transition system of $crypt^{prob}_{time}$ satisfies axioms Until and Delay, hence, it is well defined.

Theorem 2. For all $crypt^{prob}_{time}$ processes $A_{pt}$ and for all closed valuations $v_0$, $PTTS(A_{pt}, v_0, F)$ is indeed the probabilistic timed transition system defined in probabilistic timed automata. Hence, the correctness of the semantics of $crypt^{prob}_{time}$ is based on the correctness of the probabilistic timed automata.

Proof. (Sketch) Any process defined in $crypt_{time}$ can be expressed in a corresponding timed automaton. To show this, I adopt the notions image-finite and finitely sorted (borrowed from transition system theory). A probabilistic timed automaton is image-finite if for a given distribution $\pi$, the set of outgoing edges of each state with the same action $act$ is finite. Formally, for each $q$, $act$ and $\pi$, the size of the set $\{q \xrightarrow{act,\,\varphi}_{\pi} q' \mid q \in L\}$ is finite. A probabilistic timed automaton is finitely-sorted if for a given distribution $\pi$, the set of outgoing edges with the same action $act$ of every state, $\{act \mid \exists q' \in L: q \xrightarrow{act,\,\varphi}_{\pi} q'\}$, is finite.

The associated probabilistic timed automaton for an (initial) process $A^0_{pt}$ can be constructed by associating the process $A^0_{pt}$ to the initial location $q_0$, then each transition $A^0_{pt} \xrightarrow{\alpha,\,\varphi}_{\pi} A^1_{pt}$ can be defined in terms of a corresponding probabilistic timed automaton, $PT = (L, q_0, P, C, \partial, \kappa, E, \Pi)$, as follows:

$A^0_{pt} = \|\kappa(q_0)\|\,\partial(q_0) \triangleright (\varphi \hookrightarrow (\alpha\pi\,A^1_{pt}))$

In this process definition, $A^0_{pt}$ corresponds to location $q_0$ of the corresponding probabilistic timed automaton at which the set of clocks to be reset is $\kappa(q_0)$, and the invariant $\partial(q_0)$ is defined.

The edge from $q_0$ to $q_1$, $q_0 \xrightarrow{\alpha,\,\varphi,\,\pi} q_1$, corresponds to the time construct $\varphi \hookrightarrow (\alpha\pi\,A^1_{pt})$. Generally, for every subsequent process $A^i_{pt}$ after some transition steps from $A^0_{pt}$ we have

$A^i_{pt} = \|\kappa(q_i)\|\,\partial(q_i) \triangleright (\varphi \hookrightarrow (\alpha\pi\,A^{i+1}_{pt}))$

which corresponds to the edge $q_i \xrightarrow{\alpha,\,\varphi,\,\pi} q_{i+1}$ in $PT$. For the more complex target process such as $A^{(i+1)}_{pt\,1}\,[\,]\,\ldots\,[\,]\,A^{(i+1)}_{pt\,n}$ we have


$A^i_{pt} = \|\kappa(q_i)\|\,\partial(q_i) \triangleright [\,]^{n}_{j=1}(\varphi_j \hookrightarrow (\alpha_j\pi\,A^{(i+1)}_{pt\,j}))$

where $A^i_{pt}$ corresponds to location $q_i$ (with the appropriate resets and invariant) and the sub-process $[\,]^{n}_{j=1}(\varphi_j \hookrightarrow (\alpha_j\pi\,A^{(i+1)}_{t\,j}))$ corresponds to the edge from $q_i$ to the location $q_{(i+1)j}$ with label $(\alpha_j, \varphi_j)$, $1 \leq j \leq n$, such that $\alpha_j$ is the first enabled action (due to the valid condition at $q_i$) among the $n$ processes. In case there is more than one enabled action at the same time, it can be treated in the same way as the non-deterministic choices.

For the target process $A^{(i+1)}_{pt\,1} \oplus_p A^{(i+1)}_{pt\,2}$, we have the following process definition for $A^i_{pt}$:

$A^i_{pt} = \|\kappa(q_i)\|\,\partial(q_i) \triangleright (\varphi_1 \hookrightarrow (\alpha_1\pi(p)\,A^{(i+1)}_{pt\,1}) \oplus_p \varphi_2 \hookrightarrow (\alpha_2\pi(1-p)\,A^{(i+1)}_{pt\,2}))$

where $A^i_{pt}$ corresponds to location $q_i$, and from this location we can get to the location $A^{(i+1)}_{pt\,1}$ with probability $p$ and to $A^{(i+1)}_{pt\,1}$ with probability $1-p$, via the edges (or the corresponding transitions) with the labels $(\alpha_1, \varphi_1)$ and $(\alpha_2, \varphi_2)$, respectively.

For the target process $A^{(i+1)}_{pt\,1} \mid \ldots \mid A^{(i+1)}_{pt\,n}$, we have

$A^i_{pt} = \|\kappa(q_i)\|\,\partial(q_i) \triangleright (\varphi \hookrightarrow (\alpha\pi\,A^{(i+1)}_{pt\,1} \mid \ldots \mid A^{(i+1)}_{pt\,n}))$,

which says that from the location corresponding to process $A^i_{pt}$ we can get to the location corresponding to $A^{(i+1)}_{pt\,1} \mid \ldots \mid A^{(i+1)}_{pt\,n}$, via the edge (transition) with the label $(\alpha, \varphi)$. The reason is that we associate the parallel composition of $crypt^{prob}_{time}$ processes to a location in the probabilistic timed automaton, instead of interpreting it as parallel composition of automata. Hence, the transition $A^1_{pt} \mid A^2_{pt} \xrightarrow{\alpha,\,\varphi}_{\pi} {A^1_{pt}}' \mid A^2_{pt}$ corresponds to the edge $q \xrightarrow{act,\,\varphi}_{\pi} q'$, where $A^1_{pt} \mid A^2_{pt}$ corresponds to location $q$, while ${A^1_{pt}}' \mid A^2_{pt}$ corresponds to $q'$.

In case there is not any outgoing edge from $q_i$ we have the following process definitions for each type of target process:

$A^i_{t} = \|\kappa(q_i)\|\,\partial(q_i) \triangleright nil$

I defined rules for renaming of clock variables and I showed that the non-conflict of clock variables property, ncv, of a process is preserved by clock renaming, hence, the restriction I made to processes without conflict of clock variables is harmless [24]. Based on the rules of renaming I also added new rules for structural equivalence resulting from renaming. I omit the detailed discussion of these rules because I do not use them in the dissertation, but the reader can find it in my longer report [Th12 , 2013].

Weak probabilistic timed (weak prob-timed) labeled bisimulation

I provide a novel bisimilarity definition, called weak prob-timed labeled bisimulation for $crypt^{prob}_{time}$, which enables us to prove or refute the security of probabilistic timed systems.

My proposed definition makes use of the definition of static equivalence proposed in the applied π-calculus [27], which says that the outputs of statically equivalent processes cannot be distinguished by the environment (or attackers). The main advantage of static equivalence is that it only takes into account the static knowledge exposed by two processes to show their behavioral equivalence. This method is much easier to use than the observational equivalence [27], where I have to consider the dynamic behavior of processes.

Let the extended process $A$ be $\{t_1/x_1\} \mid \ldots \mid \{t_n/x_n\} \mid P_1 \mid \ldots \mid P_n$. The frame $\varphi$ of $A$ is the parallel composition $\{t_1/x_1\} \mid \ldots \mid \{t_n/x_n\}$ that models all the information that is output so far by the process $A$, which are $t_1, \ldots, t_n$ in this case.

Definition 14. Static equivalence for extended processes ($\approx_s$). Two extended processes $A_1$ and $A_2$ are statically equivalent, denoted as $A_1 \approx_s A_2$, if their frames are statically equivalent. Two frames $\varphi_1$ and $\varphi_2$ are statically equivalent if they include the same number of active substitutions and the same domain; and any two terms that are equal in $\varphi_1$ are equal in $\varphi_2$ as well. Intuitively, this means that the outputs of the two processes cannot be distinguished by the environment.

In my proposed weak prob-timed labeled bisimulation, I extend the static equivalence with time and probabilistic elements. The meaning of weak is that in this dissertation I want to examine whether the attackers can distinguish the behavior of two processes, based on the information they can observe. Hence, in weak prob-timed labeled bisimulation, I do not require the equivalence of the probability of two action traces, because practically an observer cannot distinguish whether an action is performed with 1/2 or 1/3 probability.

Nevertheless, I also proposed the definition of strong prob-timed labeled bisimulation in my longer report [Th12 , 2013], which I do not discuss in this dissertation, because I found that for analyzing the security of DTSN and SDTP, it is sufficient to use the weak prob-timed labeled bisimulation. Strong prob-timed labeled bisimulation is stricter, since it also distinguishes two processes based on the probability of their corresponding action traces.

Definition 15. (Weak prob-timed labeled bisimulation for $crypt^{prob}_{time}$ processes)

Let $PTTS_i(A^i_{pt}, v_0, F) = (S_i, \alpha \times \mathbb{R}_{\geq 0} \times \Pi, s^i_0, \longrightarrow_{PTTS_i}, U_i, F)$, $i \in \{1, 2\}$, be two probabilistic timed transition systems for $crypt^{prob}_{time}$ processes. Weak prob-timed labeled bisimilarity ($\approx_{pt}$) is the largest symmetric relation $R$, $R \subseteq S_1 \times S_2$ with $s^1_0\,R\,s^2_0$, where each $s_i$ is the pair of a closed $crypt^{prob}_{time}$ process and a same initial valuation $v_0 \in V_c$, $(A^i_{pt}, v_0)$, such that $s_1\,R\,s_2$ implies:

1. $A_1 \approx_s A_2$;

2. if $s_1 \xrightarrow{\tau(d),\,\pi}_{PTTS_1} s'_1$ for a scheduler $F$, then $\exists s'_2$ such that $s_2 \stackrel{\tau(\sum d_i),\,\pi_i}{\Longrightarrow}_{PTTS_2} s'_2$ for the same $F$, with $d = f(\sum d_i)$ for some function $f$, and $s'_1\,R\,s'_2$;

3. if $s_1 \xrightarrow{\alpha(d),\,\pi}_{PTTS_1} s'_1$ for a scheduler $F$ and $fv(\alpha) \subseteq dom(A_1) \wedge bn(\alpha) \cap fn(A_2) = \emptyset$, then $\exists s'_2$ such that $s_2 \stackrel{\alpha(\sum d_j),\,\pi_i}{\Longrightarrow}_{PTTS_2} s'_2$ for the same $F$, with $d = f(\sum d_j)$ for some function $f$, and $s'_1\,R\,s'_2$. Again, $dom(A_i)$ represents the domain of $A_i$,

and vice versa. $A_1$ and $A_2$ are the extended processes we get by removing all the probabilistic and timed elements from $A^1_{pt}$ and $A^2_{pt}$, respectively.

The arrow $\stackrel{\alpha}{\Longrightarrow}_{PTTS}$ is the shorthand of the action trace $\xrightarrow{\tau}{}^{*}_{PTTS} \xrightarrow{\alpha}_{PTTS} \xrightarrow{\tau}{}^{*}_{PTTS}$, where $\xrightarrow{\tau}{}^{*}_{PTTS}$ represents a series (formally, a transitive closure) of sequential transitions $\xrightarrow{\tau}_{PTTS}$. $\sum d_i$ on $\Longrightarrow_{PTTS}$ is the sum of the time elapsed at each transition, and represents the total time elapsed during the sequence of transitions. Note that $fn(A^2_{pt})$ and $dom(A^1_{pt})$ are the same as $fn(A_2)$ and $dom(A_1)$, respectively. Moreover, a process $A_{pt}$ is closed if its non-timed and "non-probabilistic" counterpart $A$ is closed.

Intuitively, in case $A^1_{pt}$ and $A^2_{pt}$ represent two protocols (or two variants of a protocol), then the meaning of each point in the Definition is as follows: (i) the outputs of the two processes $A^1_{pt}$ and $A^2_{pt}$ cannot be distinguished by the environment based on their behaviors; (ii) the time that the protocols spend on the performed operations until they reach the corresponding points is in some relationship defined by a function $f$. Here $f$ depends on the specific definition of the security property, for instance, it can return $d$ itself, hence, the requirement for time consumption would be $d = \sum d_i$. In particular, the first point means that $A^1_{pt}$ and $A^2_{pt}$ are statically equivalent, that is, the environment cannot distinguish the behavior of the two protocols based on their outputs; the second point says that $A^1_{pt}$ and $A^2_{pt}$ remain statically equivalent after silent transition (internal computation) steps. Finally, the third point says that the behavior of the two protocols matches in transition with the action $\alpha$.
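The following Python sketch is an added example, not part of the dissertation: it checks the three points of Definition 15 on small finite, acyclic transition systems, taking $f$ as the identity and ignoring edge probabilities, as the weak variant does. Static equivalence is approximated by equality of a per-state frame tuple, and the names `weak_moves`, `weak_pt_bisimilar` and the four sample systems are constructed for illustration.

```python
TAU = "tau"

def weak_moves(ts, s, act):
    """(target, total delay) pairs for tau* act tau* from s (tau* alone when act is TAU)."""
    out, seen, stack = set(), set(), [(s, 0, act == TAU)]
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        q, elapsed, done = item
        if done:
            out.add((q, elapsed))
        for a, d, _prob, q2 in ts["edges"].get(q, ()):
            if a == TAU:
                stack.append((q2, elapsed + d, done))
            elif a == act and not done:
                stack.append((q2, elapsed + d, True))
    return out

def weak_pt_bisimilar(ts1, ts2, f=lambda total: total):
    """Greatest fixpoint of Definition 15; edge probabilities are deliberately ignored."""
    # Point 1, abstracted as frame equality; the fv/bn side conditions are not modelled.
    rel = {(p, q) for p in ts1["frame"] for q in ts2["frame"]
           if ts1["frame"][p] == ts2["frame"][q]}
    def simulated(a, b, p, q, flip):
        for act, d, _prob, p2 in a["edges"].get(p, ()):      # points 2 and 3
            if not any(d == f(total) and ((q2, p2) if flip else (p2, q2)) in rel
                       for q2, total in weak_moves(b, q, act)):
                return False
        return True
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (simulated(ts1, ts2, p, q, False) and simulated(ts2, ts1, q, p, True)):
                rel.discard((p, q))
                changed = True
    return (ts1["init"], ts2["init"]) in rel

# Constructed sample systems: edges are (action, delay d, probability, target).
REF = {"init": "a0", "frame": {"a0": (), "a1": ("ack",)},
       "edges": {"a0": [("out", 3, 1.0, "a1")]}}
SAME = {"init": "b0", "frame": {"b0": (), "b1": (), "b2": ("ack",)},
        "edges": {"b0": [(TAU, 0, 1.0, "b1")], "b1": [("out", 3, 1.0, "b2")]}}
SLOW = {"init": "c0", "frame": {"c0": (), "c1": ("ack",)},
        "edges": {"c0": [("out", 5, 1.0, "c1")]}}
LEAK = {"init": "d0", "frame": {"d0": (), "d1": ("ack", "key")},
        "edges": {"d0": [("out", 3, 1.0, "d1")]}}
```

With $f$ the identity, `SAME` is related to `REF` because its extra silent step takes no time, `SLOW` is told apart purely by elapsed time, and `LEAK` by its frame.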
