Guoqiang Li,Mizuhito Ogawa

DOI: https://doi.org/10.2197/ipsjdc.3.343

2007-01-01

Abstract:Trace analysis for a security protocol represents every possible run as a trace and analyzes whether any insecure run is reachable. The number of traces will be infinite due to (1) infinitely many sessions of a protocol, (2) infinitely many principals in the network, and (3) infinitely many messages that intruders can generate. This paper presents an on-the-fly model checking method by restricting/abstracting these infinite factors to a finite model. First, we restrict a typed process calculus to avoid recursive operations, so that only finitely many sessions are considered. Next, a bound variable is introduced as an index of a message to represent its intended destination, so that an unbounded number of principals are finitely described. Then, messages in which irrelevant parts are reduced in a protocol are unified to a parametric message based on the type information. We implement the on-the-fly model checking method using Maude, and automatically detect the flaws of several security protocols, such as the NSPK protocol and the Woo-Lam protocol, etc..

María Alpuente,Demis Ballis,Santiago Escobar,Julia Sapiña

DOI: https://doi.org/10.48550/arXiv.1907.10919

2019-07-25

Abstract:Concurrent functional languages that are endowed with symbolic reasoning capabilities such as Maude offer a high-level, elegant, and efficient approach to programming and analyzing complex, highly nondeterministic software systems. Maude's symbolic capabilities are based on equational unification and narrowing in rewrite theories, and provide Maude with advanced logic programming capabilities such as unification modulo user-definable equational theories and symbolic reachability analysis in rewrite theories. Intricate computing problems may be effectively and naturally solved in Maude thanks to the synergy of these recently developed symbolic capabilities and classical Maude features, such as: (i) rich type structures with sorts (types), subsorts, and overloading; (ii) equational rewriting modulo various combinations of axioms such as associativity, commutativity, and identity; and (iii) classical reachability analysis in rewrite theories. However, the combination of all of these features may hinder the understanding of Maude symbolic computations for non-experienced developers. The purpose of this article is to describe how programming and analysis of Maude rewrite theories can be made easier by providing a sophisticated graphical tool called Narval that supports the fine-grained inspection of Maude symbolic computations. This paper is under consideration for acceptance in TPLP.

Logic in Computer Science,Programming Languages

Rubén Rubio,Narciso Martí-Oliet,Isabel Pita,Alberto Verdejo

DOI: https://doi.org/10.1016/j.jlamp.2021.100700

2024-01-15

Abstract:Rewriting logic and its implementation Maude are a natural and expressive framework for the specification of concurrent systems and logics. Its nondeterministic local transformations are described by rewriting rules, which can be controlled at a higher level using a builtin strategy language added to Maude~3. This specification resource would not be of much interest without tools to analyze their models, so in a previous work, we extended the Maude LTL model checker to verify strategy-controlled systems. In this paper, CTL* and $\mu$-calculus are added to the repertoire of supported logics, after discussing which adaptations are needed for branching-time properties. The new extension relies on some external model checkers that are exposed the Maude models through general and efficient connections, profitable for future extensions and further applications. The performance of these model checkers is compared.

Logic in Computer Science

Antonio González-Burgueño,Damián Aparicio,Santiago Escobar,Catherine Meadows,José Meseguer

DOI: https://doi.org/10.48550/arXiv.1806.07209

2018-06-19

Abstract:In this paper, we perform an automated analysis of two devices developed by Yubico: YubiKey, designed to authenticate a user to network-based services, and YubiHSM, Yubicos hardware security module. Both are analyzed using the Maude-NPA cryptographic protocol analyzer. Although previous work has been done applying automated tools to these devices, to the best of our knowledge there has been no completely automated analysis to date. This is not surprising, because both YubiKey and YubiHSM, which make use of cryptographic APIs, involve a number of complex features: (i) discrete time in the form of Lamport clocks, (ii) a mutable memory for storing previously seen keys or nonces, (iii) event-based properties that require an analysis of sequences of actions, and (iv) reasoning modulo exclusive-or. In this work, we have been able to both prove properties of YubiKey and find the known attacks on the YubiHSM, in a completely automated way beyond the capabilities of previous work in the literature.

Cryptography and Security

Zehong (Zephyr) Qiu,Fan Zhang

DOI: https://doi.org/10.46586/tches.v2023.i3.570-596

2023-01-01

Abstract:Algebraic Fault Analysis (AFA) is a cryptanalysis for block ciphers proposed by Courtois et al., which incorporates algebraic cryptanalysis to overcome the complexity of manual analysis within the context of Differential Fault Analysis (DFA). The effectiveness of AFA on lightweight block ciphers has been demonstrated. However, the complexity of the algebraic systems prevents it from attacking heavyweight block ciphers efficiently. In this paper, we propose a novel cryptanalysis called Redundancies-assisted Algebraic Fault Analysis (RAFA) to facilitate the solution of algebraic systems in the setting of heavyweight block ciphers. The core idea of RAFA is to expedite SAT solvers by modifying the algebraic systems, which is accomplished via two methods. The first method introduces redundant constraints, which is proposed for the first time in the context of algebraic cryptanalysis. The second one is a sophisticated linearization of the nonlinear Algebraic Normal Form (ANF). It takes RAFA for about 9.68 hours to attack AES-128. To the best of our knowledge, this is the first work that uses a general SAT solver to attack AES with only a single injection of byte-fault. Moreover, RAFA can attack AES-128 in 50.92 and 27.54 minutes for nibble- and bit-based fault model, respectively. In comparison, the traditional DFA algorithm implemented by pure C takes 4 ~ 5 hours under all three fault models investigated in this work. Moreover, in order to show the generality of RAFA, we also apply it to other heavyweight block ciphers. The best results show that RAFA could recover the key of Serpent-256 and SPEEDY-r-192 in 20.7 and 1.5 hours using only three faults, respectively. In comparison, AFA could not break these two ciphers even when 30 bits and 50 bits of their keys are known, respectively. Furthermore, no DFA work on Serpent or SPEEDY is known using comparable fault models.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.

Sabina Szymoniak,Olga Siedlecka-Lamch,Mirosław Kurkowski

DOI: https://doi.org/10.1007/978-3-319-92459-5_28

IF: 5.493

2018-01-01

Computer Networks

Abstract:In many verification approaches for security protocols analysis time aspects are omitted. According to this in our work we try to show how these problems are important in this area. To do this we present new ideas as well as methods for calculating and checking several types of time parameters that characterize some time aspects during and after the protocol’s execution. As an example we present the timed analysis in the case of the timed version of the well known the NSPKL protocol (Needham Schroeder Public Key Protocol revised by Lowe). The experimental results obtained using a proprietary tool are also shown. Using this, during the running of the protocol, the “presence” of the Intruder can be followed by observing incorrect time of the protocol execution. As we will see, both those too short and too long allows this.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Jaime Arias,Kyungmin Bae,Carlos Olarte,Peter Csaba Ölveczky,Laure Petrucci

2024-09-13

Abstract:This paper presents a concrete and a symbolic rewriting logic semantics for parametric time Petri nets with inhibitor arcs (PITPNs), a flexible model of timed systems where parameters are allowed in firing bounds. We prove that our semantics is bisimilar to the "standard" semantics of PITPNs. This allows us to use the rewriting logic tool Maude, combined with SMT solving, to provide sound and complete formal analyses for PITPNs. We develop and implement a new general folding approach for symbolic reachability, so that Maude-with-SMT reachability analysis terminates whenever the parametric state-class graph of the PITPN is finite. Our work opens up the possibility of using the many formal analysis capabilities of Maude -- including full LTL model checking, analysis with user-defined analysis strategies, and even statistical model checking -- for such nets. We illustrate this by explaining how almost all formal analysis and parameter synthesis methods supported by the state-of-the-art PITPN tool Romeo can be performed using Maude with SMT. In addition, we also support analysis and parameter synthesis from parametric initial markings, as well as full LTL model checking and analysis with user-defined execution strategies. Experiments show that our methods outperform Romeo in many cases.

Logic in Computer Science

Michele Boreale,Maria Grazia Buscemi

DOI: https://doi.org/10.1016/j.tcs.2005.03.044

IF: 1.002

2005-06-01

Theoretical Computer Science

Abstract:In security protocols, message exchange between the intruder and honest participants induces a form of state explosion which makes protocol models infinite. We propose a general method for automatic analysis of security protocols based on the notion of frame, essentially a rewrite system plus a set of distinguished terms called messages. Frames are intended to model generic crypto-systems. Based on frames, we introduce a process language akin to Abadi and Fournet's applied pi. For this language, we define a symbolic operational semantics that relies on unification and provides finite and effective protocol models. Next, we give a method to carry out trace analysis directly on the symbolic model. We spell out a regularity condition on the underlying frame, which guarantees completeness of our method for the considered class of properties, including secrecy and various forms of authentication. We show how to instantiate our method to some of the most common crypto-systems, including shared- and public-key encryption, hashing and Diffie–Hellman key exchange.

computer science, theory & methods

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Jan Grashöfer,Peter Oettig,Robin Sommer,Tim Wojtulewicz,Hannes Hartenstein

DOI: https://doi.org/10.48550/arXiv.2106.12454

2021-06-23

Networking and Internet Architecture

Abstract:With information technology entering new fields and levels of deployment, e.g., in areas of energy, mobility, and production, network security monitoring needs to be able to cope with those environments and their evolution. However, state-of-the-art Network Security Monitors (NSMs) typically lack the necessary flexibility to handle the diversity of the packet-oriented layers below the abstraction of TCP/IP connections. In this work, we advance the software architecture of a network security monitor to facilitate the flexible integration of lower-layer protocol dissectors while maintaining required performance levels. We proceed in three steps: First, we identify the challenges for modular packet-level analysis, present a refined NSM architecture to address them and specify requirements for its implementation. Second, we evaluate the performance of data structures to be used for protocol dispatching, implement the proposed design into the popular open-source NSM Zeek and assess its impact on the monitor performance. Our experiments show that hash-based data structures for dispatching introduce a significant overhead while array-based approaches qualify for practical application. Finally, we demonstrate the benefits of the proposed architecture and implementation by migrating Zeek's previously hard-coded stack of link and internet layer protocols to the new interface. Furthermore, we implement dissectors for non-IP based industrial communication protocols and leverage them to realize attack detection strategies from recent applied research. We integrate the proposed architecture into the Zeek open-source project and publish the implementation to support the scientific community as well as practitioners, promoting the transfer of research into practice.

Ming-Song CHEN,Jian-Hua ZHAO,Xuan-Dong LI,Guo-Liang ZHENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.01.060

2007-01-01

Computer Science

Abstract:The reachability analysis algorithm explores the state space of a timed automaton by enumeration of symbolic states. Each symbolic state consists of a location and a time zone which are conjunctions of automatic formulae in the form x-y ≤(<)n. Sometimes the amount of generated symbolic states is very large, the memory required to store the generated symbolic states is not feasible. In this paper, we present an approach to reduce the memory requirement of the reachability analysis algorithm. By analyzing the dependence relation between symbolic states, we can expand some of the symbolic states by removing specific kinds of atomic formulae without changing the reachability analysis result. The expanded states can contain more symbolic states. Removing these contained states can reduce the memory requirement of reachability analysis. The case studies presented in this paper show that our algorithm can save memory in the practical application efficiently.

Qurat ul Ain Nizamani,Emilio Tuosto

DOI: https://doi.org/10.4204/EPTCS.7.5

2009-10-21

Abstract:Model checking is an automatic verification technique to verify hardware and software systems. However it suffers from state-space explosion problem. In this paper we address this problem in the context of cryptographic protocols by proposing a security property-dependent heuristic. The heuristic weights the state space by exploiting the security formulae; the weights may then be used to explore the state space when searching for attacks.

Cryptography and Security,Logic in Computer Science,Programming Languages

Leifeng He,Guanjun Liu

DOI: https://doi.org/10.1109/TCSS.2022.3164052

2020-12-18

Abstract:Computation Tree Logic of Knowledge (CTLK) can specify many design requirements of privacy and security of multi-agent systems (MAS). In our conference paper, we defined Knowledge-oriented Petri Nets (KPN) to model MAS and proposed Reachability Graphs with Equivalence Relations (RGER) to verify CTLK. In this paper, we use the technique of Ordered Binary Decision Diagrams (OBDD) to encode RGER in order to alleviate the state explosion problem and enhance the verification efficiency. We propose a heuristic method to order those variables in OBDD, which can well improve the time and space performance of producing, encoding and exploring a huge state space. More importantly, our method does not produce and encode any transition or equivalence relation of states when producing and encoding an RGER, and in fact it dynamically produces those transition or equivalence relations that are required in the verification process of CTLK formulas. This policy can save a lot of time and space since the number of transition or equivalence relations of states is much greater than the number of states themselves. We design symbolic model checking algorithms, develop a tool and apply them to two famous examples: Alice-Bob Protocol and Dining Cryptographers Protocol. We compare our tool with MCMAS which is the state-of-the-art model checker of verifying CTLK. The experimental results illustrate the advantages of our model and method. Our tool running in a general PC can totally spend less than 14 hours to verify Dining Cryptographers Protocol with 1200 concurrent cryptographers where there are about $10^{1080}$ states and the two verified CTLK formulas have more than 6000 atomic propositions and more than 3600 operators. These good performances are owed to a combination of the OBDD technique and the structure characteristics of KPN.

Software Engineering

Canh Minh Do,Kazuhiro Ogata

DOI: https://doi.org/10.7717/peerj-cs.2098

2024-06-21

PeerJ Computer Science

Abstract:This article presents a symbolic approach to model checking quantum circuits using a set of laws from quantum mechanics and basic matrix operations with Dirac notation. We use Maude, a high-level specification/programming language based on rewriting logic, to implement our symbolic approach. As case studies, we use the approach to formally specify several quantum communication protocols in the early work of quantum communication and formally verify their correctness: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, Quantum Gate Teleportation, Two Mirror-image Teleportation, and Quantum Network Coding. We demonstrate that our approach/implementation can be a first step toward a general framework to formally specify and verify quantum circuits in Maude. The proposed way to formally specify a quantum circuit makes it possible to describe the quantum circuit in Maude such that the formal specification can be regarded as a series of quantum gate/measurement applications. Once a quantum circuit has been formally specified in the proposed way together with an initial state and a desired property expressed in linear temporal logic (LTL), the proposed model checking technique utilizes a built-in Maude LTL model checker to automatically conduct formal verification that the quantum circuit enjoys the property starting from the initial state.

computer science, information systems, artificial intelligence, theory & methods

Jaime Arias,Kyungmin Bae,Carlos Olarte,Peter Csaba Ölveczky,Laure Petrucci,Fredrik Rømming

DOI: https://doi.org/10.48550/arXiv.2303.08929

2023-03-16

Abstract:Parametric time Petri nets with inhibitor arcs (PITPNs) support flexibility for timed systems by allowing parameters in firing bounds. In this paper we present and prove correct a concrete and a symbolic rewriting logic semantics for PITPNs. We show how this allows us to use Maude combined with SMT solving to provide sound and complete formal analyses for PITPNs. We develop a new general folding approach for symbolic reachability that terminates whenever the parametric state-class graph of the PITPN is finite. We explain how almost all formal analysis and parameter synthesis supported by the state-of-the-art PITPN tool Roméo can be done in Maude with SMT. In addition, we also support analysis and parameter synthesis from parametric initial markings, as well as full LTL model checking and analysis with user-defined execution strategies. Experiments on three benchmarks show that our methods outperform Roméo in many cases.

Logic in Computer Science

Xiaoyu Zhou,Qian Li,Jianhua Zhao

DOI: https://doi.org/10.1109/sere-c.2012.45

2012-01-01

Abstract:A new partial order reduction method for timed automaton model checking is presented in this paper. This method avoids exhaustive state-space exploration by enumerating only part of enabled transitions at some symbolic states. This paper gives some sufficient conditions on which partial enumeration does not change the reach ability analysis result. Efficient algorithms are presented to check these conditions. The optimized reach ability analysis algorithm only computes successors w.r.t. part of enabled transitions when it visits a symbolic state the first time. Later, the algorithm revisits generated states to check whether it is necessary to enumerate all transitions. Some experiments shows that the method significantly reduce the number of symbolic states generated during state space exploration.

Max von Hippel,Panagiotis Manolios,Kenneth L. McMillan,Cristina Nita-Rotaru,Lenore Zuck

DOI: https://doi.org/10.4204/EPTCS.393.6

2023-11-15

Abstract:When verifying computer systems we sometimes want to study their asymptotic behaviors, i.e., how they behave in the long run. In such cases, we need real analysis, the area of mathematics that deals with limits and the foundations of calculus. In a prior work, we used real analysis in ACL2s to study the asymptotic behavior of the RTO computation, commonly used in congestion control algorithms across the Internet. One key component in our RTO computation analysis was proving in ACL2s that for all alpha in [0, 1), the limit as n approaches infinity of alpha raised to n is zero. Whereas the most obvious proof strategy involves the logarithm, whose codomain includes irrationals, by default ACL2 only supports rationals, which forced us to take a non-standard approach. In this paper, we explore different approaches to proving the above result in ACL2(r) and ACL2s, from the perspective of a relatively new user to each. We also contextualize the theorem by showing how it allowed us to prove important asymptotic properties of the RTO computation. Finally, we discuss tradeoffs between the various proof strategies and directions for future research.

Logic in Computer Science,Mathematical Software

Carlos Olarte,Peter Csaba Ölveczky

2024-03-14

Abstract:In this paper we propose a language for conveniently defining a wide range of execution strategies for real-time rewrite theories, and provide Maude-strategy-implemented versions of most Real-Time Maude analysis methods, albeit with user-defined discrete and timed strategies. We also identify a new time sampling strategy that should provide both efficient and exhaustive analysis for many distributed real-time systems. We exemplify the use of our language and its analyses on a simple round trip time protocol, and compare the performance of standard Maude search with our strategy-implemented reachability analyses on the CASH scheduling algorithm benchmark.

Logic in Computer Science

Haiwen Qin,Baofeng Wu

DOI: https://doi.org/10.48550/arXiv.2203.09741

2022-03-18

Abstract:ARX-based ciphers, constructed by the modular addition, rotation and XOR operations, have been receiving a lot of attention in the design of lightweight symmetric ciphers. For their differential cryptanalysis, most automatic search methods of differential trails adopt the assumption of independence of modulo additions. However, this assumption does not necessarily hold when the trail includes consecutive modular additions (CMAs). It has already been found that in this case some differential trails searched by automatic methods before are actually impossible, but the study is not in depth yet, for example, few effort has been paid to exploiting the root causes of non-independence between CMAs and accurate calculation of probabilities of the valid trails. In this paper, we devote to solving these two problems. By examing the differential equations of single and consecutive modular additions, we find that the influence of non-independence can be described by relationships between constraints on the intermediate state of two additions. Specifically, constraints of the first addition can make some of its output bits non-uniform, and when they meet the constraints of the second addition, the differential probability of the whole CMA may be different from the value calculated under the independence assumption. As a result, we can build SAT models to verify the validity of a given differential trail of ARX ciphers and #SAT models to calculate the exact probabilities of the differential propagation through CMAs in the trail, promising a more accurate evaluation of probability of the trail. Our automic methods and searching tools are applied to search related-key differential trails of SPECK and Chaskey including CMAs in the key schedule and the round function respectively.

Cryptography and Security