1 Introduction
-
network topology: any pair of nodes can communicate but depending on their distance, exchanging messages take more or less time. We will simply assume that the time needed is proportional to the distance between the two agents, and that messages can not travel faster than the speed of the light.
-
timing constraints: protocols that aim to prevent against relay attacks typically rely on a rapid phase in which time measurements are performed. Our framework will allow us to model these time measurements through the use of timestamps put on each action.
2 Background
2.1 Distance Bounding Protocols
2.2 Attacks on Distance Bounding Protocols
2.3 Symbolic Security Analysis
3 A Security Model Dealing with Time and Location
3.1 Term Algebra
3.2 Timing Constraints
3.3 Process Algebra
-
\(T_\mathsf {rapid}= (v,\mathsf {out}^{z_1}(c)). (v,\mathsf {in}^{z_2}(y)). (v, [y=\mathsf {h}(c,m,\gamma )]).(v,[\![z_2 - z_1 < 2t_0]\!])\), and
-
\(\varPhi _\mathsf {rapid}= \varPhi _0 \uplus \{\mathsf {w}_4 \xrightarrow {v,\delta _0} m\}\).
-
Input: A trace T locally closed w.r.t. \(\mathcal {X}\) and \(\mathcal {Z}\), \(t_0 \in \mathbb {R}^+\), and a topology \(\mathcal {T}_0\).
-
Output: Do there exist \(\ell _1, \ldots , \ell _n\), \(\varPhi \), and t such that \((T;\emptyset ;t_0) \xrightarrow {\ell _1 \ldots , \ell _n}_{\mathcal {T}_0} (\epsilon ;\varPhi ;t)\)?
4 Modelling Using Horn Clauses
4.1 Preliminaries
-
a reachability predicate: \(\mathsf {r}_{w}\) holds when the run w is executable.
-
a deduction predicate: \(\mathsf {k}_{w} (R, u)\) holds if the message u can be built using the recipe \(R \in \mathcal {T}(\varSigma , \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W})\) by an attacker using the outputs available after the execution of w (if this execution is possible).
-
if there exists \((T_n;\phi _n)\) such that
-
if for all \((T_n;\phi _n)\) such that we have that \(R\phi _n\mathord {\downarrow }= u\).
4.2 Seed Statements
-
\(w_0,\ldots , w_n\) are symbolic runs locally closed, \(w_i \sqsubseteq w_0\) for any \(i \in \{1,\ldots , n\}\);
-
\(u, u_1, \ldots , u_n\) are terms in \(\mathcal {T}(\varSigma ,\mathcal {N}\cup \mathbb {R}^+\cup \mathcal {X})\);
-
\(R \in \mathcal {T}(\varSigma ,\mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W}\cup \{X_1,\ldots , X_n\}) \smallsetminus \mathcal {Y}\), and \(X_1, \dots , X_n\) are distinct variables from \(\mathcal {Y}\).
4.3 Soundness and Completeness
-
\(\hat{R}_j(\{X_i \rightarrow u_i~|~1 \le i\le n\} \uplus \phi (w_0))\mathord {\downarrow }= v_j\) for \(j \in \{1, \ldots , k'\}\); and
-
\(\hat{R}_j\sigma = R_i\) for \(j \in \{1, \ldots , k'\}\).
-
for any \(g\in \mathsf {seed}(T_0) \cup \mathcal {H}(\mathsf {seed}(T_0))\);
-
If with input recipes \(R_1, \ldots , R_k\) that are uniform w.r.t. \(\phi \) then1.\(\mathsf {r}_{\ell _1, \ldots , \ell _p} \in \mathcal {H}(\mathsf {seed}(T_0))\); and2.if \(R\phi \mathord {\downarrow }= u\) for some recipe R uniform w.r.t. \(\phi \) then \(\mathsf {k}_{\ell _1, \ldots , \ell _p}(R, u) \in \mathcal {H}(\mathsf {seed}(T_0))\).Moreover, we may assume that the proof tree witnessing these facts are uniform and match with \(\mathsf {exec}\) using \(R_1, \ldots , R_k\) as input recipes.
5 Saturation
5.1 Saturation Procedure
-
f is said to be solved if \(B_i = \mathsf {k}_{w_i}(X_i, x_i)\) with \(x_i \in \mathcal {X}\) for all \(i \in \{1, \ldots , n\}\).
-
f is said to be well-formed if whenever it is solved and \(H = \mathsf {k}_{w}(R, u)\), we have that \(u \not \in \mathcal {X}\).
5.2 Completeness
-
\(R <^{\mathsf {in}}_\mathsf {exec}\mathsf {w}\) when \(\ell _i = a, \mathsf {in}(u)\) with input recipe R and \(\ell _j = a, \mathsf {out}(u_j)\) with output recipe \(\mathsf {w}\) for some agent a with \(i < j\);
-
\(R' <^{\mathsf {sub}}_\mathsf {exec}R\) when \(R'\) is a strict subterm of R.
-
either \(\mathsf {time}(\mathsf {w}) + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}),a) < \mathsf {time}(\mathsf {w}') + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}'),a)\);
-
or \(\mathsf {time}(\mathsf {w}) + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}),a) = \mathsf {time}(\mathsf {w}') + \textsf {Dist}_{\mathcal {T}}(\mathsf {agent}(\mathsf {w}'),a)\), and the output \(\mathsf {w}\) occurs before \(\mathsf {w}'\) in the execution \(\mathsf {exec}\).
-
either \(R \in \mathcal {N}_\mathsf {pub}\cup \mathbb {R}^+\cup \mathcal {W}\) and \(\not \exists R'\) such that \(R'<_\mathsf {exec}R\) and \(R'\varPhi \mathord {\downarrow }= R\varPhi \mathord {\downarrow }\);
-
or \(R = \mathsf {f}(R_1,\ldots , R_k)\) with \(\mathsf {f}\in \varSigma \) and \(\not \exists R'\) such that \(R' <^a_\mathsf {exec}R\) and \({R'\varPhi \mathord {\downarrow }= R\varPhi \mathord {\downarrow }}\).
-
\(\mathsf {r}_{\ell _1, \ldots , \ell _p} \in \mathcal {H}(K)\) with a proof tree matching \(\mathsf {exec}\) and \(R_1, \ldots , R_k\);
-
\(\mathsf {k}_{u_0}(R, R\phi \mathord {\downarrow }) \in \mathcal {H}(K)\) with a proof tree matching \(\mathsf {exec}\) and \(R_1, \ldots , R_k\) whenever \(u_0 = \ell _1,\ldots , \ell _{q-1}\) for some \(q\in \mathsf {Rcv}(p)\) and R is asap w.r.t. \(b_{|\mathsf {Rcv}(q)|}\) and \(\mathsf {exec}\).
6 Algorithm
6.1 Description
-
\(z_{\mathsf {orig}(j)} + \textsf {Dist}_{\mathcal {T}_0}(a_{\mathsf {orig}(j)},a_i) \le z_i\) if \(R_i = \mathsf {w}_j\);
-
otherwise, we consider:$$\begin{aligned} \bigvee \nolimits _{b \in \mathcal {M}_0} \big (\bigwedge \nolimits _{\{j \mid \mathsf {w}_j \in vars (R_i)\}} z_{\mathsf {orig}(j)} + \textsf {Dist}_{\mathcal {T}_0}(a_{\mathsf {orig}(j)},b) \le z_i - \textsf {Dist}_{\mathcal {T}_0}(b,a_i) \;\big ) \end{aligned}$$
6.2 Termination Issues
6.3 Correctness of Our Algorithm
-
if Reachability\((K,t_0,\mathcal {T}_0)\) holds then \((T;\emptyset ;t)\) is executable in \(\mathcal {T}_0\);
-
if \((T;\emptyset ;t_0)\) is executable in \(\mathcal {T}_0\) then Reachability\((K,t_0,\mathcal {T}_0)\) holds.
7 Implementation and Case Studies
7.1 Integration in Akiss
7.2 Case Studies
Protocol | Mafia fraud | Distance hijacking | ||||
---|---|---|---|---|---|---|
roles/tr | time | status | roles/tr | time | status | |
TREAD-Asym [2] | 2/− | 1 s |
\(\times \)
| 2/− | 1 s |
\(\times \)
|
SPADE [11] | 2/− | 2 s |
\(\times \)
| 2/− | 4 s |
\(\times \)
|
TREAD-Sym [2] | 4/7500 | 18 min | 2/− | 1 s |
\(\times \)
| |
BC [10] | 4/5635 | 37 min | 2/− | 1 s |
\(\times \)
| |
Swiss-Knife [25] | 3/1080 | 25 s | 3/7470 | 4 min | ||
HK [23] | 3/20 | 1 s | 3/20 | 1 s | ||
4/3360 | 58 s | 4/3360 | 47 s | |||
5/30240 | 14 min | 5/30240 | 12 min |