Aaron Hunter

Iterated belief change due to actions and observations

In action domains where agents may have erroneous beliefs, reasoning about the effects of actions involves reasoning about belief change. In this paper, we use a transition system approach to reason about the evolution of an agents beliefs as actions are executed. Some actions cause an agent to perform belief revision while others cause an agent to perform belief update, but the interaction between revision and update can be nonelementary. We present a set of rationality properties describing the interaction between revision and update, and we introduce a new class of belief change operators for reasoning about alternating sequences of revisions and updates. Our belief change operators can be characterized in terms of a natural shifting operation on total pre-orderings over interpretations. We compare our approach with related work on iterated belief change due to action, and we conclude with some directions for future research.

Protocol Verification in a Theory of Action

Cryptographic protocols are usually specified in an informal language, with crucial elements of the protocol left implicit. We suggest that this is one reason that such protocols are difficult to analyse, and are subject to subtle and nonintuitive attacks. We present an approach for formalising and analysing cryptographic protocols in the situation calculus, in which all aspects of a protocol must be explicitly specified. We provide a declarative specification of underlying assumptions and capabilities, such that a protocol is translated into a sequence of actions to be executed by the principals, and a successful attack is an executable plan by an intruder that compromises the goal of the protocol. Our prototype verification software takes a protocol specification, translates it into a high-level situation calculus (Golog) program, and outputs any attacks that can be found. We describe the structure and operation of our prototype software, and discuss performance issues.

A General Approach to the Verification of Cryptographic Protocols Using Answer Set Programming

We introduce a general approach to cryptographic protocol verification based on answer set programming. In our approach, cryptographic protocols are represented as extended logic programs where the answer sets correspond to traces of protocol runs. Using queries, we can find attacks on a protocol by finding the answer sets for the corresponding logic program. Our encoding is modular, with different modules representing the message passing environment, the protocol structure and the intruder model. We can easily tailor each module to suit a specific application, while keeping the rest of the encoding constant. As such, our approach is more flexible and elaboration tolerant than related formalizations. The present system is intended as a first step towards the development of a compiler from protocol specifications to executable programs; such a compiler would make verification a completely automated process. This work is also part of a larger project in which we are exploring the advantages of explicit, declarative representations of protocol verification problems.

Spectrum hierarchies and subdiagonal functions

The spectrum of a first-order sentence is the set of cardinalities of its finite models. Relatively little is known about the subclasses of spectra that are obtained by looking only at sentences with a specific signature. In this paper, we study natural subclasses of spectra and their closure properties under simple subdiagonal functions. We show that many natural closure properties turn out to be equivalent to the collapse of potential spectrum hierarchies. We prove all of our results using explicit transformations on first-order structures.

On the representation and verification of cryptographic protocols in a theory of action

Cryptographic protocols are usually specified in an informal, ad hoc language, with crucial elements, such as the protocol goal, left implicit. We suggest that this is one reason that such protocols are difficult to analyse, and are subject to subtle and nonintuitive attacks. We present an approach for formalising and analysing cryptographic protocols in a theory of action, specifically the situation calculus. Our thesis is that all aspects of a protocol must be explicitly specified. We provide a declarative specification of underlying assumptions and capabilities in the situation calculus. A protocol is translated into a sequence of actions to be executed by the principals, and a successful attack is an executable plan by an intruder that compromises the specified goal. Our prototype verification software takes a protocol specification, translates it into a high-level situation calculus (Golog) program, and outputs any attacks that can be found. We describe the structure and operation of our prototype software, and discuss performance issues.

Belief Change and Non-deterministic Actions

Belief change refers to the process in which an agent incorporates new information together with some pre-existing set of beliefs. We are interested in the situation where an agent must incorporate new information after the execution of actions with non-deterministic effects. In this case, the observation plays two distinct roles. First, it provides information about the current state of the world. Second, it provides information about the outcomes of any actions that have previously occurred. While the literature on belief change has extensively explored the former, we suggest that existing approaches to belief change have not explicitly considered how an agent uses observed information to determine the effects of non-deterministic actions. In this paper, we propose an approach in which action effects simply progress the agent’s underlying plausibility ordering over possible states. In the case of non-deterministic actions, new possible world trajectories are created and then subsequently dismissed as dictated by observations.

Belief Manipulation: A Formal Model of Deceit in Message Passing Systems

A dishonest participant in a message exchange is often interested in trying to convince others to hold particular, erroneous beliefs. While the study of belief change has a long history, to date there has not been a great deal of interest in modelling the conscious manipulation of others beliefs. In this paper, we introduce a formal definition of a belief manipulation problem. The definition relies on well-known concepts from Artificial Intelligence and the theory of belief change, and it is highly amenable to implementation using existing tools. We discuss applications of belief manipulation in two important domains: cryptographic protocol verification and Smart Grid security. In each of these domains, it is clear that many security problems can be abstracted and analyzed in terms of formal belief manipulation problems. The focus of this paper is on introducing a new problem of general interest in Security, and taking the first steps towards practical application.

Dissecting the Meaning of an Encrypted Message: An Approach to Discovering the Goals of an Adversary

Secure communication over a hostile network typically involves the use of cryptographic protocols that specify the precise order in which messages should be exchanged to achieve communicative goals. There has been a great deal of literature on the formal verification of cryptographic protocols, where the emphasis is on finding attacks that compromise the security of a given protocol. However, in the context of intelligence analysis, simply determining if an attack exists is not sufficient. Even in the absence of a known security flaw, we are still interested in monitoring communication and determining the goals of individuals that attempt to manipulate a protocol. By monitoring communication at this level, we are able to predict future attacks, deny service to offending parties, and determine which pieces of information are desirable to intruders on a particular network. In order to discern the goals of an intruder, we need to understand what an agent is attempting to achieve by sending a given message. In the context of cryptographic protocols, it is particularly important to understand what an agent is attempting to achieve by encrypting a specific message with a specific key. In this paper, we study the meaning of encrypted messages using tools imported from discourse analysis and Computational Intelligence. We demonstrate that explicitly specifying the communicative acts performed by encrypted messages allows us to uncover the goals of an intruder. The utility of this information is discussed.

Security and trust for surveillance cameras

We address security and trust in the context of a commercial IP camera. We take a hands-on approach, as we not only define abstract vulnerabilities, but we actually implement the attacks on a real camera. We then discuss the nature of the attacks and the root cause; we propose a formal model of trust that can be used to address the vulnerabilities by explicitly constraining compositionality for trust relationships.

Exploiting known vulnerabilities of a smart thermostat

We address security vulnerabilities for a smart thermostat. As this kind of smart appliance is adopted in homes around the world, every user will be opening up a new avenue for cyber attack. Since these devices have known vulnerabilities and they are being managed by non-technical users, we anticipate that smart thermostats are likely to be targetted by unsophisticated attackers relying on publicly available exploits to take advantage of weakly protected devices. As such, in this paper, we take the role of a ‘script kiddy’ and we assess the security of a smart thermostat by using Internet resources for attacks at both the physical level and the network level. We demonstrate that such attacks are unlikely to be effective without some additional social engineering to obtain user credentials. Moreover, we suggest that the vulnerability to attack can be further minimized by simply reducing the use of remote storage where possible.