<?xml version="1.0" encoding="iso-8859-1" ?>
<rss version="2.0">
<channel>
<title>Iliano Cervesato</title>
<copyright>Copyright (c) 2009  All rights reserved.</copyright>
<link>http://works.bepress.com/iliano_cervesato</link>
<description>Recent documents in Iliano Cervesato</description>
<language>en-us</language>
<lastBuildDate>Thu, 30 Jul 2009 14:19:06 PDT</lastBuildDate>
<ttl>3600</ttl>

<item>
<title>NEXCEL, a Deductive Spreadsheet</title>
<link>http://works.bepress.com/iliano_cervesato/7</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/7</guid>
<pubDate>Wed, 29 Jul 2009 01:32:21 PDT</pubDate>
<description>Usability and usefulness have made the spreadsheet one of the most successful computing applications of all time: millions rely on it every day for anything from typing grocery lists to developing multimillion dollar budgets. One thing spreadsheets are not very good at is manipulating symbolic data and helping users make decisions based on them. By tapping into recent research in Logic Programming, Databases and Cognitive Psychology, we propose a deductive extension to the spreadsheet paradigm which addresses precisely this issue. The accompanying tool, which we call NEXCEL, is intended as an automated assistant for the daily reasoning and decision-making needs of computer users, in the same way as a spreadsheet application such as Microsoft Excel assists them every day with calculations simple and complex. Users without formal training in Logic or even Computer Science can interactively define logical rules in the same simple way as they define formulas in Excel. NEXCEL immediately evaluates these rules thereby returning lists of values that satisfy them, again just like with numerical formulas. The deductive component is seamlessly integrated into the traditional spreadsheet so that a user not only still has access to the usual functionalities, but is able to use them as part of the logical inference and, dually, to embed deductive steps in a numerical calculation.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>A Formal Analysis of Some Properties of Kerberos 5 Using MSR</title>
<link>http://works.bepress.com/iliano_cervesato/8</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/8</guid>
<pubDate>Wed, 29 Jul 2009 01:32:21 PDT</pubDate>
<description>We give three formalizations of the Kerberos 5 authentication protocol in the Multi-Set Rewriting (MSR) formalism. One is a high-level formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a variety of protocol options; we similarly refine proofs of properties in the first formalization to prove properties of the second formalization. Our third formalization adds timestamps to the first formalization but has not been analyzed extensively. The various proofs make use of rank and corank functions, inspired by work of Schneider in CSP, and provide examples of reasoning about real-world protocols in MSR. We also note some potentially curious protocol behavior; given our positive results, this does not compromise the security of the protocol.</description>

<author>Frederick Butler</author>


</item>


<item>
<title>Relating State-Based and Process-Based Concurrency through Linear Logic</title>
<link>http://works.bepress.com/iliano_cervesato/6</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/6</guid>
<pubDate>Wed, 29 Jul 2009 01:32:20 PDT</pubDate>
<description>This paper has the purpose of reviewing some of the established relationships between logic and concurrency, and of exploring new ones. Concurrent and distributed systems are notoriously hard to get right. Therefore, following an approach that has proved highly beneficial for sequential programs, much effort has been invested in tracing the foundations of concurrency in logic. The starting points of such investigations have been various idealized languages of concurrent and distributed programming, in particular the well-established state-transformation model inspired by Petri nets and multiset rewriting, and the prolific process-based models such as the &#960;-calculus and other process algebras. In nearly all cases, the target of these investigations has been linear logic, a formal language that supports a view of formulas as consumable resources. In the first part of this paper, we review some of these interpretations of concurrent languages into linear logic and observe that, possibly modulo duality, they invariably target a small semantic fragment of linear logic that we call LV&lt;sup&gt;obs&lt;/sup&gt;. In the second part of the paper, we propose a new approach to understanding concurrent and distributed programming as a manifestation of logic, which yields a language that merges those two main paradigms of concurrency. Specifically, we present a new semantics for multiset rewriting founded on an alternative view of linear logic and specifically LV&lt;sup&gt;obs&lt;/sup&gt;. The resulting interpretation is extended with a majority of linear connectives into the language of &#969;-multisets. This interpretation drops the distinction between multiset elements and rewrite rules, and considerably enriches the expressive power of standard multiset rewriting with embedded rules, choice, replication, and more. Derivations are now primarily viewed as open objects, and are closed only to examine intermediate rewriting states. The resulting language can also be interpreted as a process algebra. For example, a simple translation maps process constructors of the asynchronous &#960;-calculus to rewrite operators. The language of &#969;-multisets forms the basis for the security protocol specification language MSR 3. With relations to both multiset rewriting and process algebra, it supports specifications that are process-based, state-based, or of a mixed nature, with the potential of combining verification techniques from both worlds. Additionally, its logical underpinning makes it an ideal common ground for systematically comparing protocol specification languages.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>On Teaching Programming Languages Using a Wiki</title>
<link>http://works.bepress.com/iliano_cervesato/4</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/4</guid>
<pubDate>Wed, 29 Jul 2009 01:32:20 PDT</pubDate>
<description>This paper reports on an ongoing experiment with using a wiki as support material for CMU-CS 15-212, a sophomore-level course on advanced programming concepts and skills. We found that the use of a wiki promotes participatory learning and encourages the students to read upcoming material before class. Future developments include pairing up the wiki with an e-tutor and supporting delivery to small-screen devices such as PDAs and smartphones. A wiki is also a natural medium for a repository for essential programming language concepts and material for teaching such concepts.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>Breaking and Fixing Public-Key Kerberos</title>
<link>http://works.bepress.com/iliano_cervesato/5</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/5</guid>
<pubDate>Wed, 29 Jul 2009 01:32:20 PDT</pubDate>
<description>We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT--including the one adopted by the IETF--that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>One Picture is Worth a Dozen Connectives: A Fault-Tree Representation of NPATRL Security Requirements</title>
<link>http://works.bepress.com/iliano_cervesato/2</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/2</guid>
<pubDate>Wed, 29 Jul 2009 01:32:19 PDT</pubDate>
<description>In this paper we show how we can increase the ease of reading and writing security requirements for cryptographic protocols at the Dolev-Yao level of abstraction by developing a visual language based on fault trees. We develop such a semantics for a subset of NPATRL, a temporal language used for expressing safety requirements for cryptographic protocols, and show that the subset is sound and complete with respect to the semantics. We also show how the fault trees can be used to improve the presentation of some specifications that we developed in our analysis of the Group Domain of Interpretation (GDOI) protocol. Other examples involve a property of Kerberos 5, and a visual account of the requirements in Lowe's authentication hierarchy.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>Representing the MSR Cryptoprotocol Specification Language in an Extension of Rewriting Logic with Dependent Types</title>
<link>http://works.bepress.com/iliano_cervesato/3</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/3</guid>
<pubDate>Wed, 29 Jul 2009 01:32:19 PDT</pubDate>
<description>This paper presents a shallow and efficient embedding of the security protocol specification language MSR into an extension of rewriting logic with dependent types. The latter is an instance of the open calculus of constructions which integrates key concepts from equational logic, rewriting logic, and type theory. MSR is based on a form of first-order multiset rewriting extended with existential name generation and a flexible type infrastructure centered on dependent types with subsorting. The encoding presented in this paper has served as the basis for the implementation of an MSR specification and analysis environment using the first-order rewriting engine Maude.</description>

<author>Iliano Cervesato</author>


</item>


<item>
<title>Specifying Properties of Concurrent Computations in CLF</title>
<link>http://works.bepress.com/iliano_cervesato/1</link>
<guid isPermaLink="true">http://works.bepress.com/iliano_cervesato/1</guid>
<pubDate>Wed, 29 Jul 2009 01:32:18 PDT</pubDate>
<description>CLF (the Concurrent Logical Framework) is a language for specifying and reasoning about concurrent systems. Its most significant feature is the first-class representation of concurrent executions as monadic expressions. We illustrate the representation techniques available within CLF by applying them to an asynchronous pi-calculus with correspondence assertions, including its dynamic semantics, safety criterion, and a type system with latent effects due to Gordon and Jeffrey.</description>

<author>Iliano Cervesato</author>


</item>



</channel>
</rss>

