
IERI Procedia 10 (2014) 160 - 168

2014 International Conference on Future Information Engineering

Formalization of Signaling System by Process Calculus

Yasuaki Ibayashi, Shin-ya Nishizaki*

Department of Computer Science, Tokyo Institute of Technology 2-12-1-W8-69, Ookayama,Meguro-ku, Tokyo 152-8552, Japan

Abstract

Software systems play an important role in social infrastructures, and in the public and private sectors, for example in core banking, enterprise resource planning systems, electronic medical record systems, telephone exchange systems, etc. In such fundamental systems, we desire not only correctness but also robustness. Formal methods, such as software verification, have focused on correctness rather than robustness. The Spice calculus, which was proposed by Nishizaki et al., is a process calculus which enables us to formalize and analyze the resistance of communication protocols against Denial-of-Service attacks. The key idea of the analysis is analyzing the costs of initiators and responders in communication protocols. In this paper, we extend the target area of systems to be analyzed by the Spice calculus and describe a new analysis methodology for distributed systems. We demonstrate analysis of a telephone exchange system as an example of our methodology. We set up ISUP of Signaling System No. 7 as a target and formalized a simple telephone network based on it in the framework of the Spice calculus. We then analyzed its connection establishment process and the computation cost consumed by the connection establishment.

© 2014 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).

Selection and peer review under responsibility of Information Engineering Research Institute.

Keywords: Process Calculus, Communication Protocol, Telephone Exchange System, Cost Analysis

* Corresponding author. Tel.: +81-3-5734-2772; fax: +81-3-5734-2772. E-mail address: nisizaki@cs.titech.ac.jp.

ISSN 2212-6678. doi:10.1016/j.ieri.2014.09.071

1. Introduction

Software systems play an important role in social infrastructures, and in the public and private sectors, for example in core banking, enterprise resource planning systems, electronic medical record systems, telephone exchange systems, etc. In such fundamental systems, we desire not only correctness with respect to specification requirements but also robustness to cope with unintended situations. Formal methods, such as software verification, have focused on correctness rather than robustness.

Many failures have occurred in such IT systems. For example, the core banking system of Mizuho Financial Group, which is the largest banking company in Japan, failed on March 14th 2011 and did not recover until the 23rd, owing to an overload caused by numerous payments of contributions for the Tohoku Earthquake [7]. Such lengthy failures of computer systems can be mitigated by improvements in system robustness.

Formal methods, such as software verification, have focused on correctness rather than robustness. Spice calculus [9], which was proposed by Nishizaki et al., is a process calculus which enables us to formalize and analyze the resistance of communication protocols against Denial-of-Service attacks, based on Milner's pi-calculus [6]. The key idea of the analysis is analyzing the costs of initiators and responders in communication protocols. Vulnerability to Denial-of-Service attacks is caused by a lack of balance between the cost borne by an initiator and that borne by a responder. Cost analysis is important not only for resistance against Denial-of-Service attacks but also for improving a system's robustness to withstand various unintended situations. In this paper, we therefore apply Spice calculus to the analysis of robustness of distributed systems. We conduct a case study using a telephone exchange system as an example.

2. Spice calculus

We introduce Spice calculus [9] in this section. In the calculus, there are two categories of expression: one is a set of terms and the other is a set of processes. A term denotes data and a process denotes a series of computational operations which can be executed concurrently. Terms of spice-calculus are defined inductively as follows:

M, N ::=
    x                    variable
    n                    integer
    (M1, ..., Mn)        pair

Processes of Spice calculus are defined inductively as follows:

P, Q ::=
    out M (N); P                         message sending
    inp M (x); P                         message receiving
    (P | Q)                              parallel composition
    stop                                 stopping
    end                                  termination
    store x = M; P                       memory allocation
    free x; P                            memory deallocation
    match M is N err {P}; Q              matching
    split [x1, ..., xn] is M err {P}; Q  pair decomposition
    (P + Q)                              selection

Message sending (out M (N); P) sends message N through the port M. Message receiving (inp M (x); P) receives a message through port M and binds it to the variable x. Parallel composition (P | Q) executes the processes P and Q in parallel. The stopping process stop means an intermediate status on the way to the termination process end. In our computational system, memory allocation and de-allocation are explicitly operated as the processes (store x = M; P) and (free x; P), respectively. Matching (match M is N err {P}; Q) is a conditional branch: if the values of M and N are equivalent, then Q is executed; otherwise, the error branch P is executed. Selection (P + Q) is a non-deterministic choice; either P or Q is executed non-deterministically.

The type system of Spice calculus is one of its distinctive features, and it enables us to specify the computational cost entailed by each computer node. For example, process (P1 | (Q | P2)) is of type A | (B | A), that is,

which describes that the processes P1 and P2 are executed on the computer node A and Q on B. Types of Spice calculus are defined as follows:

Operational semantics are given to the Spice calculus as transition relation between processes; a computational cost is attached to each step of the transition. For example,

This transition means that

• The processes P and Q are executed in parallel on nodes a and b respectively;

• The process (P | Q) makes a transition to (P' | Q');

• In this transition, matching and storing operations are done with two match-costs and one store-cost, respectively.

The transition relation is defined inductively by several rules (cf. [9]). The following is one of the reduction rules defining the intra-process computation:

If the costs for evaluating M and N are assumed to be c and d respectively, and M and N both evaluate to the same value V, then the expression is transited to Q and the computational cost of the transition is

(c+d+match).

The rule below is one of the reduction rules defining the inter-process computation:

This rule means that if the process expression (inp n (x); P) is executed on computer node a, then a memory cost store is charged for the variable x on a. The expression is transited to (x)P, which denotes an intermediate form waiting for the arrival of a message.

[Fig. 1: network topology PhoneA, SwitchA, SwitchB, PhoneB]

Fig. 1. Example of Switched Telephone Network

[Fig. 2: sequence diagram; message labels recovered from the figure: off-hook, dial tone, digits, iam, ring tone, no tone, off-hook, busy tone, on-hook]

Fig. 2. Inter-city Call

3. Formalization of a signaling system using spice calculus

3.1. Signaling System No. 7 and ISUP

In this section, we formalize a switched telephone network based on a telephony signaling protocol, Signaling System No. 7 (SS7)[3], using Spice calculus [9]. We focus on an example on a simple switched telephone network which consists of two switches and several telephones. Its network topology is shown in Fig. 1.

In SS7, the ISDN User Part (ISUP) defines the messages and protocol used in the establishment and tear-down of calls over the public switched network, and in managing the trunk network on which they rely. ISUP is depicted as a sequence diagram in Fig. 2. Terminal nodes PhoneA and PhoneB are connecting, and the intermediate switches SwitchA and SwitchB relay the connection. The control messages iam, acm, anm, rel, and rlc are defined in ISUP. The messages used are as follows.

• IAM (Initial address message), which is the first message sent to inform the partner switch that a call has to be established.

• ACM (Address complete message), which is returned from the terminating switch when the subscriber is reached.

• ANM (Answer message), which is sent when the subscriber picks up the phone.

• REL (Release), which is sent to clear the call when a subscriber goes on hook.

• RLC (Release completed), which is acknowledgement of the release.

The state transition diagram of Fig. 3 describes the behavior of a phone. The model of the phone receives the messages dialtone, ringtone, notone, busytone, and check. The former four messages represent notification of status from the partner switch, and the latter message gives confirmation of connectability. The model sends the messages offhook, onhook, and dial. The former two messages describe the signals that the handset has gone off-hook and on-hook, respectively. The latter message represents a dialing signal.

[Fig. 3: state transition diagram of the phone]

Fig. 3. Transition diagram of phone

3.2. Formalization of Phones and Switches in Spice Calculus

In Spice calculus, the behavior of phones (i.e. subscribers) and switches is formalized as processes. The behavior of a phone a with its partner switch A, which has a connection with phone b with its partner switch B, is described as Subscriber(a,A,B,b), which is divided into two sub-processes, Sender(a,A,B,b) and Receiver(a,A):

Receiver(a, A)
    = store port = localport(a, A); inp port (msg);
      match msg is "check" err {free msg, port; stop}; free msg; inp port (msg);
      match msg is "ringtone" err {free msg, port; stop}; free msg;
      ( inp port (msg); match msg is "notone" err {free msg, port; stop}; ...
      + out port ("offhook"); (out port ("onhook"); stop)
      + inp port (msg); match msg is "busytone" err {free msg, port}; free msg; out port ("onhook"); stop )

The ports which are used in the processes for communication are depicted in Figs. 4 and 5.

Fig. 4. Intermediate Ports (before establishing connection)

Fig. 5. Intermediate Ports (after establishing connection)


3.3. Cost Estimation by Spice Calculus

In this section, we show a cost analysis of a case in which a subscriber a with a partner switch A requests a connection to a subscriber b with a partner switch B. This is simpler than the situation mentioned in Figs. 4 and 5. Subscribers a1, a2 and a3 are simplified into only one subscriber a; b1, b2, and b3 are simplified into b. The behavior of this case is described as the following process.

By reducing the process describing the system, we can see not only the computational result but also the total cost.

→+ (...) | (inp remoteport (msg); ...)
       | (inp portb (msg); ...) | (out portb ("offhook"); ...)                         : {b · match}
→+ (...) | (inp remoteport (msg); ...)
       | (out portb ("anm"); ...) | (... session started ...)                          : {B · match}
→+ (inp porta (msg); ...) | (out porta ("notone"); ...)
       | (... session started ...) | (... session started ...)                          : {A · match}
→+ (... session started ...) | (... session started ...)
       | (... session started ...) | (... session started ...)                          : {a · match}

Summing up the costs attached to each transition step, we can see the total computation cost is as follows:

{ a · (store + makeport + 3 match), A · (2 store + 3 makeport + 7 match), B · (2 store + 2 makeport + 2 match), b · (store + makeport + 2 match) }
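To make the cost accounting of Sections 2 and 3.3 concrete, here is an added example, written for this edition and not code from the paper or from the Spice calculus authors. The four nodes of Fig. 1 run generator-based processes that yield Spice-style operations (store, makeport, match, free, out, inp); a small scheduler charges every store, makeport and match to the node that executes it and pairs out/inp on the same port as a synchronous rendezvous, so the result is a per-node cost vector of the form used above. The message sequence is a simplification of Fig. 2 and of the Receiver process; the port names porta, portb and remote, the treatment of localport as a makeport operation, the absence of a cost for free, and the exact set of messages each switch checks are assumptions made here. In this model the totals for a, b and B come out equal to the ones the paper lists; A comes out lower because the switch here checks fewer messages than the paper's formalization.

```python
"""Toy cost-accounting scheduler for a Spice-calculus-style model (added example,
not the paper's code).  Each process is a generator that yields an operation
tuple; the scheduler charges costs to the node (a, A, B, b) running it, using
the cost names the paper uses: store, makeport, match."""
from collections import defaultdict, deque


class Scheduler:
    def __init__(self):
        self.cost = defaultdict(lambda: defaultdict(int))   # node -> {cost name -> count}
        self.ready = deque()                                # (node, generator, value to send)
        self.senders = defaultdict(deque)                   # port -> (node, gen, msg) blocked on out
        self.receivers = defaultdict(deque)                 # port -> (node, gen) blocked on inp

    def spawn(self, node, gen):
        self.ready.append((node, gen, None))

    def run(self):
        """Run until no process is ready; return (costs per node, number of stuck processes)."""
        while self.ready:
            node, gen, value = self.ready.popleft()
            try:
                op = gen.send(value)
            except StopIteration:          # process reached end
                continue
            self._step(node, gen, op)
        stuck = (sum(len(q) for q in self.senders.values())
                 + sum(len(q) for q in self.receivers.values()))
        return {n: dict(c) for n, c in self.cost.items()}, stuck

    def _step(self, node, gen, op):
        kind = op[0]
        if kind == "store":                # store x = M; P
            self.cost[node]["store"] += 1
            self.ready.append((node, gen, None))
        elif kind == "makeport":           # localport(...) modelled as allocating a port name
            self.cost[node]["makeport"] += 1
            self.ready.append((node, gen, op[1]))
        elif kind == "match":              # match M is N err {P}; Q -> True means take Q
            self.cost[node]["match"] += 1
            self.ready.append((node, gen, op[1] == op[2]))
        elif kind == "free":               # free x; P  (no cost in this model: assumption)
            self.ready.append((node, gen, None))
        elif kind == "out":                # out port (msg); P  -> rendezvous with a waiting inp
            _, port, msg = op
            if self.receivers[port]:
                rnode, rgen = self.receivers[port].popleft()
                self.ready.append((rnode, rgen, msg))
                self.ready.append((node, gen, None))
            else:
                self.senders[port].append((node, gen, msg))
        elif kind == "inp":                # inp port (x); P  -> rendezvous with a waiting out
            _, port = op
            if self.senders[port]:
                snode, sgen, msg = self.senders[port].popleft()
                self.ready.append((snode, sgen, None))
                self.ready.append((node, gen, msg))
            else:
                self.receivers[port].append((node, gen))
        else:
            raise ValueError(f"unknown operation {kind}")


# A failed match is the err branch of the paper's processes ({free ...; stop}); here it is a `return`.
def caller(port):                           # subscriber a (Sender side, simplified from Fig. 2)
    port = yield ("makeport", port); yield ("store", "port")
    yield ("out", port, "offhook")
    msg = yield ("inp", port)
    if not (yield ("match", msg, "dialtone")): return
    yield ("free", "msg"); yield ("out", port, "digits")
    msg = yield ("inp", port)
    if not (yield ("match", msg, "ringtone")): return
    yield ("free", "msg")
    msg = yield ("inp", port)
    if not (yield ("match", msg, "notone")): return     # callee answered: session started


def switch_a(porta, remote):                # originating switch A
    porta = yield ("makeport", porta); yield ("store", "porta")
    msg = yield ("inp", porta)
    if not (yield ("match", msg, "offhook")): return
    yield ("out", porta, "dialtone")
    digits = yield ("inp", porta)
    remote = yield ("makeport", remote); yield ("store", "remote")
    yield ("out", remote, ("iam", digits))              # ISUP initial address message
    msg = yield ("inp", remote)
    if not (yield ("match", msg, "acm")): return
    yield ("out", porta, "ringtone")
    msg = yield ("inp", remote)
    if not (yield ("match", msg, "anm")): return
    yield ("out", porta, "notone")


def switch_b(remote, portb):                # terminating switch B
    remote = yield ("makeport", remote); yield ("store", "remote")
    msg = yield ("inp", remote)
    if not (yield ("match", msg[0], "iam")): return
    portb = yield ("makeport", portb); yield ("store", "portb")
    yield ("out", portb, "check"); yield ("out", remote, "acm"); yield ("out", portb, "ringtone")
    msg = yield ("inp", portb)
    if not (yield ("match", msg, "offhook")): return
    yield ("out", remote, "anm")


def callee(port):                           # Receiver(b, B) up to the point of answering
    port = yield ("makeport", port); yield ("store", "port")
    msg = yield ("inp", port)
    if not (yield ("match", msg, "check")): return
    yield ("free", "msg")
    msg = yield ("inp", port)
    if not (yield ("match", msg, "ringtone")): return
    yield ("free", "msg"); yield ("out", port, "offhook")


def simulate_call():
    """Run the call of Fig. 1/Fig. 2 on four nodes; return (per-node costs, stuck processes)."""
    s = Scheduler()
    s.spawn("a", caller("porta"));          s.spawn("A", switch_a("porta", "remote"))
    s.spawn("B", switch_b("remote", "portb")); s.spawn("b", callee("portb"))
    return s.run()


if __name__ == "__main__":
    costs, stuck = simulate_call()
    print(costs, "stuck processes:", stuck)
```

A stuck count greater than zero means some out or inp never found its partner, which is how a deadlock or a dropped message shows up in this model; the cost vector is what the balance argument of Section 1 is computed from, and comparing the initiator a's entry with the responders' shows directly where a cheap request forces expensive work.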

4. Related Works

Protocol verification has been studied for the last decade using several kinds of framework. For example, Bruns et al. [1] studied the MSMIE protocol, which allows processors in a distributed system to communicate via shared memory. They provided a formal model of the MSMIE protocol in Milner's CCS and analyzed the formal model using an automated verification tool, the Concurrency Workbench.

Quantitative analysis of communication and security protocols was studied not only by one of the authors [9] but also by Cervesato [2], whose approach enables evaluation of protocol resilience to various forms of denial of service, guessing attacks, and resource limitation using the MSR (Multi-Set Rewriting) specification language.

Liu et al. [5] formalized and verified, in the framework of colored Petri nets, the capability exchange signaling (CES) protocol, which is a sub-protocol of the H.245 control protocol for multimedia communication.

5. Conclusion

In this paper, we present a case study in which we formalize the connection establishment part of a communication protocol in practical use, Signaling System No. 7, using the Spice calculus proposed in previous work [9]. We analyze it from the quantitative viewpoint of computational cost. From this case study, we can see that the Spice calculus has enough expressive power to describe protocols of practically-used systems.

Analysis of communication protocols using the Spice calculus is too complicated to handle without automated software support. In our previous work [4], we proposed a method for symbolic analysis of a distributed system by means of numerical simulation. This is a promising research direction. Moreover, it is also necessary to extend the Spice calculus to improve its expressive power; for example, unifying the environment calculus [8] with the Spice calculus will give us more flexibility in network topology.

Acknowledgements

This work was supported by Grant-in-Aid for Scientific Research (C) (24500009).

References

[1] Bruns, G., Anderson, S.: The formalization and analysis of a communications protocol. Formal Aspects of Computing 6(1), 92–112 (1994).

[2] Cervesato, I.: Towards a Notion of Quantitative Security Analysis. In: D. Gollmann, F. Massacci, A. Yautsiukhin (eds.) Quality of Protection: Security Measurements and Metrics, QoP'05, pp. 131–144. Springer-Verlag Advances in Information Security 23 (2006).

[3] Dryburgh, L., Hewitt, J.: Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Services. Cisco Press (2004).

[4] Ikeda, R., Narita, K., Nishizaki, S.: Cooperation of model checking and network simulation of cost analyses of distributed systems. International Journal of Computers and Applications 33(4) (2011).

[5] Liu, L., Billington, J.: Verification of the capability exchange signaling protocol. International Journal on Software Tools for Technology Transfer 9(3–4), 305–326 (2007).

[6] Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, part I and part II. Information and Computation 100(1), 1–77 (1992).

[7] Mizuho Financial Group: Causes and Plans for Improvements and Counter-Measures based on the Recent Computer System Failures (2011). http://www.mizuho-fg.co.jp/english/csr/mizuhocsr/calendar/2010/highlight_system/plan.html

[8] Nishizaki, S.: Polymorphic environment calculus and its type inference algorithm. Higher-Order and Symbolic Computation, Kluwer 13(3), 239–278 (2000).

[9] Tomioka, D., Nishizaki, S., Ikeda, R.: A cost estimation calculus for analyzing the resistance to denial-of-service attack. In: Software Security: Theories and Systems, Lecture Notes in Computer Science, vol. 3233, pp. 25–44. Springer Berlin Heidelberg (2004).
