moar
This commit is contained in:
JakeGinesin
1046
.latexrun.db
1046
.latexrun.db
File diff suppressed because it is too large
Load Diff
44
main.aux
44
main.aux
@@ -24,28 +24,21 @@
|
||||
\newlabel{sec:usage_attacker_models}{{III}{2}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}Dropping Attacker Model}{2}{}\protected@file@percent }
|
||||
\newlabel{sub:Dropping Attacker}{{\mbox {III-A}}{2}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Replaying Attacker Model}{2}{}\protected@file@percent }
|
||||
\newlabel{sub:Replay Attacker}{{\mbox {III-B}}{2}{}{}{}}
|
||||
\bibstyle{IEEEtran}
|
||||
\bibdata{main}
|
||||
\bibcite{Lamport_1994}{1}
|
||||
\bibcite{Holzmann_1997}{2}
|
||||
\bibcite{Clarke_Wang}{3}
|
||||
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
|
||||
\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
|
||||
\bibcite{Kobeissi_Nicolas_Tiwari}{6}
|
||||
\bibcite{Blanchet_Jacomme}{7}
|
||||
\bibcite{Basin_Linker_Sasse}{8}
|
||||
\bibcite{Hippel2022}{9}
|
||||
\bibcite{Vardi_Wolper_1986}{10}
|
||||
\bibcite{clarke2000model}{11}
|
||||
\bibcite{Kozen_1977}{12}
|
||||
\newlabel{lst:spin-model}{{2}{3}{}{}{}}
|
||||
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget}{3}{}\protected@file@percent }
|
||||
\newlabel{lst:korg_drop}{{2}{3}{}{}{}}
|
||||
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{3}{}\protected@file@percent }
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Replaying Attacker Model}{3}{}\protected@file@percent }
|
||||
\newlabel{sub:Replay Attacker}{{\mbox {III-B}}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-C}}Rearranging Attacker Model}{3}{}\protected@file@percent }
|
||||
\newlabel{sub:Rearrange Attacker}{{\mbox {III-C}}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
|
||||
\newlabel{sub:Custom Attacker Models}{{\mbox {III-D}}{3}{}{}{}}
|
||||
\newlabel{lst:korg_replay}{{3}{3}{}{}{}}
|
||||
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{3}{}\protected@file@percent }
|
||||
\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{3}{}\protected@file@percent }
|
||||
\newlabel{sec:case_studies}{{IV}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-A}}SCTP}{3}{}\protected@file@percent }
|
||||
@@ -57,12 +50,21 @@
|
||||
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{3}{}\protected@file@percent }
|
||||
\newlabel{sec:conclusion}{{V}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {section}{References}{3}{}\protected@file@percent }
|
||||
\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{3}{}\protected@file@percent }
|
||||
\newlabel{sec:Appendix}{{VI}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-A}}Full Korg Soundness and Completeness Proofs}{3}{}\protected@file@percent }
|
||||
\newlabel{sub:korg_proofs}{{\mbox {VI-A}}{3}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{3}{}\protected@file@percent }
|
||||
\newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{3}{}{}{}}
|
||||
\newlabel{lst:drop_passer}{{3}{4}{}{}{}}
|
||||
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
|
||||
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
|
||||
\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
|
||||
\bibcite{Kobeissi_Nicolas_Tiwari}{6}
|
||||
\bibcite{Blanchet_Jacomme}{7}
|
||||
\bibcite{Basin_Linker_Sasse}{8}
|
||||
\bibcite{Hippel2022}{9}
|
||||
\bibcite{Vardi_Wolper_1986}{10}
|
||||
\bibcite{clarke2000model}{11}
|
||||
\bibcite{Kozen_1977}{12}
|
||||
\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{4}{}\protected@file@percent }
|
||||
\newlabel{sec:Appendix}{{VI}{4}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-A}}Full Korg Soundness and Completeness Proofs}{4}{}\protected@file@percent }
|
||||
\newlabel{sub:korg_proofs}{{\mbox {VI-A}}{4}{}{}{}}
|
||||
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{4}{}\protected@file@percent }
|
||||
\newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{4}{}{}{}}
|
||||
\newlabel{lst:drop_passer}{{4}{4}{}{}{}}
|
||||
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
|
||||
\gdef \@abspage@last{4}
|
||||
|
||||
10
main.fls
10
main.fls
@@ -223,13 +223,13 @@ INPUT ./sections/conclusion.tex
|
||||
INPUT ./main.bbl
|
||||
INPUT ./main.bbl
|
||||
INPUT ./main.bbl
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
|
||||
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./sections/appendix.tex
|
||||
INPUT ./main.aux
|
||||
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
|
||||
INPUT /usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb
|
||||
|
||||
35
main.log
35
main.log
@@ -1,4 +1,4 @@
|
||||
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 11 NOV 2024 03:48
|
||||
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 11 NOV 2024 13:11
|
||||
entering extended mode
|
||||
restricted \write18 enabled.
|
||||
%&-line parsing enabled.
|
||||
@@ -319,11 +319,7 @@ File: lstmisc.sty 2024/02/21 1.10 (Carsten Heinz)
|
||||
File: l3backend-pdftex.def 2024-02-20 L3 backend support: PDF output (pdfTeX)
|
||||
\l__color_backend_stack_int=\count294
|
||||
\l__pdf_internal_box=\box57
|
||||
) (./main.aux
|
||||
|
||||
LaTeX Warning: Label `lst:spin-model' multiply defined.
|
||||
|
||||
)
|
||||
) (./main.aux)
|
||||
\openout1 = `main.aux'.
|
||||
|
||||
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 48.
|
||||
@@ -410,7 +406,11 @@ LaTeX Warning: `h' float specifier changed to `ht'.
|
||||
|
||||
LaTeX Warning: `h' float specifier changed to `ht'.
|
||||
|
||||
[2]) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
|
||||
[2]
|
||||
|
||||
LaTeX Warning: `h' float specifier changed to `ht'.
|
||||
|
||||
) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
|
||||
** WARNING: IEEEtran.bst: No hyphenation pattern has been
|
||||
** loaded for the language `en'. Using the pattern for
|
||||
** the default language instead.
|
||||
@@ -426,6 +426,7 @@ LaTeX Warning: `h' float specifier changed to `ht'.
|
||||
** WARNING: IEEEtran.bst: No hyphenation pattern has been
|
||||
** loaded for the language `en'. Using the pattern for
|
||||
** the default language instead.
|
||||
[3]
|
||||
** WARNING: IEEEtran.bst: No hyphenation pattern has been
|
||||
** loaded for the language `en'. Using the pattern for
|
||||
** the default language instead.
|
||||
@@ -470,7 +471,7 @@ might try typing `S' now just to see what is salvageable.
|
||||
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
|
||||
(Font) using `OT1/ptm/m/sc' instead on input line 15.
|
||||
|
||||
[3])
|
||||
)
|
||||
|
||||
** Conference Paper **
|
||||
Before submitting the final camera ready copy, remember to:
|
||||
@@ -482,23 +483,17 @@ Before submitting the final camera ready copy, remember to:
|
||||
uses only Type 1 fonts and that every step in the generation
|
||||
process uses the appropriate paper size.
|
||||
|
||||
[4
|
||||
|
||||
] (./main.aux)
|
||||
[4] (./main.aux)
|
||||
***********
|
||||
LaTeX2e <2023-11-01> patch level 1
|
||||
L3 programming layer <2024-02-20>
|
||||
***********
|
||||
|
||||
|
||||
LaTeX Warning: There were multiply-defined labels.
|
||||
|
||||
)
|
||||
Here is how much of TeX's memory you used:
|
||||
6276 strings out of 476076
|
||||
93712 string characters out of 5793776
|
||||
2039187 words of memory out of 5000000
|
||||
28293 multiletter control sequences out of 15000+600000
|
||||
6344 strings out of 476076
|
||||
94418 string characters out of 5793776
|
||||
2116187 words of memory out of 5000000
|
||||
28361 multiletter control sequences out of 15000+600000
|
||||
597323 words of font info for 103 fonts, out of 8000000 for 9000
|
||||
14 hyphenation exceptions out of 8191
|
||||
57i,8n,65p,1155b,1257s stack positions out of 10000i,1000n,20000p,200000b,200000s
|
||||
@@ -507,7 +502,7 @@ texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb></usr/share/texmf-dist/fonts/type
|
||||
1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
|
||||
></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-dist
|
||||
/fonts/type1/urw/times/utmri8a.pfb>
|
||||
Output written on ./main.pdf (4 pages, 157257 bytes).
|
||||
Output written on ./main.pdf (4 pages, 160828 bytes).
|
||||
PDF statistics:
|
||||
49 PDF objects out of 1000 (max. 8388607)
|
||||
29 compressed objects within 1 object stream
|
||||
|
||||
BIN
main.synctex.gz
BIN
main.synctex.gz
Binary file not shown.
@@ -5,8 +5,10 @@
|
||||
|
||||
The first and most simple general attacker model \korg supports is an attacker that can \textit{drop} messages from a channel. The user specifies a "drop limit" value that limits the number of packets the attacker can drop from the channel. Note, a higher drop limit will increase the search space of possible attacks, thereby increasing execution time.
|
||||
|
||||
The dropper attacker model gadget \korg synthesizes works as follows. The gadget will nondeterministically choose to observe a message on a channel. Then, if the drop limit variable is not zero, it will consume the message. An example is shown in Figure \ref{lst:korg_drop}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example dropping attacker model gadget}, label={lst:spin-model}]
|
||||
\begin{lstlisting}[caption={Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}, label={lst:korg_drop}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
active proctype attacker_drop() {
|
||||
@@ -31,9 +33,56 @@ BREAK:
|
||||
|
||||
\subsection{Replaying Attacker Model}%
|
||||
\label{sub:Replay Attacker}
|
||||
The second attacker model \korg supports is an attacker that can observe and replay messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of messages the attacker can replay back onto the specified channel.
|
||||
The second attacker model \korg supports is an attacker that can observe and \textit{replay} messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of messages the attacker can replay back onto the specified channel.
|
||||
|
||||
\jg{todo: describe impl more}
|
||||
The dropper attacker model gadget \korg synthesizes works as follows. The gadget has two states, \textsc{Consume} and \textsc{Replay}. The gadget starts in the \textsc{Consume} state and nondeterministically reads (but not consumes) messages on the target channel, sending them into a local storage buffer. Once the gadget read the number of messages on the channel equivalent to the defined replay limit, its state changes to \textsc{Replay}. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_replay}.
|
||||
|
||||
\begin{figure}[h]
|
||||
\begin{lstlisting}[caption={Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_replay}]
|
||||
chan cn = [8] of { int, int, int };
|
||||
|
||||
// local memory for the gadget
|
||||
chan gadget_mem = [3] of { int, int, int };
|
||||
|
||||
active proctype attacker_replay() {
|
||||
int b_0, b_1, b_2;
|
||||
int i = 3;
|
||||
CONSUME:
|
||||
do
|
||||
// read messages until the limit is passed
|
||||
:: cn ? [b_0, b_1, b_2] -> atomic {
|
||||
cn ? <b_0, b_1, b_2> -> gadget_mem ! b_0, b_1, b_2;
|
||||
i--;
|
||||
if
|
||||
:: i == 0 -> goto REPLAY;
|
||||
:: i != 0 -> goto CONSUME;
|
||||
fi
|
||||
}
|
||||
od
|
||||
REPLAY:
|
||||
do
|
||||
:: atomic {
|
||||
// nondeterministically select a random value from the storage buffer
|
||||
int am;
|
||||
select(am : 0 .. len(gadget_mem)-1);
|
||||
do
|
||||
:: am != 0 ->
|
||||
am = am-1;
|
||||
gadget_mem ? b_0, b_1, b_2 -> gadget_mem ! b_0, b_1, b_2;
|
||||
:: am == 0 ->
|
||||
gadget_mem ? b_0, b_1, b_2 -> cn ! b_0, b_1, b_2;
|
||||
break;
|
||||
od
|
||||
}
|
||||
// doesn't need to use all messages on the channel
|
||||
:: atomic {gadget_mem ? b_0, b_1, b_2; }
|
||||
// once mem has no more messages, we're done
|
||||
:: empty(gadget_mem) -> goto BREAK;
|
||||
od
|
||||
BREAK:
|
||||
}
|
||||
\end{lstlisting}
|
||||
\end{figure}
|
||||
|
||||
\subsection{Rearranging Attacker Model}%
|
||||
\label{sub:Rearrange Attacker}
|
||||
|
||||
Reference in New Issue
Block a user