moar

main.aux

@@ -24,28 +24,21 @@
 \newlabel{sec:usage_attacker_models}{{III}{2}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-A}}Dropping Attacker Model}{2}{}\protected@file@percent }
 \newlabel{sub:Dropping Attacker}{{\mbox  {III-A}}{2}{}{}{}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-B}}Replaying Attacker Model}{2}{}\protected@file@percent }
-\newlabel{sub:Replay Attacker}{{\mbox  {III-B}}{2}{}{}{}}
 \bibstyle{IEEEtran}
 \bibdata{main}
 \bibcite{Lamport_1994}{1}
 \bibcite{Holzmann_1997}{2}
 \bibcite{Clarke_Wang}{3}
-\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
+\newlabel{lst:korg_drop}{{2}{3}{}{}{}}
-\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{3}{}\protected@file@percent }
-\bibcite{Kobeissi_Nicolas_Tiwari}{6}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-B}}Replaying Attacker Model}{3}{}\protected@file@percent }
-\bibcite{Blanchet_Jacomme}{7}
+\newlabel{sub:Replay Attacker}{{\mbox  {III-B}}{3}{}{}{}}
-\bibcite{Basin_Linker_Sasse}{8}
-\bibcite{Hippel2022}{9}
-\bibcite{Vardi_Wolper_1986}{10}
-\bibcite{clarke2000model}{11}
-\bibcite{Kozen_1977}{12}
-\newlabel{lst:spin-model}{{2}{3}{}{}{}}
-\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget}{3}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-C}}Rearranging Attacker Model}{3}{}\protected@file@percent }
 \newlabel{sub:Rearrange Attacker}{{\mbox  {III-C}}{3}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
 \newlabel{sub:Custom Attacker Models}{{\mbox  {III-D}}{3}{}{}{}}
+\newlabel{lst:korg_replay}{{3}{3}{}{}{}}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{3}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{3}{}\protected@file@percent }
 \newlabel{sec:case_studies}{{IV}{3}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-A}}SCTP}{3}{}\protected@file@percent }
@@ -57,12 +50,21 @@
 \@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{3}{}\protected@file@percent }
 \newlabel{sec:conclusion}{{V}{3}{}{}{}}
 \@writefile{toc}{\contentsline {section}{References}{3}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{3}{}\protected@file@percent }
+\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
-\newlabel{sec:Appendix}{{VI}{3}{}{}{}}
+\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-A}}Full Korg Soundness and Completeness Proofs}{3}{}\protected@file@percent }
+\bibcite{Kobeissi_Nicolas_Tiwari}{6}
-\newlabel{sub:korg_proofs}{{\mbox  {VI-A}}{3}{}{}{}}
+\bibcite{Blanchet_Jacomme}{7}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-B}}Preventing Korg Livelocks}{3}{}\protected@file@percent }
+\bibcite{Basin_Linker_Sasse}{8}
-\newlabel{sub:Preventing Korg Livelocks}{{\mbox  {VI-B}}{3}{}{}{}}
+\bibcite{Hippel2022}{9}
-\newlabel{lst:drop_passer}{{3}{4}{}{}{}}
+\bibcite{Vardi_Wolper_1986}{10}
-\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
+\bibcite{clarke2000model}{11}
+\bibcite{Kozen_1977}{12}
+\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{4}{}\protected@file@percent }
+\newlabel{sec:Appendix}{{VI}{4}{}{}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-A}}Full Korg Soundness and Completeness Proofs}{4}{}\protected@file@percent }
+\newlabel{sub:korg_proofs}{{\mbox  {VI-A}}{4}{}{}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-B}}Preventing Korg Livelocks}{4}{}\protected@file@percent }
+\newlabel{sub:Preventing Korg Livelocks}{{\mbox  {VI-B}}{4}{}{}{}}
+\newlabel{lst:drop_passer}{{4}{4}{}{}{}}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
 \gdef \@abspage@last{4}

main.fls

@@ -223,13 +223,13 @@ INPUT ./sections/conclusion.tex
 INPUT ./main.bbl
 INPUT ./main.bbl
 INPUT ./main.bbl
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
 INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
 INPUT ./main.aux
 INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
 INPUT /usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb

main.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  11 NOV 2024 03:48
+This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  11 NOV 2024 13:11
 entering extended mode
  restricted \write18 enabled.
  %&-line parsing enabled.
@@ -319,11 +319,7 @@ File: lstmisc.sty 2024/02/21 1.10 (Carsten Heinz)
 File: l3backend-pdftex.def 2024-02-20 L3 backend support: PDF output (pdfTeX)
 \l__color_backend_stack_int=\count294
 \l__pdf_internal_box=\box57
-) (./main.aux
+) (./main.aux)
-
-LaTeX Warning: Label `lst:spin-model' multiply defined.
-
-)
 \openout1 = `main.aux'.
 
 LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 48.
@@ -410,7 +406,11 @@ LaTeX Warning: `h' float specifier changed to `ht'.
 
 LaTeX Warning: `h' float specifier changed to `ht'.
 
-[2]) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
+[2]
+
+LaTeX Warning: `h' float specifier changed to `ht'.
+
+) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
@@ -426,6 +426,7 @@ LaTeX Warning: `h' float specifier changed to `ht'.
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
+[3]
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
@@ -470,7 +471,7 @@ might try typing `S' now just to see what is salvageable.
 LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
 (Font)              using `OT1/ptm/m/sc' instead on input line 15.
 
-[3])
+)
 
 ** Conference Paper **
 Before submitting the final camera ready copy, remember to:
@@ -482,23 +483,17 @@ Before submitting the final camera ready copy, remember to:
  uses only Type 1 fonts and that every step in the generation
  process uses the appropriate paper size.
 
-[4
+[4] (./main.aux)
-
-] (./main.aux)
  ***********
 LaTeX2e <2023-11-01> patch level 1
 L3 programming layer <2024-02-20>
  ***********
-
-
-LaTeX Warning: There were multiply-defined labels.
-
  ) 
 Here is how much of TeX's memory you used:
- 6276 strings out of 476076
+ 6344 strings out of 476076
- 93712 string characters out of 5793776
+ 94418 string characters out of 5793776
- 2039187 words of memory out of 5000000
+ 2116187 words of memory out of 5000000
- 28293 multiletter control sequences out of 15000+600000
+ 28361 multiletter control sequences out of 15000+600000
  597323 words of font info for 103 fonts, out of 8000000 for 9000
  14 hyphenation exceptions out of 8191
  57i,8n,65p,1155b,1257s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -507,7 +502,7 @@ texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb></usr/share/texmf-dist/fonts/type
 1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
 ></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-dist
 /fonts/type1/urw/times/utmri8a.pfb>
-Output written on ./main.pdf (4 pages, 157257 bytes).
+Output written on ./main.pdf (4 pages, 160828 bytes).
 PDF statistics:
  49 PDF objects out of 1000 (max. 8388607)
  29 compressed objects within 1 object stream

sections/attacker_models.tex

@@ -5,8 +5,10 @@
 
 The first and most simple general attacker model \korg supports is an attacker that can \textit{drop} messages from a channel. The user specifies a "drop limit" value that limits the number of packets the attacker can drop from the channel. Note, a higher drop limit will increase the search space of possible attacks, thereby increasing execution time.
 
+The dropper attacker model gadget \korg synthesizes works as follows. The gadget will nondeterministically choose to observe a message on a channel. Then, if the drop limit variable is not zero, it will consume the message. An example is shown in Figure \ref{lst:korg_drop}.
+
 \begin{figure}[h]
-\begin{lstlisting}[caption={Example dropping attacker model gadget}, label={lst:spin-model}]
+\begin{lstlisting}[caption={Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}, label={lst:korg_drop}]
 chan cn = [8] of { int, int, int }; 
 
 active proctype attacker_drop() {
@@ -31,9 +33,56 @@ BREAK:
 
 \subsection{Replaying Attacker Model}%
 \label{sub:Replay Attacker}
-The second attacker model \korg supports is an attacker that can observe and replay messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of messages the attacker can replay back onto the specified channel. 
+The second attacker model \korg supports is an attacker that can observe and \textit{replay} messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of messages the attacker can replay back onto the specified channel. 
 
-\jg{todo: describe impl more}
+The dropper attacker model gadget \korg synthesizes works as follows. The gadget has two states, \textsc{Consume} and \textsc{Replay}. The gadget starts in the \textsc{Consume} state and nondeterministically reads (but not consumes) messages on the target channel, sending them into a local storage buffer. Once the gadget read the number of messages on the channel equivalent to the defined replay limit, its state changes to \textsc{Replay}. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_replay}.
+
+\begin{figure}[h]
+\begin{lstlisting}[caption={Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_replay}]
+chan cn = [8] of { int, int, int }; 
+
+// local memory for the gadget
+chan gadget_mem = [3] of { int, int, int };
+
+active proctype attacker_replay() {
+int b_0, b_1, b_2;
+int i = 3;
+CONSUME:
+  do
+  // read messages until the limit is passed
+  :: cn ? [b_0, b_1, b_2] -> atomic {
+   cn ? <b_0, b_1, b_2> -> gadget_mem ! b_0, b_1, b_2;
+    i--;
+    if
+    :: i == 0 -> goto REPLAY;
+    :: i != 0 -> goto CONSUME;
+    fi
+    }
+  od
+REPLAY:
+  do
+  :: atomic {
+    // nondeterministically select a random value from the storage buffer
+    int am;
+    select(am : 0 .. len(gadget_mem)-1);
+    do
+    :: am != 0 ->
+      am = am-1;
+      gadget_mem ? b_0, b_1, b_2 -> gadget_mem ! b_0, b_1, b_2;
+    :: am == 0 ->
+      gadget_mem ? b_0, b_1, b_2 -> cn ! b_0, b_1, b_2;
+      break;
+    od
+    }
+  // doesn't need to use all messages on the channel
+  :: atomic {gadget_mem ? b_0, b_1, b_2; }
+  // once mem has no more messages, we're done
+  :: empty(gadget_mem) -> goto BREAK;
+  od
+BREAK:
+}
+\end{lstlisting}
+\end{figure}
 
 \subsection{Rearranging Attacker Model}%
 \label{sub:Rearrange Attacker}