11/8/2002 MNLAB, CTI, DEPAUL 1

Colored Petri Nets Theory and Applications: Modeling and Verification of Protocols

Multimedia and Network Research Lab, CTI, DePaul University
Chicago, USA, 11/8/2002
Main Points

• Verification and Analysis Tools
• Introduction to Petri Nets
• Basic Concepts of Colored Petri Nets
• Applications of CP-Nets
• Analysis and Verification of Security Protocols
  – Definitions and Modeling Objects
  – Using CP-Nets to Verify Security Protocols
• Analysis and Verification of the STS Protocol
• Conclusion & References
Verification Tools and Models

• Finite State Machine: Brutus (Marrero, CMU)
• Petri Nets: Aarhus Univ., DK
• BAN Logic: California Univ.
• Spi Calculus: Cambridge Univ.
• Murphi: Stanford Univ.
• The Non-interference [CCS and SPA] Approach
• The Strand Spaces
• LOTOS + CADP
• Inductive Approach, Isabelle/HOL
• Others
Why do we make these models?

• We make models to:
  – learn new things about a system.
  – verify correctness of a protocol or a system, absence of deadlocks, etc.
  – discover bugs and errors, remove bottlenecks.
  – simulate the system, because we do not have the real resources to implement it.
  – measure the performance (as a benchmark).
  – check that the system design has certain expected properties, e.g. find insecure states or check whether they are reachable.
Petri Nets: a formal, graphical, executable technique for the specification and analysis of concurrent, discrete-event dynamic systems. More on Petri Nets:

Formal: The technique is mathematically well-defined. Many static and dynamic properties of a Petri net may be mathematically proven.

Graphical: The technique belongs to a branch of mathematics called graph theory. A Petri net may be represented graphically as well as mathematically. The ability to visualize structure and behavior of a Petri net promotes understanding of the modeled system. Software tools exist which support graphical construction and visualization.

Executable: A Petri net may be executed and the dynamic behavior observed graphically. Software tools exist which automate execution.
Petri Nets (continued): a formal, graphical, executable technique for the specification and analysis of concurrent, discrete-event dynamic systems.

Specification: System requirements expressed and verified (by formal analysis) using the technique constitute a formal system specification.

Analysis: System specification is often an iterative process, with requirements initially poorly understood or ill-defined. A specification in the form of a Petri net model may be formally analyzed against static and dynamic system requirements. Visual feedback from the Petri net graph at each iteration of the specification increases understanding of the requirements, highlights errors in the model (or sometimes the requirements) and results in rapid convergence on a mathematically correct and consistent specification. Software tools exist which support and automate analysis.

Concurrent: The representation of multiple independent dynamic entities within a system is supported naturally by the technique, making it highly suitable for capturing systems which exhibit concurrency, e.g., multi-agent systems, distributed databases, client-server networks and modern telecommunications systems.

Discrete event dynamic system: a system which may change state over time, based on current state and state-transition rules, and where each state is separated from its neighbor by a step rather than a continuum of intermediate infinitesimal states. Often falling into this classification are information systems, operating systems, networking protocols, banking systems, business processes and telecommunications systems.
Basic Definitions

In a formal way, a P-net is a tuple $PN = (P, T, A, N)$ where

• I- P is a finite set of Places.
• II- T is a finite set of Transitions.
• III- A is a finite set of Arcs such that $P \cap T = P \cap A = T \cap A = \emptyset$.
• IV- N is a set of Tokens.

In a formal way, a CP-net is a tuple $CPN = (\Sigma, P, T, A, N, C, G, E, I)$ where

• I- $\Sigma$ is a finite set of non-empty types, also called colour sets.
• II- P is a finite set of Places.
• III- T is a finite set of Transitions.
• IV- A is a finite set of Arcs such that $P \cap T = P \cap A = T \cap A = \emptyset$.
• V- N is a node function. It is defined from A into $P \times T \cup T \times P$ ("colored over arcs").
• VI- C is a colour function. It is defined from P into $\Sigma$ ("token").
• VII- G is a guard function. It is defined from T into expressions such that ("Boolean function with probability"):
  $\forall t \in T: [Type(G(t)) = \mathbb{B} \wedge Type(Var(G(t))) \subseteq \Sigma]$
• VIII- E is an arc expression function. It is defined from A into expressions such that (i.e. check k = n):
  $\forall a \in A: [Type(E(a)) = C(p)_{MS} \wedge Type(Var(E(a))) \subseteq \Sigma]$, where p is the place of N(a).
• IX- I is an initialization function. It is defined from P into closed expressions such that
  $\forall p \in P: [Type(I(p)) = C(p)_{MS}]$
Presentation using Petri Nets

- Graph Petri Net: A Petri net, which can be used in a graph, has four essential elements: places, transitions, arcs, and tokens. Like finite state machines and other tools, Petri nets are used to detect protocol failures.
- Algebraic Petri Net: It is another form of Petri nets that represents a system and a protocol as a grammar language or logic in an algebraic form.
- Colored Petri Net: It is a specific type of Petri nets, where the arcs carry data.
For more details: http://www.daimi.au.dk/PetriNets/
Why Colored Petri Nets

• CP-nets have a graphical representation
• CP-nets are very general and can be used to describe a large variety of different systems
• CP-nets have an explicit description of both states and actions
• CP-nets offer hierarchical descriptions
• CP-nets offer interactive simulations where the results are presented directly on the CPN diagram
• CP-nets have computer tools supporting their drawing, simulation and formal analysis
http://www.daimi.au.dk/CPNets/
CP-Net Aspects

• One of the reasons for the success of CP-nets is the fact that work has been done simultaneously in all three areas:

THEORY: • models • basic concepts • analysis methods
TOOLS: • editing • simulation • verification
PRACTICAL USE: • specification • validation • verification • implementation

REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
An Introduction to Colored Petri Nets (University of Aarhus, DK)

Colored Petri Nets (CP-nets or CPN) is a graphically oriented language for design, specification, simulation and verification of systems. It is in particular well-suited for systems in which communication, synchronization and resource sharing are important.
Typical examples of application areas are communication protocols, distributed systems, embedded systems, automated production systems, workflow analysis, VLSI chips, medicine and bio-informatics.

For:
• Networking protocols
• Security protocols
• Multi-agent applications
• Distributed systems
• Workflow
• VLSI
• Industrial protocols
• Many other applications

CPN can do:
• Simulation
• Verification
• Design & model
• Specification
• Compute the performance

http://www.daimi.au.dk/~kjensen/papers_books/rec_papers_books.html#intro_cpn_papers
Elements of CPN

• The ellipses and the circles are called places. They describe the states of the system (buffers).
• The rectangles are called transitions. They describe the actions (processes).
• The arrows are called arcs. The arc expressions describe how the state of the CP-net changes when the transitions occur.
• Each place contains a set of markers called tokens. Each of these tokens carries a data value, which belongs to a given type.
(Diagram)
Coloured Petri Nets

• Modelling language for systems where synchronisation, communication, and resource sharing are important.
• Combination of Petri Nets and a programming language:
  – Control structures, synchronisation, communication, and resource sharing are described by Colored Petri Nets.
  – Data and data manipulations are described by a functional programming language.
• CPN models are validated by means of simulation and verified by means of state spaces and place invariants.
• Coloured Petri Nets have been developed at the University of Aarhus, Denmark over the last 20 years.
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Introductory Model (Simple): combination of graphics and text

• Network of nodes and arcs.
• Places describe the state of the system: A, B, C or C1, C2, S1, S2.
• Transitions describe the actions of the system, i.e. send, receive, encrypt, check.
• Arcs tell how actions modify the state and when they occur.
• Places carry markers, called tokens: int, string, data.
If the token is moved from A to B, this means that the packet is successfully transmitted over the network.
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Applicable Example: simulation of scenarios

• Receiver expects packet no. 6.
• Sender is still sending packet no. 5.
• Acknowledgement requesting packet no. 6 is arriving.
• Maybe the packet did not arrive (lost).
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
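The simple sender / network / receiver protocol sketched on the last slides (places holding packets and acknowledgements, counters for the next packet to send and to receive, and a network that may lose a packet) can be run as a small CPN simulator. The Python below is an added example written for this edit, not code from the slides or from the CPN Tools project: the place and transition names, the deterministic loss plans that replace the random loss of the original model, and the fixed firing priority are assumptions of this example, and the payload packets are constructed sample input. It reproduces the scenario of the slide above: when the acknowledgement for packet 1 is lost, the receiver already expects packet 2 while the sender retransmits packet 1, which the receiver discards before re-acknowledging.

```python
from collections import Counter
from itertools import product


class CPN:
    """Minimal coloured Petri net: a place holds a multiset of typed tokens; a
    transition takes one token from each input place (if the guard holds) and
    produces tokens through an output function playing the arc expressions."""

    def __init__(self):
        self.marking = {}      # place name -> Counter (multiset of tokens)
        self.transitions = {}  # name -> (input places, guard, output function)

    def add_place(self, name, tokens=()):
        self.marking[name] = Counter(tokens)

    def add_transition(self, name, inputs, guard, outputs):
        self.transitions[name] = (inputs, guard, outputs)

    def enabled_binding(self, name):
        """First binding (one token per input place) that satisfies the guard."""
        inputs, guard, _ = self.transitions[name]
        pools = [sorted(self.marking[p].elements(), key=repr) for p in inputs]
        for combo in product(*pools):
            binding = dict(zip(inputs, combo))
            if guard(binding):
                return binding
        return None

    def fire(self, name):
        """One occurrence: remove the bound tokens, add the produced ones."""
        binding = self.enabled_binding(name)
        if binding is None:
            return False
        inputs, _, outputs = self.transitions[name]
        for p in inputs:
            self.marking[p][binding[p]] -= 1
        for p, token in outputs(binding):
            self.marking[p][token] += 1
        return True


def lost(plan, n):
    """Constructed, deterministic stand-in for random network loss:
    item n is lost while plan[n] > 0, and each loss uses up one count."""
    if plan.get(n, 0) > 0:
        plan[n] -= 1
        return True
    return False


def build_simple_protocol(packets, drop_packets, drop_acks):
    """Sender / network / receiver net in the style of the slides' simple
    protocol: packets are (number, payload) tokens numbered from 1."""
    net = CPN()
    net.add_place("Send", [(i + 1, data) for i, data in enumerate(packets)])
    net.add_place("NextSend", [1])   # number of the packet the sender transmits
    net.add_place("A")               # packets on the network
    net.add_place("B")               # packets that reached the receiver
    net.add_place("NextRec", [1])    # number the receiver expects
    net.add_place("Received", [""])  # payload assembled so far
    net.add_place("C")               # acknowledgements on the network
    net.add_place("D")               # acknowledgements that reached the sender

    # SendPacket: the sender (re)sends the packet whose number equals NextSend
    net.add_transition("SendPacket", ["Send", "NextSend"],
                       lambda b: b["Send"][0] == b["NextSend"],
                       lambda b: [("Send", b["Send"]), ("NextSend", b["NextSend"]),
                                  ("A", b["Send"])])
    # TransmitPacket: the network delivers the packet to B or loses it
    net.add_transition("TransmitPacket", ["A"], lambda b: True,
                       lambda b: [] if lost(drop_packets, b["A"][0]) else [("B", b["A"])])

    # ReceivePacket: accept the packet if its number is the expected one,
    # discard it otherwise; either way acknowledge with the number now expected
    def receive_packet(b):
        (n, data), k, text = b["B"], b["NextRec"], b["Received"]
        if n == k:
            return [("NextRec", k + 1), ("Received", text + data), ("C", k + 1)]
        return [("NextRec", k), ("Received", text), ("C", k)]
    net.add_transition("ReceivePacket", ["B", "NextRec", "Received"],
                       lambda b: True, receive_packet)
    # TransmitAck: acknowledgements cross the network or are lost
    net.add_transition("TransmitAck", ["C"], lambda b: True,
                       lambda b: [] if lost(drop_acks, b["C"]) else [("D", b["C"])])
    # ReceiveAck: the sender moves NextSend to the number the receiver asked for
    net.add_transition("ReceiveAck", ["D", "NextSend"], lambda b: True,
                       lambda b: [("NextSend", b["D"])])
    return net


def run_protocol(packets, drop_packets=None, drop_acks=None, max_steps=1000):
    """Fire transitions in a fixed priority (drain the net before sending
    again) until none is enabled. Returns (payload received, occurrences)."""
    net = build_simple_protocol(packets, dict(drop_packets or {}), dict(drop_acks or {}))
    order = ["ReceiveAck", "TransmitAck", "ReceivePacket", "TransmitPacket", "SendPacket"]
    steps = 0
    while steps < max_steps and any(net.fire(t) for t in order):
        steps += 1
    return next(iter(net.marking["Received"].elements())), steps


if __name__ == "__main__":
    print(run_protocol(["COL", "OUR", "ED"]))                      # ('COLOURED', 15)
    print(run_protocol(["COL", "OUR", "ED"], drop_packets={2: 1}))  # packet 2 resent
    print(run_protocol(["COL", "OUR", "ED"], drop_acks={2: 1}))     # ack 2 lost, 1 resent
```

Each lost packet or acknowledgement costs the sender one retransmission round, visible in the occurrence count; the payload still arrives in order because the receiver only appends a packet whose number matches NextRec, which is the property a state-space check of the model would establish for every interleaving rather than for this one priority order.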
Abstract Example: (diagram)

Incidence Matrix (State Equation) for CPN

Suppose the initial marking is $M_0$, a column vector of multisets over the colours B and BR (entries such as 2B, BR, 0), A is the incidence matrix of the net with entries of the same kind (the slide's matrix layout is not recoverable from the extracted text) and $\sigma$ is the firing-count vector. Then we can compute

$M_1 = M_0 + A \cdot \sigma$

This requires new concepts of addition, subtraction, multiplication, etc. on multisets of coloured tokens.
Examples of Industrial Use of CP-nets

The following projects document large-scale practical use of CP-nets and their tools. Many of the projects have been carried out in an industrial environment. For all projects one or more papers are available.

CP-Nets Applications
• Protocols and Networks
• Software
• Hardware
• Control of Systems
• Military Systems
• Other Systems
REF. And Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Application areas

Protocols and Networks
• Intelligent Networks at Deutsche Telekom
• IEEE 802.6 Configuration Control at Telstra Research Labs
• Allocation Policies in the Fieldbus Protocol in Japan
• ISDN Services at Telstra Research Laboratories
• Protocol for an Audio/Video System at Bang & Olufsen
• TCP Protocols at Hewlett-Packard
• Local Area Network at University of Las Palmas
• UPC Algorithms in ATM Networks at University of Aarhus
• BRI Protocol in ISDN Networks
• Network Management System at RC International A/S
• Interprocess Communication in Pool IDA at King's College

Software
• Mobile Phones at Nokia
• Bank Transactions & Interconnect Fabric at Hewlett-Packard
• Mutual Exclusion Algorithm at University of Aarhus
• Distributed Program Execution at University of Aarhus
• Internet Cache at the Hungarian Academy of Science
• Electronic Funds Transfer in the US
• Document Storage System at Bull AG
• ADA Program at Draper Laboratories
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Control of Systems
• Security and Access Control Systems at Dalcotech A/S
• Mechatronic Systems in Cars at Peugeot-Citroën in France
• European Train Control System in Germany
• Flowmeter System at Danfoss
• Traffic Signals in Brazil
• Chemical Production in Germany
• Model Train System at University of Kiel

Hardware
• Superscalar Processor Architectures at University of Newcastle
• VLSI Chip in the US
• Arbiter Cascade at Meta Software Corp.

Military Systems
• Military Communications Gateway in Australia
• Influence Nets for the US Air Force
• Missile Simulator in Australia
• Naval Command and Control System in Canada

Other Systems
• Bank Courier Network at Shawmut National Coop.
• Nuclear Waste Management Programme in the US
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Automatic code generation (important application)

• CPN models are often used to specify and validate new software.
• It is also possible to implement the software by automatic code generation.
  – This method has been applied to develop a system for access control to buildings.
  – The source code for the final implementation was generated automatically from the CPN specification, by extracting parts of the Standard ML code used by the CPN simulator.
  – The approach is only sensible for systems that are not time critical and systems that are produced in small numbers.
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Computer tools

• Design/CPN was developed in the late 80's and early 90's.
  – Today it is the most widely used Petri net package.
  – 750 different organisations in 50 countries, including 200 commercial companies.
• CPN Tools is the next generation of tool support for Coloured Petri Nets.
  – Within the next 1-2 years CPN Tools is expected to replace Design/CPN and obtain the same number of users.
REF. Kurt Jensen. Details: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Verification of Security Protocols using Colored Petri Nets

• Why
• How
• Results
• Improvement
Colored Petri Net Objects

Introductory Example: (diagram)
CP-net Intruder Model (simple model; diagram)
Modeling Protocols Using Colored Petri Nets

The model consists of the following steps:
Step 1: describe the protocol in a CP-Net form.
Step 2: write Acceptance Check Steps (ACS).
Step 3: describe the intruder model.
Step 4: find the insecure states.
Step 5: apply the Matrix Analysis Steps (MAS).
Then run your computer program to solve the equation
$M_n = M_0 + A \cdot \sigma$
MAS Flow Chart and Implementation

This flow chart supposes we know the insecure state and want to verify and test whether the vector $\sigma$ exists or not.
STS Protocol Messages

A to B: $A,\ \alpha^x \bmod p$
The client sends this after generating a secret random x.

B to A: $\alpha^y \bmod p,\ E_{K_s}(S_B(\alpha^y, \alpha^x))$, with $K_s = (\alpha^x)^y \bmod p$
The server sends this after generating a secret random y. The message is signed with the server secret key and encrypted with the computed session key.

A to B: $E_{K_s}(S_A(\alpha^x, \alpha^y))$, with $K_s = (\alpha^y)^x \bmod p$
Signed with the client secret key and encrypted with the computed session key.
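The three messages above, together with the acceptance checks each party performs before continuing (derive the session key, decrypt, and verify the peer's signature over the two exponentials in the stated order), as an added Python example that is not part of the slides. The parameters are constructed toy values chosen only to show the message structure and the checks: the group is $Z_{23}^*$ with generator 5, the signatures $S_A$ and $S_B$ are textbook RSA over a SHA-256 hash with tiny primes, and $E_K$ is an XOR with a SHA-256 keystream derived from the shared secret; the function names and the hash-then-sign scheme are assumptions of this example, not the STS specification.

```python
import hashlib

# Constructed toy parameters, far too small to be secure: the Diffie-Hellman
# group Z_23^* with generator alpha = 5. Only the message flow matters here.
P_DH, ALPHA = 23, 5


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for the toy primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(*parts):
    """Hash of the signed tuple; repr() fixes the order of the components."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")


def sign(priv, *parts):
    """S_X(parts): textbook RSA signature over the hash (toy sizes)."""
    n, d = priv
    return pow(digest(*parts) % n, d, n)


def verify(pub, sig, *parts):
    """Signature check; fails if the tuple or its order differs from what was signed."""
    n, e = pub
    return pow(sig, e, n) == digest(*parts) % n


def keystream(k):
    """Keystream for E_K: SHA-256 of the Diffie-Hellman shared secret k."""
    return hashlib.sha256(b"sts-session-key:" + str(k).encode()).digest()


def enc(k, value):
    """E_K(value): XOR a 4-byte encoding of the signature with the keystream."""
    return bytes(a ^ b for a, b in zip(value.to_bytes(4, "big"), keystream(k)))


def dec(k, ct):
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, keystream(k))), "big")


def sts_run(x, y, keys_a, keys_b):
    """Honest run of the three STS messages with the acceptance checks each
    side performs. Returns (K at A, K at B, M2 accepted by A, M3 accepted by B)."""
    pub_a, priv_a = keys_a
    pub_b, priv_b = keys_b

    # M1: A -> B : A, alpha^x mod p
    gx = pow(ALPHA, x, P_DH)
    m1 = ("A", gx)

    # B: K = (alpha^x)^y mod p ; M2: B -> A : alpha^y mod p, E_K(S_B(alpha^y, alpha^x))
    gy = pow(ALPHA, y, P_DH)
    k_b = pow(m1[1], y, P_DH)
    m2 = (gy, enc(k_b, sign(priv_b, gy, m1[1])))

    # A: acceptance check for M2 - derive K = (alpha^y)^x mod p, decrypt, and check
    # that B's signature binds both exponentials of this run, in the order (alpha^y, alpha^x)
    k_a = pow(m2[0], x, P_DH)
    m2_ok = verify(pub_b, dec(k_a, m2[1]), m2[0], gx)

    # M3: A -> B : E_K(S_A(alpha^x, alpha^y))
    m3 = enc(k_a, sign(priv_a, gx, m2[0]))

    # B: acceptance check for M3 - decrypt with its own K and check A's signature
    m3_ok = verify(pub_a, dec(k_b, m3), m1[1], gy)
    return k_a, k_b, m2_ok, m3_ok


KEYS_A = rsa_keygen(61, 53, 17)   # constructed toy key pair for the client A
KEYS_B = rsa_keygen(71, 67, 13)   # constructed toy key pair for the server B

if __name__ == "__main__":
    print(sts_run(6, 15, KEYS_A, KEYS_B))   # K = 5^(6*15) mod 23 = 2 on both sides
```

The acceptance check is where a modelled intruder is caught or not: a signature that does not verify under the stored public key of the peer, or one made over a different pair of exponentials, is rejected, so the CP-net model of STS needs the ACS transitions to test exactly these conditions on the tokens it receives.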
STS Protocol Scenario (diagram)

Steps of Analysis

Step 1: model the STS using a CP-net as illustrated in the previous figure.
M1: $A,\ \alpha^x \bmod p$
M2: $\alpha^y \bmod p,\ E_{K_s}(S_B(\alpha^y, \alpha^x))$
M3: $E_{K_s}(S_A(\alpha^x, \alpha^y))$
Step 2: apply the Acceptance Check Step (ACS) to the STS messages.
Step 3: add the proposed intruder side to the model as in the figure.
Part I: Specifying STS

Step 4.I: by analyzing the protocol, we find that a man-in-the-middle attack has the ability to direct the negotiation between the client and the server. The intruder shares K1 with the client and K2 with the server.

Initial state: $M_0^T$ = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0], where n = 20
And the insecure state: $M_n^T$ = [0,0,0,0,M2',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0], where n = 20
Incidence matrix of the STS model, first version (the extracted table lost its column alignment; each place row lists its non-zero entries in the order they appear, a token added (+) or removed (−) by one transition).

Transitions (columns): compute m1, send m1, receive m2', decrypt m2', verify m2', receive m1, store m1, compute m1', send m1', receive m1', sign m2, encrypt m2, send m2, receive m2

Places (rows):
a1: M1, −M1
a2: −M2', M2'
a3: M2', −M2'
a4: M2'
a5: M2'
c1: M1, −M1
c2: M1', −M1'
c3: M2, −M2
c4: −M2'
b1: M1', −M1'
b2: M2, −M2
b3: M2, −M2
i1: M1, −M1
i2: M1, −M1
i3: M2, −M2
i4: M2
Incidence matrix of the STS model with the intruder side, n = 20 places (column alignment lost in extraction; entries listed per place as above).

Transitions (columns): compute m1, send m1, receive m2', decrypt m2', verify m2', receive m1, store m1, compute m1', send m1', receive m1', sign m2, encrypt m2, send m2, receive m2, decrypt m2, sign m2', encrypt m2', send m2'

Places (rows):
a1: M1, −M1
a2: −M2', M2'
a3: M2', −M2'
a4: M2'
a5: M2'
c1: M1, −M1
c2: M1', −M1'
c3: M2, −M2
c4: −M2', M2'
b1: M1', −M1'
b2: M2, −M2
b3: M2, −M2
i1: M1, −M1
i2: M1, −M1
i3: M2, −M2
i4: M2, −M2
i5: M2, −M2
i6: M2', −M2'
i7: M2', −M2'
i8: M1, −M1
Continued

Step 5.I: Applying MAS, we find that the defined final insecure state is reachable from the initial state, which is considered a major problem in the security of the STS protocol.
$M_n = M_0 + A \cdot \sigma$
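To make the state equation $M_n = M_0 + A \cdot \sigma$ of the incidence-matrix slide concrete, and with it the MAS check of Steps 4 and 5 (does a non-negative firing-count vector $\sigma$ exist that takes $M_0$ to the insecure marking $M_n$?), here is an added Python example that is not code from the slides. It represents markings and incidence-matrix entries as signed multisets of coloured tokens (the "new concepts of addition, subtraction, multiplication" the slide mentions), evaluates the state equation place by place, and searches for $\sigma$ by bounded enumeration. The three-place net over the colours B and BR is constructed for illustration and is not the STS model; the STS matrix above would be entered the same way, with places a1..i8 and tokens M1, M2, M2'. One caveat a practitioner should keep in mind: a solution of the state equation is necessary but not sufficient for reachability, so no solution proves the insecure state unreachable, while a found $\sigma$ still has to be confirmed by an actual firing sequence (simulation or a state-space search).

```python
from itertools import product


def scale(m, k):
    """k * m for a multiset m = {colour: count}; k < 0 gives the 'removed' side."""
    return {c: k * n for c, n in m.items() if k * n != 0}


def add(a, b):
    """Multiset addition over signed counts; colours that cancel to 0 are dropped."""
    out = dict(a)
    for c, n in b.items():
        out[c] = out.get(c, 0) + n
        if out[c] == 0:
            del out[c]
    return out


def state_equation(m0, incidence, sigma):
    """M_n = M_0 + A * sigma, evaluated place by place.
    incidence[place][transition] is the signed multiset that one occurrence
    of the transition adds to (or removes from) the place."""
    m = {p: dict(m0.get(p, {})) for p in incidence}
    for p, row in incidence.items():
        for t, entry in row.items():
            m[p] = add(m[p], scale(entry, sigma.get(t, 0)))
    return m


def find_firing_vector(m0, incidence, target, transitions, bound=4):
    """MAS check: search for a non-negative integer vector sigma with
    M_0 + A*sigma == target, trying vectors with fewer total occurrences
    first. Returns the vector or None. A solution is necessary for the
    target to be reachable (so None proves it unreachable), but not
    sufficient: a found sigma still has to be realised by a firing sequence."""
    goal = {p: dict(target.get(p, {})) for p in incidence}
    vectors = sorted(product(range(bound + 1), repeat=len(transitions)), key=sum)
    for counts in vectors:
        sigma = dict(zip(transitions, counts))
        if state_equation(m0, incidence, sigma) == goal:
            return sigma
    return None


# Constructed three-place net over the colours B and BR (not the STS model):
#   t1 takes 2`B from p1 and puts 1`BR in p2 and 1`B in p3
#   t2 takes 1`BR from p2 and puts 2`B back in p1
#   t3 takes 1`B from p3 and puts 1`BR in p2
TRANSITIONS = ["t1", "t2", "t3"]
INCIDENCE = {
    "p1": {"t1": {"B": -2}, "t2": {"B": 2}},
    "p2": {"t1": {"BR": 1}, "t2": {"BR": -1}, "t3": {"BR": 1}},
    "p3": {"t1": {"B": 1}, "t3": {"B": -1}},
}
M0 = {"p1": {"B": 2}}   # initial marking: 2`B in p1, the other places empty

if __name__ == "__main__":
    # one occurrence of t1: M_1 = M_0 + A * [1, 0, 0]
    print(state_equation(M0, INCIDENCE, {"t1": 1}))
    # marking with 2`BR in p2: solvable, sigma fires t1, t2 and t3 twice each
    print(find_firing_vector(M0, INCIDENCE, {"p1": {"B": 2}, "p2": {"BR": 2}}, TRANSITIONS))
    # a single B in p1 is impossible: every entry for p1 changes it by +/- 2`B
    print(find_firing_vector(M0, INCIDENCE, {"p1": {"B": 1}}, TRANSITIONS))
```

For the STS matrix the same search runs over 18 transitions, so the bounded enumeration should be replaced by an integer linear programming or Diophantine solver for $\sigma$; the representation of $A$, $M_0$ and the insecure $M_n$ as signed multisets per place stays the same.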
Conclusion

• The STS Protocol has been specified and verified using Colored Petri nets.
• The insecure states in the STS Protocol have been proved.
• More research needs to be conducted in the verification of protocols (especially security protocols):
  – Analysis of complex security protocols
  – Compute the performance of security protocols using CP-nets
  – Compare different tools for verification and analysis of security protocols
References and Links

• http://www.daimi.au.dk/CPnets/
• www.students.depaul.edu/~saly.html
• http://www.daimi.au.dk/PetriNets/research/
• A list of more than 50 published papers describing different industrial applications of CP-nets and the CPN tools: http://www.daimi.au.dk/CPnets/intro/example_indu.html
Questions? Open Discussion