A Graphical Environment for the Facilitation of Logic-Based Security Protocol Analysis

1
A Graphical Environment for the Facilitation of
Logic-Based Security Protocol Analysis
Elton Saul and Andrew Hutchison
DNA Research Group, University of Cape Town, South Africa
2
OVERVIEW
  • Introduction.
  • Basics of GNY analysis.
  • The VGNY environment.
  • VGNY examples.
  • Where VGNY fits in with our plans.
  • Conclusion.

3
INTRODUCTION
  • Design and engineering of security protocols is a
    challenging task.
  • Protocols often contain subtle flaws and
    vulnerabilities which attackers exploit.
  • Need to encourage protocol engineering with
    proven techniques.
  • To facilitate timely, rapid and accurate protocol
    modelling, usable and expressive graphical
    interfaces are required.

4
GUIDING PRINCIPLE
Distil the critical issues and present designers
with an appropriate level of detail, guiding them
in the specification and analysis process as much
as possible.
5
LOGIC-BASED ANALYSIS
  • Security protocol analysis methods have typically
    focused on information leakage.
  • Security logics aim to determine whether a
    protocol achieves its intended goals.
  • BAN logic first popularized this type of security
    protocol analysis.
  • GNY is a popular successor of BAN.

6
GNY PRIMER
  • Beliefs and possessions of a principal are
    described using logic statements.
  • A statement contains syntactical characters and
    formulae.
  • A formula is a name referring to a bit string
    which would have a particular value in a session.
  • Principal names describe who believes or
    possesses something.

7
GNY PRIMER
A GNY Statement
A believes that B has jurisdiction over the
suitability of the key Kac shared between A and C.
8
GNY PRIMER
A GNY Statement
A believes that B has jurisdiction over the
suitability of the key Kac shared between A and C.
Syntactical Characters
9
GNY PRIMER
A GNY Statement
A believes that B has jurisdiction over the
suitability of the key Kac shared between A and C.
Syntactical Characters
Formulae
10
GNY PRIMER
Another GNY Statement
A believes that principal B possesses formula Tb.
11
GNY PRIMER
Another GNY Statement
A believes that principal B possesses formula Tb.
Syntactical Characters
12
GNY PRIMER
Another GNY Statement
A believes that principal B possesses formula Tb.
Syntactical Characters
Formulae
13
GNY PRIMER
  • An extension to a formula is a formal
    specification which dictates that a principal
    should only proceed to send the formula if
    certain conditions hold.
  • This helps to eliminate ambiguity as these
    conditions are often only expressed verbally.
  • Having accepted a formula as genuinely coming
    from someone, the recipient can choose to believe
    that the extension holds if he trusts the
    sender's competence.

14
GNY PRIMER
A Formula with an Extension
The extension states that X is recognizable.
15
LOGIC-BASED ANALYSIS
16
LOGIC-BASED ANALYSIS
Can now determine whether the protocol achieves
its goals by examining these final sets.
17
ADVANTAGES OF LOGICS
  • Forces designers to explicitly state the security
    assumptions they have made and will require after
    execution.
  • Helps to minimize redundancy by making designers
    think about the use of each component.
  • Keeps track of the evolution of beliefs in a
    session and thus helps to determine the minimum
    number of messages required.

18
PROBLEMS WITH LOGICS
  • Analysis using a logic tends to be obscure and
    inaccessible for the uninitiated.
  • Often requires experience, insight and knowledge
    of cryptic syntax and notation.
  • Thus, the opportunity exists to support analysis
    efforts by guiding the process.

19
THE VGNY ENVIRONMENT
  • Protocol analysis environment known as the Visual
    GNY (VGNY) Environment.
  • Used to visualize and manage GNY logic
    statements.
  • Employs a tree-based view with multiple tabbed
    panels.
  • Contextual pop-up menus are used to add
    components, principals and belief categories.
  • Statements can be constructed using only a mouse.

20
THE VGNY ENVIRONMENT
21
THE VGNY ENVIRONMENT
Belief Categories
22
THE VGNY ENVIRONMENT
Belief Categories
Components
23
THE VGNY TREE-VIEW
  • Nodes within the tree can be deleted or expanded.
  • If a node contains children, then a clickable
    token is displayed to its right.
  • Deleting a node deletes its children.
  • Tooltips automatically reveal the statement
    represented by the current node.

24
ADVANTAGES OF VGNY
  • Imposes a hierarchical structure on GNY
    statements.
  • Makes the representation of GNY statements as
    concise as possible.
  • Allows a user to vary the level of detail.
  • Ensures users do not have to remember cryptic
    syntax or notation.
  • Provides scope for guiding a user.

25
VGNY EXAMPLES
A believes that formula Na is recognizable.
26
VGNY EXAMPLES
vs
A believes that principal B possesses formula Tb.
27
VGNY EXAMPLES
vs
A believes that B has jurisdiction over the
suitability of the key Kac shared between A and C.
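
The hierarchical representation and tree-view behaviour described on the slides, as an added sketch that is not VGNY's own code: each node is an operator, a principal or a formula, and the tooltip text is rebuilt from the node's subtree. The operator names, the `Node` class and the `<missing>` placeholder are assumptions; the English wording is taken from the slides.

```python
from dataclasses import dataclass, field

# Operator -> (number of children, English template). The wording follows the
# slides; the operator names are hypothetical, not VGNY identifiers.
OPERATORS = {
    "believes":     (2, "{0} believes that {1}"),
    "possesses":    (2, "principal {0} possesses formula {1}"),
    "jurisdiction": (2, "{0} has jurisdiction over {1}"),
    "shared_key":   (3, "the suitability of the key {0} shared between {1} and {2}"),
    "recognizable": (1, "formula {0} is recognizable"),
}

@dataclass
class Node:
    label: str                        # operator, principal name or formula name
    children: list = field(default_factory=list)

    def has_token(self):
        """A clickable expand token is shown only when the node has children."""
        return bool(self.children)

    def tooltip(self):
        """Statement represented by this node, as a tooltip would reveal it."""
        if self.label not in OPERATORS:
            return self.label         # leaf: a principal or a formula
        arity, template = OPERATORS[self.label]
        parts = [child.tooltip() for child in self.children]
        parts += ["<missing>"] * (arity - len(parts))   # statement is incomplete
        return template.format(*parts)

    def delete(self, child):
        """Deleting a node removes it together with its whole subtree."""
        self.children = [c for c in self.children if c is not child]

def op(label, *children):
    """Build a node; plain strings become leaf nodes."""
    return Node(label, [c if isinstance(c, Node) else Node(c) for c in children])

def sentence(node):
    return node.tooltip() + "."

# Constructed trees for the three statements shown on the slides.
RECOGNIZABLE = op("believes", "A", op("recognizable", "Na"))
POSSESSES = op("believes", "A", op("possesses", "B", "Tb"))
JURISDICTION = op("believes", "A",
                  op("jurisdiction", "B", op("shared_key", "Kac", "A", "C")))
```

Calling `tooltip()` on an inner node gives the sub-statement at that level of detail, and a node whose operand has been deleted renders with `<missing>` so the incomplete statement is visible rather than silently accepted.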
28
VGNY AND SPEAR II
29
CONCLUSION
  • Security protocol analysis is important.
  • People don't want to remember complex syntax.
  • Tools must focus on semantic issues and pitching
    design information at the appropriate level.
  • The VGNY environment uses a tree-based system and
    contextualized pop-up menus to allow a designer
    to specify GNY statements.
  • Analysis information is structured and presented
    hierarchically.

30
?
QUESTIONS