In this subsection, we discuss how the verification algorithm ensures termination. First, we examine the possibility of an infinite loop during the searching procedure. A loop could occur either in the honest phase or in the attacker phase.
We assume on-demand source routing protocols, where the ID list is placed in the request and reply messages. We also assume that the routing protocol to be verified was designed "correctly", such that it is loop free and every honest node handles a request (reply) with the same session ID only once; this holds for the most well-known on-demand source routing protocols. In our verification procedure, we ensure this with the following two assumptions:
1. We examine only invalid routes $List_{invalid}$ in $accept([List_{invalid}])$ where the node IDs are pairwise different. The reason is that, in most cases, on-demand source routing protocols are defined/designed such that honest nodes drop a request or reply if it contains a list with duplicated node IDs. Checking for duplicated IDs is the most basic protection against invalid routes when designing a routing protocol. Note that we could extend our deduction algorithm to detect loops during the protocol run, but this falls outside the focus of the dissertation, where we aim at detecting more critical weaknesses regarding security. Moreover, the steps required for detecting loops can be protocol specific, depending on the particular contents of the request/reply messages.
2. We assume that the routing protocol is specified such that each request includes information about the node which sent it, while a reply message contains information about both the sender and the addressee (of course, this assumption does not apply to messages sent by the attackers). This assumption holds for all the well-known on-demand source routing protocols DSR, SRP, Ariadne and endairA, where in the request message the last node ID in the list belongs to the sender node, while both the addressee and the sender are encoded in a reply message. Note that even if the request/reply messages of a given protocol do not contain this information, we can always add it explicitly without affecting the correctness of the protocol. For instance, if the protocol is defined such that the request is broadcast unchanged by the honest nodes, then in the protocol rule
$$wm(y^p_{req}) \wedge nbr(l^p_i, l^p_j) \to wm(y^p_{req})$$
we cannot determine which $l^p_i$ is the sender. Hence, to make the deduction algorithm usable, we have to add the ID of the sender to the wm-facts, namely $wm((l^p_i, y^p_{req}))$. Note that the added ID is not part of the request message and only serves the automated deduction:
$$wm((l^p_i, y^p_{req})) \wedge nbr(l^p_i, l^p_j) \to wm((l^p_j, y^p_{req}))$$
Lemma 2. Under the assumptions provided above, in the honest phase $Ph_H(F_{wm})$ the deduction will not step into an infinite loop.
Proof. First of all, point 3 of $Ph_H(F_{wm})$ prevents the use of the same rule $R$ for a given $F_{wm}$ an infinite number of times, by keeping track of the rules already used before. Hence, since the number of rules resolvable with $F_{wm}$ is finite, the deduction algorithm examines the derivation of a given $F_{wm}$ only within a finite period of time.
In the second part of the proof, we show that during the tree-extending process (in a depth-first search manner) with consecutive resolution steps, we never get into an infinite deduction loop. Formally, when searching for the derivation of some wm-fact $F_{wm}$, the deduction (tree) branch will not contain the same $F_{wm}$ again infinitely. Within $Ph_H$ we further distinguish the request and reply phases, in which the request and reply messages, respectively, are exchanged between honest nodes.
• During a request phase, the message exchanges among honest nodes are simulated by the protocol rules $R^{req}_3$, $R^{req}_2$ and $R^{req}_1$. After each (backward) resolution step $R^{req}_3 \circ F_{wm}$, where $F_{wm} = wm(t^p_{req_j})$ and $R^{req}_3 = wm(y^p_{req_i}) \wedge nbr(l^p_i, l^p_j) \to wm(y^p_{req_j})$, we get $wm(t^p_{req_i}) \wedge nbr(l^p_i, l^p_j)$ as the result. This means that in order for $l^p_j$ to be able to send the request $t^p_{req_j}$, its neighbor node $l^p_i$ should have sent the request $t^p_{req_i}$. Based on the assumption that $List_{invalid}$ contains a finite number of different node IDs, and that the protocol rules $R^{req}_3$, $R^{req}_2$ and $R^{req}_1$ specify message exchanges between different nodes, it follows that the deduction procedure terminates within a finite number of resolution steps. The resolution steps are performed repeatedly using $R^{req}_3$ until we reach the point where the initial request was sent by the source node, where the rules $R^{req}_2$ and $R^{req}_1$ are used.
• The situation is similar in the case of the reply phase. Again, let the reply $t^p_{rep_0}$ that has been sent by node $y^p_{i-1}$ to $y^p_{prev}$ include the ID list $[List, y^p_{prev}, y^p_{i-1}, y^p_{next}, List]$. The algorithm searches for the rules in $S_{hon}$ to extend the tree at $wm((y^p_{prev}, t^p_{rep_0}))$. After extending $wm((y^p_{prev}, t^p_{rep_0}))$, the fact $wm((l^p_{i-1}, t^p_{rep}))$ is yielded. We recall that the ID at the beginning of the message represents the addressee of the reply. Since the value of the addressee is taken from $[List_{invalid}]$, the algorithm gets into an infinite loop only in case either the length
performed consecutively using $R^{rep}_{2.12}$ until we reach the point where the destination node sent back a reply after it received a request, which is modelled by the resolution with the rule $R^{req}_4$.
To summarize, in both the request and reply phases, after performing each resolution step (i.e., tree-extending step) we basically step from node to node in $List_{invalid}$. Because the number of node IDs in $List_{invalid}$ is finite, the honest phase terminates within a finite number of resolution steps.
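The following is an added illustration, not code from the dissertation: a simplified model of the backward resolution in the honest request phase, combining assumption 1 (pairwise-different IDs), assumption 2 (the sender ID carried beside the request in the wm-fact) and the step-by-step walk from the last sender back to the source described in the proof above. The rule names, the tuple encoding of wm-facts and the sample topology are my own modelling choices.

```python
# Constructed illustration (not the dissertation's algorithm): backward
# resolution in the honest request phase. A wm-fact is modelled as the pair
# (sender_id, id_list); the sender ID is carried purely for the deduction,
# as assumption 2 above prescribes. The last ID of the list is the sender.

def pairwise_different(ids):
    """Assumption 1: only ID lists without duplicated node IDs are examined."""
    return len(set(ids)) == len(ids)

def resolve_request_backwards(id_list, nbr):
    """Walk from the last sender back to the source, one R3 step at a time.

    id_list: ID list of the request to derive (last entry = its sender).
    nbr:     set of frozenset({a, b}) pairs, i.e. the nbr(l_i, l_j) facts.
    Returns the chain of wm-facts examined, or None when the list is
    rejected, no derivation exists, or a fact would be examined twice.
    """
    ids = tuple(id_list)
    if not pairwise_different(ids):
        return None
    examined = set()          # loop guard: never re-examine the same wm-fact
    chain = []
    fact = (ids[-1], ids)     # wm((l_j, t_req_j)): the fact to derive
    while True:
        if fact in examined:
            return None       # same wm-fact again on this branch: stop
        examined.add(fact)
        chain.append(fact)
        sender, lst = fact
        if len(lst) == 1:     # R1/R2 analogue: the source sent the request
            return chain
        prev = lst[-2]        # R3 backwards: l_i must have sent t_req_i ...
        if frozenset((prev, sender)) not in nbr:
            return None       # ... and nbr(l_i, l_j) must hold
        fact = (prev, lst[:-1])

def resolution_steps(id_list, nbr):
    """Resolution steps taken; never exceeds the number of IDs in the list."""
    chain = resolve_request_backwards(id_list, nbr)
    return 0 if chain is None else len(chain)

if __name__ == "__main__":
    # constructed topology: S - A - B - D
    NBR = {frozenset(p) for p in (("S", "A"), ("A", "B"), ("B", "D"))}
    print(resolve_request_backwards(["S", "A", "B"], NBR))
    print(resolve_request_backwards(["S", "A", "S"], NBR))  # duplicated ID
```

Because every step removes one ID from a list of pairwise-different IDs, the number of resolution steps is bounded by the list length, which is the finiteness argument of Lemma 2 in miniature.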
Figure 23: The possibilities to get into an attacker phase $Ph_A$ during the request and reply directions.
We continue by showing that the attacker phase $Ph_A(F^{root}_{att})$ is free of infinite loops as well.
Lemma 3. During the search for a derivation of $accept([List_{invalid}])$, the algorithm does not get into an infinite deduction loop in the attacker phase $Ph_A(F^{root}_{att})$.
Proof. In attacker phases an infinite computation loop could happen when (i.) the attacker repeatedly performs some function $f$ and its inverse counterpart $f^{-1}$. For instance, the composition and decomposition rules $A_{comp}$ and $A_{dcomp}$ could be performed iteratively in turn. However, in our method we prevent this by performing decomposition only; instead of using the composition rule to set up the required message, we introduced the set of rules $A_{msg_i}$, which derive the whole request or reply that contains the given (smaller) message part. (ii.) Another case which may cause a loop is that the rule $A^{contain}_{List}$ may be performed an infinite number of times. However, this is not the case, because each application of $A^{contain}_{List}$ introduces a new node into the network, which contains only a finite number of nodes. Formally, $A^{contain}_{List}$ may be applied only up to the number of nodes in the network. In $Ph_A(F^{root}_{att})$ we have to examine and search for the derivation of the att-facts placed in $W$.
The att-facts in $W$ are the parts of the request and reply, and their number is finite because the request and reply messages contain finitely many data elements. Because we perform deduplication after putting new facts into $W$, the size of $W$ is at most the number of message parts of a request and a reply message (which is finite).
In addition, we prevent deduction loops by also keeping track of the att-facts already examined during the current deduction procedure (point 1 of $Ph_A(F^{root}_{att})$), and whenever we reach the point where we need to derive the same att-fact again, we stop continuing this deduction branch. In point 10 of $Ph_A(F^{root}_{att})$, and points 11.9 and 12.3, we also keep track of the request/reply messages that we have examined before. Since the number of possible requests/replies $t^{msg}_{att}$, $t^{broader}_{att}$ and $t^{replace}_{att}$, and the number of att-facts in $W$, are finite, the total number of resolutions performed in $Ph_A(F^{root}_{att})$ is finite as well.
Finally, we show that during the whole deduction procedure, the occurrences of the honest and attacker phases are finite. Namely, there is no infinite loop between $Ph_A$ and $Ph_H$. In the request phase, whenever we search for a derivation of a given wm-fact $F_{wm}$, we can
yielding an att-fact $F^{root}_{att}$ (where $F^{root}_{att} = att(t^p_{req})$, for some request message $t^p_{req}$). According to the deduction steps defined in $Ph_A$, we have to search for the derivation of every message element in $t^p_{req}$, which is finite. In the worst case, we step into phase $Ph_A$ after points 11.6-11.7 of function $REQREP_{correctplace}$, when we search for the derivation of the fact $att(t^{broader}_{att})$ within the phase $Ph_A$. The request message $t^{broader}_{att}$ contains a broader list than $List_{invalid}$, which we get by inserting new honest node IDs into it. Let the number of node IDs in the ID list of $t^{broader}_{att}$ be $j$. In the honest phase (request direction), while stepping back from the destination to the source, we step into $Ph_A(F^{root}_{att})$ at most $j$ times (shown in Figure 23). Each time, after getting into $Ph_A(F^{root}_{att})$, we can step into the honest phase $Ph_H(F_{wm})$ again, and in that honest phase we can again get into $Ph_A$, and so on. However, this cycle cannot occur infinitely many times, because (i) in points 1-2 of $Ph_A(F^{root}_{att})$, with $F^{root}_{att} = att(head_{req}; v_1; \ldots; [List]; \ldots; v_k)$, we search for the derivation of each element $att(head_{req}), att(v_1), \ldots, att([List]), \ldots, att(v_k)$ of the request, but only if it has not been examined before within a session; (ii) the request contains finitely many elements (i.e., $k$ and $[List]$ are finite). Hence, after some rounds, when we run out of message elements that have not been examined before, the attacker phase always gets stuck at point 2, and the deduction procedure returns to phase $Ph_H(F_{wm})$ (point 3 of $Ph_A$), where we step back to the source after at most $j$ resolution steps using the rules $R^{req}_1$, $R^{req}_2$, $R^{req}_3$. The situation is similar in the case of the reply direction.