init - first working version

2025-10-27 01:14:12 -04:00
parent 6cc22d4f17
commit 9b0f340c0b
24 changed files with 1277 additions and 12 deletions
--- a/tests/drop/t1-drop.pml
+++ b/tests/drop/t1-drop.pml
@@ -0,0 +1,20 @@
+// INTENDED BEHAVIOR: acceptance cycle
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/drop/t2-drop.pml
+++ b/tests/drop/t2-drop.pml
@@ -0,0 +1,22 @@
+// INTENDED BEHAVIOR: no violation
+// explanation: attacker can only drop one message, but two are on the channel
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/drop/t3-drop.pml
+++ b/tests/drop/t3-drop.pml
@@ -0,0 +1,22 @@
+// INTENDED BEHAVIOR: violation
+// explanation: attacker should be able to drop both messages
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/drop/t4-drop.pml
+++ b/tests/drop/t4-drop.pml
@@ -0,0 +1,24 @@
+// INTENDED BEHAVIOR: violation
+// explanation: drop attacker should be able to find the attack in the middle of the chan
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!3;
+c!5;
+c!6;
+
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/drop/t5-drop-multi.pml
+++ b/tests/drop/t5-drop-multi.pml
@@ -0,0 +1,24 @@
+// INTENDED BEHAVIOR: acceptance cycle
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+c!5;
+c!5;
+c!5;
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/drop/t6-drop-overwhelm.pml
+++ b/tests/drop/t6-drop-overwhelm.pml
@@ -0,0 +1,24 @@
+// INTENDED BEHAVIOR: acceptance cycle
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+c!5;
+c!5;
+c!5;
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/reorder/t1-reorder.pml
+++ b/tests/reorder/t1-reorder.pml
@@ -0,0 +1,30 @@
+// intended behavior: no violation
+// explanation: the rearrange attacker gadget shouldn't be able to violate the claim, as 
+// it doesn't have enough mem
+chan c = [8] of { byte };
+byte q=0;
+
+init {
+c!3;
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> 
+    q = q+1; 
+    goto B1;
+  od
+B1:
+  do 
+  :: c ? 3 ->
+    q = q + 1;
+    goto END;
+  od
+END:
+}
+
+ltl proc {
+  always !(q==2);
+}
--- a/tests/reorder/t2-reorder.pml
+++ b/tests/reorder/t2-reorder.pml
@@ -0,0 +1,36 @@
+// intended behavior: violation
+// explanation: rearrange attacker has enough mem to do the rearrange attack
+chan c = [8] of { byte };
+byte q=0;
+
+init {
+c!3;
+c!5;
+c!7;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 7 -> 
+    q = q+1; 
+    goto B1;
+  od
+B1:
+  do 
+  :: c ? 5 ->
+    q = q + 1;
+    goto B2;
+  od
+B2:
+  do 
+  :: c ? 3 ->
+    q = q + 1;
+    goto END;
+  od
+END:
+}
+
+ltl proc {
+  always !(q==3);
+}
--- a/tests/reorder/t3-reorder.pml
+++ b/tests/reorder/t3-reorder.pml
@@ -0,0 +1,36 @@
+// intended behavior: no violation
+// explanation: rearrange attacker does not have enough mem
+chan c = [8] of { byte };
+byte q=0;
+
+init {
+c!3;
+c!5;
+c!7;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 7 -> 
+    q = q+1; 
+    goto B1;
+  od
+B1:
+  do 
+  :: c ? 5 ->
+    q = q + 1;
+    goto B2;
+  od
+B2:
+  do 
+  :: c ? 3 ->
+    q = q + 1;
+    goto END;
+  od
+END:
+}
+
+ltl proc {
+  always !(q==3);
+}
--- a/tests/reorder/t4-reorder.pml
+++ b/tests/reorder/t4-reorder.pml
@@ -0,0 +1,34 @@
+// intended behavior: violation
+// explanation: rearrange attacker does not have enough mem
+chan c = [1] of { byte };
+byte q=0;
+
+init {
+c!3;
+c!5;
+c!7;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 3 -> 
+    goto B1;
+  od
+B1:
+  do 
+  :: c ? 7 ->
+    goto B2;
+  od
+B2:
+  do 
+  :: c ? 5 ->
+    goto END;
+  od
+END:
+q = 1;
+}
+
+ltl proc {
+  always !(q == 1);
+}
--- a/tests/replay/3-jump.pml
+++ b/tests/replay/3-jump.pml
@@ -0,0 +1,29 @@
+// INTENDED BEHAVIOR: no violation
+// explanation: can only replay once
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC1;
+  od
+PROC1:
+  do 
+  :: c ? 5 -> goto PROC2;
+  od
+PROC2:
+  do 
+  :: c ? 5 -> goto PROC3;
+  od
+PROC3:
+  q=0;
+}
+
+ltl proc {
+  always !(q == 0);
+}
--- a/tests/replay/replay-out-of-order.pml
+++ b/tests/replay/replay-out-of-order.pml
@@ -0,0 +1,34 @@
+// INTENDED BEHAVIOR: violation
+// explanation: replay, but in a different order than received
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+c!3;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC1;
+  od
+PROC1:
+  do 
+  :: c ? 3 -> goto PROC2;
+  od
+PROC2:
+  do 
+  :: c ? 3 -> goto PROC3;
+  od
+PROC3:
+  do 
+  :: c ? 5 -> goto PROC4;
+  od
+PROC4:
+  q=0;
+}
+
+ltl proc {
+  always !(q == 0);
+}
--- a/tests/replay/t1-replay.pml
+++ b/tests/replay/t1-replay.pml
@@ -0,0 +1,24 @@
+// INTENDED BEHAVIOR: violation
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC1;
+  od
+PROC1:
+  do 
+  :: c ? 5 -> goto PROC2;
+  od
+PROC2:
+  q=0;
+}
+
+ltl proc {
+  always !(q == 0);
+}
--- a/tests/replay/t2-replay.pml
+++ b/tests/replay/t2-replay.pml
@@ -0,0 +1,19 @@
+chan c = [8] of { byte };
+byte q=1;
+
+init {
+c!5;
+}
+
+active proctype consume() {
+MAIN:
+  do 
+  :: c ? 5 -> goto PROC;
+  od
+PROC:
+  q=0;
+}
+
+ltl proc {
+  eventually (q == 0);
+}
--- a/tests/tests.yaml
+++ b/tests/tests.yaml
@@ -0,0 +1,76 @@
+t1-reorder:
+  - command: python src/main.py --model=tests/reorder/t1-reorder.pml --attacker=reorder --chan=c --output=temp.pml --eval --cleanup --mem=1
+  - intended: no violation
+  - explanation: the reorder attacker gadget shouldn't be able to violate the claim, as it doesn't have enough mem
+
+t1-reorder-more-mem:
+  - command: python src/main.py --model=tests/reorder/t1-reorder.pml --attacker=reorder --chan=c --output=temp.pml --eval --cleanup --mem=2
+  - intended: property violation
+  - explanation: the reorder attacker now has enough mem
+
+t2-reorder:
+  - command: python src/main.py --model=tests/reorder/t2-reorder.pml --attacker=reorder --chan=c --output=temp.pml --eval --cleanup --mem=3
+  - intended: property violation
+  - explanation: rearrange attacker has enough mem to do the reorder attack
+
+t3-reorder:
+  - command: python src/main.py --model=tests/reorder/t3-reorder.pml --attacker=reorder --chan=c --output=temp.pml --eval --cleanup --mem=2
+  - intended: no violation
+  - explanation: rearrange attacker does not have enough mem
+
+t4-reorder:
+  - command: python src/main.py --model=tests/reorder/t4-reorder.pml --attacker=reorder --chan=c --output=temp.pml --eval --cleanup --mem=2
+  - intended: no violation
+  - explanation: rearrange attacker does not have enough mem
+
+t1-drop:
+  - command: python3 src/main.py --model=tests/drop/t1-drop.pml --attacker=drop --chan=c --output=temp.pml --mem=1 --eval --cleanup
+  - intended: acceptance cycle
+  - explanation: drop attacker is able to remove the single message on the channel, preventing the eventually LTL property from ever satisfying
+
+t2-drop:
+  - command: python3 src/main.py --model=tests/drop/t2-drop.pml --attacker=drop --chan=c --output=temp.pml --mem=1 --eval --cleanup
+  - intended: no violation
+  - explanation: drop attacker is not able to remove both the messages on the channel, so the LTL property remains satisfying
+
+t3-drop:
+  - command: python3 src/main.py --model=tests/drop/t3-drop.pml --attacker=drop --chan=c --output=temp.pml --mem=2 --eval --cleanup
+  - intended: acceptance cycle
+  - explanation: attacker should drop both messages
+
+t4-drop:
+  - command: python3 src/main.py --model=tests/drop/t4-drop.pml --attacker=drop --chan=c --output=temp.pml --mem=1 --eval --cleanup
+  - intended: acceptance cycle
+  - explanation: drop attacker should be able to find the attack in the middle of the chan
+
+t5-drop-multi:
+  - command: python3 src/main.py --model=tests/drop/t5-drop-multi.pml --attacker=drop --chan=c --output=temp.pml --mem=5 --eval --cleanup
+  - intended: acceptance cycle
+  - explanation: attacker can drop all five messages
+
+t6-drop-overwhelm:
+  - command: python3 src/main.py --model=tests/drop/t6-drop-overwhelm.pml --attacker=drop --chan=c --output=temp.pml --mem=4 --eval --cleanup
+  - intended: no violation
+  - explanation: attacker can't drop all five messages
+  
+t1-replay:
+  - command: python src/main.py --model=tests/replay/t1-replay.pml --attacker=replay --chan=c --output=temp.pml --eval --cleanup --mem=1
+  - intended: property violation
+  - explanation: since the attacker is able to replay "5" on c, they can progress the consume proctype from PROC1, then PROC2
+
+t2-replay:
+  - command: python src/main.py --model=tests/replay/t2-replay.pml --attacker=replay --chan=c --output=temp.pml --eval --cleanup --mem=1
+  - intended: no violation
+  - explanation: the attacker must eventually replay the packet onto the channel
+
+3-jump: 
+  - command: python src/main.py --model=tests/replay/3-jump.pml --attacker=replay --chan=c --output=temp.pml --eval --cleanup --mem=1
+  - intended: no violation
+  - explanation: can only replay the packet once
+
+replay-out-of-order:
+  - command: python src/main.py --model=tests/replay/replay-out-of-order.pml --attacker=replay --chan=c --output=temp.pml --eval --cleanup --mem=2
+  - intended: property violation
+  - explanation: replay, but in a different order than received
+
+