more x2

main.aux

@@ -24,32 +24,21 @@
 \newlabel{sec:usage_attacker_models}{{III}{2}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-A}}Dropping Attacker Model}{2}{}\protected@file@percent }
 \newlabel{sub:Dropping Attacker}{{\mbox  {III-A}}{2}{}{}{}}
-\bibstyle{IEEEtran}
-\bibdata{main}
-\bibcite{Lamport_1994}{1}
-\bibcite{Holzmann_1997}{2}
-\bibcite{Clarke_Wang}{3}
 \newlabel{lst:korg_drop}{{2}{3}{}{}{}}
 \@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{3}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-B}}Replaying Attacker Model}{3}{}\protected@file@percent }
 \newlabel{sub:Replay Attacker}{{\mbox  {III-B}}{3}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-C}}Rearranging Attacker Model}{3}{}\protected@file@percent }
 \newlabel{sub:Rearrange Attacker}{{\mbox  {III-C}}{3}{}{}{}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
-\newlabel{sub:Custom Attacker Models}{{\mbox  {III-D}}{3}{}{}{}}
 \newlabel{lst:korg_replay}{{3}{3}{}{}{}}
 \@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{3}{}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{3}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
-\newlabel{sec:case_studies}{{IV}{3}{}{}{}}
+\newlabel{sub:Custom Attacker Models}{{\mbox  {III-D}}{3}{}{}{}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-A}}SCTP}{3}{}\protected@file@percent }
+\bibstyle{IEEEtran}
-\newlabel{sub:SCTP}{{\mbox  {IV-A}}{3}{}{}{}}
+\bibdata{main}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-B}}TCP}{3}{}\protected@file@percent }
+\bibcite{Lamport_1994}{1}
-\newlabel{sub:TCP}{{\mbox  {IV-B}}{3}{}{}{}}
+\bibcite{Holzmann_1997}{2}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-C}}DCCP}{3}{}\protected@file@percent }
+\bibcite{Clarke_Wang}{3}
-\newlabel{sub:DCCP}{{\mbox  {IV-C}}{3}{}{}{}}
-\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{3}{}\protected@file@percent }
-\newlabel{sec:conclusion}{{V}{3}{}{}{}}
-\@writefile{toc}{\contentsline {section}{References}{3}{}\protected@file@percent }
 \bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
 \bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
 \bibcite{Kobeissi_Nicolas_Tiwari}{6}
@@ -59,12 +48,29 @@
 \bibcite{Vardi_Wolper_1986}{10}
 \bibcite{clarke2000model}{11}
 \bibcite{Kozen_1977}{12}
+\newlabel{lst:korg_rearrange}{{4}{4}{}{}{}}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example rearrange attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{4}{}\protected@file@percent }
+\newlabel{lst:io-file}{{5}{4}{}{}{}}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {5}Example I/O file targetting channel "cn"}{4}{}\protected@file@percent }
+\newlabel{lst:io-file-synth}{{6}{4}{}{}{}}
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {6}Example gadget synthesized from an I/O file targetting the channel "cn"}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{4}{}\protected@file@percent }
+\newlabel{sec:case_studies}{{IV}{4}{}{}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-A}}SCTP}{4}{}\protected@file@percent }
+\newlabel{sub:SCTP}{{\mbox  {IV-A}}{4}{}{}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-B}}TCP}{4}{}\protected@file@percent }
+\newlabel{sub:TCP}{{\mbox  {IV-B}}{4}{}{}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {IV-C}}DCCP}{4}{}\protected@file@percent }
+\newlabel{sub:DCCP}{{\mbox  {IV-C}}{4}{}{}{}}
+\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{4}{}\protected@file@percent }
+\newlabel{sec:conclusion}{{V}{4}{}{}{}}
+\@writefile{toc}{\contentsline {section}{References}{4}{}\protected@file@percent }
 \@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{4}{}\protected@file@percent }
 \newlabel{sec:Appendix}{{VI}{4}{}{}{}}
 \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-A}}Full Korg Soundness and Completeness Proofs}{4}{}\protected@file@percent }
 \newlabel{sub:korg_proofs}{{\mbox  {VI-A}}{4}{}{}{}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-B}}Preventing Korg Livelocks}{4}{}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox  {VI-B}}Preventing Korg Livelocks}{5}{}\protected@file@percent }
-\newlabel{sub:Preventing Korg Livelocks}{{\mbox  {VI-B}}{4}{}{}{}}
+\newlabel{sub:Preventing Korg Livelocks}{{\mbox  {VI-B}}{5}{}{}{}}
-\newlabel{lst:drop_passer}{{4}{4}{}{}{}}
+\newlabel{lst:drop_passer}{{7}{5}{}{}{}}
-\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
+\@writefile{lol}{\contentsline {lstlisting}{\numberline {7}Example dropping attacker model gadget with message skipping}{5}{}\protected@file@percent }
-\gdef \@abspage@last{4}
+\gdef \@abspage@last{5}

main.fls

@@ -223,13 +223,13 @@ INPUT ./sections/conclusion.tex
 INPUT ./main.bbl
 INPUT ./main.bbl
 INPUT ./main.bbl
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
+INPUT ./sections/appendix.tex
 INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
 INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
-INPUT ./sections/appendix.tex
 INPUT ./main.aux
 INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
 INPUT /usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb

main.log

@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  11 NOV 2024 13:11
+This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2)  11 NOV 2024 14:24
 entering extended mode
  restricted \write18 enabled.
  %&-line parsing enabled.
@@ -410,6 +410,13 @@ LaTeX Warning: `h' float specifier changed to `ht'.
 
 LaTeX Warning: `h' float specifier changed to `ht'.
 
+
+LaTeX Warning: `h' float specifier changed to `ht'.
+
+[3]
+
+LaTeX Warning: `h' float specifier changed to `ht'.
+
 ) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
@@ -417,6 +424,10 @@ LaTeX Warning: `h' float specifier changed to `ht'.
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
+
+Underfull \vbox (badness 10000) has occurred while \output is active []
+
+
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
@@ -426,7 +437,6 @@ LaTeX Warning: `h' float specifier changed to `ht'.
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
-[3]
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
@@ -466,11 +476,14 @@ might try typing `S' now just to see what is salvageable.
 ** WARNING: IEEEtran.bst: No hyphenation pattern has been
 ** loaded for the language `en'. Using the pattern for
 ** the default language instead.
-) (./sections/appendix.tex
+) (./sections/appendix.tex [4]
 
 LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
 (Font)              using `OT1/ptm/m/sc' instead on input line 15.
 
+
+LaTeX Warning: `h' float specifier changed to `ht'.
+
 )
 
 ** Conference Paper **
@@ -483,17 +496,17 @@ Before submitting the final camera ready copy, remember to:
  uses only Type 1 fonts and that every step in the generation
  process uses the appropriate paper size.
 
-[4] (./main.aux)
+[5] (./main.aux)
  ***********
 LaTeX2e <2023-11-01> patch level 1
 L3 programming layer <2024-02-20>
  ***********
  ) 
 Here is how much of TeX's memory you used:
- 6344 strings out of 476076
+ 6386 strings out of 476076
- 94418 string characters out of 5793776
+ 94893 string characters out of 5793776
- 2116187 words of memory out of 5000000
+ 2180187 words of memory out of 5000000
- 28361 multiletter control sequences out of 15000+600000
+ 28403 multiletter control sequences out of 15000+600000
  597323 words of font info for 103 fonts, out of 8000000 for 9000
  14 hyphenation exceptions out of 8191
  57i,8n,65p,1155b,1257s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -502,10 +515,10 @@ texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb></usr/share/texmf-dist/fonts/type
 1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
 ></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-dist
 /fonts/type1/urw/times/utmri8a.pfb>
-Output written on ./main.pdf (4 pages, 160828 bytes).
+Output written on ./main.pdf (5 pages, 164937 bytes).
 PDF statistics:
- 49 PDF objects out of 1000 (max. 8388607)
+ 52 PDF objects out of 1000 (max. 8388607)
- 29 compressed objects within 1 object stream
+ 31 compressed objects within 1 object stream
  0 named destinations out of 1000 (max. 500000)
  6 words of extra memory for PDF output out of 10000 (max. 10000000)
 

sections/attacker_models.tex

@@ -88,6 +88,87 @@ BREAK:
 \label{sub:Rearrange Attacker}
 Lastly, \korg supports an attacker model such that an attacker can \textit{rearrange} messages on a channel. Like the drop and replay attacker models, the user can specify a "rearrange limit" that caps the number of messages that can be rearranged by the attacker on the specified channel.
 
+The rearrange attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined rearrange limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_rearrange}.
+
+\begin{figure}[h]
+\begin{lstlisting}[caption={Example rearrange attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_rearrange}]
+chan cn = [8] of { int, int, int }; 
+
+chan gadget_mem = [3] of { int, int, int };
+active proctype attacker_rearrange() priority 255 {
+byte b_0, b_1, b_2, blocker;
+int i = 3;
+INIT:
+do
+  // arbitrarily choose a message to start consuming on
+  :: {
+      blocker = len(cn);
+      do
+      :: b != len(c) -> goto INIT;
+      od
+    }
+  :: goto CONSUME;
+od
+CONSUME:
+do
+  // consume messages with high priority
+  :: c ? [b_0] -> atomic {
+    c ? b_0 -> gadget_mem ! b_0;
+    i--;
+    if 
+    :: i == 0 -> goto REPLAY;
+    :: i != 0 -> goto CONSUME;
+    fi
+  }
+od
+REPLAY:
+  do
+  // replay messages back onto the channel, also with priority
+  :: atomic {
+    int am;
+    select(am : 0 .. len(gadget_mem)-1);
+    do
+    :: am != 0 ->
+      am = am-1;
+      gadget_mem ? b_0 -> attacker_mem_0 ! b_0;
+    :: am == 0 ->
+      gadget_mem ? b_0 -> c ! b_0;
+      break;
+    od
+    }
+  :: atomic { empty(gadget_mem) -> goto BREAK; }
+  od
+BREAK:
+}
+
+\end{lstlisting}
+\end{figure}
+
+
 \subsection{Custom Attacker Models}%
 \label{sub:Custom Attacker Models}
-While the drop, replay, and rearrange attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs.  
+While the drop, replay, and rearrange attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}.
+
+\begin{figure}[h]
+\begin{lstlisting}[caption={Example I/O file targetting channel "cn"}, label={lst:io-file}]
+cn:
+	I:
+	O:1-1-1, 1-2-3, 3-4-5
+\end{lstlisting}
+
+\begin{lstlisting}[caption={Example gadget synthesized from an I/O file targetting the channel "cn"}, label={lst:io-file-synth}]
+chan cn = [8] of { int, int, int };
+
+active proctype daisy() {
+INIT:
+  do
+  :: cn ! 1,1,1;
+  :: cn ! 1,2,3;
+  :: cn ! 3,4,5;
+  :: goto RECOVERY;
+  od
+RECOVERY:
+}
+\end{lstlisting}
+\end{figure}
+