initial commit

sections/abstract.tex

@@ -0,0 +1 @@
+Distributed protocols underpin the modern internet, making their correctness and security critical. Formal methods provide rigorous tools for analyzing protocol correctness and cryptographic security, yet existing tools fall short for denial of service (DoS) analysis. We introduce \korg, a tool that synthesizes attacks on distributed protocols by targeting communication channels to violate linear temporal logic (LTL) specifications. \korg provides sound, complete analysis, synthesizing attacks or proving their absence through exhaustive state-space search. With support for pre-defined and custom attacker models, \korg enables targeted DoS analysis and broader LTL-based verification, demonstrated through various case studies.

sections/attacker_models.tex

@@ -0,0 +1,14 @@
+In this section we discuss the various details for each attacker model built into \korg.
+
+\subsection{Custom Attacker Models}%
+\label{sub:Custom Attacker Models}
+
+\subsection{Replaying Attacker Model}%
+\label{sub:Replay Attacker}
+
+\subsection{Rearranging Attacker Model}%
+\label{sub:Rearrange Attacker}
+
+\subsection{Dropping Attacker Model}%
+\label{sub:Dropping Attacker}
+

sections/case_studies.tex

@@ -0,0 +1,8 @@
+\subsection{SCTP}%
+\label{sub:SCTP}
+
+\subsection{TCP}%
+\label{sub:TCP}
+
+\subsection{DCCP}%
+\label{sub:DCCP}

sections/design.tex

@@ -0,0 +1,69 @@
+In this section we discuss the details behind the design, implementation, and guarantees of \korg. 
+
+\subsection{High-level design}%
+\label{sub:High-level design}
+TODO: diagram. Promela model, channel selection, gadget selection/definition get put into Korg. Korg spits out another promela model, which is put into Spin along with a property. Then, we get some attacks.
+
+\subsection{The Korg Implementation}%
+\label{sub:The Korg Implementation}
+
+We implemented \korg on top of the \spin, a popular and robust model checker for reasoning about distributed and concurrent systems. Intuitively, models written in \promela, the modeling language of \spin, are communicating state machines whose messages are passed over defined \textit{channels}. Channels in \promela can either be unbuffered synchronous channels, or buffered asynchronous channels. \korg generates attacks \textit{with respect} to these defined channels.
+
+\begin{lstlisting}[caption={Example \promela model of peers communicating over a channel}, label={lst:spin-model}]
+// channel of buffer size 0
+chan msg_channel = [0] of { int } 
+
+active proctype Peer1() {
+    msg_channel ! 1
+}
+
+active proctype Peer2() {
+    int received_msg
+    msg_channel ? received_msg
+}
+\end{lstlisting}
+
+Following the gadgetry framework as described in Hippel et al., \korg is designed to parse user-chosen channels and generate gadgets for sending, receiving, and manipulating messages on them. \korg has built-in gadgets that are designed to emulate various real-world attacker models, as further described in Section \ref{sec:usage_attacker_models}. Additionally, users can explicitly define which messages a generated gadget can send and receive. Once one or multiple gadgets are generated, \korg invokes \spin to check if a given property of interest remains satisfied in the presence of the attacker gadgets.
+  
+\subsection{Soundness And Completeness of Korg}%
+\label{sub:Soundness And Completeness}
+
+\newcommand{\comp}{\mid\mid}
+\newcommand{\ioint}{\mathcal{C}}
+\newcommand{\ba}{B\"uchi Automata}
+
+\korg is an implementation of the theoretical attack synthesis framework proposed by Hippel et al. This framework enjoys soundness and completeness guarantees for attacks discovered; that is, if there exists an attack, it is discovered, and if an attack is discovered, it is valid. However, the attack synthesis framework proposed by Hippel et al. reasons about an abstracted, theoretical process construct. Therefore, in order to correctly claim \korg is also sound and complete, it is necessary to demonstrate discovering an attack within the theoretical framework reduces to the semantics of \spin, the model checker \korg is built on top of.
+
+%There exists a semantic gap between the theoretical attack synthesis framework proposed by Hippel et al., and the semantics of \korg. Therefore, in order to correctly claim \korg maintains the soundness and completeness of the theoretical framework it implements, it suffices to demonstrate finding an attack within the theoretical attack synthesis framework precisely reduces to the semantics of \spin.
+%the model checker \korg is implemented on top of.
+
+\begin{theorem}
+  Checking whether there exists an attacker for a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., reduces to B\"uchi Automata language inclusion (which is in turn solved by the \spin model checker).
+\end{theorem}
+
+\begin{proof}
+  Recalling the definitions from Hippel et al., a \textit{process} is Kripke structure whose transitions are equipped additional input and output operations in the same flavor as a standard I/O automata.\footnote{Modeling processes in this way allows for the simultaneous modeling of message passing while also maintaining the ability to leverage Linear Temporal Logic for specification} 
+Hippel et al. also defines asynchronous composition on processes to match input and output transitions with the same label when constructing the product automata.
+
+Threat models, then, contain a \textit{target process} $P$ that is unmodifiable by an attacker, a set of vulnerable processes $Q_1,\ldots,Q_n$ that are unmodifiable by an attacker, and a Linear Temporal Logic specification $\phi$. Let $\comp$ denote asynchronous composition between processes. For simplicity, let $Q = Q_1 \comp Q_2 \comp \ldots \comp Q_n$. 
+Given this, we initially require $P \comp Q \models \phi$ (that is, $P$ composed with $Q$ satisfies the property $\phi$.)
+
+Now, our attacker synthesis problem becomes checking whether we can find some process $A$ such that $P \comp A \not\models \phi$. Hippel et al. showed finding such an $A$ can be done algorithmically, maintaining soundness and completeness guarantees,
+given the input and output transition labels of $A$, denoted $\ioint (A)$, is a subset of $\ioint (Q)$. In particular, Hippel et al. describes gadgets dubbed "daisies" which consist of a main state, a recovery state, circular transitions for each input and output label on the main state, and a non-deterministic transition to the recovery state. To construct $A$, $P \comp Daisy(Q) \models \phi$ is checked. 
+
+In short, \spin implements model checking by reducing Promela models to a \ba (a $\omega$-regular automata), converting a Linear Temporal Logic property into a \ba, intersecting the two to construct a product automata, and determining if there exists a reachable acceptance cycle \cite{Vardi_Wolper_1986}. 
+We know by Vardi, we can always generate a \ba that accepts the traces of any given Kripke structure \cite{Vardi_Wolper_1986, clarke2000model}. Thus, defining the transition relations in our \ba to match the I/O transition labels in their respective processes, we can convert $P$, $Daisy(Q)$, and $\phi$ to \ba and intersect them with \spin. 
+Then, \spin will soundly and completely search the product automata for acceptance cycles, either finding a counterexample to $\phi$ or proving the absence of such a trace.
+\end{proof}
+
+From this result, we naturally get a complexity-theoretic result for finding an attacker from a given threat model.
+
+\begin{theorem}
+Checking whether there exists an attacker for a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., is PSPACE-complete.
+\end{theorem}
+
+\begin{proof}
+  By the previous argument, the R-$\exists$ASP problem reduces to intersecting multiple \ba, which is well-known to be PSPACE-complete \cite{Kozen_1977}.
+\end{proof}
+
+Although this result implies \korg has a rough upper bound complexity, in practice due the various implementation-level optimizations of \spin finding attacks on some $\phi$ is generally fast, but proving their absence via a state-space search can expensive.

sections/introduction.tex

@@ -0,0 +1,3 @@
+Distributed protocols are the foundation for the modern internet, and therefore ensuring their correctness and security is paramount. To this end, formal methods, the use of mathematically rigorous techniques for reasoning about software, has been increasingly employed to analyze and study distributed protocols. Historically, formal methods has been employed for reasoning about concurrency and the correctness of distributed systems, and in recent years formal methods has been employed to reason about the security of cryptographic protocols and primitives. However, no previous formal methods tools offered an effective solution for studying denial of service attacks on protocols.
+
+To fill this gap we introduce \korg, a tool for synthesizing attacks on distributed protocols that implements the theoretical framework proposed in Hippel et al. In particular, \korg targets the communication channels between the protocol endpoints, and synthesizes attacks to violate arbitrary linear temporal logic (LTL) specifications. \korg either synthesizes attack, or proves the absence of such via an exhaustive state-space search. \korg is sound and complete, meaning if there exists an attack \korg will find it, and \korg will never have false positives. \korg supports pre-defined attacker models, including attackers that can replay, rearrange, or drop messages on channels, as well as custom user-defined attacker models. Although \korg best lends itself for reasoning about denial of service attacks, it can target any specification expressable in LTL. We present a variety of case studies illustrating the employability and usefulness of \korg.