synchronous/korg-paper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more

Browse Source
This commit is contained in:
Your Name
2025-01-26 15:30:30 -05:00
parent 07dfd06cb4
commit cc322832e2
11 changed files with 2062 additions and 2063 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3882
.latexrun.db
View File

File diff suppressed because it is too large Load Diff

28
main.aux
View File

@@ -9,13 +9,13 @@
\providecommand \oddpage@label [2]{}
\@writefile{toc}{\contentsline {section}{\numberline {I}Introduction}{1}{section.1}\protected@file@percent }
\newlabel{sec:introduction}{{I}{1}{Introduction}{section.1}{}}
\@writefile{toc}{\contentsline {section}{\numberline {II}\textsc {PANDA}\xspace Architecture}{1}{section.2}\protected@file@percent }
\@writefile{toc}{\contentsline {section}{\numberline {II}\textsc {Korg}\xspace Architecture}{1}{section.2}\protected@file@percent }
\newlabel{sec:design}{{II}{1}{\korg Architecture}{section.2}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-A}}Mathematical Preliminaries}{1}{subsection.2.1}\protected@file@percent }
\newlabel{sub:Mathematical Preliminaries}{{\mbox {II-A}}{1}{Mathematical Preliminaries}{subsection.2.1}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}High-level design}{2}{subsection.2.2}\protected@file@percent }
\newlabel{sub:High-level design}{{\mbox {II-B}}{2}{High-level design}{subsection.2.2}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces A high-level overview of the \textsc {PANDA}\xspace workflow}}{2}{figure.caption.1}\protected@file@percent }
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces A high-level overview of the \textsc {Korg}\xspace workflow}}{2}{figure.caption.1}\protected@file@percent }
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
\newlabel{fig:korg_workflow}{{1}{2}{A high-level overview of the \korg workflow}{figure.caption.1}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-C}}Supported Attacker Models}{2}{subsection.2.3}\protected@file@percent }
@@ -29,7 +29,7 @@
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}{\ignorespaces Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{3}{lstlisting.2}\protected@file@percent }
\newlabel{lst:korg_reordering}{{3}{3}{Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{lstlisting.3}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {3}{\ignorespaces Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{3}{lstlisting.3}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}\textsc {PANDA}\xspace Implementation}{3}{subsection.2.4}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}\textsc {Korg}\xspace Implementation}{3}{subsection.2.4}\protected@file@percent }
\newlabel{sub:impl}{{\mbox {II-D}}{3}{\korg Implementation}{subsection.2.4}{}}
\newlabel{lst:io-file}{{4}{4}{Example I/O file targetting channel "cn"}{lstlisting.4}{}}
\@writefile{lol}{\contentsline {lstlisting}{\numberline {4}{\ignorespaces Example I/O file targetting channel "cn"}}{4}{lstlisting.4}\protected@file@percent }
@@ -54,22 +54,22 @@
\newlabel{sec:case_studies}{{III}{5}{Case Studies}{section.3}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}TCP}{5}{subsection.3.1}\protected@file@percent }
\newlabel{sub:TCP}{{\mbox {III-A}}{5}{TCP}{subsection.3.1}{}}
\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 30}}{5}{TCP}{figure.caption.7}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {PANDA}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{5}{figure.caption.7}\protected@file@percent }
\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 28}}{5}{TCP}{figure.caption.7}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {Korg}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{5}{figure.caption.7}\protected@file@percent }
\newlabel{res:tcp-table}{{2}{5}{Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact}{figure.caption.7}{}}
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Raft}{5}{subsection.3.2}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {III-B}}{5}{Raft}{subsection.3.2}{}}
\citation{Ongaro}
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 93}}{6}{Raft}{figure.caption.8}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {PANDA}\xspace against our buggy Raft \textsc {Promela}\xspace model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \textsc {PANDA}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{6}{figure.caption.8}\protected@file@percent }
\@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Raft}{6}{subsection.3.2}\protected@file@percent }
\newlabel{sub:Raft}{{\mbox {III-B}}{6}{Raft}{subsection.3.2}{}}
\newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 91}}{6}{Raft}{figure.caption.8}{}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {Korg}\xspace against our buggy Raft \textsc {Promela}\xspace model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \textsc {Korg}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{6}{figure.caption.8}\protected@file@percent }
\newlabel{res:raft_table}{{3}{6}{Breakdown of the attacker scenarios assessed with \korg against our buggy Raft \promela model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact}{figure.caption.8}{}}
\@writefile{toc}{\contentsline {section}{\numberline {IV}Proofs of Soundness and Completeness}{6}{section.4}\protected@file@percent }
\newlabel{sec:proofs}{{IV}{6}{Proofs of Soundness and Completeness}{section.4}{}}
\citation{Hippel2022_anonym}
\citation{Hippel2022_anonym}
\citation{Holzmann_1997}
\citation{Hippel2022_anonym}
\citation{Kozen_1977}
@@ -81,14 +81,14 @@
\citation{Henda}
\citation{Ginesin}
\citation{TCPwn}
\bibstyle{IEEEtran}
\bibdata{main}
\bibcite{Lamport_1994}{1}
\bibcite{Holzmann_1997}{2}
\@writefile{toc}{\contentsline {section}{\numberline {V}Related Work}{7}{section.5}\protected@file@percent }
\newlabel{sec:Related Work}{{V}{7}{Related Work}{section.5}{}}
\@writefile{toc}{\contentsline {section}{\numberline {VI}Conclusion}{7}{section.6}\protected@file@percent }
\newlabel{sec:conclusion}{{VI}{7}{Conclusion}{section.6}{}}
\bibstyle{IEEEtran}
\bibdata{main}
\bibcite{Lamport_1994}{1}
\bibcite{Holzmann_1997}{2}
\bibcite{Clarke_Wang}{3}
\bibcite{Basin_Cremers_Dreier_Sasse_2022}{4}
\bibcite{Kobeissi_Nicolas_Tiwari}{5}

99
main.fls
View File

@@ -483,6 +483,50 @@ INPUT /usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm5.tfm
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map
INPUT /usr/share/texmf-dist/fonts/enc/dvips/base/8r.enc
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbi7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT ./assets/diagram3.png
INPUT ./assets/diagram3.png
INPUT ./assets/diagram3.png
INPUT ./assets/diagram3.png
INPUT ./assets/diagram3.png
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr8.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmr6.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/cm/cmmi8.tfm
@@ -496,61 +540,16 @@ INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msam7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm10.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/public/amsfonts/symbols/msbm7.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmrc7t.tfm
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT ./sections/design.tex
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map
INPUT /usr/share/texmf-dist/fonts/enc/dvips/base/8r.enc
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbi7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmbi8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmrc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmri7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmri8r.tfm
INPUT ./assets/diagram-anon.png
INPUT ./assets/diagram-anon.png
INPUT ./assets/diagram-anon.png
INPUT ./assets/diagram-anon.png
INPUT ./assets/diagram-anon.png
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ot1pcr.fd
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmb7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT ./sections/examples.tex
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmbc7t.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/courier/pcrr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/courier/pcrr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmbc7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmb8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/fonts/tfm/adobe/times/ptmr8r.tfm
INPUT /usr/share/texmf-dist/fonts/vf/adobe/times/ptmr7t.vf
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
INPUT /usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd

70
main.log
View File

@@ -1,4 +1,4 @@
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 4 DEC 2024 16:46
This is pdfTeX, Version 3.141592653-2.6-1.40.26 (TeX Live 2024/Arch Linux) (preloaded format=pdflatex 2024.7.2) 16 DEC 2024 14:25
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
@@ -1304,23 +1304,14 @@ Package hyperref Info: Link coloring OFF on input line 65.
\@outlinefile=\write5
\openout5 = `main.out'.
LaTeX Warning: No \author given.
LaTeX Warning: No \author given.
LaTeX Warning: No \author given.
(./sections/abstract.tex) (./sections/introduction.tex
LaTeX Font Info: Trying to load font information for U+msa on input line 7.
(./sections/abstract.tex)
(./sections/introduction.tex
LaTeX Font Info: Trying to load font information for U+msa on input line 13.
(/usr/share/texmf-dist/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2013/01/14 v3.01 AMS symbols A
)
LaTeX Font Info: Trying to load font information for U+msb on input line 7.
LaTeX Font Info: Trying to load font information for U+msb on input line 13.
(/usr/share/texmf-dist/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2013/01/14 v3.01 AMS symbols B
@@ -1330,11 +1321,11 @@ ts/enc/dvips/base/8r.enc}
]
<assets/diagram-anon.png, id=91, 584.1825pt x 222.07968pt>
File: assets/diagram-anon.png Graphic file (type png)
<use assets/diagram-anon.png>
Package pdftex.def Info: assets/diagram-anon.png used on input line 33.
(pdftex.def) Requested size: 258.0pt x 98.08133pt.
<assets/diagram3.png, id=89, 733.99219pt x 277.035pt>
File: assets/diagram3.png Graphic file (type png)
<use assets/diagram3.png>
Package pdftex.def Info: assets/diagram3.png used on input line 33.
(pdftex.def) Requested size: 258.0pt x 97.37796pt.
Overfull \hbox (6.0pt too wide) in paragraph at lines 33--34
[][]
@@ -1359,7 +1350,7 @@ LaTeX Warning: `h' float specifier changed to `ht'.
LaTeX Warning: `h' float specifier changed to `ht'.
[2 <./assets/diagram-anon.png (PNG copy)>] (./sections/examples.tex)
[2 <./assets/diagram3.png (PNG copy)>] (./sections/examples.tex)
LaTeX Font Warning: Font shape `OT1/ptm/m/scit' undefined
(Font) using `OT1/ptm/m/sc' instead on input line 247.
@@ -1370,6 +1361,12 @@ LaTeX Font Info: Trying to load font information for TS1+pcr on input line 3
(/usr/share/texmf-dist/tex/latex/psnfss/ts1pcr.fd
File: ts1pcr.fd 2001/06/04 font definitions for TS1/pcr.
)
Underfull \hbox (badness 2158) in paragraph at lines 360--361
\OT1/ptm/m/n/10 the \OT1/pcr/m/n/10 replay \OT1/ptm/m/n/10 at-tacker gad-gets a
t-tack-ing chan-nels \OT1/pcr/m/n/10 StoR
[]
Underfull \hbox (badness 10000) in paragraph at lines 360--361
[]
@@ -1400,11 +1397,17 @@ Underfull \hbox (badness 4144) in paragraph at lines 19--19
[]
Excluding 'comment' comment. [5]
Underfull \hbox (badness 3646) in paragraph at lines 109--109
Underfull \hbox (badness 3646) in paragraph at lines 107--107
[]\OT1/ptm/m/n/10 Fig. 3: |Break-down of the at-tacker sce-nar-ios as-sessed
[]
Underfull \hbox (badness 2393) in paragraph at lines 107--107
\OT1/ptm/m/n/10 with \OT1/ptm/m/sc/10 Korg \OT1/ptm/m/n/10 against our buggy Ra
ft \OT1/ptm/m/sc/10 Promela \OT1/ptm/m/n/10 model,
[]
LaTeX Warning: `!h' float specifier changed to `!ht'.
) (./sections/proofs.tex
@@ -1430,7 +1433,7 @@ Underfull \hbox (badness 1715) in paragraph at lines 97--99
\OT1/ptm/m/n/10 via the pre-vi-ous the-o-rem we can con-struct B[]uchi Au-
[]
) (./sections/related_work.tex) (./sections/conclusion.tex) (./main.bbl
) (./sections/related_work.tex) (./sections/conclusion.tex) [7] (./main.bbl
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -1443,7 +1446,6 @@ Underfull \hbox (badness 1715) in paragraph at lines 97--99
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
[7]
** WARNING: IEEEtran.bst: No hyphenation pattern has been
** loaded for the language `en'. Using the pattern for
** the default language instead.
@@ -1580,16 +1582,16 @@ L3 programming layer <2024-02-20>
LaTeX Warning: There were multiply-defined labels.
Package rerunfilecheck Info: File `main.out' has not changed.
(rerunfilecheck) Checksum: 27EE6006AAFB1A1E6386C970007B5C60;1792.
(rerunfilecheck) Checksum: E62423E3622D99C1DA4F98881EBEF84A;1782.
)
Here is how much of TeX's memory you used:
41058 strings out of 476076
907883 string characters out of 5793776
2208187 words of memory out of 5000000
62172 multiletter control sequences out of 15000+600000
606090 words of font info for 125 fonts, out of 8000000 for 9000
41056 strings out of 476076
907830 string characters out of 5793776
2207187 words of memory out of 5000000
62171 multiletter control sequences out of 15000+600000
605444 words of font info for 124 fonts, out of 8000000 for 9000
14 hyphenation exceptions out of 8191
99i,11n,101p,1201b,1517s stack positions out of 10000i,1000n,20000p,200000b,200000s
99i,11n,101p,1159b,1394s stack positions out of 10000i,1000n,20000p,200000b,200000s
</usr/share/texmf-dist/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/
texmf-dist/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-dist/fon
ts/type1/public/amsfonts/cm/cmmi5.pfb></usr/share/texmf-dist/fonts/type1/public
@@ -1601,10 +1603,10 @@ lic/amsfonts/cm/cmsy7.pfb></usr/share/texmf-dist/fonts/type1/urw/courier/ucrr8a
.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-
dist/fonts/type1/urw/times/utmbi8a.pfb></usr/share/texmf-dist/fonts/type1/urw/t
imes/utmr8a.pfb></usr/share/texmf-dist/fonts/type1/urw/times/utmri8a.pfb>
Output written on ./main.pdf (8 pages, 266844 bytes).
Output written on ./main.pdf (8 pages, 280569 bytes).
PDF statistics:
565 PDF objects out of 1000 (max. 8388607)
520 compressed objects within 6 object streams
271 named destinations out of 1000 (max. 500000)
562 PDF objects out of 1000 (max. 8388607)
517 compressed objects within 6 object streams
270 named destinations out of 1000 (max. 500000)
130 words of extra memory for PDF output out of 10000 (max. 10000000)

4
main.out
View File

@@ -1,9 +1,9 @@
\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000c\000t\000i\000o\000n}{}% 1
\BOOKMARK [1][-]{section.2}{\376\377\000P\000A\000N\000D\000A\000\040\000A\000r\000c\000h\000i\000t\000e\000c\000t\000u\000r\000e}{}% 2
\BOOKMARK [1][-]{section.2}{\376\377\000K\000o\000r\000g\000\040\000A\000r\000c\000h\000i\000t\000e\000c\000t\000u\000r\000e}{}% 2
\BOOKMARK [2][-]{subsection.2.1}{\376\377\000M\000a\000t\000h\000e\000m\000a\000t\000i\000c\000a\000l\000\040\000P\000r\000e\000l\000i\000m\000i\000n\000a\000r\000i\000e\000s}{section.2}% 3
\BOOKMARK [2][-]{subsection.2.2}{\376\377\000H\000i\000g\000h\000-\000l\000e\000v\000e\000l\000\040\000d\000e\000s\000i\000g\000n}{section.2}% 4
\BOOKMARK [2][-]{subsection.2.3}{\376\377\000S\000u\000p\000p\000o\000r\000t\000e\000d\000\040\000A\000t\000t\000a\000c\000k\000e\000r\000\040\000M\000o\000d\000e\000l\000s}{section.2}% 5
\BOOKMARK [2][-]{subsection.2.4}{\376\377\000P\000A\000N\000D\000A\000\040\000I\000m\000p\000l\000e\000m\000e\000n\000t\000a\000t\000i\000o\000n}{section.2}% 6
\BOOKMARK [2][-]{subsection.2.4}{\376\377\000K\000o\000r\000g\000\040\000I\000m\000p\000l\000e\000m\000e\000n\000t\000a\000t\000i\000o\000n}{section.2}% 6
\BOOKMARK [2][-]{subsection.2.5}{\376\377\000U\000s\000a\000g\000e}{section.2}% 7
\BOOKMARK [1][-]{section.3}{\376\377\000C\000a\000s\000e\000\040\000S\000t\000u\000d\000i\000e\000s}{}% 8
\BOOKMARK [2][-]{subsection.3.1}{\376\377\000T\000C\000P}{section.3}% 9

BIN
main.pdf
View File

Binary file not shown.

BIN
main.synctex.gz
View File

Binary file not shown.

20
main.tex
View File

@@ -31,7 +31,7 @@ comment,adjustbox,mdframed,changepage,algorithm,algorithmic}
\newcommand{\mvh}[1]{\textcolor{magenta}{Max says: {#1}}}
\newcommand{\jg}[1]{\textcolor{purple}{Jake says: {#1}}}
\newcommand{\spin}[0]{\textsc{Spin}\xspace}
\newcommand{\korg}[0]{\textsc{PANDA}\xspace}
\newcommand{\korg}[0]{\textsc{Korg}\xspace}
\newcommand{\promela}[0]{\textsc{Promela}\xspace}
\usepackage{listings}
@@ -69,15 +69,15 @@ comment,adjustbox,mdframed,changepage,algorithm,algorithmic}
}
%\author{\IEEEauthorblockN{Jacob Ginesin}
%\IEEEauthorblockA{\textit{Northeastern University}}
%\and
%\IEEEauthorblockN{Max von Hippel}
%\IEEEauthorblockA{\textit{Northeastern University}}
%\and
%\IEEEauthorblockN{Cristina Nita-Rotaru}
%\IEEEauthorblockA{\textit{Northeastern University}}
%}
\author{\IEEEauthorblockN{Jacob Ginesin}
\IEEEauthorblockA{\textit{Northeastern University}}
\and
\IEEEauthorblockN{Max von Hippel}
\IEEEauthorblockA{\textit{Northeastern University}}
\and
\IEEEauthorblockN{Cristina Nita-Rotaru}
\IEEEauthorblockA{\textit{Northeastern University}}
}
\maketitle

2
sections/case_studies.tex
View File

@@ -23,8 +23,6 @@ For our analysis, we borrow the four LTL properties used in \cite{Pacheco2022},
We evaluated the TCP \promela model against \korg's drop, replay, and reordering attacker models on a single uni-directional communication channel. The resulting breakdown of attacks discovered is shown in Figure \ref{res:tcp-table}.
%Evaluating the canonical TCP model using \korg led us to identify edge-cases in the connection establishment routine that weren't accounted for, leading us to construct a "revised" TCP model accounting for these missing edge cases.
\begin{figure}[h!]
\centering
\label{res:tcp-table}

10
sections/design.tex
View File

@@ -5,7 +5,7 @@ In this section we discuss the details behind the design, formal guarantees, imp
\label{sub:Mathematical Preliminaries}
Linear Temporal Logic (LTL) is a model logic for reasoning about program executions. In LTL, we say a program $P$ \textit{models} a property $\phi$ (notationally, $P \models \phi$). That is, $\phi$ holds over every execution of $P$. If $\phi$ does not hold over every execution of $P$, we say $P \not\models \phi$. The LTL language is given by predicates over a first-order logic with additional temporal operators: \textit{next}, \textit{always}, \textit{eventually}, and \textit{until}.
An LTL model is a tool that, given $P$ and $\phi$, can automatically check whether or not $P \models \phi$; in general, LTL is a \textit{decidable} logic, and LTL model checkers will always be able to decide whether $P \models \phi$ given enough time and resources.
An LTL model checker is a tool that, given $P$ and $\phi$, can automatically check whether or not $P \models \phi$; in general, LTL is a \textit{decidable} logic, and LTL model checkers will always be able to decide whether $P \models \phi$ given enough time and resources.
We use $\mid \mid$ to denote rendezvous composition. That is, if $S = P \mid \mid Q$, processes $P$ and $Q$ are composed together into a singular state machine by matching their equivalent transitions.
@@ -15,13 +15,13 @@ We use $\mid \mid$ to denote rendezvous composition. That is, if $S = P \mid \mi
\subsection{High-level design}%
\label{sub:High-level design}
As aforementioned, \korg is based on \textit{LTL attack synthesis}; in particular, \korg synthesizes attacks with respect to \textit{imperfect} channels. That is, \korg is designed to synthesize attacks that involve replaying, dropping, reordering, or inserting messages on a communication channel.
As aforementioned, \korg is based on \textit{LTL attack synthesis}; in particular, \korg synthesizes attacks with respect to \textit{imperfect} channels. That is, \korg is designed to synthesize attacks that involve replaying, dropping, reordering, or inserting messages on one or more communication channels.
%The methodology behind the construction of \korg is based on \textit{LTL attack synthesis}.
\korg is designed to attack user-specified communication channels in state machine-based formal models of distributed protocols. To use \korg, the user inputs a formal model of a distributed protocol in the \promela language, the communication channel(s) in the formal model they wish to attack, the desired attacker model, and a formalized correctness property for the formal model. The formal model should satisfy the correctness property in absence of \korg.
\korg is designed to attack user-specified communication channels in state machine-based formal models of distributed protocols. To use \korg, the user inputs a formal model of a distributed protocol in the \promela language, the communication channel(s) in the protocol model they wish to attack, the desired attacker model, and a formalized correctness property for the protocol model. The protocol model should satisfy the correctness property in absence of \korg.
Once \korg is invoked, it will modify the user-inputted \promela model such that it integrates the desired attacker model. Then, \korg passes the updated \promela model to the model checker, which performs the exhaustive search or provides an explicit counterexample.
Once \korg is invoked, it will modify the user-inputted \promela model such that it integrates the desired attacker model. Then, \korg passes the updated \promela model to the model checker which performs the exhaustive search for an attack, returning a trace if such an attack is found.
%programs written in formal models. The user inputs a formal model of choice, their desired communication channels to attack, the attacker model of choice, and the correctness property of choice. \korg then invokes the model checker, which exhaustively searches for attacks with respect to the chosen attacker model, formal protocol model, and the correctness property.
%\promela, the modeling language of the \spin model checker. The user inputs a \promela model,
@@ -30,7 +30,7 @@ A high-level visual overview of the \korg pipeline is given in Figure \ref{fig:k
\begin{figure}[h]
\centering
\includegraphics[width=0.5\textwidth]{assets/diagram-anon.png}
\includegraphics[width=0.5\textwidth]{assets/diagram3.png}
\caption{A high-level overview of the \korg workflow}
\label{fig:korg_workflow}
\end{figure}

8
sections/introduction.tex
View File

@@ -4,15 +4,15 @@ Distributed protocols are the foundation for the modern internet, and therefore
%, Blanchet_Smyth_Cheval_Sylvestre
This myriad of formal methods tooling applicable to secure protocols has enabled reasoning about security-relevant properties involving secrecy, authentication, indistinguishability in addition to concurrency, safety, and liveness. However, no previous formal methods tooling offered an effective solution for rigorously studying an attacker that controls communication channels. That is, how do you reason about an attacker that can arbitrarily drop, reorder, replay, or insert messages onto a communication channel?
To fill this gap, we introduce \korg \footnote{\korg is a fictitious name for our system, for double-blind submission.}, a tool for synthesizing attacks on distributed protocols that implements and extends the theoretical framework proposed in \cite{Hippel2022_anonym}. In particular, \korg targets the communication channels between the protocol endpoints, and synthesizes attacks to violate arbitrary linear temporal logic (LTL) specifications. \korg either synthesizes attack, or proves the absence of such via an exhaustive state-space search. \korg is sound and complete, meaning if there exists an attack \korg will find it, and \korg will never have false positives. \korg supports pre-defined attacker models, including attackers that can replay, reorder, or drop messages on channels, as well as custom user-defined attacker models. Although \korg best lends itself for reasoning about denial of service attacks, it can target any specification expressable in LTL.
To fill this gap, we introduce \korg, a tool for synthesizing attacks on distributed protocols that implements and extends the theoretical framework proposed in \cite{Hippel2022_anonym}. In particular, \korg targets the communication channels between the protocol endpoints, and synthesizes attacks to violate arbitrary linear temporal logic (LTL) specifications. \korg either synthesizes attack, or proves the absence of such via an exhaustive state-space search. \korg is sound and complete, meaning if there exists an attack \korg will find it, and \korg will never have false positives. \korg supports pre-defined attacker models, including attackers that can replay, reorder, or drop messages on channels, as well as custom user-defined attacker models. Although \korg best lends itself for reasoning about denial of service attacks, it can target any specification expressable in LTL.
In this work we take an approach rooted in \textit{formal methods} and \textit{automated reasoning} to construct \korg. In particular, we employ \textit{model checking}, a sub-discipline of formal methods, to decidably and automatically find attacks in protocols or prove the absence of such.
We summarize our contributions:
\begin{itemize}
\item We present \korg, a tool for synthesizing attacks against communication protocols. \korg supports four general attacker model gadgets: an attacker that can drop, replay, reorder, or insert messages on a channel.
\item We provide and overview of \korg and show how it can be used through an example of the ABP protocol.
\item We present two case studies for two well-known protocols TCP and Raft, illustrating the usefulness of \korg.
\item We present \korg, a tool for synthesizing attacks against distributed communication protocols. \korg supports four general attacker models: an attacker that can drop, replay, reorder, or insert messages on a channel.
\item We provide an overview of \korg and demonstrate its usage by walking through applying it to the ABP protocol
\item We present two case studies for two well-known protocols, TCP and Raft, illustrating the usefulness of \korg.
\end{itemize}
We release our code and our models as open source at \url{https://anonymous.4open.science/r/attacksynth-artifact-1B5D}.