JakeGinesin
2024-11-11 14:24:44 -05:00
parent 59757ebb24
commit 762d8f6566
7 changed files with 600 additions and 500 deletions



@@ -24,32 +24,21 @@
\newlabel{sec:usage_attacker_models}{{III}{2}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}Dropping Attacker Model}{2}{}\protected@file@percent }
\newlabel{sub:Dropping Attacker}{{\mbox {III-A}}{2}{}{}{}}
\bibstyle{IEEEtran}
\bibdata{main}
\bibcite{Lamport_1994}{1}
\bibcite{Holzmann_1997}{2}
\bibcite{Clarke_Wang}{3}
\newlabel{lst:korg_drop}{{2}{3}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Replaying Attacker Model}{3}{}\protected@file@percent }
\newlabel{sub:Replay Attacker}{{\mbox {III-B}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-C}}Rearranging Attacker Model}{3}{}\protected@file@percent }
\newlabel{sub:Rearrange Attacker}{{\mbox {III-C}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
\newlabel{sub:Custom Attacker Models}{{\mbox {III-D}}{3}{}{}{}}
\newlabel{lst:korg_replay}{{3}{3}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{3}{}\protected@file@percent }
\newlabel{sec:case_studies}{{IV}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-A}}SCTP}{3}{}\protected@file@percent }
\newlabel{sub:SCTP}{{\mbox {IV-A}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-B}}TCP}{3}{}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {IV-B}}{3}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-C}}DCCP}{3}{}\protected@file@percent }
\newlabel{sub:DCCP}{{\mbox {IV-C}}{3}{}{}{}}
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{3}{}\protected@file@percent }
\newlabel{sec:conclusion}{{V}{3}{}{}{}}
\@writefile{toc}{\contentsline {section}{References}{3}{}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-D}}Custom Attacker Models}{3}{}\protected@file@percent }
\newlabel{sub:Custom Attacker Models}{{\mbox {III-D}}{3}{}{}{}}
\bibstyle{IEEEtran}
\bibdata{main}
\bibcite{Lamport_1994}{1}
\bibcite{Holzmann_1997}{2}
\bibcite{Clarke_Wang}{3}
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
\bibcite{Kobeissi_Nicolas_Tiwari}{6}
@@ -59,12 +48,29 @@
\bibcite{Vardi_Wolper_1986}{10}
\bibcite{clarke2000model}{11}
\bibcite{Kozen_1977}{12}
\newlabel{lst:korg_rearrange}{{4}{4}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example rearrange attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{4}{}\protected@file@percent }
\newlabel{lst:io-file}{{5}{4}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {5}Example I/O file targetting channel "cn"}{4}{}\protected@file@percent }
\newlabel{lst:io-file-synth}{{6}{4}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {6}Example gadget synthesized from an I/O file targetting the channel "cn"}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {IV}Case Studies}{4}{}\protected@file@percent }
\newlabel{sec:case_studies}{{IV}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-A}}SCTP}{4}{}\protected@file@percent }
\newlabel{sub:SCTP}{{\mbox {IV-A}}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-B}}TCP}{4}{}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {IV-B}}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {IV-C}}DCCP}{4}{}\protected@file@percent }
\newlabel{sub:DCCP}{{\mbox {IV-C}}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{4}{}\protected@file@percent }
\newlabel{sec:conclusion}{{V}{4}{}{}{}}
\@writefile{toc}{\contentsline {section}{References}{4}{}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {VI}Appendix}{4}{}\protected@file@percent }
\newlabel{sec:Appendix}{{VI}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-A}}Full Korg Soundness and Completeness Proofs}{4}{}\protected@file@percent }
\newlabel{sub:korg_proofs}{{\mbox {VI-A}}{4}{}{}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{4}{}\protected@file@percent }
\newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{4}{}{}{}}
\newlabel{lst:drop_passer}{{4}{4}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}Example dropping attacker model gadget with message skipping}{4}{}\protected@file@percent }
\gdef \@abspage@last{4}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {VI-B}}Preventing Korg Livelocks}{5}{}\protected@file@percent }
\newlabel{sub:Preventing Korg Livelocks}{{\mbox {VI-B}}{5}{}{}{}}
\newlabel{lst:drop_passer}{{7}{5}{}{}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {7}Example dropping attacker model gadget with message skipping}{5}{}\protected@file@percent }
\gdef \@abspage@last{5}


@@ -223,13 +223,13 @@ INPUT ./sections/conclusion.tex
INPUT ./main.bbl
INPUT ./main.bbl
INPUT ./main.bbl
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./sections/appendix.tex
INPUT ./main.aux
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
INPUT /usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb


@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 11 NOV 2024 13:11
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 11 NOV 2024 14:24
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -410,6 +410,13 @@ LaTeX Warning: `h' float specifier changed to `ht'.
LaTeX Warning: `h' float specifier changed to `ht'.
LaTeX Warning: `h' float specifier changed to `ht'.
[3]
LaTeX Warning: `h' float specifier changed to `ht'.
) (./sections/case_studies.tex) (./sections/conclusion.tex) (./main.bbl
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
@@ -417,6 +424,10 @@ LaTeX Warning: `h' float specifier changed to `ht'.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
Underfull \vbox (badness 10000) has occurred while \output is active []
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -426,7 +437,6 @@ LaTeX Warning: `h' float specifier changed to `ht'.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
[3]
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -466,11 +476,14 @@ might try typing `S' now just to see what is salvageable.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
) (./sections/appendix.tex
) (./sections/appendix.tex [4]
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 15.
LaTeX Warning: `h' float specifier changed to `ht'.
)
** Conference Paper **
@@ -483,17 +496,17 @@ Before submitting the final camera ready copy, remember to:
uses only Type 1 fonts and that every step in the generation
process uses the appropriate paper size.
[4] (./main.aux)
[5] (./main.aux)
***********
LaTeX2e <2023-11-01> patch level 1
L3 programming layer <2024-02-20>
***********
)
Here is how much of TeX's memory you used:
6344 strings out of 476076
94418 string characters out of 5793776
2116187 words of memory out of 5000000
28361 multiletter control sequences out of 15000+600000
6386 strings out of 476076
94893 string characters out of 5793776
2180187 words of memory out of 5000000
28403 multiletter control sequences out of 15000+600000
597323 words of font info for 103 fonts, out of 8000000 for 9000
14 hyphenation exceptions out of 8191
57i,8n,65p,1155b,1257s stack positions out of 10000i,1000n,20000p,200000b,200000s
@@ -502,10 +515,10 @@ texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb></usr/share/texmf-dist/fonts/type
1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb
></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-dist
/fonts/type1/urw/times/utmri8a.pfb>
Output written on ./main.pdf (4 pages, 160828 bytes).
Output written on ./main.pdf (5 pages, 164937 bytes).
PDF statistics:
49 PDF objects out of 1000 (max. 8388607)
29 compressed objects within 1 object stream
52 PDF objects out of 1000 (max. 8388607)
31 compressed objects within 1 object stream
0 named destinations out of 1000 (max. 500000)
6 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
main.pdf

Binary file not shown.

Binary file not shown.


@@ -88,6 +88,87 @@ BREAK:
\label{sub:Rearrange Attacker}
Lastly, \korg supports an attacker model such that an attacker can \textit{rearrange} messages on a channel. Like the drop and replay attacker models, the user can specify a "rearrange limit" that caps the number of messages that can be rearranged by the attacker on the specified channel.
The rearrange attacker model gadget \korg synthesizes works as follows. The gadget has three states, \textsc{Init}, \textsc{Consume}, and \textsc{Replay}. The gadget begins in the \textsc{Init} state, where it arbitrarily chooses a message to start consuming by transitioning to the \textsc{Consume} state. When in the \textsc{Consume} state, the gadget consumes all messages that appear on the channel, filling up a local buffer, until hitting the defined rearrange limit. Once this limit is hit, the gadget transitions into the \textsc{Replay} state. In the \textsc{Replay} state, the gadget nondeterministically selects messages from its storage buffer to replay onto the channel until out of messages. An example is shown in Figure \ref{lst:korg_rearrange}.
\begin{figure}[h]
\begin{lstlisting}[caption={Example rearrange attacker model gadget with the selected replay limit as 3, targetting channel "cn"}, label={lst:korg_rearrange}]
chan cn = [8] of { int, int, int };
chan gadget_mem = [3] of { int, int, int };
active proctype attacker_rearrange() priority 255 {
byte b_0, b_1, b_2, blocker;
int i = 3;
INIT:
do
// arbitrarily choose a message to start consuming on
:: {
blocker = len(cn);
do
:: b != len(c) -> goto INIT;
od
}
:: goto CONSUME;
od
CONSUME:
do
// consume messages with high priority
:: c ? [b_0] -> atomic {
c ? b_0 -> gadget_mem ! b_0;
i--;
if
:: i == 0 -> goto REPLAY;
:: i != 0 -> goto CONSUME;
fi
}
od
REPLAY:
do
// replay messages back onto the channel, also with priority
:: atomic {
int am;
select(am : 0 .. len(gadget_mem)-1);
do
:: am != 0 ->
am = am-1;
gadget_mem ? b_0 -> attacker_mem_0 ! b_0;
:: am == 0 ->
gadget_mem ? b_0 -> c ! b_0;
break;
od
}
:: atomic { empty(gadget_mem) -> goto BREAK; }
od
BREAK:
}
\end{lstlisting}
\end{figure}
\subsection{Custom Attacker Models}%
\label{sub:Custom Attacker Models}
While the drop, replay, and rearrange attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs.
While the drop, replay, and rearrange attacker models as previously described have complex gadgets that \korg synthesizes with respect to a user-specified channel, \korg also supports the synthesis of gadgets with respect to user-defined inputs and outputs. The user defines an \textit{IO-file} denoting the specific input and output messages the attacker is capable of sending, and \korg generates a gadget capable of synthesizing attacks with respect to the user's specification. An example I/O file is given in Figure \ref{lst:io-file}, and the generated gadget is given in \ref{lst:io-file-synth}.
\begin{figure}[h]
\begin{lstlisting}[caption={Example I/O file targetting channel "cn"}, label={lst:io-file}]
cn:
I:
O:1-1-1, 1-2-3, 3-4-5
\end{lstlisting}
\begin{lstlisting}[caption={Example gadget synthesized from an I/O file targetting the channel "cn"}, label={lst:io-file-synth}]
chan cn = [8] of { int, int, int };
active proctype daisy() {
INIT:
do
:: cn ! 1,1,1;
:: cn ! 1,2,3;
:: cn ! 3,4,5;
:: goto RECOVERY;
od
RECOVERY:
}
\end{lstlisting}
\end{figure}
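Review bot: The rearrange gadget in `lst:korg_rearrange` references names it never declares, so as printed the listing would be rejected by Spin and a reader cannot tell which channel the attacker acts on. It declares `cn`, `gadget_mem` and `blocker`, but the body uses `len(c)`, `c ? b_0`, `c ! b_0`, tests `b != len(c)`, and rotates the buffer through `attacker_mem_0`; presumably these were meant to be `cn`, `blocker` and `gadget_mem`, e.g. `:: blocker != len(cn) -> goto INIT;` and `gadget_mem ? b_0 -> gadget_mem ! b_0;`. Both channels are declared as `{ int, int, int }` while the gadget moves a single `byte b_0` and leaves `b_1`, `b_2` unused, so the text or a listing comment should say whether the example is deliberately reduced to one field. The caption of the same listing says "replay limit" where the surrounding prose defines a "rearrange limit", and the last sentence of the Custom Attacker Models paragraph cites `\ref{lst:io-file-synth}` without the "Figure" prefix it uses for `lst:io-file`.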