Dialects for CoAP-like Messaging Protocols

The Constrained Application Protocol (CoAP) [9, 4] is an HTTP-like client-server Protocol for use by resource-constrained devices (e.g. low power) and networks (low bandwidth, lossy). CoAP provides a request/response RESTFUL interaction model between application endpoints. Servers hold resources that can be generated, updated, accessed by clients. An endpoint can be a client, a server, or both. A design goal is to keep message overhead small, to limit need for fragmentation. Note that server resources may be connected to actuators having effects on the environment.

CoAP features include UDP binding (reliability supported at the protocol level by a retry mechanism) and asynchronous two-way message exchange. A binding to Datagram Transport Layer Security (DTLS) provides security, but with substantial overhead. Expected applications include: smart buildings, instrumented infrastructure, medical devices, etc.

RFC7252 specifies a binary format for CoAP messages. Here we present an abstract data-type view. A CoAP message consists of four parts: Header, Token, Options, and Payload. The header has four parts: Version, Type, Code, and MsgId (we will ignore the version).

The header type is one of {CON, NON, ACK, RST}. A message of type CON is confirmable. The receiver must acknowledge with a message of type ACK, in addition to a response if appropriate. The sender should resend a CON message if no ACK is received within ACK-TIMEOUT time. There is a bound on the number of resends (a configuration parameter). A message of type NON is non-confirmable. If received it may require that a response is sent, but no separate acknowledgment is sent. A message of type RST is a reset message, used to indicate receipt of message that can’t be handled, also use as a kind of ping.

Code is an HTTP like code that determines if the message is a request or response. In the case of a request the code also determines the method–one of GET,POST,PUT,DELETE. In the case of a response, the code determines if the result is a success (with value in the payload), a client error, or a server error.

The MsgId header element is a string that uniquely identifies the message (among messages from the sender). It is used to match acknowledgements to CON messages. It also is used to provide limited replay protection. Message identifiers have a limited lifetime (a configuration parameter) after which they can be reused.

The token message component is a unique identifier generated by a requestor to match request to response. Options is a list of name-value pairs used to specify additional information, including: content-format, request Uri, and response Uri (of a created resource). Payload contains additional request information (for example the value to PUT) or response value (for example the result of a GET).

The rules for handling requests with a given method are similar to those for HTTP. A response can be piggy backed on the acknowledgement of a CON request. A separate response can be of type CON or NON. Servers are required to respond to legitimate requests, but they should only process a request once. Thus if a confirmable request is resent, for example because the acknowledgement was lost or delayed, the server may just resend the ACK or it may resend the actual response, but it should not repeat the actions needed to carry out the response.

A protocol dialect is a variation on protocol messages intended as a light weight mechanism to provide some additional security properties such as forms of authentication or message integrity.

A dialect uses a family of lingos to transform protocol messages. A lingo provides a pair of functions that are inverse of one another, possibly modulo parameters. Dialects provide moving target defense in the sense that lingo parameters and choice of lingo change over time in a dialect specified manner. This means weaker forms of message transformation can be used, because even if a message transformation is determined, it doesn’t help as that transformation will not be used on later messages. It also means that honest participants must synchronize on the choice of lingo and lingo parameters.

A typical application of dialects is to networks where at least some nodes are resource limited devices. An example would be smart infrastructure with sensors and actuators running on battery power, and with limited memory and cpu capability. Thus a dialect should not require substantial resources. In addition to providing new security properties, a dialect should preserve important properties of the underlying protocol. The protocol may be running on a network with limited bandwith, thus a dialect should not generate significant additional traffic, and should not significantly increase message size.

The following are some examples of dialects and their application. Dialects to improve SDN (Software defined network) security are defined and evaluated in [10, 11]. Two transformations based on HMAC over the message data are proposed. One places the HMAC in the session id slot. This limits the HMAC size and thus the hash key is changed every second. For messages that use this slot, a 512-bit HMAC tag is appended to data packets. Sequence numbers are included in the hashed content to prevent replay. Keys are generated from pre-shared symmetric keys, delivered out-of-band. Dialects are implemented using proxies inserted into the communication path to carry out the message transformations. One goal is to protect against TLS downgrade attacks by providing authentication for initial TLS communications.

Dialects for FTP and MQTT protocols using bit shuffling or packet splitting are studied in [3]. A self-synchronization mechanisms is propsed. In [5] the authors propose a Deep Neural Network mechanism for synchronization. A dialect is implemented by (conceptually) inserting a separate process between the protocol and the network.

Dialecting is proposed in [8] to mitigate known exploitable vulnerabilities in IoT devices deployed in large numbers thus enabling massive attacks. The idea is to transform functions that construct and parse message data structures to construct and parse mutated data structures. The message constructor/parser functions are identified automatically and message mutations are typically per message field. Specific mutations are designed using testing. Dialects are implemented by modifying the identified message constructor and parser functions of the protocol implementation. The method is evaluated on implementations of MQTT, LwM2M, and DDS. In the experiments, the mutations successfully blocked reproducible attacks corresponding to a selected set of CVEs reported for the protocols

The above works propose dialects and evaluate them experimentally. In [2] a formal framework for specifying and applying dialects is proposed. The ideas are illustrated using the MQTT protocol. This work and its relation to the current work is discussed in detail in section 9.

Rewriting logic [6] is a logic for specifying concurrent and distributed systems. A rewrite theory has the form $(\Sigma,\mathcal{E},\mathcal{R})$ where $\Sigma$ is a signature specifying a partial order of sorts, and a set of operators (the name, argument sorts and result sort). $(\Sigma,\mathcal{E})$ is the equational sub-theory, where the equations $\mathcal{E}$ define functions and properties declared in the signature. $\mathcal{R}$ is the set of rewrite rules of the form $l:lhs\Longrightarrow rhs~{}~{}\mathit{if}~{}c.$ Here $lhs,rhs$ are terms, possibly with variables, and $c$ is a boolean term, the condition, which is optional. An important feature of rewriting logic is that rules are applied locally, i.e. to matching sub-terms of the term being rewritten. Given terms (of the language given by $\Sigma$) $t$, $t^{\prime}$ we have $t\Longrightarrow t^{\prime}$ ($t$ rewrites to $t^{\prime}$) using rule $l$ just if there is a position $p$ of $t$ and a substitution $\sigma$ matching $lhs$ to the subterm of $t$ at $p$ ($\sigma(lhs)=_{\mathcal{E}}t\downarrow p$) such that $\sigma(c)$ holds and $t^{\prime}$ is the result of replacing the subterm of $t$ at $p$ by $\sigma(rhs)$.

Maude [1] is a language and tool implementing rewriting logic. Maude can be downloaded from the Maude website [12]. Rewrite theories are represented by Maude modules. Functional modules (declared using the keyword fmod at the beginning and endfm at the end) represent equational theories (with no rules). System modules (declared using the keyword mod at the beginning and endm at the end) represent rewrite theories with rules. We introduce the main Maude syntax elements with examples from the CoAP specification (discussed in detail in Section 3). Sorts and their ordering are declared using the keywords sort and subsort. For example, the following declares two sorts Msg (the message sort) and MsgS (multisets of messages) with Msg (singleton sets) being a subsort of MsgS.

    sort Msg MsgS .
    subsort Msg < MsgS .

Example initial configurations and properties for our CoAP specification are defined in section 3 and reachability analysis experiments for different attack models are given in Sections 5 and Appendix 0.B.

Five rules are used to specify CoAP executions. The rules labelled devsend and rcv specify transmission and receipt of messages by an endpoint. The rule labelled ackTimeout specifies when a confirmable message is resent. The rule labelled net specifies the network action of moving a delayed message from the input side to the output side. Finally, the rule labelled tick specifies the passing of time. Rules devsend, rcv and ackTimeout operate on sub-configurations consisting of an endpoint and the network, the rule net simply transforms the network configuration element, while tick rule requires the full system configuration {conf}, formed by encapsulating a configuration term in curly braces. The net rule was discussed in Section 2.3. The remaining rules are discussed in the remainder of this (sub)section.

Our specification of attacks against CoAP messaging consists of a specification of attack capabilities (sort Cap), a function doAttack, an attacker agent, and a rule for executing attacks, that invokes doAttack on a target message using an available capability. Attack models resulting from different choices of capability sets, and corresponding doAttack clauses, are discussed in Section 4. We note that the usual symbolic model matching patterns representing attacker ability to construct messages doesn’t work because there is no a priori expectation of what messages are expected.

A scenario is specified by an intial system configuration. This together with the CoAP rewrite theory determines a set of execution traces and the reachable states of the scenario. To support systematic testing of CoAP messaging and analysis of attacks we defined two functions to generate initial configurations for scenarios tCS2C (test Client Server 2 endpoints) and tCS3C (test Client Server 3 endpoints). These are used in the experiments validating the vulnerabilities discussed in [4], described in Appendix 0.B. They were also used in experiments testing various CoAP messaging patterns and effects of dialecting.

In addition to having an empty network, initial configurations are characterized by the initial attributes of the endpoints. The function initDevAttrs defines the initial values of attributes that are the same for all endpoints in the scenarios considered. It has two arguments that are passed on to the function mkCoapConf the defines global configuration parameters

    op mkInitDevAttrs : Nat Nat -> Attrs .
    eq mkInitDevAttrs(mqd:Nat,w4ab:Nat) =
      w4Ack(mtDM)
      w4Rsp(mtM)
      rspSntD(mtDM)
      rspRcd(mtM)
      ctr(0)
      config(mkCoapConf(mqd:Nat,w4ab:Nat)) .
 

To illustrate the use of the CoAP specification, and introduce some of the attacks of interest we define some small scenarios and show how to search for attacks. Attack models are discussed in more detail and formalized in Section 4.

Consider a scenario with client, "dev0", that requests server, "dev1", to unlock (PUTCDU), then lock the door (PUTCDL). In between the resource "sig" is set to "go" (PUTNSG). After a normal execution of this protocol, the door is locked at the end.

      dev0           dev1
      ----           lock
       o --PUTCDU-->  o
       o <--ack --    o
       o <--2.04--    o
       o --PUTNSG-->  o
       o <--2.01--    o
       o --PUTCDL-->  o
       o <--ack --    o
       O <--2.04--    o

We use the function tCS and the application message constructors described above to create the initial configuration for this scenario:

    iSys0 = {tCS(mkPutC("putCDU","dev1","door","unlock") ;
                 mkPutN("putNSG","dev1","sig","go") ;
                 mkPutC("putCDL","dev1","door","lock"),
                 rb("door","lock"),mtC)} .

    search [1] iSys0 =>! {c:Conf} such that
       checkRsrc(c:Conf,"dev1","door","unlock") .

    iSys1 = {tCS(mkPutC("putNDU","dev1","door","unlock") ;
                 mkPutN("putNSG","dev1","sig","go") ;
                 mkPutC("putNDL","dev1","door","lock"),
            rb("door","lock"),drop)}

There is no solution because even if the attacker drops the lock request, since the request is confirmable, the client will retry. If the attacker can drop two messages then it can force termination with the door unlocked [not shown].

Suppose the attacker can replay a message (i.e. make a copy and delay it) as in scenario iSys2.

    iSys2 = {tCS(mkPutC("putNDU","dev1","door","unlock") ;
                 mkPutN("putNSG","dev1","sig","go") ;
                 mkPutC("putNDL","dev1","door","lock"),
              rb("door","lock"),replay(10))}

Now, consider a situation where there are two servers ("dev1" and "dev2") with door resources. The client wants the state of the door at "dev1". Can the attacker reroute the "GET" request so that the client receives the state of the door at "dev2" instead?

      dev0         eve           dev1        dev2
      ----         ---          unlock       lock
       o -GETN(1)-> @ [-GETN(1)->] ?
       |            o               -GETN(2)->o
       | <-lock(1)- @ <---lock(2)--            o
       |          [<--unlock(1)--] o
       o <-oneof{lock,unlock}-

Suppose the attacker can not change messages in transit, but can make and edit copies. This is modelled by setting the flag in the capabilities to false, as in the scenario iSys3r.

    iSys3r = tCSS(mkGetN("getN","dev1" ,"door"),
                  rb("door","unlock"),rb("door","lock"),
                  mc("dev1","dev0",false,act("dev2","dev0",0))
                  mc("dev0","dev2",false,act("dev0","dev1",0))) .

    search iSys3r =>! {c:Conf} such that
        checkRsrc(c:Conf,"dev1","door","unlock") and
        hasGetRsp(c:Conf,"dev0","dev1","getN","lock") .

A simple active attacker (A0) has a finite set of single actions from the capability set $\mathtt{CapsA0}=\{\mathtt{drop},\mathtt{delay(n)}\}$, where drop (also called block) prevents a message from being delivered, and delay(n) delays delivery of a message by $n$ time units. $\mathtt{CapsA1}$ extends $\mathtt{CapsA1}$ with two additional capabilities $\{\mathtt{replay(n)},\mathtt{reroute(tpat,spat,n)}\}$. Applying replay(n) makes a copy of the message and transmits it with $n$ added to its delay, while reroute(tpat,spat,n) modifies the message target and source according to tpat and spat respectively and adds $n$ to the delay. The pattern tpat is either a wild card (the empty identifier) which leaves the target unchanged, or a specific endpoint identifier that replaces the original. Similarly for the action of spat on the message source.

Informally, these attack capacities can be used to achieve the following basic effects on CoAP messaging.

• •

  drop can be used to prevent a request (for some action) from being received, or to prevent a response to some request. In the response case this leaves the client is a state of not knowing the requested data value, or if the requested action happened. Note that due to CoAPs reliability mechanism, if the target message is confirmable, the drop attack will need to be applied to all retries to succeed.

• •

  The delay of a request, say DM1 from a sequence DM1 ... DM2 until after DM2 can undo the effect of DM2 (door unlock after door lock), or could cause DM2 to happen in the wrong context, for example without lights turned on.

• •

  The delay of a response, say to DM1 delivered as response to a later (blocked) request DM2 could cause the requesting client to receive out-of-date data, or to think the action requested by DM2 happened, when only the action of DM1 happened. If DM1, DM2 are GET requests for different resources, say r1 and r2, the client may interpret the response received as the value of r2 when it is the value of r1. We note that this only happens with weak implementation of the token mechanism used to link requests and responses.

• •

  Rerouting a request from ep0 to ep1 to a request from ep0 to ep2 and (un)rerouting the response from ep2 to be from ep1 causes the client ep0 to interpret the response as the value of requested resource at ep1 when it is the value at ep2.

A reactive attacker can not modify or block a message in transit. It can see/copy a message, change the source/target or the delay amount and transmit the result.

A simple reactive attacker has capabilities in the set $\mathtt{CapsR0}$ that allows the attacker to make (and edit) one copy of a target message. A given attacker instance is limited to a finite number of attack attempts.

We also consider a multi action reactive attacker, with capabilities in the set $\mathtt{CapsR1}$. Using a multi-action, an attacker can make multiple copies per message, optionally adding to the delay and/or modifying the message source or target. We allow the attacker to restrict attention to a given target-source pattern. This mainly improves the attacker efficiency (reduces the search space) but adds no power at the granularity we consider. As for the simple reactive attacker, each attacker instance is limited to a finite set of multi-action capabilities. In a little more detail a multi-action capability consists of a condition match(tpat,spat) constraining the set of messages to be attacked, and a finite set of attack actions act(tpat,spat,n). As before, (tpat,spat) can be wild cards (represented by the empty string) or specific endpoint identifiers. In the match case a wild card matches any identifier, while specific identifiers require equality to match. In the case of act, a wild card means the corresponding target or source is not changed, while a specific identifier causes the corresponding target or source to be replaced by the pattern element. The copy is further delayed by the amount given by the number $n$.

The simple reactive attacker is a special case of the multi-action reactive attacker, where the condition is restricted to match("","") and the capset applied to a message is a singleton. Although a reactive attacker can’t block or delay messages in transit, many of the active attack effects can be achieved.

Here are examples of what a reactive attacker can do.

• •

  R1. Undo/revert an action. Suppose messages M1, M2 PUT different values for the same resource. The attacker copies M1 and sends the copy with sufficient delay to arrive after M2, thus overriding the effect of M2. This emulates some of the reordering capability of the active attacker, leaving the resource in a state other that what the client planned. It could for example leave a process running that should have stopped. If the client then starts a process by PUTting a different resource in the state "on" after sending M2, the new process may run in an unexpected context.

• •

  R2. Violate ordering or concurrency constraints. The attacker observes a message M1 from ep0 to ep1. It makes copies redirected to ep2 (ep3 …). A compliant CoAP endpoint ep0 will ignore responses from ep2 (ep3 …). But in the case of requests causing actions, there will be unexpected actions. For example, if ep0 is activating ep1, ep2, …, in sequence then ep2, …, will be acting out of sequence, concurrently with ep1, which could lead to undesired consequences.

• •

  R3. Duplication of a process. Suppose as above ep0 is coordinating a process by activating ep1, …, epk in sequence, using messages M1, …, Mk. Suppose also that ep0x, ep1x, …, epkx are a functionally equivalent set of endpoints, say in a different location. Then the attacker can copy each message and redirect to ep1x, …epkx.

• •

  R4. Spoofing (Redirect GET request/response). The attacker observes a message M1 from ep0 to ep1. It makes a copy redirected to ep2. A compliant CoAP endpoint will reject the response from ep2 (wrong server). If the attacker also makes a copy of the response, rerouting it to appear to be from ep1 then ep0 will accept which ever response arrives first. If M1 is a GET request, then the client may receive the wrong value for the requested resource.

R1 only needs one capability instance with one action. R2 only needs one capability instance but with 2 or more actions. R3, R4 need multiple capability instances, each one needs only a single action.

There are additional, stronger, attack models that could be considered in the future. One is a reactive attacker with memory. Here the attacker sees all messages and can remember some. Then at some point the attacker can make edited copies of some of the messages in its knowledge base and transmit them, for example to rerun an application sequence either with the original set of endpoints at a later time, or a separate set (with the same behavior) at some point. The attacker may use observation of a message occurrence to trigger actions, or time elapse.

A creative reactive attacker can additionally create new messages and receive responses, i.e. becoming a rogue endpoint.

As part of the CoAP specification, we specified a general attack framework where an attacker is endowed with a finite set of capabilities. In this section we specify specific capabilities corresponding to the active and reactive attack models discussed above. We define capability constructors and define their semantics by giving equations for the doAttack function for each capability. Different models are obtained by constraining the capability attribute of the attacker agent.

We define a generic capability construction, mc(tpat,spat,active?,acaps). tpat,spat are target, source patterns used to restrict the set of messages to be ‘attacked’. acapsis a possibly empty set of actions. Each action, act(tpat1,spat1,d), causes a copy of the matched message to be made, transformed, and transmitted. tpat1,spat1 are target, source patterns used to determine he target and source of the transformed message. If a pattern is "" the original target or source is used, otherwise the pattern string is used. The delay d is added to the delay of the original message. If the boolean active? is true, this is an active capability, and the original message is removed from the network, only the copies generated by the actions are transmitted. If active? is false the capability is reactive and the original message is left in the network to be transmitted as usual. This is formalized by the following definitions.

    ****      tpat   spat  delay
    op act : String String Nat -> Cap .
    ****     tpat  spat  active? actions
    op mc : String String Bool Caps -> Cap .

The function doAttack defines the semantics of each attack capability. It is given the attack agent attributes, including its knowledge base of messages seen, the attack target message, dmsg, and a multi capability. If the target message matches the selection pattern (using pmatch) then the toSend attribute is computed and returned along with the knowledge base with the attacked message added. The toSend attribute includes the attacked message iff the flag b is false. It also includes the results of applyCaps(dmsg,acaps,mtDM), that gives the semantics of each action.

The function applyCaps makes a transformed copy of the attacked message for each action in acaps. The transformation sets the message target and source according to the action patterns, and increments the delay,

**** multi cap attack
    op applyCaps : DMsg Caps DMsgS -> DMsgS .
    eq applyCaps(dmsg,mtC,dmsgs) = dmsgs .
    eq applyCaps(msg @ n,act(tpat,spat,n0) acaps,dmsgs) =
          applyCaps(msg @ n,acaps, dmsgs
          (setTgtSrc(msg,tpat,spat) @ (n + n0)) ) .

For early experiments and readability we defined a number of specific (active) attack capacities. We list them here with their definitions as instances of the mc construction.

• •

  drop = mc("","",true,mtC) — drop the target message

• •

  delay(n) = mc("","",true,act("","",n)) — add n to the target message delay

• •

  divert(dst0,dst1) = mc(dst0,"",true,act(dst1,"")) — reroute a target message with destination dst0 to dst1

• •

  undivert(src0,src1) = mc("",src0,true,act("",src1,0)) — make a target message from src0 appear to be from src1

• •

  replay(n)= mc("","",false,act("","",n)) — replay the target message after delay n (the original message is delivered as expected)

.

The R1 scenario is a variant of the attacks on CoAP vulnerabilities Figures 3,4,5,6 (see Section 0.B). The basic requirement is that the door remains unlocked. The attacker aims for the door to be locked at the end, or before the optional signal message.

        dev0        eve        dev1
        ----        ---        unlock
         o -PUTNDL-> ----------->
                    @ act("","",5/10)
         o <-------  <-2.04--    o
          ....
         o -PUTNDU-> ----------> o
         o <-------  <-2.04--    o
                    --- PUTNDL-> o  --- attack
    optional
         o -PUTNSO->  ------>    o
         o <-------  <-2.01--    o

The function raR1 generates instances of this scenario. It is parameterized by the delay between application message sends (mqd:Nat), the bound on pending acknowledgements that blocks sending an application message (w4b:Nat), the delay to be added to an replayed message (d:Nat), and a boolean (nso:Bool) specifying whether the optional "signal" message should be sent.

    op raR1 : Nat Nat Nat Bool -> Conf .
    eq raR1(mqd:Nat,w4b:Nat,d:Nat,nso:Bool) =
     tCS2C(0,0,mkPutN("putNDL","dev1","door","lock") ;
               mkPutN("putNDU","dev1","door","unlock") ;
             (if nso:Bool
              then mkPutN("putNS","dev1","signal","on")
              else nilAM fi) ,
              mtR,mqd:Nat,w4b:Nat,
          1,1,nilAM,rb("door","unlock")rb("sig","off"),2,0,
          mc("dev1","dev0",false, act("","",d:Nat))) .

In this example, a sequence of $n$ tasks is to be executed one after the other. The protocol consists of a controller (client endpoint) and n servers that execute the tasks. A task is initiated when the server receives a PUT "sig" "on" request and terminates when he server receives a PUT "sig" "off" request.

    dev0        eve        dev1  ... devk
    ----        ---        off
     o -PUTNon  ----------> o
                 @(cc dev2)> ----->
     o <-------  <-2.04--   o
     ...
     o -PUTNoff  ----------> o
     o <-------  <-2.04--    o
      ....
      ....
     o -PUTNon-> ---------->         o
     o <-------  <-2.04---------     o
     o -PUTNoff-> -----------------> o
     o <-------  <-2.04---------     o

We consider three levels of attacker capability. Level $j$ (caps-j) looks for messages from "dev0" to "dev1" and immediately (additional delay 0) sends a copy to "dev2" … "dev1+j".

    ops caps-1 caps-2 caps-3 : -> Caps .
    eq caps-1 = mc("dev1","dev0",false,act("dev2","",0)) .
    eq caps-2 = mc("dev1","dev0",false,
                   act("dev2","",0) act("dev3","",0)) .
    eq caps-3 = mc("dev1","dev0",false,
                   act("dev2","",0) act("dev3","",0)
                   act("dev4","",0)) .

We can also ask if the attacker can cause dev2 to start before dev1 finishes.

    **** attack 3 dev2 starts before dev1 finishes
    search iSysX(3,0,caps-2) =>+ {c:Conf} such that
        subLIL(c:Conf, rcvP("dev1","sig","on") ;
                       rcvP("dev2","sig","on") ;
                       rcvP("dev1","sig","off")) .

IoT systems may be replicated, for example running the same protocol in multiple smart rooms, or in a manufacturing setting multiple instances of a manufacturing step.

The function iSysY generates example scenarios with one client (controller) and 2 sets of n servers. The client will send a PUT message to set the "sig" resource "go" to each server in the first set of servers. Each server initially has resource map rb("sig","off").

    op iSysY : Nat  Caps -> Sys .
    eq iSysY(n,caps) =
          {CnS(2 * n,mkGoAMs(n,nilAM),rb("sig","off"),5,0)
           mkAtt(caps)  log(nilLI)} .

We consider scenarios with $n=2$ and $n=3$ and ask whether the attacker can drive a the second set of devices, either concurrently or following the first. The attacker capabilities for the two scenario sizes are defined as follows, parameterized by the amount to delay message copies.

    ops caps2-2 caps3-3 : Nat -> Caps .
    eq caps2-2(d) =
      mc("dev1","dev0",act("dev3","dev0",d))
      mc("dev2","dev0",act("dev4","dev0",d)) .
    eq caps3-3(d) =
      mc("dev1","dev0",act("dev4","dev0",d))
      mc("dev2","dev0",act("dev5","dev0",d))
      mc("dev3","dev0",act("dev6","dev0",d)) .

The four search commands, results (with witness log) are as follows.

     *** search for duplicate 2 server process running concurrently
    search iSysY(2,caps2-2(0)) =>! {c:Conf} such that
      subLIL(c:Conf, rcvP("dev3","sig","") ; rcvP("dev4","sig","")) and
       subLIL(c:Conf, rcvP("dev3","sig","") ; rcvP("dev2","sig","")) .

    log(rcvP("dev1", "sig", "go") ; rcvP("dev2", "sig", "go") ;
        rcvP( "dev3", "sig", "go") ; rcvP("dev4", "sig", "go"))

     **** search for duplicate 3 server process the second after the first
    search iSysY(3,caps3-3(0)) =>! {c:Conf} such that
      subLIL(c:Conf, rcvP("dev4","sig","") ;
        rcvP("dev5","sig","") ; rcvP("dev6","sig","")) and
      subLIL(c:Conf, rcvP("dev1","sig","") ;
        rcvP("dev4","sig","") ; rcvP("dev2","sig","")) and
      subLIL(c:Conf, rcvP("dev2","sig","") ;
        rcvP("dev5","sig","") ; rcvP("dev3","sig","") ;
        rcvP("dev6","sig","")) .

    log(rcvP("dev1", "sig", "go") ; rcvP("dev4", "sig", "go") ;
        rcvP( "dev2", "sig", "go") ; rcvP("dev5", "sig", "go") ;
        rcvP("dev3", "sig", "go") ; rcvP("dev6", "sig", "go"))

    **** search for duplicate 3 server process the second after the first
    search iSysY(3,caps3-3(15)) =>! {c:Conf} such that
        subLIL(c:Conf, rcvP("dev4","sig","") ;
            rcvP("dev5","sig","") ; rcvP("dev6","sig","")) and
        subLIL(c:Conf, rcvP("dev3","sig","") ; rcvP("dev4","sig","")) .

Although a reactive attacker can not redirect a message in transit, as the active attacker can (see Section 0.B.6), it can make a copy and direct it to a different server. The reactive attacker also has to make a copy of the response from that server to appear to come from the original server. Thus the client will receive 3 responses. They can arrive in any order. The client will ignore the one from the alternate server, and its a race between the two messages apparently from the intended server.

    op iSySZ : Nat  Nat -> Sys .
    eq iSySZ(mqd:Nat,w4b:Nat) =
         {tCS3C(0,0,mkGetN("getN0","dev1","door"),
                   mtR,mqd:Nat,w4b:Nat,
              1,1,nilAM,rb("door","unlock"),5,0,
              2,2,nilAM,rb("door","lock"),5,0,
              mc("dev1","dev0",false,act("dev2","",0))
              mc("dev0","dev2",false,act("","dev1",0)) )
              log(nilLI) }  .

To demonstrate attacks we search for final states in which the client has received a "lock" response to the GET request while "dev1" has the "door" resource bound to "unlock".

    search iSySZ(5,0) =>! {c:Conf} such that
      hasGetRsp(c:Conf,"dev0","dev1","getN0","lock") and
      checkRsrc(c:Conf,"dev1","door","unlock") .

A dialected message has a target and a source (sort String as for normal messages) and a dialect encoded content (sort DContent). The message constructor is overloaded to construct dialected messages.

    op m : String String DContent -> Msg .

    op dc : DCBits Nat -> DContent [ctor] .

    op ‘{_‘,_‘} : Content Nat -> ContentNat [ctor] .

    op g : String Nat Nat -> String .
    op f1 : String ContentNat -> DCBits .
    op f2 : String DContent  ~> ContentNat .
    eq f2(g(rand,k,ix),dc(f1(g(rand,k,ix),{content,ix}),ix))
          = {content,ix} .

As described in [2] we represent a dialect wrapper by a meta-agent that has the same identifier as the wrapped agent, a conf attribute that encapsulates the base agent and its network stub, and additional attributes for managing dialect transformations.

    *** dialected endpoint
    [eid | conf([eid | devattrs] net), ddevattrs]

The additional attributes for a dialect meta endpoint include:

• •

  used(umap) — a map from endpoint ids to sets of lingo indices already received from the identified endpoint.

• •

  toRcv(dmsgs) — holds the result of decoding– the original message or the empty (delayed) message set, if decoding fails

• •

  seedTo(eid,str) – the shared secret seed for sending to eid

• •

  seedFr(eid,str) – the shared secret seed for receiving from eid

• •

  ixCtr(eid,nat) — the counter for generating lingo indices for messages to endpoint named eid

• •

  randSize(k) – the size of generated (pseudo) random strings

There are two rules to specify dialect behavior. The rule labeled ddevsend handles applying a dialect lingo to a message sent by an endpoint and putting it in the global network. It selects a message in the internal network sent by the wrapped entity, calls applyDialect, and puts the resulting dialected message in the external network.

    crl[ddevsend]:
      [epid | conf([epid  | devatts ] net(dmsgs0,dmsgs1)) dattrs ]
      net(ddmsgs0,ddmsgs1)
    =>
      [epid | conf([epid  | devatts ] net(mtDM,dmsgs) ) dattrs1 ]
      net(ddmsgs0 ddmsg,ddmsgs1)
    if dmsgs (msg @ n) := dmsgs0 dmsgs1
    /\ getSrc(msg) = epid
    /\ toSend(ddmsg) dattrs1 := applyDialect(dattrs,msg @ n) .

The rule labeled ddevrcv handles receipt of a dialected message. It selects a message with 0 delay and target the wrapped entity an calls decodeDialect. If decoding produced a message, the rule calls the rcvMsg directly since the result may include a logging attribute that needs the full configuration to process, which the base CoAP receive rule would not have.

    crl[ddevrcv]:
    {[epid | conf([epid | devatts ] net(dmsgs0,dmsgs1))
             dattrs ]
      net(ddmsgs0,ddmsgs1 msgd @ 0) conf}
    =>
    {[epid | conf([epid | devatts2 ]
                  net(dmsgs0 dmsgs2,dmsgs1))
            dattrs1 ]
      net(ddmsgs0,ddmsgs1)  conf1}
    if getTgt(msgd) == epid
    /\ toRcv(dmsgs) dattrs1 := decodeDialect(dattrs,msgd)

    /\ toSend(dmsgs2) devatts1 :=
        (if dmsgs :: DMsg
         then rcvMsg(epid, devatts, DMsg2Msg(dmsgs))
         else toSend(mtDM) devatts
         fi)
    /\ conf1 := doLog(conf,devatts1)
    /\ devatts2 := clearToLog(devatts1) } .

In addition to the dialect send and receive rules, the auxiliary functions mte and passtime used by the rule labeled tick are extended to account for the nesting of configurations. If there are messages in the local network then they need to be processed before time can pass. These messages will be messages from epid the should be dialected and placed in the global network.

  eq mte(atts conf([epid | devattrs] net(dmsgs0,dmsgs1)),ni)
   = (if dmsgs0 dmsgs1 =/= mtDM
      then 0
      else mte(atts, mte(devattrs,ni))
      fi) .

As a step towards realizing the dialects as theory transformations, we define a function D that maps a term representing an initial system configuration to its dialected form. D calls the auxilliary function DX with the system term to transform and the set of ids of non-attacker endpoints computed by getIds. The function DX uses DAs to transform the individual agents of the configuration aconf, and adds the initial network element. The argument "xxxx" of DAs is used to construct abstract representations of the pairwise shared secrets. The last argument of DAs is a configuration accumulator. We also define a partial inverse, UD, to the dialect transform D. The partial inverse is only meaningful when applied to systems with no dialected messages pending. It is generally applied only to inital or terminal states, which have empty network elements.

    op DA : Agent Strings String -> Agent .
    ceq DA([eid | devatts],eids,str) =
        [eid | conf([eid | devatts]
                    net(mtDM,mtDM)) ddevatts]
    if ddevatts := sharedDialectAttrs
                   mkSeeds(eid,eids,str,mtA)
                   mkIxCtrs(eids,mtA) .

{ net(mtDM, mtDM)
  ["dev0" | conf(net(mtDM, mtDM)
          ["dev0" | w4Ack(mtDM) w4Rsp(mtM) ...
                    rsrcs(mtR) ctr(0)
                    sendReqs(...) config(...) sndCtr(0)])
    used(mtU) randSize(128)
        seedTo("dev1", "xxxxdev1dev0")
        seedFr("dev1", "xxxxdev0dev1") ixCtr("dev1", 0)]
  ["dev1" | conf(net(mtDM, mtDM)
            ["dev1" | w4Ack(mtDM) w4Rsp(mtM) ...
                     rsrcs(rb("door", "unlocked"))
                     ctr(0) sendReqs(nilAM) config(...) sndCtr(1)])
    used(mtU) randSize(128)
        seedTo("dev0", "xxxxdev0dev1")
        seedFr("dev0","xxxxdev1dev0") ixCtr("dev0", 0)]
  ["eve" | kb(mtDM) caps(drop)]}

The function UD extracts CoAP endpoints from conf attributes and passes other configuration elements unchanged

op UD : Sys -> Sys .
op UDX : Conf Conf -> Conf .
eq UD({conf}) = {UDX(conf,mt)} .
eq UDX([eid | conf([eid | devatts] conf1) ddevatts] conf0,
               uconf) =
      UDX(conf0, uconf [eid | devatts]) .
eq UDX(conf0, uconf) = uconf conf0 [owise] .

**** produce configurations by omitting the final system construction
op UDC : Conf -> Conf .
**** eq UDC(conf net(dmsgs0,dmsgs1)) = UDX(conf,mt) .
eq UDC(conf) = UDX(conf,mt) .

As we prove in Appendix 0.C dialecting mitigates attacks of a reactive attacker. To illustrate this claim we can lift the scenarios for reactive attacks of Section refsec:reactive-attacks to dialected scenarios and lift the search for attacks to the dialected situation. To do this we apply the transform D to the initial system term and apply the inverse (on configurations) UDC to uses of the search target pattern c:Conf in the search condition. For example in the R1 attack (the attacker locks the door after the client has unlocked it) example the search

    search D({raR1(5,0,10,false)}) =>! {c:Conf} such that
        checkRsrc(UDC(c:Conf),"dev1","door","lock") .

The remaining cases are similar.