\relax \providecommand\zref@newlabel[2]{} \providecommand\hyper@newdestlabel[2]{} \providecommand\HyField@AuxAddToFields[1]{} \providecommand\HyField@AuxAddToCoFields[2]{} \citation{Lamport_1994,Holzmann_1997,Clarke_Wang} \citation{Basin_Cremers_Dreier_Sasse_2022,Blanchet_Smyth_Cheval_Sylvestre,Kobeissi_Nicolas_Tiwari,Blanchet_Jacomme,Basin_Linker_Sasse} \citation{Hippel2022_anonym} \providecommand \oddpage@label [2]{} \@writefile{toc}{\contentsline {section}{\numberline {I}Introduction}{1}{section.1}\protected@file@percent } \newlabel{sec:introduction}{{I}{1}{Introduction}{section.1}{}} \@writefile{toc}{\contentsline {section}{\numberline {II}\textsc {PANDA}\xspace Architecture}{1}{section.2}\protected@file@percent } \newlabel{sec:design}{{II}{1}{\korg Architecture}{section.2}{}} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-A}}Mathematical Preliminaries}{1}{subsection.2.1}\protected@file@percent } \newlabel{sub:Mathematical Preliminaries}{{\mbox {II-A}}{1}{Mathematical Preliminaries}{subsection.2.1}{}} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-B}}High-level design}{1}{subsection.2.2}\protected@file@percent } \newlabel{sub:High-level design}{{\mbox {II-B}}{1}{High-level design}{subsection.2.2}{}} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-C}}Supported Attacker Models}{2}{subsection.2.3}\protected@file@percent } \newlabel{sub:Supported Attacker Models}{{\mbox {II-C}}{2}{Supported Attacker Models}{subsection.2.3}{}} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-D}}\textsc {PANDA}\xspace Implementation}{2}{subsection.2.4}\protected@file@percent } \newlabel{sub:impl}{{\mbox {II-D}}{2}{\korg Implementation}{subsection.2.4}{}} \newlabel{lst:spin-model}{{6}{2}{Example \promela model of peers communicating over a channel. \texttt {!} indicates sending a message onto a channel, \texttt {?} indicates receiving a message from a channel}{lstlisting.6}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {6}{\ignorespaces Example \textsc {Promela}\xspace model of peers communicating over a channel. \texttt {!} indicates sending a message onto a channel, \texttt {?} indicates receiving a message from a channel.}}{2}{lstlisting.6}\protected@file@percent } \@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces A high-level overview of the \textsc {PANDA}\xspace workflow}}{3}{figure.caption.1}\protected@file@percent } \providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}} \newlabel{fig:korg_workflow}{{1}{3}{A high-level overview of the \korg workflow}{figure.caption.1}{}} \newlabel{lst:korg_drop}{{1}{3}{Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{lstlisting.1}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {1}{\ignorespaces Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}}{3}{lstlisting.1}\protected@file@percent } \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {II-E}}Usage}{3}{subsection.2.5}\protected@file@percent } \newlabel{sub:Usage}{{\mbox {II-E}}{3}{Usage}{subsection.2.5}{}} \newlabel{lst:abp}{{8}{3}{Example (simplified) \promela model of the alternating bit protocol}{lstlisting.8}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {8}{\ignorespaces Example (simplified) \textsc {Promela}\xspace model of the alternating bit protocol.}}{3}{lstlisting.8}\protected@file@percent } \newlabel{lst:korg_replay}{{2}{4}{Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{lstlisting.2}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {2}{\ignorespaces Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{4}{lstlisting.2}\protected@file@percent } \newlabel{lst:korg-shell}{{\mbox {II-E}}{4}{}{lstlisting.-1}{}} \newlabel{lst:korg_reordering}{{3}{4}{Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{lstlisting.3}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {3}{\ignorespaces Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{4}{lstlisting.3}\protected@file@percent } \citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022} \citation{Pacheco2022} \citation{Pacheco2022} \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro} \citation{Ongaro} \newlabel{lst:io-file}{{4}{5}{Example I/O file targetting channel "cn"}{lstlisting.4}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {4}{\ignorespaces Example I/O file targetting channel "cn"}}{5}{lstlisting.4}\protected@file@percent } \newlabel{lst:io-file-synth}{{5}{5}{Example gadget synthesized from an I/O file targetting the channel "cn"}{lstlisting.5}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {5}{\ignorespaces Example gadget synthesized from an I/O file targetting the channel "cn"}}{5}{lstlisting.5}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {III}Case Studies}{5}{section.3}\protected@file@percent } \newlabel{sec:case_studies}{{III}{5}{Case Studies}{section.3}{}} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-A}}TCP}{5}{subsection.3.1}\protected@file@percent } \newlabel{sub:TCP}{{\mbox {III-A}}{5}{TCP}{subsection.3.1}{}} \newlabel{lst:drop_passer}{{7}{5}{Example dropping attacker model gadget with message skipping}{lstlisting.7}{}} \@writefile{lol}{\contentsline {lstlisting}{\numberline {7}{\ignorespaces Example dropping attacker model gadget with message skipping}}{5}{lstlisting.7}\protected@file@percent } \newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 42}}{5}{TCP}{figure.caption.7}{}} \@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {PANDA}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{5}{figure.caption.7}\protected@file@percent } \citation{Ongaro} \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016} \citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016} \bibstyle{IEEEtran} \bibdata{main} \bibcite{Lamport_1994}{1} \bibcite{Holzmann_1997}{2} \bibcite{Clarke_Wang}{3} \bibcite{Basin_Cremers_Dreier_Sasse_2022}{4} \bibcite{Blanchet_Smyth_Cheval_Sylvestre}{5} \bibcite{Kobeissi_Nicolas_Tiwari}{6} \bibcite{Blanchet_Jacomme}{7} \bibcite{Basin_Linker_Sasse}{8} \bibcite{Hippel2022_anonym}{9} \bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{10} \bibcite{Smith_1997}{11} \bibcite{Pacheco2022}{12} \bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{13} \@writefile{toc}{\contentsline {subsection}{\numberline {\mbox {III-B}}Raft}{6}{subsection.3.2}\protected@file@percent } \newlabel{sub:Raft}{{\mbox {III-B}}{6}{Raft}{subsection.3.2}{}} \newlabel{res:raft-table}{{\caption@xref {res:raft-table}{ on input line 92}}{6}{Raft}{figure.caption.8}{}} \@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {PANDA}\xspace against our Raft \textsc {Promela}\xspace model. In all experiments, Raft was set to five peers and the drop/replay limits of the gadgets \textsc {PANDA}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{6}{figure.caption.8}\protected@file@percent } \@writefile{toc}{\contentsline {section}{\numberline {IV}Conclusion}{6}{section.4}\protected@file@percent } \newlabel{sec:conclusion}{{IV}{6}{Conclusion}{section.4}{}} \@writefile{toc}{\contentsline {section}{References}{6}{section*.9}\protected@file@percent } \bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{14} \bibcite{Ongaro}{15} \gdef \@abspage@last{7}