This commit is contained in:
JakeGinesin
2024-12-02 09:54:54 -05:00
parent cd55d288e9
commit b636781367
14 changed files with 2196 additions and 1964 deletions



@@ -13,8 +13,11 @@
\newlabel{sec:design}{{II}{1}{\korg Architecture}{section.2}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-A}}Mathematical Preliminaries}{1}{subsection.2.1}\protected@file@percent }
\newlabel{sub:Mathematical Preliminaries}{{\mbox {II-A}}{1}{Mathematical Preliminaries}{subsection.2.1}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}High-level design}{1}{subsection.2.2}\protected@file@percent }
\newlabel{sub:High-level design}{{\mbox {II-B}}{1}{High-level design}{subsection.2.2}{}}
\citation{Holzmann_2014}
\citation{Holzmann_Smith_2000}
\citation{mcp}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}High-level design}{2}{subsection.2.2}\protected@file@percent }
\newlabel{sub:High-level design}{{\mbox {II-B}}{2}{High-level design}{subsection.2.2}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-C}}Supported Attacker Models}{2}{subsection.2.3}\protected@file@percent }
\newlabel{sub:Supported Attacker Models}{{\mbox {II-C}}{2}{Supported Attacker Models}{subsection.2.3}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}\textsc {PANDA}\xspace Implementation}{2}{subsection.2.4}\protected@file@percent }
@@ -32,7 +35,6 @@
\@writefile{lol}{\contentsline {lstlisting}{\numberline {8}{\ignorespaces Example (simplified) \textsc {Promela}\xspace model of the alternating bit protocol.}}{3}{lstlisting.8}\protected@file@percent }
\newlabel{lst:korg_replay}{{2}{4}{Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{lstlisting.2}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}{\ignorespaces Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{4}{lstlisting.2}\protected@file@percent }
\newlabel{lst:korg-shell}{{\mbox {II-E}}{4}{}{lstlisting.-1}{}}
\newlabel{lst:korg_reordering}{{3}{4}{Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{lstlisting.3}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}{\ignorespaces Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{4}{lstlisting.3}\protected@file@percent }
\citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022}
@@ -44,17 +46,32 @@
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}{\ignorespaces Example I/O file targetting channel "cn"}}{5}{lstlisting.4}\protected@file@percent }
\newlabel{lst:io-file-synth}{{5}{5}{Example gadget synthesized from an I/O file targetting the channel "cn"}{lstlisting.5}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {5}{\ignorespaces Example gadget synthesized from an I/O file targetting the channel "cn"}}{5}{lstlisting.5}\protected@file@percent }
\newlabel{lst:korg-shell}{{\mbox {II-E}}{5}{}{lstlisting.-1}{}}
\newlabel{lst:drop_passer}{{7}{5}{Example dropping attacker model gadget with message skipping}{lstlisting.7}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {7}{\ignorespaces Example dropping attacker model gadget with message skipping}}{5}{lstlisting.7}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {III}Case Studies}{5}{section.3}\protected@file@percent }
\newlabel{sec:case_studies}{{III}{5}{Case Studies}{section.3}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}TCP}{5}{subsection.3.1}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {III-A}}{5}{TCP}{subsection.3.1}{}}
\newlabel{lst:drop_passer}{{7}{5}{Example dropping attacker model gadget with message skipping}{lstlisting.7}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {7}{\ignorespaces Example dropping attacker model gadget with message skipping}}{5}{lstlisting.7}\protected@file@percent }
\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 42}}{5}{TCP}{figure.caption.7}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {PANDA}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{5}{figure.caption.7}\protected@file@percent }
\citation{Ongaro}
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 42}}{6}{TCP}{figure.caption.7}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {PANDA}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{6}{figure.caption.7}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Raft}{6}{subsection.3.2}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {III-B}}{6}{Raft}{subsection.3.2}{}}
\newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 92}}{6}{Raft}{figure.caption.8}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {PANDA}\xspace against our Raft \textsc {Promela}\xspace model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \textsc {PANDA}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{6}{figure.caption.8}\protected@file@percent }
\newlabel{res:raft_table}{{3}{6}{Breakdown of the attacker scenarios assessed with \korg against our Raft \promela model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact}{figure.caption.8}{}}
\@writefile{toc}{\contentsline {section}{\numberline {IV}Proofs of Soundness and Completeness}{6}{section.4}\protected@file@percent }
\newlabel{sec:proofs}{{IV}{6}{Proofs of Soundness and Completeness}{section.4}{}}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\citation{Holzmann_1997}
\citation{Hippel2022_anonym}
\citation{Kozen_1977}
\bibstyle{IEEEtran}
\bibdata{main}
\bibcite{Lamport_1994}{1}
@@ -62,21 +79,21 @@
\bibcite{Clarke_Wang}{3}
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
\bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5}
\@writefile{toc}{\contentsline {section}{\numberline {V}Conclusion}{7}{section.5}\protected@file@percent }
\newlabel{sec:conclusion}{{V}{7}{Conclusion}{section.5}{}}
\@writefile{toc}{\contentsline {section}{References}{7}{section*.9}\protected@file@percent }
\bibcite{Kobeissi_Nicolas_Tiwari}{6}
\bibcite{Blanchet_Jacomme}{7}
\bibcite{Basin_Linker_Sasse}{8}
\bibcite{Hippel2022_anonym}{9}
\bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{10}
\bibcite{Smith_1997}{11}
\bibcite{Pacheco2022}{12}
\bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{13}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Raft}{6}{subsection.3.2}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {III-B}}{6}{Raft}{subsection.3.2}{}}
\newlabel{res:raft-table}{{\caption@xref {res:raft-table}{ on input line 92}}{6}{Raft}{figure.caption.8}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {PANDA}\xspace against our Raft \textsc {Promela}\xspace model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \textsc {PANDA}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{6}{figure.caption.8}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {IV}Conclusion}{6}{section.4}\protected@file@percent }
\newlabel{sec:conclusion}{{IV}{6}{Conclusion}{section.4}{}}
\@writefile{toc}{\contentsline {section}{References}{6}{section*.9}\protected@file@percent }
\bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{14}
\bibcite{Ongaro}{15}
\gdef \@abspage@last{7}
\bibcite{Holzmann_2014}{10}
\bibcite{Holzmann_Smith_2000}{11}
\bibcite{mcp}{12}
\bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{13}
\bibcite{Smith_1997}{14}
\bibcite{Pacheco2022}{15}
\bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{16}
\bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{17}
\bibcite{Ongaro}{18}
\bibcite{Kozen_1977}{19}
\gdef \@abspage@last{8}


@@ -61,6 +61,26 @@ D.~Basin, F.~Linker, and R.~Sasse, ``\BIBforeignlanguage{en}{A formal analysis
\bibitem{Hippel2022_anonym}
Anonym, ``Anonymized for blinded submission,'' XXX.
\bibitem{Holzmann_2014}
G.~J. Holzmann, ``\BIBforeignlanguage{en}{Mars code},''
\emph{\BIBforeignlanguage{en}{Communications of the ACM}}, vol.~57, no.~2, p.
6473, Feb. 2014.
\bibitem{Holzmann_Smith_2000}
G.~J. Holzmann and M.~H. Smith, ``\BIBforeignlanguage{en}{Automating software
feature verification},'' \emph{\BIBforeignlanguage{en}{Bell Labs Technical
Journal}}, vol.~5, no.~2, p. 7287, 2000.
\bibitem{mcp}
\BIBentryALTinterwordspacing
W.~Visser, K.~Havelund, G.~Brat, and S.~Park, ``\BIBforeignlanguage{en}{Model
checking programs},'' in \emph{\BIBforeignlanguage{en}{Proceedings ASE 2000.
Fifteenth IEEE International Conference on Automated Software
Engineering}}.\hskip 1em plus 0.5em minus 0.4em\relax Grenoble, France: IEEE,
2000, p. 311. [Online]. Available:
\url{http://ieeexplore.ieee.org/document/873645/}
\BIBentrySTDinterwordspacing
\bibitem{Cluzel_Georgiou_Moy_Zeller_2021}
\BIBentryALTinterwordspacing
G.~Cluzel, K.~Georgiou, Y.~Moy, and C.~Zeller,
@@ -110,4 +130,13 @@ J.~R. Wilcox, D.~Woos, P.~Panchekha, Z.~Tatlock, X.~Wang, M.~D. Ernst, and
D.~Ongaro, ``\BIBforeignlanguage{en}{Consensus: Bridging theory and
practice}.''
\bibitem{Kozen_1977}
\BIBentryALTinterwordspacing
D.~Kozen, ``\BIBforeignlanguage{en}{Lower bounds for natural proof systems},''
in \emph{\BIBforeignlanguage{en}{18th Annual Symposium on Foundations of
Computer Science (sfcs 1977)}}.\hskip 1em plus 0.5em minus 0.4em\relax
Providence, RI, USA: IEEE, Sep. 1977, p. 254266. [Online]. Available:
\url{http://ieeexplore.ieee.org/document/4567949/}
\BIBentrySTDinterwordspacing
\end{thebibliography}


@@ -74,3 +74,9 @@ concurrent finite-state programs.}, publisher={IEEE Computer Society}, author={V
url = {https://www.rfc-editor.org/rfc/rfc9260},
doi = {10.17487/RFC9260}
}
@article{Holzmann_2014, title={Mars code}, volume={57}, ISSN={0001-0782, 1557-7317}, DOI={10.1145/2560217.2560218}, abstractNote={Redundant software (and hardware) ensured Curiosity reached its destination and functioned as its designers intended.}, number={2}, journal={Communications of the ACM}, author={Holzmann, Gerard J.}, year={2014}, month=feb, pages={6473}, language={en} }
@article{Holzmann_Smith_2000, title={Automating software feature verification}, volume={5}, ISSN={1538-7305}, DOI={10.1002/bltj.2223}, abstractNote={A significant part of the call processing software for Lucents new PathStar™ Access Server was checked with formal verification techniques. The verification system we built for this purpose, named FeaVer, is accessed via a standard Web browser. The system maintains a database of feature requirements, together with the results of the most recently performed verifications. Via the browser the user can invoke new verification runs, which are performed in the background with the help of a logic model checking tool. Requirement violations are reported either as high-level message sequence charts or as detailed execution traces of the system source. A main strength of the system is its capability to detect potential feature interaction problems at an early stage of systems design. This type of problem is difficult to detect with traditional testing techniques. Error reports are typically generated by the system within minutes after a comprehensive check is initiated, allowing near-interactive probing of feature requirements and quick confirmation (or rejection) of the validity of tentative software fixes.}, number={2}, journal={Bell Labs Technical Journal}, author={Holzmann, Gerard J. and Smith, Margaret H.}, year={2000}, pages={7287}, language={en} }
@inproceedings{mcp, address={Grenoble, France}, title={Model checking programs}, ISBN={978-0-7695-0710-1}, url={http://ieeexplore.ieee.org/document/873645/}, DOI={10.1109/ASE.2000.873645}, abstractNote={The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.}, booktitle={Proceedings ASE 2000. Fifteenth IEEE International Conference on Automated Software Engineering}, publisher={IEEE}, author={Visser, W. and Havelund, K. and Brat, G. and Seungjoon Park}, year={2000}, pages={311}, language={en} }
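Review bot: The page ranges in the new entries have lost their dash: `pages={6473}` on the Holzmann_2014 line and `pages={7287}` on the Holzmann_Smith_2000 line read as single page numbers, and the regenerated main.bbl in this commit prints them verbatim as `p. 6473` and `p. 7287` (and `p. 254266` for Kozen_1977, whose .bib entry is not in this hunk). They should be `pages={64--73}` and `pages={72--87}`; the mcp entry's `pages={311}` looks like the same loss (presumably `3--11`) and the Kozen entry should be checked the same way against the venue. The dropped apostrophe in "Lucents" inside the Holzmann_Smith_2000 abstractNote suggests the export stripped non-ASCII characters wholesale, so the other imported entries in this file are worth a pass for the same defect.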


@@ -28,45 +28,45 @@ Warning--empty journal in Ongaro
Warning--empty year in Ongaro
Done.
You've used 15 entries,
You've used 19 entries,
4087 wiz_defined-function locations,
915 strings with 10229 characters,
and the built_in function-call counts, 8148 in all, are:
= -- 647
> -- 190
< -- 12
+ -- 90
- -- 45
* -- 461
:= -- 1272
add.period$ -- 33
call.type$ -- 15
change.case$ -- 16
946 strings with 10939 characters,
and the built_in function-call counts, 10982 in all, are:
= -- 918
> -- 224
< -- 20
+ -- 106
- -- 53
* -- 609
:= -- 1703
add.period$ -- 43
call.type$ -- 19
change.case$ -- 20
chr.to.int$ -- 0
cite$ -- 30
duplicate$ -- 706
empty$ -- 685
format.name$ -- 55
if$ -- 1848
cite$ -- 34
duplicate$ -- 955
empty$ -- 924
format.name$ -- 65
if$ -- 2529
int.to.chr$ -- 0
int.to.str$ -- 15
missing$ -- 132
newline$ -- 76
num.names$ -- 15
pop$ -- 353
int.to.str$ -- 19
missing$ -- 171
newline$ -- 92
num.names$ -- 19
pop$ -- 437
preamble$ -- 1
purify$ -- 0
quote$ -- 2
skip$ -- 613
skip$ -- 856
stack$ -- 0
substring$ -- 113
swap$ -- 485
text.length$ -- 12
substring$ -- 175
swap$ -- 680
text.length$ -- 20
text.prefix$ -- 0
top$ -- 5
type$ -- 15
type$ -- 19
warning$ -- 15
while$ -- 21
width$ -- 17
write$ -- 153
while$ -- 29
width$ -- 21
write$ -- 199
(There were 15 warnings)


@@ -542,11 +542,11 @@ INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmbc7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmbc7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbc7t.vf
@@ -555,14 +555,21 @@ INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8c.tfm
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr8c.vf
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT ./sections/case_studies.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT ./sections/proofs.tex
INPUT ./sections/proofs.tex
INPUT ./sections/proofs.tex
INPUT ./sections/proofs.tex
INPUT ./sections/proofs.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
INPUT ./sections/conclusion.tex
@@ -576,12 +583,15 @@ INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT ./main.aux
INPUT ./main.out
INPUT ./main.out
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmex10.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi5.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi7.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr5.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb
INPUT /usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy7.pfb
INPUT /usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb
INPUT /usr/share/texmf-dist/fonts/type1/urw/times/utmb8a.pfb
INPUT /usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.pfb

134
main.log

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 29 NOV 2024 14:56
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 2 DEC 2024 02:51
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1232,7 +1232,11 @@ File: lstlang3.sty 2024/02/21 1.10 listings language file
File: lstmisc.sty 2024/02/21 1.10 (Carsten Heinz)
)
\c@theorem=\count404
(./main.aux)
(./main.aux
LaTeX Warning: Label `res:raft_table' multiply defined.
)
\openout1 = `main.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 65.
@@ -1323,10 +1327,10 @@ ts/enc/dvips/base/8r.enc}
]
<assets/diagram-anon.png, id=82, 584.1825pt x 222.07968pt>
<assets/diagram-anon.png, id=87, 584.1825pt x 222.07968pt>
File: assets/diagram-anon.png Graphic file (type png)
<use assets/diagram-anon.png>
Package pdftex.def Info: assets/diagram-anon.png used on input line 27.
Package pdftex.def Info: assets/diagram-anon.png used on input line 30.
(pdftex.def) Requested size: 361.19843pt x 137.31522pt.
@@ -1355,25 +1359,25 @@ LaTeX Warning: `h' float specifier changed to `ht'.
)
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 101.
(Font) using `OT1/ptm/m/sc' instead on input line 104.
[2]
LaTeX Warning: `h' float specifier changed to `ht'.
Underfull \vbox (badness 10000) has occurred while \output is active []
[3 <./assets/diagram-anon.png (PNG copy)>]
Underfull \vbox (badness 3168) has occurred while \output is active []
Underfull \vbox (badness 3168) has occurred while \output is active []
[4]
LaTeX Font Info: Trying to load font information for TS1+pcr on input line 2
09.
14.
(/usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
File: ts1pcr.fd 2001/06/04 font definitions for TS1/pcr.
)
Underfull \vbox (badness 3312) has occurred while \output is active []
[4]
Excluding 'comment' comment.) (./sections/case_studies.tex
Underfull \hbox (badness 4144) in paragraph at lines 19--19
[]\OT1/pcr/m/n/10 SYN_RECEIVED \OT1/ptm/m/n/10 is even-tu-ally fol-lowed by
@@ -1395,25 +1399,42 @@ Underfull \hbox (badness 4144) in paragraph at lines 19--19
[]
Underfull \vbox (badness 1635) has occurred while \output is active []
Package caption Warning: \label without proper reference on input line 42.
See the caption package documentation for explanation.
LaTeX Warning: Reference `res:tcp-table' on page 5 undefined on input line 23.
LaTeX Warning: `!h' float specifier changed to `!ht'.
Excluding 'comment' comment. [5]
Package caption Warning: \label without proper reference on input line 92.
See the caption package documentation for explanation.
LaTeX Warning: `!h' float specifier changed to `!ht'.
) (./sections/proofs.tex
Underfull \hbox (badness 3503) in paragraph at lines 19--21
[][]\OT1/ptm/b/n/10 Definition 2 \OT1/ptm/m/n/10 (Pro-cess)\OT1/ptm/b/n/10 . []
\OT1/ptm/m/it/10 A \OT1/ptm/m/n/10 Pro-cess \OT1/ptm/m/it/10 is a tu-ple $\OML/
cmm/m/it/10 P \OT1/cmr/m/n/10 =
[]
[6]
Underfull \hbox (badness 2165) in paragraph at lines 73--74
[]\OT1/ptm/m/n/10 In the Pro-cess: $\OML/cmm/m/it/10 s[]; s[]; s[]; []$ \OT1/pt
m/m/n/10 with $\OML/cmm/m/it/10 s[] \OT1/cmr/m/n/10 = \OML/cmm/m/it/10 s[]$ \OT
1/ptm/m/n/10 and
[]
LaTeX Warning: Reference `res:raft-table' on page 6 undefined on input line 87.
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 91.
Underfull \hbox (badness 1715) in paragraph at lines 98--100
\OT1/ptm/m/n/10 via the pre-vi-ous the-o-rem we can con-struct B[]uchi Au-
[]
) (./sections/conclusion.tex) (./main.bbl
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
@@ -1439,6 +1460,25 @@ LaTeX Warning: Reference `res:raft-table' on page 6 undefined on input line 87.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
[7]
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -1469,7 +1509,12 @@ LaTeX Warning: Reference `res:raft-table' on page 6 undefined on input line 87.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
[6]
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -1488,7 +1533,7 @@ Before submitting the final camera ready copy, remember to:
uses only Type 1 fonts and that every step in the generation
process uses the appropriate paper size.
[7
[8
] (./main.aux)
***********
@@ -1499,30 +1544,35 @@ L3 programming layer <2024-02-20>
LaTeX Warning: There were undefined references.
LaTeX Warning: There were multiply-defined labels.
Package rerunfilecheck Info: File `main.out' has not changed.
(rerunfilecheck) Checksum: 63CC73A5CD412988EF7130C704170A62;1449.
(rerunfilecheck) Checksum: 5B902670F40C388F59EF45336B329F15;1685.
)
Here is how much of TeX's memory you used:
40984 strings out of 476076
906282 string characters out of 5793776
2259187 words of memory out of 5000000
62121 multiletter control sequences out of 15000+600000
604798 words of font info for 123 fonts, out of 8000000 for 9000
41033 strings out of 476076
907381 string characters out of 5793776
2286187 words of memory out of 5000000
62155 multiletter control sequences out of 15000+600000
606090 words of font info for 125 fonts, out of 8000000 for 9000
14 hyphenation exceptions out of 8191
99i,11n,101p,1390b,1635s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/
texmf-dist/fonts/type1/public/amsfonts/cm/cmmi7.pfb></usr/share/texmf-dist/font
s/type1/public/amsfonts/cm/cmr10.pfb></usr/share/texmf-dist/fonts/type1/public/
amsfonts/cm/cmr5.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7
.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/sha
re/texmf-dist/fonts/type1/urw/courier/ucrr8a.pfb></usr/share/texmf-dist/fonts/t
ype1/urw/times/utmb8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmbi8a.
pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-d
ist/fonts/type1/urw/times/utmri8a.pfb>
Output written on ./main.pdf (7 pages, 212829 bytes).
99i,11n,101p,1201b,2034s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/
texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-dist/fon
ts/type1/public/amsfonts/cm/cmmi5.pfb></usr/share/texmf-dist/fonts/type1/public
/amsfonts/cm/cmmi7.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cm
r10.pfb></usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmr5.pfb></usr/sh
are/texmf-dist/fonts/type1/public/amsfonts/cm/cmr7.pfb></usr/share/texmf-dist/f
onts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texmf-dist/fonts/type1/pub
lic/amsfonts/cm/cmsy7.pfb></usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a
.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-
dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texmf-dist/fonts/type1/urw/t
imes/utmr8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on ./main.pdf (8 pages, 260146 bytes).
PDF statistics:
473 PDF objects out of 1000 (max. 8388607)
436 compressed objects within 5 object streams
254 named destinations out of 1000 (max. 500000)
114 words of extra memory for PDF output out of 10000 (max. 10000000)
522 PDF objects out of 1000 (max. 8388607)
478 compressed objects within 5 object streams
266 named destinations out of 1000 (max. 500000)
122 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
main.pdf




@@ -105,10 +105,15 @@ Protocols, Attack Synthesis, Denial of Service, Model Checking
\label{sec:case_studies}
\input{sections/case_studies}
\section{Proofs of Soundness and Completeness}
\label{sec:proofs}
\input{sections/proofs}
\section{Conclusion}
\label{sec:conclusion}
\input{sections/conclusion}
\bibliographystyle{IEEEtran}
\bibliography{main}


@@ -84,12 +84,14 @@ Referencing the original Raft thesis \cite{Ongaro} and other raft models \cite{W
\phi_5 &= \text{\parbox[t]{20em}{If any two servers commit the same log entry, the log entry at the previous index must be equivalent}}
\end{aligned}
\]
We construct our Raft model such that we can model-check an arbitrary number of peers. We also designed our model such that each peer maintains separate channels for receiving AppendEntry requests, AppendEntry responses, RequestVote requests, and RequestVote responses. This gives \korg ample handle to reason about Raft. In particular, we study Raft in the presence of drop and replay attackers on all four aforementioned channel types, attacking both a minority and majority of peers. A breakdown of our findings is shown in Figure \ref{res:raft-table}.
We construct our Raft model such that we can model-check an arbitrary number of peers. We also designed our model such that each peer maintains separate channels for receiving AppendEntry requests, AppendEntry responses, RequestVote requests, and RequestVote responses. This gives \korg ample handle to reason about Raft. In particular, we study Raft in the presence of drop and replay attackers on all four aforementioned channel types, attacking both a minority and majority of peers.
To test \korg, we introduce a subtle bug in the Raft consensus mechanism: not ensuring votes come from unique peers. A breakdown of our findings is shown in Figure \ref{res:raft_table}.
\begin{figure}[h!]
\label{res:raft_table}
\centering
\begin{scriptsize}
\label{res:raft-table}
\begin{tabular}{|c|c|}
\hline
Scenario & Attack found? \\
@@ -104,12 +106,10 @@ Dropping AppendEntryResponse messages & no \\
\end{tabular}
\end{scriptsize}
\caption{Breakdown of the attacker scenarios assessed with \korg against our Raft \promela model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}
%\caption{Automatically discovered attacks against
%the hand-written TCP model from Pacheco et al. and our own,
%our TCP model for $\phi_1$ through $\phi_4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}
\label{res:raft_table}
\end{figure}
In our experiments, we found just one attack on our Raft \promela model, violating election safety in particular. In this scenario, peer A and peer B are candidates for election. Peer A receives three votes, one from itself and two from other peers, and Peer B receives two votes, one from itself and one from another peer. The replay attacker simply replays the vote sent to peer B. Then, both Peer A and Peer B are convinced they won the election and change their state to leader. Following this, leader completeness is also naturally violated.
In our experiments, we found just one attack on our Raft \promela model, violating election safety in particular. In this scenario, peer A and peer B are candidates for election. Peer A receives three votes, one from itself and two from other peers, and Peer B receives two votes, one from itself and one from another peer. The replay attacker simply replays the vote sent to peer B. Then, both Peer A and Peer B are convinced they won the election and change their state to leader. Following this, leader completeness is also naturally violated. In this scenario, \korg demonstrates its ability to discover subtle bugs in protocol logic; our Raft model satisfies $\phi_1$-$\phi_5$ assuming perfect channels, and \korg allowed us to reason precisely about the effect of imperfect, vulnerable channels.
To be clear, this is not an attack on the general Raft protocol, but rather an attack on our specific Raft implementation: in this case, the bug \korg exploits involves our Raft model not ensuring votes received are from unique peers\footnote{Naturally, this requires cryptography and therefore is challenging to express in the semantics of \promela.}. In general, the complete Raft protocol has been proven to resist drop and replay attackers \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}. In this scenario, \korg demonstrates its ability to discover subtle bugs in protocol logic; our Raft model satisfies $\phi_1$-$\phi_5$ assuming perfect channels, and \korg allowed us to reason precisely about the effect of imperfect, vulnerable channels.
%To be clear, this is not an attack on the general Raft protocol, but rather an attack on our specific Raft implementation: in this case, the bug \korg exploits involves our Raft model not ensuring votes received are from unique peers\footnote{Naturally, this requires cryptography and therefore is challenging to express in the semantics of \promela.}. In general, the complete Raft protocol has been proven to resist drop and replay attackers \cite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}.
% We note our analysis is in no
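Review bot: The Raft figure now carries `\label{res:raft_table}` twice, once directly after `\begin{figure}[h!]` in the first hunk and again after `\caption` in the second hunk, and the regenerated main.aux and main.log in this commit confirm it ("Label `res:raft_table' multiply defined", with the first `\newlabel` resolving through `\caption@xref` to the "Raft" subsection rather than to figure 3). Delete the early `\label{res:raft_table}` line and keep only the one after `\caption`; a `\label` placed before `\caption` never binds to the figure. The aux also records two `\caption@xref` entries for `res:tcp-table` and the log reports "Reference `res:tcp-table' on page 5 undefined" at input line 42, so the TCP figure earlier in this file (outside the hunk) appears to have the same misplacement and should get the same fix. While here, `\begin{figure}[h!]` should be `\begin{figure}[htbp]` (the log shows the specifier being rewritten to `ht` anyway) and the new reference wants a non-breaking space, `Figure~\ref{res:raft_table}`.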


@@ -19,7 +19,10 @@ As aforementioned, \korg is based on \textit{LTL attack synthesis}; in particula
%The methodology behind the construction of \korg is based on \textit{LTL attack synthesis}.
\korg is designed to target user-specified communication channels in programs written in \promela, the modeling language of the \spin model checker. The user inputs a \promela model, their desired communication channels to attack, the attacker model of choice, and the LTL correctness property of choice. \korg then invokes \spin, which exhaustively searches for attacks with respect to the chosen attacker model, \promela model, and correctness property.
\korg is designed to target user-specified communication channels in programs written in formal models. The user inputs a formal model of choice, their desired communication channels to attack, the attacker model of choice, and the correctness property of choice. \korg then invokes the model checker, which exhaustively searches for attacks with respect to the chosen attacker model, formal protocol model, and the correctness property.
%\promela, the modeling language of the \spin model checker. The user inputs a \promela model,
%their desired communication channels to attack, the attacker model of choice, and the LTL correctness property of choice. \korg then invokes \spin, which exhaustively searches for attacks with respect to the chosen attacker model, \promela model, and correctness property.
A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg_workflow}.
\begin{figure*}[h]
@@ -42,7 +45,7 @@ A high-level overview of the \korg pipeline is given in the Figure \ref{fig:korg
%\item \textbf{Insert Attacker Model}. Insert attackers are capable of inserting arbitrary messages (as specifiable by the user) onto a channel.
%\end{itemize}
\korg supports four general attacker model gadgets: an attacker that can drop, replay, reorder, or insert messages on a channel. In this section we discuss the various details that went into the implementation of the gadgets that encapsulate the behavior of the respective attacker models.
\korg supports four general attacker models: an attacker that can drop, replay, reorder, or insert messages on a channel. In this section we discuss the various details that went into the implementation of the gadgets that encapsulate the behavior of the respective attacker models.
% Additionally, \korg supports user-defined attacker that insert arbitrary messages onto a channel. In this section we discuss the various details that go into each attacker model.
@@ -101,7 +104,9 @@ These attacker models can be mixed and matched as desired by the \korg user. For
\subsection{\korg Implementation}%
\label{sub:impl}
We implemented \korg on top of the \spin, a popular and robust model checker for reasoning about distributed and concurrent systems. Intuitively, models written in \promela, the modeling language of \spin, are communicating state machines whose messages are passed over defined \textit{channels}. Channels in \promela can either be unbuffered \textit{synchronous} channels, or buffered \textit{asynchronous} channels. \korg generates attacks \textit{with respect} to these defined channels.
We implemented \korg on top of the \spin, a popular and robust model checker for reasoning about distributed and concurrent systems. \spin has existed for over 40 years, and has been applied to dozens of real systems including the Mars Rover \cite{Holzmann_2014}, Path-Star Access server \cite{Holzmann_Smith_2000}, and an avionics operating system \cite{mcp}. Additionally, \spin has spawned a dedicated formal methods symposium, currently in its 32nd year\footnote{\url{https://spin-web.github.io/SPIN2025/}}, and earned the 2002 ACM Software System award.
Intuitively, models written in \promela, the modeling language of \spin, are communicating state machines whose messages are passed over defined \textit{channels}. Channels in \promela can either be unbuffered \textit{synchronous} channels, or buffered \textit{asynchronous} channels. \korg generates attacks \textit{with respect} to these defined channels.
\begin{lstlisting}[caption={Example \promela model of peers communicating over a channel. \texttt{!} indicates sending a message onto a channel, \texttt{?} indicates receiving a message from a channel.}, label={lst:spin-model}]
// channel of buffer size 0
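Review bot: The rewritten sentence in the first hunk says \korg targets channels "in programs written in formal models", which is hard to parse, and it now says \korg "invokes the model checker" without naming one, because the Promela/Spin sentence it replaces was the only antecedent; suggest `\korg is designed to target user-specified communication channels in formal protocol models.` and `\korg then invokes the underlying model checker (\spin, see Section~\ref{sub:impl}), which exhaustively searches for attacks ...`, with `Figure~\ref{fig:korg_workflow}` tied on the following line. The wording change in the second hunk ("attacker model gadgets" to "attacker models") is not carried into the introduction, whose contribution list still reads "four general attacker model gadgets", so the two should be aligned. The added sentence in the third hunk puts uncited figures ("over 40 years", "32nd year") next to cited ones; a citation for the first and a check of the count against the footnoted symposium page would make them verifiable, and `on top of the \spin` in the same line should drop the article.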


@@ -4,6 +4,9 @@ Distributed protocols are the foundation for the modern internet, and therefore
This myriad of formal methods tooling applicable to secure protocols has enabled reasoning about security-relevant properties involving secrecy, authentication, indistinguishability in addition to concurrency, safety, and liveness. However, no previous formal methods tooling offered an effective solution for rigorously studying an attacker that controls communication channels. That is, how do you reason about an attacker that can arbitrarily drop, reorder, replay, or insert messages onto a communication channel?
To fill this gap, we introduce \korg \footnote{\korg is a fictitious name for our system, for double-blind submission.}, a tool for synthesizing attacks on distributed protocols that implements and extends the theoretical framework proposed in \cite{Hippel2022_anonym}. In particular, \korg targets the communication channels between the protocol endpoints, and synthesizes attacks to violate arbitrary linear temporal logic (LTL) specifications. \korg either synthesizes attack, or proves the absence of such via an exhaustive state-space search. \korg is sound and complete, meaning if there exists an attack \korg will find it, and \korg will never have false positives. \korg supports pre-defined attacker models, including attackers that can replay, reorder, or drop messages on channels, as well as custom user-defined attacker models. Although \korg best lends itself for reasoning about denial of service attacks, it can target any specification expressable in LTL.
In this work we take an approach rooted in \textit{formal methods} and \textit{automated reasoning} to construct \korg. In particular, we employ \textit{model checking}, a sub-discipline of formal methods, to decidably and automatically find attacks in protocols or prove the absence of such.
We summarize our contributions:
\begin{itemize}
\item We present \korg, a tool for synthesizing attacks against communication protocols. \korg supports four general attacker model gadgets: an attacker that can drop, replay, reorder, or insert messages on a channel.
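Review bot: The sentence added before "We summarize our contributions" repeats the claim the previous paragraph already makes ("\korg either synthesizes attack, or proves the absence of such via an exhaustive state-space search"), so the find-or-prove-absence point is stated twice in consecutive sentences. Consider keeping only the definition of model checking as a sub-discipline of formal methods here and folding the method into the earlier sentence, e.g. `\korg either synthesizes an attack or, via exhaustive model checking, proves the absence of one.`, or moving the new sentence ahead of the "To fill this gap" paragraph so the approach is introduced before the tool. The itemize this hunk opens continues outside the hunk.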


@@ -1,36 +1,115 @@
\subsection{Soundness And Completeness of \korg}%
\label{sub:Soundness And Completeness}
\korg is an implementation of the theoretical attack synthesis framework proposed by \cite{Hippel2022_anonym}. This framework enjoys soundness and completeness guarantees for attacks discovered; that is, if there exists an attack, it is discovered, and if an attack is discovered, it is valid. However, the attack synthesis framework proposed by \cite{Hippel2022_anonym} reasons about an abstracted, theoretical process construct. Therefore, in order to correctly claim \korg is also sound and complete, it is necessary to demonstrate discovering an attack within the theoretical framework reduces to the semantics of \spin, the model checker \korg is built on top of.
\newcommand{\comp}{\mid\mid}
\newcommand{\ioint}{\mathcal{C}}
There exists a semantic gap between the theoretical attack synthesis framework proposed by \cite{Hippel2022_anonym}, and the semantics of \korg. Therefore, in order to correctly claim \korg maintains the soundness and completeness of the theoretical framework it implements, it suffices to demonstrate finding an attack within the theoretical attack synthesis framework precisely reduces to the semantics of \spin.
%the model checker \korg is implemented on top of.
Fundamentally, the theoretical framework that \korg implements was presented in \cite{Hippel2022_anoym} about \textit{communicating processes}; similarly, \korg is best understood as a synthesizer for attackers that sit \textit{between} communicating processes.
\begin{definition}[\ba]
A \ba is a tuple \( B = (Q, \Sigma, \delta, Q_0, F) \) where:
\begin{itemize}
\item \( Q \) is a finite set of states,
\item \( \Sigma \) is a finite alphabet,
\item \( \delta \subseteq Q \times \Sigma \times Q \) is a transition relation,
\item \( Q_0 \subseteq Q \) is a set of initial states,
\item \( F \subseteq Q \) is a set of accepting states.
\end{itemize}
A run of a \ba is an infinite sequence of states \( q_0, q_1, q_2, \ldots \) such that \( q_0 \in Q_0 \) and \( (q_i, a, q_{i+1}) \in \delta \) for some \( a \in \Sigma \) at each step \( i \). The run is considered accepting if it visits states in \( F \) infinitely often.
\end{definition}
The theoretical attack synthesis framework and \korg use slightly different formalisms. Both employ derivations the general \textit{Input/Output (I/O) automata}, state machines whose transitions indicate sending or receiving a message.\footnote{
A fundamental assumption both \korg and the theoretical attack synthesis framework rely upon is unicast transition relations of I/O automata within this context. That is, if one sending automata has an output transition matching an input transition of two receiving automata, only one input/output transition pair can be composed upon. Model checkers for I/O automata such as \spin will explore both possibilities.
}
In particular, the theoretical attack synthesis framework defines their own notion of a \textit{process} and argues their attack synthesis algorithm maintains soundness and completeness guarantees with respect to it, while \korg relies upon \spin's preferred model checking formalism, the B\"uchi Automata. Both utilize linear temporal logic as their specification language of choice.
We ultimately seek to conclude \korg maintains the guarantees of the theoretical framework it implements, therefore it is necessary to demonstrate the equivalence of \textit{processes} from the theoretical attack synthesis framework with the B\"uchi Automata. For ease of reading and clarity, we only provide shortened narrations of the arguments here. The detailed, definitions, theorems, and proofs are provided in Appendix Section \ref{sub:korg_proofs}.
\begin{definition}[Process]
A \emph{Process} is a tuple \( P = \langle AP, I, O, S, s_0, T, L \rangle \), where:
\begin{itemize}
\item \( AP \) is a finite set of atomic propositions,
\item \( I \) is a set of inputs,
\item \( O \) is a set of output, such that \( I \cap O = \emptyset \),
\item \( S \) is a finite set of states,
\item \( s_0 \in S \) is the initial state,
\item \( T \subseteq S \times (I \cup O) \times S \) is the transition relation,
\item \( L: S \to 2^{AP} \) is a labeling function mapping each state to a subset of atomic propositions.
\end{itemize}
A transition \( (s, x, s') \in T \) is called an \emph{input transition} if \( x \in I \) and an \emph{output transition} if \( x \in O \).
\end{definition}
\setcounter{theorem}{0}
\begin{theorem}
A process, always directly corresponds to a B\"uchi Automata.
A process, as defined in \cite{Hippel2022_anonym}, always directly corresponds to a \ba.
\end{theorem}
In short, a process in the theoretical attack synthesis framework is a Kripke Structure equipped with input and output transitions. That is, when composing two processes, an output transition must be matched to a respective input transition. Processes also include atomic propositions, which the given linear temporal logic specifications are defined over. We invoke and build on the well-known correspondence between Kripke Structures and \ba to show our desired correspondence.
\begin{proof}
Given a \ba \( B = (Q, \Sigma, \delta, Q_0, F) \), we construct a corresponding Process \( P = \langle AP, I, O, S, s_0, T, L \rangle \) as follows:
\begin{itemize}
\item Atomic Propositions: \( AP = \{ \text{accept} \} \), a singleton set containing a special proposition indicating acceptance.
\item Inputs and Outputs: \( I = \Sigma \) and \( O = \emptyset \).
\item States: \( S = Q \) and \( s_0 \in Q_0 \).
\item Transition Relation: \( T = \delta \).
\item Labeling Function: \( L: S \to 2^{AP} \) defined by
\end{itemize}
\[
L(s) =
\begin{cases}
\{ \text{accept} \} & \text{if } s \in F, \\
\emptyset & \text{otherwise}.
\end{cases}
\]
In this mapping, the states and transitions of the BA are preserved in the Process, and the accepting states \( F \) are identified via the labeling function \( L \).
Conversely, given a Process \( P = \langle AP, I, O, S, s_0, T, L \rangle \) with an acceptance condition defined by a distinguished proposition \( p \in AP \), we define a \ba \( B = (Q, \Sigma, \delta, Q_0, F) \) as follows:
\begin{itemize}
\item States: \( Q = S \) and \( Q_0 = \{ s_0 \} \).
\item Alphabet: \( \Sigma = I \cup O \).
\item Transition Relation: \( \delta = T \).
\item Accepting States: \( F = \{ s \in S \mid p \in L(s) \} \).
\end{itemize}
Here, the accepting states in the BA correspond to those states in the Process that are labeled with the distinguished proposition \( p \).
In both structures, a run is an infinite sequence of states connected by transitions:
\begin{itemize}
\item In the \ba: \( q_0, q_1, q_2, \ldots \) with \( q_0 \in Q_0 \) and \( (q_i, a_i, q_{i+1}) \in \delta \) for some \( a_i \in \Sigma \).
\item In the Process: \( s_0, s_1, s_2, \ldots \) with \( s_0 = s_0 \) and \( (s_i, x_i, s_{i+1}) \in T \) for some \( x_i \in I \cup O \).
\end{itemize}
An accepting run in the \ba visits states in \( F \) infinitely often. Similarly, an accepting run in the Process visits states labeled with \( p \) infinitely often. Since \( F = \{ s \in S \mid p \in L(s) \} \), the acceptance conditions are preserved under the mappings.
\end{proof}
\begin{definition}[Threat Model]
A threat model is a tuple \( (P, (Q_i)_{i=0}^m, \phi) \) where:
\begin{itemize}
\item \( P, Q_0, \ldots, Q_m \) are processes.
\item Each process \( Q_i \) has no atomic propositions (i.e., its set of atomic propositions is empty).
\item \( \varphi \) is an LTL formula such that \( P \parallel Q_0 \parallel \cdots \parallel Q_m \models \phi \).
\item The system \( P \parallel Q_0 \parallel \cdots \parallel Q_m \) satisfies the formula \( \phi \) in a non-trivial manner, meaning that \( P \parallel Q_0 \parallel \cdots \parallel Q_m \) has at least one infinite run.
\end{itemize}
\end{definition}
\begin{theorem}
Checking whether there exists an attacker under a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., is equivalent to B\"uchi Automata language inclusion (which is in turn solved by the \spin model checker).
Checking whether there exists an attacker under a given threat model, the R-$\exists$ASP problem as proposed in \cite{Hippel2022_anonym}, is equivalent to B\"uchi Automata language inclusion (which is in turn solved by the \spin model checker).
\end{theorem}
Via the previous theorem, we can translate the threat model processes and the victim processes to \ba and intersect them. B\"uchi Automata intersection corresponds with \ba language inclusion, which is in turn solved by \spin. From this result, we naturally get a complexity-theoretic result for finding an attacker from a given threat model.
\begin{proof}
For a given threat model \( (P, (Q_i)_{i=0}^m, \phi) \), checking $\exists ASP$ is equivalent to checking
\[
R = MC(P \mid \mid \text{Daisy}(Q_0) \mid \mid \ldots \mid \mid \text{Daisy}(Q_m), \phi)
\]
Where $MC$ is a model checker, and Daisy($Q_i$) is for intents of this proof, equivalent to a process. Therefore, via the previous theorem we can construct \ba \( BA_{P}, BA_{\text{Daisy}(Q_0)}, \ldots, BA_{\text{Daisy}(Q_m)} \) from the processes \( P, \text{Daisy}(Q_0), \ldots ,\text{Daisy}(Q_m) \). Then, we check
\[
\text{\spin}(BA_{P} \mid \mid BA_{\text{Daisy}(Q_0)} \mid \mid \ldots \mid \mid BA_{\text{Daisy}(Q_m)}, \phi)
\]
Or equivalently, translating $\phi$ to the equivalent \ba $BA_{\phi}$ via \cite{Holzmann_1997}, we equivalently check
\[
\left(BA_{P} \mid \mid BA_{\text{Daisy}(Q_0)} \mid \mid \ldots \mid \mid BA_{\text{Daisy}(Q_m)}\right) \subseteq BA_{\phi}
\]
\end{proof}
\begin{theorem}
Checking whether there exists an attacker for a given threat model, the R-$\exists$ASP problem as proposed in Hippel et al., is PSPACE-complete.
Checking whether there exists an attacker for a given threat model, the R-$\exists$ASP problem as proposed in \cite{Hippel2022_anonym}, is PSPACE-complete.
\end{theorem}
By the previous argument the attack synthesis problem reduces to intersecting multiple \ba (or alternatively \ba language inclusion), which is well-known to be PSPACE-complete \cite{Kozen_1977}.
Although this result implies \korg has a rough upper bound complexity, in practice due the various implementation-level optimizations of \spin finding attacks on some property is generally fast, but proving their absence via a state-space search can expensive \cite{Clarke_Wang}.
Since \korg uses \spin as its underlying model checker, we can effectively conclude \korg is sound and complete.
\begin{proof}
By the previous argument the $\exists$ASP problem corresponds to \ba language inclusion, which is well-known to be PSPACE-complete \cite{Kozen_1977}.
\end{proof}
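Review bot: The citation key in the new sentence "Fundamentally, the theoretical framework that \korg implements was presented in `\cite{Hippel2022_anoym}`" is misspelled (every other use in the hunk is `\cite{Hippel2022_anonym}`), which yields an undefined-citation warning and a "[?]" in the output. The macros `\comp` and `\ioint` are defined mid-body and `\comp` is never used: the displayed lines of the second proof write composition as `\mid \mid`, two relation symbols that set with relation spacing between them, while the Threat Model definition uses `\parallel`; use `\parallel` throughout (or have `\comp` expand to it) and move both definitions to the preamble as `\newcommand*`. The Threat Model definition mixes `\phi` and `\varphi` for the same formula, and `$\exists ASP$` in that proof typesets ASP as a product of variables and drops the "R-" prefix used in the theorem statements; `R-$\exists\text{ASP}$`, or a `\DeclareMathOperator`, would keep them consistent. In the first proof the backward direction picks a single `s_0 \in Q_0` while the forward direction sets `Q_0 = \{ s_0 \}`, so a \ba with several initial states is not recovered exactly; if the intended correspondence is up to language equivalence, the proof should say so.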