147 lines
12 KiB
TeX
147 lines
12 KiB
TeX
\relax
|
|
\providecommand\zref@newlabel[2]{}
|
|
\providecommand\hyper@newdestlabel[2]{}
|
|
\providecommand\HyField@AuxAddToFields[1]{}
|
|
\providecommand\HyField@AuxAddToCoFields[2]{}
|
|
\citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Ongaro_Ousterhout}
|
|
\citation{Delzanno_Tatarek_Traverso_2014,ironfleet,Rahli_Vukotic_Völp_Esteves-Verissimo_2018}
|
|
\citation{Sergey_Wilcox_Tatlock_2018,ironfleet}
|
|
\citation{Smith_1997,Narayana_Chen_Zhao_Chen_Fu_Zhou_2006,Arun_Arashloo_Saeed_Alizadeh_Balakrishnan_2021,Beurdouche}
|
|
\providecommand \oddpage@label [2]{}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{1}{section.1}\protected@file@percent }
|
|
\newlabel{sec:introduction}{{1}{1}{Introduction}{section.1}{}}
|
|
\citation{Hippel2022}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {2}Attacker Gadgets}{2}{section.2}\protected@file@percent }
|
|
\newlabel{sec:Attacker Gadgets}{{2}{2}{Attacker Gadgets}{section.2}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces high-level state machine diagram of the \textit {drop} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined.}}{2}{figure.caption.1}\protected@file@percent }
|
|
\providecommand*\caption@xref[2]{\@setref\relax\@undefined{#1}}
|
|
\newlabel{fig:drop}{{1}{2}{high-level state machine diagram of the \textit {drop} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined}{figure.caption.1}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces High-level state machine diagram of the \textit {replay} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined. \texttt {buf} is a simple FIFO buffer of length \texttt {lim}.}}{2}{figure.caption.2}\protected@file@percent }
|
|
\newlabel{fig:replay}{{2}{2}{High-level state machine diagram of the \textit {replay} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined. \texttt {buf} is a simple FIFO buffer of length \texttt {lim}}{figure.caption.2}{}}
|
|
\citation{Holzmann_2014}
|
|
\citation{Holzmann_Smith_2000}
|
|
\citation{mcp}
|
|
\citation{message_queues_TLA}
|
|
\citation{Hsieh_Mitra_2019}
|
|
\citation{mCRL2}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces High-level state machine diagram of the \textit {reorder} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined. \texttt {buf} is a simple FIFO buffer of length \texttt {lim}.}}{3}{figure.caption.3}\protected@file@percent }
|
|
\newlabel{fig:reorder}{{3}{3}{High-level state machine diagram of the \textit {reorder} attacker gadget, attacking a channel \texttt {chan}. A natural number \texttt {lim} is pre-defined. \texttt {buf} is a simple FIFO buffer of length \texttt {lim}}{figure.caption.3}{}}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {3}\textsc {Panda}\xspace Architecture}{3}{section.3}\protected@file@percent }
|
|
\newlabel{sec:design}{{3}{3}{\korg Architecture}{section.3}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}High-level design}{3}{subsection.3.1}\protected@file@percent }
|
|
\newlabel{sub:High-level design}{{3.1}{3}{High-level design}{subsection.3.1}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}\textsc {Panda}\xspace Implementation}{3}{subsection.3.2}\protected@file@percent }
|
|
\newlabel{sub:impl}{{3.2}{3}{\korg Implementation}{subsection.3.2}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces A high-level overview of the \textsc {Panda}\xspace workflow}}{3}{figure.caption.4}\protected@file@percent }
|
|
\newlabel{fig:korg_workflow}{{4}{3}{A high-level overview of the \korg workflow}{figure.caption.4}{}}
|
|
\newlabel{lst:spin-model}{{1}{3}{Example \promela model of peers communicating over a channel. \texttt {!} indicates sending a message onto a channel, \texttt {?} indicates receiving a message from a channel}{lstlisting.1}{}}
|
|
\@writefile{lol}{\contentsline {lstlisting}{\numberline {1}{\ignorespaces Example \textsc {Promela}\xspace model of peers communicating over a channel. \texttt {!} indicates sending a message onto a channel, \texttt {?} indicates receiving a message from a channel.}}{3}{lstlisting.1}\protected@file@percent }
|
|
\newlabel{lst:korg_drop}{{\caption@xref {lst:korg_drop}{ on input line 117}}{4}{\korg Implementation}{figure.caption.5}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}}{4}{figure.caption.5}\protected@file@percent }
|
|
\newlabel{lst:korg_drop}{{5}{4}{Example dropping attacker model gadget with drop limit of 3, targetting channel "cn"}{figure.caption.5}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{4}{figure.caption.6}\protected@file@percent }
|
|
\newlabel{lst:korg_replay}{{6}{4}{Example replay attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{figure.caption.6}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}}{5}{figure.caption.7}\protected@file@percent }
|
|
\newlabel{lst:korg_reordering}{{7}{5}{Example reordering attacker model gadget with the selected replay limit as 3, targetting channel "cn"}{figure.caption.7}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Usage}{5}{subsection.3.3}\protected@file@percent }
|
|
\newlabel{sub:Usage}{{3.3}{5}{Usage}{subsection.3.3}{}}
|
|
\citation{Cluzel_Georgiou_Moy_Zeller_2021,Smith_1997,Pacheco2022}
|
|
\citation{Pacheco2022}
|
|
\citation{Pacheco2022}
|
|
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016,Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Ongaro}
|
|
\citation{Ongaro}
|
|
\citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}
|
|
\newlabel{lst:abp}{{2}{6}{Example (simplified) \promela model of the alternating bit protocol}{lstlisting.2}{}}
|
|
\@writefile{lol}{\contentsline {lstlisting}{\numberline {2}{\ignorespaces Example (simplified) \textsc {Promela}\xspace model of the alternating bit protocol.}}{6}{lstlisting.2}\protected@file@percent }
|
|
\newlabel{lst:korg-shell}{{3.3}{6}{}{lstlisting.-5}{}}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {4}Case Studies}{6}{section.4}\protected@file@percent }
|
|
\newlabel{sec:case_studies}{{4}{6}{Case Studies}{section.4}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}TCP}{6}{subsection.4.1}\protected@file@percent }
|
|
\newlabel{sub:TCP}{{4.1}{6}{TCP}{subsection.4.1}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Raft}{6}{subsection.4.2}\protected@file@percent }
|
|
\newlabel{sub:Raft}{{4.2}{6}{Raft}{subsection.4.2}{}}
|
|
\citation{Ongaro}
|
|
\citation{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}
|
|
\citation{Ginesin2024}
|
|
\citation{rfc9260}
|
|
\citation{Kobeissi_Nicolas_Tiwari,Proverif,Tamarin,Cremers}
|
|
\citation{Blanchet_Jacomme,Pereira}
|
|
\citation{ParnoSOK,Basin_Cremers_Meadows_2018}
|
|
\citation{Khan_Mukund_Suresh_2005,Clarke_Wang,wayne_adversaries,Narayana_Chen_Zhao_Chen_Fu_Zhou_2006,Delzanno_Tatarek_Traverso_2014}
|
|
\newlabel{res:tcp-table}{{\caption@xref {res:tcp-table}{ on input line 28}}{7}{TCP}{figure.caption.8}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \textsc {Panda}\xspace proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact.}}{7}{figure.caption.8}\protected@file@percent }
|
|
\newlabel{res:tcp-table}{{8}{7}{Automatically discovered attacks against our TCP model for $\phi _1$ through $\phi _4$. "x" indicates an attack was discovered, and no "x" indicates \korg proved the absence of an attack via an exhaustive search. These experiments were ran on a laptop with an eighth generation i7 and 16gb of memory. Full attack traces are available in the artifact}{figure.caption.8}{}}
|
|
\newlabel{res:raft_table}{{\caption@xref {res:raft_table}{ on input line 91}}{7}{Raft}{figure.caption.9}{}}
|
|
\@writefile{lof}{\contentsline {figure}{\numberline {9}{\ignorespaces Breakdown of the attacker scenarios assessed with \textsc {Panda}\xspace against our buggy Raft \textsc {Promela}\xspace model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \textsc {Panda}\xspace synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact.}}{7}{figure.caption.9}\protected@file@percent }
|
|
\newlabel{res:raft_table}{{9}{7}{Breakdown of the attacker scenarios assessed with \korg against our buggy Raft \promela model, \texttt {raft-bug.pml}. In all experiments, the Raft model was set to five peers and the drop/replay limits of the gadgets \korg synthesized were set to two. We conducted our experiments on a research computing cluster, allocating 250GB of memory to each verification run. The full models and attacker traces are included in the artifact}{figure.caption.9}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}SCTP}{7}{subsection.4.3}\protected@file@percent }
|
|
\newlabel{sub:SCTP}{{4.3}{7}{SCTP}{subsection.4.3}{}}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {5}Related Work}{7}{section.5}\protected@file@percent }
|
|
\newlabel{sec:Related Work}{{5}{7}{Related Work}{section.5}{}}
|
|
\citation{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson,Castro_Liskov_2002,Delzanno_Tatarek_Traverso_2014}
|
|
\citation{Henda}
|
|
\citation{Ginesin}
|
|
\citation{TCPwn}
|
|
\citation{Hippel2022}
|
|
\bibstyle{plain}
|
|
\bibdata{main}
|
|
\bibcite{Arun_Arashloo_Saeed_Alizadeh_Balakrishnan_2021}{1}
|
|
\bibcite{ParnoSOK}{2}
|
|
\bibcite{Tamarin}{3}
|
|
\bibcite{Basin_Cremers_Meadows_2018}{4}
|
|
\bibcite{Henda}{5}
|
|
\bibcite{Beurdouche}{6}
|
|
\bibcite{Blanchet_Jacomme}{7}
|
|
\bibcite{Proverif}{8}
|
|
\bibcite{mCRL2}{9}
|
|
\bibcite{Castro_Liskov_2002}{10}
|
|
\bibcite{Clarke_Wang}{11}
|
|
\bibcite{Cluzel_Georgiou_Moy_Zeller_2021}{12}
|
|
\bibcite{Cremers}{13}
|
|
\bibcite{Delzanno_Tatarek_Traverso_2014}{14}
|
|
\bibcite{Ginesin2024}{15}
|
|
\bibcite{Ginesin}{16}
|
|
\bibcite{ironfleet}{17}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {6}Conclusion}{8}{section.6}\protected@file@percent }
|
|
\newlabel{sec:conclusion}{{6}{8}{Conclusion}{section.6}{}}
|
|
\bibcite{Holzmann_2014}{18}
|
|
\bibcite{Holzmann_Smith_2000}{19}
|
|
\bibcite{Holzmann_1997}{20}
|
|
\bibcite{Hsieh_Mitra_2019}{21}
|
|
\bibcite{TCPwn}{22}
|
|
\bibcite{Khan_Mukund_Suresh_2005}{23}
|
|
\bibcite{Kobeissi_Nicolas_Tiwari}{24}
|
|
\bibcite{Kozen_1977}{25}
|
|
\bibcite{Narayana_Chen_Zhao_Chen_Fu_Zhou_2006}{26}
|
|
\bibcite{Ongaro}{27}
|
|
\bibcite{Ongaro_Ousterhout}{28}
|
|
\bibcite{Pacheco2022}{29}
|
|
\bibcite{Pereira}{30}
|
|
\bibcite{Rahli_Vukotic_Völp_Esteves-Verissimo_2018}{31}
|
|
\bibcite{Sergey_Wilcox_Tatlock_2018}{32}
|
|
\bibcite{Smith_1997}{33}
|
|
\bibcite{rfc9260}{34}
|
|
\bibcite{mcp}{35}
|
|
\bibcite{Hippel2022}{36}
|
|
\bibcite{message_queues_TLA}{37}
|
|
\bibcite{wayne_adversaries}{38}
|
|
\bibcite{Wilcox_Woos_Panchekha_Tatlock_Wang_Ernst_Anderson}{39}
|
|
\bibcite{Woos_Wilcox_Anton_Tatlock_Ernst_Anderson_2016}{40}
|
|
\citation{Hippel2022}
|
|
\citation{Hippel2022}
|
|
\citation{Hippel2022}
|
|
\citation{Hippel2022}
|
|
\@writefile{toc}{\contentsline {section}{\numberline {7}Appendix}{10}{section.7}\protected@file@percent }
|
|
\newlabel{sec:appendix}{{7}{10}{Appendix}{section.7}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {7.1}Mathematical Preliminaries}{10}{subsection.7.1}\protected@file@percent }
|
|
\newlabel{sub:Mathematical Preliminaries}{{7.1}{10}{Mathematical Preliminaries}{subsection.7.1}{}}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {7.2}Arguments for \textsc {Panda}\xspace 's Soundness, Completeness, and Complexity}{10}{subsection.7.2}\protected@file@percent }
|
|
\newlabel{sub:Proofs of Soundness and Completeness}{{7.2}{10}{Arguments for \korg 's Soundness, Completeness, and Complexity}{subsection.7.2}{}}
|
|
\citation{Hippel2022}
|
|
\citation{Holzmann_1997}
|
|
\citation{Hippel2022}
|
|
\citation{Kozen_1977}
|
|
\@writefile{toc}{\contentsline {subsection}{\numberline {7.3}Priorities \& On-the-fly B\"uchi Automata Composition}{11}{subsection.7.3}\protected@file@percent }
|
|
\newlabel{sub:Priority \& On-the-fly B\"uchi Automata Composition}{{7.3}{11}{Priorities \& On-the-fly B\"uchi Automata Composition}{subsection.7.3}{}}
|
|
\gdef \@abspage@last{11}
|