synchronous/korg-paper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more

Browse Source
This commit is contained in:
JakeGinesin
2024-11-25 07:15:00 -05:00
parent 434b12e4e0
commit 62d6e309bb
12 changed files with 961 additions and 857 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1137
.latexrun.db
View File

File diff suppressed because it is too large Load Diff

116
main.aux
View File

@@ -10,49 +10,57 @@
\newlabel{sub:High-level design}{{\mbox {II-A}}{1}{}{}{}} \newlabel{sub:High-level design}{{\mbox {II-A}}{1}{}{}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces A high-level overview of the \textsc {Korg}\xspace workflow}}{1}{}\protected@file@percent } \@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces A high-level overview of the \textsc {Korg}\xspace workflow}}{1}{}\protected@file@percent }
\newlabel{fig:korg_workflow}{{1}{1}{}{}{}} \newlabel{fig:korg_workflow}{{1}{1}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}Soundness And Completeness of Korg}{1}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}Supported Attacker Models}{1}{}\protected@file@percent }
\newlabel{sub:Soundness And Completeness}{{\mbox {II-B}}{1}{}{}{}} \newlabel{sub:Supported Attacker Models}{{\mbox {II-B}}{1}{}{}{}}
\citation{Kozen_1977} \citation{Kozen_1977}
\citation{Clarke_Wang} \citation{Clarke_Wang}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-C}}The Korg Implementation}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-C}}Soundness And Completeness of Korg}{2}{}\protected@file@percent }
\newlabel{sub:The Korg Implementation}{{\mbox {II-C}}{2}{}{}{}} \newlabel{sub:Soundness And Completeness}{{\mbox {II-C}}{2}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}The Korg Implementation}{2}{}\protected@file@percent }
\newlabel{sub:The Korg Implementation}{{\mbox {II-D}}{2}{}{}{}}
\newlabel{lst:spin-model}{{1}{2}{}{}{}} \newlabel{lst:spin-model}{{1}{2}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {1}Example \textsc {Promela}\xspace model of peers communicating over a channel}{2}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {1}Example \textsc {Promela}\xspace model of peers communicating over a channel. \texttt {!} indicates sending a message onto a channel, \texttt {?} indicates receiving a message from a channel.}{2}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}Usage}{2}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-E}}Usage}{2}{}\protected@file@percent }
\newlabel{sub:Usage}{{\mbox {II-D}}{2}{}{}{}} \newlabel{sub:Usage}{{\mbox {II-E}}{2}{}{}{}}
\newlabel{lst:prod-consume}{{2}{2}{}{}{}} \newlabel{lst:abp}{{2}{3}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example \textsc {Promela}\xspace model with four producers and one consumer.}{2}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example (simplified) \textsc {Promela}\xspace model of the alternating bit protocol.}{3}{}\protected@file@percent }
\newlabel{lst:korg-shell}{{\mbox {II-D}}{2}{}{}{}} \newlabel{lst:korg-shell}{{\mbox {II-E}}{3}{}{}{}}
\newlabel{trace}{{\mbox {II-D}}{2}{}{}{}} \@writefile{toc}{\contentsline {section}{\numberline {III}Attacker Model Gadgets}{3}{}\protected@file@percent }
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro} \newlabel{sec:usage_attacker_models}{{III}{3}{}{}{}}
\citation{Ongaro} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}Drop Attacker Model Gadget}{3}{}\protected@file@percent }
\newlabel{sub:Dropping Attacker}{{\mbox {III-A}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Replay Attacker Model Gadget}{3}{}\protected@file@percent }
\newlabel{sub:Replay Attacker}{{\mbox {III-B}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-C}}Reorder Attacker Model Gadget}{3}{}\protected@file@percent }
\newlabel{sub:reordering Attacker}{{\mbox {III-C}}{3}{}{}{}}
\citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022} \citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022}
\citation{Pacheco2022} \citation{Pacheco2022}
\citation{Pacheco2022,Hippel2022} \citation{Pacheco2022,Hippel2022}
\citation{rfc9260}
\citation{Pacheco2022} \citation{Pacheco2022}
\citation{Pacheco2022} \citation{Pacheco2022}
\@writefile{toc}{\contentsline {section}{\numberline {III}Attacker Models}{3}{}\protected@file@percent } \citation{Pacheco2022}
\newlabel{sec:usage_attacker_models}{{III}{3}{}{}{}} \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}Dropping Attacker Model}{3}{}\protected@file@percent } \citation{Ongaro}
\newlabel{sub:Dropping Attacker}{{\mbox {III-A}}{3}{}{}{}} \citation{Ongaro}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Replaying Attacker Model}{3}{}\protected@file@percent } \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\newlabel{sub:Replay Attacker}{{\mbox {III-B}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-C}}Reordering Attacker Model}{3}{}\protected@file@percent }
\newlabel{sub:reordering Attacker}{{\mbox {III-C}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
\newlabel{sub:Custom Attacker Models}{{\mbox {III-D}}{3}{}{}{}}
\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{3}{}\protected@file@percent }
\newlabel{sec:case_studies}{{IV}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-A}}Raft}{3}{}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {IV-A}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-B}}TCP}{3}{}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {IV-B}}{3}{}{}{}}
\bibstyle{IEEEtran} \bibstyle{IEEEtran}
\bibdata{main} \bibdata{main}
\bibcite{Lamport_1994}{1} \bibcite{Lamport_1994}{1}
\bibcite{Holzmann_1997}{2} \bibcite{Holzmann_1997}{2}
\bibcite{Clarke_Wang}{3} \bibcite{Clarke_Wang}{3}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-D}}Insert Attacker Models}{4}{}\protected@file@percent }
\newlabel{sub:Custom Attacker Models}{{\mbox {III-D}}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{4}{}\protected@file@percent }
\newlabel{sec:case_studies}{{IV}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-A}}TCP}{4}{}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {IV-A}}{4}{}{}{}}
\newlabel{res:tcp-table}{{\mbox {IV-A}}{4}{}{}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against the hand-written TCP model from Pacheco et al. and our own, for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {Korg}\xspace proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.}}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-B}}Raft}{4}{}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {IV-B}}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{4}{}\protected@file@percent }
\newlabel{sec:conclusion}{{V}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{References}{4}{}\protected@file@percent }
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4} \bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5} \bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
\bibcite{Kobeissi_Nicolas_Tiwari}{6} \bibcite{Kobeissi_Nicolas_Tiwari}{6}
@@ -60,38 +68,32 @@
\bibcite{Basin_Linker_Sasse}{8} \bibcite{Basin_Linker_Sasse}{8}
\bibcite{Hippel2022}{9} \bibcite{Hippel2022}{9}
\bibcite{Kozen_1977}{10} \bibcite{Kozen_1977}{10}
\bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{11} \bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{11}
\bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{12} \bibcite{Smith_1997}{12}
\bibcite{Ongaro}{13} \bibcite{Pacheco2022}{13}
\bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{14} \bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{14}
\bibcite{Smith_1997}{15} \bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{15}
\bibcite{Pacheco2022}{16} \bibcite{Ongaro}{16}
\bibcite{rfc9260}{17} \@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{5}{}\protected@file@percent }
\newlabel{res:tcp-table}{{\mbox {IV-B}}{4}{}{}{}} \newlabel{sec:Appendix}{{VI}{5}{}{}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against the gold, canonical (labeled "expert"), and revised TCP models for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {Korg}\xspace proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.}}{4}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-A}}Full Korg Soundness and Completeness Proofs}{5}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{4}{}\protected@file@percent } \newlabel{sub:korg_proofs}{{\mbox {VI-A}}{5}{}{}{}}
\newlabel{sec:conclusion}{{V}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{References}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{4}{}\protected@file@percent }
\newlabel{sec:Appendix}{{VI}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-A}}Full Korg Soundness and Completeness Proofs}{4}{}\protected@file@percent }
\newlabel{sub:korg_proofs}{{\mbox {VI-A}}{4}{}{}{}}
\citation{Holzmann_1997} \citation{Holzmann_1997}
\citation{Kozen_1977} \citation{Kozen_1977}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{5}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{6}{}\protected@file@percent }
\newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{5}{}{}{}} \newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{6}{}{}{}}
\newlabel{lst:drop_passer}{{3}{5}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example dropping attacker model gadget with message skipping}{5}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-C}}Attacker Model Gadget Examples}{6}{}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-C}}Attacker Model Gadget Examples}{6}{}\protected@file@percent }
\newlabel{sub:Attacker Model Gadget Examples}{{\mbox {VI-C}}{6}{}{}{}} \newlabel{sub:Attacker Model Gadget Examples}{{\mbox {VI-C}}{6}{}{}{}}
\newlabel{lst:drop_passer}{{3}{6}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example dropping attacker model gadget with message skipping}{6}{}\protected@file@percent }
\newlabel{lst:korg_drop}{{4}{6}{}{}{}} \newlabel{lst:korg_drop}{{4}{6}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{6}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{6}{}\protected@file@percent }
\newlabel{lst:korg_replay}{{5}{6}{}{}{}} \newlabel{lst:korg_replay}{{5}{7}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {5}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{6}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {5}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{7}{}\protected@file@percent }
\newlabel{lst:korg_reordering}{{6}{7}{}{}{}} \newlabel{lst:korg_reordering}{{6}{7}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {6}Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{7}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {6}Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{7}{}\protected@file@percent }
\newlabel{lst:io-file}{{7}{7}{}{}{}} \newlabel{lst:io-file}{{7}{8}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {7}Example I/O file targetting channel "cn"}{7}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {7}Example I/O file targetting channel "cn"}{8}{}\protected@file@percent }
\newlabel{lst:io-file-synth}{{8}{7}{}{}{}} \newlabel{lst:io-file-synth}{{8}{8}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {8}Example gadget synthesized from an I/O file targetting the channel "cn"}{7}{}\protected@file@percent } \@writefile{lol}{\contentsline {lstlisting}{\numberline {8}Example gadget synthesized from an I/O file targetting the channel "cn"}{8}{}\protected@file@percent }
\gdef \@abspage@last{7} \gdef \@abspage@last{8}

42
main.bbl
View File

@@ -75,26 +75,6 @@ D.~Kozen, ``\BIBforeignlanguage{en}{Lower bounds for natural proof systems},''
\url{http://ieeexplore.ieee.org/document/4567949/} \url{http://ieeexplore.ieee.org/document/4567949/}
\BIBentrySTDinterwordspacing \BIBentrySTDinterwordspacing
\bibitem{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\BIBentryALTinterwordspacing
D.~Woos, J.~R. Wilcox, S.~Anton, Z.~Tatlock, M.~D. Ernst, and T.~Anderson,
``\BIBforeignlanguage{en}{Planning for change in a formal verification of the
raft consensus protocol},'' in \emph{\BIBforeignlanguage{en}{Proceedings of
the 5th ACM SIGPLAN Conference on Certified Programs and Proofs}}.\hskip 1em
plus 0.5em minus 0.4em\relax St. Petersburg FL USA: ACM, Jan. 2016, p.
154165. [Online]. Available:
\url{https://dl.acm.org/doi/10.1145/2854065.2854081}
\BIBentrySTDinterwordspacing
\bibitem{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}
J.~R. Wilcox, D.~Woos, P.~Panchekha, Z.~Tatlock, X.~Wang, M.~D. Ernst, and
T.~Anderson, ``\BIBforeignlanguage{en}{Verdi: A framework for implementing
and formally verifying distributed systems}.''
\bibitem{Ongaro}
D.~Ongaro, ``\BIBforeignlanguage{en}{Consensus: Bridging theory and
practice}.''
\bibitem{Cluzel_Georgiou_Moy_Zeller_2021} \bibitem{Cluzel_Georgiou_Moy_Zeller_2021}
\BIBentryALTinterwordspacing \BIBentryALTinterwordspacing
G.~Cluzel, K.~Georgiou, Y.~Moy, and C.~Zeller, G.~Cluzel, K.~Georgiou, Y.~Moy, and C.~Zeller,
@@ -124,12 +104,24 @@ M.~L. Pacheco, M.~V. Hippel, B.~Weintraub, D.~Goldwasser, and C.~Nita-Rotaru,
\url{https://ieeexplore.ieee.org/document/9833673/} \url{https://ieeexplore.ieee.org/document/9833673/}
\BIBentrySTDinterwordspacing \BIBentrySTDinterwordspacing
\bibitem{rfc9260} \bibitem{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\BIBentryALTinterwordspacing \BIBentryALTinterwordspacing
M.~Tüxen, R.~Stewart, K.~Nielsen, R.~Jesup, and S.~Loreto, ``{Stream Control D.~Woos, J.~R. Wilcox, S.~Anton, Z.~Tatlock, M.~D. Ernst, and T.~Anderson,
Transmission Protocol (SCTP) Specification Errata and Issues},'' Request for ``\BIBforeignlanguage{en}{Planning for change in a formal verification of the
Comments, June 2022. [Online]. Available: raft consensus protocol},'' in \emph{\BIBforeignlanguage{en}{Proceedings of
\url{https://www.rfc-editor.org/rfc/rfc9260} the 5th ACM SIGPLAN Conference on Certified Programs and Proofs}}.\hskip 1em
plus 0.5em minus 0.4em\relax St. Petersburg FL USA: ACM, Jan. 2016, p.
154165. [Online]. Available:
\url{https://dl.acm.org/doi/10.1145/2854065.2854081}
\BIBentrySTDinterwordspacing \BIBentrySTDinterwordspacing
\bibitem{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}
J.~R. Wilcox, D.~Woos, P.~Panchekha, Z.~Tatlock, X.~Wang, M.~D. Ernst, and
T.~Anderson, ``\BIBforeignlanguage{en}{Verdi: A framework for implementing
and formally verifying distributed systems}.''
\bibitem{Ongaro}
D.~Ongaro, ``\BIBforeignlanguage{en}{Consensus: Bridging theory and
practice}.''
\end{thebibliography} \end{thebibliography}

58
main.blg
View File

@@ -36,45 +36,45 @@ Warning--empty journal in Ongaro
Warning--empty year in Ongaro Warning--empty year in Ongaro
Done. Done.
You've used 17 entries, You've used 16 entries,
4087 wiz_defined-function locations, 4087 wiz_defined-function locations,
935 strings with 10819 characters, 927 strings with 10593 characters,
and the built_in function-call counts, 9675 in all, are: and the built_in function-call counts, 9127 in all, are:
= -- 780 = -- 739
> -- 228 > -- 207
< -- 14 < -- 14
+ -- 108 + -- 98
- -- 54 - -- 49
* -- 546 * -- 519
:= -- 1511 := -- 1420
add.period$ -- 38 add.period$ -- 36
call.type$ -- 17 call.type$ -- 16
change.case$ -- 19 change.case$ -- 18
chr.to.int$ -- 0 chr.to.int$ -- 0
cite$ -- 32 cite$ -- 31
duplicate$ -- 827 duplicate$ -- 786
empty$ -- 811 empty$ -- 765
format.name$ -- 66 format.name$ -- 60
if$ -- 2203 if$ -- 2081
int.to.chr$ -- 0 int.to.chr$ -- 0
int.to.str$ -- 17 int.to.str$ -- 16
missing$ -- 158 missing$ -- 147
newline$ -- 88 newline$ -- 83
num.names$ -- 17 num.names$ -- 16
pop$ -- 417 pop$ -- 385
preamble$ -- 1 preamble$ -- 1
purify$ -- 0 purify$ -- 0
quote$ -- 2 quote$ -- 2
skip$ -- 729 skip$ -- 691
stack$ -- 0 stack$ -- 0
substring$ -- 135 substring$ -- 134
swap$ -- 582 swap$ -- 552
text.length$ -- 14 text.length$ -- 14
text.prefix$ -- 0 text.prefix$ -- 0
top$ -- 5 top$ -- 5
type$ -- 17 type$ -- 16
warning$ -- 15 warning$ -- 15
while$ -- 24 while$ -- 23
width$ -- 19 width$ -- 18
write$ -- 181 write$ -- 170
(There were 2 error messages) (There were 2 error messages)

114
main.fls
View File

@@ -99,6 +99,8 @@ INPUT /usr/share/texmf-dist/tex/latex/tools/xspace.sty
INPUT /usr/share/texmf-dist/tex/latex/tools/xspace.sty INPUT /usr/share/texmf-dist/tex/latex/tools/xspace.sty
INPUT /usr/share/texmf-dist/tex/latex/tools/array.sty INPUT /usr/share/texmf-dist/tex/latex/tools/array.sty
INPUT /usr/share/texmf-dist/tex/latex/tools/array.sty INPUT /usr/share/texmf-dist/tex/latex/tools/array.sty
INPUT /usr/share/texmf-dist/tex/latex/comment/comment.sty
INPUT /usr/share/texmf-dist/tex/latex/comment/comment.sty
INPUT /usr/share/texmf-dist/tex/latex/listings/listings.sty INPUT /usr/share/texmf-dist/tex/latex/listings/listings.sty
INPUT /usr/share/texmf-dist/tex/latex/listings/listings.sty INPUT /usr/share/texmf-dist/tex/latex/listings/listings.sty
INPUT /usr/share/texmf-dist/tex/latex/listings/lstpatch.sty INPUT /usr/share/texmf-dist/tex/latex/listings/lstpatch.sty
@@ -161,6 +163,20 @@ INPUT ./assets/diagram3.png
OUTPUT ./main.pdf OUTPUT ./main.pdf
INPUT ./assets/diagram3.png INPUT ./assets/diagram3.png
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/cmextra/cmex7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/cmextra/cmex7.tfm
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam5.tfm
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm5.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
@@ -184,48 +200,8 @@ INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/cmextra/cmex7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/cmextra/cmex7.tfm
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam5.tfm
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm5.tfm
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8c.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr8c.vf
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr8.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr8.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr6.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr6.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmmi8.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmmi8.tfm
@@ -238,23 +214,55 @@ INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam7.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm
INPUT ./sections/conclusion.tex INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
INPUT ./sections/conclusion.tex INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT ./sections/conclusion.tex INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT ./sections/conclusion.tex INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT ./sections/conclusion.tex INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT ./main.bbl INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT ./main.bbl INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT ./main.bbl
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8c.tfm
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT ./sections/attacker_models.tex
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr8c.vf
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
INPUT ./main.bbl
INPUT ./main.bbl
INPUT ./main.bbl
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT ./main.aux INPUT ./main.aux

169
main.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 18 NOV 2024 14:49 This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 25 NOV 2024 05:14
entering extended mode entering extended mode
restricted \write18 enabled. restricted \write18 enabled.
%&-line parsing enabled. %&-line parsing enabled.
@@ -283,6 +283,10 @@ Package: array 2023/10/16 v2.5g Tabular extension package (FMi)
\backup@length=\skip60 \backup@length=\skip60
\ar@cellbox=\box56 \ar@cellbox=\box56
) )
(/usr/share/texmf-dist/tex/latex/comment/comment.sty
\CommentStream=\write3
Excluding comment 'comment')
\c@definition=\count285 \c@definition=\count285
(/usr/share/texmf-dist/tex/latex/listings/listings.sty (/usr/share/texmf-dist/tex/latex/listings/listings.sty
@@ -334,20 +338,20 @@ File: l3backend-pdftex.def 2024-02-20 L3 backend support: PDF output (pdfTeX)
) (./main.aux) ) (./main.aux)
\openout1 = `main.aux'. \openout1 = `main.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 52. LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 52. LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 52. LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 52. LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 52. LaTeX Font Info: Checking defaults for TS1/cmr/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 52. LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 52. LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 53.
LaTeX Font Info: ... okay on input line 52. LaTeX Font Info: ... okay on input line 53.
-- Lines per column: 56 (exact). -- Lines per column: 56 (exact).
(/usr/share/texmf-dist/tex/context/base/mkii/supp-pdf.mkii (/usr/share/texmf-dist/tex/context/base/mkii/supp-pdf.mkii
@@ -385,97 +389,67 @@ Overfull \hbox (6.0pt too wide) in paragraph at lines 11--12
[][] [][]
[] []
LaTeX Font Info: Trying to load font information for U+msa on input line 22.
LaTeX Warning: Reference `sub:korg_proofs' on page 1 undefined on input line 26
.
[1{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/fon
ts/enc/dvips/base/8r.enc}
<./assets/diagram3.png (PNG copy)>]
LaTeX Font Info: Trying to load font information for U+msa on input line 40.
(/usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd (/usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2013/01/14 v3.01 AMS symbols A File: umsa.fd 2013/01/14 v3.01 AMS symbols A
) )
LaTeX Font Info: Trying to load font information for U+msb on input line 40. LaTeX Font Info: Trying to load font information for U+msb on input line 22.
(/usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd (/usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2013/01/14 v3.01 AMS symbols B File: umsb.fd 2013/01/14 v3.01 AMS symbols B
) ) [1{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}{/usr/share/texmf-dist/f
onts/enc/dvips/base/8r.enc}
<./assets/diagram3.png (PNG copy)>]
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 40. (Font) using `OT1/ptm/m/sc' instead on input line 57.
LaTeX Font Info: Trying to load font information for OT1+pcr on input line 7 LaTeX Font Info: Trying to load font information for OT1+pcr on input line 9
8. 5.
(/usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd (/usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
File: ot1pcr.fd 2001/06/04 font definitions for OT1/pcr. File: ot1pcr.fd 2001/06/04 font definitions for OT1/pcr.
) ) [2]
LaTeX Font Info: Trying to load font information for TS1+pcr on input line 1 LaTeX Font Info: Trying to load font information for TS1+pcr on input line 1
17. 55.
(/usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd (/usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
File: ts1pcr.fd 2001/06/04 font definitions for TS1/pcr. File: ts1pcr.fd 2001/06/04 font definitions for TS1/pcr.
) [2]) )
(./sections/attacker_models.tex Excluding 'comment' comment.) (./sections/attacker_models.tex [3])
(./sections/case_studies.tex
LaTeX Warning: Reference `lst:korg_drop' on page 3 undefined on input line 8. Underfull \hbox (badness 4144) in paragraph at lines 13--13
LaTeX Warning: Reference `lst:korg_replay' on page 3 undefined on input line 16
.
LaTeX Warning: Reference `lst:korg_reordering' on page 3 undefined on input lin
e 23.
LaTeX Warning: Reference `lst:io-file' on page 3 undefined on input line 29.
LaTeX Warning: Reference `lst:io-file-synth' on page 3 undefined on input line
29.
) (./sections/case_studies.tex
Underfull \hbox (badness 4144) in paragraph at lines 15--15
[]\OT1/pcr/m/n/10 SYN_RECEIVED \OT1/ptm/m/n/10 is even-tu-ally fol-lowed by []\OT1/pcr/m/n/10 SYN_RECEIVED \OT1/ptm/m/n/10 is even-tu-ally fol-lowed by
[] []
Underfull \hbox (badness 4144) in paragraph at lines 15--15 Underfull \hbox (badness 4144) in paragraph at lines 13--13
[]\OT1/pcr/m/n/10 SYN_RECEIVED \OT1/ptm/m/n/10 is even-tu-ally fol-lowed by []\OT1/pcr/m/n/10 SYN_RECEIVED \OT1/ptm/m/n/10 is even-tu-ally fol-lowed by
[] []
Underfull \hbox (badness 4144) in paragraph at lines 15--15 Underfull \hbox (badness 4144) in paragraph at lines 13--13
[]\OT1/pcr/m/n/7 SYN_RECEIVED \OT1/ptm/m/n/7 is even-tu-ally fol-lowed by []\OT1/pcr/m/n/7 SYN_RECEIVED \OT1/ptm/m/n/7 is even-tu-ally fol-lowed by
[] []
Underfull \hbox (badness 4144) in paragraph at lines 15--15 Underfull \hbox (badness 4144) in paragraph at lines 13--13
[]\OT1/pcr/m/n/5 SYN_RECEIVED \OT1/ptm/m/n/5 is even-tu-ally fol-lowed by []\OT1/pcr/m/n/5 SYN_RECEIVED \OT1/ptm/m/n/5 is even-tu-ally fol-lowed by
[] []
LaTeX Warning: Reference `res:tcp-table' on page 3 undefined on input line 19. Overfull \hbox (4.66487pt too wide) in paragraph at lines 25--38
[][]
[]
[3]) (./sections/conclusion.tex) (./main.bbl Excluding 'comment' comment.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for LaTeX Warning: Reference `' on page 4 undefined on input line 82.
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been ) (./sections/conclusion.tex) (./main.bbl
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been ** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for ** loaded for the language `en'. Using the pattern for
** the default language instead. ** the default language instead.
@@ -491,6 +465,7 @@ LaTeX Warning: Reference `res:tcp-table' on page 3 undefined on input line 19.
** WARNING: IEEEtran.bst: No hyphenation pattern has been ** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for ** loaded for the language `en'. Using the pattern for
** the default language instead. ** the default language instead.
[4]
** WARNING: IEEEtran.bst: No hyphenation pattern has been ** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for ** loaded for the language `en'. Using the pattern for
** the default language instead. ** the default language instead.
@@ -525,10 +500,22 @@ LaTeX Warning: Reference `res:tcp-table' on page 3 undefined on input line 19.
** loaded for the language `eng'. Using the pattern for ** loaded for the language `eng'. Using the pattern for
** the default language instead. ** the default language instead.
Underfull \hbox (badness 1509) in paragraph at lines 110--115 Underfull \hbox (badness 1509) in paragraph at lines 90--95
\OT1/ptm/m/n/8 t/tcp,'' The-sis, Mas-sachusetts In-sti-tute of Tech-nol-ogy, \OT1/ptm/m/n/8 t/tcp,'' The-sis, Mas-sachusetts In-sti-tute of Tech-nol-ogy,
[] []
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been ** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for ** loaded for the language `en'. Using the pattern for
** the default language instead. ** the default language instead.
@@ -542,7 +529,7 @@ T1/ptm/m/it/10 A \OT1/ptm/m/n/10 Pro-cess \OT1/ptm/m/it/10 is a tu-ple $\OML/cm
m/m/it/10 P \OT1/cmr/m/n/10 = m/m/it/10 P \OT1/cmr/m/n/10 =
[] []
[4]
Underfull \hbox (badness 2165) in paragraph at lines 71--72 Underfull \hbox (badness 2165) in paragraph at lines 71--72
[]\OT1/ptm/m/n/10 In the Pro-cess: $\OML/cmm/m/it/10 s[]; s[]; s[]; []$ \OT1/pt []\OT1/ptm/m/n/10 In the Pro-cess: $\OML/cmm/m/it/10 s[]; s[]; s[]; []$ \OT1/pt
m/m/n/10 with $\OML/cmm/m/it/10 s[] \OT1/cmr/m/n/10 = \OML/cmm/m/it/10 s[]$ \OT m/m/n/10 with $\OML/cmm/m/it/10 s[] \OT1/cmr/m/n/10 = \OML/cmm/m/it/10 s[]$ \OT
@@ -553,16 +540,17 @@ m/m/n/10 with $\OML/cmm/m/it/10 s[] \OT1/cmr/m/n/10 = \OML/cmm/m/it/10 s[]$ \OT
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 89. (Font) using `OT1/ptm/m/sc' instead on input line 89.
[5]
Underfull \hbox (badness 1715) in paragraph at lines 96--98 Underfull \hbox (badness 1715) in paragraph at lines 96--98
\OT1/ptm/m/n/10 via the pre-vi-ous the-o-rem we can con-struct B[]uchi Au- \OT1/ptm/m/n/10 via the pre-vi-ous the-o-rem we can con-struct B[]uchi Au-
[] []
LaTeX Warning: Reference `lst:drop_passer' on page 5 undefined on input line 12 LaTeX Warning: `h' float specifier changed to `ht'.
3.
LaTeX Warning: `h' float specifier changed to `ht'.
[5]
LaTeX Warning: `h' float specifier changed to `ht'. LaTeX Warning: `h' float specifier changed to `ht'.
@@ -584,7 +572,9 @@ Before submitting the final camera ready copy, remember to:
uses only Type 1 fonts and that every step in the generation uses only Type 1 fonts and that every step in the generation
process uses the appropriate paper size. process uses the appropriate paper size.
[6] [7] (./main.aux) [6] [7] [8
] (./main.aux)
*********** ***********
LaTeX2e <2023-11-01> patch level 1 LaTeX2e <2023-11-01> patch level 1
L3 programming layer <2024-02-20> L3 programming layer <2024-02-20>
@@ -593,18 +583,15 @@ L3 programming layer <2024-02-20>
LaTeX Warning: There were undefined references. LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
) )
Here is how much of TeX's memory you used: Here is how much of TeX's memory you used:
6591 strings out of 476076 6647 strings out of 476076
97719 string characters out of 5793776 98844 string characters out of 5793776
2189187 words of memory out of 5000000 2225187 words of memory out of 5000000
28594 multiletter control sequences out of 15000+600000 28643 multiletter control sequences out of 15000+600000
603817 words of font info for 122 fonts, out of 8000000 for 9000 605917 words of font info for 126 fonts, out of 8000000 for 9000
14 hyphenation exceptions out of 8191 14 hyphenation exceptions out of 8191
57i,11n,65p,1153b,1636s stack positions out of 10000i,1000n,20000p,200000b,200000s 57i,11n,65p,1153b,1534s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/ </usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/
texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-dist/fon texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-dist/fon
ts/type1/public/amsfonts/cm/cmmi5.pfb></usr/share/texmf-dist/fonts/type1/public ts/type1/public/amsfonts/cm/cmmi5.pfb></usr/share/texmf-dist/fonts/type1/public
@@ -618,10 +605,10 @@ msy10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy7.pfb></usr
ts/type1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmb ts/type1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmb
i8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/tex i8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/tex
mf-dist/fonts/type1/urw/times/utmri8a.pfb> mf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on main.pdf (7 pages, 274184 bytes). Output written on ./main.pdf (8 pages, 277407 bytes).
PDF statistics: PDF statistics:
110 PDF objects out of 1000 (max. 8388607) 113 PDF objects out of 1000 (max. 8388607)
67 compressed objects within 1 object stream 69 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000) 0 named destinations out of 1000 (max. 500000)
6 words of extra memory for PDF output out of 10000 (max. 10000000) 6 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
main.pdf
View File

Binary file not shown.

3
main.tex
View File

@@ -10,6 +10,7 @@
\usepackage{amsmath, amsthm} \usepackage{amsmath, amsthm}
\usepackage{xspace} \usepackage{xspace}
\usepackage{array} \usepackage{array}
\usepackage{comment}
%\usepackage{csvsimple} %\usepackage{csvsimple}
\newtheorem{definition}{Definition} \newtheorem{definition}{Definition}
@@ -84,7 +85,7 @@ Protocols, Attack Synthesis, Denial of Service, Model Checking
\label{sec:design} \label{sec:design}
\input{sections/design} \input{sections/design}
\section{Attacker Models} \section{Attacker Model Gadgets}
\label{sec:usage_attacker_models} \label{sec:usage_attacker_models}
\input{sections/attacker_models} \input{sections/attacker_models}

29
sections/attacker_models.tex
View File

@@ -1,31 +1,30 @@
\korg supports three general attacker models: an attacker that can drop, replay, or reordering messages on a channel. Additionally, \korg supports user-defined attacker that insert arbitrary messages onto a channel. In this section we discuss the various details that go into each attacker model. \korg supports four general attacker model gadgets: an attacker that can drop, replay, reorder, or insert messages on a channel. In this section we discuss the various details that went into the implementation of the gadgets that encapsulate the behavior of the respective attacker models.
\subsection{Dropping Attacker Model}% % Additionally, \korg supports user-defined attacker that insert arbitrary messages onto a channel. In this section we discuss the various details that go into each attacker model.
\subsection{Drop Attacker Model Gadget}%
\label{sub:Dropping Attacker} \label{sub:Dropping Attacker}
The first and most simple general attacker model \korg supports is an attacker that can \textit{drop} messages from a channel. The user specifies a "drop limit" value that limits the number of packets the attacker can drop from the channel. Note, a higher drop limit will increase the search space of possible attacks, thereby increasing execution time. The most simple attacker model \korg supports is an attacker that can \textit{drop} messages from a channel. The user specifies a "drop limit" value that limits the number of packets the attacker can drop from the channel. Note, a higher drop limit will increase the search space of possible attacks, thereby increasing execution time.
The dropper attacker model gadget \korg synthesizes works as follows. The gadget will nondeterministically choose to observe a message on a channel. Then, if the drop limit variable is not zero, it will consume the message. An example is shown in Figure \ref{lst:korg_drop}. The dropper attacker model gadget \korg synthesizes works as follows. The gadget will nondeterministically choose to observe a message on a channel. Then, if the drop limit variable is not zero, it will consume the message. An example is shown in Figure \ref{lst:korg_drop}.
\subsection{Replay Attacker Model Gadget}%
\subsection{Replaying Attacker Model}%
\label{sub:Replay Attacker} \label{sub:Replay Attacker}
The second attacker model \korg supports is an attacker that can observe and \textit{replay} messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of messages the attacker can replay back onto the specified channel. The next attacker model \korg supports is an attacker that can observe and \textit{replay} messages back onto a channel. Similarly to the drop limit for the dropping attacker model, the user can specify a "replay limit" that caps the number of observed messages the attacker can replay back onto the specified channel.
The dropper attacker model gadget \korg synthesizes works as follows. The gadget has two states, \textsc{Consume} and \textsc{Replay}. The gadget starts in the \textsc{Consume} state and nondeterministically reads (but not consumes) messages on the target channel, sending them into a local storage buffer. Once the gadget read the number of messages on the channel equivalent to the defined replay limit, its state changes to \textsc{Replay}. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_replay}. The replay attacker model gadget \korg employs works as follows. The gadget has two states, \textsc{Consume} and \textsc{Replay}. The gadget starts in the \textsc{Consume} state and nondeterministically reads (but not consumes) messages on the target channel, sending them into a local storage buffer. Once the gadget read the number of messages on the channel equivalent to the defined replay limit, its state changes to \textsc{Replay}. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_replay}.
\subsection{Reorder Attacker Model Gadget}%
\subsection{Reordering Attacker Model}%
\label{sub:reordering Attacker} \label{sub:reordering Attacker}
Lastly, \korg supports an attacker model such that an attacker can \textit{reorder} messages on a channel. Like the drop and replay attacker models, the user can specify a "reordering limit" that caps the number of messages that can be reorderingd by the attacker on the specified channel. \korg supports synthesizing attackers that can \textit{reorder} messages on a channel. Like the drop and replay attacker model gadgets, the user can specify a "reordering limit" that caps the number of messages that can be reordered by the attacker on the specified channel.
The reordering attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined reordering limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_reordering}. The reordering attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined reordering limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_reordering}.
\subsection{Insert Attacker Models}%
\subsection{Custom Attacker Models}%
\label{sub:Custom Attacker Models} \label{sub:Custom Attacker Models}
While the drop, replay, and reordering attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}. \korg supports the synthesis of attackers that can simply insert messages onto a channel. While the drop, replay, and reordering attacker model gadgets as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, the insert attacker model gadget is synthesized with respect to a user-defined \textit{IO-file}. This file denotes the specific outputs and channels the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks using the given inputs. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}.
% \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification.

58
sections/case_studies.tex
View File

@@ -1,12 +1,10 @@
\subsection{Raft}%
\label{sub:Raft}
Raft is a consensus algorithm designed to replicate a state machine across distributed peers, and sees broad usage in distributed databases, key-value stores, distributed file systems, distributed load-balancers, and container orchestration. Historically, verification efforts of Raft using both constructive, mechanized proving techniques \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016, Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson, Ongaro} and automated verification \cite{Ongaro} have only reasoned about the protocol under certain assumptions about the stability of the communication channels. However, no previous approach to Raft verification has reasoned about an on-channel attacker \textit{external} to the protocol itself. Uniquely, \korg enables us to study Raft under insecure communication channels.
\subsection{TCP}% \subsection{TCP}%
\label{sub:TCP} \label{sub:TCP}
TCP (Transmission Control Protocol) is a transport-layer protocol designed to establish reliable, ordered communications between two peers. TCP is ubiquitous in today's internet, and therefore has seen ample formal verification efforts \cite{Cluzel_Georgiou_Moy_Zeller_2021, Smith_1997, Pacheco2022}, including using \promela and \spin \cite{Pacheco2022}. A previous version of \korg has been applied TCP in \cite{Pacheco2022, Hippel2022}; TCP (Transmission Control Protocol) is a transport-layer protocol designed to establish reliable, ordered communications between two peers. TCP is ubiquitous in today's internet, and therefore has seen ample formal verification efforts \cite{Cluzel_Georgiou_Moy_Zeller_2021, Smith_1997, Pacheco2022}, including using \promela and \spin \cite{Pacheco2022}. A previous version of \korg has been applied TCP in \cite{Pacheco2022, Hippel2022};
in particular, we study our \korg extensions using the \promela models from Pacheco et al., which includes a "gold" model whose underlying state machine is derived via an NLP-based algorithm applied to the SCTP RFC \cite{rfc9260} and a "canonical" model hand-written by domain experts \cite{Pacheco2022}. Additionally, we borrow the four LTL properties used in \cite{Pacheco2022}, as detailed below: in particular, we study our \korg extensions using the hand-written TCP \promela model from \cite{Pacheco2022}. Additionally, we construct a TCP \promela model referencing the set of TCP RFCs.
For our analysis, we borrow the four LTL properties used in \cite{Pacheco2022}, as detailed below:
%we study our \korg extensions using the \promela models from Pacheco et al., which includes a "gold" model whose underlying state machine is derived via an NLP-based algorithm applied to the SCTP RFC \cite{rfc9260} and a "canonical" model hand-written by domain experts \cite{Pacheco2022}.
\[ \[
\begin{aligned} \begin{aligned}
\phi_1 &= \text{\parbox[t]{20em}{No half-open connections.}} \\ \phi_1 &= \text{\parbox[t]{20em}{No half-open connections.}} \\
@@ -16,8 +14,33 @@ in particular, we study our \korg extensions using the \promela models from Pach
\end{aligned} \end{aligned}
\] \]
Evaluating the canonical TCP model using \korg led us to identify edge-cases in the connection establishment routine that weren't accounted for, leading us to construct a "revised" TCP model accounting for these missing edge cases. The resulting breakdown of attacks discovered is shown in Figure \ref{res:tcp-table}. We evaluated the our TCP \promela model and the hand-written TCP \promela model presented by \cite{Pacheco2022} against \korg's drop, replay, and reordering attacker models on a single uni-directional communication channel. The resulting breakdown of attacks discovered is shown in Figure \ref{res:tcp-table}.
%Evaluating the canonical TCP model using \korg led us to identify edge-cases in the connection establishment routine that weren't accounted for, leading us to construct a "revised" TCP model accounting for these missing edge cases.
\begin{figure}[h!]
\centering
\begin{scriptsize}
\begin{tabular}{|c|c|c|c|c|c|c|}
\hline
& \multicolumn{2}{c|}{Drop Attacker} & \multicolumn{2}{c|}{Replay Attacker} & \multicolumn{2}{c|}{Reorder Attacker} \\
\hline
& Pacheco et al. & Ours & Pacheco et al. & Ours & Pacheco et al. & Ours \\
\hline
$\phi_1$ & & & & & & \\
$\phi_2$ & x & x & x & x & & \\
$\phi_3$ & & & & & & \\
$\phi_4$ & & & & & x & \\
\hline
\end{tabular}
\end{scriptsize}
\label{res:tcp-table}
\caption{Automatically discovered attacks against the hand-written TCP model from Pacheco et al. and our own, for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.}
\end{figure}
\begin{comment}
\begin{figure}[h!] \begin{figure}[h!]
\centering \centering
\begin{scriptsize} \begin{scriptsize}
@@ -27,7 +50,8 @@ Evaluating the canonical TCP model using \korg led us to identify edge-cases in
\hline \hline
& \: Gold \: & \: Expert \: & \: Revised \: & \: Gold \: & \: Expert \: & \: Revised \: & \: Gold \: & \: Expert \: & \: Revised \: \\ & \: Gold \: & \: Expert \: & \: Revised \: & \: Gold \: & \: Expert \: & \: Revised \: & \: Gold \: & \: Expert \: & \: Revised \: \\
\hline \hline
$\phi_1$ & \rule{0pt}{8pt} & & & & & & & & \\ $\phi_1$ & \rule{0pt}{8pt} & & & & The resulting breakdown of attacks discovered is shown in Figure \ref{res:tcp-table}.
& & & & \\
$\phi_2$ & \rule{0pt}{8pt} & x & x & & x & x & & x & \\ $\phi_2$ & \rule{0pt}{8pt} & x & x & & x & x & & x & \\
$\phi_3$ & \rule{0pt}{8pt} & & & & & & & & \\ $\phi_3$ & \rule{0pt}{8pt} & & & & & & & & \\
$\phi_4$ & \rule{0pt}{8pt} x & & & & & & x & & \\ $\phi_4$ & \rule{0pt}{8pt} x & & & & & & x & & \\
@@ -38,3 +62,23 @@ $\phi_4$ & \rule{0pt}{8pt} x & & & & & & x & & \\
\label{res:tcp-table} \label{res:tcp-table}
\caption{Automatically discovered attacks against the gold, canonical (labeled "expert"), and revised TCP models for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.} \caption{Automatically discovered attacks against the gold, canonical (labeled "expert"), and revised TCP models for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. Full attack traces are available in the artifact.}
\end{figure} \end{figure}
\end{comment}
\subsection{Raft}%
\label{sub:Raft}
Raft is a consensus algorithm designed to replicate a state machine across distributed peers, and sees broad usage in distributed databases, key-value stores, distributed file systems, distributed load-balancers, and container orchestration. Historically, verification efforts of Raft using both constructive, mechanized proving techniques \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016, Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson, Ongaro} and automated verification \cite{Ongaro} have reasoned about the protocol under certain assumptions about the stability of the communication channels. However, no previous approach to Raft verification has reasoned about an coordinated, arbitrary on-channel attacker \textit{external} to the protocol itself. Uniquely, \korg enables us to study Raft in this context.
Referencing the original Raft thesis \cite{Ongaro} and other raft models \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}, we constructed a \promela model of the Raft protocol. Additionally, we derived and formalized the following properties, which our \promela model satisfies:
\[
\begin{aligned}
\phi_1 &= \text{\parbox[t]{20em}{No two servers can be leaders in the same term.}} \\
\phi_2 &= \text{\parbox[t]{20em}{Entries committed to the log at the same index must be equivalent.}} \\
\phi_3 &= \text{\parbox[t]{20em}{Only leaders may append entires to the log.}} \\
\phi_4 &= \text{\parbox[t]{20em}{If a leader commits at an index, any server that becomes leader afterwards must follow that commit.}} \\
\phi_5 &= \text{\parbox[t]{20em}{If any two servers commit the same log entry, the log entry at the previous index must be equivalent}}
\end{aligned}
\]
We construct our Raft model such that we can model-check an arbitrary number of peers. We also designed our model such that each peer maintains separate channels for receiving AppendEntry requests, AppendEntry responses, RequestVote requests, and RequestVote responses. This gives \korg ample handle to reason about Raft. In particular, we study Raft in the presence of drop and replay attackers on all four aforementioned channel types, attacking both a minority and majority of peers. A breakdown of our findings is shown in Figure \ref{}.
% We note our analysis is in no

2
sections/conclusion.tex
View File

@@ -1 +1 @@
In conclusion, \korg addresses a critical gap in the formal verification of distributed protocols by enabling the synthesis of communication channel-based attacks against arbitrary linear temporal logic specifications. By leveraging \spin, \korg ensures soundness and completeness in attack synthesis. Its modular support for pre-defined attacker models enhances its versatility, enabling thorough protocol analysis across diverse and interesting scenarios. We demonstrate the effectiveness of \korg by employing it to study TCP and Raft, marking it as an invaluable tool for ensuring the validity and security of distributed protocols.

90
sections/design.tex
View File

@@ -3,7 +3,7 @@ In this section we discuss the details behind the design, formal guarantees, imp
\subsection{High-level design}% \subsection{High-level design}%
\label{sub:High-level design} \label{sub:High-level design}
At the highest level, \korg sits on a user-defined channel in a program written in \promela, the modeling language of the \spin model checker. The user selects an attacker model of choice and correctness properties of choice. \korg then invokes the \spin, which exhaustively searches for attacks with respect to the chosen model and properties. At the highest level, \korg sits on user-specified communication channels in a program written in \promela, the modeling language of the \spin model checker. The user selects an attacker model of choice and correctness properties of choice. \korg then invokes \spin, which exhaustively searches for attacks with respect to the chosen attacker model, \promela model, and correctness property.
A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg_workflow}. A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg_workflow}.
\begin{figure}[h] \begin{figure}[h]
@@ -13,6 +13,20 @@ A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg
\label{fig:korg_workflow} \label{fig:korg_workflow}
\end{figure} \end{figure}
\subsection{Supported Attacker Models}%
\label{sub:Supported Attacker Models}
\korg supports the automatic synthesis of attacks with respect to four general pre-defined attacker models applicable to any communication channel:
\begin{itemize}
\item \textbf{Drop Attacker Model}. Drop attackers are capable of dropping a finite number of messages off a channel.
\item \textbf{Replay Attacker Model}. Replay attackers are capable of replaying previously seen messages back onto a channel.
\item \textbf{Reorder Attacker Model}. Reorder attackers are capable of reordering messages on a channel.
\item \textbf{Insert Attacker Model}. Insert attackers are capable of inserting arbitrary messages (as specifiable by the user) onto a channel.
\end{itemize}
These attacker models can be mixed and matched as desired by the \korg user. For example, a user can specify a drop attacker and replay attacker to target channel 1, a reordering attacker to target channel 2, and an insert attacker to target channel 3. If multiple attacker models are declared, \korg will synthesize attacks where the attackers on different channel \textit{coordinate} to construct a unifying attack.
\subsection{Soundness And Completeness of Korg}% \subsection{Soundness And Completeness of Korg}%
\label{sub:Soundness And Completeness} \label{sub:Soundness And Completeness}
@@ -21,9 +35,12 @@ A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg
Fundamentally, the theoretical framework that \korg implements proposed by Hippel et al. reasons about \textit{communicating processes}; similarly, \korg is best understood as a synthesizer for attackers that sit \textit{between} communicating processes. Fundamentally, the theoretical framework that \korg implements proposed by Hippel et al. reasons about \textit{communicating processes}; similarly, \korg is best understood as a synthesizer for attackers that sit \textit{between} communicating processes.
The attack synthesis framework proposed by Hippel et al. and \korg use slightly different formalisms. Both employ derivations the general \textit{input/output automata}, state machines whose transitions indicate sending or receiving a message. In particular, the framework proposed by Hippel et al. defines their own notion of a \textit{process} and argues their attack synthesis framework maintains soundness and completeness guarantees with respect to it, while \korg relies upon \spin's preferred model checking formalism, the B\"uchi Automata. Both utilize linear temporal logic as their specification of choice. The theoretical attack synthesis framework and \korg use slightly different formalisms. Both employ derivations the general \textit{Input/Output (I/O) automata}, state machines whose transitions indicate sending or receiving a message.\footnote{
A fundamental assumption both \korg and the theoretical attack synthesis framework rely upon is unicast transition relations of I/O automata within this context. That is, if one sending automata has an output transition matching an input transition of two receiving automata, only one input/output transition pair can be composed upon. Model checkers for I/O automata such as \spin will explore both possibilities.
}
In particular, the theoretical attack synthesis framework defines their own notion of a \textit{process} and argues their attack synthesis algorithm maintains soundness and completeness guarantees with respect to it, while \korg relies upon \spin's preferred model checking formalism, the B\"uchi Automata. Both utilize linear temporal logic as their specification language of choice.
We ultimately seek to conclude \korg maintains the guarantees of the theoretical framework it implements, therefore it is necessary to demonstrate the equivalence of \textit{processes} from Hippel et al. with the B\"uchi Automata. For ease of reading and clarity, we only provide the shortened arguments here. The detailed theorems and proofs are provided in Appendix Section \ref{sub:korg_proofs}. We ultimately seek to conclude \korg maintains the guarantees of the theoretical framework it implements, therefore it is necessary to demonstrate the equivalence of \textit{processes} from the theoretical attack synthesis framework with the B\"uchi Automata. For ease of reading and clarity, we only provide shortened narrations of the arguments here. The detailed, definitions, theorems, and proofs are provided in Appendix Section \ref{sub:korg_proofs}.
%\korg is an implementation of the theoretical attack synthesis framework proposed by Hippel et al. This framework enjoys soundness and completeness guarantees for attacks discovered; that is, if there exists an attack, it is discovered, and if an attack is discovered, it is valid. However, the attack synthesis framework proposed by Hippel et al. reasons about an abstracted, theoretical process construct. Therefore, in order to correctly claim \korg is also sound and complete, it is necessary to demonstrate discovering an attack within the theoretical framework reduces to the semantics of \spin, the model checker \korg is built on top of. %\korg is an implementation of the theoretical attack synthesis framework proposed by Hippel et al. This framework enjoys soundness and completeness guarantees for attacks discovered; that is, if there exists an attack, it is discovered, and if an attack is discovered, it is valid. However, the attack synthesis framework proposed by Hippel et al. reasons about an abstracted, theoretical process construct. Therefore, in order to correctly claim \korg is also sound and complete, it is necessary to demonstrate discovering an attack within the theoretical framework reduces to the semantics of \spin, the model checker \korg is built on top of.
@@ -34,7 +51,7 @@ We ultimately seek to conclude \korg maintains the guarantees of the theoretical
A process, as defined in Hippel et al., always directly corresponds to a B\"uchi Automata. A process, as defined in Hippel et al., always directly corresponds to a B\"uchi Automata.
\end{theorem} \end{theorem}
In short, a process as defined in Hippel et al. is a Kripke Structure equipped with input and output transitions. That is, when composing two processes, an output transition must be matched to a respective input transition. Processes also include atomic propositions, which the given linear temporal logic specifications are defined over. We invoke and build on the well-known correspondence between Kripke Structures and \ba to show our desired correspondence. In short, a process in the theoretical attack synthesis framework is a Kripke Structure equipped with input and output transitions. That is, when composing two processes, an output transition must be matched to a respective input transition. Processes also include atomic propositions, which the given linear temporal logic specifications are defined over. We invoke and build on the well-known correspondence between Kripke Structures and \ba to show our desired correspondence.
\begin{theorem} \begin{theorem}
Checking whether there exists an attacker under a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., is equivalent to B\"uchi Automata language inclusion (which is in turn solved by the \spin model checker). Checking whether there exists an attacker under a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., is equivalent to B\"uchi Automata language inclusion (which is in turn solved by the \spin model checker).
@@ -75,7 +92,7 @@ Since \korg uses \spin as its underlying model checker, we can effectively concl
We implemented \korg on top of the \spin, a popular and robust model checker for reasoning about distributed and concurrent systems. Intuitively, models written in \promela, the modeling language of \spin, are communicating state machines whose messages are passed over defined \textit{channels}. Channels in \promela can either be unbuffered \textit{synchronous} channels, or buffered \textit{asynchronous} channels. \korg generates attacks \textit{with respect} to these defined channels. We implemented \korg on top of the \spin, a popular and robust model checker for reasoning about distributed and concurrent systems. Intuitively, models written in \promela, the modeling language of \spin, are communicating state machines whose messages are passed over defined \textit{channels}. Channels in \promela can either be unbuffered \textit{synchronous} channels, or buffered \textit{asynchronous} channels. \korg generates attacks \textit{with respect} to these defined channels.
\begin{lstlisting}[caption={Example \promela model of peers communicating over a channel}, label={lst:spin-model}] \begin{lstlisting}[caption={Example \promela model of peers communicating over a channel. \texttt{!} indicates sending a message onto a channel, \texttt{?} indicates receiving a message from a channel.}, label={lst:spin-model}]
// channel of buffer size 0 // channel of buffer size 0
chan msg_channel = [0] of { int } chan msg_channel = [0] of { int }
@@ -89,12 +106,69 @@ active proctype Peer2() {
} }
\end{lstlisting} \end{lstlisting}
Following the gadgetry framework as described in Hippel et al., \korg is designed to parse user-chosen channels and generate gadgets for sending, receiving, and manipulating messages on them. \korg has built-in gadgets that are designed to emulate various real-world attacker models, as further described in Section \ref{sec:usage_attacker_models}. Additionally, users can explicitly define which messages a generated gadget can send and receive. Once one or multiple gadgets are generated, \korg invokes \spin to check if a given property of interest remains satisfied in the presence of the attacker gadgets. \korg is designed to parse user-chosen channels and generate gadgets for sending, receiving, and manipulating messages on them. \korg has built-in gadgets that are designed to emulate various real-world attacker models, as further described in Section \ref{sec:usage_attacker_models}.
%Additionally, users can explicitly define which messages a generated gadget can send and receive.
Once one or multiple gadgets are generated, \korg invokes \spin to check if a given property of interest remains satisfied in the presence of the attacker gadgets.
\subsection{Usage}% \subsection{Usage}%
\label{sub:Usage} \label{sub:Usage}
To use \korg, the user first authors a \promela model and a correctness property in LTL. Take the following producer-consumer model, as shown in Listing \ref{lst:prod-consume}.
To demonstrate the usage of \korg, we'll walk through an example of proving the alternate bit protocol (ABP) is secure with respect to attackers that can replay messages. ABP is a simple communication protocol that provides reliable communication between two peers over an unreliable communication by continually agreeing on a bit value.
To use \korg, the user first authors a \promela model and a correctness property in LTL. For example, take the \promela model as shown in Listing \ref{lst:abp}. The sender repeatedly sends its stored bit, \texttt{A\_curr}, to the receiver. The receiver changes its internal bit, \texttt{B\_curr}, and sends an acknowledgement to the sender. When the sender receives the acknowledgement, it will bitflip \texttt{A\_curr} and repeatedly send the updated bit. A natural specification for this protocol, formalized into the LTL property \texttt{eventually\_agrees}, states that if the sender and receiver do not currently agree on a bit, they eventually will be able to reach an agreement.
\begin{lstlisting}[caption={Example (simplified) \promela model of the alternating bit protocol.}, label={lst:abp}]
chan StoR = [2] of { bit };
chan RtoS = [2] of { bit };
bit A_curr = 0, B_curr = 1, rcv_a, rcv_b;
active proctype Sender(){
do
:: StoR ! A_curr;
:: RtoS ? rcv_a ->
if :: rcv_a == A_curr ->
A_curr = (A_curr + 1) % 2;
fi
od
}
active proctype Receiver(){
do
:: RtoS ! B_curr;
:: StoR ? rcv_b ->
:: rcv_b != B_curr ->
B_curr = rcv_b;
fi
od
}
ltl eventually_agrees {
(A_curr != B_curr) implies eventually (A_curr == B_curr)
}
\end{lstlisting}
Next, the user selects a \textit{channel} to generate an attacker on, and an attacker model of choice. For example, we select \texttt{StoR} and \texttt{RtoS} as our channels of choice, \texttt{replay} as our attacker model of choice, and assume the ABP model is in the file \texttt{abp.pml}. Then, we run \korg via command line.
\begin{lstlisting}[label={lst:korg-shell}]
$ ./korg --model=abp.pml --attacker=replay --channel=StoR,RtoS --eval
\end{lstlisting}
\korg will then modify the \texttt{abp.pml} file to include the \texttt{replay} attacker gadgets attacking channels \texttt{StoR} and \texttt{RtoS}, and model-check it with \spin. \korg outputs the following text, cut down for readability, indicating an exhaustive search for attacks:
\begin{lstlisting}
Full statespace search for:
never claim + (eventually_agrees)
ltl eventually_agree ((A_curr!=B_curr))) implies (eventually ((A_curr==B_curr))
Korg's exhaustive search is complete, no attacks found!
\end{lstlisting}
If desired, \texttt{--output} can also be specified so the \korg-modified \texttt{abp.pml} can be more closely examined and modified. A full shell-script replicating this example is available in the artifact.
\begin{comment}
% JAKE'S OLD EXAMPLE (TO BE IGNORED)
Take the following producer-consumer model, as shown in Listing \ref{lst:prod-consume}.
\begin{lstlisting}[caption={Example \promela model with four producers and one consumer.}, label={lst:prod-consume}] \begin{lstlisting}[caption={Example \promela model with four producers and one consumer.}, label={lst:prod-consume}]
chan msgs = [4] of { bit }; chan msgs = [4] of { bit };
@@ -133,6 +207,8 @@ Never claim moves to line 3 [assert(!(!((count>=0))))]
Additional examples and usage information are provided in the anonymous repository link: (link) Additional examples and usage information are provided in the anonymous repository link: (link)
\end{comment}
%the user inputs a \promela model, a correctness property specified in LTL, a channel from the given \promela model, and an attacker model of choice. \korg will then generate an attacker model gadget corresponding to the selected attacker model with respect to the chosen channel. The attacker model gadget is then appended onto the given \promela model and evaluated against the LTL property with \spin. \korg will then either produce an attack trace demonstrating the precise actions the attacker took to violate the LTL property, or demonstrate the absence of an attack via an exhaustive state-space search. %the user inputs a \promela model, a correctness property specified in LTL, a channel from the given \promela model, and an attacker model of choice. \korg will then generate an attacker model gadget corresponding to the selected attacker model with respect to the chosen channel. The attacker model gadget is then appended onto the given \promela model and evaluated against the LTL property with \spin. \korg will then either produce an attack trace demonstrating the precise actions the attacker took to violate the LTL property, or demonstrate the absence of an attack via an exhaustive state-space search.