  1. // CROWDS [Reiter,Rubin]
  2. // Vitaly Shmatikov, 2002
  3. // Modified by Ernst Moritz Hahn (emh@cs.uni-sb.de)
  4. // note:
  5. // Change everything marked CWDSIZ when changing the size of the crowd
  6. // Change everything marked CWDMAX when increasing max size of the crowd
  7. dtmc // model type: discrete-time Markov chain
  8. // Model parameters
  9. const double PF; // forwarding probability; declared without a value, so it must be supplied when the model is built
  10. const double badC; // probability that member is untrustworthy; also declared without a value
  11. // Probability of forwarding
  12. // const double PF = 0.8;
  13. // const double notPF = 0.2; // must be 1-PF
  14. // Probability that a crowd member is bad
  15. // const double badC = 0.1;
  16. // const double badC = 0.091;
  17. // const double badC = 0.167;
  18. // const double goodC = 0.909; // must be 1-badC
  19. // const double goodC = 0.833; // must be 1-badC
      // The disabled definitions above are kept as sample values. The module
      // writes 1-PF and 1-badC inline, so notPF and goodC are not needed.
  20. const int CrowdSize = 3; // CWDSIZ: actual number of good crowd members; the module has a recordLast rule only for 2, 3, 4, 5, 10, 15 and 20
  21. const int TotalRuns = 5; // Total number of protocol runs to analyze; also the upper bound of every observeN counter
  22. const int MaxGood=20; // CWDMAX: maximum number of good crowd members; upper bound of lastSeen, and the module declares observe0..observe19
  23. // Process definitions
  24. module crowds
      // Models TotalRuns successive runs of the Crowds protocol. Every run
      // starts at member 0 (start sets lastSeen to 0), and a bad member that
      // receives the message counts which good member it saw last.
  25. // Auxiliary variables
  26. launch: bool init true; // Start modeling?
  27. newInstance: bool init false; // Initialize a new protocol instance?
  28. runCount: [0..TotalRuns] init TotalRuns; // Counts protocol instances (counts down to 0)
  29. start: bool init false; // Start the protocol?
  30. run: bool init false; // Run the protocol?
  31. lastSeen: [0..MaxGood] init 0; // Last crowd member to touch msg
  32. good: bool init false; // Crowd member is good?
  33. bad: bool init false; // ... bad?
  34. recordLast: bool init false; // Record last seen crowd member?
  35. badObserve: bool init false; // Bad member observes who sent msg?
  36. deliver: bool init false; // Deliver message to destination?
  37. done: bool init false; // Protocol instance finished?
  38. // Counters for attackers' observations
  39. // CWDMAX: 1 counter per each good crowd member
      // No init value is given, so each counter starts at the low end of its
      // range, i.e. 0. observeN is the number of runs in which a bad member
      // received the message while lastSeen was N.
  40. observe0: [0..TotalRuns];
  41. observe1: [0..TotalRuns];
  42. observe2: [0..TotalRuns];
  43. observe3: [0..TotalRuns];
  44. observe4: [0..TotalRuns];
  45. observe5: [0..TotalRuns];
  46. observe6: [0..TotalRuns];
  47. observe7: [0..TotalRuns];
  48. observe8: [0..TotalRuns];
  49. observe9: [0..TotalRuns];
  50. observe10: [0..TotalRuns];
  51. observe11: [0..TotalRuns];
  52. observe12: [0..TotalRuns];
  53. observe13: [0..TotalRuns];
  54. observe14: [0..TotalRuns];
  55. observe15: [0..TotalRuns];
  56. observe16: [0..TotalRuns];
  57. observe17: [0..TotalRuns];
  58. observe18: [0..TotalRuns];
  59. observe19: [0..TotalRuns];
      // One-off initial step: reset the run counter and request the first instance
  60. [] launch -> (newInstance'=true) & (runCount'=TotalRuns) & (launch'=false);
  61. // Set up a new protocol instance
      // NOTE(review): once runCount is 0 and newInstance is set again, no
      // command in this module is enabled, so the final state has no outgoing
      // transition. Confirm how the checker's deadlock handling treats it.
  62. [] newInstance & runCount>0 -> (runCount'=runCount-1) & (newInstance'=false) & (start'=true);
  63. // SENDER
  64. // Start the protocol
      // lastSeen'=0: the sender is crowd member 0 in every run
  65. [] start -> (lastSeen'=0) & (run'=true) & (deliver'=false) & (start'=false);
  66. // CROWD MEMBERS
  67. // Good or bad crowd member?
      // The next hop is bad with probability badC. The bad branch leaves
      // lastSeen untouched, so the bad member observes the previous good hop
      // (the sender itself if this is the first hop).
  68. [] !good & !bad & !deliver & run ->
  69. 1-badC : (good'=true) & (recordLast'=true) & (run'=false) +
  70. badC : (bad'=true) & (badObserve'=true) & (run'=false);
  71. // GOOD MEMBERS
  72. // Forward with probability PF, else deliver
      // Clearing good re-enables the good/bad choice above for the next hop
  73. [] good & !deliver & run -> PF : (good'=false) + 1-PF : (deliver'=true);
  74. // Record the last crowd member who touched the msg;
  75. // all good members may appear with equal probability
  76. // Note: This is backward. In the real protocol, each honest
  77. // forwarder randomly chooses the next forwarder.
  78. // Here, the identity of an honest forwarder is randomly
  79. // chosen *after* it has forwarded the message.
      // CWDSIZ: exactly one of the rules below matches the configured
      // CrowdSize. Rules exist only for 2, 3, 4, 5, 10, 15 and 20; with any
      // other CrowdSize no command is enabled once recordLast is set, so the
      // run stalls and the observeN counters are no longer meaningful.
      // The uniform choice ranges over 0..CrowdSize-1, member 0 included.
  80. [] recordLast & CrowdSize=2 ->
  81. 1/2 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  82. 1/2 : (lastSeen'=1) & (recordLast'=false) & (run'=true);
  83. [] recordLast & CrowdSize=3 ->
  84. 1/3 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  85. 1/3 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  86. 1/3 : (lastSeen'=2) & (recordLast'=false) & (run'=true);
  87. [] recordLast & CrowdSize=4 ->
  88. 1/4 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  89. 1/4 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  90. 1/4 : (lastSeen'=2) & (recordLast'=false) & (run'=true) +
  91. 1/4 : (lastSeen'=3) & (recordLast'=false) & (run'=true);
  92. [] recordLast & CrowdSize=5 ->
  93. 1/5 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  94. 1/5 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  95. 1/5 : (lastSeen'=2) & (recordLast'=false) & (run'=true) +
  96. 1/5 : (lastSeen'=3) & (recordLast'=false) & (run'=true) +
  97. 1/5 : (lastSeen'=4) & (recordLast'=false) & (run'=true);
  98. [] recordLast & CrowdSize=10 ->
  99. 1/10 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  100. 1/10 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  101. 1/10 : (lastSeen'=2) & (recordLast'=false) & (run'=true) +
  102. 1/10 : (lastSeen'=3) & (recordLast'=false) & (run'=true) +
  103. 1/10 : (lastSeen'=4) & (recordLast'=false) & (run'=true) +
  104. 1/10 : (lastSeen'=5) & (recordLast'=false) & (run'=true) +
  105. 1/10 : (lastSeen'=6) & (recordLast'=false) & (run'=true) +
  106. 1/10 : (lastSeen'=7) & (recordLast'=false) & (run'=true) +
  107. 1/10 : (lastSeen'=8) & (recordLast'=false) & (run'=true) +
  108. 1/10 : (lastSeen'=9) & (recordLast'=false) & (run'=true);
  109. [] recordLast & CrowdSize=15 ->
  110. 1/15 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  111. 1/15 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  112. 1/15 : (lastSeen'=2) & (recordLast'=false) & (run'=true) +
  113. 1/15 : (lastSeen'=3) & (recordLast'=false) & (run'=true) +
  114. 1/15 : (lastSeen'=4) & (recordLast'=false) & (run'=true) +
  115. 1/15 : (lastSeen'=5) & (recordLast'=false) & (run'=true) +
  116. 1/15 : (lastSeen'=6) & (recordLast'=false) & (run'=true) +
  117. 1/15 : (lastSeen'=7) & (recordLast'=false) & (run'=true) +
  118. 1/15 : (lastSeen'=8) & (recordLast'=false) & (run'=true) +
  119. 1/15 : (lastSeen'=9) & (recordLast'=false) & (run'=true) +
  120. 1/15 : (lastSeen'=10) & (recordLast'=false) & (run'=true) +
  121. 1/15 : (lastSeen'=11) & (recordLast'=false) & (run'=true) +
  122. 1/15 : (lastSeen'=12) & (recordLast'=false) & (run'=true) +
  123. 1/15 : (lastSeen'=13) & (recordLast'=false) & (run'=true) +
  124. 1/15 : (lastSeen'=14) & (recordLast'=false) & (run'=true);
  125. [] recordLast & CrowdSize=20 ->
  126. 1/20 : (lastSeen'=0) & (recordLast'=false) & (run'=true) +
  127. 1/20 : (lastSeen'=1) & (recordLast'=false) & (run'=true) +
  128. 1/20 : (lastSeen'=2) & (recordLast'=false) & (run'=true) +
  129. 1/20 : (lastSeen'=3) & (recordLast'=false) & (run'=true) +
  130. 1/20 : (lastSeen'=4) & (recordLast'=false) & (run'=true) +
  131. 1/20 : (lastSeen'=5) & (recordLast'=false) & (run'=true) +
  132. 1/20 : (lastSeen'=6) & (recordLast'=false) & (run'=true) +
  133. 1/20 : (lastSeen'=7) & (recordLast'=false) & (run'=true) +
  134. 1/20 : (lastSeen'=8) & (recordLast'=false) & (run'=true) +
  135. 1/20 : (lastSeen'=9) & (recordLast'=false) & (run'=true) +
  136. 1/20 : (lastSeen'=10) & (recordLast'=false) & (run'=true) +
  137. 1/20 : (lastSeen'=11) & (recordLast'=false) & (run'=true) +
  138. 1/20 : (lastSeen'=12) & (recordLast'=false) & (run'=true) +
  139. 1/20 : (lastSeen'=13) & (recordLast'=false) & (run'=true) +
  140. 1/20 : (lastSeen'=14) & (recordLast'=false) & (run'=true) +
  141. 1/20 : (lastSeen'=15) & (recordLast'=false) & (run'=true) +
  142. 1/20 : (lastSeen'=16) & (recordLast'=false) & (run'=true) +
  143. 1/20 : (lastSeen'=17) & (recordLast'=false) & (run'=true) +
  144. 1/20 : (lastSeen'=18) & (recordLast'=false) & (run'=true) +
  145. 1/20 : (lastSeen'=19) & (recordLast'=false) & (run'=true);
  146. // BAD MEMBERS
  147. // Remember from whom the message was received and deliver
  148. // CWDMAX: 1 rule per each good crowd member
      // Each rule increments the counter of the member in lastSeen and sets
      // deliver, so a run ends at the first bad member and adds at most one
      // observation. The observeN<TotalRuns guard keeps the counter in range.
  149. [] lastSeen=0 & badObserve & observe0 <TotalRuns -> (observe0' =observe0 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  150. [] lastSeen=1 & badObserve & observe1 <TotalRuns -> (observe1' =observe1 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  151. [] lastSeen=2 & badObserve & observe2 <TotalRuns -> (observe2' =observe2 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  152. [] lastSeen=3 & badObserve & observe3 <TotalRuns -> (observe3' =observe3 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  153. [] lastSeen=4 & badObserve & observe4 <TotalRuns -> (observe4' =observe4 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  154. [] lastSeen=5 & badObserve & observe5 <TotalRuns -> (observe5' =observe5 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  155. [] lastSeen=6 & badObserve & observe6 <TotalRuns -> (observe6' =observe6 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  156. [] lastSeen=7 & badObserve & observe7 <TotalRuns -> (observe7' =observe7 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  157. [] lastSeen=8 & badObserve & observe8 <TotalRuns -> (observe8' =observe8 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  158. [] lastSeen=9 & badObserve & observe9 <TotalRuns -> (observe9' =observe9 +1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  159. [] lastSeen=10 & badObserve & observe10<TotalRuns -> (observe10'=observe10+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  160. [] lastSeen=11 & badObserve & observe11<TotalRuns -> (observe11'=observe11+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  161. [] lastSeen=12 & badObserve & observe12<TotalRuns -> (observe12'=observe12+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  162. [] lastSeen=13 & badObserve & observe13<TotalRuns -> (observe13'=observe13+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  163. [] lastSeen=14 & badObserve & observe14<TotalRuns -> (observe14'=observe14+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  164. [] lastSeen=15 & badObserve & observe15<TotalRuns -> (observe15'=observe15+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  165. [] lastSeen=16 & badObserve & observe16<TotalRuns -> (observe16'=observe16+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  166. [] lastSeen=17 & badObserve & observe17<TotalRuns -> (observe17'=observe17+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  167. [] lastSeen=18 & badObserve & observe18<TotalRuns -> (observe18'=observe18+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  168. [] lastSeen=19 & badObserve & observe19<TotalRuns -> (observe19'=observe19+1) & (deliver'=true) & (run'=true) & (badObserve'=false);
  169. // RECIPIENT
  170. // Delivery to destination
      // Also clears good and bad so the next instance starts with neither set
  171. [] deliver & run -> (done'=true) & (deliver'=false) & (run'=false) & (good'=false) & (bad'=false);
  172. // Start a new instance
      // lastSeen'=MaxGood parks lastSeen on a value that has no BAD MEMBERS
      // rule; the start command sets it back to 0 before it is read again.
  173. [] done -> (newInstance'=true) & (done'=false) & (run'=false) & (lastSeen'=MaxGood);
  174. endmodule
  175. label "observe0Greater1" = observe0 > 1; // bad members saw member 0 (the sender in this model) more than once
  176. label "observeIGreater1" = observe1>1|observe2>1; // some other good member was seen more than once; covers only members 1 and 2, i.e. CrowdSize=3
  177. label "observeOnlyTrueSender" = observe0>1&observe1<=1 & observe2<=1; // only member 0 was seen more than once; also written for CrowdSize=3
      // NOTE(review): these labels are not marked CWDSIZ, yet they name
      // observe1 and observe2 explicitly. If CrowdSize is raised they must be
      // extended to the extra observeN counters, otherwise the checked
      // anonymity properties ignore observations of the added members.