## On the correctness of an intrusion-tolerant group communication protocol (2003)

### Download Links

- [hvg.ece.concordia.ca]
- [www.cs.mcgill.ca]
- [www.ece.concordia.ca]
- DBLP

Venue: In Proceedings 12th Conference on Correct Hardware Design and Verification Methods (CHARME 2003)

Citations: 4 - 0 self

### Citations

2651 | Timed Automata - Alur - 1999

Citation Context: ...ed actions, possibly performed by Byzantine faulty processes whose behavior is hard to represent in a model-checker. Instead, we use PVS [21] and formalize the protocol in the style of Timed-Automata [5]. This formalism makes it easy to express timing constraints on transitions. It also captures several useful aspects of real-time systems such as liveness, periodicity and bounded timing delays. Using...

2581 | How to Leak a Secret - Rivest, Shamir, et al. - 2001

Citation Context: ...ially, we assume that a dealer chooses a generator g of G_q and a random secret integer x ∈ Z_q. The dealer then generates n shares x_1, ···, x_n ∈ Z_q using an f-threshold Shamir's secret sharing scheme [18]. The dealer secretly transmits the shares x_i to their corresponding leaders and makes public h_i = g^{x_i} for all leaders {L_i}_{i≤n}. We denote by g̃ = H(G) the output of a hash function H applied to the mo...

655 | PVS: A prototype verification system - Owre, Rushby, et al. - 1992

Citation Context: ...the nature of the correctness arguments in each module, the environment assumptions, and the easiness of performing verification. For instance, we found it more profitable to model-check the authentication module by taking advantage of the reduction techniques available in Murphi [15]. The Byzantine leaders agreement module, however, was a little trickier. In fact, the latter relies, to a large extent, on the timing and the coordination of a set of distributed actions, possibly performed by Byzantine faulty processes whose behavior is hard to represent in a model-checker. Instead, we use PVS [21] and formalize the protocol in the style of Timed-Automata [5]. This formalism makes it easy to express timing constraints on transitions. It also captures several useful aspects of real-time systems such as liveness, periodicity and bounded timing delays. Using this formalism, we specified the protocol for any number of leaders, and we proved safety and liveness properties such as Proper Agreement, Agreement Termination and Integrity. Finally, the group-key management module is based on a secret sharing scheme whose security relies fundamentally on the hardness of computing discrete logarithm...

549 | An introduction to input/output automata - Lynch, Tuttle - 1989

Citation Context: ...iety of automata formalisms has been adopted to specify such protocols. Castro and Liskov [7] specified their Byzantine fault-tolerant replication algorithm using the I/O automata of Tuttle and Lynch [6]. They have manually proved their algorithm's safety, but not its liveness, using invariant assertions and simulation relations. This work, although similar to our Byzantine agreement module, has neve...

480 | The inductive approach to verifying cryptographic protocols - Paulson - 1998

Citation Context: ...e last decade. A wide variety of techniques has been developed to verify a number of key security properties ranging from confidentiality and authentication to atomic transactions and non-repudiation [2,3]. Nevertheless, all the focus was either on two-party protocols (i.e., involving only a pair of users) or, in the best cases, on group protocols with centralized leadership (i.e., a presumably trusted...

283 | A survey of authentication protocol literature - Clark, Jacob - 1997

275 | Protocol verification as a hardware design aid - Dill, Drexler, et al. - 1992

Citation Context: ...ns, and the easiness of performing verification. For instance, we found it more profitable to model-check the authentication module by taking advantage of the reduction techniques available in Murphi [15]. The Byzantine leaders agreement module, however, was a little trickier. In fact, the latter relies, to a large extent, on the timing and the coordination of a set of distributed actions, possibly pe...

237 | The decisional Diffie-Hellman problem - Boneh - 1998

Citation Context: ...h: – The perfect cryptography assumption (i.e., conditional entropy is no greater than simple entropy) S(y_{i_{f+1}} | y_{i_1}, y_{i_2}, ···, y_{i_j}) = S(y_{i_{f+1}}) for all j ≤ f – The Computational Diffie-Hellman assumption [22], which states that there is no polynomial time probabilistic algorithm that computes y_i = g̃^{x_i} given g, g̃, and h_i = g^{x_i}, with a non-negligible probability of error. As a result, the knowledge of up...

223 | Better verification through symmetry - Ip, Dill - 1996

Citation Context: ...w up in down-scaled (finite state) version of the protocol. The Murphi tool is based on explicit state enumeration and supports a number of reduction techniques such as symmetry and data independency [16,17]. The desired properties of a protocol can be specified in Murphi by invariants. If a state is reached where some invariant is violated, Murphi prints an error trace exhibiting the problem. Our verifi...

92 | The Modelling and Analysis of Security Protocols: the CSP Approach - Ryan, Schneider, et al. - 2001

Citation Context: ...nces with a finite number of states, which may, in some cases, prevent from discovering security flaws in realistic implementations of the protocols. This can be improved by the use of rank functions [2]. We believe that using rank functions is a very efficient way to mechanically prove authentication properties and we are considering it among our future work plans. Thanks to the high level of expres...

63 | PVS: A prototype verification system - Owre, Rushby, et al.

54 | Specifications and Proofs for Ensemble Layers - Hickey, Lynch, et al. - 1999

Citation Context: ...iness and performance of the different earlier mentioned techniques to prove the overall Enclaves protocol. Timed automata were also used to model the fault-tolerant protocols PAXOS [11] and Ensemble [14]. The authors assume a partially synchronous network and support only benign failures. This bears some similarities with our Enclaves verification in the sense that we assume some bounds on timing, bu...

53 | Revisiting the PAXOS Algorithm - Prisco, Lampson, et al. - 1997

Citation Context: ...vantage of the easiness and performance of the different earlier mentioned techniques to prove the overall Enclaves protocol. Timed automata were also used to model the fault-tolerant protocols PAXOS [11] and Ensemble [14]. The authors assume a partially synchronous network and support only benign failures. This bears some similarities with our Enclaves verification in the sense that we assume some bo...

48 | Verifying Systems with Replicated Components in Murphi - Ip, Dill - 1996

Citation Context: ...w up in down-scaled (finite state) version of the protocol. The Murphi tool is based on explicit state enumeration and supports a number of reduction techniques such as symmetry and data independency [16,17]. The desired properties of a protocol can be specified in Murphi by invariants. If a state is reached where some invariant is violated, Murphi prints an error trace exhibiting the problem. Our verifi...

48 | A Formally Verified Algorithm for Interactive Consistency under a Hybrid Fault Model - Lincoln, Rushby - 1993

Citation Context: ...r. How much power should be given to a Byzantine fault and how general should the model be to capture the arbitrary nature of a Byzantine fault behavior? These questions have been extensively studied [7,9,10] and continue to be a center of focus. In this paper, faults are only limited by cryptographic constraints. For instance, faulty leaders can arbitrarily send random messages, reset their local clocks...

39 | The decision Diffie-Hellman problem - Boneh - 1423

38 | Action Transducers and Timed Automata - Lynch, Vaandrager - 1996

26 | A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm - Castro, Liskov - 1999

Citation Context: ...r. How much power should be given to a Byzantine fault and how general should the model be to capture the arbitrary nature of a Byzantine fault behavior? These questions have been extensively studied [7,9,10] and continue to be a center of focus. In this paper, faults are only limited by cryptographic constraints. For instance, faulty leaders can arbitrarily send random messages, reset their local clocks...

26 | Random Oracles in Constantinople: Practical Asynchronous Byzantine Agreement Using Cryptography - Cachin, Kursawe, et al. - 2000

Citation Context: ...correctness arguments in a formal language, we found it more convenient to give a manual proof of the module's robustness and unpredictability properties, using the Random Oracle model [19]. The remainder of this paper is organized as follows. In Section 2, we give an overview of the architecture and design goals of Enclaves, and we explicitly state our system model assumptions. In Sect...

24 | Better Verification Through Symmetry - Ip, Dill - 1996

22 | Verifying Randomized Byzantine Agreement - Kwiatkowska, Norman - 2002

Citation Context: ...r. How much power should be given to a Byzantine fault and how general should the model be to capture the arbitrary nature of a Byzantine fault behavior? These questions have been extensively studied [7,9,10] and continue to be a center of focus. In this paper, faults are only limited by cryptographic constraints. For instance, faulty leaders can arbitrarily send random messages, reset their local clocks...

20 | Proving Invariants of I/O Automata with TAME - Archer, Heitmeyer, et al. - 2002

Citation Context: ...rs some similarities with our Enclaves verification in the sense that we assume some bounds on timing, but unlike the work in [11,14] we are dealing with the more subtle Byzantine kind of failure. In [13], Archer et al. presented the formal verification of some distributed protocols using the Timed Automata Modeling Environment (TAME). TAME provides a set of theory templates to specify and prove I/O a...

19 | Intrusion-Tolerant Enclaves - Dutertre, Crettaz, et al. - 2002

Citation Context: ...eptable, though possibly degraded, service of the overall system despite intrusions at some of its sub-parts. In this paper, we present a correctness proof of the Intrusion-tolerant Enclaves protocol [1] via an adaptive combination of techniques, namely model checking, theorem proving and analytical mathematics. We use Murphi to verify authentication, then PVS to formally specify and prove proper Byz...

18 | Protocol verification as a hardware design aid - Dill, Drexler, et al. - 1992

13 | Resilient consensus protocols - Bracha, Toueg - 1983

Citation Context: ...s, of which at most f could fail at the same time. The protocol has a maximum resilience of one third (i.e., f ≤ ⌊(n−1)/3⌋) and uses an algorithm similar to the consistent broadcast of Bracha and Toueg [4]. The primary goal of Enclaves is to preserve an acceptable group-membership service of the overall system despite intrusions at some of its sub-parts. For instance, an authorized user u who requests...

12 | Resilient consensus protocols - Bracha, Toueg - 1983

Citation Context: ...group protocols with centralized leadership (i.e., a presumably trusted fault-free server managing a group of users). In the present work, we are concerned with the verification of the intrusion-tolerant Enclaves [1]: a group-membership protocol with a distributed leadership architecture, where the authority of the traditional single server is shared among a set of n independent elementary servers, of which at most f could fail at the same time. The protocol has a maximum resilience of one third (i.e., f ≤ ⌊(n−1)/3⌋) and uses an algorithm similar to the consistent broadcast of Bracha and Toueg [4]. The primary goal of Enclaves is to preserve an acceptable group-membership service of the overall system despite intrusions at some of its sub-parts. For instance, an authorized user u who requests to join an active group of users should be eventually accepted, despite the fact that faulty leaders may coordinate their messages in such a way as to mislead non-faulty leaders (the majority) into disagreement, and thus into rejecting user u. ...

11 | Specifications and proofs for ensemble layers - Hickey, Lynch, et al. - 1999

6 | A formally verified algorithm for interactive consistency under a hybrid fault model - Lincoln, Rushby - 1993

1 | Model-Checking a Secure Group Communication Protocol: A Case Study - Hu, Li, et al. - 1999

Citation Context: ...h work has been done to formally verify fault-tolerance in distributed protocols. Some of these verifications deal with the Byzantine failure model [7], while others remain limited to the benign form [8]. A variety of automata formalisms has been adopted to specify such protocols. Castro and Liskov [7] specified their Byzantine fault-tolerant replication algorithm using the I/O automata of Tuttle and...

1 | paper available at http://www-users.cs.york.ac.uk/~jac - Draft

Citation Context: ...eptable, though possibly degraded, service of the overall system despite intrusions at some of its sub-parts. In this paper, we present a correctness proof of the Intrusion-tolerant Enclaves protocol [1] via an adaptive combination of techniques, namely model checking, theorem proving and analytical mathematics. We use Murphi to verify authentication, then PVS to formally specify and prove proper Byz...