2005 ACM Symposium on Applied Computing
A Formal Logic-based Language and an Automated Verification Tool For Computer Forensic Investigation Slim REKHIS
Noureddine BOUDRIGA
Communication Networks and Security Research Lab (SUP’COM) University of Carthage November 7th, Tunisia
Communication Networks and Security Research Lab (SUP’COM) University of Carthage November 7th, Tunisia
[email protected]
[email protected]
ABSTRACT
terested a few works that dier on the techniques and method-
In this paper, a formal logic-based language, called S-TLA , is proposed for computer forensic investigation. It allows an unambiguous description of evidences, a modeling of the forensic expert knowledge in the form of hacking scenarios fragments, and a reasoning capability with uncertainty by lling in potential lack of data with hypotheses. The proposal is complemented by an automated formal verication tool, called S-TLC which helps exploring additional evidences and checks whether there are plausible hacking scenarios that meet the available evidences.
ologies they used. [2] presented an automated diagnosis sys-
+
tem that generates possible attacks sequences using a plan recognition technique, simulates them on the victim model, and performs pattern matching recognition between their side eects and log les entries.
This technique assumes
that the attack activity is logged, which is in contradiction with the fact that attack scenarios may subvert logging daemon and alter logs before hackers leave the system. [7] used an expert system with a decision tree to search through evidences for potential violations of invariant relationship between digital objects. The methodology is useful in reducing the amount of data to be analyzed. Nevertheless, it roughly
Keywords
depends on the system time granularity and the degree of preciseness that the system uses to record time on objects.
Formal Forensic Investigation, Temporal Logic of Security + Actions, S-TLA , S-TLC.
Moreover, while the system enables automation, it does not allow disclosing the performed hacking scenario.
1.
[6] pro-
posed an approach to automatically reconstruct a forensic
INTRODUCTION
evidence from a set of scattered fragments using a context
After the occurrence of digital security incident, computer
modeling technique, where probabilities related to fragment
forensic investigators start their analysis focusing on col-
adjacency are computed and pruning heuristics are used to
lecting evidences, determining the techniques and scenarios
compute the optimal ordering.
used to cause the incident, and building proofs from the col-
proach is its dependency on the evidence type.
One drawback to this ap-
lected information to enable hackers prosecution. Achieving
We propose in this work a new logic-based language along
these objectives with a cursory observation on the compro-
with an automated verication tool for formal computer
mised system is a challenging problem. Computer investi-
forensic investigation of digital security incidents. The work
gation eorts may depend upon a number of factors includ-
is based on the enhancement of the formal specication lan+ + guage TLA and its model checker TLC [5]. TLA has
ing: 1) how good the system under investigation has been initially prepared to handle forensic analysis; 2) the investigators'skills and their familiarity with attack techniques;
shown a good track record in describing concurrent and + asynchronous systems. Our new language, called S-TLA ,
and 3) the complexity of the conducted attacks.
To over-
is proposed to enable a formal and unambiguous description
come the above constraints, computer forensic investigation
of the available evidences, a modelling of the forensic experts
may require both formalization and automation for accuracy
knowledge in the form of hacking scenarios fragments, and
and practicality. This is time-saving and allows an unam-
a reasoning technique on compromised systems with uncer-
biguous representation of forensic investigators' knowledge
tainty by adding forward hypotheses to ll in any potential
and observations. It also makes the generated investigation
lack of details. S-TLC, as a new designed automated formal
deductions relevant, even with a huge amount of data.
verication tool, helps exploring additional evidences and
Formal reasoning on digital forensic investigation has in-
checking whether there are hacking scenarios that meet the available evidences. Our contribution is 3-fold.
+ First, S-TLA takes advan-
tage from the richness of the formal specication language + TLA to support description of scenarios and evidences us-
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC’05 , March 13-17, 2005, Santa Fe, New Mexico, USA Copyright 2005 ACM 1-58113-964-0/05/0003 ...$5.00.
ing temporal modalities.
Second, S-TLC keeps the core
components of TLC and represents a promising tool able + to handle a generic class of S-TLA specications. Third, such tool provides a computer-assisted diagnosis that reduces the computer investigator eorts and produces a for-
287
mal proof regarding malicious hacking activities without a
manner, we make TLA able to describe a system progress
need for advanced skills.
from a state to another, further to the execution of an action
The remaining part is organized
under hypothesis HA . S-TLA constrained variables:
as follows: First, the temporal logic of actions is reviewed
A
and the novel S-TLA logic along with the formal specica+ tion language S-TLA is dened. Section 3 describes the
whose value is set according to a hypothesis, from the re-
automated verication tool S-TLC, and demonstrates how
maining specication variables is of great importance.
hacking scenarios are inferred both using forward and back-
fact, we aim to handle them dierently, as we are looking
ward chaining. In Section 4, the proposal is exemplied by
to reach a given system state under a minimal set of hy-
a case study. Finally, the work is concluded in Section 5.
potheses. This will be signicantly realized during verication.
2.
Temporal Logic of Actions
In
Moreover a variable whose value is set according to
a hypothesis could not be valued dierently afterwards all
TEMPORAL LOGIC OF SECURITY ACTIONS We describe here the
Distinguishing variables
through the system behavior. Such type of variable is a bit dierent from the two TLA exible and rigid variables [5]. Thus, we introduce a new set of variables called constrained
and its
VC
+ supported language TLA [5], as they serve as a starting
variables set
point. Then we discuss the
potheses. This set of variables should be disjoint from sets
tions.
2.1
Temporal Logic of Security Ac-
VF
VR
that represent exible and rigid variables sets,
respectively.
S-TLA state:
Reviewing TLA/TLA+
from the collection
port for the specication of distributed and asynchronous systems, [4]. sitions.
VR ∪ VC set VC .
It allows the description of states and tran-
A state is a mapping from the set of all variable
prime operator
dened above.
old state, and a new state. Semantically, it is true or false and syntactically, it represents a
strained variable in the new state. We dene assumed and non-assumed variables to refer respectively to new and old state of constrained variables.
the prime operator).
{x ” | x ∈ VC }
In TLA, a system is specied by a formula of the form
described by the symbol
While a state is a valua-
O
is introduced to represent the
value of a constrained variable that up to the moment was
un-
not used to make a hypothesis. Broadly, a state with a con-
changed. The innite behavior of the system is constrained
L (written as a conjunction of weak
strained variable value that is dierent from
S-TLA inconsistency:
inconsistency
contains notations of set theory and syntactic structuring + mechanisms [5]. TLA provides a precise syntax and mod-
⊥
We formally dene an S-TLA
as a predicate containing constrained vari-
wanted condition (informally, it reects a combination of hypotheses). Semantically, it is true or false for a state. If an inconsistency is true for a state
three main sections embedding declarations, denitions, and
t , then the system tran-
sition on the way to that state should not be followed.
assumptions.
S-TLA action and hypothesis:
conjunct of two expressions.
Enhancing TLA
An S-TLA action is a
The rst expression is facili-
tative, of type boolean, denotes a hypothesis, and contains
Suppose a formal system description that should involve
assumed and non-assumed variables. The second is an old
n dependent variables, while of m system variables (m < n )
a detail (value progress) of its
TLA action containing primed and unprimed variables. In the case where an S-TLA action
Such lack of details happens often during
A
looks like a TLA action
(no hypothesis is enunciated), its semantic remains the same
To overcome such limita-
as dened in [5].
tion, it is conceivable to use a formalism that supports a
noted by
reasoning with uncertainty, to let enunciating hypotheses whenever there is missing information.
means that
ables, constants, and constants operators to denotes an un-
ule system for writing specications. A module represents + the lowest granular part of a TLA specication, it contains
computer forensic investigation.
O
there is an enunciated hypothesis to reach the related state.
and strong fairness conditions on actions). + TLA is a high-level language that is based on TLA and
currently only the behavior
VA ,
tion of the wholeness variables, a new ctive S-TLA value
and where every state satises the next state
is understood.
In this way, we let
be the set of assumed variables.
The S-TLA ctive value O:
describing the set of all its autho-
rized behaviors. It describes a system whose initial behavior
by the liveness property
We introduce a new S-TLA operator enti00 to denote the value of a con-
tled assumption operator
boolean expression containing primed and unprimed vari0 ables (primed refer to the variables of the new sate and is
Init
Such oper-
ator cannot thus be applied to a constrained variable as
tion is described by an action that is a relation between an
N , or leaves the tuple of specication variables v
Every time the TLA
is applied to a exible variable, it changes
eected to it in the previous system states.
expression that is true or false for a state. A state transi-
relation
0
its value independently of the previous values that have been
mer assigns a value to each state, the latter is a boolean
satises
A state can thus give information on the set of
S-TLA assumption operator 00 :
function and state predicate are of the same syntax, the for-
∃ x : Init ∧ 2[N ]v ∧ L,
Var = VF ∪
of values to the set
initial system state.
mula is build from state function using Boolean operators 0 in addition to three new operators ( , 2, and ∃ ). State
hs , t i;
Val
of variables including the new constrained variables
enunciated hypotheses that let it being reachable from the
names to the collection of all possible values. A TLA for-
for a pair of states
The semantic of the new S-TLA state
remains always a valuation of variables. it is an assignment
TLA is a state-based logic that was introduced by L. Lam-
2.2
and
to encompass the variables representing hy-
hs , t i
⊥,
Semantically, given an inconsistency de-
an S-TLA action
A
is true for a pair of states
s (x )/x ) expression means x is placed by s (x ), the value of x in state s , in action A):
TLA is unable to
support such kind of reasoning. To this end, we dene S+ TLA and its supported S-TLA language that is suitable for
if, and only if (A(
A(∀v ∈ VF : s (v )/v , t (v )/v 0 ) = true
formal modeling of digital postmortems. In a thoughtfully
288
re-
A(∀v ∈ VC : s (v )/v , t (v )/v 00 ) = true
hs , t i
∀v ∈ Vc / s (v ) 6= O : s (v )/v = t (v )/v
and (3) without
(t 2⊥)
t
t
x,
assigns to
x
1
higher than the 00 = 1, 00 being reached under the hypothesis =2
aects to
we introduce the
is
(2) under the hypothesis
v (N , ⊥φ ) , enabled N
N
). Finally, + describes a relevant S-TLA system state
is false
(a valuation of some system variables) which is of capital importance especially in specifying forensic evidences as it will
⊥φ
be demonstrated afterwards in section 4.
denition as
=⇒ hN iv ∧ ¬ ⊥φ
3.
The latter will be part the standard S-TLA specication dened as follows:
φ , ∃ x : Init ∧ 2[N ]v ∧ L ∧
Inc
g h
is executed,
To ensure that
No Inconsistency
NI
Evd
the predicate
in all system behaviors whenever an action
φ
s
(by the denition of inconsistency predicate
S-TLA specication formula:
formula
if (1) the value that
value that
AUTOMATED VERIFICATION USING STLC
To automate the proof in the context of forensic investi-
v (N , ⊥φ )
NI
Except the quoted syntactically and semantically modica-
gation, we propose S-TLC as an automated verication tool + for S-TLA specications with a stress on the handling of
tions, the remaining TLA notions including Fairness, stut-
hypotheses.
S-TLC is somehow an extension to TLC [5, + chapter 14], the Model Checker for TLA . S-TLC involves
tering, and temporal modalities are preserved.
2.3
node core
two notions:
Writing S-TLA+ specifications
and
node label.
The core of a node
represents a valuation of the entire non-constrained vari-
+ We dene S-TLA as a language for writing specica+ tions in S-TLA, it embodies TLA with some add-ons in
ables, and the node label represents the potential sets of
the module structure and in the constant and non constant + operators. To describe S-TLA , we concentrate only on the
ables) under which the node core is reached. The node la-
introduced modications as outlined hereinafter:
used in the Assumption Truth Maintenance System (ATMS
Module-Level constructs:
hypotheses (i.e., a valuation of the entire constrained varibel is represented and maintained in a way akin to the one [1]). Precisely, a node label is a set of environments, which
cvar1 , . . . , cvarn
cvariables
are sets of hypotheses.
Adds to the current module the declaration of con-
imal sets of hypotheses, while a straightforward reading of
strained variables.
the node label indicates the alternatives (hypotheses sets) under which a node is reachable.
Non constant S-TLA+ operators: h
Given a constrained variable : 00 [Denotes the value of
h
untouched
h
h
3.1
in the next state] 00 [Replace the expression = ]
h
h
Constant S-TLA+ operators: ∇
UF
to refer to its label in graph
G.
G , UF
The S-TLC and
UB . G
and
UB
are FIFO queues containing states whose suc-
cessors are not yet computed, respectively during forward
SpecExpl
and backward chaining phases. The S-TLC Model Checker works in three phases:
extends
Initialization phase:
G,
as well as
UF
and
UB
are cre-
ated and initialized respectively to empty set Ø and empty sequence
Init , (x = 0) ∧ (g = O) ∧ (h = O) A , (g ” = 1) ∧ (x 0 = x + 1) ∧ untouched h B , (h ” = 2) ∧ (x 0 = x − 1) ∧ untouched g C , (x 0 = x × 3) Next , A ∨ B ∨ C Evd , x = 2 Inc , (g = 1) ∧ (h = 2) Spec , Init ∧ 2[Next ]hx ,g ,h i ∧ nihx ,g ,h i (Next , Inc ) theorem
Label (G , t )
refers to the reachability directed graph under construction.
variable value, before a hypothesis is enunciated] module
Inferring scenarios with S-TLC Given a state t , we use tn to denote its corresponding node core, tc to describe its resulting environment, and algorithm employs three data structures
[A ctive value that represents the initial constrained
Naturals variables x cvariables h , g
The graph generated by S-TLC is
built by ensuring that a given node is reached under min-
hi.
During this step, each state satisfying the ini-
tial predicate
Init
is computed and then checked whether it
satises the invariant predicate it is appended to
G
Invariant .
with a pointer to the
On satisfaction,
null
state and a
label equal to the set of hypotheses relative to the current state. On failure, an error is generated. If the state does not satisfy the evidence predicate to the unseen queue
UF ,
minal state and appended to chaining.
it is attached
UB
to be retrieved in backward
:
All the scenarios that orig-
Forward chaining phase
Spec ⇒ 2(x ∈ Nat )
EvidenceState ,
otherwise it is considered as a ter-
inate from the set of initial system states are inferred in forward chaining. This involves the generation of new sets of hypotheses and evidences that are consequent to these
Figure 1: Standard form of a S-TLA+ specication
scenarios. During this phase and until the queue becomes empty, state
+ Figure 1 illustrates a typical S-TLA specication mod-
ule,
SpecExpl .
In the initial state there is no enunciated
O.
Action
is retrieved from the tail of
UF
and its suc-
t
sat-
isfying the predicate (specied to assert bounds on the set
g and h are both A, for instance, is true for a pair of states
hypotheses and the constrained variables equal to
s
cessor states are computed. For every successor state of reachable states)
Constraint , if the predicate Invariant
is
not satised, an error is generated and the algorithm termi-
289
t
nates, otherwise state 1. If
tn
is appended to
G,
does not exist in
G
4.
as follows:
a new node (set to
appended to the graph with a label equal to if satises predicate tached to
UF .
tn ) is tc and
gation on a public Web server that was found stopped providing its service. To deal with complex, unguessable, and
sn . State t is appended to UB EvidenceState , otherwise it is at-
a predecessor equal to
CASE STUDY
We propose the following case study which is an investi-
attack scenarios, where hackers may have altered any trace, we follow the approach used by [3]. We consider a hacking scenario as a combination of more generic and reusable fragments, which are basically described in advance without an
x in G that is equal to tn and whose label includes tc , then a conclusion could be made stating that node t was been added previously to G . In that case, a pointer is simply added from x to the predecessor state sn .
a priori knowledge about the whole hacking scenario that
2. If there exists a node
x
3. If there exists a node
in
G
that is equal to
tn ,
is looked for. This contributes to the creation of scenarios fragments progressively and allows security experts to in+ terfere eectively. Using S-TLA , we model every scenario fragment by an optional set of hypotheses underlying the scenario-fragment occurrence, a set of pre-conditions that must be satised, and a set of actions to achieve a sub-goal
but
tc , then the node label is updated as follows: First, tc is added to Label (G, x ). Second, any environment from Label (G, x ), which is a whose label does not include
of the whole scenario objective. For the sake of space, we + will only describe some parts of the S-TLA specication, deemed important.
superset of some other elements in this label, is deleted
tc
to ensure hypotheses minimality. Third, if
4.1
is still in
Label (G , t ) then x is pointed to the predecessor state sn and node t is appended to UB if it satises predicate EvidenceState . Otherwise, it is attached to UF .
Specification using S-TLA+
The available evidence is described with predicate uses function
running
Evd .
It
to state that there is no running Web
srvport described as a specication Evd , running [websrv ] 6= “web ”
service on the TCP port parameter.
The resulting graph is a set of scenarios that end in any state
+ Besides, S-TLA actions are used to specify hacking sce-
satisfying the predicate
nario fragments.
EvidenceState
and/or
Constraint .
produce states satisfying predicate
For readability reasons, we ignore those
that are not part of the whole expected scenarios.
Backward chaining phase: All the scenarios that could
EvidenceState , generated
1)
RmtUnprExploit :
If there is a web vulnerability that
in forward chaining, are constructed. During this phase and
directly grants an unprivileged system access and provided
until the queue becomes empty, the tail of
that there is a running web service, the user privilege
UB ,
described by
t , is retrieved and its predecessor states (ie, the set of states si such that (si , t ) satisfy action Next ) which are not terminal states and satisfy the predicate Invariant (States that don't satisfy predicate Invariant are discarded because state
rises from that
Constraint
appended to 1. If to
sn G
G
are computed.
Each computed state
G,
a new node (set to
sn )
sc .
a pointer is added from node appended to
x sc ,
2. If there is
UB .
in
G
appended to
to
that is equal to
sn
is
sn ,
tn
G.
s
UB .
and
s
∆ ∧ webvul " = rmtpr RmtPrExploit = ∧ ∃ x ∈ Ports : running [srvport ] = web ∧ pr = 0 ∧ pr 0 = 2 3) EscaladePr 1: hypothesizing that there is a local cong-
uration error in how local users are aected to groups. The
is
user privilege rises from
x
in
1
to
2
as the local conguration er-
ror is exploited.
∆ EscaladePr 1 = ∧ cferrorin " = usrgrpcfg ∧ pr = 1 ∧ pr 0 = 2 4) EscaladePr 2: Similar to the previous fragment, except
sn , but whose laLabel (G , t ) is updated as follows: Fist, sc is added to Label (G, x ). Second, any environment from Label (G, x ) which is a superset of
3. If there is
refers to the system administrator privilege.
as the vulnerability is exploited.
was been
sn
2
the user privilege to raise directly to the administrator's one
is
In that case a pointer is simply
to the predecessor state
lets a user
ability that directly grants a privileged access which leads
and whose label
s
1
pr
Note
ment, except that it assumes the existence of a web vulner-
Then,
and state
then it is stated that node
added previously to added from
tn
as the vulnerability is exploited.
∆ ∧ webvul " = rmtunpr RmtUnprExploit = ∧ ∃ x ∈ Ports : running [srvport ] = web ∧ pr = 0 ∧ pr 0 = 1 2) RmtPrExploit : This resembles to the previous frag-
is appended
with a label equal to the environment
1
means a restricted user privilege, while
Finally,
as follows:
is not in
includes
s
to
execute any command that the service is able to execute.
this step aims simply to generate additional explanations) and
0
0
G
that is equal to
bel doesn't include
sc ,
then
that the hypothesis concerning conguration error aects the running system update utility.
∆ EscaladePr 2 = ∧ cferrorin " = systemupdateutility ∧ pr = 1 ∧ pr 0 = 2 5) InstallBackdoor : Given no installed backdoor yet
some other elements in this label is deleted to ensure hypotheses minimality. Third, if in the label of state
x
predecessor state
and the node
x
sc
then the node
s
t
is still contained is pointed to the
is appended to
The outcome of the three phases is a graph
G
and
a provided administrator privilege, a unused port is chosen
UB .
at random and a∆shell is bound on it.
InstBackdoor
containing
the set of possible causes relative to the collected evidences. It embodies dierent initial system states apart from those described by the specication.
6)
290
= ∧ ∀ x ∈ Ports : running [x ] 6= shell ∧ pr = 2 ∧ ∃ x ∈ Ports \ {srvport } : running 0 = [running except ![x ] = shell ]
RemoveTelnetAuthentication :
Telnet service is recon-
gured to disable user authentication.
The result of this
operation is a shell bound to the same port.
The system
behaves thus like a backdoored system. Such action could be performed unless the current user is provided with an administrator privilege.
∆ RmTelnetAuth = ∧ pr = 2 ∧ ∃ x ∈ Ports : ∧ running [x ] = telnet ∧ running 0 = [running except ![x ] = shell ] 7) DoSWeb : Whenever the running user is equipped with
an administrative privilege, it could stop the web service, creating thus a denial of service state.
∆ DoSWeb = ∧ running [srvport ] 6= null ∧ pr = 2 ∧ running 0 = [running except ![srvport ] = null ] + An S-TLA inconsistency is specied by predicate Inc
to state that a system state should not be reached under a conjunct of two types of hypotheses:
a) there is a web
vulnerability and b) the system update utility is running. In fact, whenever a system update utility is running, it is unfeasible to have any persistent unxed vulnerability. ∆ Inc = ∧ cferrorin = systemupdateutility ∧ ∨ webvul = rmtpr ∨ webvul = rmtunpr
+
states. Two main drawbacks of such approach could be per-
section 2.2) where the initial system state is
ceived. First, the use of labels with model checking could be-
The system under investigation is specied by a S-TLA formula (c.f.
Figure 2: Scenarios generated in forward chaining
described by the predicate
Init
come painful as they may grow wider requiring thus a great
denoting a secure server pro-
amount of memory space to represent individual states. Sec-
viding only a web service, and where every permissible ac-
ondly, the use of backward chaining might aect consider-
tion is one among the seven specied scenario fragments, such that no inconsistency (as dened above) holds.
ably the system performance as this requires an additional + resources in interpreting the set of S-TLA actions back-
4.2
wards.
Automated investigation using S-TLC
rameters and
1,
PortNumber
and
srvport
respectively equal to
Nonetheless, it can be argued that the benets of
backward chaining are important in the sense that valuable
The execution of the described S-TLC algorithm with pa-
additional explanations could be generated.
2
until forward chaining (c.f. Figure 2) brings out two
dierent system states (the ones which are encircled) rep-
6.
resenting forensic evidences. The second state shows a new
[1] de Kleer, J. An assumption-based TMS.
Intelligence 28, 2 (1986), 127162.
additional evidence. It denotes an installed backdoor on another TCP port (precisely port number
2),
which provides
diagnosis for computer forensics. Tech. rep., The
under two possible set of hypotheses: 1) there is a remote
MITRE Corporation, 2001.
unprivileged vulnerability in the installed web service and a
[3] Keppens, J., and Zeleznikow, J. A model based
local conguration error in creating user groups and 2) there
reasoning approach for generating plausible crime
is a remote privileged vulnerability in the installed web serInconsistency is prevented from occurring, in fact action
EscaladePr 2 doesn't belong to the scenario since it contains
[4]
a hypothesis that is inconsistent with the one occurring in
RmtUnprExploit .
During backward chaining a new scenario is appended. It
[5]
states that the system is initially running telnet and web A hacker tries to get administrative privilege in
Addison-Wesley, 2002.
It introduces
[6] Shanmugasundaram, K., and Memon, N.
misleading system modications in the conguration of tel-
Automatic reassembly of document fragments via data
net service by removing the authentication phase, letting the
Proceeding of the Digital Forensics Research Workshop (2002). compression. In
system grant a shell to any connected user and thus behaves like a backdoored system.
5.
Proceedings of the 9th International Conference on Articial Intelligence and Law (2003). Lamport, L. The temporal logic of actions. ACM Transactions on Programming Languages and Systems 16, 3 (May 1994), 872923. + Language Lamport, L. Specifying Systems: The TLA and Tools for Hardware and Software Engineers. scenarios from evidence. In
vice.
the same way as in the previous scenarios.
Articial
[2] Elsaesser, C., and Tanner, M. C. Automated
a privileged shell on access. These evidences are generated
services.
REFERENCES
[7] Stallard, T., and Levitt, K. Automated analysis for digital forensic science: Semantic integrity checking.
CONCLUSION
Proceeding of the 19th Annual Computer Security Applications Conference (2003). In
We have proposed a novel formal logic-based language and + an automated verication tool, called S-TLA and S-TLC. + S-TLA uses a robust formalism that allows advancing hypotheses whenever there is some luck of details to demonstrate some part of an attack scenario. S-TLC presents efcient robustness in managing hypotheses and representing
291