Virtual Nodes for Mobile Networks ... and Analyzing Security Protocols

1
Virtual Nodes for Mobile Networks ... and Analyzing Security Protocols
  • Nancy Lynch
  • Massachusetts Institute of Technology, CSAIL
  • UIUC, MIT, Stanford, UCSB, UCLA MURI 3-Year
    Review
  • June 22, 2005
  • Sponsored by DDR&E and AFOSR
  • Program manager: Lt Col Sharon Heise

2
Involves all aspects of project
[Diagram: project areas Control, Information Theory, Computing, Verification, Communications, Robotic Vehicles; MIT participants Lynch, Kaynar, and students Gilbert, Mitra, Nolte, Newport, Umeno, ...]
3
MIT project
  • Uses interacting automaton models:
    • I/O Automata (IOA)
    • Timed I/O Automata (TIOA)
    • Hybrid (HIOA)
    • Probabilistic (PIOA)
  • To represent, analyze, simulate, various kinds
    of complex systems:
    • Communication systems, traditional and wireless
    • Robots, vehicles, aircraft
    • Security protocols

4
Highlights: TIOA
  • Monograph: Theory of Timed I/O Automata (Kaynar,
    Lynch)
  • Applications: Virtual Node systems
  • Tools (Kaynar, Lynch, Garland, Shvartsman, Mitra,
    Umeno, Mavrommatis, Lim, Griffeth, Archer)
    • Designed formal TIOA modeling language
    • Built prototypes of supporting tools
      • Parser, connection to PVS theorem-prover,
        simulator.
    • Examples
      • Many small verification examples
      • DHCPv6 communication protocol, other Internet
        protocols
      • NASA SATS-HVO
  • VeroModo, to engineer the tools for wider use.

5
Highlights: HIOA
  • Stability analysis for hybrid systems (Mitra,
    Liberzon)
    • Mode switches, lower bound on average dwell time.
    • Last year's MURI review talk.
  • Motion coordination for mobile robots
  • Current: Defining HIOA modeling language,
    considering how to extend the TIOA tools to
    hybrid systems.
    • PVS theorem-prover, simulator
  • Integration with control theory methods
    (stability, robustness)

6
Highlights: PIOA
  • Compositionality properties for probabilistic I/O
    automata (Lynch, Cheung, Segala, Vaandrager)
    • Special case: Switched automata
    • General case: Hard
  • New kinds of simulation relations to prove
    implementation relationships between PIOAs
    (Kaynar, Lynch, Segala)
  • Time-bound restrictions, approximate knowledge
    (Canetti, Lynch, Pereira)
  • Applications to security protocols

7
This talk
  • Two projects:
    • Virtual Nodes for Mobile ad hoc Networks
    • Security protocol modeling using Probabilistic
      I/O Automata.

8
1. Virtual Node Layers
  • Collaborators: Shlomi Dolev, Alex Shvartsman,
    Jennifer Welch, Seth Gilbert, Sayan Mitra, Calvin
    Newport, Tina Nolte, Limor Lahiani, Elad Schiller,
    Matthew Brown, Mike Spindel

9
Virtual Nodes
  • Small computers can be equipped with sensors,
    actuators, wireless communication.
  • Potentially, people, robots, vehicles, could use
    this hardware to establish mobile ad hoc
    networks, coordinate in running applications.
  • Examples:
    • Rescue workers in disaster areas
    • Soldiers in urban battle
    • Robots exploring a novel location
    • Cars on highway
  • Set up network, use network to collect and
    process data, produce models of environment, plan
    activities.

10
That would be nice, but
  • Application design for ad hoc networks is hard.
    • Networks change unpredictably.
  • New idea for simplifying application design:
    • Use a Virtual Node layer
      • Abstract layer containing virtual computing
        nodes that are better behaved than actual
        physical nodes.
    • Program applications on top of the virtual node
      layer.

11
Virtual Node Layers
  • Abstraction layers containing virtual active
    nodes.
  • Virtual Nodes may be associated with fixed
    geographical locations, or
  • VNs may move
    • Along a pre-planned path, or
    • Along a path that is calculated dynamically.
  • Program applications over the VN layer.

12
Virtual Node Layers
13
Virtual Node Layers
14
Virtual Node Layers
Route message to a designated geographical region.
15
Virtual Node Layers
Gather, analyze, aggregate, and distribute data.
16
Virtual Node Layers
Coordinate region.
17
Alternative approach: IP Routing
  • Build an IP-style point-to-point routing service
    directly over the MAC layer.
  • Build applications on top of IP routing layer.
    • Masks mobility.
  • Standard approach (IETF Working Group on Mobile
    Ad Hoc Networks)
    • Internet-inspired view
    • Many protocols: AODV, DSR, APRL, ODMRP, GPSR,
      STARA, ...

18
IP Routing
  • But IP routing is difficult to implement in
    mobile networks.
    • Algorithms are complicated.
    • Don't work well when network changes too much.
  • And it doesn't give us everything we want:
    • Rescue workers, soldiers want:
      • Broadcast to geographical region (Geocast).
      • Learn standing orders for region.
      • Collect data about region.
    • Robots in novel location want:
      • Elect leader for region.
      • Build predictive models.
      • Use model to coordinate activities.
    • Cars on highway want:
      • Information about highway conditions.
      • Travel advice.

19
Other services
  • Local services
    • Local leader election
    • Local reliable broadcast
  • Global services
    • Token circulation
    • Leader election
    • Mutual exclusion
    • Spanning trees
  • Still don't provide everything we need

[Figure: layered view of an Application running over Token, Leader, and RBcast services]

20
Virtual Node Layers
  • Sounds appealing, but needs a lot of work...
  • Theoretical:
    • Define particular Virtual Node layers.
    • Devise algorithms to implement VN layers over MAC
      layer, analyze correctness, performance,
      fault-tolerance.
    • Devise algorithms to implement applications over
      VN layers, analyze.
  • Empirical:
    • Validate assumptions in practice.
    • Implement VN layers.
    • Implement applications.

21
Four VN layers, with applications
  • 1.1. Virtual objects
  • 1.2. Virtual mobile I/O automata
  • 1.3. Virtual stationary timed I/O automata
  • 1.4. Virtual stationary I/O automata with time
    bounds

22
1.1. Virtual Objects
  • Dolev, Gilbert, Lynch, Shvartsman, Welch [DISC 03,
    DGLSW 04]
  • Original goal:
    • Implement atomic Read/Write memory (like
      centralized shared memory) in mobile networks.

23
RAMBO algorithm
  • Runs directly over MAC layer.
  • Guarantees:
    • Atomicity in all cases (like shared memory).
    • Good latency in common cases.
    • High availability.
  • Use configurations: members, read-quorums,
    write-quorums.
    • Members maintain object replicas.
    • Read, write, reconfigure ops involve two phases,
      accessing a read-quorum and a write-quorum.
    • Everything proceeds concurrently.

24
Virtual Objects approach
  • Uses Virtual Object intermediate layer.
  • Virtual Objects at fixed geographical locations.
    • Centers of small, densely populated areas
      • Roadways: Busy traffic intersections.
      • Urban battlefield: Major buildings, bridges, ...
    • Continuously populated, thus able to maintain
      state.
  • Implement Virtual Object layer over mobile ad hoc
    network layer.
  • Implement Read/Write memory over Virtual Object
    layer.

25
Virtual Object Layer
  • Client automata, with knowledge of time and
    location.
  • Virtual Object automata, atomic tagged-value
    objects.
  • Client automata accept Read/Write operation
    invocations from, return responses to, their
    external environment.
  • Client automata perform operations on VO automata.

26
Implementing Atomic Memory
  • Client automata manage Read/Write operations.
  • Replicas at Virtual Objects.
  • Read/Write operations use quorums of VOs.
  • Write operation: 1-phase
    • Choose unique tag (Real-time clock, Client node
      ID).
    • Write the new (tag, value) to a write-quorum of
      VOs.
  • Read operation: 2-phase
    • Read from read-quorum of VOs, learn largest (tag,
      value).
    • Propagate to a write-quorum of VOs.
      • Avoid propagating a tag if another op has
        already done so.
  • Tolerates bounded number of VO stopping failures.
  • Limited reconfiguration also allowed.
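
A toy run of the 1-phase write / 2-phase read quorum algorithm above, added here as an example (not code from the talk or from the RAMBO/GeoQuorums work); the number of VOs, majority quorums, and a counter standing in for the real-time clock are assumptions made for illustration:

```python
"""Added example, not from the talk: toy model of the slide-26 atomic memory
algorithm. Virtual Objects (VOs) hold (tag, value) replicas, a tag is
(real-time clock, client id), writes are 1-phase and reads 2-phase over
quorums. Five VOs, majority quorums, and a shared counter standing in for
the real-time clock are assumptions made here for illustration."""
import itertools
import random

NUM_VOS = 5
QUORUM_SIZE = 3   # any majority: every read-quorum meets every write-quorum


class VirtualObject:
    """Atomic tagged-value object at a fixed location; may stop (fail)."""

    def __init__(self):
        self.tag, self.value, self.failed = (0, 0), None, False

    def write(self, tag, value):
        if tag > self.tag:          # keep only the largest tag seen
            self.tag, self.value = tag, value

    def read(self):
        return self.tag, self.value


class Client:
    """Client automaton: knows the time, talks to VOs via quorums."""

    def __init__(self, cid, vos, clock, rng):
        self.cid, self.vos, self.clock, self.rng = cid, vos, clock, rng

    def _quorum(self):
        # Any QUORUM_SIZE live VOs form a quorum; the algorithm tolerates
        # NUM_VOS - QUORUM_SIZE stopping failures.
        live = [vo for vo in self.vos if not vo.failed]
        if len(live) < QUORUM_SIZE:
            raise RuntimeError("too many VO failures for a quorum")
        return self.rng.sample(live, QUORUM_SIZE)

    def write(self, value):
        # 1-phase: unique tag (clock, client id), then write a write-quorum.
        tag = (self.clock(), self.cid)
        for vo in self._quorum():
            vo.write(tag, value)
        return tag

    def read(self):
        # Phase 1: read a read-quorum, keep the largest (tag, value).
        tag, value = max((vo.read() for vo in self._quorum()),
                         key=lambda tv: tv[0])
        # Phase 2: propagate it to a write-quorum, so that no later read
        # can return an older value than this one (atomicity).
        for vo in self._quorum():
            vo.write(tag, value)
        return value


def run_scenario(seed=7):
    """Two clients, one write each, a read after each write, and two VO
    stopping failures in between. Returns the two values read."""
    rng = random.Random(seed)
    ticks = itertools.count(1)
    clock = lambda: next(ticks)            # stands in for the real-time clock
    vos = [VirtualObject() for _ in range(NUM_VOS)]
    c1 = Client(1, vos, clock, rng)
    c2 = Client(2, vos, clock, rng)
    c1.write("alpha")
    first = c2.read()          # random quorums still intersect: "alpha"
    vos[0].failed = vos[3].failed = True   # two VOs stop
    c2.write("beta")
    second = c1.read()         # "beta"
    return first, second
```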

27
Implementing Virtual Objects
  • Physical layer assumptions:
    • Each physical mobile node (PN) has real-time
      clock, location service (GPS, Cricket)
    • Local Broadcast (LBcast) communication service,
      within VO region.
      • Guaranteed, totally ordered delivery
    • GeoCast communication service
      • Delivers message to every PN within a fixed
        radius of the target location.
  • Implementation strategy:
    • Implement each VO separately.
      • PNs in a VO's region implement the VO,
        • Using Replicated State Machine strategy,
        • Using totally-ordered LBcast.
    • Use GeoCast for communication between clients and
      VOs.

28
Discussion
  • VO layer definition emerged during this work.
    Allowed us to untangle high-level, low-level
    algorithms.
  • Theoretical approach:
    • All components defined as TIOAs.
    • Correctness proofs, analysis.
  • Strong communication assumptions:
    • Totally-ordered reliable LBcast
      • Better to weaken this, e.g., allowing message
        loss, collisions.
    • Global GeoCast
      • Better to eliminate entirely.

29
Discussion
  • Recovery of failed Virtual Objects
    • When region empties out, then someone arrives.
    • Low-level algorithm allows VOs to recover, in
      initial state.
    • Remains to extend our high-level atomic memory
      algorithm to accommodate VO recoveries [Tulone].

30
1.2. Virtual Mobile I/O Automata
  • Dolev, Gilbert, Lynch, Schiller, Shvartsman,
    Welch [DISC 04, DGLSSW 04]
  • Virtual Objects are passive data repositories;
    now consider active Virtual Nodes (general I/O
    Automata).
  • Mobility: VNs can move, along pre-determined
    path.
  • Local communication: LBcast only, no GeoCast.
  • Virtual Mobile Node layer:
    • Client nodes (Timed I/O Automata)
    • Virtual Mobile Nodes (arbitrary, ordinary I/O
      Automata).
    • Interact using Local Broadcast (only).
  • Failure model for VMNs:
    • VMN automaton may crash, revert to initial state.
    • Resumes activity in its pre-determined location.

31
Virtual Mobile Nodes
32
Virtual Mobile Nodes
33
Implementing the VMN Layer
  • Physical layer assumptions:
    • Each physical mobile node has real-time clock,
      location info.
    • Local Bcast communication service (only)
      • Guaranteed, totally ordered delivery within
        region.
  • Implementation strategy:
    • Replicated state machine algorithm
      • All PNs in vicinity of VMN perform all steps.
      • Using reliable totally-ordered LBcast
    • Very similar to implementation of Virtual
      Objects.
  • It's all relative
34
Applications
  • Message routing
    • VMN picks up and delivers messages.
    • Compulsory protocols [Chatzigiannakis, et al. 01]
  • Sensor data collection
    • VMN can pick up data, aggregating along the way.
    • Answer queries.

35
Application: High Tech Highway
  • Physical platform:
    • Cars with computers having GPS devices.
    • Hard to wire entire highway, but easy to install
      software on car computers.
  • Virtual Node layer:
    • Virtual Stationary Nodes (Virtual Mobile Nodes
      that don't move) at key points along the highway.
    • Virtual Mobile Nodes racing back and forth in
      between.
  • Possible uses:
    • Traffic coordination
    • Obstacle avoidance

36
High Tech Highway

Observe what happens at this intersection. Learn
who is here, who is approaching. Use the
information to implement a virtual traffic light.
Offload statistics to Highway Patrol vehicles as
they pass.
37
High Tech Highway

Traffic jam ahead. Slow down. Consider another
route.
An ambulance is coming. Get out of the left lane.
38
Discussion
  • VMN work introduced:
    • Active Virtual Nodes (I/O automata).
    • Local communication only (LBcast)
    • VNs can move, along pre-determined path.
  • Recovery of failed Virtual Mobile Node
    • When its path passes through empty area, then
      enters populated area.
    • VMN recovers, in initial state, at predicted
      location.
    • Applications accommodate VMN recoveries.
      • E.g., VMN in High-Tech Highway begins sending
        new data when it recovers.
  • Remaining work:
    • Weaken LBcast assumptions
      • Consider message loss, collisions.
    • VMNs with autonomous motion.

39
1.3. Virtual Stationary TIOAs
  • [Nolte, Gilbert, Lahiani, Dolev, Lynch 05]
  • [Nolte, Lahiani, Dolev, Lynch 05]
  • Most useful special case of Virtual Mobile Nodes:
    Virtual Stationary Nodes.
  • Timing:
    • VMNs are ordinary IOAs, hence have no control
      over timing.
    • New VSNs are general TIOAs, can control timing in
      arbitrary ways.
  • New Virtual Stationary Node layer:
    • Client nodes (TIOAs)
    • Virtual Stationary Nodes (TIOAs).
    • Interact using Local Bcast (only).
  • VSN failures: May crash, revert to initial
    state, recover.

40
Virtual Stationary Node layer
41
Application: GeoCast
Route message to a designated geographical region.
42
Data Management
Gather, analyze, aggregate, and distribute data.
43
Region coordination
Coordinate behavior of nodes in region.
44
Token circulation
Circulate token region by region.
45
Location Service
  • Support queries about current locations of PNs.
  • Implement Location Service over VSN layer:
    • Each PN has a Home Location
      • VSN that keeps track of PN's current location
        (VSN region).
      • Determined by hash function from PN id.
    • PN keeps Home Location up-to-date by sending
      periodic messages.
      • Use GeoCast (implemented over VSN layer).
    • Queries, responses also use GeoCast.
    • For reliability, use several, redundant Home
      Locations.
  • Easier than solutions using distributed hashing
    directly over physical layer.
  • Use this Location Service to implement (easily)
    point-to-point message routing between PNs.

46
Coordination Oracles
  • Oracle associated with a given VSN location
    • Gathers and analyzes information about that
      location.
    • Sends summarized information to other Oracles.
    • Builds a suitable model of the environment.
  • PNs query nearby Oracles and use response to help
    plan their actions.
  • Use for advanced global coordination.

47
Coordination Oracles

My model predicts fierce fighting here. Stay
here, take cover!
Location A
48
Coordination Oracles

Location B
My model predicts quiet here. Location A needs
reinforcements. I will suggest a safe route
there.
Location A
49
Implementing the VSN Layer
  • Physical layer assumptions:
    • Each PN has real-time clock, location info.
    • Local Broadcast (LBcast) communication (only)
  • Use leader-based algorithm
    • Less communication than fully replicated state
      machine algorithm.
    • Only the leader sends out scheduled events.
  • Choosing the leader
    • Uses leader-election sub-algorithm.
    • If leader fails, leader election sub-algorithm
      chooses a new leader.
    • Can rotate leader systematically, to save power.
  • Algorithm enforces VSN's timing constraints
    (TIOAs).
  • Self-stabilizing

50
Discussion
  • VSN work introduced:
    • Important special case of Virtual Mobile Nodes:
      No motion.
    • VSNs are general TIOAs.
    • New leader-based algorithm, reducing
      communication, self-stabilizing.
  • VSN recovery
    • VSNs can fail, recover in initial state.
    • High-level algorithms accommodate VSN recoveries
  • Remaining work:
    • Weaken LBcast assumptions
      • Consider message loss, collisions.
      • Requires new VSN implementations
    • Reduce communication further.
    • Guidelines for choosing leaders
      • Location, speed, direction, power

51
1.4. Virtual IOAs with time bounds
  • [Lynch, Mitra, Nolte 05]
  • Current experimental project: Brown, Spindel
  • Virtual Stationary Nodes with less precise timing
    guarantees.
    • I/O automata with tasks, time bound for each task
      [Merritt, Modugno, Tuttle 91]
    • Allows simpler implementations.
    • Many applications don't require precise control.
  • New VSN layer:
    • Client nodes (TIOAs)
    • VSNs (IOAs with time bounds).
    • LBcast
    • VSNs crash, recover in initial state.
  • Application: Motion Coordination

52
Motion Coordination Problem
  • Given curve G, and a finite, unknown set of
    physical mobile nodes (PNs), move the PNs so that
    they are (approximately) evenly spaced on G.

53
Virtual Node Approach
  • Divide region into zones, one Virtual Stationary
    Node (VSN) per zone.
  • VSN_h coordinates client nodes in zone h.
    • Directs motion of CNs in zone h
      • Towards G.
      • On G, to even out spacing.
    • Communicates with neighboring VSNs, sends
      extra clients to neighboring zones.

54
Goal
  • If failures and recoveries stop, then:
    • Within bounded time:
      • The set of CNs in each zone h becomes fixed, and
        the number is (approximately) proportional to
        the length of G_h (the portion of G within
        zone h).
      • If G_h is nonempty, then the CNs in zone h reach
        and remain on G_h.
    • In the limit:
      • If G_h is nonempty, then the CNs in zone h are
        (approximately) evenly spaced on G_h.

55
Physical Layer
  • Bounded rectangle B
  • Components:
    • PN_i, physical nodes
    • LBcast
    • RealWorld
  • All components are Hybrid IOAs.

[Figure: physical nodes PN_1, PN_2, ..., PN_i inside rectangle B, each exchanging send(m)_i / receive(m)_i with LBcast and reading realtime and position x from RealWorld (RW); labels x2 and v2 mark the position and velocity of PN_2]
56
Virtual Layer
  • B partitioned into square zones.
    • Neighbors: NSEW zones
  • Components:
    • CN_i, client nodes, correspond one-for-one with
      PNs
    • VN_h, virtual nodes
    • LBcast
    • RealWorld

[Figure: client nodes CN_1, CN_2, ..., CN_i and virtual nodes VN_1,1 ... VN_2,3 (one per square zone) communicating through LBcast via send(m)_i / receive(m)_i and send(m)_1,3 / receive(m)_1,3; RealWorld (RW) supplies realtime and positions x, x2, v2]
57
Virtual Node VN_h
  • Located at center of square h.
  • Discrete, no clock
  • I/O automaton tasks: upper bound for each
    task.
    • Task: partition of locally-controlled actions
    • If a task T is enabled, then within specified
      time, either T becomes disabled or an action in T
      is performed.

[Figure: same virtual-layer diagram as the previous slide]
58
Implementing Virtual Layer
  • Replicated state machine algorithm
    • Each PN in zone h keeps a copy of the state of
      VN_h.
    • PNs perform same actions, in same order, on their
      copies
  • Achieves specified VN task bounds (assuming
    they're large enough).
  • Failed VN_h restarts within bounded time if a CN
    enters and remains in zone h.

59
Motion Coordination Using VNs
  • Round-based.
  • In each round:
    • Each CN sends a message to its local VN, letting
      it know the CN is in its zone.
    • VNs exchange messages with neighboring VNs,
      letting them know how many CNs they have.
    • Each VN calculates:
      • Which local CNs should be assigned to
        neighboring zones.
      • What its local CNs' new target points should be.
    • Each VN broadcasts the new target points.
    • Each CN moves towards its new target point.

60
Implementing the rounds
  • Difficulty: VNs do not have access to clocks!
  • Solution: Use the CNs' knowledge of time.
  • Recall:
    • CNs receive accurate knowledge of time (from RW).
    • Known upper bound on time for VN tasks.
    • Known upper bound for message delivery.
  • So, CNs send trigger messages to VNs, telling
    them it's time to perform a step within a round.
    • CNs determine that enough time has passed that
      the VNs must have already received all relevant
      messages.
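
The round structure of the two slides above, simulated as an added example (not the talk's model or code); it flattens the problem to zones on a line, assumes VNs know G and that a CN reaches its target within one round, and its hand-off rule is a constructed one:

```python
"""Added example, not from the talk: a 1-D toy of the round-based motion
coordination of slides 59-60. The zones, the curve G, the hand-off rule,
the rule for zones off the curve, and the assumption that a CN reaches its
target within one round are all constructed here; the talk's algorithm
works over square zones in the plane."""

ZONES = 4                        # unit zones [0,1), [1,2), [2,3), [3,4)
G_LEN = [0.0, 1.0, 1.0, 0.0]     # G = segment [1.0, 3.0]; length of G_h per zone
# Constructed CNs: three in zone 0, one in zone 1, two in zone 3.
INITIAL_POSITIONS = {1: 0.2, 2: 0.4, 3: 0.6, 4: 3.1, 5: 3.5, 6: 1.5}

def zone_of(x):
    return min(int(x), ZONES - 1)

def toward_curve(h):
    """For a zone with no curve in it: the neighbor on the side of the
    nearest zone that does intersect G (VNs are assumed to know G)."""
    on_curve = [k for k in range(ZONES) if G_LEN[k] > 0]
    if not on_curve:
        return None
    k = min(on_curve, key=lambda k: abs(k - h))
    return h + 1 if k > h else h - 1

def vn_step(h, local_cns, counts):
    """VN_h's computation for one round: which local CNs go to neighboring
    zones, and the target point of each CN that stays. Returns
    {cn_id: target_x}. `counts` are this round's per-zone CN counts."""
    targets = {}
    cns = sorted(local_cns)
    if G_LEN[h] == 0:
        j = toward_curve(h)
        if j is not None:
            for cn in cns:
                targets[cn] = j + 0.5          # centre of the neighbor zone
        return targets
    # Hand one CN to each neighbor on the curve whose density stays below
    # ours even after it receives that CN (so two zones cannot ping-pong).
    for j in (h - 1, h + 1):
        if 0 <= j < ZONES and G_LEN[j] > 0 and cns:
            if len(cns) / G_LEN[h] > (counts[j] + 1) / G_LEN[j]:
                targets[cns.pop()] = j + 0.5
    # CNs that stay are spread evenly along G_h (here the whole zone).
    for i, cn in enumerate(cns):
        targets[cn] = h + (i + 0.5) / len(cns)
    return targets

def run_rounds(positions, rounds):
    """Runs `rounds` rounds and returns the final CN positions."""
    pos = dict(positions)
    for _ in range(rounds):
        # Step 1: each CN tells the VN of its zone that it is there; the
        # round boundary itself is driven by the CNs' clocks (slide 60).
        members = {h: [] for h in range(ZONES)}
        for cn, x in pos.items():
            members[zone_of(x)].append(cn)
        # Step 2: VNs exchange their counts with neighbors.
        counts = [len(members[h]) for h in range(ZONES)]
        # Steps 3-4: each VN computes and broadcasts targets; CNs move.
        for h in range(ZONES):
            pos.update(vn_step(h, members[h], counts))
    return pos

def zone_counts(positions):
    counts = [0] * ZONES
    for x in positions.values():
        counts[zone_of(x)] += 1
    return counts
```

On this instance the counts go [3, 1, 0, 2] to [0, 4, 2, 0] to [0, 3, 3, 0], proportional to the lengths of G_h, and then the positions settle at the evenly spaced targets and stop changing.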

61
Discussion
  • This work introduced:
    • VSNs as simple IOAs with task bounds
    • VSNs used to control motion of the physical
      nodes.
    • Modeled everything using Hybrid I/O Automata
      (HIOAs).
  • Remaining work:
    • Extend algorithm to handle changing curve (local
      input)
    • Apply the framework to other problems: Robotics,
      unmanned vehicle control, ...

62
Experimental project
  • Undergrad programmers: Mike Spindel, Matthew
    Brown
  • PhD students: Gilbert, Newport, Nolte
  • Building small network of virtual nodes on a
    bunch of HP iPAQs, equipped with 802.11 and GPS
    sensors.
  • Demo applications:
    • Virtual traffic light
    • Tracking cooperative mobile devices (using home
      location service)
  • Sponsor: Quanta, Inc.

63
Conclusions (Virtual Nodes)
  • Virtual node layers are an elegant, easy-to-use
    way to program mobile ad hoc networks.
  • Virtual Stationary Nodes are simplest, and
    provide most of the benefits.
  • More work is needed on finding practical, simple,
    efficient, fault-tolerant implementations of VN
    layers.
  • Lots of opportunities to design new applications.
    • E.g., control for free flight.
  • Initial experimental work going on this summer.

64
2. Security Protocol Analysis
  • Collaborators: Ran Canetti, Dilsun Kaynar, Olivier
    Pereira, Roberto Segala, Ling Cheung, Moses Liskov,
    Frits Vaandrager

65
General goals
  • Model security protocols precisely, prove their
    correctness rigorously, completely.
  • Take proper account of computational limitations.
  • Tractable, usable methods.
  • Relationship to Mitchell's project:
    • Same goals
    • Somewhat different approach:
      • Probabilistic I/O Automata, with polytime
        restrictions, instead of probabilistic polytime
        process algebras.
      • Invariants, simulation relations instead of
        process equivalence.
      • Handling of crypto primitives?
    • Remains to reconcile the two approaches.

66
Specific goal
  • Prove correctness of a simple 2-party Oblivious
    Transfer protocol
  • Requirements:
    • Transmitter gets two inputs, x0, x1, from
      environment.
    • Receiver gets a bit, to select one of the inputs.
    • Receiver is supposed to output the selected x
      input.
    • Adversary (who hears all communication) should
      not learn anything interesting.
  • Protocol: A three-message exchange
    • Transmitter chooses and sends a trapdoor
      permutation f to Receiver.
    • Receiver chooses two random numbers, applies f to
      just one of them (the one corresponding to its
      input bit), sends results to Transmitter.
    • Transmitter inverts the permutation for both,
      applies xor with random bits, sends to Receiver.
    • Receiver decodes the right value.
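
A toy run of the three-message exchange above, added as an example (not the talk's PIOA model or code); textbook RSA stands in for the trapdoor permutation f, and the low bit of each inverted value is the random bit XORed into the corresponding input, both assumptions made here:

```python
"""Added example, not from the talk: toy run of the slide-66 three-message
Oblivious Transfer protocol. Textbook RSA (N = 61 * 53) stands in for the
trapdoor permutation f, and the least significant bit of each inverted
value is the bit XORed into the corresponding input; both are choices made
here for illustration, as are all names."""
import random

P, Q, E = 61, 53, 17
N = P * Q                          # 3233
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753, the trapdoor (Python 3.8+)


def f(y, pub):
    """Trapdoor permutation: anyone holding pub can evaluate it."""
    e, n = pub
    return pow(y, e, n)


def f_inverse(z, trapdoor):
    """Only the Transmitter, holding the trapdoor, can invert f."""
    d, n = trapdoor
    return pow(z, d, n)


def oblivious_transfer(x0, x1, b, rng):
    """Transmitter holds bits x0, x1; Receiver holds selection bit b.
    Returns (Receiver's output, the three messages seen on the wire)."""
    # Message 1 (Transmitter -> Receiver): the permutation f.
    pub, trapdoor = (E, N), (D, N)
    # Receiver picks two random numbers and applies f to just the one
    # corresponding to its bit; the other is sent as a bare random value.
    y = [rng.randrange(1, N), rng.randrange(1, N)]
    z = [None, None]
    z[b] = f(y[b], pub)
    z[1 - b] = y[1 - b]
    # Message 2 (Receiver -> Transmitter): (z0, z1).
    # Transmitter inverts both and XORs each input with a bit of the preimage.
    w = [f_inverse(z[0], trapdoor), f_inverse(z[1], trapdoor)]
    c = [x0 ^ (w[0] & 1), x1 ^ (w[1] & 1)]
    # Message 3 (Transmitter -> Receiver): (c0, c1).
    # Receiver knows y[b] = f^-1(z[b]), so it decodes x_b only; for the
    # other index it would need f^-1 of a value it cannot invert.
    output = c[b] ^ (y[b] & 1)
    return output, (pub, tuple(z), tuple(c))


def all_cases_correct(seed=1):
    """Functionality check: Receiver always outputs the selected input."""
    rng = random.Random(seed)
    return all(oblivious_transfer(x0, x1, b, rng)[0] == (x0, x1)[b]
               for x0 in (0, 1) for x1 in (0, 1) for b in (0, 1))
```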

67
Several versions of the problem
  • Depending on whether Transmitter and/or Receiver
    is corrupted.
  • Adversary also sees inputs, outputs, random
    choices of corrupted parties.

68
What does all this mean?
  • Describe the protocol components as Probabilistic
    I/O Automata.
  • Describe the correctness conditions as other
    PIOAs, e.g., when no one is corrupted
  • E.g., when just the Receiver is corrupted

[Figure: ideal functionality Funct with inputs in(x0,x1) and in(b) and output out(x), shown for both corruption cases]
69
Correctness specification
  • An implementation relationship between the
    algorithm PIOA system and the spec PIOA system.
  • Using new relation ≤neg,ppt:
    • For every poly-time Environment PIOA E, every
      probabilistic execution of the algorithm with E
      yields approximately the same visible behavior as
      some execution of the specification with E.
    • Approximation: Negligible difference in the
      probability that E outputs "accept".

70
How to prove correctness?
  • Break the proof into several stages, using system
    descriptions at several levels of abstraction.
  • Prove some stages using standard PIOA
    simulation relations.
    • These prove not just ≤neg,ppt, but the stronger
      ≤0,any.
    • Actually, need to generalize the standard PIOA
      simulations.
  • Other stages exactly describe the correctness of
    the use of a crypto primitive (e.g., trap-door
    permutation).
    • Proofs adapted from techniques from computational
      cryptography:
      • Distinguisher arguments.
    • But re-cast in terms of mappings between automata
      instead of proofs by contradiction.

71
New ideas
  • Modeling everything using PIOAs:
    • Algorithms
    • Correctness specs, including functionality and
      secrecy.
  • Proofs using simulation relations, in multiple
    layers:
    • Some layers use PIOA simulation relations.
    • Others use crypto Distinguisher arguments.
    • Carefully isolates the different kinds of
      reasoning.
  • New PIOA theory:
    • New kinds of simulation relations
      • Capture correspondence between random choices at
        different levels.
    • New ways of expressing computational crypto
      reasoning
      • Define crypto primitives in terms of
        implementation relationship ≤neg,ppt.
      • Compose to get relation ≤neg,ppt for systems
        that use the primitives.

72
Thank you!