A Formal Logic-based Language and an Automated Verification Tool ...

1 downloads 497 Views 281KB Size Report
S-TLC, as a new designed automated formal verification tool, helps exploring additional evidences and checking whether there are hacking scenarios that meet ...
2005 ACM Symposium on Applied Computing

A Formal Logic-based Language and an Automated Verification Tool For Computer Forensic Investigation Slim REKHIS

Noureddine BOUDRIGA

Communication Networks and Security Research Lab (SUP’COM) University of Carthage November 7th, Tunisia

Communication Networks and Security Research Lab (SUP’COM) University of Carthage November 7th, Tunisia

[email protected]

[email protected]

ABSTRACT

terested a few works that dier on the techniques and method-

In this paper, a formal logic-based language, called S-TLA , is proposed for computer forensic investigation. It allows an unambiguous description of evidences, a modeling of the forensic expert knowledge in the form of hacking scenarios fragments, and a reasoning capability with uncertainty by lling in potential lack of data with hypotheses. The proposal is complemented by an automated formal verication tool, called S-TLC which helps exploring additional evidences and checks whether there are plausible hacking scenarios that meet the available evidences.

ologies they used. [2] presented an automated diagnosis sys-

+

tem that generates possible attacks sequences using a plan recognition technique, simulates them on the victim model, and performs pattern matching recognition between their side eects and log les entries.

This technique assumes

that the attack activity is logged, which is in contradiction with the fact that attack scenarios may subvert logging daemon and alter logs before hackers leave the system. [7] used an expert system with a decision tree to search through evidences for potential violations of invariant relationship between digital objects. The methodology is useful in reducing the amount of data to be analyzed. Nevertheless, it roughly

Keywords

depends on the system time granularity and the degree of preciseness that the system uses to record time on objects.

Formal Forensic Investigation, Temporal Logic of Security + Actions, S-TLA , S-TLC.

Moreover, while the system enables automation, it does not allow disclosing the performed hacking scenario.

1.

[6] pro-

posed an approach to automatically reconstruct a forensic

INTRODUCTION

evidence from a set of scattered fragments using a context

After the occurrence of digital security incident, computer

modeling technique, where probabilities related to fragment

forensic investigators start their analysis focusing on col-

adjacency are computed and pruning heuristics are used to

lecting evidences, determining the techniques and scenarios

compute the optimal ordering.

used to cause the incident, and building proofs from the col-

proach is its dependency on the evidence type.

One drawback to this ap-

lected information to enable hackers prosecution. Achieving

We propose in this work a new logic-based language along

these objectives with a cursory observation on the compro-

with an automated verication tool for formal computer

mised system is a challenging problem. Computer investi-

forensic investigation of digital security incidents. The work

gation eorts may depend upon a number of factors includ-

is based on the enhancement of the formal specication lan+ + guage TLA and its model checker TLC [5]. TLA has

ing: 1) how good the system under investigation has been initially prepared to handle forensic analysis; 2) the investigators'skills and their familiarity with attack techniques;

shown a good track record in describing concurrent and + asynchronous systems. Our new language, called S-TLA ,

and 3) the complexity of the conducted attacks.

To over-

is proposed to enable a formal and unambiguous description

come the above constraints, computer forensic investigation

of the available evidences, a modelling of the forensic experts

may require both formalization and automation for accuracy

knowledge in the form of hacking scenarios fragments, and

and practicality. This is time-saving and allows an unam-

a reasoning technique on compromised systems with uncer-

biguous representation of forensic investigators' knowledge

tainty by adding forward hypotheses to ll in any potential

and observations. It also makes the generated investigation

lack of details. S-TLC, as a new designed automated formal

deductions relevant, even with a huge amount of data.

verication tool, helps exploring additional evidences and

Formal reasoning on digital forensic investigation has in-

checking whether there are hacking scenarios that meet the available evidences. Our contribution is 3-fold.

+ First, S-TLA takes advan-

tage from the richness of the formal specication language + TLA to support description of scenarios and evidences us-

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC’05 , March 13-17, 2005, Santa Fe, New Mexico, USA Copyright 2005 ACM 1-58113-964-0/05/0003 ...$5.00.

ing temporal modalities.

Second, S-TLC keeps the core

components of TLC and represents a promising tool able + to handle a generic class of S-TLA specications. Third, such tool provides a computer-assisted diagnosis that reduces the computer investigator eorts and produces a for-

287

mal proof regarding malicious hacking activities without a

manner, we make TLA able to describe a system progress

need for advanced skills.

from a state to another, further to the execution of an action

The remaining part is organized

under hypothesis HA . S-TLA constrained variables:

as follows: First, the temporal logic of actions is reviewed

A

and the novel S-TLA logic along with the formal specica+ tion language S-TLA is dened. Section 3 describes the

whose value is set according to a hypothesis, from the re-

automated verication tool S-TLC, and demonstrates how

maining specication variables is of great importance.

hacking scenarios are inferred both using forward and back-

fact, we aim to handle them dierently, as we are looking

ward chaining. In Section 4, the proposal is exemplied by

to reach a given system state under a minimal set of hy-

a case study. Finally, the work is concluded in Section 5.

potheses. This will be signicantly realized during verication.

2.

Temporal Logic of Actions

In

Moreover a variable whose value is set according to

a hypothesis could not be valued dierently afterwards all

TEMPORAL LOGIC OF SECURITY ACTIONS We describe here the

Distinguishing variables

through the system behavior. Such type of variable is a bit dierent from the two TLA exible and rigid variables [5]. Thus, we introduce a new set of variables called constrained

and its

VC

+ supported language TLA [5], as they serve as a starting

variables set

point. Then we discuss the

potheses. This set of variables should be disjoint from sets

tions.

2.1

Temporal Logic of Security Ac-

VF

VR

that represent exible and rigid variables sets,

respectively.

S-TLA state:

Reviewing TLA/TLA+

from the collection

port for the specication of distributed and asynchronous systems, [4]. sitions.

VR ∪ VC set VC .

It allows the description of states and tran-

A state is a mapping from the set of all variable

prime operator

dened above.

old state, and a new state. Semantically, it is true or false and syntactically, it represents a

strained variable in the new state. We dene assumed and non-assumed variables to refer respectively to new and old state of constrained variables.

the prime operator).

{x ” | x ∈ VC }

In TLA, a system is specied by a formula of the form

described by the symbol

While a state is a valua-

O

is introduced to represent the

value of a constrained variable that up to the moment was

un-

not used to make a hypothesis. Broadly, a state with a con-

changed. The innite behavior of the system is constrained

L (written as a conjunction of weak

strained variable value that is dierent from

S-TLA inconsistency:

inconsistency

contains notations of set theory and syntactic structuring + mechanisms [5]. TLA provides a precise syntax and mod-



We formally dene an S-TLA

as a predicate containing constrained vari-

wanted condition (informally, it reects a combination of hypotheses). Semantically, it is true or false for a state. If an inconsistency is true for a state

three main sections embedding declarations, denitions, and

t , then the system tran-

sition on the way to that state should not be followed.

assumptions.

S-TLA action and hypothesis:

conjunct of two expressions.

Enhancing TLA

An S-TLA action is a

The rst expression is facili-

tative, of type boolean, denotes a hypothesis, and contains

Suppose a formal system description that should involve

assumed and non-assumed variables. The second is an old

n dependent variables, while of m system variables (m < n )

a detail (value progress) of its

TLA action containing primed and unprimed variables. In the case where an S-TLA action

Such lack of details happens often during

A

looks like a TLA action

(no hypothesis is enunciated), its semantic remains the same

To overcome such limita-

as dened in [5].

tion, it is conceivable to use a formalism that supports a

noted by

reasoning with uncertainty, to let enunciating hypotheses whenever there is missing information.

means that

ables, constants, and constants operators to denotes an un-

ule system for writing specications. A module represents + the lowest granular part of a TLA specication, it contains

computer forensic investigation.

O

there is an enunciated hypothesis to reach the related state.

and strong fairness conditions on actions). + TLA is a high-level language that is based on TLA and

currently only the behavior

VA ,

tion of the wholeness variables, a new ctive S-TLA value

and where every state satises the next state

is understood.

In this way, we let

be the set of assumed variables.

The S-TLA ctive value O:

describing the set of all its autho-

rized behaviors. It describes a system whose initial behavior

by the liveness property

We introduce a new S-TLA operator enti00 to denote the value of a con-

tled assumption operator

boolean expression containing primed and unprimed vari0 ables (primed refer to the variables of the new sate and is

Init

Such oper-

ator cannot thus be applied to a constrained variable as

tion is described by an action that is a relation between an

N , or leaves the tuple of specication variables v

Every time the TLA

is applied to a exible variable, it changes

eected to it in the previous system states.

expression that is true or false for a state. A state transi-

relation

0

its value independently of the previous values that have been

mer assigns a value to each state, the latter is a boolean

satises

A state can thus give information on the set of

S-TLA assumption operator 00 :

function and state predicate are of the same syntax, the for-

∃ x : Init ∧ 2[N ]v ∧ L,

Var = VF ∪

of values to the set

initial system state.

mula is build from state function using Boolean operators 0 in addition to three new operators ( , 2, and ∃ ). State

hs , t i;

Val

of variables including the new constrained variables

enunciated hypotheses that let it being reachable from the

names to the collection of all possible values. A TLA for-

for a pair of states

The semantic of the new S-TLA state

remains always a valuation of variables. it is an assignment

TLA is a state-based logic that was introduced by L. Lam-

2.2

and

to encompass the variables representing hy-

hs , t i

⊥,

Semantically, given an inconsistency de-

an S-TLA action

A

is true for a pair of states

s (x )/x ) expression means x is placed by s (x ), the value of x in state s , in action A):

TLA is unable to

support such kind of reasoning. To this end, we dene S+ TLA and its supported S-TLA language that is suitable for

if, and only if (A(

 A(∀v ∈ VF : s (v )/v , t (v )/v 0 ) = true

formal modeling of digital postmortems. In a thoughtfully

288

re-

 A(∀v ∈ VC : s (v )/v , t (v )/v 00 ) = true

hs , t i

 ∀v ∈ Vc / s (v ) 6= O : s (v )/v = t (v )/v

and (3) without

 (t 2⊥)

t

t

x,

assigns to

x

1

higher than the 00 = 1, 00 being reached under the hypothesis =2

aects to

we introduce the 

is

(2) under the hypothesis

v (N , ⊥φ ) , enabled N

N

). Finally, + describes a relevant S-TLA system state

is false

(a valuation of some system variables) which is of capital importance especially in specifying forensic evidences as it will

⊥φ

be demonstrated afterwards in section 4.

denition as

=⇒ hN iv ∧ ¬ ⊥φ

3.

The latter will be part the standard S-TLA specication dened as follows:

φ , ∃ x : Init ∧ 2[N ]v ∧ L ∧

Inc

g h

is executed,

To ensure that

No Inconsistency 

NI

Evd

the predicate

in all system behaviors whenever an action

φ

s

(by the denition of inconsistency predicate

S-TLA specication formula:

formula

if (1) the value that

value that

AUTOMATED VERIFICATION USING STLC

To automate the proof in the context of forensic investi-

v (N , ⊥φ )

NI

Except the quoted syntactically and semantically modica-

gation, we propose S-TLC as an automated verication tool + for S-TLA specications with a stress on the handling of

tions, the remaining TLA notions including Fairness, stut-

hypotheses.

S-TLC is somehow an extension to TLC [5, + chapter 14], the Model Checker for TLA . S-TLC involves

tering, and temporal modalities are preserved.

2.3

node core

two notions:

Writing S-TLA+ specifications

and

node label.

The core of a node

represents a valuation of the entire non-constrained vari-

+ We dene S-TLA as a language for writing specica+ tions in S-TLA, it embodies TLA with some add-ons in

ables, and the node label represents the potential sets of

the module structure and in the constant and non constant + operators. To describe S-TLA , we concentrate only on the

ables) under which the node core is reached. The node la-

introduced modications as outlined hereinafter:

used in the Assumption Truth Maintenance System (ATMS

Module-Level constructs:

hypotheses (i.e., a valuation of the entire constrained varibel is represented and maintained in a way akin to the one [1]). Precisely, a node label is a set of environments, which

cvar1 , . . . , cvarn

cvariables

are sets of hypotheses.

Adds to the current module the declaration of con-

imal sets of hypotheses, while a straightforward reading of

strained variables.

the node label indicates the alternatives (hypotheses sets) under which a node is reachable.

Non constant S-TLA+ operators: h

Given a constrained variable : 00 [Denotes the value of

h

untouched

h

h

3.1

in the next state] 00 [Replace the expression = ]

h

h

Constant S-TLA+ operators: ∇

UF

to refer to its label in graph

G.

G , UF

The S-TLC and

UB . G

and

UB

are FIFO queues containing states whose suc-

cessors are not yet computed, respectively during forward

SpecExpl

and backward chaining phases. The S-TLC Model Checker works in three phases:

extends

Initialization phase:

G,

as well as

UF

and

UB

are cre-

ated and initialized respectively to empty set Ø and empty sequence

Init , (x = 0) ∧ (g = O) ∧ (h = O) A , (g ” = 1) ∧ (x 0 = x + 1) ∧ untouched h B , (h ” = 2) ∧ (x 0 = x − 1) ∧ untouched g C , (x 0 = x × 3) Next , A ∨ B ∨ C Evd , x = 2 Inc , (g = 1) ∧ (h = 2) Spec , Init ∧ 2[Next ]hx ,g ,h i ∧ nihx ,g ,h i (Next , Inc ) theorem

Label (G , t )

refers to the reachability directed graph under construction.

variable value, before a hypothesis is enunciated] module

Inferring scenarios with S-TLC Given a state t , we use tn to denote its corresponding node core, tc to describe its resulting environment, and algorithm employs three data structures

[A ctive value that represents the initial constrained

Naturals variables x cvariables h , g

The graph generated by S-TLC is

built by ensuring that a given node is reached under min-

hi.

During this step, each state satisfying the ini-

tial predicate

Init

is computed and then checked whether it

satises the invariant predicate it is appended to

G

Invariant .

with a pointer to the

On satisfaction,

null

state and a

label equal to the set of hypotheses relative to the current state. On failure, an error is generated. If the state does not satisfy the evidence predicate to the unseen queue

UF ,

minal state and appended to chaining.

it is attached

UB

to be retrieved in backward

:

All the scenarios that orig-

Forward chaining phase

Spec ⇒ 2(x ∈ Nat )

EvidenceState ,

otherwise it is considered as a ter-

inate from the set of initial system states are inferred in forward chaining. This involves the generation of new sets of hypotheses and evidences that are consequent to these

Figure 1: Standard form of a S-TLA+ specication

scenarios. During this phase and until the queue becomes empty, state

+ Figure 1 illustrates a typical S-TLA specication mod-

ule,

SpecExpl .

In the initial state there is no enunciated

O.

Action

is retrieved from the tail of

UF

and its suc-

t

sat-

isfying the predicate (specied to assert bounds on the set

g and h are both A, for instance, is true for a pair of states

hypotheses and the constrained variables equal to

s

cessor states are computed. For every successor state of reachable states)

Constraint , if the predicate Invariant

is

not satised, an error is generated and the algorithm termi-

289

t

nates, otherwise state 1. If

tn

is appended to

G,

does not exist in

G

4.

as follows:

a new node (set to

appended to the graph with a label equal to if satises predicate tached to

UF .

tn ) is tc and

gation on a public Web server that was found stopped providing its service. To deal with complex, unguessable, and

sn . State t is appended to UB EvidenceState , otherwise it is at-

a predecessor equal to

CASE STUDY

We propose the following case study which is an investi-

attack scenarios, where hackers may have altered any trace, we follow the approach used by [3]. We consider a hacking scenario as a combination of more generic and reusable fragments, which are basically described in advance without an

x in G that is equal to tn and whose label includes tc , then a conclusion could be made stating that node t was been added previously to G . In that case, a pointer is simply added from x to the predecessor state sn .

a priori knowledge about the whole hacking scenario that

2. If there exists a node

x

3. If there exists a node

in

G

that is equal to

tn ,

is looked for. This contributes to the creation of scenarios fragments progressively and allows security experts to in+ terfere eectively. Using S-TLA , we model every scenario fragment by an optional set of hypotheses underlying the scenario-fragment occurrence, a set of pre-conditions that must be satised, and a set of actions to achieve a sub-goal

but

tc , then the node label is updated as follows: First, tc is added to Label (G, x ). Second, any environment from Label (G, x ), which is a whose label does not include

of the whole scenario objective. For the sake of space, we + will only describe some parts of the S-TLA specication, deemed important.

superset of some other elements in this label, is deleted

tc

to ensure hypotheses minimality. Third, if

4.1

is still in

Label (G , t ) then x is pointed to the predecessor state sn and node t is appended to UB if it satises predicate EvidenceState . Otherwise, it is attached to UF .

Specification using S-TLA+

The available evidence is described with predicate uses function

running

Evd .

It

to state that there is no running Web

srvport described as a specication Evd , running [websrv ] 6= “web ”

service on the TCP port parameter.

The resulting graph is a set of scenarios that end in any state

+ Besides, S-TLA actions are used to specify hacking sce-

satisfying the predicate

nario fragments.

EvidenceState

and/or

Constraint .

produce states satisfying predicate

For readability reasons, we ignore those

that are not part of the whole expected scenarios.

Backward chaining phase: All the scenarios that could

EvidenceState , generated

1)

RmtUnprExploit :

If there is a web vulnerability that

in forward chaining, are constructed. During this phase and

directly grants an unprivileged system access and provided

until the queue becomes empty, the tail of

that there is a running web service, the user privilege

UB ,

described by

t , is retrieved and its predecessor states (ie, the set of states si such that (si , t ) satisfy action Next ) which are not terminal states and satisfy the predicate Invariant (States that don't satisfy predicate Invariant are discarded because state

rises from that

Constraint

appended to 1. If to

sn G

G

are computed.

Each computed state

G,

a new node (set to

sn )

sc .

a pointer is added from node appended to

x sc ,

2. If there is

UB .

in

G

appended to

to

that is equal to

sn

is

sn ,

tn

G.

s

UB .

and

s

∆ ∧ webvul " = rmtpr RmtPrExploit = ∧ ∃ x ∈ Ports : running [srvport ] = web ∧ pr = 0 ∧ pr 0 = 2 3) EscaladePr 1: hypothesizing that there is a local cong-

uration error in how local users are aected to groups. The

is

user privilege rises from

x

in

1

to

2

as the local conguration er-

ror is exploited.

∆ EscaladePr 1 = ∧ cferrorin " = usrgrpcfg ∧ pr = 1 ∧ pr 0 = 2 4) EscaladePr 2: Similar to the previous fragment, except

sn , but whose laLabel (G , t ) is updated as follows: Fist, sc is added to Label (G, x ). Second, any environment from Label (G, x ) which is a superset of

3. If there is

refers to the system administrator privilege.

as the vulnerability is exploited.

was been

sn

2

the user privilege to raise directly to the administrator's one

is

In that case a pointer is simply

to the predecessor state

lets a user

ability that directly grants a privileged access which leads

and whose label

s

1

pr

Note

ment, except that it assumes the existence of a web vulner-

Then,

and state

then it is stated that node

added previously to added from

tn

as the vulnerability is exploited.

∆ ∧ webvul " = rmtunpr RmtUnprExploit = ∧ ∃ x ∈ Ports : running [srvport ] = web ∧ pr = 0 ∧ pr 0 = 1 2) RmtPrExploit : This resembles to the previous frag-

is appended

with a label equal to the environment

1

means a restricted user privilege, while

Finally,

as follows:

is not in

includes

s

to

execute any command that the service is able to execute.

this step aims simply to generate additional explanations) and

0

0

G

that is equal to

bel doesn't include

sc ,

then

that the hypothesis concerning conguration error aects the running system update utility.

∆ EscaladePr 2 = ∧ cferrorin " = systemupdateutility ∧ pr = 1 ∧ pr 0 = 2 5) InstallBackdoor : Given no installed backdoor yet

some other elements in this label is deleted to ensure hypotheses minimality. Third, if in the label of state

x

predecessor state

and the node

x

sc

then the node

s

t

is still contained is pointed to the

is appended to

The outcome of the three phases is a graph

G

and

a provided administrator privilege, a unused port is chosen

UB .

at random and a∆shell is bound on it.

InstBackdoor

containing

the set of possible causes relative to the collected evidences. It embodies dierent initial system states apart from those described by the specication.

6)

290

= ∧ ∀ x ∈ Ports : running [x ] 6= shell ∧ pr = 2 ∧ ∃ x ∈ Ports \ {srvport } : running 0 = [running except ![x ] = shell ]

RemoveTelnetAuthentication :

Telnet service is recon-

gured to disable user authentication.

The result of this

operation is a shell bound to the same port.

The system

behaves thus like a backdoored system. Such action could be performed unless the current user is provided with an administrator privilege.

∆ RmTelnetAuth = ∧ pr = 2 ∧ ∃ x ∈ Ports : ∧ running [x ] = telnet ∧ running 0 = [running except ![x ] = shell ] 7) DoSWeb : Whenever the running user is equipped with

an administrative privilege, it could stop the web service, creating thus a denial of service state.

∆ DoSWeb = ∧ running [srvport ] 6= null ∧ pr = 2 ∧ running 0 = [running except ![srvport ] = null ] + An S-TLA inconsistency is specied by predicate Inc

to state that a system state should not be reached under a conjunct of two types of hypotheses:

a) there is a web

vulnerability and b) the system update utility is running. In fact, whenever a system update utility is running, it is unfeasible to have any persistent unxed vulnerability. ∆ Inc = ∧ cferrorin = systemupdateutility ∧ ∨ webvul = rmtpr ∨ webvul = rmtunpr

+

states. Two main drawbacks of such approach could be per-

section 2.2) where the initial system state is

ceived. First, the use of labels with model checking could be-

The system under investigation is specied by a S-TLA formula (c.f.

Figure 2: Scenarios generated in forward chaining

described by the predicate

Init

come painful as they may grow wider requiring thus a great

denoting a secure server pro-

amount of memory space to represent individual states. Sec-

viding only a web service, and where every permissible ac-

ondly, the use of backward chaining might aect consider-

tion is one among the seven specied scenario fragments, such that no inconsistency (as dened above) holds.

ably the system performance as this requires an additional + resources in interpreting the set of S-TLA actions back-

4.2

wards.

Automated investigation using S-TLC

rameters and

1,

PortNumber

and

srvport

respectively equal to

Nonetheless, it can be argued that the benets of

backward chaining are important in the sense that valuable

The execution of the described S-TLC algorithm with pa-

additional explanations could be generated.

2

until forward chaining (c.f. Figure 2) brings out two

dierent system states (the ones which are encircled) rep-

6.

resenting forensic evidences. The second state shows a new

[1] de Kleer, J. An assumption-based TMS.

Intelligence 28, 2 (1986), 127162.

additional evidence. It denotes an installed backdoor on another TCP port (precisely port number

2),

which provides

diagnosis for computer forensics. Tech. rep., The

under two possible set of hypotheses: 1) there is a remote

MITRE Corporation, 2001.

unprivileged vulnerability in the installed web service and a

[3] Keppens, J., and Zeleznikow, J. A model based

local conguration error in creating user groups and 2) there

reasoning approach for generating plausible crime

is a remote privileged vulnerability in the installed web serInconsistency is prevented from occurring, in fact action

EscaladePr 2 doesn't belong to the scenario since it contains

[4]

a hypothesis that is inconsistent with the one occurring in

RmtUnprExploit .

During backward chaining a new scenario is appended. It

[5]

states that the system is initially running telnet and web A hacker tries to get administrative privilege in

Addison-Wesley, 2002.

It introduces

[6] Shanmugasundaram, K., and Memon, N.

misleading system modications in the conguration of tel-

Automatic reassembly of document fragments via data

net service by removing the authentication phase, letting the

Proceeding of the Digital Forensics Research Workshop (2002). compression. In

system grant a shell to any connected user and thus behaves like a backdoored system.

5.

Proceedings of the 9th International Conference on Articial Intelligence and Law (2003). Lamport, L. The temporal logic of actions. ACM Transactions on Programming Languages and Systems 16, 3 (May 1994), 872923. + Language Lamport, L. Specifying Systems: The TLA and Tools for Hardware and Software Engineers. scenarios from evidence. In

vice.

the same way as in the previous scenarios.

Articial

[2] Elsaesser, C., and Tanner, M. C. Automated

a privileged shell on access. These evidences are generated

services.

REFERENCES

[7] Stallard, T., and Levitt, K. Automated analysis for digital forensic science: Semantic integrity checking.

CONCLUSION

Proceeding of the 19th Annual Computer Security Applications Conference (2003). In

We have proposed a novel formal logic-based language and + an automated verication tool, called S-TLA and S-TLC. + S-TLA uses a robust formalism that allows advancing hypotheses whenever there is some luck of details to demonstrate some part of an attack scenario. S-TLC presents efcient robustness in managing hypotheses and representing

291