Automated Game-Theoretic Verification of Security Systems

Abstract

Security-sensitive computerised communication systems are of increasing importance, however checking that they function correctly can be non-trivial. We propose automated verification techniques for the formal analysis of quantitative properties of such systems. Since communication networks typically require the collaboration of their participants to work effectively, we adopt a game-theoretic approach. Utility functions for each player, such as the degree of security offered and the communication costs incurred, are formally specified using quantitative temporal logics. Then, building upon probabilistic verification techniques for parametric Markov chains, we develop methods to identify Nash equilibria representing stable strategies for the participants. We implement our methods as an extension of the PRISM model checker, and illustrate their applicability by studying anonymity-cost trade-offs in the Crowds anonymity protocol.

The author thanks David Parker for many suggestions, help and insightful discussions. This work is supported in part by EPSRC (EP/K038575/1), and was partially performed when the author was at University of Birmingham.

Appendices

Appendix A: Sensitivity Study of the Reward Structures

Table 2. Sensitivity study of the reward structures to Nash equilibria (N.E.s) & utilities (\(N=4, N_h=3\))

Appendix B: The PRISM Model of Crowds Protocol

Fig. 3.

Model of Crowds with 2 honest players and 2 malicious player with \(PF=0.5\). For \(i \in \{1,2,3,4\}\), transition label \(r_i\) denotes relaying a message by player i; for \(i \in \{1,2\}\), \(s_i\) denotes sending a message by (honest) player i, \(c_i\) denotes the player i decide to be cooperative, \(n_i\) denotes the i choose to be selfish. Label init denotes randomly pick up an honest player as a initiator to send out a message. State labelled as \(i:(\mathtt{status, from, to, sender})\) implies state \((\mathtt{status, from, to, sender}) \in S_i\) for player \(i \in \{0,1,2,3,4\}\), player \(i=0\) is used to model a coordinator, where the \(\mathtt{status}=0,1,2,3,4,5\) denotes that the sender is randomly picked up, the message is sent, the player decides to be cooperative, the player decides to be selfish and the message is discarded, and the message reaches the destination respectively.

1. (1)

   Cost structures for honest players \(i=1,2\): assigns a cost of 1 and 2 to all transitions labelled with ‘\(s_1\)’ and ‘\(r_1\)’ to player 1 respectively; and assigns a cost of 2 and 3 to all transitions labelled with ‘\(s_2\)’ and ‘\(r_2\)’ to player 2 respectively.

2. (2)

   Property specification for honest players: the utility function of player i is defined as the probability of good behaviours/costs. We say a run is good if it reaches the destination without violating the anonymity properties.