MSR Papers

MSR 3

Logical foundations

The following two papers lay out the foundations of MSR 3 as a rewriting interpretation of a large fragment of linear logic. They differ in their technical development: the longer journal version takes a historical perspective and establishes MSR 3 through a series of intermediate logical formalisms; the technical report takes a more intuitive approach that is based on an alternative reading of the sequent rules of linear logic.

• Iliano Cervesato, Andre Scedrov: "Relating State-Based and Process-Based Concurrency through Linear Logic", Information and Computation, (to appear), Elsevier, 2009. (Find more here)
• Iliano Cervesato: "The Logical Meeting Point of Multiset Rewriting and Process Algebra: Progress Report", Technical Memo CHACS-5540-153, Center for High Assurance Computer Systems, Naval Research Laboratory, Washington, DC, September 2004. (Find more here)

MSR 2

Implementation

This paper describes the formal elements underlying the implementation of MSR 2 into an extension of rewriting logic with dependent types, and eventually into the Maude untyped rewriting engine.

• Iliano Cervesato, Mark-Oliver Stehr: "Representing the MSR Cryptoprotocol Specification Language in an Extension of Rewriting Logic with Dependent Types", Higher-Order and Symbolic Computation, vol. 20(1/2) (Narciso Martí-Oliet, Grigore Rosu and Carolyn Talcott, editors), pp. 3-35, Kluwer Academic Publishing, June 2007. (Find more here; for earlier versions of this paper, see here)

Specification of Kerberos V

The papers below summarize the outcomes of a project which used MSR 2 to specify and analyze the popular Kerberos 5 authentication protocol. The results of this analysis showed that the core Kerberos protocol is sound, but it also revealed a number of anomalies that led the IETF Kerberos Working Group to modify its public specification documents (see CSFW'02 and TCS'06 papers below). It also unveiled correct but dangerous behaviors in the cross-realm authentication semantics of Kerberos 5 (see WITS'05 paper). Most recently, the project exposed a serious attack on PKINIT, a popular extension of Kerberos 5: this led the IETF to modify the specifications of PKINIT and Microsoft to immediately issue a security update for all versions of Windows (see I&C'08 paper).

• Iliano Cervesato, Aaron D. Jaggard, Joe-Kai Tsay, Andre Scedrov and Christopher Walstad: "Breaking and Fixing Public-Key Kerberos", Information and Computation, vol. 206(2-4), pp. 402-424, Elsevier, April 2008. (Find more here; for earlier versions of this paper, see here and here)
• Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov and Christopher Walstad: "Specifying Kerberos 5 Cross-Realm Authentication", Fifth Workshop on Issues in the Theory of Security - WITS'05 (Catherine Meadows and Jan Jürjens, editors), pp. 12-26, ACM Digital Library, Long Beach, CA, January 2005. (Find more here)
• Iliano Cervesato, Frederic Butler, Aaron D. Jaggard, Andre Scedrov and Christopher Walstad: "Formal Analysis of Kerberos 5", Theoretical Computer Science, vol. 367(1-2), pp. 57-87, November 2006. (Find more here)
• Iliano Cervesato, Frederic Butler, Aaron D. Jaggard and Andre Scedrov: "A Formal Analysis of Some Properties of Kerberos 5 Using MSR", Fifteenth Computer Security Foundations Workshop, pp. 175-190, 2002. (Find more here; for an extended versions of this paper, see here; for a revised version, see here)

Foundational Studies about Security Protocols

The series of papers below leverage the type system of MSR 2 to study the concept of an attacker in a cryptographic protocol. The second introduces the notion of "data access specification" (DAS) rules and uses them to show that the standard Dolev-Yao attacker specification can emulate the actions of an arbitrary symbolic adversary, thereby providing a formal justification of its use in almost all automated tools. The first shows that the Dolev-Yao intruder rules can be automatically reconstructed from the DAS rules, and that the DAS rules can themselves be inferred from annotated typing declarations for the various message constructors.

• Iliano Cervesato: "The Wolf Within", Second Workshop on Issues in the Theory of Security, 2002. (Find more here)
• Iliano Cervesato: "Data Access Specification and the Most Powerful Symbolic Attacker in MSR", Post-proceedings of the 2002 Mext-NSF-JSPS International Symposium - ISSS'02 (M. Okada, B. Pierce, Andre Scedrov, H. Tokuda and A. Yonezawa, editors), pp. 384-416, Springer-Verlag LNCS 2609, Tokyo, Japan, November 2002. (Find more here; for earlier versions of this paper, see here)

Language Description

The papers below describe early designs of MSR 2 and give a number of examples. While the general idea is captured in these papers, it does not account for some of the extension that were added during the implementation phase (see above). An up-to-date formal specification of MSR 2 is almost complete.

• Iliano Cervesato: "A Specification Language for Crypto-Protocols based on Multiset Rewriting, Dependent Types and Subsorting", Workshop on Specification, Analysis and Validation for Emerging Technologies, pp. 1-22, 2001. (Find more here)
• Iliano Cervesato: "Typed MSR: Syntax and Examples", First International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security, pp. 159-177, 2001. (Find more here)
• Iliano Cervesato: "Typed Multiset Rewriting Specifications of Security Protocols", First Irish Conference on the Mathematical Foundations of Computer Science and Information Technology, pp. 1-43, 2000. (Find more here)

MSR 1.0

Decidability of Protocol Verification

The two papers below, from which MSR originated, established the first undecidability results for crypto-protocol verification (more specifically of the secrecy problem). Since then this line of investigation has been picked up by numerous researchers who specialized our results to particular classes of protocols.

• Nancy Durgin, Patrick D. Lincoln, John C. Mitchell and Andre Scedrov: "Undecidability of bounded security protocols", FLoC'99 Workshop on Formal Methods and Security Protocols - FMSP'99, Trento, Italy, 5 July, 1999.
• Iliano Cervesato, Nancy Durgin, Patrick D. Lincoln, John C. Mitchell and Andre Scedrov: "A Meta-Notation for Protocol Analysis", 12th Computer Security Foundations Workshop, pp. 55-69, 1999. (Find more here)

Relation to Other Formalisms

This initial version of MSR also proved to be a formidable neutral ground where to formally relate the major families of languages for expressing protocols: the papers below build bridges between MSR 1 and the popular strand spaces, process algebras, and linear logic. This formally justified the independent development of the CAPSL Intermediate Language, a middleware that allowed translating specifications written in the language of one verification tool to the language of another.

• Iliano Cervesato, Nancy Durgin, Max I. Kanovich and Andre Scedrov: "Interpreting Strands in Linear Logic", 2000 Workshop on Formal Methods and Computer Security, 2000. (Find more here)
• Iliano Cervesato, Nancy Durgin, Patrick D. Lincoln, John C. Mitchell and Andre Scedrov: "A Comparison between Strand Spaces and Multiset Rewriting for Security Protocol Analysis", Journal of Computer Security, vol. 13(2), pp. 265-316, IOS Press, April 2005. (Find more here; for earlier versions of this paper, see here and here)
• Stefano Bistarelli, Iliano Cervesato, Gabriele Lenzini and Fabio Martinelli: "Relating Multiset Rewriting and Process Algebras for Security Protocol Analysis", Journal of Computer Security, vol. 13(1) (Roberto Gorrieri, editor), pp. 3-47, IOS Press, February 2005. (Find more here; for earlier versions of this paper, see here and here)

Attacker Models

This paper relies on MSR 1 to show that all attacks that can be mounted by a traditional Dolev-Yao intruder against common cryptographic protocols can be enacted by an apparently weaker "Machiavellian" adversary in which compromised principals will not share long-term secrets and will not send arbitrary messages. It also shows that a Dolev-Yao adversary composed of multiple compromised principals is attack-equivalent to an adversary consisting of a single dishonest principal who is only willing to produce messages in valid protocol form.

• Iliano Cervesato, Catherine Meadows and Paul F. Syverson: "Dolev-Yao is no better than Machiavelli", First Workshop on Issues in the Theory of Security - WITS'00 (P. Degano, editor), Geneva, Switzerland, 8-9 July 2000. (Find more here)

Quantitative Protocol Analysis

The traditional Dolev-Yao model of security limits attacks to "computationally feasible" operations. This paper depart from this model by exploring a small extension of MSR 1 that assigns a cost to protocol actions, both of the Dolev-Yao kind as well as non traditional forms such as computationally-hard operations, guessing, principal subversion, and failure. This quantitative approach enables evaluating protocol resilience to various forms of denial of service, guessing attacks, and resource limitation.

• Iliano Cervesato: "Towards a Notion of Quantitative Security Analysis", post-conference proceedings of the First Workshop on Quality of Protection - QoP'05, (Dieter Gollmann, Fabio Massacci and Artsiom Yautsiukhin, editors), pp. 131-144, Springer-Verlag Advances in Information Security 23, 2006. (Find more here; for earlier versions of this paper, see here)

Last modified: Fri Dec 31, 10 [an error occurred while processing this directive]