Applying Predicate Logic to Monitoring Network Traffic Wolfgang - - PowerPoint PPT Presentation

Applying Predicate Logic to Monitoring Network Traffic

Wolfgang Schreiner

Wolfgang.Schreiner@risc.jku.at

Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Joint work with Temur Kutsia (RISC), Michael Krieger, Bashar Ahmad (RISC Software), Helmut Otto, and Martin Rummerstorfer (SecureGUARD). Supported by the FFG BRIDGE project “LogicGuard”.

Wolfgang Schreiner http://www.risc.jku.at 1/30

The Problem: Monitoring Network Traffic

Monitor Forward Package (yes/no)? Specification Package

Block (or just report) every package that triggers a violation of the specified safety property.

Wolfgang Schreiner http://www.risc.jku.at 2/30

Network Traffic

Wolfgang Schreiner http://www.risc.jku.at 3/30

General Idea

Treat the problem as an application of “runtime verification”. Specify safety property in a high-level declarative form.

What to detect, not how to detect it.

Automatically translate the specification into an executable monitor.

A program that surveils the traffic for violations of the property.

Advantage: no manual low-level coding of monitors required.

Tedious and error-prone, difficult to maintain.

Challenge: time and space complexity of the monitor.

Must operate with limited time and memory resources.

Various specification formalisms have been devised for this purpose.

Wolfgang Schreiner http://www.risc.jku.at 4/30

Our Approach

Predicate logic formulas interpreted over infinite streams.

S p p p p q p

∀i : q(Si) ⇒ ∃j < i : ¬p(Sj) Set-builder notation to construct new streams.

S T

T := f (Si, Si+2) | i ∈ N ∧ i mod 4 < 2 Classical logic and set theory.

Wolfgang Schreiner http://www.risc.jku.at 5/30

The Monitoring Model

Formulas are evaluated on streams, external as well as internally constructed (virtual) ones.

stream IP : stream S1 = stream i in IP ... S@i ... : stream S2 = stream j in IP ... S@j ... : monitor i in S1 ... : monitor j in S2 ... : ... S1@i ... S2@j ...

Internal streams to express properties on a higher level of abstraction.

S1 IP S2 Check violations monitor

Wolfgang Schreiner http://www.risc.jku.at 6/30

Example

type int; int Square(int); bool isOne(int); bool isTwo(int); // the base stream and a derived virtual stream stream<int> IP; stream<int> S = construct X in IP with 0 in IP <= X value<int> M = IP.at(X) satisfying isOne(M) || isTwo(M) : Square(IP.at(X)); // are 1s not more than 50 units apart? monitor M = position X in S : isOne(S.at(X)) => exists Y in S with X<Y<=(X+50) : isOne(S.at(Y));

A specification using the test runtime system.

000,2 010,1 020,0 030,0 040,0 050,2 060,1 070,0 080,2 090,0 100,2 110,0 120,2 130,1 140,2 150,1 160,2 170,0 180,2 190,0 200,2 210,1 220,2 000,4 010,1 050,4 060,1 080,4 100,4 120,4 130,1 140,4 150,1 160,4 180,4 200,4 210,1 220,4

Wolfgang Schreiner http://www.risc.jku.at 7/30

Example

// IntFunctions.cs using System; using LogicGuard.Network.IntTS; namespace External { class IntFunctions { public static bool isZero(IntTSMessage m) { return m.Payload == 0; } public static bool isOne(IntTSMessage m) { return m.Payload == 1; } ... } }

The corresponding external functions.

Wolfgang Schreiner http://www.risc.jku.at 8/30

Monitor Execution

Main.Exe -test TranslatorTester\traces\PAS.txt TranslatorTester\specs\PAS.lgs External\bin\Debug\External.dll

Wolfgang Schreiner http://www.risc.jku.at 9/30

Abstract Specification Language

P ::= (B | S)∗ M∗ M ::= F | monitor X : F F ::= XF | B : F | PC(TV ∗) | true | false | ˜F | F1 /\ F2 | F1 \/ F2 | F1 => F2 | F1 <=> F2 | forall X : F | exists X : F TS ::= XS | B : TS | FS(TS∗) | stream X : (TV | TS) | scombine(FC,TV ) X : TV TP ::= XP | B : TP | FP(TP∗) | TP+N | TP-N | min X : F | max X : F TV ::= XV | B : XV | FV (TV ∗) | TS@TP | TSTP | number X : F | combine(FC,TV ) X :TV B ::= formula XF = F | position XP = TP | value XV = TV S ::= stream XS = TS X ::= XP in TS with TP1 <= XP <= TP2 (B | satisfying F1)∗ (until F2)?

A simplified and regularized version of the concrete language.

Wolfgang Schreiner http://www.risc.jku.at 10/30

Semantics of the Language

Environment := Variable → B ∪ Stream ∪ N ∪ Value Stream := Messageω ∪ Message∗ Message := Value × N [ . ] : Monitor → Environment → P(N) [ monitor X : F ](e) := let (x, s, N) := [ X ](e) : {n ∈ N : [ F ](e[x → n]) = false} [ . ] : Formula → Environment → B [ forall X : F ](e) := let (x, s, N) := [ X ](e) : if ∀n ∈ N : [ F ](e[x → n]) = true then true else false . . . [ . ] : TermValue → Environment → Value [ TS@TP ](e) := ([ TS ](e)([ TP ](e))).1 [ TSTP ](e) := ([ TS ](e)([ TP ](e))).2 . . .

Phrases are interpreted over variables that may be mapped to streams.

Wolfgang Schreiner http://www.risc.jku.at 11/30

Semantics of the Language

[ . ] : TermStream → Environment → Stream [ stream X : TV ](e) := let (x, s, N) := [ X ](e) : let S := {n ∈ N | ∃t ∈ N : isTimeOf (t, TV , e[x → n])} such s′ ∈ Stream : timeIncreases(s′) ∧ allMessages(s′, S, TV , e, x) isTimeOf (t, TV , e) :⇔ // at time t, the value of TV is defined wrt. e ∀e′ ∈ Environment : domain(e′) = domain(e) ∧ (∀x ∈ domain(e) : if e(x) ∈ Stream then e′(x) = e(x) else e′(x) ∈ Stream ∧ ∀i ∈ domain(e′(x)) : e′(x)(i).2 ≤ t ⇒ e′(x)(i) = e(x)(i)) ⇒ [ TV ](e, s) = [ TV ](e′, s) timeIncreases(s′) :⇔ ∀i, j ∈ domain(s′) : i < j ⇒ s′(i).2 ≤ s′(j).2 allMessages(s′, S, TV , e, x) :⇔ // s′ contains all TV (x) wrt. e with x from S ∃p ∈ domain(s′)

bij.

− → S : ∀i ∈ domain(s′) : s′(i) = let t := min t ∈ N : isTimeOf (t, TV , e[x → p(i)]) : ([ TV ](e[x → p(i)]), t)

The stream orders all values by the time they become defined.

Wolfgang Schreiner http://www.risc.jku.at 12/30

From Semantics to Operation

Translation Engine New State Syntax Semantics Value Next Message Soundness

We translate the various kinds of phrases to operational “engines”; this translation “preserves” the semantics of the phrases.

Wolfgang Schreiner http://www.risc.jku.at 13/30

The Translation

All phrases are translated to value-producing engines. Monitors: T : Monitor → MonitorStep

MonitorStep := PresentM → MonitorResult MonitorResult := P(N∗) × (done + next of MonitorStep)

At each step, vectors of violating positions are produced.

Formulas: T : Formula → FormulaStep

FormulaStep := Present → FormulaResult FormulaResult := done of B + next of FormulaStep

At termination, a truth value is delivered.

Streams: T : Stream → StreamStep

StreamStep := Present → StreamResult StreamResult := P(Message) × (done + next of StreamStep)

At each step, messages are produced.

At each new message received, the engines make an execution step.

Wolfgang Schreiner http://www.risc.jku.at 14/30

A Core Language

For the further discussion, we reduce our language to a “skeleton”.

M ::= monitor X : F F ::= @X | ˜F | F1 /\ F2 | forall X in B1..B2 : F B ::= 0 | infinity | X | B + N | B − N N ::= 0 | 1 | 2 | . . . X ::= x | y | z | . . .

A core monitor is interpreted over a single stream of truth values.

Wolfgang Schreiner http://www.risc.jku.at 15/30

Translation of the Monitor

PresentM := Message∗ × Message Present := Message∗ × Message × Context Context := Variable

partial

− → (N × B) Instance := N × FormulaStep × Context T(monitor X : F) := TM(X, T(F), ∅) where TM : Variable × FormulaStep × P(Instance) → MonitorStep TM(X, f , fs)(ms, m) := let n := |ms| : let c := [X → (n, m)] : let fs0 := fs ∪ {(n, f , c)} : let rs := {n ∈ N | ∃g ∈ FormulaStep, c ∈ Context : (n, g, c) ∈ fs0 ∧ case g(ms, m, c) of done(b) → b = false | _ → false} : let fs1 := {(n, g0, c) ∈ Instance | ∃g ∈ FormulaStep : (n, g, c) ∈ fs0 ∧ case g(ms, m, c) of next(g1) → g0 = g1 | _ → false} : (rs, next(TM(X, f , fs1)))

Report positions rs and maintain formula instances fs.

Wolfgang Schreiner http://www.risc.jku.at 16/30

Translation of Formulas

T(@X) := TV (X) where TV : Variable → FormulaStep TV (X)(ms, m, c) := if X ∈ domain(c) then done(c(X).2) else done(false) T(˜F) := TN(T(F)) where TN : FormulaStep → FormulaStep TN(f )(ms, m, c) := case f (ms, m, c) of done(false) → done(true) done(true) → done(false) next(f ′) → next(TN(f ′)) T(F1 /\ F2) := TC(T(F1), T(F2)) where TC : FormulaStep × FormulaStep → FormulaStep TC(f1, f2)(ms, m, c) := case f1(ms, m, c) of done(false) → done(false) done(true) → f2(ms, m, c) next(f ′

1) → next(TC(f ′ 1, f2))

Maintain component steps f1, f2 and ultimately yield a truth value.

Wolfgang Schreiner http://www.risc.jku.at 17/30

A Concrete Formula Step

TC : FormulaStep × FormulaStep → FormulaStep TC(f1, f2)(ms, m, c) := case f1(ms, m, c) of done(false) → done(false) done(true) → f2(ms, m, c) next(f ′

1) → next(TC(f ′ 1, f2))

let rec monitorAnd (f1 : FormulaStep) (f2 : FormulaStep): FormulaStep = fun (present : Present) -> match f1 present with | done(false) -> done(false) | done(true)

• > f2 present

| next(step1) -> next(monitorAnd step1 f2)

Prototype implementation in F#.

Wolfgang Schreiner http://www.risc.jku.at 18/30

Translation of Quantifiers

T(forall X in B1..B2 : F) := TA(X, T(B1), T(B2), T(F)) where TA : Variable × (Context → N)2 × FormulaStep → FormulaStep TA(X, b1, b2, f )(ms, m, c) := TA0(X, b1(c), b2(c), f )(ms, m, c) TA0 : Variable × N × N × FormulaStep → FormulaStep TA0(X, n1, n2, f )(ms, m, c) := let n := |ms| : if n < n1 then next(TA0(X, n1, n2, f )) else let fs := {(n0, f , c[X → (n0, ms(n0))]) | n1 ≤ n0 < min(n, n2 + 1)} : TA1(X, n2, f , fs)(ms, m, c)

First determine iteration range, then set up formula instances fs.

Wolfgang Schreiner http://www.risc.jku.at 19/30

Translation of Quantifiers

TA1 : Variable × N × FormulaStep × P(Instance) → FormulaStep TA1(X, n2, f , fs)(ms, m, c) := let n := |ms| : let fs0 := if n > n2 then fs else fs ∪ {(n, f , (c[X → (n, m)]))} : if (∃n ∈ N, g ∈ FormulaStep, c ∈ Context : (n, g, c) ∈ fs0 ∧ case g(ms, m, c) of done(b) → b = false | _ → false) then done(false) else let fs1 := {(n, g0, c) ∈ Instance | ∃g ∈ FormulaStep : (n, g, c) ∈ fs0 ∧ case g(ms, m, c) of next(g1) → g0 = g1 | _ → false} : if fs1 = ∅ ∧ n ≥ n2 then done(true) else next(TA1(X, n2, f , fs1))

Maintain formula instances fs and ultimately yield a truth value.

Wolfgang Schreiner http://www.risc.jku.at 20/30

Soundness of the Translation

Semantics of Core Monitor:

[ . ] : Monitor → Stream → P(N) [ M ](s) := . . .

Operation of Core Monitor:

run : N × MonitorStep × Message∗ × Stream → P(N) run(n, M, ms, s) := if n = 0 then ∅ else case M(ms, hd(s)) of (rs, done) → rs (rs, next(M′)) → rs ∪ run(n − 1, M′, ms ◦ hd(s), tl(s))

Soundness of Translation:

∀n ∈ N, M ∈ Monitor, s ∈ Stream : run(n, T(M), , s) ⊆ [ M ](s)

Only violations of safety properties can be detected by monitoring.

Wolfgang Schreiner http://www.risc.jku.at 21/30

Efficiency of the Execution

The described implementation is effective but not efficient. A monitor may in general require the full “history” of received messages for its execution:

run(n, M, ms, s) := . . . M(ms, hd(s)) . . . . . . run(n − 1, M′, ms ◦ hd(s), tl(s))

A monitor may in general keep track of an arbitrary number of monitor instances:

T(monitor X : F) := TM(X, T(F), ∅) where TM : Variable × FormulaStep × P(Instance) → MonitorStep TM(X, f , fs)(ms, m) := . . . (rs, next(TM(X, f , fs1)))

In practice we are only interested in monitors that cope with a bounded amount of memory.

Wolfgang Schreiner http://www.risc.jku.at 22/30

Example

monitor X: @X => monitor X: ~(@X /\ exists X-1 <= Y <= X+2 : ~@X forall X-1 <= Y <= X+2 : ~@X)

1 2 3 4 5 6 7 8 9 . . . ⊥ ⊤ ⊤ ⊥ ⊤ ⊤ ⊤ ⊤ ⊥ ⊥ . . . F[0]

• F[1]

×

• F[2]

× ⊗ × F[3]

• F[4]

×

• F[5]

× ⊗ × × F[6] × ⊗ × × F[7] × ⊗ × F[8]

• F[9]
• .

. .

The monitor needs a history of size 1 and preserves at most 2 instances.

Wolfgang Schreiner http://www.risc.jku.at 23/30

The Resource Analysis

We are going to devise a rule-based analysis that determines whether the resources of the monitor can be bounded.

⊢ Monitor : N∞ × N∞ Environment ⊢ Formula : N∞ × N∞ Environment := Variable

partial

− → Z∞ × Z∞

⊢ M : (h, d). . . Monitor M needs history of at most size h and keeps at most d instances. e ⊢ F : (h, d) . . . Formula F needs at most h past messages and at most d future messages for its evaluation to a truth value.

e(X) = (l, u) . . . Position X is in the interval [p + l, p + u] with respect to the position p of the “current” message.

Wolfgang Schreiner http://www.risc.jku.at 24/30

The Resource Analysis

[[ X ] → (0, 0)] ⊢ F : (h, d) ⊢ (monitor X : F) : (h, d) e ⊢ @X : (0, 0) e ⊢ F : (h, d) e ⊢ ˜F : (h, d) e ⊢ F1 : (h1, d1), e ⊢ F2 : (h2, d2) e ⊢ F1 /\ F2 : (max∞(h1, h2 +∞ d1), max∞(d1, d2)) e ⊢ B1 : (l1, u1), e ⊢ B2 : (l2, u2) e[[ X ] → (l1, u2)] ⊢ F : (h′, d′) h = max∞(h′, N∞(−∞l1)) d = max∞(d′, N∞(u2)) e ⊢ (forall X in B1..B2 : F) : (h, d) e ⊢ 0 : (0, 0) e ⊢ infinity : (∞, ∞) [ X ] ∈ domain(e) e ⊢ X : (0, 0) [ X ] ∈ domain(e) e ⊢ X : e([ X ]) e ⊢ B : (l, u) e ⊢ B+N : (l +∞ [ N ], u +∞ [ N ]) e ⊢ B : (l, u) e ⊢ B-N : (l −∞ [ N ], u −∞ [ N ])

An abstract interpretation of the monitor.

Wolfgang Schreiner http://www.risc.jku.at 25/30

Example

We annotate first variables top-down and then formulas bottom-up.

monitor X(0,0): ˜( @X /\ forall X-1 < Y(−1,2) <= X+2 : ˜@X) (1,2) (1,2) (0,0) (1,2) (0,0)

The analysis yields ⊢ M : (1, 2) as required.

Wolfgang Schreiner http://www.risc.jku.at 26/30

The Effect of Delays

Without delay in conjunction:

monitor X(0,0) : @X /\ forall Y(0,5) in X..X+5 : forall Z(−3,4) in Y-3..Y-1 : @Z (3,5) (0,0) (3,5) (3,4) (0,0)

With delay in conjunction:

monitor X(0,0) : (forall Y(0,3) in X..X+3 : @Y) /\ forall Y(0,5) in X..X+5 : forall Z(−3,4) in Y-3..Y-1 : @Z (6,5) (0,3) (3,5) (3,4) (0,0)

Delays in conjunctions let the history requirements increase.

Wolfgang Schreiner http://www.risc.jku.at 27/30

Soundness of the Resource Analysis

The results of the analysis bound the resources of the monitor.

∀M ∈ Monitor, Mt ∈ TMonitor, n ∈ N, s ∈ Stream, rs ∈ N, d ∈ N∞, h ∈ N∞ : ⊢ M : (h, d) ⇒ (d ∈ N ⇒ (⊢ T(M) →∗

n,s,rs Mt ⇒ |instances(Mt)| ≤ d)) ∧

(h ∈ N ⇒ (⊢ T(M) →∗

n,s,rs Mt ⇔ ⊢ T(M) →∗ n,s,rs,h Mt))

Mt →∗

n,s,rs Mt′

Mt′ is the state of the monitor Mt after processing n messages from stream s (by which the violations rs are reported).

Mt →∗

n,s,rs,h Mt′

Mt′ is the state of the monitor Mt after processing n messages from stream s (by which the violations rs are reported), if only the last h messages are preserved in the stream history.

For the proof of soundness, an operational semantics of the monitor execution is derived from the previously presented denotational semantics.

Wolfgang Schreiner http://www.risc.jku.at 28/30

Proof of the Soundness of the Analysis

• 1. Prove an invariant of monitor execution.

∀X ∈ Variable, . . . : ⊢ T(monitor X : F) →∗

n,s,rs TM(Y , Ft, It) ⇒

X = Y ∧ Ft = T(F) ∧ alldifferent(It) ∧ allnext(It) ∧ ((t, Ft′, c) ∈ It ⇒ c = [X → (t, s(t))] ∧ ⊢ (monitor X : F) : (h, d) ∧ d ∈ N ⇒ n − d ≤ t ≤ n − 1 ∧ ∃b ∈ B, d′ ∈ N : d′ ≤ d ∧ Ft′ →∗

max(0,t+d′−n),n,s,c(X).1 done(b))

• 2. Prove soundness of analysis w.r.t. monitor execution.

∀M ∈ Monitor, Mt ∈ TMonitor, n ∈ N, s ∈ Stream, rs ∈ N, d ∈ N∞, h ∈ N∞ : ⊢ M : (h, d) ⇒ (d ∈ N ⇒ (⊢ T(M) →∗

n,s,rs Mt ⇒ |instances(Mt)| ≤ d)) ∧

(h ∈ N ⇒ (⊢ T(M) →∗

n,s,rs Mt ⇔ ⊢ T(M) →∗ n,s,rs,h Mt))

Use invariant as additional assumption. Derive required soundness statement for formula evaluation.

• 3. Prove soundness statement for formula evaluation.

Wolfgang Schreiner http://www.risc.jku.at 29/30

Conclusions

Current status:

Predicate-logic based monitor specification language developed. Prototype of monitor translation implemented. Resource analysis formulated (for a simplified language). Proof of soundness of analysis under way (for a core language).

Future tasks:

Implementation of soundness analysis. Verification of soundness of translation. Compilation of specifications (currently interpretation). More optimizations based on a more detailed formula analysis. Development of a catalogue of application examples. Performance analysis of application examples.

http://www.risc.jku.at/projects/LogicGuard

Wolfgang Schreiner http://www.risc.jku.at 30/30